REVISITING THE LEGAL REGULATION OF DIGITAL IDENTITY IN THE LIGHT OF GLOBAL IMPLEMENTATION AND LOCAL DIFFERENCE

Biometrisizing a Billion Odd

Work on the next Indian Census is reported to begin tomorrow. The difference is that this census will facilitate the launch of the new Unique Id Scheme in India.

THE REGULATORY FUTURE OF DIGITAL IDENTITY - WORKSHOP REPORT

The workshop opened with an Introduction by Rowena Rodrigues. The aims of the workshop were elaborated: first, to facilitate and broaden the understanding of the complexities and issues prevalent in the interplay between digital identity, its technologies, law and policy and second, to explore the regulatory future of digital identity with experts from the legal, technical and policy domains. Introductions followed.

Session 1 (0945 -1050) was led by Mr Burkhard Schafer (Senior Lecturer in Computational Legal Theory School of Law, University of Edinburgh). The title of his talk was, “Deceptively Simple – Deception, Identity and Culture.” Schafer talked about the complex interactions between deception and identity, which are two sides of the same coin. That deception and identity have a strong connection with culture, is another point Schafer made. What is permissible in one culture in relation to identity and deception is not permissible in another. Schafer used British and Indian legendary examples to make his point – like that of Uther Pendragon, the father of King Arthur and the Blue Jackal respectively, both of which illustrate how identity and deception are used in interpersonal and social relationships, and the consequences of the use of identity and deception. The fact of deception largely depends on the observer’s perspective. The creative aspects of deception are evident in evolution and the natural world. In specific relation to digital identity, Schafer spoke about the law of agency and electronic agents and deceptive practices connected therewith. How and should deception be employed in electronic agency, should agents be taught how to lie, should there be a right to know the true identity of an entity (whether an entity is an agent or a robot) were some of the questions Schafer raised.

In Session 2 (1100 -1145), Professor Lilian Edwards (Professor of Internet Law at Sheffield University), spoke about “Who am I, Avatar? Protecting Digital Identities Online and Offline.” This session was interspersed with identity examples from popular culture, mainly the media of cinema and television like Jake Scully and his avatar from the movie Avatar, and Dr Who. Edwards explained that there was a straddling of online and offline digital identities, and the merging of the essentialist and non-essentialist selves. Digital identity was more and more coming to be about digital presence. In addition to simultaneous digital identities, Edwards explained that there can be non-simultanoeus digital identities like that of Jake Scully and his Avatar in the movie ‘Avatar’ – such identities were those one transferred from and into and occupied, one at a time. She also laid stress on the immersive effects of digital identities. She also talked about how digital identities could be sequential in nature (using the example of in Dr Who of how the tenth doctor transforms into the eleventh doctor). This session also explored how law regulates digital identity through intellectual property law like trademarks, copyright and personality rights. Edwards felt these were largely ineffective in protecting a digital identity subject as they often did not give the identity subject many rights to their identity, rather mainly enabled intellectual property owners to protect their rights in their intellectual property. Edwards then ventured into privacy and reputation based protection of identity (libel), particularly in the light of the Firsht case [Applause Store Productions Ltd & Firsht v Raphael. Case Reference [2008] EWHC 1781 (QB)]. In regards the regulatory future of digital identity, Edwards queried whether future trends would show increasing support for single essentialist identities or multiple distributed identities.

A refreshments break followed (1145 – 1200).

Session 3 (1215 -1300) focussed on “Whether human rights law in the digital age needs an extra right to identity or would the privacy right do?” Professor Paul de Hert (Professor of Law at the Faculty of Law and Criminology of Vrije Universiteit Brussel), talked about the right to identity – a right he had proposed to deal with “the Internet of things.” De Hert favoured the creation of a new human right to identity, incorporating ipse and idem elements of identity, which he felt was a good instrument to stress governmental duties in relation to protecting individual identities. A new right to identity can complement the existing human rights apparatus and help balance the different stakeholder interests at stake. De Hert strongly opined that even though the conceptualisation of such a right was fraught with difficulties, identity was a high quality tool of making democracy work.

Lunch ensued.

