Building an AI governance framework for India

This post has been authored by Jhalak M. Kakkar and Nidhi Singh

In July 2020, the NITI Aayog released a “Working Document: Towards Responsible AI for All” (“NITI Working Document/Working Document”). The Working Document was initially prepared for an expert consultation held on 21 July 2020. It was later released for comments by stakeholders on the development of a ‘Responsible AI’ policy in India. CCG responded with comments to the Working Document, and our analysis can be accessed here.

The Working Document highlights the potential of Artificial Intelligence (“AI”) in the Indian context. It attempts to identify the challenges that will be faced in the adoption of AI and makes some recommendations on how to address these challenges. The Working Document emphasises the economic potential of the adoption of AI in boosting India’s annual growth rate, its potential for use in the social sector (‘AI for All’) and the potential for India to export relevant social sector products to other emerging economies (‘AI Garage’). 

However, this is not the first time that the NITI Aayog has discussed the large-scale adoption of AI in India. In 2018, the NITI Aayog released a discussion paper on the “National Strategy for Artificial Intelligence” (“National Strategy”). Building upon the National Strategy, the Working Document attempts to delineate ‘Principles for Responsible AI’ and identify relevant policy and governance recommendations. 

Any framework for the regulation of AI systems needs to be based on clear principles. The ‘Principles for Responsible AI’ identified by the Working Document include the principles of safety and reliability, equality, inclusivity and non-discrimination, privacy and security, transparency, accountability, and the protection and reinforcement of positive human values. While the NITI Working Document introduces these principles, it does not go into any substantive details on the regulatory approach that India should adopt and what the adoption of these principles into India’s regulatory framework would entail. 

In a series of posts, we will discuss the legal and regulatory implications of the proposed Working Document and more broadly discuss the regulatory approach India should adopt to AI and the principles India should embed in it. In this first post, we map out key considerations that should be kept in mind in order to develop a comprehensive regulatory regime to govern the adoption and deployment of AI systems in India. Subsequent posts will discuss the various ‘Principles for Responsible AI’, their constituent elements and how we should think of incorporating them into the Indian regulatory framework.

Approach to building an AI regulatory framework 

While the adoption of AI has several benefits, it also carries potential harms and unintended risks if the technology is not assessed adequately for its alignment with India’s constitutional principles and its impact on the safety of individuals. Depending upon the nature and scope of the deployment of an AI system, its potential risks can include a discriminatory impact on vulnerable and marginalised communities, and material harms such as a negative impact on the health and safety of individuals. In the case of deployments by the State, risks include violation of the fundamental rights to equality, privacy, freedom of assembly and association, and freedom of speech and expression.

We highlight below some of the regulatory considerations that should be kept in mind:

Anchoring AI regulatory principles within the constitutional framework of India

The use of AI systems has raised concerns about their potential to violate multiple rights protected under the Indian Constitution such as the right against discrimination, the right to privacy, the right to freedom of speech and expression, the right to assemble peaceably and the right to freedom of association. Any regulatory framework put in place to govern the adoption and deployment of AI technology in India will have to be in consonance with its constitutional framework. While the NITI Working Document does refer to the idea of the prevailing morality of India and its relation to constitutional morality, it does not comprehensively address the idea of framing AI principles in compliance with India’s constitutional principles.

For instance, the government is seeking to acquire facial surveillance technology, and the National Strategy discusses the use of AI-powered surveillance applications by the government to predict crowd behaviour and for crowd management. The use of AI-powered surveillance systems such as these needs to be balanced against their impact on an individual’s right to freedom of speech and expression, privacy and equality. Operational challenges surrounding accuracy and fairness in these systems raise further concerns. Considering the risks posed to the privacy of individuals, the deployment of these systems by the government, if at all, should only be done in specific contexts for a particular purpose and in compliance with the principles laid down by the Supreme Court in the Puttaswamy case.

In the context of AI’s potential to exacerbate discrimination, it would be relevant to discuss the State’s use of AI systems for the sentencing of criminals and assessing recidivism. AI systems are trained on existing datasets. These datasets tend to contain historically biased, unequal and discriminatory data. We have to be cognizant of the propensity for historical bias and discrimination to get imported into AI systems and their decision making. This could further reinforce and exacerbate the existing discrimination in the criminal justice system towards marginalised and vulnerable communities, and result in a potential violation of their fundamental rights.

The National Strategy acknowledges the presence of such biases and proposes a technical approach to reduce bias. While such attempts are appreciable in their efforts to rectify the situation and yield fairer outcomes, such an approach disregards the fact that these datasets are biased because they arise from a biased, unequal and discriminatory world. As we seek to build effective regulation to govern the use and deployment of AI systems, we have to remember that these are socio-technical systems that reflect the world around us and embed the biases, inequality and discrimination inherent in Indian society. We have to keep this broader Indian social context in mind as we design AI systems and create regulatory frameworks to govern their deployment.

While the Working Document introduces the principles for responsible AI such as equality, inclusivity and non-discrimination, and privacy and security, there needs to be substantive discussion around incorporating these principles into India’s regulatory framework in consonance with constitutionally guaranteed rights.

Regulatory Challenges in the adoption of AI in India

As India designs a regulatory framework to govern the adoption and deployment of AI systems, it is important that we keep the following in focus: 

  • Heightened threshold of responsibility for government or public sector deployment of AI systems

The EU is considering adopting a risk-based approach for the regulation of AI, with heavier regulation for high-risk AI systems. The extent of risk to factors such as safety, consumer rights and fundamental rights is assessed by looking at the sector of deployment and the intended use of the AI system. Similarly, India must consider the adoption of a higher regulatory threshold for the use of AI by at least government institutions, given their potential for impacting citizens’ rights. Government uses of AI systems that have the potential to severely impact citizens’ fundamental rights include the use of AI in the disbursal of government benefits, surveillance, law enforcement and judicial sentencing.

  • Need for an overarching principles-based AI regulatory framework

Different sectoral regulators are currently evolving regulations to address the specific challenges posed by AI in their sector. While it is vital to harness the domain expertise of a sectoral regulator and encourage the development of sector-specific AI regulations, such piecemeal development of AI principles can lead to fragmentation in the overall approach to regulating AI in India. Therefore, to ensure uniformity in the approach to regulating AI systems across sectors, it is crucial to put in place a horizontal overarching principles-based framework. 

  • Adaptation of sectoral regulation to effectively regulate AI

In addition to an overarching regulatory framework which forms the basis for the regulation of AI, it is equally important to envisage how this framework would work with horizontal or sector-specific laws such as consumer protection law and the applicability of product liability to various AI systems. Traditionally, consumer protection and product liability regulatory frameworks have been structured around fault-based claims. However, given the challenges concerning explainability and transparency of decision making by AI systems, it may be difficult to establish the presence of defects in products and, for an individual who has suffered harm, to provide the necessary evidence in court. Hence, consumer protection laws may have to be adapted to stay relevant in the context of AI systems. Even sectoral legislation regulating the use of motor vehicles, such as the Motor Vehicles Act, 1988, would have to be modified to enable and regulate the use of autonomous vehicles and other AI transport systems.

  • Contextualising AI systems for both their safe development and use

To ensure the effective and safe use of AI systems, they have to be designed, adapted and trained on relevant datasets depending on the context in which they will be deployed. The Working Document envisages India being the AI Garage for 40% of the world – developing AI solutions in India which can then be deployed in other emerging economies. Additionally, India will likely import AI systems developed in countries such as the US, EU and China to be deployed within the Indian context. Both scenarios involve the use of AI systems in a context distinct from the one in which they have been developed. Without effectively contextualising socio-technical systems like AI systems to the environment they are to be deployed in, there are enhanced safety, accuracy and reliability concerns. Regulatory standards and processes need to be developed in India to ascertain the safe use and deployment of AI systems that have been developed in contexts that are distinct from the ones in which they will be deployed. 

The NITI Working Document is the first step towards an informed discussion on the adoption of a regulatory framework to govern AI technology in India. However, there is a great deal of work to be done. Any regulatory framework developed by India to govern AI must balance the benefits and risks of deploying AI, diminish the risk of any harm and have a consumer protection framework in place to adequately address any harm that may arise. Besides this, the regulatory framework must ensure that the deployment and use of AI systems are in consonance with India’s constitutional scheme.

Group Privacy and Data Trusts: A New Frontier for Data Governance?

The Centre’s Non-Personal Data Report proposes a policy framework to regulate the use of anonymised data by Big Tech companies. The question now is: how well do its recommendations measure up to the challenges of regulating non-personal data, amidst a regulatory lacuna for the same? Shashank Mohan of the Centre for Communication Governance explores how concepts of collective privacy and data trusts lie at the forefront of India’s future frameworks for digital governance.

By Shashank Mohan

This post first appeared on The Bastion on September 13, 2020

Image Credits: Swagam Dasgupta, The Bastion

In the past few years, it has become common knowledge that Big Tech companies like Facebook, Google, and Amazon rely on the exploitation of user data to offer seemingly free services. These companies typically use business models that rely on third party advertising to profit off this data. In exchange for their services, we hand over our data without much control or choice in the transaction. 

In response to the privacy threats posed by such business models, countries around the world have been strengthening and enacting data privacy laws. India is currently debating its own personal data protection law, which is loosely based on the benchmark EU data protection law–the General Data Protection Regulation (GDPR). More recently, attention has shifted to the regulation of non-personal data as well. The Indian Government recently released a report on the Non-Personal Data Governance Framework (NPD Report).

