Access To Knowledge (A2K)

Privacy and Surveillance Roundtable

praskrishna — 2014-06-29T14:50:20Z

The Centre for Internet and Society and the Cellular Operators Association of India invite you to a roundtable at the India International Centre, New Delhi on July 4, 2014.

Background and Context to the Roundtables

In India, lawful interception of communications may be conducted by the state in three ways: firstly, intercepting telephone calls and other telecommunications may take place under powers listed in the Telegraph Act, 1885 and procedure set out in the Telegraph Rules, 1951; secondly, intercepting written communications transmitted through the postal service or by private couriers may occur under the Post Office Act, 1898; and, thirdly, intercepting, de-crypting, and monitoring email messages and other electronic communications may take place under the Information Technology Act, 1950 and two sets of Rules issued in 2008.

The government’s intention to create a Central Monitoring System to automate the existing process of telephone tapping is significant for a number of reasons. It will bypass private telephone service providers; currently the active cooperation of TSPs is required and compelled in order to intercept and monitor a telephone conversation. This creates an extra layer of compliance activity for TSPs which is cumbersome and expensive. Interception orders from the state often do not comply with the procedure required by law. This uncertainty is compounded by the lack of an indemnity for TSPs.

However, while the CMS will release TSPs from legal liability, it will leave the government free to conduct telephone interceptions in absolute secrecy and without a credible system of oversight and checks and balances. Amongst the world’s major democratic countries, India is alone in refusing to overhaul its telephone tapping regime. The legal requirements of probable cause, judicial sanction, and warrant-based interception – which are followed with exceptions in democracies around the world – are not adequately protected in India. The same principles also apply to the interception of postal and electronic communications.

There are several intelligence and police agencies in India that conduct interceptions of communications without central coordination. Previous cases in the Supreme Court of India and a few Indian High Courts reveal many cases of improper and even illegal surveillance. The sheer number of interested state agencies, the concerns of inadequate oversight, the lack of a credible legal regime, the constant leaks of private communications, and the poor legal protection given to TSPs and ISPs must be legally addressed.

Information about the Roundtables

The Privacy and Surveillance Roundtables are a CIS initiative, in partnership with the Cellular Operators Association of India (COAI). From June 2014 – November 2014, CIS and COAI will host seven Privacy and Surveillance Roundtable discussions across multiple cities in India. The Roundtables will be closed-door deliberations involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India. The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The Report of the Group of Experts on Privacy

In January 2012 Justice A.P. Shah formed a committee to create a report of recommendations for privacy legislation in India. The committee met seven times from January 2012 to September 2012. The Report is made up of six chapters and begins by reviewing the international best practices around privacy and the relevant Indian jurisprudence. The Report then recommends nine National Privacy Principles to be adopted by each sector in India. The Nine National Privacy Principles reflect international standards, as well as taking into consideration the Indian context. Along with the National Privacy Principles, the Report lays out a regulatory framework for privacy including privacy commissioners at the regional and national level, self regulating organizations at the industry level, and a system of complaints. Finally the report demonstrates how the National Privacy Principles could be used to harmonize existing legislation and practices.

The Draft CIS Citizens Privacy (Protection) Bill 2013

The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness, completing in depth research, and driving a privacy legislation in India. As part of this work, the Centre for Internet and Society has drafted the Privacy (Protection) Bill 2013. The Citizens Privacy Protection Bill contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the privacy commissioner, and lays out offenses and penalties for contravention of the Act. The Bill represents a citizens’ version of a privacy legislation, and will be shared with civil society, industry, and government. It is hoped that the review and revision of the Bill will be a participatory process, and thus comments and feedback to it’s’ provisions will be included as annex’s to the Bill.

The International Principles on the Application of Human Rights to Communication Surveillance

These principles were defined in 2013 in response to rapidly changing technologies and surveillance practices. The principles are the outcome of a global consultation with civil society groups, industry and international experts in communications surveillance law, policy and technology, spearheaded by the Electronic Frontier Foundation US and Privacy International UK. As technologies that facilitate State surveillance of communications advance, States are failing to ensure that laws and regulations related to communications surveillance adhere to international human rights and adequately protect the rights to privacy and freedom of expression. These principles attempt to explain how international human rights law applies in the current digital environment, particularly in light of the increase in and changes to communications surveillance technologies and techniques. These principles can provide civil society groups, industry, States and others with a framework to evaluate whether current or proposed surveillance laws and practices are consistent with human rights.

Tentative Agenda

Time	Detail
10.00 11.00	Introduction
11.00 11.30	Tea
11.30 13.00	Discussion
13.00 14.00	Lunch
14.00 16.00	Discussion
16.00 16.15	Tea

Resources

For more details visit https://cis-india.org/internet-governance/events/privacy-and-surveillance-roundtable-new-delhi

Report on ICANN 50

jyoti — 2014-10-12T05:42:04Z

Jyoti Panday attended ICANN 50 in London from 22-26 June. Below are some of the highlights from the meeting.

From 22- 26 June, ICANN hosted its 50^th meeting in London, the largest congregation of participants, so far. In the wake of the IANA transition announcement, Internet governance was the flavor of the week. ICANN’s transparency and accountability measures emerged as much contested notions as did references to NETmundial. This ICANN meeting clearly demonstrated that questions as to the role of ICANN in internet governance need to be settled.

ATLAS II

Coinciding with ICANN meeting was the 2^nd At-Large Summit, or ATLAS II, bringing together a network of regionally self organized and self supporting At-Large structures, representing individual Internet users throughout the world. The goal of the meeting was to discuss, reach consensus and draft reports around five issues organized around five issues organized around thematic groups of issues of concerns to the At-Large Community.

The subjects for the thematic groups were selected by the representatives of ALSes, each summit participant was allocated to thematic groups according to his/her preferences. The groups included were:

Future of Multistakeholder models
The Globalization of ICANN
Global Internet: The User perspective
ICANN Transparency and Accountability
At-Large Community Engagement in ICANN

Fahad Chehade Five Point Agenda

ICANN President, Mr Chehade in his address to the ICANN community covered five points which he felt were important for ICANN in planning its future role. The first topic was the IANA Stewardship and transition, and he stated that ICANN is committed to being a transparent organization and seeks to be more accountable to the community as the contract with the US government ends. Regarding the IANA transition, he remarked that ICANN had received thousands of comments and proposals regarding the transition of IANA stewardship and understood there would be much more discussion on this subject, and that a coordination group has been proposed of 27 members representing all different stakeholders in order to plot the course forward for IANA transition.

His second topic was about ICANN globalization and hardening of operations. He said that ICANN has about 2-3 years to go before he is comfortable that ICANN operations are where they need to be. He applauded the new service channels which allows customer support in many different languages and time zones, and mentioned local language support that would add to the languages in which ICANN content is currently available. Chehade spent a few minutes discussing the future of WHOIS "Directory" technology and highlighted the initial report that a working group had put together, led by Jean-Francois Poussard.

Next he covered the GDD, the Global Domains Division of ICANN and an update from that division on the New gTLD program. He mentioned the ICANN Auction, the contracts that had been signed, and the number of New gTLDs that had already been delegated to the Root. Internet Governance was Chehade's 4th topic of discussion, he applauded the NETmundial efforts, though he stressed that internet governance is one of the things that ICANN does and it will not be a high priority. He ended his speech with his last point, calling for more harmony within the ICANN community.

High Level Government Meeting

During ICANN London, UK government hosted a high-level meeting, bringing together representatives from governments of the world to discuss Internet Governance and specifically the NTIA transition of the IANA contract. Government representatives recognized that the stewardship of IANA should be a shared responsibility between governments and private sector groups, while other representatives stressed giving governments a stronger voice than other stakeholders. The consensus at the meeting held that the transition should not leave specific governments or interest groups with more control over the Internet, but that governments should have a voice in political issues in Internet Governance.

GAC Communiqué

GAC Communique, is a report drafted by the Governmental Advisory Committee, advising the ICANN board on decisions involving policy and implementation. Highlights from the communiqué include:

The GAC advises the Board regarding the .africa string, saying it would like to see an expedited process, especially once the Independent Review Panel comes to a decision regarding the two applicants for the string. They reaffirm their decision that DotConnectAfrica's application should not proceed.
The GAC mentioned the controversy surrounding .wine and .vin, where some European GAC representatives strongly felt that the applications for these strings should not proceed without proper safeguards for geographic names at the second level. However, the GAC was unable to reach consensus advice regarding this issue and thus did not relay any formal advice to the Board.
The GAC requested safeguards in the New gTLDs for IGO (Inter-Governmental Organization) names at the second level, and specifically related such advice for names relating to Red Cross and Red Crescent.

Civil Society in ICANN and Internet Governance

NCUC, or the Noncommercial Users Constituency www.ncuc.org, voice of civil society in ICANN’s policy processes on generic top level domain names and related matters, as well as other civil society actors from the ICANN community organized a workshop to provide an opportunity for open and vigorous dialogue between public interest advocates who are active both within and outside the ICANN community.

For more details visit https://cis-india.org/internet-governance/blog/report-on-icann-50

PMA Policy and COAI Recommendations

dipankar — 2014-07-02T06:45:22Z

Introduction

The Ministry of Communications and Information Technology on the 10th of February, 2012 released a notification [1] in the Official Gazette outlining the Preferential Market Access [2] Policy for Domestically Manufactured Electronic Goods 2012. The Policy is applicable to procurement of telecom products by Government Ministries/Departments and to such electronics that had been deemed to having security concerns, thus making the policy applicable to private bodies in the latter half. The Notification reasoned that preferential access was to be given to domestically manufactured electronic goods predominantly for security reasons. Each Ministry or Department was to notify the products that had security implications, with reasons, after which the notified agencies would be required to procure the same from domestic manufacturers. This policy was also meant to be applicable to even procurement of electronic goods by Government Ministries/Agencies for Governmental purposes except Defence. Each Ministry would be required to notify its own percentage of such procurement, though it could not be less than 30%, and also had to specify the Value Addition that had to be made to a particular product to qualify it as a domestically manufactured product, with the policy again specifying the minimum standards. The policy was also meant for procurement of electronic hardware as a service from Managed Service Providers (MSPs).

The procurement was to be done as according to the policies of the each procuring agency. The tender was to be apportioned according to the procurement percentage notified and the preference part was to be allotted to the domestic manufacturer at the lowest bid price. If there were no bidders who were domestic manufacturers or if the tender was not severable, then it was to be awarded to the Foreign Manufacturer and the percentage adjusted as against other electronic procurement for that period.

Telecom equipment that qualifies as domestically manufactured telecom products for preferential market access include: encryption and UTM platforms, Core/Edge/Enterprise routers, Managed leased line network equipment, Ethernet Switches, IP based Soft Switches, Media gateways, Wireless/Wireline PABXs, CPE, 2G/3G Modems, Leased-line Modems, Set Top Boxes, SDH/Carrier Ethernet/Packet Optical Transport Eqiupments, DWDN systems, GPON equipments, Digital Cross connects, small size 2G/3G GSM based Base Station Systems, LTE based broadband wireless access systems, Wi-Fi based broadband wireless access systems, microwave radio systems, software defined radio cognitive radio systems, repeaters, IBS, and distributed antenna system, satellite based systems, copper access systems, network management systems, security and surveillance communication systems (video and sensors based), optical fiber cable.

The Policy also mentioned the creation of a self-certification system to declare domestic value addition to the vendor. The checks would be done by the laboratories accredited by the Department of Information Technology. The policy was to be in force for a period of 10 years and any dispute concerning the nature of product was to be referred to the Department of Information Technology.

International and Domestic Response to the Policy

There was a large scale opposition, usually from international sectors, towards the mooting of this policy. Besides business houses, even organizations like those of the United States Trades Representatives criticized the policy as being harmful to the global market and in violation of the World Trade Organization Guidelines.[3] Criticism also poured in from domestic bodies in terms of recommendations towards modification of the policy largely on three grounds: (i) the high domestic value addition requirement and the method of calculation of the same, (ii) the lack of a link between manufacturing and security and (iii) application of the policy to the private sector.

The Cellular Operations Association of India (COAI) in a letter dated March 15, 2012 to the Secretary of the Department Technology and Chairman of the Telecom Commission expressed its views on the telecom manufacturing in the country.[4]The COAI stated that such a development had to be done realistically and holistically so that the whole eco-system was developed as a comprehensive whole. In that regard it also forwarded a study that had been commissioned by COAI and conducted by M/s. Booz and Company titled “Telecom Manufacturing Policy – Developing an Actionable Roadmap”. The report was a comprehensive study of the telecom industry and outlined the challenges and opportunities that lay on its development trajectory. It also talked about Government involvement in the development process. The Report while citing the market share of Indian Telecom Industry which would be around 3% [5] of the Global Market highlighted the fact that no country could be self-sufficient in technology. It further talked about the development of local clusters in order to cut costs and encourage manufacturing, while ensuring that the PMA Policy was consistent with the WTO Guidelines. It further recommended opening up of foreign investments and making capital available to ensure growth of innovation. Finally it highlighted the lack of a connection between manufacturing and security and instead stressed upon proper certification, checks and development of a comprehensive CIIP framework across all sensitive networks for security purposes.

In a further letter to the Joint Secretary of the Department of Information and Technology dated April 25, 2012 the COAI expressed some reservations concerning the draft guidelines that had been published along with the notification.[6] While stressing upon the fact that a higher value addition would be impossible with the lack of basic manufacturing capabilities for the development of technological units, it also highlighted the need to redefine Bill of Materials which had been left ambiguous and subject to exploitation. It further highlighted the fact that allowing every Ministry to make its own specifications would lead to inconsistent definitions and an administrative challenge and hence such matters should be handled by a Central Body. Furthermore it opined that the calculation of BOMs and the Value Additions should be done using the concept of substantial transformation as has been given in the Booz Study. Furthermore, while discouraging the use of disincentives, it stated that one individual Ministry should be in charge of specifying such incentives to avoid confusion and for the sake of ease of business.

