We are anonymous, we are legion

Internet's Core Resources are a Global Public Good - They Cannot Remain Subject to One Country's Jurisdiction

vidushi — 2016-11-14T06:39:52Z

This statement was issued by 8 India civil society organizations, supported by 2 key global networks, involved with internet governance issues, to the meeting of ICANN in Hyderabad, India from 3 to 9 November 2016. The Centre for Internet & Society was one of the 8 organizations that drafted this statement.

Recently, the US gave up its role of signing entries to the Internet's root zone file, which represents the addressing system for the global Internet. This is about the Internet addresses that end with .com, .net, and so on, and the numbers associated with each of them that help us navigate the Internet. We thank and congratulate the US government for taking this important step in the right direction. However, the organisation that manages this system, ICANN,[1] a US non-profit, continues to be under US jurisdiction, and hence subject to its courts, legislature and executive agencies. Keeping such an important global public infrastructure under US jurisdiction is expected to become a very problematic means of extending US laws and policies across the world.

We the undersigned therefore appeal that urgent steps be taken to transit ICANN from its current US jurisdiction. Only then can ICANN become a truly global organisation.[2] We would like to make it clear that our objection is not directed particularly against the US; we are simply against an important global public infrastructure being subject to a single country's jurisdiction.

Domain name system as a key lever of global control
A few new top level domains like .xxx and .africa are already under litigation in the US, whereby there is every chance that its law could interfere with ICANN's (global) policy decisions. Businesses in different parts of the world seeking top level domain names like .Amazon, and, hypothetically, .Ghaniancompany, will have to be mindful of de facto extension of US jurisdiction over them. US agencies can nullify the allocation of such top level domain names, causing damage to a business similar to that of losing a trade name, plus losing all the 'connections', including email based ones, linked to that domain name. For instance, consider the risks that an Indian generic drugs company, say with a top level domain, .genericdrugs, will remain exposed to.

Sector specific top level domain names like .insurance, health, .transport, and so on, are emerging, with clear rules for inclusion-exclusion. These can become de facto global regulatory rules for that sector. .Pharmacy has been allocated to a US pharmaceutical group which decides who gets domain names under it. Public advocacy groups have protested [3] that these rules will be employed to impose drugs-related US intellectual property standards globally. Similar problematic possibilities can be imagined in other sectors; ICANN could set “safety standards”, as per US law, for obtaining .car.

Country domain names like .br and .ph remain subject to US jurisdiction. Iran's .ir was recently sought to be seized by some US private parties because of alleged Iranian support to terrorism. Although the plea was turned down, another court in another case may decide otherwise. With the 'Internet of Things', almost everything, including critical infrastructure, in every country will be on the network. Other countries cannot feel comfortable to have at the core of the Internet’s addressing system an organisation that can be dictated by one government.

ICANN must become a truly global body
Eleven years ago, in 2005, the Civil Society Internet Governance Caucus at the World Summit on the Information Society demanded that ICANN should “negotiate an appropriate host country agreement to replace its California Incorporation”.

A process is currently under-way within ICANN to consider the jurisdiction issue. It is important that this process provides recommendations that will enable ICANN to become a truly global body, for appropriate governance of very important global public goods.

Below are some options, and there could be others, that are available for ICANN to transit from US jurisdiction.

ICANN can get incorporated under international law. Any such agreement should make ICANN an international (not intergovernmental) body, fully preserving current ICANN functions and processes. This does not mean instituting intergovernmental oversight over ICANN.
ICANN can move core internet operators among multiple jurisdictions, i.e. ICANN (policy body for Internet identifiers), PTI [4] (the operational body) and the Root Zone Maintainer must be spread across multiple jurisdictions. With three different jurisdictions over these complementary functions, the possibility of any single one being fruitfully able to interfere in ICANN's global governance role will be minimized.
ICANN can institute a fundamental bylaw that its global governance processes will brook no interference from US jurisdiction. If any such interference is encountered, parameters of which can be clearly pre-defined, a process of shifting of ICANN to another jurisdiction will automatically set in. A full set-up – with registered HQ, root file maintenance system, etc – will be kept ready as a redundancy in another jurisdiction for this purpose. [5] Chances are overwhelming that given the existence of this bylaw, and a fully workable exit option being kept ready at hand, no US state agency, including its courts, will consider it meaningful to try and enforce its writ. This arrangement could therefore act in perpetuity as a guarantee against jurisdictional interference without actually having ICANN to move out of the US.
The US government can give ICANN jurisdictional immunity under the United States International Organisations Immunities Act . There is precedent of US giving such immunity to non-profit organisations like ICANN. [6] Such immunity must be designed in such a way that still ensures ICANN's accountability to the global community, protecting the community's enforcement power and mechanisms. Such immunity extends only to application of public law of the US on ICANN decisions and not private law as chosen by any contracting parties. US registries/registrars, with the assent of ICANN, can choose the jurisdiction of any state of the US for adjudicating their contracts with ICANN. Similarly, registries/registrars from other countries should be able to choose their respective jurisdictions for such contracts.

We do acknowledge that, over the years, there has been an appreciable progress in internationalising participation in ICANN's processes, including participation from governments in the Governmental Advisory Committee. However, positive as this is, it does not address the problem of a single country having overall jurisdiction over its decisions.

Issued by the following India based organisation:

Centre for Internet and Society, Bangalore
IT for Change, Bangalore
Free Software Movement of India, Hyderabad
Society for Knowledge Commons, New Delhi
Digital Empowerment Foundation, New Delhi
Delhi Science Forum, New Delhi
Software Freedom Law Centre - India, New Delhi
Third World Network - India, New Delhi

Supported by the following global networks:

Association For Progressive Communications
Just Net Coalition

For any clarification or inquiries you may may write to or call:

Parminder Jeet Singh: parminder@itforchange.net +91 98459 49445, or
Vidushi Marda: vidushi@cis-india.org +91 99860 92252

[1] Internet Corporation for Assigned Names and Numbers

[2] The “NetMundial Multistakeholder Statement” , endorsed by a large number of governments and other stakeholders, including ICANN and US government, called for ICANN to become a “truly international and global organization”.

[3] See, https://www.techdirt.com/articles/20130515/00145123090/big-pharma-firms-seeking-pharmacy-domain-to-crowd-out-legitimate-foreign-pharmacies.shtml

[4] Public Technical Identifier, a newly incorporated body to carry out the operational aspects of managing Internet's identifiers.

[5] This can be at one of the existing non US global offices of ICANN, or the location of one of the 3 non-US root servers. Section 24.1 of ICANN Bylaws say, “The principal office for the transaction of the business of shall be in the County of Los Angeles, State of California, United States of America. may also have an additional office or offices within or outside the United States of America as it may from time to time establish”.

[6] E.g., International Fertilizer and Development Center was designated as a public, nonprofit, international organisation by US Presidential Decree, granting it immunities under United States International Organisations Immunities Act . See https://archive.icann.org/en/psc/corell-24aug06.html

For more details visit https://cis-india.org/internet-governance/blog/internets-core-resources-are-a-global-public-good

ICANN 57

praskrishna — 2016-11-08T01:14:37Z

ICANN 57 is being hosted by the Ministry of Electronics & Information Technology, Government of India from November 3 to 9, 2016 in Hyderabad at Hyderabad International Convention Centre. Vidushi Marda participated in the event as a speaker.

As part of her work for the Cross Community Working Party on ICANN's Corporate and Social Responsibility to Respect Human Rights, Vidushi presented her work on the Human Rights Impact of new gTLD Subsequent Procedures in Hyderabad.

India’s Minister of Law & Justice and Minister of Electronics and Information Technology Ravi Shankar Prasad reiterated India’s commitment to the multistakeholder model during the Opening Ceremony of the Internet Corporation of Assigned Names and Numbers’ (ICANN’s) 57th Public Meeting. The meeting, also known as ICANN57, is taking place in Hyderabad, India, from November 3 – 9, 2016 and has convened thousands of the global Internet community members (both on-site and remotely) to discuss and develop policies related to the Internet’s Domain Name System (DNS). It is hosted by the Ministry of Electronics and Information Technology (MeitY), with support from the Government of Telangana.

ICANN57 is the first post-IANA stewardship transition public meeting and also the first Annual General Meeting under the new Meetings Strategy. ICANN meetings are held three times a year in different regions to enable attendees from around the world to participate in person. These meetings offer a variety of sessions such as workshops, open forums and working meetings on the development and implementation of Internet policies. ICANN meetings offer the best opportunity for face-to-face discussions and exchange of opinions among attendees dedicated to the continued stable and secure operation of the Domain Name System.

For more info about the event, visit the ICANN website.

For more details visit https://cis-india.org/internet-governance/news/icann-57-hyderabad

If the DIDP Did Its Job

asvatha — 2016-11-07T12:57:18Z

Over the course of two years, the Centre for Internet and Society sent 28 requests to ICANN under its Documentary Information Disclosure Policy (DIDP). A part of ICANN’s accountability initiatives, DIDP is “intended to ensure that information contained in documents concerning ICANN's operational activities, and within ICANN's possession, custody, or control, is made available to the public unless there is a compelling reason for confidentiality.”

Through the DIDP, any member of the public can request information contained in documents from ICANN. We’ve written about the process here, here and here. As a civil society group that does research on internet governance related topics, CIS had a variety of questions for ICANN. The 28 DIDP requests we have sent cover a range of subjects: from revenue and financial information, to ICANN’s relationships with its contracted parties, its contractual compliance audits, harassment policies and the diversity of participants in its public forum. We have blogged about each DIDP request where we have summarized ICANN’s responses.

Here are the DIDP requests we sent in:

Dec 2014	Jan/Feb 2015	Aug/Sept 2015	Nov 2015	Apr/May 2016
ICANN meeting expenditure	Revenue from gTLD auction	Implementation of NETmundial principles	IANA transition postponement	Board Governance Committee Reports
Granular revenue statements	Globalisation Advisory Groups	Raw data - Granular income data	Presumptive renewal of registries	Diversity Analysis
ICANN cyber attacks	Organogram	Compliance audits - registries	ICANN-RIR relationship	Compliance audits
Implementation of NETmundial outcome document	Involvement in NETmundial Initiative	Compliance audits - registrars		Harassment policy
Complaints to ICANN ombudsman	RIR contract fees	Registrar abuse contact		DIDP statistics *
		Verisign Contractual violations		gTLD applicant support program
		Contractual auditors		Root Zone Maintenance agreements
		Internal website

ICANN’s responses were analyzed and rated between 0-4 based on the amount of information disclosed. The reasons given for the lack of full disclosure were also studied.

DIDP response rating
0	No relevant information disclosed
1	Very little information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
2	Partial information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
3	Adequate information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
4	All information disclosed

ICANN has defined a set of preconditions under which they are not obligated to answer a request. These preconditions are generously used by ICANN to justify their lack of a comprehensive answer. The wording of the policy also allows ICANN to dodge answering a request if it doesn’t have the relevant documents already in its possession. The responses were also classified by the number of times a particular DIDP condition for non-disclosure was invoked. We will see why these weaken ICANN’s accountability initiatives.

Of the 28 DIDP requests, only 14% were answered fully, without the use of the DIDP conditions of non-disclosure. Seven out of 28 or 40% of the DIDPs received a 0-rated answer which reflects extremely poorly on the DIDP mechanism itself. Of the 7 responses that received 0-rating, 4 were related to complaints and contractual compliance. We had asked for details on the complaints received by the ombudsman, details on contractual violations by Verisign and abuse contacts maintained by registrars for filing complaints. We received no relevant information.

We have earlier written about the extensive and broad nature of the 12 conditions of non-disclosure that ICANN uses. These conditions were used in 24 responses out of 28. ICANN was able to dodge from fully answering 85% of the DIDP requests that they got from CIS. This is alarming especially for an organization that claims to be fully transparent and accountable. The conditions for non-disclosure have been listed in this document and can be referred to while reading the following graph.