But, why do we need to regulate non-personal data?

While progress on the regulation of personal data is necessary and laudable, in the era of Big Data and machine learning, tech companies no longer need to solely rely on processing our personally identifiable data (personal data) to profile or track users. With newer developments in data analytics, they can find patterns and target us using seemingly innocuous data that may be aggregated or anonymised, but doesn’t need to be identifiable.

For example, they only need to know that I am a brown male in the age range of 25-35, from New Delhi, looking for shoes, and not necessarily my name or my phone number. All of this is “non-personal” data as it’s not linked to my personal identity.

Clearly, tech companies extract value from their service offerings using advanced data analytics and machine learning algorithms which rummage through both personal and non-personal data. This shift to harnessing non-identifiable/anonymised/aggregated data creates a lacuna in the governance of data, as traditionally, data protection laws like the GDPR have focused on identifiable data and giving an individual control over their personal data.

So, among other economic proposals, the NPD Report proposes a policy framework to regulate such anonymised data, to fill this lacuna. The question now is: how well do its recommendations measure up to the challenges of regulating non-personal data?

How Does The Government Define Non-Personal Data?

The NPD Report proposes the regulation of non-personal data, which it defines as data that is never related to an identifiable person, such as data on weather conditions, or personal (identifiable) data which has been rendered anonymous by applying certain technological techniques (such as data anonymisation). The report also recommends the mandatory cross-sharing of this non-personal data between companies, communities of individuals, and the government. The purpose for which this data may be mandated to be shared falls under three broad buckets: national security, community benefit, and promoting market competition.

However, if such data is not related to an identifiable individual, then how can it be protected under personal data privacy laws?

To address these challenges in part, the report introduces two key concepts: collective privacy and data trusts. 

The NPD Report defines collective privacy as a right emanating from a community or group of people that are bound by common interests and purposes. It recommends that communities or a group of people exercise control over their non-personal data–which is distinct from an individual exercising control of their personal data–and do so via an appropriate nominee called a data trustee, who would exercise their privacy rights on behalf of the entire community. These two interconnected concepts of collective privacy and data trusteeship merit deeper exploration, due to their significant impact on how we view privacy rights in the digital age.

What is Collective Privacy and How Shall We Protect It?

The concept of collective privacy shifts the focus from an individual controlling their privacy rights, to a group or a community having data rights as a whole. In the age of Big Data analytics, the NPD Report does well to discuss the risks of collective privacy harms to groups of people or communities. It is essential to look beyond traditional notions of privacy centered around an individual, as Big Data analytical tools rarely focus on individuals, but on drawing insights at the group level, or on “the crowd” of technology users.

In a revealing example from 2013, data processors who accessed New York City’s taxi trip data (including trip dates and times) were able to infer with a degree of accuracy whether a taxi driver was a devout Muslim or not, even though data on the taxi licenses and medallion numbers had been anonymised. Data processors linked pauses in taxi trips with adherence to regularly timed prayer timings to arrive at their conclusion. Such findings and classifications may result in heightened surveillance or discrimination for such groups or communities as a whole.

An example of such a community in the report itself is of people suffering from a socially stigmatised disease who happen to reside in a particular locality in a city. It might be in the interest of such a community to keep details about their ailment and residence private, as even anonymised data pointing to their general whereabouts could lead to harassment and the violation of their privacy.

In such cases, harms arise not specifically to an individual, but to a group or community as a whole. Even if data is anonymised (and rendered completely un-identifiable), insights drawn at a group level help decipher patterns and enable profiling at the macro level.

However, the community suffering from the disease might also see some value in sharing limited, anonymised data on themselves with certain third parties; for example, with experts conducting medical research to find a cure to the disease. Such a group may nominate a data trustee–as envisioned by the NPD Report–who facilitates the exchange of non-personal data on their behalf, and takes their privacy interests into account with relevant data processors. 

This model of data trusteeship is thus clearly envisioned as a novel intermediary relationship–distinct from traditional notions of a legal trust or trustee for the management of property–between users and data trustees to facilitate the proper exchange of data, and protect users against privacy harms like large-scale profiling and behavioral manipulation.

But, what makes data trusts unique? 

Are Data Trusts the New ‘Mutual Funds’? 

Currently, data processors process a wide range of data–both personal and non-personal–about users, without providing them accessible information about how they collect or use it. These users, if they wish to use services offered by data processors, do not have any negotiating power over the collection or processing of their data. This results in information asymmetries and power imbalances between the two parties, without much recourse for users–especially in terms of non-personal data, which is not covered by personal data protection laws like the GDPR or India’s Draft Personal Data Protection Bill.

Data trusts can help solve the challenges arising during everyday data transactions taking place on the Internet. Acting as experts on behalf of users, they may be in a better position to negotiate for privacy-respecting practices as compared to individual users. By standardising data sharing practices like data anonymisation and demanding transparency in data usage, data trusts may also be better placed to protect collective privacy rights as compared to an unstructured community. One of the first recommendations to establish data trusts in the public fora came from the UK Government’s independent report from 2017, ‘Growing the artificial intelligence industry in the UK’, which recommended the establishment of data trusts for increased access to data for AI systems.

Simply put: data trusts might be akin to mutual fund managers, as they facilitate complex investments on behalf of and in the best interests of their individual investors. 

The Fault in Our Data Sarkaar

Since data trusts are still untested at a large scale, certain challenges need to be anticipated at the time of their conceptualisation, which the NPD Report does not take into account.

For example, in some cases, the report suggests that the role of the data trustee could be assumed by an arm of the government. The Ministry of Health and Family Welfare, for instance, could act as a trustee for all data on diabetes for Indian citizens. 

However, the government acting as a data trustee raises important questions of conflict of interest–after all, government agencies might utilise relevant non-personal data for the profiling of citizens. The NPD Report doesn’t provide solutions for such challenges.

Additionally, the NPD Report doesn’t clarify the ambiguity in the relationship between data trusts and data trustees, adding to the complexity of its recommendations. While the report envisions data trusts as institutional structures purely for the sharing of given data sets, it defines data trustees as agents of ‘predetermined’ communities who are tasked with protecting their data rights.

Broadly, this is just like how commodities (like stocks or gold) are traded over an exchange (such as data trusts) while agents such as stockbrokers (or data trustees) assist investors in making their investments. This is distinct from how Indian law treats traditional conceptions of trusts and trustees, and might require fresh law for its creation. 

In terms of the exchange of non-personal data, possibly both these tasks–that is, facilitating data sharing and protecting data rights of communities/groups–can be delegated to just one entity: data trusts. Individuals who do not form part of any ‘predetermined’ community–and thus may not find themselves represented by an appropriate trustee–may also benefit from such hybrid data trusts for the protection of their data rights.

Clearly, multiple cautionary steps need to be in place for data trusts to work, and for the privacy of millions to be protected–steps yet to be fully disclosed in the Report. 

Firstly, there is a need for legal and regulatory mechanisms that will ensure that these trusts genuinely represent the best interests of their members. Without a strong alignment with regulatory policies, data trusts might enable the further exploitation of data, rather than bringing about reforms in data governance. Borrowing from traditional laws on trusts, a genuine representation of interests can be ensured by placing a legal obligation–in the form of an enforceable trust deed–on the trust of a fiduciary duty (or duty of care) towards its members.

Secondly, data trusts will require money to operate, and funding models will have to be developed that ensure the independence of trusts while also serving their members’ best interests. Various models will need to be tested before implementation, including government-funded data trusts and user-subscription based systems.

Thirdly, big questions about the transparency of data trusts remain. As these institutions may be the focal point of data exchange in India, ensuring their independence and accountability will be crucial. Auditing, continuous reviews, and reporting mechanisms will need to be enmeshed in future regulation to ensure the accountability of data trusts.

Privacy Rights Must Be Paramount

As the law tries to keep pace with technology in India, recognising new spheres which require immediate attention, like the challenges of collective privacy, becomes pertinent for policymakers. The NPD Report takes momentous strides in recognising some of these challenges which require swift redressal, but fails to take into consideration emerging scholarship on the autonomy, transparency, and strength of its proposed data trusts.

For example, large data processors will need to be incentivised to engage with data trusts. Smaller businesses may engage with data trusts easily considering the newfound easy access to large amounts of data. But, it might be difficult to incentivise Big Tech companies to engage with such structures, due to their existing stores of wide-scale data on millions of users. This is where the government will need to go back to the drawing board and engage with multiple stakeholders to ensure that innovation goes hand in hand with a privacy respecting data governance framework. Novel solutions like data trusts should be tested with pilot projects, before being baked into formal policy or law.

More than three years after India’s Supreme Court reaffirmed the right to privacy as intrinsic to human existence and a guarantee under the Indian Constitution, government policy continues to treat data–whether personal or non-personal–as a resource to be ‘mined’. In this atmosphere, to meaningfully recognise the right to privacy and self-determination, the government must lay down a data governance framework which seeks to protect the rights of users (or data providers), lays down principles of transparency and accountability, and establishes strong institutions for enforcement of the law.

(This post is in the context of the report released by the Committee of Experts on Personal Data Governance Framework, as constituted by the Ministry of Electronics and Information Technology. CCG’s comments on the report can be accessed here.)

