Analysing India’s Bilateral MOUs In the Field of Information and Communication Technologies (ICTs)

Sukanya Thapliyal

Introduction

As per the latest figures released by the International Telecommunication Union (ITU), post-COVID-19, the world witnessed a sharp rise in the number of internet users from 4.1 billion people (54% of the world population) in 2019 to 4.9 billion people (63% of the world population) in 2021. However, the same report states that some 2.9 billion people remain offline, 96%  of whom live in developing countries. These stark differences emanate from several barriers faced by the residents of the developing countries and include lack of access because of unaffordability of ICT services, lack of strong technological and industrial bases, inadequate R&D facilities, and deficient ICT operating skills. 

Countries are increasingly exploring different ways to partner with other countries through multilateral, bilateral, and other legal arrangements. The countries often forge bilateral cooperation with other countries through signing Memorandum of Understanding(MOUs), Memorandum of Cooperation (MOCs) and creating Joint Working Groups, and Joint Declarations of Intent, among others. These are informal legal instruments as compared to typical treaties or international agreements, and promote international cooperation in strategic interest areas. India has a detailed Standard Operating Procedure (SOP) with respect to MOUs/agreements with foreign countries. The SOP lays down the Indian legal practice on treaty formation and detailed guidelines in respect to the different international agreements that may be signed by the countries. 

India has executed several MOUs, MOCs, Joint Declaration of Intent, and Working Groups to identify common interests, priorities, policy dialogue, and the necessary tools for ICT collaboration. These include a broad range of areas,  including the development of IT software,  telecom software, IT-enabled services, E-commerce services & information security, electronic governance, IT and electronics hardware, Human Resource Development for IT education, IT-enabled education, Research and Development, strengthening the cooperation between private and public sector, collaboration in the field of emerging technologies, capacity building and technical assistance in the ICT sector. 

Aims and Objectives

This mapping exercise lists the numerous bilateral MOUs, Joint Declarations and other agreements signed between India and partner countries to locate the nature and extent of international collaborative efforts in the ICT sector. Furthermore, this mapping exercise aims to understand India’s strategic interests and priority areas in the sector and evaluate India’s unique positioning in South-South Cooperation. The said mapping exercise remains a work in progress and shall be updated at periodic intervals. 

Methodology

The mapping exercise includes an assessment of 36 MOUs and 5 other agreements subdivided into four categories: Fixed Term/ Renewed ICT MOUs (13), Open-Ended ICT MOUs (4), ICT MOUs with Pending Renewal/ Extension and Expired MOUs (19), and Joint Declaration and Proposals concerning ICT Sector (5). The relevant details of  such MOUs are derived from publicly available information provided by the Ministry of Electronics and Information Society (MeitY), Department of Telecommunication (DoT), Ministry of Communications (MOC) and the Indian Treaties Database by Ministry of External Affairs (MEA). The current analysis attempts to bring out the different MOUs, MOCs, and Joint Declarations of Intent executed by Indian authorities (MeitY, MOC and MEA), their duration of operation and the areas covered under the scope of such collaboration.   

Conclusion/Observations/Remarks:

Some of our key observations from the mapping exercise are as follows: 

• India has entered into MOUs/ Joint Declaration of Intent and other agreements with both developed and developing countries. These include Bangladesh, Bulgaria, Estonia, Israel, Japan, South Korea, Singapore, United Kingdom, among others. 
• Within India’s ICT cooperation and collaboration landscape, we have identified the following as priority areas: 

Building capacity of CERTs and law enforcement agencies	1. Cybersecurity technology cooperation relevant to CERT activities. 2. Exchange of information on prevalent cybersecurity policies and best practices. 3. CERT-to-CERT Cooperation. 4. Exchange of experiences regarding technical infrastructure of CERT.
Technical assistance and capacity building	1. Human resource development including  training of Govt. officials in e-governance. 2. Institutional cooperation among the academic and training institutions. 3. Strengthening collaboration in areas such as e-government, m-governance, smart infrastructure, e-health, among others.
Sharing of technology, standardization and certification	1. Cooperation in software development, rural telecommunication, manufacturing of telecom manufacturing and sharing of know-how technologies. 2. Cooperation in exchanging and developing technology. 3. Standardisation, testing and certification.
B2B cooperation and economic advancement	1. Enhancing B2B cooperation in cyber security. 2.Enable and strengthen industrial, technological and commercial cooperation between industry and research establishments. 3.Exploring third country markets. 4. Favourable environment for the business entities through various measures to facilitate trade and investment.

Key Priority Areas for India in ICT Sector

Mapping MOUs signed by India in the field of Information and Communication Technologies (ICT), created using https://www.mapchart.net/world.html

list-bilateral-agreements-in-the-field-of-ictDownload

Technology and National Security Law Reflection Series Paper 5: Legality of Cyber Weapons Under International Law

Siddharth Gautam^*

About the Author: The author is a 2020 graduate of National Law University, Delhi. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question: 

What are cyber weapons? Are they cyber weapons subject to any regulation under contemporary rules of international law? Explain with examples.

Introducing Cyber Weapons

In simple terms weapons are tools that harm humans or aim to harm the human body. In ancient times nomads used pointing tools to hunt and prey. Today’s world is naturally more advanced than that. In conventional methods of warfare, modern tools of weapons include rifles, grenades, artillery, missiles, etc. But in recent years the definition of warfare has changed immeasurably after the advancement of the internet and wider information and communication technologies (“ICT”). In this realm methods and ways of warfare are undergoing change. As internet technology develops we observe the advent/use of cyber weapons to carry out cyber warfare.