On reading the conditions for non-disclosure, it seems like ICANN can refuse to answer any DIDP request if it so wished. These exclusions are numerous, vaguely worded and contain among them a broad range of information that should legitimately be in the public domain: Correspondence, internal information, information related to ICANN’s relationship with governments, information derived from deliberations among ICANN constituents, information provided to ICANN by private parties and the kicker - information that would be too burdensome for ICANN to collect and disseminate.

As we can see from the graph, the most used condition under which ICANN can refuse to answer a DIDP request is F. Predictably, this is the most vaguely worded DIDP condition of the lot: “Confidential business information and/or internal policies and procedures.” It is up to ICANN to decide what information is confidential with no justification needed or provided for it. ICANN has used this condition 11 times in responding to our 28 requests.

It is also necessary to pay attention to condition L which allow ICANN to reject “Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual.” This is perhaps the weakest point in the entire list due its subjective nature. Firstly, on whose standards must this information request be reasonable? If the point of a transparency mechanism is to make sure that information sought by the public is disseminated, should they be allowed to obfuscate information because it is too burdensome to collect? Even if this is fair given the time constraints of the DIDP mechanism, it must not be used as liberally as has been happening. The last sub point is perhaps the most subjective. If a staff member dislikes a particular requestor, this point would justify their refusal to answer a request regardless of its validity. This hardly seems fair or transparent. This condition has been used 9 times in our 28 requests.

Besides the DIDP non-disclosure conditions, ICANN also has an excuse built into the definition of DIDP. Since it is not obliged to create or summarize documents under the DIDP process, it can simply claim to not have the specific document we request and thus negate its responsibility to our request. This is what ICANN did with one of our requests for raw financial data. For our research, we required raw data from ICANN specifically with regard to its expenditure on staff and board members for their travel and attendance at meetings. As an organization that is answerable to multiple stakeholders including governments and the public, it is justified to expect that they have financial records of such items in a systematic manner. However, we were surprised to learn that ICANN does not in fact have these stored in a manner that they can send as attachments or publish. Instead they directed us to the audited financial reports which did little for our research. However, in response to our later request for granular data on revenue from domain names, ICANN explained that while they do not have such a document in their possession, they would create one. This distinction between the two requests seems arbitrary to us since we consider both to be important to public.

Nevertheless, there were some interesting outcomes from our experience filing DIDPs. We learnt that there has been no substantive work done to inculcate the NETmundial principles at ICANN, that ICANN has no idea which regional internet registry contributes the most to its budget, and that it does not store (or is not willing to reveal) any raw financial data. These outcomes do not contribute to a sense of confidence in the organization.

ICANN has an opportunity to reform this particular transparency mechanism at its Workstream 2 discussions. ICANN must make use of this opportunity to listen and work with people who have used the DIDP process in order to make it useful, effective and efficient. To that effect, we have some recommendations from our experience with the DIDP process.

That ICANN does not currently possess a particular document is not an excuse if it has the ability to create one. In its response to our questions on the IANA transition, ICANN indicated that it does not have the necessary documents as the multi stakeholder body that it set up is the one conducting the transition. This is somewhat justified. However, in response to our request for financial details, ICANN must not be able to give the excuse that it does not have a document in its possession. It and it alone has the ability to create the document and in response to a request from the public, it should.

ICANN must also revamp its conditions for non-disclosure and make it tighter. It must reduce the number of exclusions to its disclosure policy and make sure that the exclusion is not done arbitrarily. Specifically with respect to condition F, ICANN must clarify how information was classified as confidential and why that is different from everything else on the list of conditions.

Further, ICANN should not be able to use condition L to outright reject a DIDP request. Instead, there must be a way for the requester and ICANN to come to terms about the request. This could happen by an extension of the 1 month deadline, financial compensation by requester for any expenditure on ICANN’s part to answer the request or by a compromise between the requester and ICANN on the terms of the request. The sub point about requests made “by a vexatious or querulous individual” must be removed from condition L or at least be separated from the condition so that it is clear why the request for disclosure was denied.

ICANN should also set up a redressal mechanism specific to DIDP. While ICANN has the Reconsideration Requests process to rectify any wrongdoing on the part of staff or board members, this is not adequate to identify whether a DIDP was rejected on justifiable grounds. A separate mechanism that deals only with DIDP requests and wrongful use of the non-disclosure conditions would be helpful. According to the icann bylaws, in addition to Requests for Reconsideration, ICANN has also established an independent third party review of allegations against the board and/or staff members. A similar mechanism solely for reviewing whether ICANN’s refusal to answer a DIDP request is justified would be extremely useful.

A strong transparency mechanism must make sure that its objective are to provide answers, not to find ways to justify its lack of answers. With this in mind, we hope that the revamp of transparency mechanisms after workstream 2 discussions leads to a better DIDP process than we are used to.

For more details visit https://cis-india.org/internet-governance/blog/if-the-didp-did-its-job

Workshop on 'Privacy after Big Data' (Delhi, November 12)

sumandro — 2016-11-12T10:14:52Z

The Centre for Internet and Society (CIS) and the Sarai programme, CSDS, invite you to a workshop on 'Privacy after Big Data: What Changes? What should Change?' on Saturday, November 12. This workshop aims to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy. It is an open event. Please register to participate.

Invitation note and agenda: Download (PDF)

Venue and RSVP

Venue: Centre for the Study of Developing Societies 29, Rajpur Road, Civil Lines, Delhi 110054.

Location on Google Maps: https://www.google.com/maps/place/CSDS/@28.677775,77.2162523,17z/.

Registration: Complete this form.

Concept Note

In this age of big data, discussions about privacy are intertwined with the use of technology and the data deluge. Though big data possesses enormous value for driving innovation and contributing to productivity and efficiency, privacy concerns have gained significance in the dialogue around regulated use of data and the means by which individual privacy might be compromised through means such as surveillance, or protected. The tremendous opportunities big data creates in varied sectors ranges from financial technology, governance, education, health, welfare schemes, smart cities to name a few.

With the UID (“Aadhaar”) project re-animating the Right to Privacy debate in India, and the financial technology ecosystem growing rapidly, striking a balance between benefits of big data and privacy concerns is a critical policy question that demands public dialogue and research to inform an evidence based decision.

Also, with the advent of potential big data initiatives like the ambitious Smart Cities Mission under the Digital India Scheme, which would rely on harvesting large data sets and the use of analytics in city subsystems to make public utilities and services efficient, the tasks of ensuring data security on one hand and protecting individual privacy on the other become harder.

As key privacy principles are at loggerheads with big data activities, it is important to consider privacy as an embedded component in the processes, systems and projects, rather than being considered as an afterthought. These examples highlight the current state of discourse around data protection and privacy in India and the shapes they are likely to take in near future.

This workshop aims to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy.

Agenda

09:00-09:30 Tea and Coffee

09:30-10:00 Introduction

Mr. Amber Sinha and Mr. Sandeep Mertia
This session will introduce the topic of the workshop in the context of the ongoing works at CIS and Sarai.

10:00-11:00 From Privacy Bill(s) to ‘Habeas Data’

Dr. Usha Ramanathan and Mr. Vipul Kharbanda
This session will present a brief history of the privacy bill(s) in India and end with reflections on ‘habeas data’ as a lens for thinking and actualising privacy after big data.

11:00-11:30 Tea and Coffee

11:30-12:30 Digital ID, Data Protection, and Exclusion

Ms. Amelia Andersdotter and Mr. Srikanth Lakshmanan
This session will discuss national centralised digital ID systems, often operating at a cross-functional scale, and highlight its implications for discussions on data protection, welfare governance, and exclusion from public and private services.

12:30-13:30 Digital Money and Financial Inclusion

Dr. Anupam Saraph and Ms. Astha Kapoor
This session will focus on the rise of digital banking and online payments as core instruments of financial inclusion in India, especially in the context of the Jan Dhan Yojana and UPI, and reflect on the concerns around privacy and financial data.

13:30-14:30 Lunch

14:30-15:30 Big Data and Mass Surveillance

Dr. Anja Kovacs and Mr. Matthew Rice
This session will reflect on the rise of mass communication surveillance across the world, and the evolving challenges of regulating il/legal surveillance by government agencies.

15:30-16:15 Privacy is (a) Right

Mr. Apar Gupta and Ms. Kritika Bhardwaj
This brief session is to share initial ideas and strategies for articulating and actualising a constitutional right to privacy in India.

16:15-16:30 Tea and Coffee

16:30-17:30 Round Table

An open discussion session to conclude the workshop.

Speakers

Mr. Amber Sinha

Amber works on issues surrounding privacy, big data, and cyber security. He is interested in the impact of emerging technologies like artificial intelligence and learning algorithms on existing legal frameworks, and how they need to evolve in response. Amber studied humanities and law at National Law School of India University, Bangalore.

E-mail: amber at cis-india dot org.

Twitter: @ambersinha07.

Ms. Amelia Andersdotter

Amelia Andersdotter has been a Member of the European Parliament. She works on practical implications of data protection laws and consumer information security in Sweden, and digital rights in the Europe in general. Presently she is residing in Bangalore, where she is a visiting scholar with Centre for Internet and Society. She holds a BSc in Mathematics.

URL: https://dataskydd.net.

Twitter: @teirdes.

Dr. Anja Kovacs

Dr. Anja Kovacs directs the Internet Democracy Project in Delhi, India, which works for an Internet that supports free speech, democracy and social justice in India and beyond. Anja’s research and advocacy focuses especially on questions regarding freedom of expression, cybersecurity and the architecture of Internet governance. She has been a member of the of the Investment Committee of the Digital Defenders Partnership and of the Steering Committee of Best Bits, a global network of civil society members. She has also worked as an international consultant on Internet issues, including for the Independent Commission on Multilateralism, the United Nations Development Programme Asia Pacific and the UN Special Rapporteur on Freedom of Expression, Mr. Frank La Rue, as well as having been a Fellow at the Centre for Internet and Society in Bangalore, India.

Internet Democracy Project: https://internetdemocracy.in.

Twitter: @anjakovacs.

Dr. Anupam Saraph

Anupam Saraph has extensively researched India's UID number that has been widely regarded as the game changer in development programs. It has come to be linked with both public and private databases and become the requirement for access to entitlements, benefits, services and rights. Dr. Saraph, who has the design of at least two identification programs to his credit has researched the UID’s functional creep since its inception.

He has been dissecting the myths of what the UID is or is not. He has also tracked the consequences of its linkages on databases that protect national security, sovereignty, democratic status and the entire banking and money system in India. He has also highlighted the implications of its use for targeted delivery of cash subsidies from the Consolidated Fund of India. He has written and lectured widely about the devastating impact of the UID number on development programs, national security and the governability of India.

As a Professor of Systems, Governance and Decision Sciences, Environmental Systems and Business he mentors students and teaches systems, information systems, environmental systems and sustainable development at universities in Europe, Asia and the Americas. He has worked with the Rensselaer Polytechnic Institute, Rijksuniversitiet Groningen, RIVM, University of Edinburgh, Resource Use Institute, Systems Research Institute among others. Dr. Saraph has had the unique distinction of being India’s only person who has held the only office of a City CIO in India, in a PPP arrangement with government, industry and himself. He has also been the first e-governance Advisor to a State government. Dr. Saraph has held CxO and ministerial level positions and serves as an independent director on the boards of Public and Private Sector companies and NGOs. He is also the President of the Nagrik Chetna Manch, an NGO charged with the mission to bring accountability in governance.

Dr. Saraph is also actively engaged in civil society where he participates in several environmental, resource and nature conservation initiatives, has authored draft legislations for river and natural resource conservation, right to good governance and has contributed to governance, election and democratic reforms. Dr. Saraph is a regular columnist in newspapers and writes on issues of governance, future design, technology and education from a systems perspective.