CCG’s Comments to the Ministry of Defence on the Defence Acquisition Procedure, 2020

On 28 July 2020, the Ministry of Defence (‘MoD’) uploaded the second draft of the Defence Procurement Procedure 2020 (‘DPP 2020’), now renamed as the ‘Defence Acquisition Procedure 2020’ (‘DAP 2020’) on its website, inviting comments and suggestions from interested stakeholders and the general public.

CCG submitted its comments on the DAP 2020 underscoring its key concerns with this latest iteration of the MoD’s policy for capital acquisitions. The comments were authored by Gunjan Chawla, with inputs and research from Sharngan Aravindakshan and Vagisha Srivastava.

Our comments to the MoD are aimed at:

(1) Highlighting certain points in law and procedure to refine the DAP 2020 and facilitate the building of a more robust regulatory framework for defence acquisitions that contribute to the building of an Aatmanirbhar Bharat (self-reliant India).

(2) Presenting certain legal tools and frameworks that remain at the Ministry’s disposal in this endeavour geared towards a thorough preparation for the defence of India, in tandem with the envisioned goal of the National Cybersecurity Strategy 2020-2025 [currently being formulated by the office of the National Cybersecurity Coordinator (‘NCSC’)] to build a cyber secure nation.

Other than this broader objective of formulating a clear, coherent and comprehensive policy for acquisition of critical technologies to strengthen India’s national security posture, our comments are intended to contribute meaningfully to the building of legal frameworks that enable enhancing the state of cybersecurity in India generally, and the defence establishment and defence industrial base ecosystem specifically.

The comments are divided into five parts.

Part I introduces the scope and ambit of this document. These comments are not a granular evaluation of the merits and demerits of every procedural step to be followed in various categories of defence acquisitions. Here, we broadly trace the evolution of the structure, objectives and salient features of India’s defence procurement and acquisition policies in recent years. The scope of the comments is restricted to those features of the DAP that are most closely related to or have implications for the cybersecurity of the defence establishment. In this regard, we note the omission of Chapter X on ‘Simplified Capital Expenditure Procedure’ from the text of the draft DAP document as a serious error that ought to be rectified at the earliest opportunity.

Part II deals with cybersecurity and information security in the acquisitions process generally, as this is a concern that must be addressed irrespective of the procedural categorisation of a particular acquisition. The inherently sensitive and strategic nature of defence acquisitions demands that processes and procedures be formulated in a manner that prevents any unwarranted leakage of information at premature stages in the acquisition process. Herein, we recommend that:

  1. The DAP 2020 should carefully distinguish between the terms ‘information security’ and ‘cyber security’, and refrain from using them interchangeably in policy documents.
  2. The DAP 2020 should demand a full disclosure of the history of cyber-attacks, breaches and incidents suffered by the vendor company (and related corporate entities) prior to the signing of the acquisition contract. This should be supplemented with a good faith disclosure of incidents where the cyber infrastructure or assets of the vendor company may have been used, with or without proper authorization, in the conduct of a cyber breach or other incident, including attacks, exploits or other violations of digital privacy and human rights.

    As discussed in the comments, this line of inquiry would further India’s adherence to at least three of the eleven voluntary, non-binding norms on responsible state behaviour in cyberspace articulated in the 2015 Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the context of International Security.
  3. Online procurement portals should be designated as ‘Critical Information Infrastructure’ and/or ‘Protected Systems’ within the meaning of Sections 70 and 70A of the Information Technology Act, 2000.

Part III of the comments focuses on issues in the acquisition of information and communications technologies (ICT) and cyber systems. All suggestions and comments included in this Part are aimed towards ensuring that our vision of Aatmanirbhar Bharat (self-reliant India) is also a sustainable one.

Key recommendations presented in this part include:

  1. Clearly defining the terminologies used with regard to the ‘cyber domain’ in Chapter VIII, such as ICTs/cyber systems, in order to bring more clarity to the procurement process, as well as to the scope and ambit of the DAP document.
  2. In these definitions and classifications, distinguishing both ‘cyber weapons’ and ‘cyber physical weapons’ from cyber systems for command and control or C4I2SR, as well as from ‘cybersecurity products and services’, which are essential to protect the confidentiality and integrity of sensitive government data across various ministries from external threats.
  3. The MoD should clarify the scope and ambit of the DAP and the DPM and the extent to which they apply to various categories of IT, ICT and cyber systems.
  4. The defence budget dataset should be re-assessed to evaluate the ratio of revenue expenditures to capital expenditure alongside an assessment of the contribution of capital expenditures incurred over the years to capital assets owned by the armed forces and that portion of capital expenditure that is diverted towards maintenance, upkeep and life cycle costs of equipment as per the CBRP model.

Further building on the issues that have been highlighted in the previous sections, Part IV delves into the broader legal and Constitutional framework applicable to procurements generally, and defence acquisitions specifically.

Herein, we propose opening up a discussion on opportunities and challenges in strengthening Parliamentary oversight over defence acquisitions. Given the huge sums of public funds that are involved in defence acquisitions, ensuring accountability and integrity in these processes is of paramount importance.

We note that the Defence Acquisition Procedure as well as the Defence Procurement Manual are internal guidelines issued by the Ministry of Defence as policy directives to be followed as a matter of the Executive’s internal administration and, so far, do not enjoy legislative backing through an Act of Parliament. Accordingly, this section presents a brief overview of current processes and mechanisms in this regard, and recommends that:

  1. This defect in the DAP ought to be remedied on a priority basis, drawing on the Constitutional authority vested in Parliament pursuant to Article 246 read with Schedule VII, List I Entry 1 to enact laws ‘for the preparation of defence of India’.

Part V concludes the major findings and recommendations of this submission.

The comments can be accessed here on CCG’s Blog.

What are ‘offensive cyber capabilities’?


By Gunjan Chawla and Vagisha Srivastava

In our previous post, “Does India have offensive cyber capabilities?”, we discussed a recent amendment to the SCOMET list appended to the ITC-HS classification by the Directorate General of Foreign Trade (DGFT). The amendment did not define, but described, software for military offensive cyber operations as a term including (but not limited to) software designed to destroy, damage, degrade or disrupt systems, equipment and other software specified by Category 6 (Munitions), as well as software for cyber reconnaissance and cyber command and control.

In this post, we examine what exactly constitutes ‘offensive cyber capabilities’ (OCCs) and their role in conducting cyber operations with reference to various concepts from US, UK and Australia’s cyber doctrines. We begin by comparing two definitions of ‘cyber capabilities’.

‘Cyber Capabilities’ = ‘Cyber Operations’?

In US military doctrine, a ‘cyberspace capability’ is defined not as human skill in handling tools and software, but as “a device or computer program, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace.” (emphasis added)

In contrast, the Australian Strategic Policy Institute (ASPI) in Defining Offensive Cyber Capabilities notes that “In the context of cyber operations, having a capability means possessing the resources, skills, knowledge, operational concepts and procedures to be able to have an effect in cyberspace.” (emphasis added)

The ASPI’s emphasis on resources, skills and knowledge merits special attention. Without skilled personnel to wield such devices or software, offensive cyber operations cannot be mounted successfully. This is an especially important distinction if we are looking to formulate a functional definition relevant to India’s requirements. Our conceptualisation of OCCs must accord priority not only to the acquisition of tools, devices and software developed by other nations, but also to building internal capacity through investment in the creation and dissemination of technical knowledge and in skill development.

This view also finds support in the United Kingdom’s articulation of defence ‘cyber capability’. In the UK’s Cyber Primer formulated by the Ministry of Defence, it is acknowledged (see fn 7) that defence cyber capabilities can be a combination of hardware, firmware, software and operator action (emphasis added).

Yet, surprisingly, the ASPI’s concluding definition of OCCs equates offensive capabilities with offensive cyber operations (OCOs): “offensive cyber capabilities are defined as operations in cyberspace to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.” (emphasis added)

The underlying logic of this equation is perhaps the old adage that the proof of the pudding is in the eating. In ASPI’s conceptualisation, to ‘have’ OCCs would be meaningless, and not entirely credible, if no OCOs are conducted by the entities claiming to possess them. However, from a legal standpoint, one cannot say that ‘capabilities’ and ‘operations’ are synonymous, any more than one could claim that possessing ‘arms/ammunition/weapons’ is synonymous with an ‘armed attack’.

This leads us to an obvious question – what are offensive cyber operations?

Offensive Cyber Operations: Cyber Attacks (or Exploits) by Another Name?

In the United States’ military doctrine, Offensive Cyber Operations (OCOs) are understood to be operations that are “intended to project power by application of force in or through cyberspace.”

This definition of OCOs is also reiterated in the March 2020 report of the Cyberspace Solarium Commission (CSC). The CSC was constituted last year by the US Congress under the John S. McCain National Defense Authorization Act, 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences” and presented its report to the public on 11 March 2020.

Over the years, US military doctrine and the strategy documents of the Department of Defense (DoD) have also used a variety of terms to classify cyber operations. In 2006, the DoD preferred the broader term ‘Computer Network Operations’ (CNOs) to ‘cyber attacks’, as seen in its National Military Strategy for Cyberspace Operations. CNOs were classified into computer network attack (CNA), computer network defense (CND) and computer network exploitation (CNE).

More recent documents have dropped the use of the term ‘CNO’ and exhibit a preference for ‘cyberspace operations’ or ‘cyber operations’ instead. The US DoD Dictionary of Military and Associated Terms defines ‘cyberspace operations’ as ‘[t]he employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace’.