In another letter to a Member of the Department of Telecommunications dated July 12, 2012 the COAI stressed upon the futility of having high value additions as the same was impossible under the present scenario.[7] There was a lack of manufacturing sector which had to be comprehensively developed backed by fiscal incentives and comprehensive policies. In spite of that, it stressed that no country could become self-reliant and that such policies, like the PMA, were reminiscent of the “license and permit raj” era. It further said that such policies should be consistent with WTO Guidelines and should not give undue preference to domestic manufacturers to the detriment of other manufacturers. Countering the security aspect, it said that the same had been addressed by the DoT License Amendment of May 31, 2011 whereby all equipments on the network would have to comply with the “Safe to Connect” standard, and stressed upon the lack of any link between manufacturing and security. Furthermore for calculation of Value Addition it suggested an alternative to the method proposed by the Government as the same would lead to disclosures of sensitive commercial information which were contained in the BOMs. The COAI said that the three stages as laid out in the Substantial Transformation (as mentioned in the Booz Study) should be used for calculating the VA. It made several proposals to develop the telecom manufacturing industry in India including provision of fiscal incentives, development of telecom clusters and comprehensive policies which led to harmonization with laws and creation of SEZs among other such benefits.

In October 2012 the Government released a draft notification notifying products due to security consideration in furtherance of the PMA Policy.[8] The document outlined the minimum PMA and VA specification for a range of products. It also stated several security reasons for pursuing such a policy and stated that India had to be completely self-reliant for its active telecom products. It also contained data on the predicted growth of the telecom market in India. The COAI thereafter released a document commenting upon the draft notification of the Government.[9]

Besides highlighting the fact that the COAI still had not received a response to its former comments, it again stressed upon the lack of a link between security and manufacturing. It reiterated its point on the impossibility of a complete self-reliance on any nation’s part, and stressed upon the need of involving other stakeholders in the promulgation of such policies. It also made changes to the notified list of equipments, reclassifying it according to technology and only listing equipments which had volumes. Furthermore it also suggested changes towards the calculation of value addition to include materials sourced from local suppliers, in-house assemblage to be considered local material and the calculation to be done for complete order and not for each item in the order. It further recommended a study be conducted and the industry be involved while predicting demands as such were dated and needed revision. The Government thereafter released a revised notification[10] on October 5, 2012 but it did not contain much of the commented changes that the COAI had proposed.

Thereafter in April 2013, the DeitY released draft guidelines[11] for providing preference to domestically manufactured electronic products in Government Procurement in further of the second part of the PMA Policy. The guidelines besides containing definitions to several terms such as BOM also prescribed a minimum of 20% domestic procurement while leaving the specifications onto individual Ministries. It recommended the establishment of a technical committee by the concerned Ministry or Department that would recommend value addition to products. It followed a BOM based calculation of Value Addition while leaving the matter of certification to be dealt by DeitY certified laboratories that are notified for such purposes by the concerned Ministry/Department. DeitY was the nodal ministry for monitoring the implementation of the policy while particular monitoring was left to each Ministry or Department concerned. Among the annexures were indicative lists of generic and telecom products and a format for Self Certification regarding Domestic Value Addition in an Electronic Product.

The COAI thereafter released a revised draft containing its own comments on April 15, 2013.[12] The COAI pointed out faults in the definition of BOM. It highlighted the difficulty in splitting R&D according to countries, and also stressed upon the impractical usage of BOM in calculation of value addition as the same was confidential business information. As it had already suggested earlier, it reiterated the usage of the Substantial Transformation process for the calculation of Value Addition. While removing the lists of equipments mentioned, it further pointed out that the disqualification in the format for self-certification would be a very harsh disincentive and would result in driving away manufacturers. It suggested that there should be incentives for compliance instead.

The COAI along with the Association of Unified Telecom Service Providers of India sent a letter dated January 24, 2013 to the Secretary, DoT containing their inputs on Draft List of Security Sensitive Telecom Products for Preferential Market Access (PMA).[13] It again stressed upon the fact that security and manufacturing were not related and that the security aspect had been dealt by the “Safe to Connect” requirement mandated by the DoT License Amendment. It talked of the impossibility of arriving at VA figures until the same is defined to internationally accepted norms. Further it opined that if the Government had security concerns it should consider VA at a network level in the configurations as would be deployed in the network or its segments rather at element or subsystem levels as the latter would leave too many calculations open and the procurement entities will find it very difficult to ensure if they meet the PMA requirement or not. It further stressed upon the need to comply with WTO Guidelines while stressing upon the need to pay heed to certification standards than pursue the unavailable link between manufacturing and security through a PMA Policy. Finally it suggested a grouping of telecom products for the policy based on technology rather than individual products.

Pursuant to a Round Table Conference Organized by the Department of Information and Technology, AUSPI and COAI sent another letter dated April 15, 2013 to the Secretary, Department of Information and Technology.[14] It reiterated several points that both the AUSPI and COAI had been suggesting to the Government on the Telecom Manufacturing Policy. It cited the examples of other manufacturing nations to reiterate the fact that no country could be completely self-reliant in manufacturing electronics and such positions would only lead to creation of an environment that would not be conducive to global business. It further stressed upon the need to change the manner of calculation of VA while highlighting the fact that every Department should notify its list of products having security implications and the list of telecom equipment should be deleted from the draft guidelines being issued by DeitY to ensure better implementation.

A major change came in on July 8, 2013 when the Prime Minister’s Office made a press release withdrawing the PMA policy for review and withholding all the notifications that had been issued in that regard.[15] It said that he revised proposal will incorporate a detailed provision for project / product / sector specific security standards, alternative modes of security certification, and a roadmap for buildup of domestic testing capacity. It further noted that the revised proposal on PMA in the private sector for security related products will not have domestic manufacturing requirements, percentage based or otherwise and that the revised proposal will incorporate a mechanism for a centralised clearing house mechanism for all notifications under the PMA Policy.

The COAI thereafter on November 7, 2013 sent a letter to the DoT containing feedback on the list of items slated for Government procurement.[16] It noted that there were 23 products on which PMA was applicable. It pointed out that there were no local manufacturers for many of the products notified. It also asked the Government to take steps to ensure that fiscal incentives were given to encourage manufacturing sector which was beset by several costs such as landing costs which acted as impediments to its development. It stressed upon the tiered development of the industry needed to ensure that a holistic and comprehensive growth is attained which would result in manufacturing of local products. It requested that the Government "focus on right enablers (incentives, ecosystem, infrastructure, taxation) as the outcome materializes once all of these converge."

The COAI sent a further letter dated November 13, 2013 to the DoT concerning the investment required in the telecom manufacturing industry.[17] It noted the projected required investment of 152bn USD in the telecom sector and that the Government had projected that 92% of the investment would have to come from the Private Sector. COAI, while stressing upon the need of the Government and the Private Industry to work in tandem with each other, suggested that the Government devise methods to attract investments in the telecom sectors from international telecom players and that the Telecom Equipment Manufacturing Council meet to review and revise methods for attracting such investments.

Pursuant to the PMO directive, DeitY released a revised PMA Policy on the 23rd of December, 2014.[18] While there have been a few major changes, not all of recommendations by various bodies have been adhered to.[19] The major changes in the revised policy included the exemption of the private sector from the policy and the removal of PMA Policy to equipments notified for security reasons. The manner of calculation of the domestic value addition has not been changed though there has been a reduction in the percentage of value addition needed to qualify a product as domestic product. Another addition has been of a two-tiered implementation mechanism for the Policy. Tier-I includes a National Planning and Monitoring Council for Electronic Products which would design a 10-year roadmap for the implementation of the policy including notification of the products and subsequent procurement. Under Tier-II, the Ministries and Departments will be issuing notifications specifying products and the technical qualifications of the same, after approval by the Council. The former notifications under the 2012 Policy, including the notification of 23 telecom products by Department of Telecom,[20] are still valid until revised further.[21]

[1]. No. 8(78)/2010-IPHW. Available at http://www.dot.gov.in/sites/default/files/5-10-12.PDF (accessed 03 June, 2014).

[2]. Preferential Market Access

[3]. See The PMA Debate, DataQuest at http://www.dqindia.com/dataquest/feature/191001/the-pma-debate/page/1 (accessed June 2014).

[4]. The letter is available at http://www.coai.com/Uploads/MediaTypes/Documents/letter-to-dit-on-pma-notification.pdf (accessed June, 2014).

[5]. Around $17bn.

[6]. The letter is available at http://www.coai.com/Uploads/MediaTypes/Documents/letter-to-dit-on-pma-notification.pdf (accessed June, 2014).

[7]. The letter is available at http://www.coai.com/Uploads/MediaTypes/Documents/coai-to-dot-on-enhancing-domestic-manufacturing-of-telecom-equipment-bas.pdf (accessed June, 2014).

[8]. The notification no. 18-07/2010-IP can be found at http://www.coai.com/Uploads/MediaTypes/Documents/DoT-draft-notification-on-Policy-for-preference-to-domestically-manufactured-telecom-products-in-procurement-October-2012.pdf (accessed June, 2014).

[9]. The commented COAI draft can be found at http://www.coai.com/Uploads/MediaTypes/Documents/Annexure-1-Comments-on-draft-notification-by-DoT.pdf (accessed June, 2014).

[10]. Available at http://www.coai.com/Uploads/MediaTypes/Documents/dots-notification-on-telecom-equipment-oct-5,-2012.pdf (accessed June, 2014).

[11]. The draft guidelines can be found at http://www.coai.com/Uploads/MediaTypes/Documents/pma_draft-govt-procurement-guidelines-april-2013.pdf (accessed June, 2014).

[12]. The COAI commented draft can be found at http://www.coai.com/Uploads/MediaTypes/Documents/pma-draft-security-guidelines-15-april-2013.pdf (accessed June, 2014).

[13]. The letter can be found at http://www.coai.com/Uploads/MediaTypes/Documents/jac-007-to-dot-on-Januarys-list-of-telecom-products-final.pdf (accessed June, 2014).

[14]. The letter can be found at http://www.coai.com/Uploads/MediaTypes/Documents/jac-to-moc-on-pma.pdf (accessed June, 2014).

[15]. The press release can be found at http://www.coai.com/Uploads/MediaTypes/Documents/pmo-on-pma.pdfhttp://www.coai.com/Uploads/MediaTypes/Documents/pmo-on-pma.pdf (accessed June, 2014).

[16]. The letter can be found at http://www.coai.com/Uploads/MediaTypes/Documents/COAI-letter-to-DoT-on-Feedback-on-List-of-Items-for-Govt-Procurement.pdf (accessed June, 2014).

[17]. The letter can be found at http://www.coai.com/Uploads/MediaTypes/Documents/COAI-letter-to-DoT-on-Investments-Required-(TEMC)-Nov%2013-2013.pdf (accessed June, 2014).

[18]. The Notification No. 33(3)/2013-IPHW can be found at http://deity.gov.in/sites/upload_files/dit/files/Notification_Preference_DMEPs_Govt_%20Proc_23_12_2013.pdf (accessed June, 2014).

[19]. For more information, see http://electronicsb2b.com/policy-corner/revised-preferential-market-access-policy/# (accessed June, 2014).

[20]. The notification has been mentioned and discussed above.

[21]. A list of notifications dealing with electronic products except telecom products can be found on the website of DeitY at http://deity.gov.in/esdm/pma (accessed June, 2014).

For more details visit https://cis-india.org/internet-governance/blog/pma-policy-and-coai-recommendations

IANA Transition: Suggestions for Process Design

Smarika Kumar — 2014-06-22T09:15:21Z

With analysis of community-input and ICANN processes, Smarika Kumar offers concrete suggestions for process design. She urges the Indian government to take a stronger position in matters of IANA transition.

Introduction:

On 14 March 2014, the NTIA of the US Government announced its intention to transition key internet domain name functions to the global multistakeholder community. These key internet domain name functions comprise functions executed by Internet Assigned Numbers Authority (IANA), which is currently contracted to ICANN by the US government. The US Government delineated that the IANA transition proposal must have broad community support and should address the following four principles:

Support and enhance the multistakeholder model;
Maintain the security, stability, and resiliency of the Internet DNS;
Meet the needs and expectation of the global customers and partners of the IANA services; and
Maintain the openness of the Internet.

Additionally, the US Government asked ICANN to convene a multistakeholder process to develop the transition plan for IANA. In April 2014, ICANN issued a Scoping Document for this process which outlined the scope of the process, as well as, what ICANN thinks, should not be a part of the process. In the spirit of ensuring broad community consensus, ICANN issued a Call for Public Input on the Draft Proposal of the Principles, Mechanisms and Process to Develop a Proposal to Transition NTIA’s Stewardship of IANA Functions on 8 April 2014, upon which the Government of India made its submission.

ICANN is currently deliberating the process for the development of a proposal for transition of IANA functions from the US Government to the global multistakeholder community, a step which would have implications for internet users all over the world, including India. The outcome of this process will be a proposal for IANA transition. The Scoping Document and process for development of the proposal are extremely limited and exclusionary, hurried, and works in ways which could potentially further ICANN’s own interests instead of global public interests. Accordingly, the Government of India is recommended take a stand on the following key points concerning the suggested process.

Submissions by the Government of India thus far, have however, failed to comment on the process being initiated by ICANN to develop a proposal for IANA transition. While the actual outcome of the process in form of a proposal for transition is an important issue for deliberation, we hold that it is of immediate importance that the Government of India, along with all governments of the world, pay particular attention to the way ICANN is conducting the process itself to develop the IANA transition proposal. The scrutiny of this process is of immense significance in order to ensure that democratic and representative principles sought by the GoI in internet governance are being upheld within the process of developing the IANA transition proposal. How the governance of the IANA functions will be structured will be an outcome of this process. Therefore if one expects a democratic, representative and transparent governance of IANA functions as the outcome, it is absolutely essential to ensure that the process itself is democratic, representative and transparent.