As a future designer and recognized as a global expert on complex systems he helps individuals and organisations understand and design the future of their worlds. Together they address the toughest challenges, accomplish missions and achieve business goals. He also supports building capacity to address the challenges of today as well as to build future designs through teams and effective leadership. Since the eighties Dr. Saraph has modeled complex systems of cities, countries, regions and even the planet. His models have been awarded internationally and even placed in 10-year permanent exhibitions.

Dr Saraph works with business and government executives, civil society leaders, politicians, generals, civil servants, police, trade unionists, community activists, United Nations and ASEAN officials, judges, writers, media, architects, designers, technologists, scientists, entrepreneurs, board members and business leaders of small, mid and large single and trans-national companies, religious leaders and artists across a dozen countries and various industry sectors to help them and their organisations succeed in their missions. He advises the World Economic Forum through its Global Agenda Council for Complex Systems and the Club of Rome, Indian National Association as a founder life member.

Dr Saraph holds a PhD in designing sustainable systems from the faculty of Mathematics and Natural Sciences of the Rijksuniversiteit Groningen, the Netherlands.

Website: http://anupam.saraph.in.

Twitter: @anupamsaraph.

Mr. Apar Gupta

Apar Gupta practices law in Delhi. He is also one of the co-founders of the Internet Freedom Foundation. His work and writing on public interest issues can be accessed at his personal website www.apargupta.com.

Twitter: @aparatbar.

Ms. Astha Kapoor

Astha Kapoor is a public policy strategy consultant working on financial inclusion and digital payments. Currently, she is working with MicroSave. Her tasks involve a focus on government to people (G2P) payments - and her work spans strategy, advisory and evaluation with the DBT Mission, Office of the Chief Economic Advisor, NITI Aayog and ministries pertaining to food, fuel and fertilizer. She recently designed a pilot to digitize uptake of fertilizers in Krishna district, and evaluated the newly introduced coupon system in the Public Distribution System in Bengaluru.

Twitter: @kapoorastha.

Ms. Kritika Bhardwaj

Kritika Bhardwaj works as a Programme Officer at the Centre for Communication Governance (CCG), National Law University, Delhi. Her main areas of research are privacy and data protection. At CCG, she has written about the privacy implications of several contemporary issues such as Aadhaar (India's unique identification project), cloud computing and the right to be forgotten. A lawyer by training, Kritika has a keen interest in information law and human rights law.

Centre for Communication Governance, NLU Delhi: http://ccgdelhi.org.

Twitter: @Kritika12.

Mr. Matthew Rice

Matthew Rice is an Advocacy Officer at Privacy International working across the organisation engaging with international partners and strengthening their capacity on communications surveillance issues. He has previously worked at Privacy International as a consultant building the Surveillance Industry Index, the largest publicly available database on the private surveillance sector ever assembled. Matthew graduated from University of Aberdeen with an LLB (Hons.) and also has an MA in Human Rights from University College London.

Privacy International: https://privacyinternational.org.

Twitter: @mattr3.

Mr. Sandeep Mertia

Sandeep Mertia is a Research Associate at The Sarai Programme, Centre for the Study of Developing Societies, Delhi. He is an ICT engineer by training with research interests in Science & Technology Studies, Software Studies and Anthropology. He is conducting an ethnographic study of emerging modes of data-driven knowledge production in the social sector.

Sarai: http://sarai.net.

Twitter: @SandeepMertia.

Academia: https://daiict.academia.edu/SandeepMertia.

Mr. Srikanth Lakshmanan

Srikanth is a software professional with interests in Internet, follower of Internet policy discussions, volunteers for multiple online campaigns related to Internet. He is also fascinated by FOSS, opendata, localization, Wikipedia, maps, public transit, civic tech and occasionally contributes to them.

Site: http://www.srik.me.

Twitter: @logic.

Mr. Vipul Kharbanda

Vipul Kharbanda is a consultant with the Center for Internet and Society, Bangalore. After finishing his BA.LLB.(Hons.) from National Law School of India University in Bangalore, he worked for India’s largest corporate law firm for two and a half years in their Mumbai office for two years working primarily on the financing of various infrastructure projects such as Power Plants, Roads, Airports, etc. Since quitting his corporate law job, Vipul has been working as the Associate Editor in a legal publishing house which has been publishing legal books and journals for the last 90 years in India. He has also been involved with the Center for Internet and Society as a Consultant working primarily on issues related to privacy and surveillance.

For more details visit https://cis-india.org/internet-governance/events/privacy-after-big-data-delhi-nov-12-2016

Workshop on Democratic Accountability in the Digital Age (Delhi, November 14-15)

sumandro — 2016-12-15T09:27:22Z

IT for Change, along with Centre for Internet and Society (CIS), Digital Empowerment Foundation (DEF), Mazdoor Kisan Shakti Sangathan (MKSS) and National Campaign for People’s Right to Information (NCPRI), is organising a two day workshop on ‘Democratic Accountability in the Digital Age’. The workshop will focus on evolving a comprehensive policy approach to data based governance and digital democracy, grounded in a rights and social justice framework. It will be held at the United Service Institution of India, Delhi, during November 14-15, 2016. The CIS team to participate in the workshop includes Sumandro Chattapadhyay (speaker), Amber Sinha (speaker), Vanya Rakesh (participant), and Himadri Chatterjee (participant).

The workshop aims to:

Discuss the institutional norms, rules and practices appropriate to the rise of ‘governance by networks’ and ‘rule by data’ that can guarantee democratic accountability and citizen participation, and
Articulate the steps to claim the civic-public value of digital technologies so that data and the new possibilities for networking are harnessed for a vibrant grassroots democracy.

We hope the workshop can create a civil society coalition that can build effective strategies for legal and policy reform to further participatory democracy in the digital age. On the first day, the workshop will set the context through knowledge sharing and thematic presentations and discussions. On the second day, we aim to concretize strategies for collective action to further democratic accountability in the digital age.

Workshop Agenda (PDF)

Background Note (ODT)

For more details visit https://cis-india.org/internet-governance/events/workshop-on-democratic-accountability-in-the-digital-age-delhi-november-14-15

Behind Modi’s Heartwarming Diwali Ad for Soldiers, An App That’s Primed for Political Messaging

praskrishna — 2016-10-30T07:33:57Z

The campaign, which allows users to send Modi quotes on themes like Ayodhya and the perfidy of the Opposition, raises questions about the boundaries between government, party and personal promotion.

The article by Sangeeta Barooah Pisharoty was published in the Wire on October 29, 2016. Sunil Abraham was quoted.

On October 22, Prime Minister Narendra Modi launched a public campaign, Sandesh2Soldiers, urging the people to be a part of it. The prime minister prodded people to express their gratitude to soldiers guarding the borders through the campaign by sending them personalised messages on the occasion of Diwali.

Such messages can be sent through the Narendra Modi mobile app, the “official app of the prime minister”, or by logging on to www.mygov.in, a central government platform launched by the prime minister in 2014 to facilitate participatory governance by engaging the public. One can also send a message by recording it after dialing a 10-digit number – which would then be aired by All India Radio (AIR).

Media reports said a special module had been created within the mobile app to not only enable people to send text messages to soldiers but also to upload handwritten letters, decorated cards and videos to them expressing their Diwali wishes and feelings for the armed forces.

A special video that carried Modi’s appeal to the public to send messages to the armed forces was shared on social media along with a few other videos to promote the prime minister’s idea. One such video features a child sending a ‘thank you rocket’ to soldiers for defending the nation under hostile circumstances. That the call to send a personal message has come from the prime minister has upped the profile of this campaign.

Bollywood stars like Akshay Kumar, Aamir Khan and Salman Khan, and cricketers such as Virat Kohli, Virendra Sehwag and Mohammad Kaif have also posted their messages to soldiers on Twitter by using the prime minister’s campaign hashtag #Sandesh2Soldiers. Many Bharatiya Janata Party (BJP) politicians and ministers have also joined in.

As per a tweet by AIR on October 26, “Around 9,800 persons sent their good wishes to jawans of security forces so far during this festive season”. Last checked, www.mygov.in, run by the National Informatics Centre under the the Ministry of Electronics and Information Technology, showed 13,000 messages and video uploads recorded. The number is going up by the minute.

While the registration requirement at the government’s www.mygov.in portal only requires the sender to provide her or his name and e-mail address to be able to send a message or upload a video – a usual cyber safety procedure – those who want to use the Modi app for the purpose will have to do more: they will first have to agree to be personally profiled by the prime minister’s “official” mobile application.

Personally identifiable information

This is how things work: to register oneself through the app and send a message, a user not only has to disclose her name, mobile number and email address but also profession, the state and the district she belongs to, her voter identification card number, specific areas of interests and a personal description within “500 characters”.

This has left many potential senders and experts flummoxed. Why does a citizen, in order to express her gratitude to the armed forces on the occasion of Diwali at the call of her prime minister need to share additional information with the app, which amounts to profiling? At a time when the Supreme Court is hearing a bunch of petitions on the mandatory use of Aadhar cards by the government, some of which deal with issues of privacy and the possible misuse of the collected data, this is a relevant question.

“There was absolutely no need for the app to ask for additional information from a user just to send a message to the armed forces. As far as the additional information sought from a user is concerned, it allows the data collector to build a profile of the user but it is not profiling in the modern big data sense wherein multiple data sources are combined to create a complete profile of the data subject,” says Sunil Abraham, director of the Bangalore-based Centre for Internet and Society.

Abraham adds, “There is no guarantee that the data collected (through the app) won’t be used illegally by some commercial enterprise, etc. because our data protection law, Section 43A of the Information and Technology Act, doesn’t apply to the state but only to the private sector. In other words, if the personal information is shared with the government, then it is perfectly legal for the government to disclose the personal information to other government or commercial entities.”

Unlike the MyGov portal, where a user can type or upload a message, the Narendra Modi mobile app also automatically adds a quote from the prime minister below the one typed by the user. It expresses the prime minister’s pride over “the indomitable valour and supreme sacrifice of our armed forces etched in the memory of every Indian”.

The prime minister launched his official mobile app in August last year at a function reportedly organised by MyGov, thus making him the first prime minister to have a mobile app named after him. Designed by a team of six students from Delhi Technical University after winning a two-phased contest launched by MyGov in March last year, the app has been described as “a one-stop destination for knowing about all the latest day-to-day activities of the prime minister.”As per media reports, the app would correspond to the prime minister’s official website, www.pmindia.gov.in.

Obviously then, information on how to access the app and take part in the campaign have been publicised through his portal, www.pmindia.gov.in.

This raises another question. Even though www.pmindia.gov.in is not directly accepting public messages for the armed forces but is only promoting the campaign and giving information on how to download the mobile app for it (thereby proving that it corresponds to the app), it does direct an interested user to the prime minister’s personal website, www.narendramodi.in on clicking its publicity window designed for the campaign.

The user can then download the Modi app from his personal website, which was used extensively during the run-up to the 2014 parliamentary elections by Modi to reach out to voters. So the app not only corresponds to the official website of the prime minister but also with his personal website through the official website. Curiously, it is not possible to access the app from the MyGov portal even though the entity under the Ministry of Electronics and Information launched the app at a function on August 6 in New Delhi reportedly organised by it.

Thus, while the app that seemed to have been developed and launched by a government department can’t be accessed directly through a government portal, it can be accessed through the prime minister’s personal portal. Also, features in the app like “forget password” are handled by his personal website, which communicates with an app user as its “Admin”.

So who runs the app? Is it not the official app of the prime minister of the country? Who owns it? Is it his personal app that he considers “official”? These are questions to which answers are not easily available.

No answers

The Wire made multiple attempts to get an official response, both from the government and the BJP Cyber Cell, about these queries but failed to get an answer. The Wire also failed to get any official clarification to why the app seeks personal details of a user to just send messages to the armed forces.

Calls and text messages to the social media cell of the Press Information Bureau (PIB) – the government’s media interface in the digital space – the office of Anurag Jain, listed in the www.pmindia.gov.in as the “web information office”, and to MyGov, which launched the app at the second anniversary function of the Modi government on August 6 last year in New Delhi, failed to receive a reply. All that a PIB official was willing to say on condition of anonymity to this correspondent, “I think it has been outsourced, we don’t deal with it. May be you can contact the PMO.”