Cyber warfare through weapons that are built using technological know-how are low cost tools. Prominent usage of these tools is buttressed by wide availability of computer resources. Growth in the information technology (“IT”) industry and relatively cheap human resource markets have a substantial effect on the cost of cyber weapons which are capable of infiltrating other territories with relative ease. The aim of cyber weapons is to cause physical or psychological harm either by threat or material damage using computer codes or malware.

2007 Estonia Cyber Attack

For example during the Estonia –Russia conflict the conflict arose after the Soldier memorial was being shifted to the outskirts of Estonia. There was an uproar in the Russian speaking population over this issue. On 26^th and 27^th April, 2007 the capital saw rioting, defacing of property and numerous arrests.

On the same Friday cyber attacks were carried out using low tech methods like Ping, Floods and simple Denial-of-Service (DoS) attacks. Soon thereafter on 30^th April, 2007 the scale and scope of the cyber attack increased sharply. Actors used botnets and were able to deploy large scale distributed denial of service (D-DoS) attacks to compromise 85 thousand computer systems and severely compromised the entire Estonian cyber and computer landscape. The incident caused widespread concerns/panic across the country.

Other Types of Cyber Weapons

Another prominent type of cyber weapon is HARM i.e. High-speed Anti Radiation missiles. It is a tactical air-to-surface anti radiation missile which can target electronic transmissions emitted from surface-to-air radar systems. These weapons are able to recognise the pulse repetition of enemy frequencies and accordingly search for the suitable target radar. Once it is visible and identified as hostile it will reach its radar antenna or transmitter target, and cause significant damage to those highly important targets. A prominent example of its usage is in the Syrian–Israel context. Israel launched cyber attacks against the Syrian Air defence system by blinding it. It attacked their Radar station in order not to display any information of Airplanes reaching their operators. 

A third cyber weapon worth analysing can be contextualised via the Stuxnet worm that sabotaged Iran’s nuclear programme by slowing the speed of its uranium reactors via fake input signals. It is alleged that the US and Israel jointly conducted this act of cyber warfare to damage Iran’s Nuclear programme.

In all three of the aforementioned cases, potential cyber weapons were used to infiltrate and used their own technology to conduct cyber warfare. Other types of cyber risks emerge from semantic attacks which are otherwise known as social engineering attacks. In such attacks perpetrators amend the information stored in a computer system and produce errors without the user being aware of the same. It specifically pertains to human interaction with information generated by a computer system, and the way that information may be interpreted or perceived by the user. These tactics can be used to extract valuable or classified information like passwords, financial details, etc. 

HACKERS (PT. 2) by Ifrah Yousuf. Licensed under CC BY 4.0.From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

Applicable Landscape Under International Law

Now the question that attracts attention is whether there are any laws to regulate, minimise or stop the aforementioned attacks by the use of cyber weapons in International law? To answer this question we can look at a specific branch of Public international law; namely International Humanitarian law (“IHL”). IHL deals with armed conflict situations and not cyber attacks (specifically). IHL “seeks to moderate the conduct of armed conflict and to mitigate the suffering which it causes”. This statement itself comprises two major principles used in the laws of war.

Jus ad Bellum – the principle which determines whether countries have a right to resort to war through an armed conflict,

Jus in bello– the principle which governs the conduct of the countries’ soldiers/States itself which are engaging in war or an armed conflict. 

Both principles are subjected to the Hague and Geneva Conventions with Additional Protocol-1 providing means and ways as to how the warfare shall be conducted. Nine other treaties help safeguard and protect victims of war in armed conflict. The protections envisaged in the Hague and Geneva conventions are for situations concerning injuries, death, or in some cases  damage and/or destruction of property. If we analyse logically, cyber warfare may result in armed conflict through certain weapons, tools and techniques like Stuxnet, Trojan horse, Bugs, DSOS, malware HARM etc. The use of such weapons may ultimately yield certain results. Although computers are not a traditional weapon its use can still fulfil conditions which attract the applicability of provisions under the IHL.

Another principle of importance is Martens Clause. This clause says that even if some cases are not covered within conventional principles like humanity; principles relating to public conscience will apply to the combatants and civilians as derived from the established customs of International law. Which means that attacks shall not see the effects but by how they were employed

The Clause found in the Preamble to the Hague Convention IV of 1907 asserts that “even in cases not explicitly covered by specific agreements, civilians and combatants remain under the protection and authority of principles of international law derived from established custom, principles of humanity, and from the dictates of public conscience.” In other words, attacks should essentially be judged on the basis of their effects, rather than the means employed in the attack being the primary factor.

Article 35 says that “In any armed conflict, the right of the Parties to the conflict to choose methods or means of warfare is not unlimited. It is prohibited to employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury and unnecessary suffering”

The above clause means that the action of armed forces should be proportionate to the actual military advantage sought to be achieved. In simple words “indiscriminate attacks” shall not be undertaken to cause loss of civilian life and damage to civilians’ property in relation to the advantage.

Conclusion

Even though the terms of engagement vis-a-vis kinetic warfare is changing, the prospect of the potential of harm from cyber weapons could match the same. Instead of guns there are computers and instead of bullets there is malware, bugs, D-DOS etc. Some of the replacement of one type of weapon with another is caused by the fact that there are no explicit provisions in law that outlaw cyber warfare, independently or in war.