Issues and Recommendations:

Ensuring adequate representation and democracy of all stakeholders in the process for developing the proposal for IANA transition is essential to ensuring representative and democratic outcomes. Accordingly, one must take note of the following issues and recommendations concerning the process.

Open, inclusive deliberation by global stakeholders must define the Scope of the Process for developing proposal for IANA transition:

The current Scoping Document was issued by ICANN to outline the scope of the process by which the proposal for IANA transition would be deliberated. The Scoping Document was framed unilaterally by ICANN, without involvement of the global stakeholder community, and excluding all governments of the world including USA. Although this concern was voiced by a number of submissions to the Public Call by ICANN on the Draft Proposal, such concern was not reflected in ICANN’s Revised Proposal of 6 June 2014. It merely states that the Scoping Document outlines the “focus of this process.” Such a statement is not enough because the focus as well as the scope of the process needs to be decided in a democratic, unrepresentative and transparent manner by the global stakeholder community, including all governments.

This unilateral approach to outline which aspects of IANA transition should be allowed for discussion, and which aspects should not, itself defeats the multistakeholder principle which ICANN and the US government claim the process is based on. Additionally, global community consensus which the US Govt. hopes for the outcome of such process, cannot be conceivable when the scope of such process is decided in a unilateral and undemocratic manner. Accordingly, the current Scoping Document should be treated only as a draft, and should be made open to public comment and discussion by the global stakeholder community in order that the scope of the process reflects concerns of global stakeholders, and not just of the ICANN or the US Government.

Accountability of ICANN must be linked to IANA Transition within Scope of the Process:

ICANN Accountability must not run merely as a parallel process, since ICANN accountability has direct impact on IANA transition. The current Scoping Document states, “NTIA exercises no operational role in the performance of the IANA functions. Therefore, ICANN’s role as the operator of the IANA functions is not the focus of the transition: it is paramount to maintain the security, stability, and resiliency of the DNS, and uninterrupted service to the affected parties.” However this rationale to exclude ICANN’s role as operator of IANA from the scope of the process is not sound because NTIA does choose to appoint ICANN as the operator of IANA functions, thereby playing a vicarious operational role in the performance of IANA functions.

The explicit exclusion of ICANN’s role as operator of IANA functions from the scope of the process works to serve ICANN’s own interests by preventing discussions on those alternate models where ICANN does not play the operator role. Basically, this presumes that in absence of NTIA stewardship ICANN will control the IANA functions. Such presumption raises disturbing questions regarding ICANN’s accountability as the IANA functions operator. If discussions on ICANN’s role as operator of IANA functions is to be excluded from the process of developing the proposal for IANA transition, it also implies exclusion of discussions regarding ICANN’s accountability as operator of these functions.

Although ICANN announced a process to enhance its accountability on 6 May 2014, this was designed as a separate, parallel process and de-linked from the IANA transition process. As shown, ICANN’s accountability, its role as convenor of IANA transition process, and its role as current and/or potential future operator of IANA functions are intrinsically linked, and must not be discussed in separate, but parallel process. It is recommended that ICANN accountability in the absence of NTIA stewardship, and ICANN’s role as the operator of IANA functions must be included within the Scoping Document as part of the scope of the IANA transition process. This is to ensure that no kind of IANA transition is executed without ensuring ICANN’s accountability as and if as the operator of IANA functions so that democracy and transparency is brought to the governance of IANA functions.

Misuse or appearance of misuse of its convenor role by ICANN to influence outcome of the Process must not be allowed:

ICANN has been designated the convenor role by the US Govt. on basis of its unique position as the current IANA functions contractor and the global co-ordinator for the DNS. However it is this unique position itself which creates a potential for abuse of the process by ICANN. As the current contractor of IANA functions, ICANN has an interest in the outcome of the process being conducive to ICANN. In other words, ICANN prima facie is an interested party in the IANA transition process, which may tend to steer the process towards an outcome favourable to itself. ICANN has already been attempting to set the scope of the process to develop the proposal for IANA transition unilaterally, thus abusing its position as convenor. ICANN has also been trying to separate the discussions on IANA transition and its own accountability by running them as parallel processes, as well as attempting to prevent questions on ICANN’s role as operator of IANA functions by excluding it from the Scoping Document. Such instances provide a strong rationale for defining the limitations of the role of ICANN as convenor.

Although ICANN’s Revised Proposal of 6 June 2014 stating that ICANN will have a neutral role, and the Secretariat will be independent of ICANN staff is welcome, additional safeguards need to be put in place to avoid conflicts of interest or appearance of conflicts of interest. The Revised Proposal itself was unilaterally issued, whereby ICANN incorporated some of the comments made on its Proposed Draft, in the revised Draft, but excluded some others without providing rationale for the same. For instance, comments regarding inclusion of ICANN’s role as the operator of IANA functions within the Scoping Document, were ignored by ICANN in its Revised Proposal.

It is accordingly suggested that ICANN should limit its role to merely facilitating discussions and not extend it to reviewing or commenting on emerging proposals from the process. ICANN should further not compile comments on drafts to create a revised draft at any stage of the process. Additionally, ICANN staff must not be allowed to be a part of any group or committee which facilitates or co-ordinates the discussion regarding IANA transition.

Components of Diversity Principle should be clearly enunciated in the Draft Proposal:

The Diversity Principle was included by ICANN in the Revised Proposal of 6 June 2014 subsequent to submissions by various stakeholders who raised concerns regarding developing world participation, representation and lack of multilingualism in the process. This is laudable. However, past experience with ICANN processes has shown that many representatives from developing countries as well as from stakeholder communities outside of the ICANN community are unable to productively involve themselves in such processes because of lack of multilingualism or unfamiliarity with its way of functioning. This often results in undemocratic, unrepresentative and non-transparent decision-making in such processes.

In such a scenario, merely mentioning diversity as a principle is not adequate to ensure abundant participation by developing countries and non-ICANN community stakeholders in the process. Concrete mechanisms need to be devised to include adequate and fair geographical, gender, multilingual and developing countries’ participation and representation on all levels so that the process is not relegated merely to domination by North American or European entities. Accordingly, all the discussions in the process should be translated into multiple native languages of participants in situ, so that everyone participating in the process can understand what is going on. Adequate time must be given for the discussion issues to be translated and circulated widely amongst all stakeholders of the world, before a decision is taken or a proposal is framed. To concretise its diversity principle, ICANN should also set aside funds and develop a programme with community support for capacity building for stakeholders in developing nations to ensure their fruitful involvement in the process.

The Co-ordination Group must be made representative of the global multistakeholder community:

Currently, the Co-ordination Group includes representatives from ALAC, ASO, ccNSO, GNSO, gTLD registries, GAC, ICC/BASIS, IAB, IETF, ISOC, NRO, RSSAC and SSAC. Most of these representatives belong to the ICANN community, and is not representative of the global multistakeholder community including governments. This is not representative of even a multistakeholder model which the US Govt. has announced for the transition; nor in the multistakeholder participation spirit of NETmundial.

It is recommended that the Co-ordination Group then must be made democratic and representative to include larger global stakeholder community, including Governments, Civil Society, and Academia, with suitably diverse representation across geography, gender and developing nations. Adequate number of seats on the Committee must be granted to each stakeholder so that they can each co-ordinate discussions within their own communities and ensure wider and more inclusive participation.

Framing of the Proposal must allow adequate time:

All stakeholder communities must be permitted adequate time to discuss and develop consensus. Different stakeholder communities have different processes of engagement within their communities, and may take longer to reach a consensus than others. If democracy and inclusiveness are to be respected, then each stakeholder must be allowed enough time to reach a consensus within its own community, unlike the short time given to comment on the Draft Proposal. The process must not be rushed to benefit a few.

Smarika Kumar is a graduate of the National Law Institute University, Bhopal, and a member of the Alternative Law Forum, a collective of lawyers aiming to integrate alternative lawyering with critical research, alternative dispute resolution, pedagogic interventions and sustained legal interventions in social issues. Her areas of interest include interdisciplinary research on the Internet, issues affecting indigenous peoples, eminent domain, traditional knowledge and pedagogy.

For more details visit https://cis-india.org/internet-governance/blog/iana-transition-suggestions-for-process-design

CIS Policy Brief: IANA Transition Fundamentals & Suggestions for Process Design

geetha — 2014-07-08T08:39:41Z

In March 2014, the US government announced that it would transfer oversight of IANA functions to an as-yet-indeterminate global multi-stakeholder body. This policy brief, written by Smarika Kumar and Geetha Hariharan, explains the process concisely.

Short Introduction:

In March 2014, the National Telecommunications and Information Administration (NTIA) announced its intention to transition key Internet domain name functions to the global multi-stakeholder community. Currently, the NTIA oversees coordination and implementation of IANA functions through contractual arrangements with ICANN and Verisign, Inc.

The NTIA will not accept a government-led or inter-governmental organization to steward IANA functions. It requires the IANA transition proposal to have broad community support, and to be in line with the following principles: (1) support and enhance the multi-stakeholder model; (2) maintain the security, stability, and resiliency of the Internet DNS; (3) meet the needs and expectation of the global customers & partners of IANA services; (4) maintain the openness of the Internet.

ICANN was charged with developing a proposal for IANA transition. It initiated a call for public input in April 2014. Lamentably, the scoping document for the transition did not include questions of ICANN’s own accountability and interests in IANA stewardship, including whether it should continue to coordinate the IANA functions. Public Input received in May 2014 revolved around the composition of a Coordination Group, which would oversee IANA transition. Now, ICANN will hold an open session on June 26, 2014 at ICANN-50 to gather community feedback on issues relating to IANA transition, including composition of the Coordination Group.

CIS Policy Brief:

CIS' Brief on IANA Transition Fundamentals explains the process further, and throws light on the Indian government's views. To read the brief, please go here.

Suggestions for Process Design

As convenor of the IANA stewardship transition, ICANN has sought public comments on issues relating to the transition process. We suggest certain principles for open, inclusive and transparent process-design:

Short Introduction:

In March 2014, the US government through National Telecommunications and Information Administration (NTIA) announced its intention to transition key Internet domain name functions (IANA) to the global multi-stakeholder community. The NTIA announcement states that it will not accept a government-led or intergovernmental organization solution to replace its own oversight of IANA functions. The Internet Corporation for Assigned Names and Numbers (ICANN) was charged with developing a Proposal for the transition.

At ICANN-49 in Singapore (March 2014), ICANN rapidly gathered inputs from its community to develop a draft proposal for IANA transition. It then issued a call for public input on the Draft Proposal in April 2014. Some responses were incorporated to create a Revised Proposal, published on June 6, 2014.

Responses had called for transparent composition of an IANA transition Coordination Group, a group comprising representatives of ICANN’s Advisory Committees and Supporting Organizations, as well as Internet governance organizations such as the IAB, IETF and ISOC. Also, ICANN was asked to have a neutral, facilitative role in IANA transition. This is because, as the current IANA functions operator, it has a vested interest in the transition. Tellingly, ICANN’s scoping document for IANA transition did not include questions of its own role as IANA functions operator.

ICANN is currently deliberating the process to develop a Proposal for IANA transition. At ICANN-50, ICANN will hold a governmental high-level meeting and a public discussion on IANA transition, where comments and concerns can be voiced. In addition, discussion in other Internet governance fora is encouraged.

CIS Policy Brief:

CIS' Brief on IANA Transition Principles explains our recommendations for transition process-design. To read the brief, please go here.

For more details visit https://cis-india.org/internet-governance/blog/cis-policy-brief-iana-transition-fundamentals-and-suggestions-for-process-design

Understanding IANA Stewardship Transition

Smarika Kumar — 2014-06-22T03:23:37Z

Smarika Kumar describes the process of the IANA stewardship transition, and enumerates what the NTIA announcement does and does not do.

NTIA Announcement and ICANN-convened Processes:

On 14 March 2014, the National Telecommunications and Information Administration (NTIA) of the US Government announced “its intent to transition key Internet domain name functions to the global multistakeholder community”. These key Internet domain name functions refer to the Internet Assigned Numbers Authority (IANA) functions. For this purpose, the NTIA asked the Internet Corporation for Assigned Names and Numbers (ICANN) to “convene global stakeholders to develop a proposal to transition the current role played by NTIA in the coordination of the Internet’s domain name system (DNS)”. This was welcome news for the global Internet community, which has been criticising unilateral US Government oversight of Critical Internet Resources for many years now. NTIA further announced that IANA transition proposal must have broad community support and should address the following four principles:

Support and enhance the multistakeholder model;
Maintain the security, stability, and resiliency of the Internet DNS;
Meet the needs and expectation of the global customers and partners of the IANA services; and
Maintain the openness of the Internet.

Subsequently, during ICANN49 in Singapore (March 23-27, 2014), ICANN held flurried discussions to gather initial community feedback from participants to come up with a Draft Proposal of the Principles, Mechanisms and Process to Develop a Proposal to Transition NTIA’s Stewardship of the IANA Functions on 8 April 2014, which was open to public comments until 8 May 2014, which was further extended to 31 May 2014. Responses by various stakeholders were collected in this very short period and some of them were incorporated into a Revised Proposal issued by ICANN on 6th June 2014. ICANN also unilaterally issued a Scoping Document defining the scope of the process for developing the proposal and also specifying what was not part of the scope. This Scoping Document came under severe criticism by various commentators, but was not amended.

ICANN also initiated a separate but parallel process to discuss enhancement of its accountability on 6 May 2014. This was launched upon widespread distress over the fact that ICANN had excluded its role as operator of IANA functions from the Scoping Document, as well as over questions of accountability raised by the community at ICANN49 in Singapore. In the absence of ICANN’s contractual relationship with NTIA to operate the IANA functions, it remains unclear how ICANN will stay accountable upon the transition. The accountability process looks to address the same through the ICANN community. The issue of ICANN accountability is then envisioned to be coordination within ICANN itself through an ICANN Accountability Working Group comprised of community members and a few subject matter experts.