Yet, in spite of the multiplicity of terms employed, offensive cyber capabilities can be categorised broadly as the ability to conduct either a cyber attack or a cyber exploitation. Although similar, it is important to distinguish cyber attacks from cyber exploitations. Herbert Lin has observed that “[t]he primary technical difference between cyber attack and cyber exploitation is in the nature of the payload to be executed—a cyber attack payload is destructive whereas a cyber exploitation payload acquires information nondestructively”.

Indeed, the US DoD dictionary defines ‘cyberspace attack’ and ‘cyberspace exploitation’ separately. A ‘cyberspace attack’ consists of ‘actions taken in cyberspace that create noticeable denial effects (i.e., degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial that appears in a physical domain’, and is considered a form of fires. In contrast, ‘cyberspace exploitation’ refers to ‘actions taken in cyberspace to gain intelligence, maneuver, collect information, or perform other enabling actions required to prepare for future military operations’.

A definition of OCOs similar to the US’ conceptualisation can also be found in the UK Cyber Primer. This Primer defines OCOs as “activities that project power to achieve military objectives in, or through, cyberspace”.

The UK envisions OCOs as one of four non-discrete categories within the broader term ‘cyber operations’, which can be used to inflict temporary or permanent effects that reduce an adversary’s confidence in networks or capabilities. Such action can support deterrence by communicating intent or threats. These four categories are (1) defensive cyber operations; (2) offensive cyber operations; (3) cyber intelligence, surveillance and reconnaissance; and (4) cyber operational preparation of the environment.

Thus, we can infer from a combined reading of all these definitions that

  1. cyber capabilities and cyber operations are not synonymous, but
  2. cyber capabilities (both the technological tools and the human skill elements) are a prerequisite to conducting OCOs, which may be intended to either –
    • ‘project power through the application of force’ (US) or
    • ‘achieve military objectives’ (UK) or
    • ‘manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks’ (ASPI) or
    • ‘destroy, damage, degrade or disrupt systems, equipment or software’ (India’s DGFT) – in or through cyberspace.

A one trick pony?

In order to execute an offensive cyber operation, the tools (or capabilities) used could range from simple malware, viruses, phishing, ransomware and denial of service attacks to more sophisticated, purpose-built software. But these tools would be futile without a vulnerability in the targeted system for them to exploit.

From the standpoint of conducting an offensive cyber operation (whether an attack or exploit), one would necessarily require:

  1. Cyber capabilities (technical tools and software) to exploit a pre-existing vulnerability, or to introduce a new vulnerability into the targeted system
  2. A specific intent (i.e. specific orders or directions to meet a particular, specified military or strategic objective through action in cyberspace)
  3. A person/organization/entity/State identified as the target (i.e. an intended target)
  4. Planning and clearly defining the expected consequences of the attack (i.e. the intended effects)

The presence or absence of any of these factors would heavily determine the likelihood of the success of a cyber attack or exploit. Often, the actual outcome of a cyber attack is different from the intended outcome. As one cyber intelligence analyst puts it, “Any cyber operator worth her salt knows that even mission-driven, militaristic hacking thrives under great, terrifying ambiguity.”

Additionally, while the tools used are time-consuming to produce, they are often rendered useless once an attack has been deployed. In most cases, this is because the operators of the system being attacked (and the vendors of the affected software) will apply security patches to close the exploited vulnerability once it becomes known in the aftermath of a cyber attack, so the same exploit can no longer be relied upon against a target that has applied the fix. For this reason, OCCs, especially those that have been ‘specially designed or modified for use in military offensive cyber operations’, once deployed, have extremely limited to negligible potential for re-use or re-deployment, especially against the same target. Hence, without sufficient emphasis on and investment in human skills and capabilities, the effectiveness of the available technical tools would also suffer in the long run.

A ‘digital strike’ to start a ‘cyber war’?

To be termed an ‘armed attack’ or an unlawful ‘use of force’ in international law, the deployment of cyber capabilities in an OCO must cause actual physical damage comparable in scale and effects to that of a conventional, kinetic attack. Although some attacks or exploitations in cyberspace could result in physical damage akin to that caused by a traditional kinetic attack, most do not.

Drawing from a list of significant cyber incidents recorded by the Center for Strategic and International Studies (CSIS), we can observe that very few attacks carried out in the past had the potential to lead to casualties. Scholars still disagree if all these cyber incidents could be termed as ‘a use of force’ or ‘a tool of coercion’ in international law.

However, it is interesting to note that the intent of the perpetrator of a cyber attack, a crucial element baked into the American definitions of OCOs, is conspicuously missing from the international law analyses used to classify cyber attacks as a ‘use of force’ or ‘armed attack’, which rely largely on the scale and effects (actual, not intended) of the cyber attack (see Tallinn Manual 2.0, Rules 69 and 71). The omission of any reference to human skill or judgment in the US definition of cyber capabilities, too, provides additional insulation from inquiries into the actual intent of the perpetrator of a cyber attack.

At this point in time it is difficult to conceptualize a ‘war’ that is waged exclusively in cyberspace and does not manifest physical effects or spill over into other domains, not just air, land and sea, but also the economy. For this very reason, i.e. the interconnectedness of cyberspace with the other domains in which conflict between competing interests manifests, OCCs provide States a strategic military advantage by strengthening the effectiveness of conventional means and methods of warfare and streamlining military communications. However, the increasing dependence of the Government, critical infrastructure and businesses on the internet in the networked economy necessarily implies that a failure to develop or acquire cyber capabilities will make regular economic losses and disruptions by way of cyber attacks inevitable.

This leads us to another question worth considering in the context of State hostilities in cyberspace: whether economic losses occasioned by cyber attacks can be considered as a factor in determining whether their scale and effects are comparable to those of a kinetic armed attack.

Both cyber attacks and cyber exploitations hold the potential to cause economic losses to the State under attack. Today it is common knowledge that the notorious WannaCry and NotPetya attacks resulted in losses running into billions of dollars. Attacks on financial systems, on commercial software, platforms or applications that generate economic value, or on civilian infrastructure closely linked with the State’s economy could all fall under this risk. Such attacks can also substantially slow down State functions if the chaos generated within cyber systems spills over into the physical realm.

We must also remember that any response to this question cuts both ways: if India, or any other nation, wishes to treat economic losses caused by hostile States and other actors in cyberspace as indicative of an unlawful ‘use of force’ or an ‘armed attack’ in cyberspace, we must also be prepared to have our adversaries draw similar conclusions regarding economic losses inflicted upon them, and anticipate retaliatory action.

Given the massive risks to the economy associated with a high incidence of cyber attacks, it would be interesting to observe what direction the debate on offensive cyber capabilities takes with the release of the National Cyber Security Strategy 2020. With India’s cyber ecosystem under development, both the cyber offence and cyber defence capabilities are of immense strategic value and merit a deeper exploration and stricter scrutiny by policymakers.

This question lingers as an especially intriguing one, as the amendments to Appendix III of the ITC-HS classification referred to in our last post have now been taken down from the website of the Directorate General of Foreign Trade, only to be replaced by a sanitized version of the SCOMET list amended on 11.06.2020, one that includes no reference to ‘military offensive cyber operations’ or even to ‘cyber’ simpliciter. Even the reference to ‘intrusion software’ under head 8E401 has now been omitted. The version of the SCOMET list that we relied on for our previous post is no longer available on the DGFT website, but for interested researchers it can be downloaded here on CCG’s Blog.

Does India have offensive cyber capabilities?


By Gunjan Chawla

While we await the release of the much-anticipated National Cyber Security Strategy 2020 (NCSS), a very significant development in the domestic regulation of foreign trade, by way of an amendment quietly inserted by the Directorate General of Foreign Trade (DGFT) on 11.06.2020, contains a strong indication of the direction we can expect the NCSS document to take.

The Foreign Trade Policy (FTP) is formulated and notified by the DGFT under the statutory authorization provided by Section 5 of the Foreign Trade (Development and Regulation) Act, 1992. The FTP regulates, among many other things, the import and export of certain types of technologies. It also gives effect to India’s obligations under international export control regimes like the Wassenaar Arrangement.

The latest FTP was formulated for the period of 2015-2020, and last revised in December 2017. The FTP is published in three parts – (i) the Policy Document (ii) Handbook of Procedures and (iii) the ITC-HS Classification.

The Indian Trade Classification based on Harmonized System of Coding, better known as the ITC-HS classification system uses eight digit codes to describe and categorize items subject to regulation. Schedule I of the ITC-HS deals with import policy, while Schedule II of the ITC-HS describes the rules and regulations related to export policies.

Appendix III to Schedule II contains a descriptive list for the category of SCOMET (Special Chemicals, Organisms, Materials, Equipment and Technology). The SCOMET list itemises goods, services and technologies with civilian and military applications, including some ‘dual-use items’, for the purpose of export control regulation.

Category 6 of the SCOMET list is the Munitions list, while Category 8 relates to “Special Materials and Related Equipment, Material Processing, Electronics, Computers, Telecommunications, Information Security, Sensors and Lasers, Navigation and Avionics, Marine, Aerospace and Propulsion”.

Under 6A021, which falls under the Munitions list, “software” subject to export control regulations is now defined to include,

“Software” specially designed or modified for the conduct of military offensive cyber operations;

Note 1 6A021.b.5. includes “software” designed to destroy, damage, degrade or disrupt systems, equipment or “software”, specified by Category 6, cyber reconnaissance and cyber command and control “software”, therefor.