Anurag Jain’s office at the PMO said, “You won’t get any information here on the app and the response of the people for the campaign through it. Call the appointments section, it might know.” But that section didn’t respond.

A mail sent to Arvind Gupta of the BJP’s Cyber Cell too has so far remained unanswered. A BJP source, however, pointed out, “If you go to @narendramodi_in, it clearly mentions that it is the twitter account of narendramodi.in, the personal website of Narendra Modi and also of the Narendra Modi mobile app. So it is his personal app.”

The question of why a personal app of the prime minister is then called his “official” app remains unanswered. Also, why is it then that the bulk text messages sent by a government entity, MyGov, direct the public to the prime minister’s personal app to send a message to the armed forces? Is it personal or official?

Meanwhile, the traffic directed by the prime minister’s official website to his personal portal can make use of the e-greeting section in it to send a Diwali e-card to family, relatives, colleagues, etc.

To send such an e-card, the user needs to follow four mandatory steps – choosing a card from the available options, selecting a pre-written Diwali message; selecting a quote of the prime minister from an exhaustive list made available to the user, and adding the name, salutation and email address of the recipient of the card.

The list of quotes – in English and Hindi – have been culled out of the prime minister’s speeches that straddle a variety of categories including Pakistan, terrorism, ASEAN, Nepal, Bhutan, Swacchh Bharat mission, the idea of India, secularism, disability, caste, dalits, governance, yoga, youth, et al.

It also has “motivation” as a category of prime minister’s sayings. Clicking it will give a user the choice of a long list of the prime minister’s quotes which begins with the need for the world to recognise the sacrifice made by Indian soldiers in the two world wars and ends with a quote on the 2010 judgment given by the Allahabad high court on the disputed site at Ayodhya:

Diwali greetings that can be sent along with the prime minister’s quote on the Ayodhya judgement which has been stayed by the Supreme Court

The quote said, “The Ayodhya judgment will work as a catalyst to maintain peace and unity in the country. This judgment has given a respect to belief and self esteem of the people of India, and it should be linked to self esteem of the country.”

Reacting to the judgment in 2010, the Rashtriya Swayamsevak Sangh chief Mohan Bhagwat had expressed “satisfaction”, adding, “The judgment has paved the way for the construction of Ram temple in Ayodhya. The judgment is not a win or loss for anybody. We invite everybody, including Muslims, to help build the temple.”

Constructing the Ram temple in Ayodhya was also in the manifesto of the BJP for the 2014 Lok Sabha polls with Modi as the party’s prime ministerial candidate.

So, even if the Supreme Court had put a stay on the judgment and has been hearing some petitions for and against it, this Diwali, if you wish to send an e-card using that quote of the prime minister to express his mind on the issue, you can.

“I think it is not only improper of the prime minister to allow such a quote to feature in an e-card with his name but it is also contempt of court. Being the prime minister of the country, he has to maintain neutrality. As per the constitution, there is separation of the state from religion. So being the prime minister, he can’t possibly allow someone to use that quote of him,” says well-known constitutional expert and senior Supreme Court lawyer Rajeev Dhavan.

Dhavan points out a precedent: “In 1969, the Supreme Court held as contempt a comment made by the then West Bengal chief minister P.C. Sen in a speech aired by All India Radio. The speech was made at a time when someone had challenged an order of the state government on milk production. Sen’s adverse comment supporting the order was presented first in front of the West Bengal High Court which took cognisance of it and termed it contempt of court. Thereafter, the case came to the SC which also termed it contempt of court as the comment was made while the case was pending in the court.”

Swaying public opinion

As per media reports, the comment on the September 30, 2010, HC order was made by Modi, then the Gujarat chief minister, on the same day, before the SC stayed that order in May, 2011.

Dhavan felt, “That he, as the prime minister, is now openly allowing a user to circulate that quote after the SC has begun hearing the case will attract criminal contempt of court as it can be seen as interfering with the working of the judiciary. He can obviously affect public opinion and can be seen as trying to decide the question. It can be seen as usurping the function of the Judiciary by the Executive.”

The traffic directed by the prime minister’s official website to the personal portal can also make use of any Diwali e-greeting card by picking a quote from a category named “political-general”. Many of the quotes under that category are from the prime minister’s multiple attacks on the main opposition party, the Congress, some of which must have been made before the 2014 Lok Sabha polls, such as this one: “The UPA government is non-serious, it has taken the people for granted & it is not bothered about the youth. Their approach shows lack of faith in democracy. Our goal is to win the trust of the people & give dignity to them…”

“That the prime minister’s official website links people to surf his personal website where they can send e-cards using anti-opposition quotes of the prime minister is extremely contentious. Whichever party had come to power, there has always been a Chinese wall between the institution of the prime minister and the politician. Unfortunately, both have come together in the current dispensation. The common man doesn’t understand it well, so it is taking advantage of technology to erase that difference,” former Information and Broadcasting minister and Congress spokesperson Manish Tiwari said.

Such e-cards are not restricted to Diwali. You can send them on occasions like “Holi, Rakshabandhan, Navaratri, Christmas, Independence Day, Gudi Padwa, Kite Festival, Namo Birthday, Ram Navami, Swami Vivekananda Janma Jayanti” and at any other time by opting for the “political (general)” category.

Narendra Modi implemented the idea of launching e-cards that could go with his quotes in the run-up to the 2014 parliamentary elections. Reports said that “Narendra Modi E-cards” were used by the BJP as a “new marketing strategy” to canvas for its prime ministerial candidate before Holi to bypass the Election Commission of India’s model code of conduct as there was “no mention of rules for social media usage by political parties”.

Meanwhile, those who have signed up for the Narendra Modi mobile app only to send a message to the armed forces have begun receiving regular “infographics” based on the prime minister’s speeches, and also data culled out of news and study reports that are deemed favourable to him and his government. A registered user can further pass on those “infographics” by sharing them on her Facebook page and twitter handle.

The app, though termed “official”, also forwards to a registered user tweets posted only from his personal twitter handle and not from his official handle, @pmoindia. One such tweet that this correspondent received through the app had little to do with the government and entirely with the persona of the politician behind the prime minister. The tweet said, “When @narendramodi demonstrated true leadership at the Patna rally, on this day in 2013…”

Clicking on the link in the tweet takes you to a write-up that talks of the “true grit” of the “BJP’s then prime ministerial candidate” by addressing a rally after a bomb blast in Patna.

For more details visit https://cis-india.org/internet-governance/news/the-wire-october-29-2016-sangeeta-barooah-pisharoty-behind-modis-heartwarming-diwal-ad-for-soldiers-an-app-that-is-primed-for-political-messaging

Bridging the gap: Tech giants bring the internet to women in rural India

praskrishna — 2016-10-30T07:23:05Z

This Diwali is going to be a cracker of a festival for Nisha Chanderwal, a second year BA student.

The article by KumKum Dasgupta was published in the Hindustan Times on October 28, 2016. Pranesh Prakash and Rohini Lakshané were quoted.

“I bought a bright red kurta with gold-colour zari dupatta from Snapdeal, my first online purchase,” the 19-year-old resident of Alwar’s Umren village told HT recently.

“No courier service reaches my village. So I gave my aunt’s home address in Alwar. They paid in cash…I paid her when I picked up the parcel,” she added, explaining the circuitous delivery and payment process that is common in rural India.

Nisha is elated for one more reason: She has finally got even with her 20-year-old brother, Ashok. “He has a smartphone, but doesn’t even let me touch it, saying girls should not use the Internet. But now thanks to Google’s Internet Saathi Programme (ISP), I don’t need his phone or his help,” said an elated Nisha.

In July 2015, technology giant Google launched ISP in partnership with Tata Trusts, one of the country’s oldest philanthropic organisations, to bring rural women online in India. Today, the initiative is live in 25,000 villages across 10 states with 1,900 saathis. The final mission is to reach 300,000 villages. Google is adding up to 500 additional ‘saathis’ per week. More than 100,000 women have been trained so far.

Google started this programme because Internet usage by women in rural areas is low.

“Only one in 10 Internet users in rural India is a woman,” Sapna Chadha, marketing head, Google India, told HT. “With ISP, we are creating an enabling environment that empowers them while also bridging the technology gender divide. We believe that easy access to information can transform lives. Our mission is to organise the world’s information and make it universally accessible”.

Along with access to information, getting more and more women online has other benefits: “If women are a minority online, they become vulnerable to harassment and violence. Women can’t only be consumers of the Internet but must contribute their views, and make the space equitable,” said Rohini Lakshané of the Bangalore-based The Centre for Internet and Society (CIS), which is funded by the Kusuma Trust.

Google and Tata Trusts are leveraging their core strengths for ISP. While Google provides the hardware (phones and tablets), training and Internet connectivity. Tata Trusts does the identification of saathis and the monitoring.

“We tie up with government departments to roll out the project. For example, in Rajasthan and Andhra Pradesh, we are working with the rural livelihood mission. The government helps us to identify villages, set selection criteria and logistics such as venues,” explained Prabhat Pani, project director, Tata Trusts.

The programme first chooses a few women and trains them on how to use a mobile phone, shoot photos and videos and the basics of Internet. Then the women are sent out on bicycles with a smartphone and a tablet to teach others in their villages.

The programme has opened a new world for many. “Google is like a book. You can get whatever information you need. I am illiterate but I use voice search for information,” said Phoolwati, a 45-year-old resident of Nangli Jamawat, Umren.

Her friend Manju is now the village’s undisputed ‘selfie queen’. “I love taking videos and photos,” she said, adding that she also searches for information on MGNREGA or education loans for her children.

According to Google, the new online entrants are searching for news, recipes, designs for clothes, images and information on pilgrimages, farming and cattle-related information and government schemes.

For Google, it makes immense sense to get more people online. “The company is targeting huge and untapped demographics who are entry-level users. Going forward, they will have a huge first-mover advantage if there is scope to monetise Google’s services,” explained Lakshané.

By 2020, about 315 million rural Indians will be connected to the Internet, compared to around 120 million now. That’s about 36% of the country’s online population. By 2020, this share of rural India will jump to 48%, creating a huge opportunity for brands and marketers in places where establishing stores is a challenge,” says a study by the Boston Consulting Group, The Rising Connected Consumer in Rural India.

The first signs of this market potential were evident during the pre-Diwali online festival season sale. E-tailers posted growth in sales compared to last year thanks to growing smartphone penetration in small towns and villages, cheaper data tariffs and free hotspots. While Google did not divulge the exact revenues that it is spending on ISP, Chadha said it has helped the company to understand the needs of users in rural areas and what role the Internet can play.

Along with ISP, Google is also working with the Indian government on two projects that aims to give more people access to the Internet.

First, the Project Loon, which uses high-altitude balloons to create an aerial wireless network with up to 4G speeds for providing Internet access to rural and remote areas.

Second, the company is partnering with RailTel to provide free wi-fi access in stations.

“The ISP has no immediate profits for Google. The average revenue Indian per user is less than say a user in US. But getting more people online helps Google because its search engine is most used,” Pranesh Prakash, policy director, CIS, told HT. “In the long run, the company will earn when people access its services and also from advertising revenue.”

Nevertheless, the ISP is addressing a major problem. “Many are afraid to go online because they don’t know how they can benefit. While the Saathi programme is not a philanthropic effort, it’s good that Google is addressing this issue through its training programmes,” Prakash said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-october-28-2016-kumkum-dasgupta-bridging-the-gap

Some Key Words Are Missing

praskrishna — 2016-10-23T01:40:12Z

Google manipulating search results? The Competition Commission is on its case.

The article by Arindam Mukherjee was published by Outlook on October 23, 2016. Nehaa Chaudhari was quoted.

