Update on Aadhaar hearing

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of a fundamental right has been upheld, challenges against the Aadhaar programme are yet to be adjudicated upon.

On the 30th of October, the Chief Justice stated that a Constitution Bench would be constituted and the Aadhaar linking matter would be heard in the last week of November, 2017. More on this can be found in our post here.

Today, the matter was mentioned again.

The Attorney General stated that the hearing should be scheduled for the end of January or the beginning of February, since it would take 6 weeks to conclude. He also made reference to a white paper on data protection the Srikrishna Committee was about to release, and stated that the hearing should commence after these recommendations were considered.

At this point, Mr. Shyam Diwan stated that interim relief in the form of an order should be granted, if the matter could not be heard before the 31st of December. Mr. Diwan reiterated that interim relief was promised if the matter went on beyond the 31st of December.

The Attorney General mentioned that since the matter was of national importance, it would be best for it to be heard before the constitutional bench.

The Chief Justice stated that interim relief would have to be passed by the constitutional bench as well.

Presently, it is unclear whether the matter will be heard next week and dates for hearings in January and February have also not been mentioned.

#DelhiTechTalks | Embedding Human Rights in Cybersecurity | November 21, 2017

Embedding Human Rights in Cybersecurity

November 21, 2017

organised by

Centre for Communication Governance at National Law University Delhi

Centre for Internet and Society, India

Digital Empowerment Foundation

HasGeek

Internet Democracy Project

IT for Change

&

SFLC.in (Software Freedom Law Centre, India)

along with media partner MediaNama

at

Lecture Room II | India International Centre – Annexe | KK Birla Lane | Lodhi Road | New Delhi

Timings

Programme

6.00 – 6.30 pm Tea & Coffee
6.30 – 7.30 pm Resolving tensions between rights and security in cyberspace

Amalia Toledo, Karisma Foundation

Matthew Shears, Global Partners Digital

Serene Lim, Empower Malaysia

Prem Trivedi, Georgetown University School of Foreign Service

Lillian Nalwoga, ISOC Uganda

Moderator: Gayatri Khandhadai, Association for Progressive Communications

7.30 – 8.30 pm Embedding human rights in India’s cybersecurity laws and policies

Dr. Anja Kovacs, Internet Democracy Project

Mishi Choudhary, SFLC.in

Chinmayi Arun, Centre for Communication Governance at National Law University, Delhi

Moderator: Nikhil Pahwa, MediaNama

8.30 pm onwards Dinner

The road ahead for norms in cyberspace: Moving forward from Tallinn 2.0

by Elizabeth Dominic

Digitalisation has become an integral part of our life. Our increasing reliance on digital infrastructures is linked to the use of cyberspace as a new domain for disrupting international peace and security, with cyber operations becoming an increasingly prominent threat. However, the laws governing such cyber operations remain unclear. There have been some attempts amongst the international community to transpose the existing international law framework to the cyber domain to regulate it. This post will briefly look into the processes that are ongoing for the development of cyberspace norms and will focus specifically on the Tallinn Manual 2.0 and its application of the principle of sovereignty in cyberspace.

The UN Group of Governmental Experts on Developments in the field of information and telecommunications in the context of international security (UN GGE)

The UN adopted digital security as part of its agenda in 1999, following which the UN GGE was formed in 2004. There have been five iterations of the UN GGE. The 2013 and 2015 reports of the UN GGE established that current international law applies to cyberspace and reached some agreement on principles applicable to the responsible behavior of states. A brief discussion of the contributions of the first four UN GGE can be found here. This group collapsed in mid-2017 due to the failure of the states to arrive at a consensus on the application of certain norms of international law (specifically, relating to self-defence and countermeasures) in the cyber domain. Accordingly, the future of the group is now uncertain.