The principles detailed in the previous section must necessarily apply to cyber warfare because it limits the attacker’s ability to cause excessive collateral damage. On the same note cyber weapons are sui generis like the nuclear weapons that upshot in the significance to that of traditional weapons

Another parallel is that in cyber attacks often there are unnecessary sufferings and discrimination in proportionality and the same goes for  traditional armed conflict. Therefore, both should be governed by the principles of IHL. 

In short, if the cyber attacks produce results in the same way as kinetic attacks do, they will be subject to IHL.

---

*The views expressed in the blog are personal and should not be attributed to the institution.

Introducing the Reflection Series on CCG’s Technology and National Security Law and Policy Seminar Course

In February 2022, CCG-NLUD will commence the latest edition of its Seminar Course on Technology and National Security Law and Policy (“the Seminar Course”). The Seminar Course is offered to interested 4th and 5th year students who are enrolled in the B.A. LL.B. (Hons.) programme at the National Law University, Delhi. The course is set against the backdrop of the rapidly evolving landscape of international security issues, and concomitant challenges and opportunities presented by emerging technologies.

National security law, viewed as a discrete discipline of study, emerges and evolves at the intersection of constitutional law; domestic criminal law and its implementation in surveillance; counter-terrorism and counter-insurgency operations; international law including the Law of Armed Conflict (LOAC) and international human rights law; and foreign policy within the ever-evolving contours of international politics.

Innovations and technological advancements in cyberspace and next generation technologies serve as a jumping off point for the course since they have opened up novel national security issues at the digital frontier. New technologies have posed new legal questions, introduced uncertainty within settled legal doctrines, and raised several legal and policy concerns. Understanding that law schools in India have limited engagement with cyber and national security issues, this Seminar Course attempts to fill this knowledge gap.

The Course was first designed and launched by CCGNLUD in 2018. In 2019, the Seminar Course was re-designed with the help of expert consultations to add new dimensions and debates surrounding national security and emerging technologies. The redesign was meant to ground the course in interdisciplinary paradigms in a manner which allows students to study the domain through practical considerations like military and geo-political strategy. The revised Seminar Course engages more  deeply with third world approaches which helps situate several issues within the rubric of international relations and geopolitics. This allows students to holistically critique conventional precepts of the international world order.  

The revamped Seminar Course was relaunched in the spring semester of 2020. Owing to the sudden countrywide lockdown in the wake of COVID-19, most sessions shifted online. However, we managed to navigate these exigencies with the support of our allies and the resolve of our students.

In adopting an interdisciplinary approach, the Seminar Course delves into debates at the intersection of national security law and policy, and emerging technologies, with an emphasis on cybersecurity and cyberwarfare. Further, the Course aims to:

1. Recognize and develop National Security Law as a discrete discipline of legal studies, and
2. Impart basic levels of cybersecurity awareness and inculcate good information security practices among tomorrow’s lawyers.

The Technology and National Security Seminar Reflection Paper Series (“The Reflection Series”) is meant to serve as a mirror of key takeaways and student learnings from the course. It will be presented as a showcase of exceptional student essays which were developed and informed by classroom discussions during the 2020 and 2021 editions of the Seminar Course. The Reflection Series also offers a flavour of the thematic and theoretical approaches the Course adopts in order to stimulate structured discussion and thought among the students. A positive learning from these two editions is that students demonstrated considerable intellectual curiosity and had the freedom to develop their own unique understanding and solutions to contemporary issues—especially in the context of cyberspace and the wider ICT environments. Students were prescribed atypical readings and this allowed them to consider typical issues in domains like international law through the lens of developing countries. Students were allowed to revisit the legitimacy of traditional sources of authority or preconceived notions and assumptions which underpin much of the orthodox thinking in geostrategic realms like national security.

CCG-NLUD presents the Reflection Series with a view to acknowledge and showcase some of the best student pieces we received and evaluated for academic credit. We thank our students for their unwavering support and fruitful engagement that makes this course better and more impactful.

Starting January 5, 2022, select reflection papers will be published three times a week. This curated series is meant to showcase different modules and themes of engagement which came up during previous iterations of the course. It will demonstrate that CCG-NLUD designs the course in a way which covers the broad spectrum of issues which cover topics at the intersection of national security and emerging technology. Specifically, this includes a showcase of (i) conceptual theory and strategic thinking, (ii) national security through an international and geostrategic lens, and (iii) national security through a domestic lens.

Here is a brief glimpse of what is to come in the coming weeks:

1. Reimagining Philosophical and Theoretical Underpinnings of National Security and Military Strategy (January 5-12, 2022)

Our first reflection paper is written by Kushagra Kumar Sahai (Class of ’20) in which he evaluates whether Hugo Grotius, commonly known as the father of international law owing to his seminal work on the law of war and peace, is better described as an international lawyer or a military strategist for Dutch colonial expansion.

Our second reflection paper is a piece written by Manaswini Singh (Class of ’20). Manaswini provides her take on Edward Luttwak’s critique of Sun Tzu’s Art of War as a book of ‘stratagems’ or clever tricks, rather than a book of strategy. In a separate paper (third entry), Manaswini also undertakes the task of explaining the relationship between technological developments and the conduct of war through the lens of the paradoxical logic of strategy.