G’s Global Woes

Google’s problems aren’t restricted to India. It is facing similar cases around the world.

Europe: The search giant has been accused of using its dominant position on the web to dominate the market for online product searches. There’s another probe on possible abuse of dominant position with Android.

Brazil: Is being investigated for favouring its own services over others on the internet

Hong Kong & Argentina: Facing issues about collecting user data

Spain: Had to shut down Google News over copyright issues.

Germany: Its Google Street View navigation service got into problems over privacy issues

Mexico: The local regulator has brought up issues similar to those in Europe

***

There is an uneasy calm at Google’s India offices these days. Spokespersons are giving measured statements, watched over by an army of lawyers who are busy looking at the finer points. A case against Google’s advertising and search practices with the Competition Commission of India (CCI) has the potential to derail the search giant’s operations in India. Why, a nervous Google has even sought to make hearings in this case in-camera to totally shut out the media.

There is a lot at stake. An investigation report of the CCI has found Google squarely guilty of abusing its dominant position to manipulate search results on the internet and online advertising results to its own advantage and to those of companies paying for it. Google was found to “have abused its dominant position in the relevant markets of online general web search service in India and online search advertising in India in violation of the Competition Act 2002”.

Indeed, the report (which has been reviewed by Outlook) is blunt on many of the issues: “Google is found to be indulging in practices of search bias and by doing so it causes harm to its competitors as well as users.... Google steers users to its own products and services and produces biased results. This structure offers abundant opportunities for leveraging and has also raised issues of conflict of interest.” It says that through such practices Google was adversely affecting the competitive landscape in the markets for online general web search, search advertising as well as adjacent markets like travel, maps, social networking and e-commerce.

The whole brouhaha started with complaints from two parties—Chennai-based matchmaking portal Bharatmatrimony.com and Jaipur-based consumer rights organisation CUTS International—in 2012. “People who are subscribing to Google’s Adwords and are paying Google or are buying keywords are getting preference in their search results. Many of the search results on Google are either ads or sponsored links and not genuine search results. Google is pushing ads as news items which normal users would be unable to distinguish,” says Sharad Bhansali, managing partner, APJ SLG Law Offices which is representing CUTS.

CUTS also complained that Google was promoting its own products through search. Says Udai Singh Mehta, CUTS director, “Preference was being given by Google to its products and subsidiaries in search.” This, being a dominant player in search and online advertising, amounts to abusing its position. According to market estimates, Google enjoys a 93 per cent share of the search market and gets about 85 per cent of the revenues of online advertising. Says Nikhil Pahwa, editor-in-chief of Medianama: “In search cases, Google is clearly the dominant player in the market. So when they start integrating content into search, there is a problem and it becomes an issue.”

“In search cases, Google is clearly the dominant player. So when they integrate content into search, it’s a problem.”
Nikhil Pahwa, Medianama

In the course of the investigation, the CCI D-G also sought opinion from about 30 companies—most of them gave similar feedback about Google’s practices. The list includes Flipkart, mapmyindia.com, makemytrip.com, Microsoft and Nokia Maps.

Google will now have to appear before the full CCI bench on September 17 for a hearing based on the D-G report. After this, the CCI will take a final call on the issue. Of course, Google can seek an extension of this hearing. According to company insiders, they have not sought an extension yet. Google will have the right to appeal any order the CCI comes out with. The first appeal would be at the court of a competition appellate tribunal headed by a retired SC judge. The final appeal can happen only with the Supreme Court.

As expected, Google denies any wrongdoing and says the abuse of dominant position will need to be proved. Manas Chaudhuri, lawyer with Khaitan & Co which deals with competition cases, told Outlook, “The report says that Google is dominant, which is correct. If it is dominant, there is nothing wrong under the Competition Act. The issue is whether or not it has abused its dominance. The ‘abuse’ is a rule-of-reason argument and as such the CCI will have to assess quite a few international best practices theories eg, ‘objective justification’, ‘analysing the statutory mandate of meeting the competition in the relevant market’, ‘consumer harm’ and ‘counterfactuals’.”

In response to queries, a Google spokesperson said, “We’re currently reviewing the report from the CCI’s ongoing investigation. We continue to work closely with the CCI and remain confident that we comply fully with India’s competition laws. Regulators and courts around the world, including in the US, Germany, Taiwan, Egypt and Brazil, have looked into and found no concerns on many of the issues raised in this report.” Actually, Google is facing a similar case in the EU, while similar issues have been raised in Brazil, Hong Kong, Argentina and Mexico (see box).

Outlook’s cover from Oct 28, 2013

Sure, at first blush, the report appears tilted against Google. What may go in its favour is the CCI’s dismal record in treating such cases. Though it is the final investigation report, experts say it is not sacrosanct: the CCI bench might not agree with it. In the last six years, over 20 such investigation reports have been dismissed by the CCI after the final hearing. And Google will try its best to bring forth the fact that it has been exonerated in similar cases in the US, Germany and Taiwan.

But with the D-G’s final investigation report giving a clear verdict against Google’s practices, it might not be so easy for the search giant to come out cleanly from this one. Says Nehaa Chaudhari, lawyer with the Centre for Internet and Society (cis), “Given that India is not the only jurisdiction where Google is using its secret algorithm to promote its own products, there is enough for the CCI to proceed on against it.” What will also help is the testimony of several companies who have said that they have suffered because of Google’s web practices.

The entire world is watching India. Clearly, if the CCI upholds the D-G report and pronounces Google guilty, it could seriously affect the search giant’s growth in India, one of the fastest growing internet markets for Google with over 300 million internet users and an even faster growing Android landscape (where also it is a dominant player). With the final EU verdict on the case yet to come out, will India set a new example for the world to follow?

For more details visit https://cis-india.org/internet-governance/news/outlook-arindam-mukherjee-october-23-2016-some-key-words-are-missing

How Long Have Banks Known About The Debit Card Fraud?

tiwari — 2016-10-22T08:06:51Z

The recent security breach in an Indian payment switch provider, confirmed earlier this week by the National Payments Corporation of India Ltd (NPCIL), has forced domestic banks into damage control mode over the past few days.

The article was published by Bloomberg on October 22, 2016.

The breach was detected when various customers began to lodge complaints with their banks about unauthorised transactions on their accounts, which upon investigation were said to originate from a foreign location such as China. The security breach has affected actively at least 641 customers to the tune of Rs 1.8 crore, with lakhs more being affected by the pro-active measures (including card revocation) being taken by banks to prevent further financial losses.

Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of damage it has caused and the sufficiency of the countermeasures being initiated by the banks against the attacks. This article will talk about these aspects of the attack and also suggest normative measures that can be carried out to minimize harm and prevent such attacks in the future.

The Modus Operandi

According to reports, the compromise may have happened at the level of the Hitachi Payment Services, which is a payment services provider which operates, among other financial services, ATMs for a variety of banks across the country. One or a certain number of ATMs were apparently compromised by a malware, which then infected the payment services provider network, leading to a far larger potential target area than just the physical ATMs for malware to act against. The malware could have infected the payment switch provider via physically being uploaded onto vulnerable ATM machines, which are known to run out-dated embedded operating systems with various documented loopholes that are rarely patched. The malware then could have recorded the details of the cards used on the infected ATMs (or even in the network generally) and then, via the same compromised network, transmitted confidential details, including ATM pins and CVV numbers, to the operators of the malware.

The attack could have also occurred from some other vulnerable part of the payment network, such as a payment switch within the bank itself, making it far more dangerous as it still maybe be active on parts of the network within the bank and would have access to a far wider range & variety of information than a mere ATM. There is no real way to know if the threat has been even contained, forget neutralised, as the audits being carried out by PCI-DSS authorised agencies have been on-going for the past month and their reports are not due at least another 15 days, as intimated by NPCIL.

Massive Financial Implications


Policemen guard the banking hall of a State Bank of India branch in New Delhi. (Photographer: Sondeep Shankar/Bloomberg News)

The compromise of these details, regardless of the source of the compromise, has massive financial implications. This is because various international services allow debit/credit cards to be used only with the card number, expiry date, name & CVV number. They do not require the use of ATM Pins or an OTP (one time password) sent to a mobile phone for online transactions. In fact, unlike India where the RBI mandates OTPs for debit cards, this CVV based simplified online usage is the standard practice of using ATM Cards digitally in most of the developed world.

This would mean that merely changing ATM pins, something which SBI alleges less than 7 percent of its customers had done prior to all 6 lakh cards being blocked, would serve as almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these kinds of internationally enabled cards that are being targeted for this sort of an attack.

Are Banks Concealing Information?


A customer exits a Yes Bank Ltd. automated teller machine (ATM) in Ahmedabad. (Photographer: Dhiraj Singh/Bloomberg)

The absence of data/security breach laws in India is being sharply felt as there as has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation & disclosure of key information pertaining to the attack along with detailed containment measures. The presence of such a law in India would have gone a long way in preventing the breach from being under the wraps for so long (it occurred at the bank level in September, almost a month ago) and also ensured far more vigilant active compliance by corporations & banks to international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards being issued to affected customers.

Constant vigilance & comprehensive security audits by banks to detect affected cards and active protection for customers, using financial and identity insurance services such as AllClear ID Plus (used by Sony in the 2011 Playstation Hack) will go a long way in mitigating the harm of the breach. The banking industry, government & security agencies should all learn from this breach and a combination of new legislation, updated industry practices and consumer awareness is necessary for proactive & reactive actions in the future.

For more details visit https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud

RBI Directions on Account Aggregators

Vipul Kharbanda and Elonnai Hickok — 2016-10-21T15:25:01Z

The Reserve Bank of India's (RBI) Directions for account aggregator services in India seem to lay great emphasis on data security by allowing only direct access between institutions and do away with data scraping techniques.

These days’ people have access to various financial services and manage their finances in a diverse manner while dealing with a large number of financial service providers, each providing one or more services that the user may need such as banking, credit card services, investment services, etc. This multiplicity of financial service providers could make it inconvenient for the users to keep track of their finances since all the information cannot be provided at the same place. This problem is sought to be solved by the account aggregators by providing all the financial data of the user at a single place. Account aggregation is the consolidation of online financial account information (e.g., from banks, credit card companies, etc.) for online retrieval at one site. In a typical arrangement, an intermediary (e.g., a portal) agrees with a third party service provider to provide the service to consumers, the intermediary would then generally privately label the service and offer consumers access to it at the intermediary’s website.[1] There are two major ways in which account aggregation takes place, (i) direct access: wherein the account aggregator gets direct access to the data of the user residing in the computer system of the financial service provider; and (ii) scraping: where the user provides the account aggregator the username and password for its account in the different financial service providers and the account aggregator scrapes the information off the website/portal of the different financial service providers.

Since account aggregation involves the use and exchange of financial information there could be a number of potential risks associated with it such as (i) loss of passwords; (ii) frauds; (iii) security breaches at the account aggregator, etc. It is for this reason that on the advice of the Financial Stability and Development Council,[2] the Reserve Bank of India (“RBI”) felt the need to regulate this sector and on September 2, 2016 issued the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 to provide a framework for the registration and operation of Account Aggregators in India (the “Directions”). The Directions provide that no company shall be allowed to undertake the business of account aggregators without being registered with the RBI as an NBFC-Account Aggregator. The Directions also specify the conditions that have to be fulfilled for consideration of an entity as an Account Aggregator such as:

the company should have a net owned fund of not less than rupees two crore, or such higher amount as the Bank may specify;
the company should have the necessary resources and wherewithal to offer account aggregator services;
the company should have adequate capital structure to undertake the business of an account aggregator;
the promoters of the company should be fit and proper individuals;
the general character of the management or proposed management of the company should not be prejudicial to the public interest;
the company should have a plan for a robust Information Technology system;
the company should not have a leverage ratio of more than seven;
the public interest should be served by the grant of certificate of registration; and
Any other condition that made be specified by the Bank from time to time.[3]

The Direction further talk about the responsibilities of the Account Aggregators and specify that the account aggregators shall have the duties such as: (a) Providing services to a customer based on the customer’s explicit consent; (b) Ensuring that the provision of services is backed by appropriate agreements/ authorisations between the Account Aggregator, the customer and the financial information providers; (c) Ensuring proper customer identification; (d) Sharing the financial information only with the customer or any other financial information user specifically authorized by the customer; (e) Having a Citizen's Charter explicitly guaranteeing protection of the rights of a customer.[4]

The Account Aggregators are also prohibited from indulging in certain activities such as: (a) Support transactions by customers; (b) Undertaking any other business other than the business of account aggregator; (c) Keeping or “residing” with itself the financial information of the customer accessed by it; (d) Using the services of a third party for undertaking its business activities; (e) Accessing user authentication credentials of customers; (f) Disclosing or parting with any information that it may come to acquire from/ on behalf of a customer without the explicit consent of the customer.[5] The fact that there is a prohibition on the information accessed from actually residing with the Account Aggregator will ensure greater security and protection of the information.