What are the IANA Functions?

Internet Assigned Numbers Authority, or IANA functions consist of three separate tasks:

Maintaining a central repository for protocol name and number registries used in many Internet protocols.
Co-ordinating the allocation of Internet Protocol (IP) and Autonomous System (AS) numbers to the Regional Internet Registries, who then distribute IP and AS numbers to ISPs and others within their geographic regions.
Processing root zone change requests for Top Level Domains (TLDs) and making the Root Zone WHOIS database consisting of publicly available information for all TLD registry operators.

The first two of the abovementioned functions are operated by ICANN in consonance with policy developed at the Internet Engineering Task Force (IETF) and Address Supporting Organisation (ASO) respectively, both of which exist under the ICANN umbrella.

The performance of last of these functions is distributed between ICANN and Verisign. NTIA has a Cooperative Agreement with Verisign to perform the related root zone management functions. The related root zone management functions are the management of the root zone “zone signing key” (ZSK), as well as implementation of changes to and distribution of the DNS authoritative root zone file, which is the authoritative registry containing the lists of names and addresses for all top level domains.

Currently, the US Government oversees this entire set of operations by contracting with ICANN as well as Verisign to execute the IANA functions. Though the US Government does not interfere generally in operations of either ICANN or Verisign in their role as operators of IANA functions, it cannot be denied that it exercises oversight on both the operators of IANA functions, through these contracts.

Import of the NTIA Announcement:

The NTIA announcement of 14th March intends to initiate the withdrawal of such oversight of IANA functions by the NTIA in order to move towards global multistakeholder governance. NTIA has asked ICANN to initiate a process to decide upon what such global multistakeholder governance of IANA functions may look like. The following diagram presents the current governance structure of IANA functions and the areas that the NTIA announcement seeks to change:

The IANA Oversight Mechanism (Source)

What does the NTIA Announcement NOT DO?

The NTIA announcement DOES NOT frame a model for governance of IANA functions once it withdraws its oversight role. NTIA has asked ICANN to convene a process, which would figure the details of IANA transition and propose an administrative structure for IANA functions once the NTIA withdraws its oversight role. But what this new administrative structure would look like has not itself been addressed in the NTIA announcement. As per the NTIA announcement, the new administrative structure is yet to be decided by a global multistakeholder community in accordance with the four principles outlined by the NTIA through a process, which ICANN shall convene.

The NTIA announcement DOES NOT limit discussions and participation in IANA transition process to within the ICANN community. NTIA has asked ICANN to convene “global stakeholders to develop a proposal to transition” IANA functions. This means all global stakeholders participation, including that of Governments and Civil Society is sought for the IANA transition process. ICANN has been asked “to work collaboratively with the directly affected parties, including the Internet Engineering Task Force (IETF), the Internet Architecture Board (IAB), the Internet Society (ISOC), the Regional Internet Registries (RIRs), top level domain name operators, VeriSign, and other interested global stakeholders”, in the NTIA announcement. This however does not signify that discussions and participation in development of proposal for IANA transition needs to be limited to the ICANN community or the technical community. In fact, ICANN has itself said that the list of events provided as “Timeline of Events” in its Draft Proposal of 8 April 2014 for engagement in development of a proposal for IANA transition is non-exhaustive. This means proposal for IANA transition can be developed by different stakeholders, including governments and civil society in different fora appropriate to their working, including at the IGF and WSIS+10.

The NTIA announcement DOES NOT mean devolution of IANA functions administration upon ICANN. NTIA chooses ICANN and Verisign to operate the IANA functions. If NTIA withdraws from its role, the question whether ICANN or Verisign should operate the IANA functions at all becomes an open one, and should be subject to deliberation. By merely asking ICANN to convene the process, the NTIA announcement in no way assigns any administration of IANA functions to ICANN. It must be remembered that the NTIA announcement says that key Internet domain name functions shall transition to the global multistakeholder community, and not the ICANN community.

The NTIA announcement DOES NOT prevent the possibility of removal of ICANN from its role as operator of IANA functions. While ICANN has tried to frame the Scoping Document in a language to prevent any discussions on its role as operator of IANA functions, the question whether ICANN should continue in its operator role remains an open one. There are at least 12 submissions made in response to ICANN’s Draft Proposal by varied stakeholders, which in fact, call for the separation of ICANN’s role as policy maker (through IETF, ASO, gNSO, ccNSO), and ICANN’s role as the operator of IANA functions. Such calls for separation come from private sector, civil society, as well as the technical community, among others. Such separation was also endorsed in the final NETmundial outcome document (paragraph 27). Governments have, in general, expressed no opinion on such separation in response to ICANN’s Draft Proposal. It is however urged that governments express their opinion in favour of such separation to prevent consolidation of both policy making and implementation within ICANN, which would lead to increased potential situations for the ICANN Board to abuse its powers.

For more details visit https://cis-india.org/internet-governance/blog/understanding-iana-transition

Commonwealth Domain Name System Forum 2014

praskrishna — 2014-07-03T09:27:08Z

This event took place on 19 June 2014 from 09:00-17:30 BST at ICANN50 | London in the Viscount room. It was organized by the CTO, hosted by ICANN, and supported by Nominet and the Public Interest Registry.

Pranesh Prakash was a panelist for this event. The detailed brochure of the event can be downloaded here.

For more details visit https://cis-india.org/news/common-wealth-domain-name-system-forum-2014

WSIS+10 High Level Event: A Bird's Eye Report

geetha — 2014-06-20T15:57:32Z

The WSIS+10 High Level was organised by the ITU and collaborative UN entities on June 9-13, 2014. It aimed to evaluate the progress on implementation of WSIS Outcomes from Geneva 2003 and Tunis 2005, and to envision a post-2015 Development Agenda. Geetha Hariharan attended the event on CIS' behalf.

The World Summit on Information Society (WSIS) +10 High Level Event (HLE) was hosted at the ITU Headquarters in Geneva, from June 9-13, 2014. The HLE aimed to review the implementation and progress made on information and communication technology (ICT) across the globe, in light of WSIS outcomes (Geneva 2003 and Tunis 2005). Organised in three parallel tracks, the HLE sought to take stock of progress in ICTs in the last decade (High Level track), initiate High Level Dialogues to formulate the post-2015 development agenda, as well as host thematic workshops for participants (Forum track).

The High Level Track:

Opening Ceremony, WSIS+10 High Level Event (Source)

The High Level track opened officially on June 10, 2014, and culminated with the endorsement by acclamation (as is ITU tradition) of two Outcome Documents. These were: (1) WSIS+10 Statement on the Implementation of WSIS Outcomes, taking stock of ICT developments since the WSIS summits, (2) WSIS+10 Vision for WSIS Beyond 2015, aiming to develop a vision for the post-2015 global information society. These documents were the result of the WSIS+10 Multi-stakeholder Preparatory Platform (MPP), which involved WSIS stakeholders (governments, private sector, civil society, international organizations and relevant regional organizations).

The MPP met in six phases, convened as an open, inclusive consultation among WSIS stakeholders. It was not without its misadventures. While ITU Secretary General Dr. Hamadoun I. Touré consistently lauded the multi-stakeholder process, and Ambassador Janis Karklins urged all parties, especially governments, to “let the UN General Assembly know that the multi-stakeholder model works for Internet governance at all levels”, participants in the process shared stories of discomfort, disagreement and discord amongst stakeholders on various IG issues, not least human rights on the Internet, surveillance and privacy, and multi-stakeholderism. Richard Hill of the Association for Proper Internet Governance (APIG) and the Just Net Coalition writes that like NETmundial, the MPP was rich in a diversity of views and knowledge exchange, but stakeholders failed to reach consensus on crucial issues. Indeed, Prof. Vlamidir Minkin, Chairman of the MPP, expressed his dismay at the lack of consensus over action line C9. A compromise was agreed upon in relation to C9 later.

Some members of civil society expressed their satisfaction with the extensive references to human rights and rights-centred development in the Outcome Documents. While governmental opposition was seen as frustrating, they felt that the MPP had sought and achieved a common understanding, a sentiment echoed by the ITU Secretary General. Indeed, even Iran, a state that had expressed major reservations during the MPP and felt itself unable to agree with the text, agreed that the MPP had worked hard to draft a document beneficial to all.

Concerns around the MPP did not affect the review of ICT developments over the last decade. High Level Panels with Ministers of ICT from states such as Uganda, Bangladesh, Sweden, Nigeria, Saudi Arabia and others, heads of the UN Development Programme, UNCTAD, Food and Agriculture Organisation, UN-WOMEN and others spoke at length of rapid advances in ICTs. The focus was largely on ICT access and affordability in developing states. John E. Davies of Intel repeatedly drew attention to innovative uses of ICTs in Africa and Asia, which have helped bridge divides of affordability, gender, education and capacity-building. Public-private partnerships were the best solution, he said, to affordability and access. At a ceremony evaluating implementation of WSIS action-lines, the Centre for Development of Advanced Computing (C-DAC), India, won an award for its e-health application MOTHER.

The Outcome Documents themselves shall be analysed in a separate post. But in sum, the dialogue around Internet governance at the HLE centred around the success of the MPP. Most participants on panels and in the audience felt this was a crucial achievement within the realm of the UN, where the Tunis Summit had delineated strict roles for stakeholders in paragraph 35 of the Tunis Agenda. Indeed, there was palpable relief in Conference Room 1 at the CICG, Geneva, when on June 11, Dr. Touré announced that the Outcome Documents would be adopted without a vote, in keeping with ITU tradition, even if consensus was achieved by compromise.

The High Level Dialogues:

Prof. Vladimir Minkin delivers a statement. (Source)

The High Level Dialogues on developing a post-2015 Development Agenda, based on WSIS action lines, were active on June 12. Introducing the Dialogue, Dr. Touré lamented the Millennium Development Goals as a “lost opportunity”, emphasizing the need to alert the UN General Assembly and its committees as to the importance of ICTs for development.

As on previous panels, there was intense focus on access, affordability and reach in developing countries, with Rwanda and Bangladesh expounding upon their successes in implementing ICT innovations domestically. The world is more connected than it was in 2005, and the ITU in 2014 is no longer what it was in 2003, said speakers. But we lack data on ICT deployment across the globe, said Minister Knutssen of Sweden, recalling the gathering to the need to engage all stakeholders in this task. Speakers on multiple panels, including the Rwandan Minister for CIT, Marilyn Cade of ICANN and Petra Lantz of the UNDP, emphasized the need for ‘smart engagement’ and capacity-building for ICT development and deployment.

A crucial session on cybersecurity saw Dr. Touré envision a global peace treaty accommodating multiple stakeholders. On the panel were Minister Omobola Johnson of Nigeria, Prof. Udo Helmbrecht of the European Union Agency for Network and Information Security (ENISA), Prof. A.A. Wahab of Cybersecurity Malaysia and Simon Muller of Facebook. The focus was primarily on building laws and regulations for secure communication and business, while child protection was equally considered.

The lack of laws/regulations for cybersecurity (child pornography and jurisdictional issues, for instance), or other legal protections (privacy, data protection, freedom of speech) in rapidly connecting developing states was noted. But the question of cross-border surveillance and wanton violations of privacy went unaddressed except for the customary, unavoidable mention. This was expected. Debates in Internet governance have, in the past year, been silently and invisibly driven by the Snowden revelations. So too, at WSIS+10 Cybersecurity, speakers emphasized open data, information exchange, data ownership and control (the right to be forgotten), but did not openly address surveillance. Indeed, Simon Muller of Facebook called upon governments to publish their own transparency reports: A laudable suggestion, even accounting for Facebook’s own undetailed and truncated reports.

In a nutshell, the post-2015 Development Agenda dialogues repeatedly emphasized the importance of ICTs in global connectivity, and their impact on GDP growth and socio-cultural change and progress. The focus was on taking this message to the UN General Assembly, engaging all stakeholders and creating an achievable set of action lines post-2015.

The Forum Track:

Participants at the UNESCO session on its Comprehensive Study on Internet-related Issues (Source)

The HLE was organized as an extended version of the WSIS Forum, which hosts thematic workshops and networking opportunities, much like any other conference. Running in parallel sessions over 5 days, the WSIS Forum hosted sessions by the ITU, UNESCO, UNDP, ICANN, ISOC, APIG, etc., on issues as diverse as the WSIS Action Lines, the future of Internet governance, the successes and failures of WCIT-2012, UNESCO’s Comprehensive Study on Internet-related Issues, spam and a taxonomy of Internet governance.

Detailed explanation of each session I attended is beyond the scope of this report, so I will limit myself to the interesting issues raised.

At ICANN’s session on its own future (June 9), Ms. Marilyn Cade emphasized the importance of national and regional IGFs for both issue-awareness and capacity-building. Mr. Nigel Hickson spoke of engagement at multiple Internet governance fora: “Internet governance is not shaped by individual events”. In light of criticism of ICANN’s apparent monopoly over IANA stewardship transition, this has been ICANN’s continual response (often repeated at the HLE itself). Also widely discussed was the role of stakeholders in Internet governance, given the delineation of roles and responsibilities in the Tunis Agenda, and governments’ preference for policy-monopoly (At WSIS+10, Indian Ambassador Dilip Sinha seemed wistful that multilateralism is a “distant dream”).

This discussion bore greater fruit in a session on Internet governance ‘taxonomy’. The session saw Mr. George Sadowsky, Dr. Jovan Kurbalija, Mr. William Drake and Mr. Eliot Lear (there is surprisingly no official profile-page on Mr. Lear) expound on dense structures of Internet governance, involving multiple methods of classification of Internet infrastructure, CIRs, public policy issues, etc. across a spectrum of ‘baskets’ – socio-cultural, economic, legal, technical. Such studies, though each attempting clarity in Internet governance studies, indicate that the closer you get to IG, the more diverse and interconnected the eco-system gets. David Souter’s diagrams almost capture the flux of dynamic debate in this area (please see pages 9 and 22 of this ISOC study).