Our fourth reflection paper is by Animesh Choudhary (Class of ’21) on Redefining National Security. Animesh, in his submission, points out several fallacies in the current understanding of national security and pushes for “Human Security” as an alternative and more appropriate lens for understanding security issues in the 21^st century.

2. International Law, Emerging Technologies and Cyberspace (January 14-24, 2022)

In our fifth reflection paper, Siddharth Gautam (Class of ’20) explores whether cyber weapons could be subjected to any regulation under contemporary rules of international law.

Our sixth reflection paper is written by Drishti Kaushik (Class of ’21) on The Legality of Lethal Autonomous Weapons Systems (“LAWS”). In this piece, she first presents an analysis of what constitutes LAWS. She then attempts to situate modern systems of warfare like LAWS and its compliance with traditional legal norms as prescribed under international humanitarian laws.

Our seventh reflection paper is written by Karan Vijay (Class of ’20) on ‘Use of Force in modern times: Sisyphus’ first world ‘boulder’. Karan examines whether under international law, a mere threat of use of force by a state against another state would give rise to a right of self-defence. In another piece (eighth entry), Karan writes on the authoritative value of interpretations of international law expressed in texts like the Tallinn Manual with reference to Article 38 of the Statute of the International Court of Justice i.e. traditional sources of international law.

Our ninth reflection paper is written by Neeraj Nainani (Class of ’20), who offers his insights on the Legality of Foreign Influence Operations (FIOs) under International law. Neeraj’s paper, queries the legality of the FIOs conducted by adversary states to influence elections in other states through the use of covert information campaigns (such as conspiracy theories, deep fake videos, “fake news”, etc.) under the established principles of international law.

Our tenth reflection paper is written by Anmol Dhawan (Class of ’21). His contribution addresses the International Responsibility for Hackers-for-Hire Operations. He introduces us to the current legal issues in assigning legal responsibility to states for hacker-for-hire operations under the due diligence obligation in international law.

3. Domestic Cyber Law and Policy (January 28- February 4, 2022)

Our eleventh and twelfth reflection papers are two independent pieces written by Bharti (Class of ’20)and Kumar Ritwik (Class of ’20). These pieces evaluate whether the Government of India’s ongoing response to the COVID-19 pandemic could have benefited if the Government had invoked emergency provisions under the Constitution. Since the two pieces take directly opposing views, they collectively product a fascinating debate on the tradeoffs of different approaches.

Our thirteenth and fourteenth reflection papers have been written by Tejaswita Kharel (Class of ’20) and Shreyasi (Class of ’20). Both Tejaswita and Shreyasi interrogate whether the internet (and therefore internet access) is an enabler of fundamental rights, or whether access to the internet is a fundamental right unto itself. Their analysis rely considerably on the Indian Supreme Court’s judgement in Anuradha Bhasin v. Union of India which related to prolonged government mandated internet restrictions in Kashmir.

We will close our symposium with a reflection paper by Romit Kohli (Class of ’21), on Data Localisation and National Security: Flipping the Narrative. He argues that the mainstream narrative around data localisation in India espouses a myopic view of national security. His contribution argues the need to go beyond this mainstream narrative and constructs a novel understanding of the link between national security and data localisation by taking into consideration the unintended and oft-ignored consequences of the latter on economic development.

No Recognition for the New Generation of Digital Rights

By Puneeth Nagaraj and Gangesh Varma

The original article was published on The Wire on 5th January, 2016.

Plenty of Loose Ends. Credit: Pascal Charest/Flickr CC BY-NC-ND 2.0

The international community’s attempt to shape a new agenda for the Information Society by taking forward the Declaration of Principles and the Tunis Agenda adopted over a decade ago has produced a mixed bag that disappoints more than it pleases.

The WSIS was a two-phase summit which was initiated in 2003 at Geneva and had its second phase in 2005 at Tunis. The summit was a reaction to the growing importance of information and communication technologies (ICTs) in development and a recognition of the crucial role the Internet played in shaping the landscape of the information society. The first phase in Geneva focused on a wide range of issues affecting the information society including human rights, and ICTs for development. The Tunis Agenda in 2005 was focused on developing financing mechanisms for ICT for development and governance of the Internet. The Tunis Agenda was also the first time a globally negotiated instrument articulated a definition of Internet governance and incorporated the notion of multistakeholder governance. However, it was a negotiated outcome in the debate between multilateral and multistakeholder models in global governance. This resulted in the inclusion of the ambiguous concept of  ‘Enhanced Cooperation’ which was conceived as a device to discuss unresolved contentions.

The ten-year review in 2015 was meant to take stock of the changes in the information society since Tunis and create a new agenda for the next decade. The conclusion of the high level meeting with an agreed outcome document means the negotiations were completed successfully. But the outcome itself is a qualified success at best.

Outcome document

The review process has revealed that while there are new concerns that have emerged from the evolution of the Internet and its uses, the underlying debates still remain the same. For instance, human rights and cybersecurity were both issues that were covered by the Tunis Agenda. But the fact that they have their own sections in 2015 highlights the increased importance of both these issues. Internet governance, on the other hand is an issue that has not moved in the last 10 years.