The Tallinn Manual Project

As an increasing number of states are subjected to cyber operations from rival states and non-state actor groups, it is crucial to establish what laws regulate them to ensure stability, security and accountability. This has been the aim of the group working on the Tallinn Manual. The Tallinn Manual is an international academic initiative that examines the applicability of international law to cyber operations. The project consists of two manuals: Tallinn Manual 1.0 on the International Law Applicable to Cyber Warfare (hereinafter Tallinn Manual 1.0) and Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (hereinafter Tallinn Manual 2.0), published in 2013 and 2017 respectively. The Manuals were prepared by an International Group of Experts under the invitation of the NATO Cooperative Cyber Defense Centre of Excellence following the cyber operations directed against Estonia in 2007. A brief analysis of Tallinn Manual 1.0 can be found here.

Tallinn Manual 2.0: Objective

The Tallinn Manual 2.0 is a four-year follow-on project on Tallinn Manual 1.0. It is a compendium of 154 ‘black letter rules’[1] accompanied by a commentary on each rule prepared by a (new) group of international law experts along with the unofficial input of many states. While the Tallinn Manual 1.0 examined how to apply existing international law norms to cyber warfare, the Tallinn Manual 2.0 expanded on this endeavor by extending the focus to cyber operations in general. The former focused on the most severe cyber operations – i.e. the ones that amount to use of force, armed attacks entitling the victim state to engage in self-defense, and/or take place during armed conflicts. The latter additionally examined the application of international law norms to cyber operations that do not satisfy the threshold of use of force or armed attack and take place during peacetime.[2]

Tallinn Manual 2.0 has analyzed a state’s rights and obligations under international law while engaging in cyber actions outside the context of an armed conflict to further national interests. Some of the principal grey areas of law addressed in the Tallinn Manual 2.0 are:[3]

  • The principle of state sovereignty in cyber space
  • How governments can respond within the framework of international law
  • Principle of attribution
  • State responsibility

Additionally, the Tallinn Manual 2.0 addresses various specialized regimes of international law – human rights, air and space law, law of the sea and diplomatic and consular law – in the context of cyber operations.

Tallinn Manual 2.0: Sovereignty in Cyberspace

One of the most politically delicate legal issues that was addressed in depth in Tallinn Manual 2.0 was the application of the concept of sovereignty in cyberspace. Sovereignty is the underlying principle of international law. It is defined as the “supreme authority of every state within its territory”.[4] It entitles a state to engage in the functions of a state within its territory, to the exclusion of other states.[5]

According to the Tallinn Manual 2.0, cyber space is also governed by the principle of sovereignty. Rule 4[6] of Tallinn Manual 2.0 states “A state must not conduct cyber operations that violate the sovereignty of another state”. Tallinn Manual 2.0 lays down two grounds for determining violations of sovereignty:[7] a) degree of infringement upon the target state’s territorial integrity; and b) whether there has been an interference with or usurpation of inherently governmental functions. Determination of the first ground is based on three factors:

1) Physical damage

2) Loss of functionality

3) Infringement falling below the threshold of loss of functionality

There was unanimous consent amongst the experts with respect to the application of the first two factors, as they closely resemble what would entail a violation of sovereignty in the non-cyber context. Regarding the third factor, the experts were divided.

Cyber espionage will be an issue that falls under this category. In the absence of sufficient state practice and opinio juris, customary international law does not prohibit espionage per se. However, the International Group of Experts concurred that the means employed to perform cyber espionage may at times be unlawful, thereby resulting in a violation of international law obligations of states, including respect for the principle of sovereignty.

With respect to cyber espionage[8] conducted by one state while physically present on the territory of the victim state, a majority of the experts felt that it would be in violation of sovereignty. On the other hand, the majority concluded that remote cyber espionage, despite its severity, does not violate sovereignty.

This is problematic because some incidents of cyber espionage may result in severe consequences, such as exfiltration of nuclear launch codes, that can pose a serious threat. Therefore, upholding the view that remote cyber espionage, irrespective of the severity of its consequences, does not violate sovereignty might not be ideal. Tallinn Manual 2.0 also fails to give a definite answer to whether cyber operations targeted against the online resources of terrorist organizations hosted on the infrastructure of a foreign state violate the territorial integrity of the state. This emphasizes the limitations of the adaptive process, and leads us to the value of independent norm-development processes such as the UN GGE.