Consent Framework

The Directions specify that the function of obtaining, submitting and managing the customer’s consent should be performed strictly in accordance with the Directions and that no information shall be retrieved, shared or transferred without the explicit consent of the customer.[6] The consent is to be taken in a standardized artefact, which can also be obtained in electronic form,[7] and shall contain details as to (i) the identity of the customer and optional contact information; (ii) the nature of the financial information requested; (iii) purpose of collecting the information; (iv) the identity of the recipients of the information, if any; (v) URL or other address to which notification needs to be sent every time the consent artefact is used to access information; (vi) Consent creation date, expiry date, identity and signature/ digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI.[8] The account aggregator is required to inform the customer of all the necessary attributes to be contained in the consent artefact as well as the customer’s right to file complaints with the relevant authorities.[9] The customers shall also be provided an option to revoke consent to obtain information that is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information.[10]

Comments: While the Directions have specific provisions regarding how the financial data shall be dealt with, it is pertinent to note that the actual consent artefact also has personal information and it is not clear whether Account Aggregators are allowed disclose that information to third parties are not.

Disclosure and sharing of financial information

Financial information providers such as banks, mutual funds, etc. are allowed to share information with account aggregators only upon being presented with a valid consent artifact and also have the responsibility to verify the consent as well as the credentials of the account aggregator.[11] Once the verification is done, the financial information provider shall digitally sign the financial information and transmit the same to the Account Aggregator in a secure manner in real time, as per the terms of the consent.[12] In order to ensure smooth flow of data, the Directions also impose an obligation on financial information providers to:

implement interfaces that will allow an Account Aggregator to submit consent artefacts, and authenticate each other, and enable secure flow of financial information;
adopt means to verify the consent including digital signatures;
implement means to digitally sign the financial information; and
maintain a log of all information sharing requests and the actions performed pursuant to such requests, and submit the same to the Account Aggregator.[13]

Comments: The Directions provide that the Account Aggregator will not support any transactions by the customers and this seems to suggest that in case of any mistakes in the information the customer would have to approach the financial information provider and not the Account Aggregator.

Use of Information

The Directions provide that in cases where financial information has been provided by a financial information provider to an Account Aggregator for transferring the same to a financial information user with the explicit consent of the customer, the Account Aggregator shall transfer the same in a secure manner in accordance with the terms of the consent artefact only after verifying the identity of the financial information user.[14] Such information, as well as information which may be provided for transferring to the customer, shall not be used or disclosed by the Account Aggregator or the Financial Information user except as specified in the consent artefact.[15]

Data Security

The Directions specify that the business of an Account Aggregator will be entirely Information Technology (IT) driven and they are required to adopt required IT framework and interfaces to ensure secure data flows from the financial information providers to their own systems and onwards to the financial information users.[16] This technology should also be scalable to cover any other financial information or financial information providers as may be specified by the RBI in the future.[17] The IT systems should also have adequate safeguards to ensure they are protected against unauthorised access, alteration, destruction, disclosure or dissemination of records and data.[18] Information System Audit of the internal systems and processes should be in place and be conducted at least once in two years by CISA certified external auditors whose report is to be submitted to the RBI.[19] The Account Aggregators are prohibited from asking for or storing customer credentials (like passwords, PINs, private keys) which may be used for authenticating customers to the financial information providers and their access to customer’s information will be based only on consent-based authorisation (for scraping).[20]

Grievance Redressal

The Directions require the Account Aggregator to put in place a policy for handling/ disposal of customer grievances/ complaints, which shall be approved by its Board and also have a dedicated set-up to address customer grievances/ complaints which shall be handled and addressed in the manner prescribed in the policy.[21] The Account Aggregator also has to display the name and details of the Grievance Redressal Officer on its website as well as place of business.[22]

Supervision

The Directions require the Account Aggregators to put in place various internal checks and balances to ensure that the business of the Account Aggregator does not violate any laws or regulations such as constitution of an Audit Committee, a Nomination Committee to ensure the “fit and proper” status of its Directors, a Risk Management Committee and establishment of a robust and well documented risk management framework.[23] The Risk Management Committee is required to (a) give due consideration to factors such as reputation, customer confidence, consequential impact and legal implications, with regard to investment in controls and security measures for computer systems, networks, data centres, operations and backup facilities; and b) have oversight of technology risks and ensure that the organisation’s IT function is capable of supporting its business strategies and objectives.[24] Further the RBI also has the power to inspect any Account Aggregator at any time.[25]

Penalties

The Directions themselves do not provide for any penalties for non compliance, however since the Directions are issued under Section 45JA of the Reserve Bank of India Act, 1934 (“RBI Act”), this means that any contravention of these directions will be punishable under Section 58B of the RBI Act which provides for an imprisonment of upto 3 years as well as a fine for any contravention of such directions.

Conclusion

The Directions by the RBI provide a number of regulations and checks on Account Aggregators with the view to ensure safety of customer financial data. These Directions appear to be quite trendsetting in the sense that in most other jurisdictions such as the United States or even Europe there are no specific regulations governing Account Aggregators but their activities are mainly being governed under existing privacy or consumer protection legislations.[26]

The entire regulatory regime for Account Aggregators seems to suggest that the RBI wants Account Aggregators to be like funnels to channel information from various platforms right to the customer (or financial information user) and it does not want to take a chance with the information actually residing with the Account Aggregators. Further, by prohibiting Account Aggregators from accessing user authentication credentials, the RBI is trying to eliminate the possibility of this information being leaked or stolen. Although this may make it more onerous for Account Aggregators to provide their services, it is a great step to ensure the safety and security of customer data.

In recent months the RBI has been trying to actively engage with the various new products being introduced in the financial sector owing to various technological advancements, be it the circular informing the public about the risks of virtual currencies including Bitcoin, the consultation paper on P2P lending platforms or these current guidelines on Account Aggregators. These recent actions of the RBI seem to suggest that the RBI is well aware of various technological advancements in the financial sector and is keeping a keen eye on these technologies and products, but appears to be taking a cautious and weighted approach regarding how to deal with them.

[1] Ann S. Spiotto, Financial Account Aggregation: The Liability Perspective, Fordham Journal of Corporate & Financial Law, 2006, Volume 8, Issue 2, Article 6, available at http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1181&context=jcfl

[2] https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=34345

[3] Clause 4.2.2 of the Directions.

[4] Clause 5 of the Directions.

[5] Clause 5 of the Directions.

[6] Clauses 6.1 and 6.2 of the Directions.

[7] Clause 6.4 of the Directions.

[8] Clause 6.3 of the Directions.

[9] Clause 6.5 of the Directions.

[10] Clause 6.6 of the Directions.

[11] Clauses 7.1 and 7.2 of the Directions.

[12] Clauses 7.3 and 7.4 of the Directions.

[13] Clause 7.5 of the Directions.

[14] Clause 7.6.1 of the Directions.

[15] Clause 7.6.2 of the Directions.

[16] Clause 9(a) of the Directions.

[17] Clause 9(c) of the Directions.

[18] Clause 9(d) of the Directions.

[19] Clause 9(f) of the Directions.

[20] Clause 9(b) of the Directions.

[21] Clauses 10.1 and 10.2 of the Directions.

[22] Clause 10.3 of the Directions.

[23] Clauses 12.2, 12.3 and 12.4 of the Directions.

[24] Clause 12.4 of the Directions.

[25] Clause 15 of the Directions.

[26] http://www.canadiancybersecuritylaw.com/2016/07/german-regulator-finds-banks-data-rules-impede-non-bank-competitors/

For more details visit https://cis-india.org/internet-governance/blog/rbi-directions-on-account-aggregators

The Big Debit Card Breach: Three Things Card Holders Need To Understand

praskrishna — 2016-10-21T13:43:17Z

A total of 32 lakh debit cards across 19 banks could have been compromised on account of a purported fraud, the National Payment Corporation of India said in a statement.

The article by Alex Mathew was published by Bloomberg on October 20, 2016. Udbhav Tiwari was quoted.

The issue was brought to light when State Bank of India blocked the debit cards of 6 lakh customers on October 14. This was done after the bank was alerted to a possible fraud by the National Payment Corporation of India, MasterCard and Visa, said Managing Director Rajnish Kumar in a telephonic interview with BloombergQuint.

In a statement released on Thursday evening, the NPCI clarified that the problem was brought to their attention when they received complaints from a few banks that customers’ cards were used fraudulently, mainly in China and the U.S., while those cardholders were in India.

“The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers. The total amount involved is Rs 1.3 crore as reported by various affected banks to NPCI,” the payments corporation said.

SISA Security, a Bengaluru-based company is currently undertaking a forensic study to identify the extent of the problem and will submit a final report in November.

Based on the advisory issued by NPCI and other schemes, it is gathered that banks have advised their customers to change their debit card PIN. In situations where customers could not be contacted, the cards have been blocked and fresh cards are being issued by member banks.

NPCI statement

State Bank of India has blocked 6 lakh cards, while other banks have sent notifications to customers advising them to change their personal identification numbers.

How The Breach Could Have Occured

The breach that has apparently given hackers access to the PIN codes of several bank customers is likely to be on account of a malware attack. This attack is believed to have originated at an ATM.

The actual modus operandi of the hackers will only become clear once the forensic audit is released in November, but BloombergQuint spoke to cyber security expert Udbhav Tiwari to find out how the attack could have been orchestrated.

First, the hacker would have had to gain physical access to an ATM. The malware was then likely injected by connecting a laptop or another special device to a port on the cash disbursing machine, said Tiwari, a consultant at Centre For Internet & Society in Bengaluru.

Once the malware is injected, it automatically spreads across the network and infects other devices that are not protected against it. In this case, the malware could have infected a payment switch provider’s network.

A payment switch provider is an entity that facilitates a transaction either from an ATM or an online payment gateway. The service provider decides to whom the request for authorisation will be sent and then transmits the request back to the merchant or the ATM where the transaction originated.

In this case, one payment switch provider, Hitachi Payment Services, which manages close to 50,000 ATMs across the country, was asked by banks to investigate 30 of its ATMs on account of around 400 suspicious transactions that took place outside India, Managing Director Loney Antony told BloombergQuint in a telephonic interview.

The company had earlier said in a statement that an interim report by the audit agency does not suggest any breach or compromise in its systems.

The Scale Of The Breach

According to a study conducted by NPCI in collaboration with the banks, the number of debit cards that were infected by the malware has been set at 32 lakh. But Tiwari said this number could be higher.

The hypothetical limit to how much the malware can spread is dependent on the vulnerability of the systems, and if one of the payment switch provider’s systems was vulnerable and they still haven’t decided how many systems are vulnerable, it is quite possible that the malware is spreading at this point.

Udbhav Tiwari, Consultant, Centre For Internet & Society

What A Customer Should Do

The first, and most important step a customer should take is to immediately change their debit card PIN, Tiwari pointed out.