There were, for most part, insightful interventions from session participants. Mr. Sadowsky questioned the effectiveness of the Tunis Agenda delineation of stakeholder-roles, while Mr. Lear pleaded that techies be let to do their jobs without interference. Ms. Anja Kovacs raised pertinent concerns about including voiceless minorities in a ‘rough consensus’ model. Across sessions, questions of mass surveillance, privacy and data ownership rose from participants. The protection of human rights on the Internet – especially freedom of expression and privacy – made continual appearance, across issues like spam (Question 22-1/1 of ITU-D Study Group 1) and cybersecurity.

Conclusion:

The HLE was widely attended by participants across WSIS stakeholder-groups. At the event, a great many relevant questions such as the future of ICTs, inclusions in the post-2015 Development Agenda, the value of muti-stakeholder models, and human rights such as free speech and privacy were raised across the board. Not only were these raised, but cognizance was taken of them by Ministers, members of the ITU and other collaborative UN bodies, private sector entities such as ICANN, technical community such as the ISOC and IETF, as well as (obviously) civil society.

Substantively, the HLE did not address mass surveillance and privacy, nor of expanding roles of WSIS stakeholders and beyond. Processually, the MPP failed to reach consensus on several issues comfortably, and a compromise had to be brokered.

But perhaps a big change at the HLE was the positive attitude to multi-stakeholder models from many quarters, not least the ITU Secretary General Dr. Hamadoun Touré. His repeated calls for acceptance of multi-stakeholderism left many members of civil society surprised and tentatively pleased. Going forward, it will be interesting to track the ITU and the rest of UN’s (and of course, member states’) stances on multi-stakeholderism at the ITU Plenipot, the WSIS+10 Review and the UN General Assembly session, at the least.

For more details visit https://cis-india.org/internet-governance/blog/wsis-10-high-level-event-a-birds-eye-report

Privacy and Surveillance Roundtable

praskrishna — 2014-06-20T05:26:10Z

The Centre for Internet and Society and the Cellular Operators Association of India in collaboration with the Council for Fair Business Practices invite you to a "Privacy Roundtable" at IMC Building, IMC Marg, Churchgate, Mumbai on June 28, 2014, 10.00 a.m. to 4.00 p.m.

Time	Details
10:00 – 11:00	Introduction
11:00 - 11:30	Tea
11:30 - 13:00	Discussion
13:00 - 14:00	Lunch
14.00 - 16.00	Discussion
16.00 - 16.15	Tea

Background and Context to the Roundtables

Information about the Roundtables

The Report of the Group of Experts on Privacy

The Draft CIS Citizens Privacy (Protection) Bill 2013

The International Principles on the Application of Human Rights to Communication Surveillance

Tentative schedule for the Roundtables:

Mumbai – June 28th
New Delhi – July 4th
Ahmedabad/Hyderabad – August 1st
Bangalore – September 5th
New Delhi – October 3rd
Chennai – October 24th
New Delhi – November 7th

Resources

For more details visit https://cis-india.org/events/privacy-surveillance-roundtable

UN Human Rights Council urged to protect human rights online

geetha — 2014-06-19T13:28:32Z

63 civil society groups urged the UN Human Rights Council to address global challenges to freedom of expression, privacy and other human rights on the Internet. Centre for Internet & Society joined in the statement, delivered on behalf of the 63 groups by Article 19.

The 26th session of the United Nations Human Rights Council (UNHRC) is currently ongoing (June 10-27, 2014). On June 19, 2014, 63 civil society groups joined together to urge the United Nations Human Rights Council to protect human rights online and address global challenged to their realization. Centre for Internet & Society joined in support of the statement ("the Civil Society Statement"), which was delivered by Article 19 on behalf of the 63 groups.

In its consensus resolution A/HRC/20/8 (2012), the UNHRC affirmed that the "same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice". India, a current member of the UNHRC, stood in support of resolution 20/8. The protection of human rights online was also a matter of popular agreement at NETmundial 2014, which similarly emphasised the importance of protecting human rights online in accordance with international human rights obligations. Moreover, the WSIS+10 High Level Event, organised by the ITU in collaboration with other UN entities, emphasized the criticality of expanding access to ICTs across the globe, including infrastructure, affordability and reach.

The Civil Society Statement at HRC26 highlights the importance of retaining the Internet as a global resource - a democratic, free and pluralistic platform. However, the recent record of freedom of expression and privacy online have resulted in a deficit of trust and free, democratic participation. Turkey, Malaysia, Thailand, Egypt and Pakistan have blocked web-pages and social media content, while Edward Snowden's revelations have heightened awareness of human rights violations on the Internet.

At a time when governance of the Internet and its institutions is evolving, a human rights centred perspective is crucial. Openness and transparency - both in the governance of Internet institutions and rights online - are crucial to continuing growth of the Internet as a global, democratic and free resource, where freedom of expression, privacy and other rights are respected regardless of location or nationality. In particular, the Civil Society Statement calls attention to principles of necessity and proportionality to regulate targeted interception and collection of personal data.

The UNHRC, comprising 47 member states, is called upon to address these global challenges. Guided by resolutions A/HRC/20/8 and A/RES/68/167, the WSIS+10 High Level Event Outcome Documents (especially operative paragraphs 2, 8 and 11 of the Vision Document) and the forthcoming report of the UN High Commissioner for Human Rights regarding privacy in the digital age, the UNHRC as well as other states may gather the opportunity and intention to put forth a strong case for human rights online in our post-2015 development-centred world.

Civil Society Statement:

The full oral statement can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/un-human-rights-council-urged-to-protect-human-rights-online

Research Advisory Network Meeting

praskrishna — 2014-07-03T06:39:38Z

All sessions will take place at the OECD Headquarters, located at 2 Rue André Pascal, 75016, Paris, France. Sunil Abraham is participating in the event.

For agenda and other details, click here.

Hosting of the Event

The Organisation for Economic Co-operation and Development (OECD) has agreed to host this meeting of the Global Commission on Internet Governance’s Research Advisory Network (RAN). The OECD will provide meeting space and logistical support, and is committed to engaging the project in the development of evidence-based policy recommendations for the future of Internet governance.

Meeting Participant List

Special Guests

James Kaplan
Bill Woodcock

OECD Staff

Aaron Martin
Anne Carblanc
Sam Paltridge
Alexia Gonzalez Fanfalone
Lorrayne Porciuncula

Commission Secretariat

Caroline Baylon
Eric Jardine
Mark Raymond
Aaron Shull
Brenda Woods

Research Advisory Network Biographies

Sunil Abraham / @sunil_abraham

Sunil Abraham is the executive director of the Centre for Internet and Society (CIS). CIS is a five year old policy and academic research organization focusing on accessibility, access to knowledge, Internet governance, telecom, digital natives and digital humanities. He founded Mahiti in 1998, a social enterprise that provides technology to civil society for which he was elected an Ashoka fellow in 1999. Between June 2004 and June 2007, Sunil also managed the International Open Source Network, a project of UNDP serving 42 countries in the Asia-Pacific region.

Subimal Bhattacharjee / @subimal

Subimal Bhattacharjee is an independent consultant on defence and cyber issues, working primarily with government and private sector advisory panels in India. He is the former India country director for General Dynamics International Corporation. Subimal is a columnist and internationally respected speaker on issues of Internet governance and cyber security.

Bertrand de La Chapelle / @bdelachapelle

Bertrand de La Chapelle is the Director of the Internet & Jurisdiction Project, a global multistakeholder dialogue process developing a due process framework to handle the diversity of national laws in cross-border online spaces. He served as a Director on the ICANN Board from 2010 to 2013. From 2006 to 2010, he was France’s Thematic Ambassador and Special Envoy for the Information Society, participating in all WSIS follow-up activities and Internet governance processes, including in particular the Internet Governance Forum (IGF), and was a Vice-Chair of ICANN’s Governmental Advisory Committee (GAC). Bertrand is a graduate of Ecole Polytechnique, Sciences Po Paris and Ecole Nationale d’Administration.

Laura DeNardis / @LauraDeNardis

A scholar of Internet architecture and governance, Dr. Laura DeNardis is a CIGI senior fellow and professor at American University. She is an affiliated fellow at Yale Law School’s Information Society Project and previously served as its Executive Director. She is the Director of Research for the Global Commission on Internet Governance and is the author of The Global War for Internet Governance (Yale University Press 2014).

Patrik Fältström / @patrikhson

Patrik Fältström is head of research and development at Netnod. Previously, he was a distinguished engineer at Cisco, technical specialist at Tele2, systems manager at the Royal Institute of Technology, researcher at Bunyip Information Systems and a programmer in the Royal Swedish Navy. He has been a member of numerous advisory groups and investigations related to the Internet, both public and private sector. Patrik holds an M.Sc. in mathematics from the University of Stockholm.

Paul Fehlinger / @PaulFehlinger

Paul Fehlinger is the co-founder and manager of the Internet & Jurisdiction Project, a global multi-stakeholder dialogue process developing a due process framework to enable the coexistence of diverse national laws in cross-border online spaces. He started working on Internet governance at Sciences Po Paris and the Max Planck Institute for the Study of Societies. He is since actively engaged in the UN Internet Governance Forum, EuroDIG and other global Internet fora.

Fen Hampson

Fen Osler Hampson is a distinguished fellow and director of the Global Security & Politics Program at the Centre for International Governance Innovation (CIGI). He has served as director of the Norman Paterson School of International Affairs and is concurrently chancellor’s professor at Carleton University. He is the recipient of various awards and honours and is a frequent commentator and contributor to international media.

Clem Herman / @clemherman

Clem Herman is a senior lecturer in the Department of Computing and Communications at the UK Open University, and was previously director of the Manchester Women’s Electronic Village Hall (WEVH) pioneering the use of ICTs to empower women. She has published widely on gender issues in technology and is the founder and editor-in-chief of the International Journal of Gender Science and Technology.

Konstantinos Komaitis / @kkomaitis

Konstantinos Komaitis is a policy advisor at the Internet Society, focusing primarily on the field of digital content and intellectual property. Before joining the Internet Society in July 2012, he was a senior lecturer at the University of Strathclyde in Glasgow. Konstantinos holds a Ph.D. in law and his thesis focused on issues of intellectual property and the Internet, with particular focus on the intersection of trademarks and domain names. He is the author of The Current State of Domain Name Regulation.

Young-eum Lee

Young-eum Lee is a professor in the Department of Media Arts and Sciences at Korea National Open University. She has been involved in various Internet governance policy making processes of the Korean domain name .kr at KISA (KRNIC), and has also been involved in global Internet governance activities at ICANN. Since 2003, she has been a council member of the ccNSO representing .kr in the Asia-Pacific region. Young-eum received her M.A. in Communication Science at Northwestern University and her doctorate in Communication from the University of Michigan.

Tim Maurer

Tim Maurer is a research fellow at the New America Foundation’s Open Technology Institute. He focuses on cyberspace and international affairs, namely Internet governance, cyber-security, and human rights online. In October 2013 and February 2014, he spoke about cyber-warfare at the United Nations. Tim’s research has been published and featured by national and international print, radio and television media, including Harvard University, Foreign Policy, CNN and Slate among others. He conducts academic research as a non-resident research fellow at the University of Toronto’s Citizen Lab.

Emily Taylor / @etaylaw

Emily Taylor is a renowned expert in the field of Internet law and governance, and provides research services in areas including security, IPv6 deployment, internationalised domain names, the domain name industry, and global policy development. Her roles in the Internet sphere include chair of the WhoIs Review Committee for ICANN 2012, member of the Multistakeholder Advisory Group to the IGF (2006-2012), director of Synetergy (providing Sunrise Dispute resolution services to the largest gTLD applicant, Donuts), and several ongoing non-executive directorships.

Rolf H. Weber

Rolf H. Weber is professor for civil, commercial and European law at the University of Zurich Law School. Since 2008, he is the director of the Information and Communication Law Center at the University of Zurich, a member (now Vice-Chairman) of the Steering Committee of the Global Internet Governance Academic Network (GigaNet) as well as a member of the European Dialogue on Internet Governance (EuroDIG). Since 2009, he has been a member of the High-level Panel of Advisers of the Global Alliance for Information and Communication Technologies and Development (GAID) and author of frequent publications on Internet Governance.

Andrew Wyckoff

Andrew W. Wyckoff is the director of the OECD’s Directorate for Science, Technology and Industry. Prior to the OECD, he was a program manager of the Information, Telecommunications and Commerce program of the US Congressional Office of Technology Assessment, an economist at the US National Science Foundation and a programmer at the Brookings Institution. Andrew holds a Master of Public Policy from the JFK School of Government, Harvard University.

Special Guest Biographies

James M. Kaplan

James M. Kaplan is a partner at McKinsey & Company in New York. He convenes McKinsey's global practices in IT infrastructure and cyber-security. He has assisted leading institutions in implementing cyber-security strategies, conducting cyber-war games, optimizing enterprise infrastructure environments and exploiting cloud technologies. James led McKinsey's collaboration with the World Economic Forum on "Risk & Responsibility in a Hyper-Connected World," which was presented at the Forum's recent Annual Meeting in Davos. He published on a variety of technology topics in the McKinsey Quarterly, the Financial Times, the Wall Street Journal and the Harvard Business Review Blog Network.

Bill Woodcock

Bill Woodcock is the executive director of Packet Clearing House, the international non-governmental organization that builds and supports critical Internet infrastructure, including Internet exchange points and the core of the domain name system. Since entering the Internet industry in 1985, Bill has helped establish more than one hundred and fifty Internet exchange points. In the early 1990s, Bill developed the anycast routing technique that now protects the domain name system. In 2002 he co-founded INOC-DBA, the security-coordination hotline system that interconnects the network operations centers of more than three thousand ISPs around the world. And in 2007, Bill was one of the two international liaisons deployed by NSP-Sec to the Estonian CERT during the Russian cyber-attack.