Session 4 (1415-1530) was taken up by Mr Caspar Bowden (Chief Privacy Adviser for Microsoft in Europe, Middle-East and Africa). Bowden talked about “Privacy Engineering meets Law: The Case of U-Prove Minimum Disclosure Tokens, Data Protection and the ECHR.” Bowden talked about the technical aspects of identity - identity management. He introduced some traditional identity management technologies like public key infrastructure (PKI) before introducing the concept of anonymous credentials or minimum disclosure tokens, Caspar talked about Microsoft’s implementation of minimum disclosure tokens - U-Prove technology. Caspar opined that there is sufficient basis for the use of privacy enhancing technologies (PETS) like U-Prove in the European Convention of Human Rights. More vitally, he proposed a way forward in terms of the regulatory future of digital identity in terms of three specific measures – regulating data mining, regulating specific legal conditions under which persons can be recognised digitally without their consent and finally, building systems around subject access.

Session 5 (1530-1630) was led by Professor Charles Raab (Professor Emeritus in the department of Politics and International Relations and Honorary Professorial Fellow School of Social and Political Science, University of Edinburgh). Raab’s talk, titled, “Privacy Principles for Identity Management: A Regulatory Solution,” delved into Scotland recently proposed policy solution to digital identity management in the public sector – the Privacy and Identity Management Principles. These principles, recently opened for consultation (now closed) are aimed at PSO’s (public sector organisations) in Scotland to guide them in privacy and identity management. These principles, Raab outlined would help do away with the problems of “tunnel vision of data security,” bring about greater data transparency, promote good data practices and help data grievance redressal.

All sessions were interactive sessions with every session averaging 15 minutes of discussion time. Rowena Rodrigues summarised the day in the plenary session and called for future collaboration in terms of future activities and dissemination. The day ended with networking teas and coffees.

THE REGULATORY FUTURE OF DIGITAL IDENTITY

Friday, 19th February 2010, 9 am – 5 pm

Venue: The University of Edinburgh, Dugald Stewart Building, Room G.07

This is a one day workshop aimed at exploring the regulatory future of digital identity in the light of global differences in identity culture and law with experts from the legal, technical and policy domains.

Digital identity (broadly referring to the digital representation of an entity) has attained great significance in the light of its social, economic and legal ramifications. The digital identity realm encompasses a wide range of problems (like identity fraud, deception), challenges (e.g. pervasiveness, invisibility or seamlessness of digital identity technologies) and issues (for instance, liberty, privacy, control of digital identities, trust).

The regulation of digital identity is a complex phenomenon, given the contextual and ever changing nature of digital identity and the plurality of stakeholder interests. And an in-depth exploration of the field brings into focus how individualism centric the digital identity regulatory discourse is, evidenced by leading developments in the digital identity management and regulatory sectors, particularly in Europe and Canada. But digital identity is both an international and local creature that makes its play in different jurisdictions with different social and legal cultures. For instance, India is a phenomenal digital identity market in the process of implementing law that particularly impacts digital identity. But India does not have a social or legal culture of digital identity protection equivalent to the digitally advanced countries like for instance, the United Kingdom.

In such cases, and to help other countries, in the same position as India, with different socio-legal orientations, the workshop will explore some possible regulatory solutions with the intent of determining the best way forward for the regulatory future of digital identity.

Sponsored by: The University of Edinburgh Development Trust Small Projects Grants and SCRIPT.

Please pre-register your attendance with Simone-Louise Hull:simone.hull@ed.ac.uk
For further details, contact Rowena Rodrigues:R.E.Rodrigues@sms.ed.ac.uk

Developments in Indian IT law

The Indian Information Technology( Certifying Authorities) Amendment Rules, 2009 009 are here.

Snap, another database!

Track, monitor and log
Social network and blog
All the world’s problems
Can be solved with a database


Is a monitored society
A haven of propriety?
Perhaps, all the world’s problems
Can be solved with a database


So they log who one talks to
And they log what one may do
Because, all the world’s problems
Can be solved with a database


So maybe the digital world
Is more virtual prison, less world
But then, all the world’s problems
Will be solved with a database

(Or so they blissfully think)!


Read the Joseph Rowntree Report on the Database State (2009) which delves into Britain's Database State and concludes that, "the public are neither served nor protected by the increasingly complex and intrusive holdings of personal information invading every aspect of our lives."

