Hey Standing Committee, let's sit and talk?

tl;dr

As the Parliamentary Standing Committee on Communications & Information Technology (“Committee” or “IT Standing Committee”) convenes to examine the conduct of business of ministries/departments under its mandate, we write to the Chairman highlighting our stances and engagement with issues that form part of its subject roster for the year 2023-24. Review and recommendations of the Committee can play a significant role in protecting user interest and safeguarding our informational privacy.

Background

Every year, Departmentally Related Standing Committees convene to examine and oversee the state of executive and legislative affairs at the ministry/department level, and translate discussions and decisions of the Parliament into action through specific recommendations. The IT Standing Committee is one of 24 Departmentally Related Committees in existence, and is constituted under Rule 331C of the Rules of Procedure and Conduct of Business in Lok Sabha. It comprises 31 members and oversees the Ministry of Communications, Department of Telecommunications (“DoT”), Department of Posts, Department of Telecommunications, Ministry of Electronics and Information Technology (“MeitY”), and Ministry of Information and Broadcasting (“MIB”). 

For the year 2023-24, the committee will take up a diverse roster of subjects across these ministries/departments. We wrote to the Chairman, Shri Prataprao Jadhav, highlighting our areas of work and underscoring our past engagement with the selected subjects, while offering support and assistance in advancing digital rights in a way that champions constitutional rights at its core. We followed up with another letter requesting the Committee to address two recent privacy threats as part of their regular roster, namely the Aadhaar data leak and the Apple threat notification.

Summary of our inputs

1. On the emergence of “OTT” platforms and related issues: Part of the Committee’s agenda is to examine the emergence of “OTT” platforms and policy responses thereto. We voiced our concerns about the Telecom Regulatory Authority of India’s (“TRAI’s”) recent interest in regulating the space, highlighting how telecom service providers’ current demands threaten net neutrality and user interest. We have previously written to DoT on the matter, but we hope the Committee will reflect our concerns in their annual report.
2. On internet and telecom suspensions: IFF has monitored and pushed back on several counts of internet and telecom shutdown across India over the years. We have provided legal assistance to petitioners before the Hon’ble Supreme Court in Anuradha Bhasin v. Union of India, (2020) 3 SCC 63 and Foundation of Media Professionals v. Union Territory of Jammu & Kashmir, (2020) 5 SCC 746. Settled judicial opinion states that when an internet shutdown is imposed, a Review Committee must be constituted under Rule 2(5) of the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017, which will review all internet suspension orders within 5 days of their issuance and record its findings on the legality of such orders. We urge the Committee to review and examine the implementation of these principles at the state and union level. We also noted that the Committee has previously issued recommendations on telecom suspensions and their impact on rights and liberties, upholding the hon’ble Supreme Court’s orders listed above, which is deeply appreciated. These recommendations were followed by the Committee’s action-taken report, highlighting that the union and state governments have not successfully imbibed these recommendations, especially with regards to constitution of review committees, principle of proportionality, publishing blocking orders, and additional ones such as promoting impact assessments and public consultations. We request the Committee to reiterate these recommendations and urge government entities to establish safeguards as enumerated by the Committees in the two reports.
3. On data protection: India’s data protection legislation, the recent Digital Personal Data Protection Act, 2023 (“DPDP” Act), is not equipped to respond to the increasing data breaches and cyber attacks over recent years. We have raised concerns with some provisions of the Act in detail. Moreover, the consultative process for the Act was inadequate. . MeitY did not make comments received about the DPDP Bill 2022 public, and subsequently did not invite counter comments to the draft. The DPDP Bill, 2023 was then introduced and passed in the Parliament without due consideration to the Pre-legislative Consultation Policy (“PLCP”), 2014, without providing an explanation of the changes, nor an opportunity to provide further comments. We hope that MeitY will meaningfully engage with civil society to introduce necessary changes and safeguards to the Act, and that the Committee can issue necessary recommendations to facilitate the same.
4. On the Unique Identification Authority of India (UIDAI): We expressed concern about the increasing use of Aadhaar and its linkage to various government schemes and across sectors. We have contended at various instances the risks associated with linking Aadhaar ID with various public and private services (see here and here). 
5. On safeguarding citizens’ rights and prevention of misuse of social/online news media platforms including special emphasis on women security in the digital space: We urge the Committee to continue investigating the misuse of social/ online news media platforms with special emphasis on women security, and also expand the scope to include more gender minorities in order to ensure constitutionally guaranteed rights in digital space for all.
6. On the cyber security scenario in India: In recent times, India has seen a slew of attacks and cyber security threats to both public and private databases. In October 2023, it was discovered that the National Logistics Portal disclosed several sensitive credentials and secret encryption keys via publicly available JS files on their website. Additionally, many Amazon Web Services S3 buckets containing personal data of workers, marine crew, invoices, and internal documents, were left publicly accessible. The Committee is urged to review and issue recommendations on the cybersecurity measures taken by public and private entities. Additionally, we raised concerns over the upcoming “Digital India Act” (“DIA”) which can be read in detail here and here. We contend that the new digital legal framework should be based on constitutional principles, enshrining constitutionally guaranteed fundamental rights, and request the Committee to monitor developments on the “DIA” and recommend rights-affirming amendments thereto.
7. On issues related to social media domain: We, at IFF, work towards preserving free speech on the internet, and push back against any attempt at arbitrary censorship or content takedowns. We believe that arbitrary blocking is harmful not only for operational transparency but also for India’s democratic ethos. We requested the Committee to urge MeitY, MIB, and the DoT to proactively make public the reasons for blocking specific URLs or service providers. 
8. On the emergence of Artificial Intelligence and related issues: With the rising instances of government functionaries deploying Artificial Intelligence (“AI”) at the union and state level, we raised one primary concern with the Committee. In our assessment and through our continued engagement on government use of AI in India, we have observed that the usage lacks transparency. Union or state functionaries often do not make public the accuracy assessment processes or reports of the technologies they deploy across sectors. They do not reveal adequate information about the usage in the press releases or tenders. For instance, AI is being used in traffic management, city planning, waste management, and other urban administration issues under several flagship “Smart City” programmes, but little information is available about the kind of technologies used, the technology provider, the accuracy and cyber security measures taken, cost implications, or the data collected through AI. We request the Committee to review the use of AI in governance, and encourage transparent deployment of emerging technologies.
9. On issues confronting the telecom sector in India: As part of our work on safeguarding digital rights and freedoms, we have and will continue to engage with the draft Indian Telecommunication Bill, 2022 (“Bill”). Our assessment of the Bill can be read here, but in summary, we believe it to be incongruent with the principles of net neutrality. In the run up to the Bill potentially being tabled during the Winter Session of the Parliament, we request the Committee to note our enumerated concerns.
10. We raised our concerns about 5G technology and its effect on net neutrality under the Committee’s subject header ‘Inter-sectoral review of challenges of emerging and converging technologies, entities and practices’.
11. We urge the Committee to review the performance of the Universal Service Obligation Fund (“USOF”) and expand the grounds to review its performance in other remote areas such as Andaman and Nicobar Islands, the North East, and other “industrially backward” states across the country, under the subject header ‘review of the performance of schemes/projects under USOF implemented by Public and Private Sector’.