State Bank of India has said that its customers can opt to restrict the usage of their debit cards, for example whether it can be used both internationally and domestically or only domestically. Also, the daily limit of the debit card can be changed.

Once these steps have been taken, according to Tiwari, it is most important that customers stay vigilant and keep monitoring their bank statements. If an unauthorised transaction takes place, a customer should immediately contact their bank and block their card.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-alex-mathew-october-20-2016-the-big-debit-card-breach

Intelligence agencies will not have open access to Aadhaar data: UIDAI chief

praskrishna — 2016-10-21T01:32:56Z

Intelligence agencies will not have free access to Aadhaar data, a top government official said on Thursday, looking to assuage fears of abuse of personal information.

The article by Aloke Tikku was published in the Hindustan Times on October 20, 2016. Sunil Abraham was quoted.

The Unique Identification Authority of India (UIDAI), which issued identity cards to 1.07 billion Indians, last month decided to retain data related to the verification of Aadhaar-enabled transactions for seven years, leading to security concerns over data safety.

As reported by HT on Monday, privacy experts expressed concerns that transaction data retained for so long could be accessed by the security establishment for surveillance on individuals without sufficient grounds.

“This fear is completely misplaced,” ABP Pandey, UIDAI’s chief executive officer told HT in an interview.

Security agencies can access the data only in case of national security after they get the nod of an oversight committee headed by the cabinet secretary. This committee has to clear every order made by the designated joint secretary-level officer before the information is shared, he said.

“You cannot have any legal protection stronger than this,” Pandey added.

Aadhaar transaction data is not only protected by the most powerful, contemporary law to restrict access but also by strong cryptography.

“Even if someone attempts, the 2048-bit encryption is so strong that it will take them millions of computers and billions of years to decrypt the data,” he said.

A vocal critic of Aadhaar’s design, Sunil Abraham of the Centre for Internet and Society (CIS) suggested he wouldn’t rely too much on the legal framework. “You cannot put a legal band-aid on a broken technological solution. You need to get privacy and security right by design,” the director of the Bengaluru-based research body said.

Abraham said the problem could have been averted if the UIDAI did not store the data in a centralised form. Instead, it could have used its digital signature to sign proof of authentication that could be stored by the authenticating agency and the citizen on a smart card.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-october-20-2016-intelligence-agencies-will-not-have-open-access-to-aadhaar-data

MLATs and the proposed Amendments to the US Electronic Communications Privacy Act

Vipul Kharbanda and Elonnai Hickok — 2016-12-28T01:09:34Z

In continuance of our blog post on mutual legal assistance treaties (MLATs), we examine a new approach to international bilateral cooperation being suggested in the United States, by creating a mechanism for certain foreign governments to directly approach the data controllers.

Published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document.

In the previous article on MLATs we discussed, in some detail, what MLATs are and why they are needed. One area which was briefly focused upon in that article was the limitations and criticisms of the MLAT mechanism, of which one of the main criticisms being the problems caused due to different legal standards in various jurisdictions as well as the time taken to process a request for information sent from one country to another. Talking specifically about the United States, where most internet companies are headquartered and hold large amounts of data, it typically takes months to process requests under MLATs and foreign governments often struggle to comprehend and comply with the legal standards in the United States for obtaining data for use in their investigations.[1] The requirement that a foreign government should take permission from, and comply with the requirements of a foreign government simply because the data needed happens to be controlled by a service provider based in a foreign country strikes many foreign law enforcement officials as damaging to security and law enforcement efforts, especially when they are requesting data pertaining to a crime between two of their own citizens that primarily took place on their soil.[2]

These inefficiencies of the MLAT process lead to further problems of foreign governments attempting to apply their search and surveillance laws in an extraterritorial manner for example in 2014 the UK passed the Data Retention and Investigatory Powers Act, 2014 with gives the government the power to directly access data from foreign service providers if sought for specific purposes and the request is approved by the Secretary of State or other specified executive branch official.[3] Another response that may occur is if, frustrated by such inefficiencies of the existing systems, courts in foreign states start assuming extra territorial jurisdiction, as happened when a District Court in Vishakhapatnam restrained Google from complying with a subpoena issued by the Superior Court of California, ordering Google to share the password of the Gmail account belonging to an Indian citizen residing in Vishakhapatnam.[4]

Solution proposed in the United States

In order to overcome these inefficiencies, at least in the American context, the Department of Justice has proposed a legislation which seeks to make the process of foreign governments getting information from US based entities more streamlined by amending the provisions of the Electronic Communications Privacy Act (ECPA) of the United States (the “Amendment”). These amendments have been proposed primarily for the US and UK to effectuate a proposed bilateral agreement whereby the UK government will be able to approach US companies directly with requests for information without going through the MLAT process or getting an order from a US court.

The Amendment seeks to ensure that requests from foreign governments for information from US entities get answered in a smooth manner by including those requests in the process for seeking information under the ECPA itself. This move would no doubt, make it easier for foreign governments to access data in the US, but such a move can be criticized on the ground that it would then allow all states, irrespective of their legal standards of privacy, etc. to get access to such information. This problem has been overcome in the amendment by adding a new section to Title 18 which would allow the Attorney General, with the concurrence of the Secretary of State to certify to the Congress that the legal standards in the contracting state which is being given access to the mechanism under the ECPA satisfies certain requirements specified in the chapter (and discussed below). Only after such a certification has been received by the Congress, a contracting state would be able to receive the benefits sought to be granted under the Amendment.

It is important to note that the US administration is looking to use the US-UK Agreement as a standard to be followed for similar potential agreements with a number of other countries wherein the agencies in those countries could request information from US based entities through court orders through a properly specified legal framework. Though to our knowledge India has not been formally approached by the US government to enter into such an agreement, it is important to ask the question viz. if approached:

Does India's present legal system meet the standards laid down in the amendment to the ECPA?
And if they do, should India also seek to enter into such an Agreement with the United States?
And if India does, what could be the implications for citizens and for countries in a similar position as India?

We hope to be able to answer the above three questions, or at least throw some light on them, in the conclusion of this paper by relying upon the discussions contained herein.

Criticisms of the Amendment

While such a mechanism may be very effective in addressing the needs of security agencies in investigation and prevention of criminal activities, one cannot accept such an overarching change in cross border enforcement without analyzing the consequences that such a proposal will have on the right to privacy. Some of these consequences have been highlighted by experts responding to the amendment:

Lack of Judicial Authorisation: The Amendment requires that the foreign governments have a process whereby a person could seek post-disclosure review by an independent entity instead of a warrant by a court.[5] Although a court order is not the norm for interception even in Indian law, however under American law such protection is given to data held by American companies even though the data may belong to Indian citizens and this protection will no longer be available if the Amendment is passed.

Vague Standard for requests: Under the domestic law of any state there is usually a large amount of jurisprudence regarding when search orders can be issued, such as the “probable cause” standard that is followed in the United States or similar standards that may be followed in other jurisdictions. This ensures that even when the wording of the law is not precise, which it cannot be for such a subjective issue, there is still some amount of clarity around when and under what circumstances such warrants may be issued. In contrast, the Amendment requires that the orders be based on “requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.” Although the language here may seem reasonable but in the absence of any jurisprudence backing it, it becomes very vague and susceptible to misuse. Disclosure without a Warrant: Under the current MLAT process as followed in the United States, a judge in the U.S. must issue a warrant based on probable cause in order for a U.S. company to turn over content to a foreign government. This requirement protects individuals abroad by requiring their governments to meet certain standards when seeking information held by U.S. companies. The Amendment seeks to remove this essential safeguard for a judicial warrant. The Amendment does not require requests from foreign governments to be based on a prior judicial authorization, since a large number of countries (including India) do not always require judicial orders for such orders.[6]

Allows Real Time Surveillance by Foreign Governments: American privacy rights activists have raised the concern that the Amendment would allow foreign governments to conduct ongoing surveillance by asking American companies to turn over data in real time. The requirements that the foreign governments would have to fulfill to execute such an order are less stringent than those which have to be fulfilled by the American security agencies if they want to indulge in similar activities. When the U.S. government wants to conduct real-time surveillance, it must comply with the Wiretap Act, which imposes heightened privacy protections.[7] The court orders for this purpose also require minimization of irrelevant information, are strictly time-limited, only available for certain serious crimes, etc.[8] In Indian law any such request, apart from being time limited and being available only for certain specified purposes, also has to satisfy that interception is the only reasonable option to acquire such information.

Process to determine which countries can make demands is not credible: Under the Amendment, the Attorney General and the Secretary of State, would decide whether the laws and practices of the foreign government adequately meet the standards set forth in the legislation for entering into a bilateral agreement. Their decisions would not be liable to be reviewed by a court or in any administrative procedure. They could make their determinations based on information which is not available to the public and the criteria for making the decision are vague and flexible. Further these criteria have been described as “factors” and not “requirements”[9] so that even if some of them are not satisfied, the certification process can still be completed.

Companies do not have the resources to determine if a request complies with the terms of the agreement: The Amendment does not provide any oversight to ensure that technology companies are only turning over information permitted in a specific bilateral agreement. For example, a bilateral agreement may permit disclosure of information only in response to orders that do not discriminate on the basis of religion, however, it may not be possible for the companies receiving the request to determine whether a particular request complies with that condition or not. The Amendment does not require that individual companies put in place requisite processes to weed out requests that may be non compliant with the provisions of the agreement; nor are there periodic audits to ensure that companies are properly responding to foreign government information requests.[10]

Non compliance with Human Rights Standards: Under international human rights law, governments are allowed to conduct surveillance only based on individualized and sufficient suspicion; authorized by an independent and impartial decision-maker; necessary and proportionate to achieve a legitimate aim, including by being the least intrusive means possible.[11] However the mechanism proposed by the Amendment falls woefully short of these standards.[12]

One must not lose sight of the fact that most of the criticisms of the proposal that have been discussed above have been made in the context of, and based on the standards of privacy protection that are available to American citizens. If we look at it from an Indian perspective most of those protections are not available to Indian citizens in any case since independent judicial oversight is not a sine qua non for access to information by the security agencies in India. Although the Amendment leaves open the question of how a request would be made by the foreign government to the individual Agreements, it may be safe to assume that were India to enter into such an Agreement with the United States, it would require the orders for access to comply with the standards laid down under Indian law before the relevant authorities send the request to the US based data controllers. At the least, this would ensure that the rights of Indian citizens currently guaranteed under Indian law, howsoever flawed they might be, would in all likelihood be safeguarded as per Indian law.

Certification from the Attorney General to the US Congress

In the above background if India were to enter into the agreement with the U.S Government apart from actually negotiating and signing that Agreement, the Indian government will also have to ensure (if the Amendment is passed) that the Attorney General of the United States, with the concurrence of the Secretary of State gives a certificate to the Congress that Indian law satisfies the requirements set forth in the proposed section XXXX of Title 18.

It must be kept in mind that if the negotiations between India and the United States in this regard reach such a mature stage that the certification from the Attorney General is required, then that would mean that there is enough political will on both sides to ensure that such an arrangement actually comes to fruition. In this context it would not be unfair to assume that the Attorney General may have a slight bias towards opining that Indian laws do conform to the requirements of the Amendment, as the Attorney General would want to support the decision taken by the administration, and our analysis shall have a similar bias in order to be more contextual.