Here's the dosh on the Indian IT Amendment Act 2008

Its been a long time coming. And when it did come we took such a long time to find it. But its here and a lot is being said about it.

What we like:

* insertion of provision on identity theft ( though I would have preferred the use of the word fraud)- S 66C

* the pornography provision in S 67B

And what is causing the pain:

* Reduction in the "quantum of punishment"

* the limited conceptualisation of privacy in S 66E relating to punishment for the violation of privacy

* increase in computer user liability

But, what intrigues me the most is S 67 C which relates to the preservation and retention of information by intermediaries. More on this soon.

Article 8 ECHR comes good again

The verdict is out on the Marper case. The Marper case revolved around Articles 8 & 14 of the ECHR and the European Court of Human Rights was called upon to decide whether the retention of the applicants' DNA material was in breach of the right to respect for private life, and aggravated by the fact that the information was actively used in criminal investigations despite charges having been dropped and being acquitted post arrest.

The European Court of Human Rights has criticised the "...blanket and indiscriminate nature of the power of retention in England and Wales" and found it to be "disproportionate interference with the applicants' right to respect for private life and could not be regarded as necessary in a democratic society.

See BBC News Report

What happens next is going to keep me on the edge of my seat. P Johnston tackles some probable results in the Telegraph.

Sample some Indian kanoon!

Great portal for Indian law, articles and else.

Indian Kanoon - http://www.indiankanoon.com/

One ingenious way of encouraging the use of identification.

The Times of India reports about how Indian tourists visiting Indian monuments are being asked to pay the overseas entry rates if they don't look the part. Or carry an identity card proving they are Indian citizens.

Woe is us. I wonder whether I will get past!

I am what I am. But am I free to be?

So I am what I am.
And I am what I chose to be
But I am not that at all times.
or in all places.
Or for all people,
I am different, yet I am same.
There is growth and simultanoeus constancy.
But it's good as long as I am FREE to be.
But am I truly free?

30 May 08. Musings.

Cops, digital clues and cultural bias

A news report by CNN-IBN raises the issue of whether the police force in India are actually competent enough to evaluate electronic evidence and its significance to a crime.

The report speculates that policing does not take into account new cultural tastes and behaviour (influenced by the global technological age) and goes so far as to make an allegation that the police may be weighing the evidence according to their personal moral values (read traditionally acquired).

Take for instance, traditionally, Indian unmarried women (and even married women) did not and still do not (openly) maintain "relationships" with men they are not normally associated with in the course of their personal lives. What happens in the case where a girl has ten male friends seeking friendship or partners in her 'Friends List' in her social networking profile? Or has emails from random male members of the social networking community in her Inbox?

Or what happens when the police discover in their course of their investigations that a suspect belong to a homosexual community? (Same sex relations are legally still a crime and punishable as an unnatural offence under Section 377 of the Indian Penal Code with imprisonment and a fine (though attempts are being made to get section 377 to be “read down” to exclude adult consensual sex from within its purview and though the Law Commission in 2001 recommended its repeal, backed by the Union ministry of family and child welfare in 2006).

It is a matter of “wait and watch,” to see how this will pan out.

Why ID cards aren't the new "cool"

Two reports show why simply having identity cards isn't the new "in".

In the first, identity cards were taken away (read appropriated) by goons ahead of Gram Panchayat Elections.

In the second, it led to pro-India activists being shot.

There's loads more like this.

But will the implementors listen?

So, what's it with us and databases ? Maybe the InfoCom needs to pre-vet databases.

It is so disappointing that society has got to a point where every problem can be sorted with DATA in a DATABASE. Seems like if you have a problem, what you need is a database - whatever's happened to intelligence ?

Ok. I'm peeved with recent news that employers will share a database of workers which will be used for vetting prospective employees and companies like Harrods, Selfridges, Reed Managed Services and Mothercare are alleged to have signed up to the scheme.

I won't even go into the nitty gritty.

Of course, the "private" database will propose to comply with DP laws and practice.

Who makes these stupid decisions about setting up databases?

Perhaps the Information Commissioner can set up some procedure for PRE-VETTING prospective databases. Anyone who wants to sent up a database should apply to the InfoCommr and while I understand this would be a daunting task in terms of resources and convenience, it would serve to deter those bureaucrats that put our lives at risk of being compromised.

Making the TURING point

A very interesting link via Random Thoughts on Digital Identity.