On recent privacy threats

In addition to its regular roster, we also urge the Committee to examine two recent instances that have jeopardised the privacy and data security of Indian citizens, namely a reported leak of sensitive personal data of 81.5 crore Indian citizens connected to their Aadhaar being sold on the dark web, and a threat notification by Apple Inc. (“Apple”) alerting some of its users of a ‘state-sponsored attack’. 

According to news reports, a database claiming to contain sensitive personal details of 81.5 crore Indian citizens, including their Aadhaar number, passport number, and other personal details, has been listed for sale on a dark web platform named ‘BreachForums’ since October 9, 2023. Cybersecurity analysts reportedly found one of the leaked samples to contain 1,00,000 records of personally identifiable information, which included Aadhaar and passport numbers. The threat actor, alias ‘Tanaka’ or ‘pwn0001’, was allegedly trying to sell the entire dataset for $80,000 (over Rs 66 Lakh) over BreachForums. On November 01, 2023, the threat actor informed journalists that the database is “old” which they had bought from a now defunct dark web forum last year. This is reported to be India’s largest data breach yet, but it is not the first. 

The history of Aadhaar-related data leaks in India alludes to the lack of robust security measures at various government machineries which record Aadhaar information, and within the central Aadhaar database itself. Accountability for unsecured Aadhaar databases should lie with UIDAI, whether pertaining to data breaches at the state or union level. We request the Committee to issue specific recommendations to strengthen cybersecurity in the public sector, especially in view of databases as rich and sensitive as the Aadhaar, and urge UIDAI to build accountability and transparency mechanisms in the interest of safeguarding sensitive personal data of Indian citizens.

On the Apple threat notification, we request the Committee to recommend a holistic investigation into the alleged ‘state-sponsored attack’ to be conducted by an appropriate authority. Our detailed requests to the investigating authority along with key considerations can be read here.

Important documents

1. IFF’s Letter to Parliamentary Standing Committee on Communications and IT dated 01.11.2023 (link)
2. IFF’s Letter to Parliamentary Standing Committee on Communications and IT on recent privacy threats dated 09.11.2023 (link)