Note 2 6A021.b.5. does not apply to “vulnerability disclosure” or to “cyber incident response”, limited to non-military defensive cybersecurity readiness or response.

Note 2 under 6A021 appears as a welcome relief to the information security research community by keeping vulnerability disclosures beyond the purview of export control regulations. However, it is relevant to mention that “vulnerability disclosures” and “cyber incident response” had already been excluded from the purview of export control restrictions in an earlier amendment to the SCOMET list on 03.07.2018. That exception, though, appears not under Category 6 but under Category 8, as an exception to head 8E401 Computers (Technology). Therefore, the exception carved out under 6A021 by the 11.06.2020 amendment is a mere reiteration of the exception already contained under 8E401, inserted by the amendment of 03.07.2018, which reads as follows:

c. “Technology” for the “development” of “intrusion software”.

Note 1: 8E401.a and 8E401.c do not apply to ‘vulnerability disclosure’ or ‘cyber incident response’.

 Note 2: Note 1 does not diminish national authorities’ rights to ascertain compliance with 8E401.a and 8E401.c.

Technical Notes:

1. ‘Vulnerability disclosure’ means the process of identifying, reporting, or communicating a vulnerability to, or analysing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.

2. ‘Cyber incident response’ means the process of exchanging necessary information on a cyber security incident with individuals or organizations responsible for conducting or coordinating remediation to address the cyber security incident.

Therefore, our export control regulations may have been cognizant of and sensitive to the need for ensuring the free flow of data and information with regard to vulnerability disclosures and cyber incident response since 2018. It is also relevant to mention that the previous version of this list, dated 24.04.2017, made no reference whatsoever to ‘cyber incident response’ or ‘vulnerability disclosure’.

The June 2020 amendment to the SCOMET list is a highly significant development, as this is the first official document in the broader ecosystem of tech regulation in India that strongly suggests the existence of offensive cyber capabilities specially designed for military use.

MeitY had earlier made a passing reference to “offensive cyber” in a draft report authored by one of four Committees constituted in February 2018 for the promotion of AI and the development of a regulatory framework. The Report of Group D, the Committee on Cyber Security, Safety, Legal and Ethical Issues, briefly speaks of “defensive and offensive AI techniques”. However, this report contained recommendations that do not carry the force of law. In contrast, the DGFT’s latest amendment to the SCOMET list has the effect of subjecting the export of such technologies to strict regulatory control by the Government.

This regulatory development stands in contrast to the response of National Cyber Security Coordinator Lt. Gen. Pant in an interview to Medianama on 2 June 2020, only a few days before the date of this amendment to the SCOMET list:

MediaNama: In terms of follow-up to hardware and software procurement, does India procure any software as cyber weapons? Is there a process to import or export them? There has been a discussion at the Open-ended Working Group [OEWG] at the UN regarding global procurement of cyber weapons. What is India’s position, policy on procurement of cyber weapons?

Lt General Pant: No, no. I don’t think anyone will be speaking of cyber weapons, sale or anything like that.

It now remains to be seen whether the National Cyber Security Strategy, yet to be released, will officially acknowledge the existence of ‘offensive cyber capabilities’, if not ‘cyber weapons’ within India’s cyber ecosystem.

Technology and National Security Law and Policy: Seminar Course Curriculum [February-June 2020]

Given the rapidly evolving landscape of international security issues and the challenges and opportunities presented by new and emerging technologies, Indian lawyers and policymakers need to acquire the capacity to engage effectively with national security law and policy. However, curricula in Indian law schools do not engage adequately with issues of national security. National security threats, balance of power, issues of secrecy and political accountability, terrorism and surveillance laws tend to be discussed in a piece-meal manner within various courses or electives.

To fill this knowledge gap within the legal community, the Centre for Communication Governance at National Law University Delhi (CCG-NLU) offered this seminar course to fourth and fifth-year students of the B.A. LL.B. (Hons.) Programme in February-June 2020.

The course explores interdisciplinary approaches in the study of national security law and policy, with a particular focus on issues in cybersecurity and cyberwarfare. Through this course curriculum, we aim to (1) recognize and develop National Security Law as a discrete discipline of legal studies, and (2) impart basic levels of cybersecurity awareness and inculcate good information security practices among tomorrow’s lawyers.

The curriculum is split into six modules taught over a period of 12 weeks:

  • Module I: Unpacking ‘National Security’
  • Module II: Introduction to Strategic Thinking – Linking Law and Policy
  • Module III: National Security in the Domestic Sphere
  • Module IV: War and National Security in International Law
  • Module V: Cybersecurity, Cyberwarfare and International Law
  • Module VI: Cybersecurity in India

The course outline and reading list can be accessed here:

CCG’s Comments on the NODE Whitepaper

By Shashank Mohan and Nidhi Singh

In late March, the Ministry of Electronics and Information Technology (MeitY) released its consultation whitepaper on the National Open Digital Ecosystems (NODE). The NODE strategy was developed by MeitY in consultation with other departments and stakeholders, as a part of its efforts to build an enabling ecosystem to leverage digital platforms for transformative social, economic and governance impact, through a citizen-centric approach. The Whitepaper highlights key elements of NODE, and also its distinction from the previous models of GovTech. The Centre submitted its comments on the NODE Whitepaper on 31 May 2020, highlighting some of our key concerns with the proposed strategy.

The NODE Whitepaper proposes a complex network of digital platforms with the aim of providing efficient public services to the citizens of India. It defines NODE as open and secure delivery platforms anchored by transparent governance mechanisms, which enable a community of partners to unlock innovative solutions, to transform societal outcomes.

Our comments on the NODE strategy revolve around four key challenges: open standards, privacy and security, transparency and accountability, and community engagement. We have provided recommendations at each stage and have relied upon our previous work around privacy, cyber security and technology policy for our analysis.

Firstly, we believe that the NODE Whitepaper stops short of providing a robust definition of openness, and does not comprehensively address existing Government policies on open source software and open APIs. We recommend that existing policies are adopted by MeitY where relevant, and are revised and updated at least in the context of NODEs where required.

Secondly, one of the key concerns with the NODE Whitepaper is the lack of detailed discussion on the aspects of data privacy and security. The Whitepaper does not consider the principles of data protection established in the Personal Data Protection Bill, 2019 (PDPB 2019) or take into account other internationally recognised principles. Without adequately addressing the data privacy concerns which arise from NODEs, any policy framework on the subject runs the risk of being devoid of context. The existence of a robust privacy framework is essential before instituting a NODE-like architecture. As the PDPB 2019 is considered by Parliament, MeitY should, as a minimum, incorporate the data protection principles as laid down in the PDPB 2019 in any policy framework for NODEs. We also recommend that in order to fully protect the right to privacy and autonomy of citizens, participation in or the use of NODEs must be strictly voluntary.

Thirdly, a NODE framework built with the aim of public service delivery should also incorporate principles of transparency and accountability at each level of the ecosystem. In a network involving numerous stakeholders including private entities, it is essential that the NODE architecture operates on sound principles of transparency and accountability and sets up independent institutions for regulatory and grievance redressal purposes. Public private relationships within the ecosystem must remain transparent in line with the Supreme Court jurisprudence on the subject. To this end, we recommend that each NODE platform should be supported and governed by accountable institutions, in a transparent manner. These institutions must be independent and not disproportionately controlled by the Executive arm of the Government.

Lastly, we focus on the importance of inclusion in a digital first solution like the NODE. Despite steady growth in Internet penetration in India, more than half of its population does not enjoy access to the Internet and there is a crucial gender gap in the access to Internet amongst Indians, with men forming a majority of the user base. Learning from studies on the challenges of exclusion from the Aadhaar project, we recommend that the NODE architecture must be built keeping in mind India’s digital infrastructure. Global best practices suggest that designing frameworks which are based on inclusion is a pre-condition for building successful models of e-governance. Similarly, NODEs should be built with the aim of inclusion, and must not become a roadblock for accessing public services by citizens.

Public consultations like these will go a long way in building a robust strategy on open data systems as numerous stakeholders with varied skills must be consulted to ensure quality and efficacy in e-governance models. We thank MeitY for this opportunity and hope that future developments would also follow a similar process of public consultations to foster transparency, openness and public participation in the process of policy making.

Our full comments submitted to the Ministry can be found here.

ICANN Rejection of .ORG Sale to Ethos Capital: A Win for Public Interest?

On the 30th of April 2020, the Internet Corporation for Assigned Names and Numbers (ICANN) blocked the sale of the Public Interest Registry (PIR) to a private equity firm, Ethos Capital. The sale was announced by the Internet Society (ISOC) in November 2019. While on the face of it, the sale seemed like a routine transaction, it had much broader implications for the future of the three bodies involved, namely ISOC, PIR and ICANN and the internet in general.

Before we can unpack the implications of this refusal, we must introduce the players and set out the background to this sale.

Background

ICANN, founded in 1998, is a private not-for-profit corporation based in Los Angeles. ICANN is responsible for the management of the Domain Name System (DNS). It promotes competition in domain registrations (a domain name is a human-readable string that identifies a host or zone on the internet; common examples of top-level domains are dot-net, dot-com etc.) and develops policy on the internet’s unique identifiers (the names and numbers, such as IP addresses, that locate a resource on the internet). ICANN is therefore responsible for maintaining universal resolvability, i.e. ensuring that a given domain name resolves to the same resource wherever on the internet it is looked up, so that the internet does not fragment into separate national networks. ICANN thus helps to manage and maintain certain core infrastructure which keeps the internet on.