It's game on Kurzweil v Kapor. And of course, we will all know for sure in 2029.

Googling out the bad 'uns in Brazil

The Associated Press reports that Google will take steps to "stop chid pornography and hate crimes" on Orkut.

It is estimated that approx 90% of paedophilia complaints are prompted by material on Orkut and a Brazilian Senate Panel has ordered Google to permit it access to nearly 3000 profiles containing suspect material.

Loss of ID cards

Losses of military cards to talk about now. MOD figures in a Commons written answer reveal that 4,433 ID cards disappeared in 2006 and a further 6,812 went missing in 2007.

Scientia est Potentia

Scientia est potentia. Knowledge is power. We have made it so.

We want to know. It is good to know, it is good to learn, and it is good if it helps us grow.

Turn that around and read as Information is power. It is good for the state to know (all). It is good for the state to learn(all). And it is good if it helps the state to use it for the greater good.

Its time for some constitutional re-thinking. And more thoughts on who will bell the cate if the need arises.

Postscript: Just saw Kim's post on the Need-to Know Internet. More at his blog.

Tell me all that you are, and there will be no sex offenders on SNS. Identity stakes go up another notch in NY

Outlaw reports that "sex offenders will be banned from using social networking sites under a law proposed in the US state of New York." The law would, if enacted permit the release of offenders details to SNS operators in order to restrict them from using these sites. In this regard, the "offenders" would have to register all of their online identities, internet acounts and email id's with with the police as conditions of their probation or parole. The New York Senate passed the proposed law this week, and it remains to be debated by the Assembly.

A step forward, but a bit over ambitious I think for the following reason: how would you register a uncreated identity? How will they deal with new identities? How will they prevent these people from stealing other people's identities or using them to their own benefit ? The identity stakes have gone up another notch in New York

Is a single digital identity good for me?

Thought for the day:

You have one key that opens all the (many) doors you need to access.

This is very convenient for you, saves time and makes life so much more hassle free and easy to manage. It saves you the trouble of carrying aorund many keys or remembering where you put them all.

This one key thus becomes a very valuable asset. But surely, this must be ok. Of course, it is. Provided you dilligently look after the key, and keep it safe. Or insure it.

But, what if someone stole that key, and gained access to all your rooms, lockers and hideaways. Yes, you could change the locks and get another similar key.

Then again, what if your key was compromised without your knowledge? And you were targetted on the basis of someone knowing something about you? Perhaps you may never wisen up to this, if you are not overly affected or then again something nasty might happen to you and your personal effects.

Defining digital identity

Here is something I have come up with in my quest for the definition of digital identity. This is only a working definition and all comments and suggestions are welcome.

"Digital identity refers to any digital representation (whole or partial)
of an entity,
in tangible or abstract form,
either self-created,
externally assigned
or consequentially generated."

Watch this space.

Links to this definition: http://citizenl.hors-sujet.com/?p=12

My quest to find the perfect ( or rather holistic) "digital identity" definition is on.

The question is is this possible? Or even advisable?

I'm also very, very upset by the whale killing pictures I've seen. And I'm no vegetarian.

The right to DI life and privacy

Can the right to digital identity be read into the right to life and privacy? or need it be made a separate right altogether? I going to think long and hard about this one. So should you.

Catching up with news

A lot happened while I was busy in the real world. Google, NTT and the US GSA deployed SAML 2.0. Yahoo rolled out OpenID 2.0 framework. The ECJ ruled that the identity of file sharers was to be protected in civil suits. Press reports like this show how golden the biometric goose is. And in India, the MNIC came under fire once again.

Helping men pursue women: another lesson learnt in e-governance

BBC News reports that a text messaging service launched in Madhya Pradesh was withdrawn after complaints that it was being used to gain contact details of women and harrass them !

Virtual thieving = thieving: Its that plain and simple

An arrest for virtual theft. Read the story.

Tch, tch.... wrongful arrests..and who can you trust ?

An IANS report states that a man ( a tech guy) was arrested on "suspicion of having posted insulting images of Chhatrapati Shivaji on Internet networking site Orkut". His innocence was later discovered - and a certain telecom company (who revealed the identity of its customer) and an ISP ( whose networking site the images were posted on) were said to be at fault for providing the wrong information to the police.