World leaders at WSIS 2003, Geneva, where the original Declaration of Principles were adopted. Credit: Jean-Marc Ferré

The inclusion of a separate section on human rights has received praise from all quarters. It is also a testament to the increasing importance of human rights in the information society. The acknowledgement of human rights resolutions from other fora like the Human Rights Council and human rights instruments like the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights is encouraging. This means that nations have an additional mandate to respect human rights obligations while dealing with the Internet and ICT issues. At the same time, it must be noted that no reference was made to the International Covenant on Economic, Social and Cultural Rights which is especially pertinent for countries from the Global South.

It is also disappointing that the document fails to recognise a new generation of ‘digital rights’ that have increased in importance over the last decade. There is only a passing reference to privacy and there is no mention of network neutrality at all. It appears from the statements at the General Assembly that countries like the US and UK were not very keen on privacy and network neutrality. On the other hand, many European countries, notably the Netherlands, were pushing for stronger language on these issues. The outcome text is a negotiated compromise on many issues and the human rights language is the best example of this. But the fact that it ignores widespread public sentiment on issues that will be at the forefront over the next decade is worrying.

On Internet governance, the outcome text calls for immediate, concrete action on Enhanced Cooperation and greater participation in Internet governance institutions. But if this section of the outcome document is compared with the Tunis Agenda, it would seem like nothing has changed in the last decade. The outcome document is an attempt to update many foundational concepts in Internet governance such as Enhanced Cooperation and multistakeholderism. India for its part, reiterated support for a multistakeholder model but also drew attention to the importance of greater representation and participation of actors from the developing world in multistakeholder platforms.  One such platform is the Internet Governance Forum (IGF), whose mandate was extended for another 10 years. Unfortunately the conditionalities of the extension, including showing tangible outcomes on issues like accountability and representation, were diluted during the final negotiations. The outcome document thus failed to adequately address many pressing issues like the need for greater accountability and meaningful participation on Internet governance platforms.

Increasing threats to cybersecurity and the difficulty in dealing with cybersecurity is a concern that all countries were alive to. For developing countries, the capacity to deal with such threats heightened the importance of this issue. The outcome document reflects this position with a separate section on cybersecurity. It recognises the central role of states in dealing with cybersecurity issues, but also acknowledges the role other stakeholders have to play. The role that cybersecurity measures have to play in securing development projects through ICTs and the Internet has also been highlighted. However, the cybersecurity language fails to acknowledge the need to create a safe and secure Internet ecosystem for all users. As it stands, this section takes a securitised view of the Internet. This is unfortunate given that an earlier version of the document circulated last week took a more nuanced approach that focussed on the cyberspace as a safe platform whereas the outcome document takes a protectionist approach . However, like the human rights text, it appears that this was a casualty of negotiated compromise.

India’s Role

India played a critical role in negotiations, and contributed to an international agreement around the idea that all stakeholders, and not just governments, need to be a part of conversations about Internet governance. Speaking at the high level meeting of the 10-year review of the World Summit on Information Society (WSIS), the Indian delegation emphasised the role the Internet and ICTs have played in the country’s remarkable growth story over the last decade. India, along with other developing nation delegations were also quick to point out there is still a lot of work to be done in connecting the four billion people worldwide who have no access to the Internet.

Broadly speaking, India played a crucial role in these negotiations as a key swing state. On many contentious issues, the country played a facilitative role. On issues where the stated government policy aligned with the middle ground, like multistakeholderism and human rights, India took strong positions that helped achieve consensus. This was evident from its statement at the General Assembly supporting multistakeholderism but calling for greater representation. Similarly, India supported the outcome document on many issues like Internet governance, access and development but highlighted its own priorities in the process.

India’s role in bringing the WSIS negotiations to a successful conclusion has not gone unnoticed. Its unequivocal positions on contentious issues have come in for praise in the international community. However, the most difficult part of the process lies ahead in realising the WSIS vision and achieving the SDGs (sustainable development goals) over the next decade. India certainly has a big role to play in fulfilling both these international mandates and domestic development goals. It remains to be seen if it can rise to the challenge.

Puneeth Nagaraj and Gangesh Varma are Project Managers at the Centre for Communication Governance at National Law University Delhi

E-Health, Digital India and Cyber (In)Security

By Shalini S

Under the government’s flagship initiative, Digital India, healthcare has been flagged as a sector awaiting reformation through enabling digital access. Across the world, the internet has increasingly come to serve as a platform for organized public healthcare delivery and has also demonstrated its potential in effectively increasing access to timely, specialized medical care in remote areas. Both e-health and m-health, public health models that use information and communications technology (ICTs) for the provision of both healthcare services and information, have been employed extensively to support physical healthcare infrastructure in several countries and is now finding its way into the Indian public health framework.[1]

The health initiative under the project, attempts to transform healthcare from an event-based intervention to an integrated, continuous delivery model by employing ICTs to remedy information asymmetry and substandard access. The initiative is also expected to partially remedy healthcare access issues extant due to insufficient healthcare infrastructure and manpower. However, the use of ICTs exposes the sector to a range of unique challenges that must be dealt with in order to harness the potential of ICTs for the healthcare sector. This brief post seeks to outline the dangers of digitally storing and transmitting electronic health records and suggests strengthening security and risk management capability to avoid breaches.

E-health Initiative

The health limb of the Digital India project aims to increase access to quality healthcare for all citizens by enabling information flow, facilitating collaboration through the use of ICTs and providing timely, economic health services. It seeks to do so by increasing transparency in healthcare delivery, eliminating structural opacity and multiple intermediaries. Additionally, it envisions the use of emerging technology in bridging the healthcare divide by connecting patients with specialized health professionals, who are geographically far-removed, for online diagnosis. E-health programs are expected to benefit those that have little access to quality healthcare services such as the urban poor and rural populations.