ICANN operates through a unique multi-stakeholder model. Any technical changes to the internet are raised within the supporting organizations of ICANN. These suggested changes are then released for public review. The ICANN review process generally consists of at least two rounds of public comment: once the initial suggestions are incorporated, the proposal is released for a second round of review. The ICANN board, taking into account the reports made by these bodies and the comments received, then makes a decision concerning the proposed change.

ISOC is a non-profit organization which was founded in 1992 and works towards an open, globally-connected, secure and trustworthy internet for all. ISOC promotes the concept of ‘internet for all’ and is composed of both individual and organizational members. It is governed by a board of trustees composed of 13 members who are appointed by chapters, organizational members and the Internet Engineering Task Force.

ISOC currently controls the dot-org (.org) domain through the Public Interest Registry (PIR), a not-for-profit organization created by ISOC in 2002 and based out of Virginia. PIR took over the operations and management of dot-org in 2003 and has since launched and managed the dot-NGO and dot-ONG top-level domain names as well. The PIR is responsible for maintaining the registry of all the domains in the dot-org community. PIR is also an active member of ICANN.

The other party to the sale, Ethos Capital is a specialized investment firm which focuses on companies in which technology can be used to automate and optimize traditional business models. It was founded in June 2019, just a few months before the sale.

In this post, we shall examine the details of the proposed sale of the dot-org domain, the issues which arose as a consequence of the sale and finally what the implications of the refusal by the ICANN will be on the future of dot-org.

What is dot-org (.org)

Dot-org was created in 1984 as one of the internet’s original top-level domains, other domains from this era include dot-edu, dot-net, dot-com, dot-gov. Dot-org is one of the oldest and the third largest domain on the internet. The domain is home to over 10.5 million websites and is most recognizable for hosting non-profit websites. It is managed by the PIR.

The initial term of the agreement between PIR and ICANN ended in June 2019, following which the parties renewed the agreement for a period of 10 years. The agreement is based upon the provisions of the generic top-level domain registry agreements, which are entered into between ICANN and the registry operator (the entity responsible for providing the registry services), in this case PIR. The renewal agreement included some important changes, including the removal of price caps and the adoption of public interest commitments and the Public Interest Commitment Dispute Resolution Process (PICDRP). These changes to the renewal agreement played a significant role in the proposed sale between ISOC and Ethos Capital.

The agreement between Ethos Capital and ISOC over the sale of PIR would have the effect of altering the agreement between PIR and ICANN, and thus ICANN would have had to consent to the sale as well. Section 7.5 of the contract between ICANN and PIR mandates that PIR must seek ICANN’s approval before a change of control and that such consent cannot be withheld unreasonably by ICANN. Consequently, after the announcement of the sale by ISOC, ICANN started the process of reviewing the sale.

While the technical specifications of PIR, and the contract for its sale are relatively clear, the transaction itself was mired in controversy. This was, for the most part, due to the perceived value of the dot-org domain.

Before we move on to the details of the sale, and the consequences of the same, we must first examine the arguments supporting the value of dot-org.

The dot-org domain derives most of its value from the belief that it is primarily used by non-profits, and that it adds credibility to a hosted domain. The dot-org domain is generally thought of as being synonymous with non-profit organizations. This is also bolstered by the fact that many large international organisations and non-profits such as the United Nations, the International Committee of the Red Cross, the Wikimedia Foundation, Greenpeace, YMCA, the Red Cross, Human Rights Watch etc. use the dot-org domain. Dot-org is the second most valuable namespace, behind dot-com.

The dot-org domain is an ‘open’ domain, as opposed to a closed one like dot-edu; consequently, anyone can register a dot-org domain, regardless of their for-profit status. The trust in the dot-org domain is a remnant of its historical status, and there is no evidence to support the theory that it is mostly used by non-profits. The true value of the dot-org domain is essentially the public perception of trust which is associated with it, regardless of the actual identity of the actors using the service.

The sale of dot-org (.org)

In November 2019, ISOC announced the acquisition of the PIR by Ethos Capital. PIR would continue to oversee the management and mission of dot-org, but would now come under the oversight of Ethos Capital. The proposed transaction was estimated to close by the first quarter of March, and in its statement, ISOC reaffirmed PIR’s ability to meet the ‘highest standards of public accountability and transparency’. The statement also noted that the transaction would infuse ISOC with a large endowment and sustainable funding, which would allow ISOC to expand its work in internet governance. The sale was also said to cause no disruption of service to the dot-org community or to any of its educational initiatives.

This sale was immediately opposed by many, due to concerns that the prices of domain registrations would increase, subjecting many non-profit websites to large price hikes. This fear is also backed by ICANN’s decision in July 2019, which lifted the price caps on all dot-org domains. The decision was heavily criticized, as it could potentially lead to major price hikes on domains, and also because the move had been undertaken despite almost universal opposition to it. This removal of price caps, taken in conjunction with the sale of PIR to a for-profit organization, led to rising fears of price hikes for the dot-org domain.

The list of those opposing the sale of the dot-org domain was wide and varied. ICANN received missives from the governments of France and Germany. While France did not outright advocate refusing the sale altogether, it questioned the commitments made by Ethos Capital, and commented upon the insufficiency of the time provided to ICANN to deal with the matter. Similarly, Germany also commented upon the insufficiency of the information provided and asked ICANN to conduct further reviews of the proposed transaction.

Another important opposition to this sale came from the Office of the Attorney General of the state of California, which urged ICANN to reject the transfer of PIR to Ethos Capital. It cited concerns such as the lack of transparency about the future plans of Ethos Capital, potential operational uncertainty for PIR and the repayment of the 300 million USD debt which would be assigned to PIR after the sale. In light of the possible risks to the non-profit community, the Attorney General suggested rejecting the sale.

The sale was also subjected to scrutiny by a number of US senators and members of Congress. At least three letters were sent by groups of representatives to ISOC, PIR and ICANN raising concerns about the deal. In a letter to ICANN dated 18 March 2020, Senators Elizabeth Warren, Ron Wyden, Richard Blumenthal, Edward J. Markey and Representative Anna G. Eshoo advocated against the sale. The letter argues that such a sale would be contrary to ICANN’s commitment to public benefit, and would ultimately have the effect of undermining the reliability of dot-org as a whole. In addition to concerns of transparency and a potential price hike, they also argue that the initiatives suggested by Ethos Capital (mentioned below) would be toothless. The letter therefore advocates strongly for ICANN to reject the proposed sale.

Finally, the deal saw a massive pushback, including a public campaign by over 900 organisations led by the Electronic Frontier Foundation (EFF). Many activists and organisations also demonstrated against the proposed sale at a rally at ICANN’s LA headquarters in January. Additionally, many others, including UNESCO, made representations to ICANN through its public comment process, asking ICANN to withhold consent for this transaction.

While the proposed sale had more than its share of opposition, other experts took a different position regarding the sale. It was argued that the amendments proposed by Ethos, through the Public Interest Commitments, as discussed in the next section, could have been used to patch up the holes left by the new registry agreement between ICANN and PIR. 

Public Interest Commitments

Following the announcement of the sale, Ethos Capital also released a series of key initiatives to allay the fears surrounding the sale of dot-org. These initiatives were announced as public interest commitments (PICs), voluntarily undertaken by Ethos to reinforce the company’s commitment to the dot-org community. The company proposed that these commitments could be added to the registry agreement which exists between PIR and ICANN, thus making them legally binding.

These included measures such as enforcing a price limit to bolster the affordability of dot-org domain names, by capping the increase in the registration or renewal charges for a domain name at 10% per year on average, for eight years. Ethos also announced the setting up of a new ORG Stewardship Council, which would have the power to veto any resolution passed by the PIR on the censorship of the freedom of speech and expression, or on the use of user data. It also announced the establishment of community enablement funds to the tune of 10 million USD and the release of annual public reports to ensure transparency in the working of the PIR.

In support of the Stewardship Council, Ethos released a series of updates, including the proposed charter and the nomination process, and even appointed an independent search firm, Heidrick & Struggles, as the agency which would handle nomination requests from the community.

The enforcement mechanism of these commitments remained vague. Since the inclusion of the PICs in the registry agreement with ICANN would make them legally binding, PIR could not have unilaterally amended them, and in case of any default they would have been legally enforceable. However, it is uncertain to what extent the members of the community could enforce these commitments through the newly adopted PICDRP. The PICDRP is a relatively new dispute resolution procedure, and it is uncertain how effective it would be in resolving the challenges raised by community members.

Refusal by ICANN

The process leading up to the decision by ICANN was long and time consuming. PIR formally submitted the notice of indirect change of control to ICANN on 14 November 2019, and the final deadline for ICANN to approve or reject the transaction was 4 May 2020. The five intervening months saw several rounds of questions between ICANN and the parties to the sale. ICANN issued three requests for additional information, in December 2019, February 2020 and finally in April 2020, all of which were answered by PIR. ICANN also responded to requests by the office of the Attorney General of the State of California in January 2020, by providing information regarding the proposed transfer of PIR to allow the Attorney General’s office to ‘analyse the potential impact of the same on the non-profit community, including ICANN.’