For more details visit https://cis-india.org/news/research-advisory-network-meeting

Vodafone Report Explains Government Access to Customer Data

joe — 2014-06-19T10:38:01Z

Vodafone Group PLC, the world’s second largest mobile carrier, released a report on Friday, June 6 2014 disclosing to what extent governments can request their customers’ data.

The Law Enforcement Disclosure Report, a section of a larger annual Sustainability Report began by asserting that Vodafone "customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws."

However, the report continues, Vodafone is incapable of fully protecting its customers right to privacy, because it is bound by the laws in the various countries in which it operates. "If we do not comply with a lawful demand for assistance, governments can remove our license to operate, preventing us from providing services to our customers," The report goes into detail about the laws in each of the 29 nations where the company operates.

Vodafone’s report is one of the first published by a multinational service provider. Compiling such a report was especially difficult, according to the report, for a few reasons. Because no comparable report had been published before, Vodafone had to figure out for themselves, the “complex task” of what information they could legally publish in each country. This difficulty was compounded by the fact that Vodafone operates physical infrastructure and thus sets up a business in each of the countries where it provides services. This means that Vodafone is subject to the laws and operating licenses of each nation where it operates, unlike as a search engine such as Google, which can provide services across international borders but still be subject to United States law – where it is incorporated.

The report is an important step forward for consumer privacy. First, the Report shows that the company is aware of the conflict of interest between government authorities and its customers, and the pivotal position that the company can play in honoring the privacy of its users by providing information regarding the same in all cases where it legally can. Additionally, providing the user insight into challenges that the company faces when addressing and responding to law enforcement requests, the Report provides a brief overview of the legal qualifications that must be met in each country to access customer data. Also, Vodafone’s report has encouraged other telecom companies to disclose similar information to the public. For instance, Deutsche Telekom AG, a large European and American telecommunications company, said Vodafone’s report had led it consider releasing a report of it’s own.

Direct Government Access

The report revealed that six countries had constructed secret wires or “pipes” which allowed them access to customers’ private data. This means that the governments of these six countries have immediate access to Vodafone’s network without any due process, oversight, or accountability for these opaque practices. Essentially, the report reveals, in order to operate in one of these jurisdictions, a communications company must ensure that authorities have, real time and direct access to all personal customer data at any time, without any specific justification. The report does not name these six nations for legal reasons.

"These pipes exist, the direct access model exists,” Vodafone's group privacy officer, Stephen Deadman, told the Guardian. “We are making a call to end direct access as a means of government agencies obtaining people's communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used."

Data Organization

Vodafone’s Report lists the aggregate number of content requests they received in each country where it operates, and groups these requests into two major categories. The first is Lawful Interceptions, which is when the government directly listens in or reads the content of a communication. In the past, this type of action has been called wiretapping, but now includes reading the content of text messages, emails, and other communications.

The second data point Vodafone provides for each country is the number of Communications Data requests they receive from each country. These are requests for the metadata associated with customer communications, such as the numbers they have been texting and the time stamps on all of their texts and calls.

It is worth noting that all of the numbers Vodafone reports are warrant statistics rather than target statistics. Vodafone, according to the report, has chosen to include the number of times a government sent a request to Vodafone to "intrude into the private affairs of its citizens, not the extent to which those warranted activities then range across an ever-expanding multiplicity of devices, accounts and apps."

Data Construction

However, in many cases, laws in the various companies in which Vodafone operates prohibit Vodafone from publishing all or part of the aforementioned data. In fact, this is the rule rather than the exception. The majority of countries, including India, prohibit Vodafone from releasing the number of data requests they receive. Other countries publish the numbers themselves, so Vodafone has chosen not to reprint their statistics either. This is because Vodafone wants to encourage governments to take responsibility for informing their citizens of the statistics themselves.

The report also makes note of the process Vodafone went through to determine the legality of publishing these statistics. It was not always straightforward. For example, in Germany, when Vodafone’s legal team went to examine the legislation governing whether or not they could publish statistics on government data requests, they concluded that the laws were unclear, and asked German authorities for advice on how to proceed. They were informed that publishing any such statistics would be illegal, so they did not include any German numbers in their report. However, since that time, other local carriers have released similar statistics, and thus the situation remains unresolved.

Other companies have also recently released reports. Twitter, a microblogging website, Facebook, a social networking website, and Google a search engine with social network capabilities have all released comparable reports, but their reports differ from Vodafone’s in a number of ways. While Twitter, Google, and Facebook all specified the percent of requests granted, Vodafone released no similar statistics. However, Vodafone prepared discussions of the various legal constraints that each country imposed on telecom companies, giving readers an understanding of what was required in each country for authorities to access their data, a component that was left out of other recent reports. Once again, Vodafone’s report differed from those of Google Facebook and Twitter because while Vodafone opens businesses in each of the countries where it operates and is subject to their laws, Google, Facebook, and Twitter are all Internet companies and so are only governed by United States law.

Google disclosed that it received 27,427 requests over a six-month period ending in December, 2013, and also noted that the number of requests has increased consistently each six-month period since data began being compiled in 2009, when fewer than half as many requests were being made. On the other hand Google said that the percentage of requests it complied with (64% over the most recent period) had declined significantly since 2010, when it complied with 76% of requests.

Google went into less detail when explaining the process non-American authorities had to go through to access data, but did note that a Mutual Legal Assistance Treaty was the primary way governments outside of the United States could force the release of user data. Such a treaty is an agreement between the United States and another government to help each other with legal proceedings. However, the report indicated that Google might disclose user information in situations when they were not legally compelled to, and did not go into detail about how or when it did that. Thus, given the difficulty of obtaining a Mutual Legal Assistance Treaty in addition to local warrants or subpoenas, it seems likely that Google complies with many more non-American data requests than it was legally forced to.

Facebook has only released two such reports so far, for the two six month periods in 2013, but they too indicated an increasing number of requests, from roughly 26,000 to 28,147. Facebook plans to continue issuing reports every six months.

Twitter has also seen an increase of 22% in government requests between this and the previous reporting period, six months ago. Twitter attributes this increase in requests to an increase in users internationally, and it does seem that the website has a similarly growing user base, according to charts released by Twitter. It is worth noting that while large nations such as the United States and India are responsible for the majority of government requests, smaller nations such as Bulgaria and Ecuador also order telecom and Internet companies to turn over data.

Vodaphone’s Statistics

Though Vodafone’s report didn’t print statistics for the majority of the countries the report covered, looking at the few numbers they did publish can shed some light on the behavior of governments in countries where publishing such statistics is illegal. For the countries where Vodafone does release data, the numbers of government requests for Vodafone data were much higher than for Google data. For instance, Italy requested Vodafone data 605,601 times, while requesting Google data only 896 times. This suggests that other countries such as India could be looking at many more customers’ data through telecom companies like Vodafone than Internet companies like Google.

Vodafone stressed that they were not the only telecom company that was being forced to share customers’ data, sometimes without warrants. In fact, such access was the norm in countries where authorities demanded it.

India and the Reports

India is one of the most proliferate requesters of data, second only to the United States in number of requests for data from Facebook and fourth after the United States, France and Germany in number of requests for data from Google. In the most recent six-month period, India requested data from Google 2,513 times, Facebook 3,598 times, and Twitter 19 times. The percentage of requests granted varies widely from country. For example, while Facebook complies with 79% of United States authorities’ requests, it only grants 50% of India’s requests. Google responds to 83% of US requests but only 66% of India’s.

Facebook also provides data on the number of content restrictions each country requests. A content restriction request is where an authority asks Facebook to take down a particular status, photo, video, or other web content and no longer display it on their site. India, with 4,765 requests, is the country that most often asks Facebook to remove content.

While Vodafone’s report publishes no statistics on Indian data requests, because such disclosure would be illegal, it does discuss the legal considerations they are faced with. In India, the report explains, several laws govern Internet communications. The Information Technology Act (ITA) of 2000 is the parent legislation governing information technology in India. The ITA allows certain members of Indian national or state governments order an interception of a phone call or other communication in real time, for a number of reasons. According to the report, an interception can be ordered “if the official in question believes that it is necessary to do so in the: (a) interest of sovereignty and integrity of India; (b) the security of the State; (c) friendly relations with foreign states; (d) public order; or (e) the prevention of incitement of offences.” In short, it is fairly easy for a high-ranking official to order a wiretapping in India.

The report goes on to detail Indian authorities’ abilities to request other customer data beyond a lawful interception. The Code of Criminal Procedure allows a court or police officer to ask Vodafone and other telecom companies to produce “any document or other thing” that the officer believes is necessary for any investigation. The ITA extends this ability to any information stored in any computer, and requires service providers to extend their full assistance to the government. Thus, it is not only legally simple to order a wiretapping in India; it is also very easy for authorities to obtain customer web or communication data at any time.

It is clear that Indian laws governing communication have very little protections in place for consumer privacy. However, many in India hope to change this reality. The Group of Experts chaired by Justice AP Shah, the Department of Personnel and Training, along with other concerned groups have been working towards the drafting of a privacy legislation for India. According to the Report of the Group of Experts on Privacy, the legislation would fix the 50 or so privacy laws in India that are outdated and unable to protect citizen’s privacy when they use modern technology.

On the other hand, the Indian government is moving forward with a number of plans to further infringe the privacy of civilians. For example, the Central Monitoring System, a clandestine electronic surveillance program, gives India’s security agencies and income tax officials direct access to communications data in the country. The program began in 2007 and was announced publicly in 2009 to little fanfare and muted public debate. The system became operational in 2013.

Conclusion

Vodafone’s report indicates that it is concerned about protecting its customer’s privacy, and Vodafone’s disclosure report is an important step forward for consumer web and communication privacy. The report stresses that company practice and government policy need to come together to protect citizen’s privacy and –businesses cannot do it alone. However, the report reveals what companies can do to effect privacy reform. By challenging authorities abilities to access customer data, as well as publishing information about these powers, they bring the issue to the government’s attention and open it up to public debate. Through Vodafone’s report, the public can see why their governments are making surveillance decisions. Yet, in India, there is still little adoption of transparent business practices such as these. Perhaps if more companies were transparent about the level of government surveillance their customers were being subjected to, their practices and policies for responding to requests from law enforcement, and the laws and regulations that they are subject to - the public would press the government for stronger privacy safeguards and protections.

For more details visit https://cis-india.org/internet-governance/blog/vodafone-report-explains-govt-access-to-customer-data

Multi-stakeholder Models of Internet Governance within States: Why, Who & How?

geetha — 2014-06-16T14:27:38Z

Internet governance, for long a global exercise, has found new awareness within national frameworks in recent times. Especially relevant for developing countries, effective national IG mechanisms are important to raise awareness and ensure multi-stakeholder participation at technical, infrastructural and public policy levels.

This post is a surface-level overview of national IG bodies, and is intended to inform introductory thoughts on national IG mechanisms.

A Short Introduction

The previous decade has seen a proliferation of regional, sub-regional and national initiatives for Internet governance (IG). Built primarily on the multi-stakeholder model, these initiatives aim at creating dialogue on issues of regional, local or municipal importance. In Asia, Bangladesh has instituted a national IGF, the Bangladesh IGF, with the stated objective of creating a national multi-stakeholder forum that is specialized in Internet governance issues, and to facilitate informed dialogue on IG policy issues among stakeholders. India, too, is currently in the process of instituting such a forum. At this juncture, it is useful to consider the rationale and modalities of national IG bodies.

The Internet has long been considered a sphere of non-governmental, multi-stakeholder, decentralized, bottom-up governance space. The Declaration of Independence of Cyberspace, John Perry Barlow’s defiant articulation of the Internet’s freedom from governmental control, is a classic instance of this. The Internet is a “vast ocean”, we claimed; “no one owns it”.[1] Even today, members of the technical community insist that everyone ought to “let techies do their job”: a plea, if you will, of the complexity of cyber-walls and –borders (or of their lack).

But as Prof. Milton Mueller argues in Ruling the Root, the Internet has always been a contentious resource: battles over its governance (or specifically, the governance of the DNS root, both the root-zone file and the root servers) have leapt from the naïveté of the Declaration of Independence to a private-sector-led, contract-based exploitation of Internet resources. The creation of ICANN was a crucial step in this direction, following arbitrary policy choices by Verizon and entities managing the naming and numbering resources of the Internet.

The mushrooming of parallel tracks of Internet governance is further evidence of the malleability of the space. As of today, various institutions – inter-governmental and multi-stakeholder – extend their claims of governance. ICANN, the World Summit of Information Society, the World Conference on International Telecommunications, the Internet Governance Forum and the Working Group on Enhanced Cooperation under the ECOSOC Committee for Science, Technology and Development are a few prominent tracks. As of today, the WSIS process has absorbed various UN special bodies (the ITU, UNESCO, UNCTAD, UNDP are but a few), with the UNESCO instituting a separate study on Internet-related issues. A proposal for a multilateral Committee on Internet-Related Policies remains stillborn.

Amongst these, the Internet Governance Forum (IGF) remains a strong contender for a truly multi-stakeholder process facilitating dialogue on IG. The IGF was set up following the recommendation of the Working Group of Internet Governance (WGIG), constituted after the Geneva phase of the WSIS.

Rationale: Why Have National IG bodies?

The issue of national multi-stakeholder cooperation/collaboration in IG is not new; it has been alive since the early 2000s. The Tunis Agenda, in paragraph 80, encourages the “development of multi-stakeholder processes at the national, regional and international levels to discuss and collaborate on the expansion and diffusion of the Internet as a means to support development efforts to achieve internationally agreed development goals and objectives, including the Millennium Development Goals” (emphasis supplied).