The International Group of Experts unanimously agreed on the second ground for determination of violation of sovereignty, even though they could not give a definite definition for “inherently governmental functions”, which may again act as a loophole for states engaging in cyber operations. Tallinn Manual 2.0 cited a few examples that help illustrate what constitutes inherently governmental functions: “delivery of social services, conduct of elections, collections of taxes, the effective conduct of diplomacy, and the performance of key national defense activities”.[9] Additionally, the group also stated that an inherently governmental function could be performed either by the state or by a private party.

Tallinn Manual 2.0 has provided insights on the application of the principle of sovereignty in cyberspace. But it has not managed to give definitive answers on its application in various contexts. Therefore, sovereignty will definitely be up for future discussions.

Conclusion

The Tallinn Manual 2.0 affirms the application of the existing framework of international law to cyberspace. It is strictly a compilation of the expression of opinions of the international group of experts and is therefore non-binding on the states. However, it can serve as a guide for international conversations on how international law applies to cyberspace. But there are still grey areas for which Tallinn Manual 2.0 cannot provide guidance, application of sovereignty in cyber space being one of them. States may choose to primarily focus on those areas and develop norms through state practice and opinio juris. In the absence of definite norms, however, states will continue to play in this grey area without fear of rebuke.

[1] Restatements of international law in the context of cyberspace, which obtained unanimity amongst the International Group of Experts who drafted the Tallinn Manual.

[2] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 3 (Michael N. Schmitt gen. ed., 2017)

[3] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt gen. ed., 2017)

[4] Oppenheim’s International Law 564 (Robert Jennings et al. eds., 9th ed. 2008).

[5] Island of Palmas Case (U.S. v. Netherlands), 2 Reports of International Arbitral Awards 838 (1928).

[6] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 17–27 (Michael N. Schmitt gen. ed., 2017).

[7] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 20–27 (Michael N. Schmitt gen. ed., 2017).

[8] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 168–174 (Michael N. Schmitt gen. ed., 2017).

[9] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 22 (Michael N. Schmitt gen. ed., 2017).

Biometric-based identification systems and democracy

In September, 2017, Scroll, in collaboration with the Centre for Communication Governance, published our data on biometric-based identification systems across the world, and their correlation with a country’s democratic record. Our data demonstrates a reciprocity between these factors:

“While examining whether countries were instituting these Aadhaar-like systems, researchers from the Centre noticed a trend wherein nations with strong biometric identity systems were less likely to have robust democratic governments…

…So they sought to map out their research, based on data collected primarily from countries within the Commonwealth, measured against their positions on Freedom House’s Freedom in the World index and the Economist Intelligence Unit’s Democracy index. The results show a cluster of nations with less freedoms also instituting a biometric system, while others higher up the democracy index do not have similar identity programmes.”

The original piece published on Scroll.in can be found here. Graphs representing the data set can be found below.

Update on Aadhaar hearing

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of a fundamental right has been upheld, challenges against the Aadhaar programme are yet to be adjudicated upon.

Today, the Supreme Court decided on a date to continue hearing these challenges.

The Attorney General started off by addressing the orders passed and the Data Protection Committee’s pending report. He stated that they would prefer to argue the case in March, as mentioned previously.

At this point, the Chief Justice suggested hearing the matter in January.

Senior Advocate Gopal Subramaniam reiterated that 8 interim orders, related to Aadhaar linking, had been passed. He stated that if the hearing was to be held at a later date, the voluntary nature of such linking and a lack of compulsion had to be guaranteed.

Senior Advocate CA Sundaram appearing for the State of Maharashtra stated that regardless of an interim order or a final order, the case would still have to be argued. He also stated that the hearing should be held soon, since the matter had been in Court for a while.

The Chief Justice stated that a Constitution Bench would be constituted and the matter would be heard in the last week of November, 2017.

Update: The deadline for linking Aadhaar with bank accounts is the 31st of December and the deadline for linking with mobile phones is the 6th of March. Contrary to media reports, this deadline has not been extended.

In the event that the petition is not heard in November, the Court may issue interim orders to stay such linkings.