Using hospital management information systems (HMIS), healthcare delivery limb of the Digital India Initiative’s online registration system (ORS) rightly attempts to simplify registration and appointment process. However, each new registrant is assigned a Unique Health Identification (UHID) number which is linked to their Aadhaar number used primarily to seek appointments at registered hospitals and subsequently to access their health records including lab reports. Under the initiative patient’s health records are digitized and uploaded electronically in order to better maintain records and make it easily accessible to health professionals. Further, these health records are to be integrated into a digital locker that can be accessed both by the government and private establishments.

As a part of the above-mentioned Digital India program, the Government of India also proposed to setup a National eHealth Authority (NeHA) under which a “centralized electronic healthcare record repository” containing comprehensive health information of all citizens could be fashioned.[2] While this proposed statutory authority will be vested with the responsibility of managing the complexities birthed by use of ICTs in the healthcare sector and also act as a regulatory authority to ensure privacy, confidentiality and security of patient information, it is yet to be created. In the absence of demonstrable, technical cybersecurity capability and regulatory or legislative cybersecurity framework, this statutory body might remain an insufficient effort. Further, the implementation of privacy and security norms evolved by NeHA by healthcare providers could take years and sensitive patient information might be stolen by persons who stand to benefit from the use or sale of such personal information.

Sensitivity of health records

Healthcare records are primarily attractive to criminals as they contain personally identifiable information and are therefore highly vulnerable. In addition to threat of stolen health data being misused in multiple ways, health records stored and transmitted online can be tampered with and this can have implications on patient health. With the E-health initiative, this holds especially true as the Aadhaar linkage connects health records to other personal information. The proposed healthcare record repository must also address these concerns. Hosting of personal information, especially healthcare records on any internet-based platforms without adequate cybersecurity measures in place is an invitation for large-scale breach.

Why digitize health records and information

Public health has arguably been raised as a national security priority and a centralized information database will undoubtedly be a prodigious healthcare intelligence tool that will allow researchers to engage in disease surveillance in order to better understand the state of public health in any nation. This information is critical to the medical fraternity and policymakers in ensuring medical preparedness and developing prevention and responsive capabilities.

Independently, most private healthcare providers have already made the move to digitizing health records that contain sensitive patient data and storing them electronically on often poorly-secured hospital networks, fueling pertinent privacy and security concerns. These health information systems are designed to host big data in a highly accessible manner in order to leverage speedy access to patient information for newer modalities of treatment that are time and cost effective.[3]

While the potential of information technology in radically transforming healthcare is indisputable, protecting healthcare data against misuse, without impeding healthcare professionals’ access to patient information, remains the biggest security concern.

Way forward

While it might not be necessary to view cybersecurity in healthcare delivery as a novel issue, patient information must be recognized as sensitive information that needs to be protected from breaches. Thus, the overarching Digital India initiative must necessarily account for vulnerabilities in digitally storing healthcare records and develop risk management capabilities as a part of its existing governance. Further, as the healthcare initiative under Digital India hinges on collaboratively partnering with private healthcare providers to bridge the gap in access to advanced medical technology and specialized care, a minimum standard of cybersecurity must be mandated to be followed by all participating private healthcare providers to prevent localized breaches.

[1] Sanjeev Davey & Anuradha Davey, m-Health- Can IT improve Indian Public Health System, 4 National Journal of Community Medicine (2013), http://njcmindia.org/uploads/4-3_545-549.pdf.

[2] The Indian Express, Digital India programme: Govt mulls setting up eHealth Authority, 2015, http://indianexpress.com/article/india/india-others/digital-india-programme-govt-mulls-setting-up-ehealth-authority/ (last visited Nov 7, 2015).

[3] How technology is changing the face of Indian Healthcare, The Economic Times, 2014, http://articles.economictimes.indiatimes.com/2014-04-02/news/48801172_1_indian-healthcare-collaborative-data-exchange-healthcare-information-technology-market (last visited Nov 7, 2015).

CCG’s Analysis of the WSIS+10 Draft Outcome Document- Initial Thoughts

By Puneeth Nagaraj

The draft outcome document for the World Summit on Information Society (WSIS) High Level Meeting in December has been released today (it can be accessed here). This draft is a revision of the Zero Draft based on discussions held in New York last month i.e., the 2nd Preparatory Meeting and the 2nd Informal Consultations. Our coverage of those two meetings can be found here. The Outcome Document will be the basis for informal multilateral discussions to be held from 19-20 and 24-25 November. As per our understanding at this point, these discussions will be closed door meetings between country representatives and will not be open to other stakeholders. Below is a summary of the major changes from the Zero Draft to the Outcome Document:

New Section on Human Rights

Easily the most contentious part of the Zero Draft which had subsumed Human Rights discussions under the heading of Internet Governance. This had attracted criticism from civil society groups and many Member countries. The Draft Outcome Document now contains a separate section on human rights. In terms of content, this new section on Human Rights is notable for the explicit recognition in Paragraph 38 of journalists, bloggers and civil society actors in supporting freedom of expression and plurality. This is a big and welcome change from the Zero draft which only cited the freedom of press in the limited context of journalists. Paragraph 38 is also important given the recent attacks against bloggers in many countries who have been targeted for expressing their views online.