In its June 2005 Report, the Working Group on Internet Governance (WGIG) emphasizes that “global Internet governance can only be effective if there is coherence with regional, subregional and national-level policies”. Towards this end it recommends that “coordination be established among all stakeholders at the national level and a multi-stakeholder national Internet governance steering committee or similar body be set up” (emphasis supplied). The IGF, whose creation the WGIG recommended, has since been commended for its impact on the proliferation of national IGFs.

The rationale, then, was that multi-stakeholder steering committees at the national level would help to create a cohesive body to coordinate positions on Internet governance. In Reforming Internet Governance, WGIG member Waudo Siganga writes of the Internet Steering Committee of Brazil as a model, highlighting lessons that states (especially developing countries) may learn from CGI.br.

The Brazilian Internet Steering Committee (CGI.br) was set up in 1995 and is responsible, inter alia, for the management of the .br domain, distribution of Internet addresses and administration of metropolitan Internet exchange points. CERT.br ensures network security and extends support to network administrators. Siganga writes that CGI.br is a “well-structured multistakeholder entity, having representation from government and democratically chosen representatives of the business sector, scientific and technological community and an Internet expert”.

Why is CGI.br a model for other states? First, CGI.br exemplifies how countries can structure in an effective manner, a body that is involved in creating awareness about IG issues at the national level. Moreover, the multi-stakeholder nature of CGI.br shows how participation can be harnessed effectively to build capacity across domestic players. This also reflects the multi-stakeholder aspects of Internet governance at the global level, clarifying and implementing the WSIS standards (for instance). Especially in developing countries, where awareness and coordination for Internet governance is lacking at the national level, national IG committees can bridge the gap between awareness and participation. Such awareness can translate into local solutions for local issues, as well as contributing to an informed, cohesive stance at the global level.

Stakeholders: Populating a national IG body

A national IG body – be in steering committee, IGF or other forum – should ideally involve all relevant stakeholders. As noted before, since inception, the Internet has not been subject to exclusive governmental regulation. The World Summit on Information Society recognized this, but negotiations amongst stakeholders resulted in the delegation of roles and responsibilities: the controversial and much-debated paragraph 35 of the Tunis Agenda reads:

Policy authority for Internet-related public policy issues is the sovereign right of States. They have rights and responsibilities for international Internet-related public policy issues.
The private sector has had, and should continue to have, an important role in the development of the Internet, both in the technical and economic fields.
Civil society has also played an important role on Internet matters, especially at community level, and should continue to play such a role.
Intergovernmental organizations have had, and should continue to have, a facilitating role in the coordination of Internet-related public policy issues.
International organizations have also had and should continue to have an important role in the development of Internet-related technical standards and relevant policies.

This position remains endorsed by the WSIS process; the recent WSIS+10 High Level Event endorsed by acclamation the WSIS+10 Vision for WSIS Beyond 2015, which “respect mandates given by Tunis Agenda and respect for the multi-stakeholder principles”. In addition to government, the private sector and civil society, the technical community is identified as a distinct stakeholder group. Academia has also found a voice, as demonstrated by stakeholder-representation at NETmundial 2014.

A study of the Internet Society (ISOC) on Assessing National Internet Governance Arrangements, authored by David Souter, maps IG stakeholders at the global, regional and national levels. At the global level, primary stakeholders include ICANN (not-for-profit, private sector corporation involved in governance and technical coordination of the DNS), the IETF, IAB and W3C (technical standards), governments and civil society organizations, all of which participate with different levels of involvements at the IGF, ICANN, ITU, etc.

At the national/municipal level, the list of stakeholders is as comprehensive. Governmental stakeholders include: (1) relevant Ministries (in India, these are the Ministry of Information and Broadcasting, and the Ministry of Communications and Information Technology – the Department of Electronics and Information Technology under the MCIT is particularly relevant), and (2) regulators, statutory and independent (the Telecom Regulatory Authority of India, for example). At the national level, these typically seek inputs from other stakeholders while making recommendations to governments, which then enact laws or make policy. In India, for instance, the TRAI conducts consultations prior to making recommendations to the government.

Within the private sector, there may be companies (1) on the supply-side, such as infrastructure networks, telecommunications service companies, Internet Service Providers, search engines, social networks, cybercafés, etc., and (2) on the demand-side, online businesses, advertising/media, financial service providers, etc. who use the Internet. There may also be national registries managing ccTLDs, such as the Registro.br or the National Internet Exchange of India (NIXI). There may also the press and news corporations representing both corporate and public interest under specific circumstances (media ownership and freedom of expression, for distinct examples).

Civil society organisations, including consumer organisations, think-tanks and grassroots organisations, participate at various levels of policy-making in the formal institutional structure, and are crucial in representing users and public interest. The complexity of stakeholders may be seen from Souter’s report, and this enumeration is but a superficial view of the national stakeholder-population.

Processes: Creating effective national IG bodies

National IG bodies – be they steering committees, IGFs, consultative/working groups or other forums – may be limited by formal institutional governmental settings. While limited by the responsibility-gradient in paragraph 35 of the Tunis Agenda, an effective national IG body requires robust multi-stakeholder participation, as Souter notes, in technical governance, infrastructure and public policy issues. Its effectiveness also lies in governmental acquiescence of its expertise and recommendations; in short, in the translation of the IG body’s decisions into policy.

How do these stakeholders interact at the national level? In addition to the Brazilian example (CGI.br), an ISOC study by Souter and Monica Kerretts-Makau, Internet Governance in Kenya: An Assessment, provides a detailed answer. At the technical level, the registry KENIC manages the .ke domain, while the Kenya Computer Incident Response Team Coordination Centre coordinates national responses to incidents and collaborates internationally on cyber-security issues. A specific IPv6 Force to promote Kenya’s transition to IPv6 was also created.

At the infrastructural level, both the government and the private sector play important roles. Directly, ministries and government departments consult with infrastructure providers in creating policy. In India, for instance, the TRAI conducts multi-stakeholder consultations on issues such as telecom tariffs, colocation tariffs for submarine cable stations and mobile towers, etc. The government may also take a lead in creating infrastructure, such as the national optic fibre networks in India and Kenya, as also creating investment opportunities such as liberalizing FDI. At the public policy level, there may exist consultations initiated by government bodies (such as the TRAI or the Law Commission), in which other stakeholders participate.

As one can see, government-initiated consultations by ministries, regulators, law commissions or specially constituted committees. Several countries have also set up national IGFs, which typically involve all major stakeholders in voluntary participation, and form a discussion forum for existing and emerging IG issues. National IGFs have been considered particularly useful to create awareness within the country, and may best address IG issues at the domestic policy level. However, Prof. Mueller writes that what is necessary is a “reliable mechanism reliable mechanisms for consistently feeding the preferences expressed in these forums to actual global policy-making institutions like ICANN, RIRs, WIPO, and WTO which impact distributional outcomes”.

[1] M. Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace 57 (2002).

For more details visit https://cis-india.org/internet-governance/blog/multi-stakeholder-models-of-internet-governance-within-states-why-who-how

A Review of the Functioning of the Cyber Appellate Tribunal and Adjudicatory Officers under the IT Act

divij — 2014-07-03T05:43:23Z

Tribunals and quasi-judicial bodies are a regular feature of the Indian judicial system, as they provide for easier and less onerous methods for dispute resolution, especially disputes which relate to technical areas and often require technical knowledge and familiarity with specialised factual scenarios.

Further, quasi-judicial bodies do not have the same procedural restrictions as proper courts, which makes the adjudication of disputes easier. The Information Technology Act of India, which regulates several important aspects of electronic information, including the regulation of private electronic transactions as well as detailing civil and criminal offences relating to computers and electronic information, contemplates a specialised dispute resolution mechanism for disputes relating to the offences detailed under the Act. The Act provides for the establishment of quasi-judicial bodies, namely adjudicating officers under S.46, to hear disputes arising out of Chapter IX of the Act, namely, offences of a civil nature under S.43, 43A, 44 and 45 of the Act, as well as criminal offences described under Chapter XI of the Act. The adjudicating officer has the power to both award compensation as damages in a civil remedy, as well as impose penalties for the contravention of the Act,[1] and therefore has powers of both civil and criminal courts. The first appellate body provided in the Act, i.e. the authority that any party not satisfied by the decision of the adjudicating officer can appeal to, is the Cyber Appellate Tribunal, consisting of a Chairperson and any other members so prescribed by the Central Government.[2] The second appeal, if a party is aggrieved by the decision of the Cyber Appellate Tribunal, may be filed before the High Court having jurisdiction, within 60 days from the date of communication of the order.[3]

Functioning of the Offices of the State Adjudicating Officers and the Cyber Appellate Tribunal

The office of the adjudicating officer is established under S.46 of the IT Act, which provides that the person appointed to such a post must be a government officer of a rank not below that of a Director or an equivalent rank, and must have experience both in the field of Information Technology as well as legal or judicial experience.[4] In most cases, the appointed adjudicating officer is the Principle Secretary to the Department of Information Technology in the state.[5] The decisions of these adjudicating officers determine the scope and meaning of several provisions of the IT Act, and are instrumental in the development of the law in this field and filling a lacuna regarding the interpretation of these important provisions, particularly in areas such as data protection and privacy.[6] However, despite the large number of cyber-crime cases being registered across the country,[7] there is a lack of available judgements on the adjudication of disputes under Sections 43, 43A, 44 and 45 of the Act. Of all the states, only the websites of the Departments of Information Technology in Maharashtra,[8], Tamil Nadu[9], New Delhi[10], and Haryana[11] have reported judgements or orders of the Adjudicating Officers. The adjudicating officer in Maharasthra, Rajesh Aggarwal, has done a particularly commendable job, having disposed of 51 cases under the IT Act, with 20 cases still pending.

The first Cyber Appellate Tribunal set up by the Central Government is located at New Delhi. Although a second branch of the Tribunal was to be set up in Bangalore, no efforts seem to have been made in this regard.[12] Further, the position of the Chairperson of the Appellate Tribunal, has been left vacant since 2011, after the appointed Chairperson attained the age of superannuation and retired. Although judicial and technical members have been appointed at various points, the tribunal cannot hold hearings without a chairperson. A total of 17 judgements have been passed by the Cyber Appellate Tribunal prior to the retirement of the chairperson, while the backlog of cases is continuously growing.[13] Despite a writ petition being filed before the Karnataka High Court and the secretary of the Department of IT coming on record to state that the Chairperson would be appointed within 6 months (of September 2013), no action seems to have been taken in this regard, and the lacunae in the judicial mechanism under the IT Act continues. The proper functioning of adjudicating officers and the Cyber Appellate Tribunal is particularly necessary for the functioning of a just judicial system in light of the provisions of the Act (namely, Section 61) which bar the jurisdiction of ordinary civil courts in claims below the amount of Rs. 5 Crores, where the adjudicating officer or the CAT is empowered.[14]

Analysis of Cases Filed under Section 43A

Section 43A of the Information Technology Act was inserted by the 2008 Amendment, and is the principle provision governing protection of information held by intermediaries under the Act. Section 43A provides that “body corporates” handling “sensitive personal data” must implement reasonable security practices for the protection of this information. If it is negligent in providing or maintaining such reasonable security practices, the body corporate is to be held liable and must pay compensation for the loss occurred.[15] Rule 3 of the Draft Reasonable Security Practices Rules, defines sensitive personal data as including – passwords, user details as provided at the time of registration or thereafter, information related to financial information such as Bank account/ credit card /debit card /other payment instrument details of the users, physiological and mental health conditions, medical records and history, biometric information, information received by body corporate for processing, stored or processed under lawful contract or otherwise and call data records.[16]

All the decisions of appointed adjudicators are available for an analysis of Section 43A are from the adjudicating officer in Maharashtra, Mr. Rajesh Tandon, who despite having no judicial experience, has very cogent analysis and knowledge of legal issues involved in the cases, which is commendable for a quasi-judicial officer.

One class of cases, constituting a major chunk of the claims, is where the complainant is claiming against a bank for the fraudulent transfer of funds from the claimants account to another account. In most of these cases, the adjudicating officer examined the compliance of the bank with “Know Your Customer” norms and guidelines framed by the Reserve Bank of India for prevention of banking fraud and, where such compliance was found to be lacking and information which allowed the bank accounts of the complainant was allowed to be accessed by fraudsters, the presumption is that the bank was negligent in the handling of “sensitive personal information”,[17] by failing to provide for reasonable security practices and consequently was liable for compensation under S.43A, notwithstanding that the complainant also contributed to compromising certain personal information by responding to phishing mails,[18] or divulging information to other third parties.[19] These instances clearly fall within the scope of Section 43A, which protects “information related to financial information such as Bank account/ credit card /debit card /other payment instrument details of the users” as sensitive personal data from negligent handling by body corporates. The decisions of the adjudicating officer must be applauded for placing a higher duty of care on banks to protect informational privacy of its customers, given that they are in a position where they ought to be well equipped to deal with intimate financial information and holding them accountable for lack of proper mechanisms to counter bank fraud using stolen information, which reflects in the compensation which the banks have been liable to pay, not only as indemnification for losses, but also punitive damages.[20]

In Nirmalkumar Bhagerwal v IDBI Bank and Meenal Bhagerwal, the sensitive financial information of the complainant, namely, the bank statement, had been accessed by the complainants wife. In holding the bank to be liable for divulging the same, and that access to personal information by a spouse is also covered under S.43A, the officer seems to have imputed the loss of privacy on account of such negligence as ‘wrongful loss’ which deserves compensation. One anomalous decision of the officer was where the operator of an ATM was held liable for fraudulent credit card transactions in that Machine, due to “reasonable security practices” such as security personnel or CCTV footage, and therefore causing the loss of “sensitive personal data”. However, it is difficult to see how ATM operators can be held liable for failing to protect sensitive information from being divulged, when the case is simply of a person fraudulently using a credit card.