In addition to the formal consultation process undertaken with PIR, ICANN also received over 30 letters from the ICANN community, relating to the PIR transaction. The ICANN board also convened a public forum at the 67th meeting of ICANN to encourage community dialogue on the proposed transfer of ownership of the PIR.

On 30th April 2020, ICANN finally rendered its decision, refusing the sale of the PIR to Ethos Capital. The implications of this refusal are vast.

ICANN cited several reasons for refusing the sale of PIR to Ethos Capital. These include the lack of experience on the part of Ethos, the removal of the protections of not-for-profit status, and the debt of 360 million USD which the transaction would bring to PIR, especially amid the current economic and fiscal uncertainty. The transaction would oblige the PIR to repay this debt of 360 million USD after the sale, but this would not in any way benefit the dot-org community or PIR itself. While the initial sale models had shown the capacity of PIR to repay this debt, the decision argues that the current uncertainties were not taken into account in the fiscal model, and hence it could not be relied upon.

ICANN reiterated PIR’s responsibility to serve the public interest through its operation of dot-org and other domains, and held that the transfer of this mandate to another entity could not be upheld, especially without a public interest mandate on the part of Ethos Capital. The valuation of PIR was also discussed in the order. Since its inception in 2002, PIR has created a value of 1 billion USD, which ISOC could realize through this sale, which would convert the PIR into a for-profit body.

At this point, however, it is important to clarify that the sale of PIR would not dissolve the agreements between PIR and ICANN, and that ICANN would still hold a contract with PIR, as it did before the sale. However, the board goes on to say that the changes in the form of the entity in this instance would be so significant that they would have to be considered in this change of control request.

On the other hand, in its response statement, ISOC alleged that ICANN stepped outside its remit by essentially undertaking the role of a regulator in this transaction between ISOC and Ethos Capital, which is beyond the scope of what ICANN was intended to do. This particular transaction was a transfer of indirect control, a kind of transaction which ICANN has previously accepted much more expeditiously. The statement also commented on the delay in the decision-making process. It also alludes to the possibility of political influence, raising concern on behalf of the internet community about ICANN’s potential susceptibility to it.

Additionally, PIR and Ethos Capital have also released statements condemning the move by ICANN. PIR alleges that the decision represents a failure by ICANN to follow its bylaws and processes, while Ethos Capital describes this as a dangerous precedent which will ‘suffocate innovation and deter future investment in the domain industry’. It has described the move by ICANN as ‘agenda-driven’ and based on ‘subjective interpretation’ while overstepping its mandate.

The Next Steps

The refusal on the part of ICANN has effectively stopped the sale for now. This decision took a long time, with the initial deadline being pushed from 17th February to 20th April to 4th May. However, it must also be kept in mind that in its decision ICANN reiterated that, keeping the totality of the surrounding circumstances in mind, the board supported a denial of the change of control request at this time. The PIR may later provide additional information to resolve the concerns which have been raised and re-submit, or initiate a new change of control request in favour of Ethos Capital.

It is hard to see any real winners in this transaction. While blocking the sale was considered a ‘win’ for the internet, it makes no real changes to the status quo either.

On the one hand, the primary concerns that were raised during the sale, including the potential price hike, stem from the removal of the price caps in the renewed registry agreement between ICANN and PIR; with or without the sale, the possibility of price hikes for dot-org renewals remains unchanged.

Additionally, with the failure of the deal, the proposal for the Stewardship Council has also fallen through, which could have potentially bolstered the participation of independent experts in preserving the right to freedom of speech and expression online. While the charter suggested by Ethos was not perfect, it is difficult to say that a better deal could not have been achieved. Another factor to consider here is the loss of an endowment valued at over 1 billion USD for ISOC.

On the other hand, the sale still brought up many questions of transparency which were not adequately addressed. While the central debate on the sale was based around the perceived link of non-profit organizations to the dot-org domain, Ethos’s lack of real experience or history in the field of internet governance also played a role in the refusal by ICANN. Additionally, a former employee of ICANN, Nora Abusitta-Ouri, who serves as Chief Purpose Officer, and Erik Brooks, the founder and CEO, are the only two employees of the firm. The former CEO of ICANN, Fadi Chehadé, serves as an advisor to the firm, but not much more is known about Ethos Capital.

Another possible factor which could have had an impact on the sale of PIR to Ethos is the lockdowns put into place after the outbreak of COVID-19. While the decision and the subsequent statements make no reference to the outbreak per se, the decision by ICANN does make reference to the financial and economic instability, and the potential impacts of the same. A large part of the value of the dot-org domain is attributable to the perceived rhetoric supporting the ‘non-profit’ nature of the domain. While this link between non-profits and the dot-org domain is factually inaccurate, it would still be bad optics for ICANN to go against the submissions of major non-profits, especially during a pandemic, when they are more visible.

Denying the current sale does not, in fact, address any of the concerns which were raised during the ‘Save the Dot-Org movement’. However, it is not certain that allowing the sale to a corporation which registered its domain name a mere week before the price caps on dot-org were removed would have been any better. Additionally, the sale also brought up pertinent questions relating to the public’s trust in ISOC and PIR, following the unilateral announcement of the sale.

There is nothing to stop another sale from being proposed in the future, but as of now, it seems that the internet is ‘safe’.

Supreme Court Verdict on 4G in Jammu and Kashmir Undermines the Rule of Law

The court agreed with the petitioners that the government was going against previously laid down principles – and then did nothing about it.

By Shrutanjaya Bhardwaj

This piece first appeared on The Wire on May 14, 2020

On May 11, the Supreme Court rejected a petition seeking the restoration of 4G internet services in the union territory of Jammu and Kashmir. The plea was premised on the rights violations caused by suspending the internet during a pandemic and national lockdown, including the rights to health, education, freedom of speech, freedom of trade and access to justice.

Specifically, the petition alleged violations of a January 2020 judgment of the Supreme Court, in Anuradha Bhasin vs Union of India. The court had then laid down important safeguards that the government should follow before imposing an internet shutdown.

The 4G judgment undermines the rule of law. In the judgment, the court accepts that the government has violated Bhasin, but itself fails to apply the relevant principles laid down in Bhasin. In addition, the court finally abdicates the judicial task of deciding upon the constitutional validity of the internet suspension to a “Special Committee” – composed of members of the executive.

Unconstitutional but permissible?

The most striking feature of the 4G judgment is the somewhat clear, somewhat cryptic acknowledgement that the government has violated the law laid down in Bhasin on two counts.

First, in Bhasin, the court had held that the minimal requirement for any suspension order to be lawful is that it must list the reasons for imposing restrictions: “[O]rders passed mechanically or in a cryptic manner cannot be said to be orders passed in accordance with law.” Relying on this holding, the petitioners argued that since the repeated suspension orders pertaining to Jammu and Kashmir did not disclose any reasons, they contravened Bhasin. The court agreed.

Second, in Bhasin the court was clear that any restrictions on the freedom of speech must satisfy the “proportionality” test – which means the restrictions must be a proportionate response to the aim sought to be achieved through the restrictions. Proportionality is judged by looking, among other things, at the “territorial extent” of the restriction. This means the internet must only be suspended in regions where an imminent threat to public order exists. The petitioners relied on this holding and challenged the suspension orders on the ground that they apply to the entire union territory, without explaining why such a need exists. Once again, the court agreed.

Surprisingly, however, despite agreeing with the petitioners on both counts, the court refused to invalidate the suspension orders. It held that while the petitioners’ submission would merit consideration in “normal circumstances”, the present situation in Jammu and Kashmir is “compelling” and warrants consideration.

Thus, in a unique approach to rights adjudication, the court carved out an ad hoc exception to the norms of legality and proportionality enunciated in Bhasin – in extraordinary circumstances, the court seemed to imply, constitutional safeguards are suspended.

Selective 4G access to specific websites

One facet of proportionality is that the state’s measure must be the “least restrictive” way of achieving the aim that the state seeks to achieve. In other words, out of a given set of alternatives – all of which can achieve the state’s aim – the state is obligated to choose the alternative that least burdens the right(s) in question.

According to the Bhasin bench, “before settling on [a] measure, the authorities must assess the existence of any alternative mechanism in furtherance of the… goal.” In the context of internet suspensions, one way to judge least restrictiveness is to analyse whether access has been cut off or downgraded only to particular websites which pose a threat or to the web as a whole.

In Bhasin, the court held that the state must consider the feasibility of selective blocking before resorting to a total internet shutdown. In Jammu and Kashmir, for instance, the government has been citing only social media websites as the main cause for concern because they help spread terrorism and fake news. Yet, 4G is not made available for any website, including governmental, educational, medical or news websites.

The Bhasin judgment records a specific query that the court had put to the Solicitor General – whether it was feasible to suspend only social media services rather than the entire internet. The Solicitor General had responded by saying that the same could not be done. Contrary to the Solicitor General’s claim, however, selective blocking has been employed by the government in Jammu and Kashmir after Bhasin.

2G internet was first restored in parts of the region on January 14, but only “whitelisted” sites were permitted to be accessed over the network. The number of whitelisted websites was gradually increased through the seven subsequent orders, until all websites were finally made accessible over 2G on March 4. Is it not similarly possible to selectively allow 4G access to some websites while permitting 2G access to others?

It was important to ask whether the government has explored that alternative. Yet, in an unfortunate oversight, the 4G judgment does not address the possibility of selective access at all. Contrary to the principles recognised in Bhasin, it does not hold the government accountable for its failure to consider less restrictive alternatives.