See what happens when we leave it to the ISPs?

Chris Soghoian offers an analysis of the events.

Will we get a landmark damages judgment here?

Buddies now -Google and My Space

A BBC report states that MySpace is to join Google's OpenSocial.

And so the Facebook - Google competition is expected to hot up ( in terms of their applications being thrown open to outside software developers.)

Huh, according to a very geekie friend of mine and in anticipation of advent... Its all about Google now

You better watch out ....
Google is taking over town.

So much for the Facebook hype, can we please talk about Orkut now?

Orkut in the dock in Brazil

Google found itself in a not so good position after it reportedly put ads on Orkut beside images of pictures of naked children and abused animals. The ads were suspended and Google's Brazilian Head of Operations is facing criminal contempt charges for refusing to turn Orkut users' data over to police. Orkut has been accused of becoming a portal for criminal acitivities ranging from child porn to racist speech [vide Prof T N De Oliveira's report on the matter]

Update: Reporters Without Borders has urged the Sao Paulo state prosecutor, Rodrigo Cesar Rebello Pinho, to safeguard freedom of speech on 13 November 2008, when an attempt at conciliation between the Brazilian judicial authorities and Google’s Brazilian subsidiary is due to take place.

Truth, distortions and manipulations: Indian ISP liability in the dock

An article in the Times ( a much impassioned one, I must say), alleges that there is a clear and present danger to the Internet in India( don't hold your breath!). Read the full article.

So I thought I would check this out.

And then I saw this- Naavi's rebuttal of the Times of India report.

I shall defer my opinion till more comes to light.

Watch this space.

More data sharing plans

While the plan to merge to merge the U.K.'s General Register Office (which deals with the registration of births and deaths), into the nation's Identity and Passport Service have come under criticism from several quarters- perhaps this is a necessary evil?

Ode to ID Cards

The Pet Shop Boys show their dispproval for ID cards in their new single.

The song is called Integral and is supposed to be an authoritative rant for privacy - perhaps, this form of protest may generate a heightened interest in the debate!

All things real and virtual…

Problem with your company in the real world?
Make a virtual protest…especially if your company has a significant online presence.

Read Outlaw’s Report on Second Life picketing.

There are “real” problems,
There are “virtual” problems,
And there are problems that are both.
Take a “virtual” problem, make it “real”
And a “real,” “virtual”
And that’s the way it should be (is).
© RERodrigues

Creative Commons licenses take a bit of heat with Virgin Mobile being sued over it allegedly using a photo of a girl in an ad without her permission.

Recommended: The ICO's films on identity

I enjoyed ( rather was more than amused) to see the ICO's films on protecting personal information and identity. Have fun watching.

Here's to the Manifesto of Radical Inaction

The Manifesto for Radical Inaction in relation to the legal challenges/ threats posed by Web 2.0 was proposed at the SCL Law 2.0 Conference held in London. It can be found at PanGloss.

My pithier/shorter version:

1. LEGISLATE NOT IN HASTE, NOR GET CARRIED AWAY BY THOSE THAT KNOW NOT WHAT TO DO (BUT LIKE TO PRETEND THEY DO!)

2. LET WEB 2.0 BLOSSOM

3. WHAT (LAW THERE) IS, MUST BE EXTENDED AND APPLIED.

4. AND WHILE WE FIGURE OUT THE BEST SOLUTION, IP AND PRIVACY MUST TAKE CENTRESTAGE!

I think I'm going to carry these in my wallet as a perpetual reminder. Hurrah to Chris Reed.

Bitten by the bug: so who else can I find on Orkut?

It was hard to undertand why employers were rushing off to ban the use of social networking sites. There was I over the weekend with a bit of time to spare -and decided to take a peek into the going ons in the social networking world. Now I'm in and I understand just how those employers must feel. Everyone seems to be in ( and everything as well!).

It starts like this- you create a profile and start finding friends who have friends who you were once friends with and you want to be their friend again, or simply say hello and then you discover they are connected to another of those elusive acquaintances of yours. I'm sure you get the drift.

I always did wonder

Doctorow gives a very illustrative account of what would happen in a Googled world.

What will the future be, I ponder...

Bored of Web 2.0, then here's Web 3.0

There was me
Just getting friendly with Web 2.0
And now it looks like
it will soon be the next decade and Web 3.0!