Also notable is the explicit recognition of the Right to Development in Paragraph 40 and the reaffirmation of the universality, indivisibility, interdependence and interrelation of all human rights. The latter is a concept enshrined in the Universal Declaration on Human Rights and an integral component of International Human Rights Law. Its recognition in the Outcome Document is important as these concepts need to be reinforced in the Information Society. This is because many of the rights based discussions online are often connected to other issues such as development, access and security. These cannot be discussed in isolation. This idea has been discussed in some detail in CCG’s comment on the non-paper.

The emphasis placed on the right to privacy on the context of mass surveillance in Paragraph 42 is also a new addition. This expands on the earlier Paragraph 43 from the Zero Draft which merely encouraged stakeholders to respect privacy and the protection of personal information. The expanded Paragraph 42 in the outcome Document is a vast improvement, calling on countries to respect International Human Rights law as it relates to mass surveillance. Para 42 also explicitly cites General Assembly Resolution 69/166 which recognised the Right to Privacy in the Digital Age.

Though the improvements to the Human Rights paragraphs in the document are welcome, Human Rights is still listed as the 2nd section which is contrary to the calls made by civil society groups to list it as the first.

Linkages with Sustainable Development Goals (SDGs)

A common concern across stakeholder groups in the October meetings was to link the WSIS process with the SDGs. While earlier drafts cited the SDGs, they failed to identify specific goals that could be linked with the WSIS process. Though the SDGs do not a have a separate goal that mentions ICTs or the internet, the understanding was that as a cross-cutting issue there are many potential linkages between the two processes.

The capacity of ICTs to facilitate the fulfillment of all SDGs has been mentioned in Paragraph 14. It also lists Goal 4b on Education and Scholarships, Goal 5b on Women’s Empowerment, Goal 9c on Infrastructure and Access and Goal 17.8 on Technology Bank and Capacity Building as specific goals where this linkages can be particularly useful. In Follow Up and Review, the document in Paragraph calls for the CSTD review to feed into the SDG process in Paragraph 58. Additionally, Paragraph 62 designates the High Level Meeting in 2025 as an input process into the 2030 Review of the SDGs.

ICT for Development

In this section, the Outcome document takes a more nuanced view of development issues and the Digital Divide, however a few key ideas are still missing.

Paragraph 19 on cultural expression and Paragraph 23 on Local Content in different languages highlight the need for greater diversity online. The discussion on the Digital divide has also improved from the Zero Draft with Paragraph 22 calling for the creation of knowledge societies and for UN bodies to analyse the nature of the digital divide.  Paragraph 25 dedicated to the Gender divide is a much needed addition and it calls for immediate measures to address this divide. However, the discussion on the digital divide is lacking in that it fails to recognise that the digital divide is a manifestation of existing socio-economic inequalities. It also fails to reognise that access to the internet and ICTs should be rights based and equitable. While the role of ICTs in development is not disputed, having differential access to ICTs or the internet can actually serve to exacerbate the digital divide. Though this point has been made repeatedly, the draft outcome document does not acknowledge it.

Paragraph 36 is also notable as it calls for new mechanisms to fund ICT4D as opposed to the Zero Draft which called for the Digital Solidarity Fund to be reviewed. The position on the DSF has since changed as States and other stakeholders in October recognized that the DSF cannot be strengthened and a new mechanism is necessary.

New Section on Security

Much like human rights, many countries- especially the G77+China- called for a separate section on security issues. Thus, the outcome document has a new section 3 on Building Confidence and Security in the use of ICTs which was the erstwhile Section 2.3 in the Zero Draft.

Paragraph 45 is a change from the earlier Paragraph 46 in the Zero Draft. It notes the ‘leading role’ of governments in cybersecurity as opposed to the Zero Draft which called on them to play an enhanced role. The recognition of the need for security measures to be consistent with Human Rights is a much needed change.

Paragraph 46 of the Draft Outcome Document on cyber-ethics has been expanded to explicitly refer to the need to protect and empower children, women and girls.

Paragraphs 48 and 49 call for greater cooperation among States on cybersecurity matters. In a change from the Zero draft, these paragraphs have placed greater emphasis on cooperation and information sharing across stakeholders and between States. The call for an international cybercrimes convention in the Zero Draft has been changed to an acknowledgment of the call for such a convention.

Internet Governance

The absence of the mention of multistakeholderism or multistakeholder approaches is conspicuous in this Section. In fact Paragraph 50 suggests that internet governance is a multilateral process with “the full involvement of all stakeholders”.

The mandate of the IGF should be extended by 10 years according to Paragraph 54. However, it calls on the IGF to incorporate the findings of the CSTD Working Group on Improvements to the IGF and that the IGF should show progress on these lines. On Enhanced Cooperation, Paragraph 56 calls on the Secretary General to provide a report to the next (71st) General Assembly on the implementation and means to improve Enhanced Cooperation.

Follow-Up and Review

The most notable addition is the call for a High Level Meeting in 2025 to Review the WSIS Outcomes in Paragraph 62. This suggests some sort of a compromise between States as there were multiple proposals on whether there should be a Summit or a High Level Meeting. The section is also notable for the explicit recognition of the ways in which the WSIS Process can be linked with the SDGs. Other than the linkages mentioned above, Paragraph 52 calls for the WSIS Action Lines to be closely linked to the SDG process.