The certification would, inter alia, contain the determination of the Attorney General:

That the domestic law of India affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the Indian government that will be subject to the agreement.It should be noted that the Amendment specifies various factors that should be taken into account to reach such a determination, which include whether the Indian government:

(i) has adequate substantive and procedural laws on cybercrime and electronic evidence, as demonstrated through accession to the Budapest Convention on Cybercrime, or through domestic laws that are consistent with definitions and the requirements set forth in Chapters I and II of that Convention; Although India is not a signatory to the Budapest Convention the Information Technology Act, 2000 (which is the main legislation dealing with cybercrime) has penal provisions which have borrowed heavily from the provisions of the Budapest Convention.

demonstrates respect for the rule of law and principles of nondiscrimination;

The provisions of Article 14 as well as Article 21 of the Constitution of India demonstrates that the legal regime in India is committed to the rule of law and principles of non discrimination.

adheres to applicable international human rights obligations and commitments or demonstrates respect for international universal human rights (including but not limited to protection from arbitrary and unlawful interference with privacy; fair trial rights; freedoms of expression, association and peaceful assembly; prohibitions on arbitrary arrest and detention; and prohibitions against torture and cruel, inhuman, or degrading treatment or punishment);

India is a signatory to a number of international human rights conventions and treaties, it has acceded to the International Covenant on Civil and Political Rights (ICCPR), 1966, International Covenant on Economic, Social and Cultural Rights (ICESCR), 1966, ratified the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), 1965, with certain reservations, signed the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), 1979 with certain reservations, Convention on the Rights of the Child (CRC), 1989 and signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (CAT), 1984. Further the right to life guaranteed under Article 21 of the Constitution takes within its fold a number of human rights such as the right to privacy. Freedom of expression, right to fair trial, freedom of assembly, right against arbitrary arrest and detention are all fundamental rights guaranteed under the Constitution of India.

has clear legal mandates and procedures governing those entities of the foreign government that are authorized to seek data under the executive agreement, including procedures through which those authorities collect, retain, use, and share data, and effective of oversight of these activities;

India has a number of legislations which govern the interception and request for information such as the Information Technology Act, 2000, the Indian Telegraph Act, 1885, Code of Criminal Procedure, 1973, etc. which put in place mechanisms governing the authorities and entities which can ask for information.

has sufficient mechanisms to provide accountability and appropriate transparency regarding the government’s collection and use of electronic data; and

The Right to Information Act, 2005 provides the citizens the right to access any public document unless access to the same is prohibited due to the specific exemptions provided in the Act. It may be noted here that the provisions of the Right to Information Act are often frustrated by the bureaucracy by using exceptions such as “national security”, but for the purposes of this write up we are already assuming a bias towards fulfillment of these factors/conditions and therefore as long as there is even some evidence of compliance, the conditions will be considered as fulfilled by the Attorney General for the purposes of his certificate.

demonstrates a commitment to promote and protect the global free flow of information and the open, distributed, and interconnected nature of the Internet.

The Telecom Regulatory Authority of India, which regulates telecom services in India has also issued the Prohibition of Discriminatory Tariffs for Data Services Regulations, 2016 which prohibits service providers from charging discriminatory tariffs for data services on the basis of content.

Other than Indian law, the certificate from the Attorney General will also have to certify certain issues which would have to be addressed in the bilateral agreement itself, viz.:

That the Indian government has adopted appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement.
That the agreement requires the following with respect to orders subject to the agreement:

(i) The Indian government may not intentionally target a United States person or a person located in the United States, and must adopt targeting procedures designed to meet this requirement;

(ii) The Indian government may not target a non–United States person located outside the United States if the purpose is to obtain information concerning a United States person or a person located in the United States;

(iii) The Indian government may not issue an order at the request of or to obtain information to provide to the United States government or a third-party government, nor shall the Indian government be required to share any information produced with the United States government or a third-party government;

(iv) Orders issued by the Indian government must be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism;

(v) Orders issued by the Indian government must identify a specific person, account, address, or personal device, or any other specific identifier as the object of the Order;

(vi) Orders issued by the Indian government must be in compliance with the domestic laws of India, and any obligation for a provider of an electronic communications service or a remote computing service to produce data shall derive solely from Indian law;

(vii) Orders issued by the Indian government must be based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation;

(viii) Orders issued by the Indian government must be subject to review or oversight by a court, judge, magistrate, or other independent authority;

(ix) Orders issued by the Indian government for the interception of wire or electronic communications, and any extensions thereof, must be for a fixed, limited duration; interception may last no longer than is reasonably necessary to accomplish the approved purposes of the order; and orders may only be issued where that same information could not reasonably be obtained by another less intrusive method;

(x) Orders issued by the Indian government may not be used to infringe freedom of speech;

(xi) The Indian government must promptly review all material collected pursuant to the agreement and store any unreviewed communications on a secure system accessible only to those trained in applicable procedures;

(xii) The Indian government must segregate, seal, or delete, and not disseminate material found not to be information that is, or is necessary to understand or assess the importance of information that is, relevant to the prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or seriously bodily harm to any person;

(xiii) The Indian government may not disseminate the content of a communication of a U.S. person to U.S. authorities unless the communication (a) may be disseminated pursuant to Section 4(a)(3)(xii) and (b) relates to significant harm, or the threat thereof, to the United States or U.S. persons, including but not limited to crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud;

(xiv) The Indian government must afford reciprocal rights of data access to the United States government;

(xv) The Indian government must agree to periodic review of its compliance with the terms of the agreement by the United States government; and

(xvi) The United States government must reserve the right to render the agreement inapplicable as to any order for which it concludes the agreement may not properly be invoked.

Conclusion

It is clear from the discussion above that the proposed Amendment is a controversial piece of legislation which will affect the way law enforcement is carried out in the internet. While there is no doubt that proposing an alternate mechanism to the existing inefficient MLAT structure is definitely the need of the hour, whether the mechanism proposed in the proposed Amendment, with all the negative implications on privacy, is the right way forward is far from certain.

As for the three questions that we had sought out to answer in the beginning of this paper, we would not like to say that Indian law definitely conforms to all the requirements listed in the Amendments, but it can safely be said that it appears that if the governments of India and the United States so wish, it would not be difficult for the Attorney General of the United States to be able to give a certification to the Congress as required in the proposed Amendment.

The other two questions as to whether India should try to opt for such an arrangement if given a chance and what would be the consequence for its people are somewhat related, in the sense that it is only by examining the consequences on its citizens that we will arrive at an answer as to whether India should opt for such an arrangement or not. The level of protections offered to Indian citizens under India law in terms of protection of their private data from government surveillance is lower than that which is offered to American citizens under American law. The growing influence of the internet is changing the citizen-state dynamic giving rise to increasing incidents where the government has to approach private actors for permission in order to carry out their governmental functions of providing security. This is because more and more private data of individual citizens is being uploaded on to the internet and controlled by private actors such as telecom companies, social media sites, etc. and the governments have to approach these private actors in case they want access to this information. The fact that the government has to approach private actors to get access to data gives private citizens some leverage to ask for better privacy protections in the context of state surveillance.

Although this proposed Amendment may not affect the local surveillance laws in India, however it would definitely have an effect on the way that citizens’ data is protected and accessed by the government.

[1] Explanation by the Assistant Attorney General attached to the proposed Amendment.

[2] https://www.justsecurity.org/24145/u-s-u-k-data-sharing-treaty/

[3] https://www.justsecurity.org/24145/u-s-u-k-data-sharing-treaty/

[4] http://spicyip.com/2012/04/clash-of-courts-indian-district-court.html

[5] https://www.justsecurity.org/32529/foreign-governments-tech-companies-data-response-jennifer-daskal-andrew-woods/

[6] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[7] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[8] https://www.justsecurity.org/32529/foreign-governments-tech-companies-data-response-jennifer-daskal-andrew-woods/

[9] https://www.justsecurity.org/32529/foreign-governments-tech-companies-data-response-jennifer-daskal-andrew-woods/

[10] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[11] International Covenant on Civil and Political Rights, art. 17, Dec. 19, 1966, U.N.T.S 999, cf. https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[12] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

For more details visit https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act

New regulations in place; Aadhaar Card records to be preserved for 7 yrs by Centre

praskrishna — 2016-10-17T14:46:31Z

UIDAI chief executive office ABP Pandey said that the concerns regarding Aadhar card-related benefits were "exaggerated" and that the agency will keep the records in case any disputes arise in the future.

The article was published in the Financial Express on October 17, 2016. Sunil Abraham was quoted.

As per new regulations, the government will now keep a record for seven years of all services and benefits that are availed using Aadhaar number. Fearing that the database might be used for surveillance, the Unique Identification Authority of India (UIDAI) will preserve the records.

UIDAI chief executive office ABP Pandey said that the concerns regarding Aadhar card-related benefits were “exaggerated” and that the agency will keep the records in case any disputes arise in the future.

Pandey added that the information will be available online for two years and shall be shifted to the offline archives for the next five years. In that case, users will be able to check the records only for two years. However, the rules won’t apply for security agencies and that they will need a district judge’s permission to access the data.

According to HT, the rules allow designated joint secretary-level officers at the Centre to order access to information on the grounds of national security.

Talking about this Sunil Abraham, director of the Bengaluru-based think tank, Centre for Internet and Society said that once Aadhar becomes mandatory, it can be misused to conduct a 360-degree surveillance on any person.

Every time a person fingerprints and quotes the Aadhaar number, the agency concerned sends the data to UIDAI to crosscheck the particulars.
The UIDAI authenticates about five million Aadhaar numbers, which are quoted to avail LPG subsidy, cheap ration and even passport, a day against a capacity to verify 100 million requests daily, reports HT.

Meanwhile, The Unique Identification Authority of India (UIDAI) has launched a drive to enrol any leftover population for Aadhaar in 22 states and UTs that have “statistically” hit 100 per cent coverage for adults.

The ‘Challenge drive’ starts from October 15 for a month, a UIDAI statement said, adding that as of today, over 106.69 crore Aadhaar numbers have been generated across the country.

For more details visit https://cis-india.org/internet-governance/news/financial-express-october-17-2016-new-regulations-in-place-aadhaar-card-records-to-be-preserved-for-7-yrs-by-centre

Govt to keep Aadhaar record for 7 years, activists worried

praskrishna — 2016-10-17T01:53:24Z

The government will keep for seven years a record of all the services and benefits availed using the Aadhaar number, say new rules, prompting fears that the database could be used for surveillance.

The article by Aloke Tikku was published in the Hindustan Times on October 17, 2016. Sunil Abraham was quoted.

The Unique Identification Authority of India (UIDAI), which issues the 12-digit biometric identity to all Indian residents, will be required to preserve its record of verification of an Aadhaar number for the duration.

“This is an unprecedented centralised data retention provision,” said Sunil Abraham, director of the Bengaluru-based think tank, Centre for Internet and Society.

UIDAI chief executive officer ABP Pandey said the concerns were exaggerated. The agency was keeping records in case a dispute arose over a transaction.

The information will be retained online for two years and another five years in the offline archives, say the rules notified in September.

Users will be able to check the records but only for two years.

This restriction won’t apply to security agencies. Pandey, however, said the records would not be available to them without a district judge’s permission.

But, HT found that the rules allow designated joint secretary-level officers at the Centre to order access to information on the grounds of national security.

“Once Aadhaar becomes mandatory for all services, it can be used by benign and malignant actors to conduct a 360-degree surveillance on any individual,” Abraham said.

This is how the system, which will need millions of fingerprint-reading machines, works.

Every time a person fingerprints and quotes the Aadhaar number, the agency concerned sends the data to UIDAI to crosscheck the particulars.

The UIDAI authenticates about five million Aadhaar numbers, which are quoted to avail LPG subsidy, cheap ration and even passport, a day against a capacity to verify 100 million requests daily.

“You can think of it as Natgrid Plus,” Abraham said, a reference to the National Intelligence Grid being built by the government.

A one-stop database for counter-terrorism agencies, Natgrid will collate information real time from databases of various agencies such as bank, rail and airline networks.

“…we do not record the purpose for which an authentication request was received but only the details of the agency that sent it,” UIDAI’s Pandey said.

But seven years is a long time. Only a select category of government files are kept for longer than five years.

Asked about two-year deadline for users, Pandey said it would have been a logistic nightmare to let people access the records once the information was offline.

The Supreme Court has a ruled that Aadhaar is not a must for availing welfare schemes and is to decide if collecting biometric data for the 12-digit number infringed an individual’s privacy.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-october-17-2016-govt-to-keep-aadhaar-record-for-seven-years-activitsts-worried