Found this very interesting Round-up on web 3.0 and maybe you can also re-think the history of the web.

Identity in the InfoSoc

The Third International Summer School on the Future of Identity in the Information Society was organized by IFIP WG 9.2, 9.6/11.7, 11.6 in cooperation with FIDIS Network of Excellence and HumanIT at Karlstad University, Sweden, 6th – 10th August 2007. It was a very interesting event with some very good keynotes on Social and Political Dimensions of Identity (C Raab), Claims-Based Identity Layer for the "New" Internet (S Kavsan), Second Life - Security and Privacy at Risk(M Swimmer), Second Life Social and Legal Challenges (R Leenes) etc. The workshops conducted focussed on a range of topics like: the forensic frameworks for tracing phishers, Identity, trust and consent, community isolation in an age of infotech overload, Rules for Identity access and Control, entreprise identity management for corporations, fundamentals of anonymity metrics, Digital identity in India, RFID issues.

My personal favourite was Rasmussen and Ortiz on Changing Identities: particularly the point they reiterated about the need to identify identity paradoxes across cultures to empower information societies.

Facebooked privacy !

Pangloss has some interesting comments on Facebook.

I have just one: Facebook is about social networking ( ummm that means connectivity, lack of privacy)... in fact for social networking to fulfil its purpose, openess is often a prerequisite.
For social networking to be effective must bank on a degrees of openess!

For more see the item at Wired: http://www.wired.com/techbiz/media/news/2007/07/facebook_changes

THE CALL ME NOT LIST

Mobile phone users in India are finally set to get a reprieve from unwanted direct marketing calls. TRAI is to set up a "Do Not Call" list which subscribers will be able to register on. A very welcome intiative, but did it have to take a Supreme Court Order to get us going?

See BBC Report.

The MNIC becomes operational and India joins the compulsory identification bandwagon

A report in the Hindu states that the MNIC scheme becomes operational today in India...

The MNIC (Mulitpurpose National Identity Card) is a tamper poof? plastic card with visble data and a microchip requiring a reader. Each citizen would get a unique sixteen digit ID number.

Big-bio brother is here: wanting, taking and keeping your DNA

Here is a link to my Bileta 2007 abstract on the England and Wales National DNA Database- Full paper out now.

Retention of bio information, function creep and sleepless nights

Comments are invited on the retention of bioinformation !

Do you think that the retention of bioinformation obtained from those not convicted of an offence is vital to meet the needs of law enforcement?

I am researching this area at the moment... and will come up with some scenarios that would if not enlighten you, definitely make you think twice about how law enforcement is becoming subservient to a certain administrative function creep.

More jurisdictional nightmares for cybercops and lawyers in India

A report in the Economic Times illustrates how the international locations of firms and their policies is posing a hurdle to effective law enforcment even in respect of minor computer crime complaints.

E-veils and forced choices

A news item on the BBC website entitled 'Enemies of the internet' is very interesting food for thought. It draws attention to a Blacklist drawn up by Reporters Without Borders of 13 countries that come out tops as regards Internet censorship and denial of freedom of expression.

More on phones

A report by Associated Press in the Guardian advises users not to keep secrets on their mobile phones while comparing the information to that stored in a personal diary. It emerges that manually erasing informnation stored on a phone isn't enough... Getting rid of techno data is no piece of cake.

Moral of the story: What doesnt exist, cannot come back to hurt you. Suggestions to solve the problem include destroying the phone-literally speaking. I wonder what the environmentalists will retort to that though.

And now the Blackberry

I am getting into a very doomsday phase about whether my personal information will remain personal anymore. With the latest BBC report that the Blackberry can be hijacked to steal confidential data, I am becoming less and less a fan of slick gadgets that are being designed to make life more convenient. Seems like there is always a catch. And the cons.

Another crack, another clone

TechNewsWorld reports on Grunwald's success in cracking the RFID-based U.S. passport and cloning the chip within.

Is this measure designed with security in mind becoming increasingly fraught with inherent security issues?

More proaction on the ID theft front

Minnesota has put into place a new law that will allow residents to freeze their credit reports in an attempt to safeguard the information from falling into the wrong hands.

Varsity data threats

A report outlining data security breaches in colleges is no good news