The Outcome Document is a more complete Document than the Zero Draft in many ways. However, there are a few issues that need to be ironed out before the High Level Meeting. With the process closed for stakeholders from now on , most of these changes will largely come from States. Though the co-facilitators have called for comments to be sent on the Draft Outcome Document, it is not on the same scale as the public comment periods and it is not clear how much these suggestions will be taken into consideration by them. In the absence of another Informal Consultation, their interaction with stakeholders at the IGF may be the last opportunity to participate in this process before the High Level Meeting.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi

Index of CCG’s WSIS+10 Review Coverage

To help readers navigate our coverage of the 2nd Preparatory Meeting, we have indexed our posts from the last 3 days. Please find them below:

• Summary of Day 1

https://ccgnludelhi.wordpress.com/2015/10/20/2nd-preparatory-meeting-of-wsis10-review-summary-of-day-1/

• India’s Statement on Day 1

https://ccgnludelhi.wordpress.com/2015/10/20/wsis10-zero-draft-indias-statement-at-the-2nd-preparatory-meeting/

• Summary of Day 2- ICT4D

https://ccgnludelhi.wordpress.com/2015/10/21/2nd-preparatory-meeting-of-wsis10-review-summary-of-ict4d-discussions-on-day-2/

• Summary of Day 2- Internet Governance

https://ccgnludelhi.wordpress.com/2015/10/22/2nd-preparatory-meeting-of-wsis10-review-summary-of-internet-governance-discussions-on-day-2/

• India’s Statements on Day 2

https://ccgnludelhi.wordpress.com/2015/10/21/indias-statements-on-day-2-of-the-2nd-preparatory-meeting-of-the-wsis-review/

• India’s Statements on Day 3

https://ccgnludelhi.wordpress.com/2015/10/22/indias-statement-on-cybersecurity-on-day-3-of-2nd-preparatory-meeting-for-wsis-review/

https://ccgnludelhi.wordpress.com/2015/10/22/indias-second-statement-on-cyber-security-references-digital-india/

https://ccgnludelhi.wordpress.com/2015/10/23/indian-statements-on-implementation-and-follow-up-at-2nd-preparatory-meeting/

Indian Statements on Implementation and Follow up at 2nd Preparatory Meeting

By Puneeth Nagaraj

India made a third statement today, this time on the Implementation and Follow up of the WSIS Review. Below is the Statement:

The essence of what we’ve been discussing is Implementation and Follow-up. Talking about action lines is also talking about implementation. It is an assessment of whether we have succeeded or not. The WSIS document is commendable as it stands. We are in favour of an ongoing review process. But also support a High Level Meeting to look at these at some point. We do not understand approach of not changing anything or changing Action Lines. We’re talking about a dynamic platform like the internet, the manner in which it has changed the economy, lifestyles of people around the world would tell us that more is yet to come. Therefore we must be talking constantly about Cybersecurity, ICT4D and human rights as change is happening at rapid pace. Not being ready to review Action Lines or High Level Meeting that brings to attention issues that needs to be addressed is not understandable. Support Review Process and High Level Meeting at a period agreeable to Member states.”

In response to a query from the US on why a Review was needed the Indian delegation had the following to say:

This Review platform is a different one from the ongoing review. If ongoing review was efficient we wouldn’t be sitting here. Review must happen at the UNGA in 2020. We will continue to call for it.We urge the reconsideration of the approach that Review or High Level Meeting is not needed. Societies that have reached a certain level of development and want to manage growth over the next 10 years like India need Review. India is targeting internet for all by 2020. There will be several consequences for all. It will be mostly positive, but there might be negative as well. We are an open democracy. Voices are expressed and encouraged in India. UNGA must have Review in 2020.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi

India’s Second Statement on Cyber Security, References Digital India

By Puneeth Nagaraj

India made a 2nd statement on cyber security and the WSIS today, highlighting the importance of a secure environment for development programmes for ICTs. India highlighted the Digital India programme in its statement. The summary is below:

India re-emphasized the importance of cybersecurity both from the point of view of economic development and national security. India also disagreed with Japan on the importance of cybersecurity for development pointing to the Digital india Initiative. India argued that the Digital India Initiative, which is taking e-services to all citizens in country needs to be supported by a secure environment and cybersecurity is an important part of this. India also stressed the importance of protecting  critical internet resources for India. India went on to Encourage Member States to present concrete, clear proposals on cybersecurity. India suggested having more Confidence Building Measures and raising awareness. India also supported Brazil on finding that the Budapest Convention as it stands is not sufficient to tackle cybercrimes.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi

India’s Statement on Cybersecurity on Day 3 of 2nd Preparatory Meeting for WSIS+10 Review

By Puneeth Nagaraj

During discussions on cybersecurity in the Zero Draft of the WSIS+10, the Indian government made a statement calling attention to the increasing cyber threat and “malicious activities” online. Below is a summary of the statement:

We must recognize that Cyberspace is now the 5th domain as there is increasing innovation with information technology and cyber technology. However, we must protect existing infrastructure and information contained in infrastructure as malicious activities online are increasing exponentially with improvement in technology. Hence, the security of infrastructure is paramount, we must work together to prevent this through exchange of information and collaboration. Steps must be taken in comprehensive manner to improve R&D and technology transfer to counter cyber threats.

Puneeth Nagaraj is a Project Manager at the Centre for Communication Governance at National Law University Delhi