Another committee?

Finally, in a curious move, the court has set up a “Special Committee” – the Union home secretary, the Union communications secretary, and the chief secretary of Jammu and Kashmir – to “immediately” decide whether the prevalent internet restrictions are necessary. Seemingly as solace, the committee has been directed to consider the petitioners’ arguments as well. However, this is deeply problematic for at least two reasons.

First, this amounts to judicial abdication of responsibility. The constitution entrusts the function of rights adjudication exclusively to the high courts and the Supreme Court. Indeed, Article 32 of the constitution, which “guarantees” the right to approach the Supreme Court to remedy the violation of fundamental rights, prohibits the Supreme Court from abdicating in this fashion. In Prem Chand Garg vs Excise Commr., 1963, Justice Gajendragadkar eloquently spoke about the nature of the guarantee contained in Article 32:

“It is true that [fundamental] rights are not absolute…. But, the scheme of Article 19 illustrates, the difficult task of determining the propriety or the validity of adjustments made either legislatively or by executive action between the fundamental rights and the demands of socio-economic welfare has been ultimately left in charge of the High Courts and the Supreme Court by the Constitution…. The fundamental right to move this Court can, therefore, be appropriately described as the corner-stone of the democratic edifice raised by the Constitution. That is why it is natural that this Court should, in the words of Patanjali Sastri J., regard itself “as the protector and guarantor of fundamental rights,” and should declare that “it cannot, consistently with the responsibility laid upon it, refuse to entertain applications seeking protection against infringements of such rights.”…. In discharging the duties assigned to it, this Court has to play the role “of a sentinel on the qui vive” and it must always regard it as its solemn duty to protect the said fundamental rights zealously and vigilantly.” (emphasis added)

The constitution, therefore, does not leave the Supreme Court with the option of abdicating its duties in favour of a committee no matter how special. Coupled with the general deferential approach evident from the judgment, this abdication by the court might have the unintended and unfortunate effect of signalling to the government that the extraordinary situation in Jammu and Kashmir is a warrant to commit unconstitutional action without accountability.

Second, passing the buck to the “Special Committee” amounts to making the executive a judge in its own cause. The suspension order that was under challenge in the 4G case was passed by the government of Jammu and Kashmir, and the Committee formed to decide upon the validity of that order includes the chief secretary of the same government (Respondent No. 1 before the Court). The other two members of the Committee – the Union home secretary (Respondent No. 2) and Union communications secretary – are both part of the Central government, which practically dictates the terms in Jammu and Kashmir.

Therefore, this abdication by the court completely abandons the principle of checks and balances by asking the executive to review its own orders.

The court should have been stricter in its approach. It should have sought a justification from the government for not applying its mind to lesser restrictive alternatives. It should have remained consistent with the law it laid down in Bhasin and struck down the admittedly unreasoned suspension orders.

Most of all, it should not have abdicated its responsibility in favour of the government itself. Although such an attitude would not prevent the passing of fresh suspension orders, it would certainly compel the government to think more seriously and narrowly tailor its future orders so that they only fit existing security needs and go no further.

Shrutanjaya Bhardwaj is a Delhi-based lawyer and a Fellow at the Centre for Communication Governance at National Law University Delhi

Supreme Court’s order on Kashmir internet shutdown: Judicial abdication or judicial restraint?

This post first appeared on Times of India on May 12, 2020

The Supreme Court on Monday pronounced its order in the Foundation of Media Professionals v. Union Territory of J&K (for the restoration of 4G services in Jammu and Kashmir).

The Court did not allow for the restoration of services – nor did it engage with the arguments of the parties in its order. Instead, the Court asked a special committee headed by the Union Home Secretary and comprising the Secretary of the Department of Communications, Government of India and the Chief Secretary of the Union Territory (UT) of Jammu and Kashmir (J&K) to examine the prevailing circumstances in the UT and determine whether the restrictions on internet services should continue.

Arguments of Parties

The current petition was filed by the Foundation for Media Professionals, a not-for-profit comprising journalists, which works to uphold media freedom and promote quality journalism. In its petition, the foundation prayed for the restoration of 4G services in J&K with immediate effect. Apart from raising the challenge on the ground of the right to freedom of speech and expression [Article 19(1)(a) of the Constitution], the petition also contended a violation of Articles 19(1)(g), 21 and 21A of the Constitution.

According to the petitioners, the restriction on 4G internet in the times of Covid-19 restricts the rights to business, education, health, and speech and expression of the people of J&K. The restriction makes it impossible for individuals in J&K to access information, government advisories, and orders relating to Covid-19. It makes it impossible for doctors to have video consultations and prevents the doctors in the UT from gaining access to the latest studies and treatments for Covid-19. This violates the right to healthcare of the people and is a violation of Article 21. The right of access to justice of people in J&K is also restricted (since most courts are only functioning through video conferencing and filing is also taking place online), thereby violating Article 21. These restrictions also prevent a large number of people in J&K from complying with the work-from-home orders of the government and violate the right to trade under Article 19(1)(g) and the right to livelihood under Article 21.

The petitioners also argued that the order by the J&K administration does not adhere to the requirements laid down by the Supreme Court in the recent judgment in Anuradha Bhasin v. Union of India.

A significant argument of the petitioner was also that given the situation arising due to the spread of Covid-19 and the unprecedented times we are in, the restriction on 4G services is disproportionate since it applies to the entire J&K.

The government, on the other hand, argued that because of the prevailing security situation in J&K and the use of the internet by insurgents and terrorists to spread violence, it is not possible to provide 4G services in the region. It also contended that there is no restriction over broadband and fixed line internet, and that the government is taking alternate measures to provide information relating to Covid-19 and for the education of students in the region.

Anuradha Bhasin and Guidelines for Internet Shutdown

In Anuradha Bhasin, the Court laid down various guidelines/ safeguards which the government needs to follow before ordering an internet shutdown.

It held that the shutdown order should specify the exact duration of a shutdown and it cannot be indefinite. It directed the Review Committee formed under the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017, to review the shutdown orders every seven days.

Additionally, the Court stated that these orders must pass the test of proportionality. It held that the government must identify the exact stage of public emergency before shutting down the internet, since that will assist the committee in determining the proportionality of the measure.

However, despite laying down all the principles, the Court did not decide the validity of the shutdown orders and passed on this job to the review committee.

The Current Order: Second Round of Judicial Abdication on Internet Shutdowns?

In the current case, despite having the benefit of the Anuradha Bhasin guidelines, the Court did not apply them. As stated above, it instead asked a special committee to determine the question of the continuation of the internet restrictions.

The Court starts by stating that fundamental rights need to be balanced with national security concerns. It rightly points out the importance of national security concerns prevailing in J&K and their role while deciding on the restrictions.

In Bhasin the Court already acknowledged that modern terrorism relies heavily on the internet, noting that the internet is being used to support proxy wars and to raise money, recruit and spread propaganda. It has been well established that infiltration attempts in the Kashmir valley increase from May every year. This year too, around 300 terrorists are waiting to cross over from Pakistan-occupied Kashmir to India. There is also a fear of terrorists using drones in J&K.

In light of this, a clear public emergency situation exists. However, the question is whether the situation is the same in the entire Union Territory of Jammu and Kashmir and requires a restriction on 4G services in the entire region, or is the restriction overbroad?

The Court, in its order, found that the order prohibiting 4G internet services, while limited, does not specify the reasons for the restriction throughout J&K. The Court has held that the order limiting services should only apply to areas “where there is absolute necessity of such restrictions to be imposed, after satisfying the directions passed earlier” [in Anuradha Bhasin].

However, strangely the Court states that “A perusal of the submissions made before us and the material placed on record indicate that the submissions of the Petitioners, in normal circumstances, merit consideration. However, the compelling circumstances of cross border terrorism in the Union Territory of Jammu and Kashmir, at present, cannot be ignored.”

While the prevailing security situation in J&K may be a legitimate aim for restricting the 4G internet service and should be a factor in determining the proportionality of the restrictions, the order does not explain how this is a reason for the Court to refuse to apply its own judgment and the legal principles laid down therein.

The Court should have found the current J&K Order for restricting 4G services illegal and struck it down for not complying with the guidelines under the Telecom Suspension Rules and safeguards laid down in Bhasin. To balance it with the security concerns in J&K – the Court could have additionally provided the J&K administration a few days to come up with a new order (if they so desired), which complies with the guidelines.

The Road Ahead

The Court has directed the special committee to look at the material presented by the petitioners and to examine the alternatives, including the petitioners’ suggestions of placing restrictions only in areas where there is a serious public emergency situation and allowing 3G/4G internet in certain areas on a trial basis.

While it does not provide immediate relief to the residents of J&K, this judgment like Bhasin is a little step forward in making internet shutdowns in India more transparent, proportional and accountable. The order by the Jammu & Kashmir administration prohibiting 3G/4G services in the region expired yesterday. One can only hope that if a new order is passed, the administration will comply with the guidelines under Bhasin and limit the restriction only to areas where there is an actual security threat.

In a country which has the highest number of internet shutdowns in the world, these incremental steps by the highest Court of the country may not be enough. Ultimately they leave the fate of a large part of India’s population in the hands of bureaucrats – who may not be the best suited to make these decisions on proportionality. However, along with Bhasin, today’s order and its limited reasoning is something to be built upon in future challenges to internet shutdowns in India.