Another class of cases, generally linked with the above cases, is complaints against cell phone providers for divulging information through falsely procured Sim Cards. In such instances, the officer has held that by negligently allowing the issuance of duplicate sim cards, the phone company has led to the access of sensitive personal data and thus caused wrongful loss to the complainant. This interpretation of Section 43A is somewhat confusing. The officer seems to have interpreted the provisions of Section 43A to include carriers of the information which was originally sent through the computer resource of the banking companies. In this way, they are imputed the status of “handlers” of sensitive personal information, and their communications infrastructure through which the information is sent is the “computer resource” which it operates for the purpose of the Act. Therefore, through their negligence, they are abetting the offence under 43A.[21]

For example, in the case of Sanjay Govind Dhandhe v ICICI and Vodafone, the officer remarked that –“A SIM card is a veritable key to person’s sensitive financial and personal information. Realizing this, there are clear guidelines issued by the DOT regarding the issuance of SIM cards. The IT Act also intends to ensure that electronic personal and sensitive data is kept secured and reasonable measures are used to maintain its confidentiality and integrity. It is extremely crucial that Telecom companies actively follow strict security procedures while issuing SIM cards, especially in wake of the fact that mobiles are being increasingly used to undertake financial transactions. In many a case brought before me, financial frauds have been committed by fraudsters using the registered mobile numbers of the banks’ account holders.” Therefore, intermediaries such as telecom companies, which peripherally handle the data, are also liable under the same standards for ensuring its privacy. The adjudicating officer has also held telephone companies liable for itemized phone bills as Call Data Records negligently divulged by them, which again clearly falls under the scope of the Reasonable Security Practices Rules.[22]

Note:

"Credentek v Insolutions (http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_Credentek_Vs_Insolutions-28012014.pdf) . This case holds that banks and the National Payments Corporation of India were liable under S. 43A for divulging information relating to transactions by their customers to a software company which provides services to these banks using the data, without first making them sign non-disclosure agreements. The NCPI was fined a nominal amount of Rs. 10,000."

[1]. Section 46, Information Technology Act, 2000.

[2]. Section 48 and 49 of the Information Technology Act, 2000 (Amended as of 2008).

[3]. Section 62, IT Act. However, The High Court may extend this period if there was sufficient cause for the delay.

[4]. S. 46(3), Information Technology Act, “No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and Legal or Judicial experience as may be prescribed by the Central Government.”

[5]. From whatever data is available, the adjudicating officers in the states of Maharashtra, New Delhi, Haryana, Tamil Nadu and Karnataka are all secretaries to the respective state departments relating to IT.

[6]. See http://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication-maharashtra; Also see the decision of the Karnataka adjudicating officer which held that body corporates are not persons under S.43 of the IT Act, and thus cannot be liable for compensation or even criminal action for offences under that Section, available at http://www.naavi.org/cl_editorial_13/adjudication_gpl_mnv.pdf.

[7]. Maharashtra Leads in War Against Cyber Crime, The Times of India, available at http://timesofindia.indiatimes.com/city/mumbai/Maharashtra-leads-in-war-against-cyber-crime/articleshow/30579310.cms. (18^th February, 2014).

[8]. https://it.maharashtra.gov.in/1089/IT-Act-Judgements

[9]. http://www.tn.gov.in/documents/atoz/J

[10]. http://www.delhi.gov.in/wps/wcm/connect/DoIT_IT/doit_it/it+home/orders+of+adjudicating+officer

[11]. http://haryanait.gov.in/cyber.htm

[12]. Bangalore Likely to host southern chapter of Cyber Appellate Tribunal, The Hinduk http://www.thehindu.com/news/national/karnataka/bangalore-is-likely-to-host-southern-chapter-of-cyber-appellate-tribunal/article3381091.ece (2^nd May, 2013).

[13]. http://catindia.gov.in/Judgement.aspx

[14]. Section 61 of the IT Act – ‘No court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act. Provided that the court may exercise jurisdiction in cases where the claim for injury or damage suffered by any person exceeds the maximum amount which can be awarded under this Chapter.’

[15]. Section 43A, Information Technology Act, 2000 – ‘Compensation for failure to protect data (Inserted vide ITAA 2006) Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. (Change vide ITAA 2008)

Explanation: For the purposes of this section (i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities (ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. (iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

[16]. Draft Reasonable Security Practices Rules under Section 43A of the IT Act, available at http://www.huntonfiles.com/files/webupload/PrivacyLaw_Reasonable_Security_Practices_Sensitive_Personal_Information.pdf.

[17]. Ravindra Gunale v Bank of Maharashtra, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_20022013.PDF. Ram Techno Pack v State Bank of India, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RamTechno_Vs_SBI-22022013.pdf.

Srinivas Signs v IDBI, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SreenivasSigns_Vs_IDBI-18022014.PDF.

Raju Dada Raut v ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf

Pravin Parkhi v SBI Cards, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_PravinParkhi_Vs_SBICardsPayment-30122013.PDF.

[18]. Sourabh Jain v ICICI, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SourabhJain_Vs_ICICI&Idea-22022013.PDF.

[19]. Poona Automobiles v Punjab National Bank, https://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_PoonaAuto_Vs_PNB-22022013.PDF

[20]. Amit Patwardhan v Bank of Baroda, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudicaton_AmitPatwardhan_Vs_BankOfBaroda-30122013.PDF.

[21]. Ravindra Gunale v Bank of Maharashtra, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_20022013; Raju Dada Raut v ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf.

[22]. Rohit Maheshwari v Vodafone, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RohitMaheshwari_Vs_Vodafone&ors-04022014.PDF.

For more details visit https://cis-india.org/internet-governance/blog/review-of-functioning-of-cyber-appellate-tribunal-and-adjudicatory-officers-under-it-act

Content Removal on Facebook — A Case of Privatised Censorship?

jessie — 2014-06-16T05:23:09Z

Any activity on Facebook, be it creating an account, posting a picture or status update or creating a group or page, is bound by Facebook’s Terms of Service and Community Guidelines. These contain a list of content that is prohibited from being published on Facebook which ranges from hate speech to pornography to violation of privacy.

Facebook removes content largely on the basis of requests either by the government or by other users. The Help section of Facebook deals with warnings and blocking of content. It says that Facebook only removes content that violates Community Guidelines and not everything that has been reported.

I conducted an experiment to primarily look at Facebook’s process of content removal and also to analyse what kind of content they actually remove.

I put up a status which contained personal information of a person on my Friend List (the information was false). I then asked several people (including the person about whom the status was made) to report the status — that of being harassed or for violation of privacy rights. Seven people reported the status. Within half an hour of the reports being made, I received the following notification:
"Someone reported your post for containing harassment and 1 other reason."

The notification also contained the option to delete my post and said that Facebook would look into whether it violated their Community Guidelines.

A day later, all those who had reported the status received notifications stating the following:

"We reviewed the post you reported for harassment and found it doesn't violate our Community Standards."

I received a similar notification as well.
I, along with around thirteen others, reported a Facebook page which contained pictures of my friend and a few other women with lewd captions in various regional languages. We reported the group for harassment and bullying and also for humiliating someone we knew. The report was made on 24 March, 2014. On 30 April, 2014, I received a notification stating the following:

"We reviewed the page you reported for harassment and found it doesn't violate our Community Standards.

Note: If you have an issue with something on the Page, make sure you report the content (e.g. a photo), not the entire Page. That way, your report will be more accurately reviewed."

I then reported each picture on the page for harassment and received a series of notifications on 5 May, 2014 which stated the following:

"We reviewed the photo you reported for harassment and found it doesn't violate our Community Standards."

These incidents are in stark contrast with repeated attempts by Facebook to remove content which it finds objectionable. In 2013, a homosexual man’s picture protesting against the Supreme Court judgment in December was taken down. In 2012, Facebook removed artwork by a French artist which featured a nude woman. In the same year, Facebook removed photographs of a child who was born with defect and banned the mother from accessing Facebook completely. Facebook also removed a picture of a breast cancer survivor who posted a picture of a tattoo that she had following her mastectomy. Following this, however, Facebook issued an apology and stated that mastectomy photographs are not in violation of their Content Guidelines. Even in the sphere of political discourse and dissent, Facebook has cowered under government pressure and removed pages and content, as evidenced by the ban on the progressive Pakistani band Laal’s Facebook page and other anti-Taliban pages. Following much social media outrage, Facebook soon revoked this ban. These are just a few examples of how harmless content has been taken down by Facebook, in a biased exercise of its powers.

After incidents of content removal have been made public through news reports and complaints, Facebook often apologises for removing content and issues statements that the removal was an “error.” In some cases, they edit their policies to address specific kinds of content after a takedown (like the reversal of the breastfeeding ban).

On the other hand, however, Facebook is notorious for refusing to take down content that is actually objectionable, partially evidenced by my own experiences listed above. There have been complaints about Facebook’s refusal to remove misogynistic content which glorifies rape and domestic violence through a series of violent images and jokes. One such page was removed finally, not because of the content but because the administrators had used fake profiles. When asked, a spokesperson said that censorship “was not the solution to bad online behaviour or offensive beliefs.” While this may be true, the question that needs answering is why Facebook decides to draw these lines only when it comes to certain kinds of ‘objectionable’ content and not others.

All of these examples represent a certain kind of arbitrariness on the part of Facebook’s censorship policies. It seems that Facebook is far more concerned with removing content that will cause supposed public or governmental outrage or defy some internal morality code, rather than protecting the rights of those who may be harmed due to such content, as their Statement of Policies so clearly spells out.

There are many aspects of the review and takedown process that are hazy, like who exactly reviews the content that is reported and what standards they are made to employ. In 2012, it was revealed that Facebook outsourced its content reviews to oDesk and provided the reviewers with a 17-page manual which listed what kind of content was appropriate and what was not. A bare reading of the leaked document gives one a sense of Facebook’s aversion to sex and nudity and its neglect of other harm-inducing content like harassment through misuse of content that is posted and what is categorised as hate speech.

In the process of monitoring the acceptability of content, Facebook takes upon itself the role of a private censor with absolutely no accountability or transparency in its working. A Reporting Guide was published to increase transparency in its content review procedures. The Guide reveals that Facebook provides for an option where the reportee can appeal the decision to remove content in “some cases.” However, the lack of clarity on what these cases are or what the appeal process is frustrates the existence of this provision as it can be misused. Additionally, Facebook reserves the right to remove content with or without notice depending upon the severity of the violation. There is no mention of how severe is severe enough to warrant uninformed content removal. In most of the above cases, the user was not notified that their content was found offensive and would be liable for takedown. Although Facebook publishes a transparency report, it only contains a record of takedowns following government requests and not those by private users of Facebook. The unbridled nature of the power that Facebook has over our personal content, despite clearly stating that all content posted is the user’s alone, threatens the freedom of expression on the site. A proper implementation of the policies that Facebook claims to employ is required along with a systematic record of the procedure that is used to remove content that is in consonance with natural justice.

For more details visit https://cis-india.org/internet-governance/blog/content-removal-on-facebook

Access To Knowledge (A2K)

Privacy and Surveillance Roundtable

Background and Context to the Roundtables

Information about the Roundtables

The Report of the Group of Experts on Privacy

The Draft CIS Citizens Privacy (Protection) Bill 2013

The International Principles on the Application of Human Rights to Communication Surveillance

Tentative Agenda

Resources

Report on ICANN 50

PMA Policy and COAI Recommendations

Introduction

International and Domestic Response to the Policy

IANA Transition: Suggestions for Process Design

Introduction:

Issues and Recommendations:

Open, inclusive deliberation by global stakeholders must define the Scope of the Process for developing proposal for IANA transition:

Accountability of ICANN must be linked to IANA Transition within Scope of the Process:

Misuse or appearance of misuse of its convenor role by ICANN to influence outcome of the Process must not be allowed:

Components of Diversity Principle should be clearly enunciated in the Draft Proposal:

The Co-ordination Group must be made representative of the global multistakeholder community:

Framing of the Proposal must allow adequate time:

CIS Policy Brief: IANA Transition Fundamentals & Suggestions for Process Design

Short Introduction:

CIS Policy Brief:

Suggestions for Process Design

Short Introduction:

CIS Policy Brief:

Understanding IANA Stewardship Transition

NTIA Announcement and ICANN-convened Processes:

What are the IANA Functions?

Import of the NTIA Announcement:

What does the NTIA Announcement NOT DO?

Commonwealth Domain Name System Forum 2014

WSIS+10 High Level Event: A Bird's Eye Report

The High Level Track:

The High Level Dialogues:

The Forum Track:

Conclusion:

Privacy and Surveillance Roundtable

Background and Context to the Roundtables

Information about the Roundtables

The Report of the Group of Experts on Privacy

The Draft CIS Citizens Privacy (Protection) Bill 2013

The International Principles on the Application of Human Rights to Communication Surveillance

Tentative schedule for the Roundtables:

Resources

UN Human Rights Council urged to protect human rights online

Civil Society Statement:

Research Advisory Network Meeting

Hosting of the Event

Meeting Participant List

Research Advisory Network Committees

Special Guests

OECD Staff

Commission Secretariat

Research Advisory Network Biographies

Vodafone Report Explains Government Access to Customer Data

Direct Government Access

Data Organization

Data Construction

Vodaphone’s Statistics

India and the Reports

Conclusion

Multi-stakeholder Models of Internet Governance within States: Why, Who & How?

A Short Introduction

Rationale: Why Have National IG bodies?

Stakeholders: Populating a national IG body

Processes: Creating effective national IG bodies

A Review of the Functioning of the Cyber Appellate Tribunal and Adjudicatory Officers under the IT Act

Functioning of the Offices of the State Adjudicating Officers and the Cyber Appellate Tribunal

Analysis of Cases Filed under Section 43A

Content Removal on Facebook — A Case of Privatised Censorship?