We are anonymous, we are legion

ISO/IEC/ JTC 1/SC 27 Working Groups Meeting, Jaipur

vanya — 2015-12-21T02:38:46Z

I attended this event held from October 26 to 30, 2015 in Jaipur.

The Bureau of Indian Standards (BIS) in collaboration with Data Security Council of India (DSCI) hosted the global standards’ meeting – ISO/IEC/ JTC 1/SC 27 Working Groups Meeting in Jaipur, Rajasthan at Hotel Marriott from 26th to 30th of October, 2015, followed by a half day conference on Friday, 30th October on the importance of Standards in the domain. The event witnessed experts from across the globe deliberating on forging international standards on Privacy, Security and Risk management in IoT, Cloud Computing and many other contemporary technologies, along with updating existing standards. Under SC 27, 5 working groups parallely held the meetings on varied Projects and Study periods respectively. The 5 Working Groups are as follows:

WG1: Information Security Management Systems;
WG 2 :Cryptography and Security Mechanisms;
WG 3 : Security Evaluation, Testing and Specification;
WG 4 : Security Controls and Services; and
WG 5 :Identity Management and Privacy technologies; competence of security management

This key set of Working Groups (WG)met in India for the first time. Professionals discussed and debated development of standards under each working group to develop international standards to address issues regarding security, identity management and privacy.

CIS had the opportunity to attend meetings under Working Group 5. This group further had parallel meetings on several topics namely:

Privacy enhancing data de-identification techniques ISO/IEC NWIP 20889 : Data de-identification techniques are important when it comes to PII to enable the exploitation of the benefits of data processing while maintaining compliance with regulatory requirements and the relevant ISO/IEC 29100 privacy principles. The selection, design, use and assessment of these techniques need to be performed appropriately in order to effectively address the risks of re-identification in a given context. There is thus a need to classify known de-identification techniques using standardized terminology, and to describe their characteristics, including the underlying technologies, the applicability of each technique to reducing the risk of re-identification, and the usability of the de-identified data. This is the main goal of this International Standard. Meetings were conducted to resolve comments sent by organisations across the world, review draft documents and agree on next steps.
A study period on Privacy Engineering framework : This session deliberated upon contributions, terms of reference and discuss the scope for the emerging field of privacy engineering framework. The session also reviewed important terms to be included in the standard and identify possible improvements to existing privacy impact assessment and management standards. It was identified that the goal of this standard is to integrate privacy into systems as part of the systems engineering process. Another concern raised was that the framework must be consistent with Privacy framework under ISO 29100 and HL7 Privacy and security standards.
A study period on user friendly online privacy notice and consent: The basic purpose of this New Work Item Proposal is to assess the viability of producing a guideline for PII Controllers on providing easy to understand notices and consent procedures to PII Principals within WG5. At the Meeting, a brief overview of the contributions received was given,along with assessment of liaison to ISO/IEC JTC 1/SC 35 and other entities. This International Standard gives guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from PII principals online and is applicable to all situations where a PII controller or any other entity processing PII informs PII principals in any online context.
Some of the other sessions under Working Group 5 were on Privacy Impact Assessment ISO/IEC 29134, Standardization in the area of Biometrics and Biometric information protection, Code of Practise for the protection of personally identifiable information, Study period on User friendly online privacy notice and consent, etc.

ISO/IEC/JTC 1/ SC27 is a joint technical committee of the international standards bodies – ISO and IEC on Information Technology security techniques which conducts regular meetings across the world. JTC 1 has over 2600 published standards developed under the broad umbrella of the committee and its 20 subcommittees. Draft International Standards adopted by the joint technical committees are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote in favour of the same. In India, the Bureau of Indian Standards (BIS) is the National Standards Body. Standards are formulated keeping in view national priorities, industrial development, technical needs, export promotion, health, safety etc. and are harmonized with ISO/IEC standards (wherever they exist) to the extent possible, in order to facilitate adoption of ISO/IEC standards by all segments of industry and business.BIS has been actively participating in the Technical Committee work of ISO/IEC and is currently a Participating member in 417 and 74 Technical Committees/ Subcommittees and Observer member in 248 and 79 Technical Committees/Subcommittees of ISO and IEC respectively. BIS holds Secretarial responsibilities of 2 Technical Committees and 6 Subcommittees of ISO.

The last meeting was held in the month of May, 2015 in Malaysia, followed by this meeting in October, 2015 Jaipur. 51 countries play an active role as the ‘Participating Members, India being one, while a few countries as observing members. As a part of these sessions, the participating countries also have rights to vote in all official ballots related to standards. The representatives of the country work on the preparation and development of the International Standards and provide feedback to their national organizations.

There was an additional study group meeting on IoT to discuss comments on the previous drafts, suggest changes , review responses and identify standard gaps in SC 27.

On October 30, 2015 BIS-DSCI hosted a half day International conference on 30 October, 2015 on Cyber Security and Privacy Standards, comprising of keynotes and panel discussions, bringing together national and international experts to share experience and exchange views on cyber security techniques and protection of data and privacy in international standards, and their growing importance in their society. The conference looked at various themes like the Role of standards in smart cities, Responding to the Challenges of Investigating Cyber Crimes through Standards, etc. It was emphasised that due to an increasing digital world, there is a universal agreement for the need of cyber security as the infrastructure is globally connected, the cyber threats are also distributed as they are not restricted by the geographical boundaries. Hence, the need for technical and policy solutions, along with standards was highlighted for future protection of the digital world which is now deeply embedded in life, businesses and the government. Standards will help in setting crucial infrastructure for in data security and build associated infrastructure on these lines.

The importance of standards was highlighted in context of smart cities wherein the need for standards was discussed by experts. Harmonization of regulations with standards must be looked at, by primarily creating standards which could be referred to by the regulators. Broadly, the challenges faced by smart cities are data security, privacy and digital resilience of the infrastructure. It was suggested that in the beginning, these areas must be looked at for development of standards in smart cities. Also, the ISO/IEC has a Working Group and a Strategic Group focussing on Smart Cities. The risks of digitisation, network, identity management, etc. must be looked at to create the standards.

The next meeting has been scheduled for April 2016 in Tampa (USA).

This meeting was a good opportunity to interact with experts from various parts of the World and understand the working of ISO Meetings which are held twice/thrice every year. The Centre for Internet and Society will be continuing work and becoming involved in the standard setting process at the future Working group meetings.

For more details visit https://cis-india.org/internet-governance/blog/iso-iec-jtc-1-sc-27-working-groups-meeting-jaipur

Porn. Panic. Ban: A Conversation on Sexual Expression, Pornography, Sexual Exploitation, Consent

praskrishna — 2015-11-29T07:36:58Z

Point of View and the Internet Democracy Project organized a conference to hold and facilitate an informed conversation on sexual expression, pornography, sexual exploitation and consent. Rohini Lakshané was a speaker. Tanveer Hasan also attended this conference held in New Delhi from October 28 to 30, 2015.

The conference was a first attempt to have an in-depth civil society conversation - among activists, lawyers, researchers working on either gender, sexuality or internet rights, or at their intersections. For more information on the event visit the Internet & Democracy website. Rohini presented her research on online amateur pornography and consent.

For more details visit https://cis-india.org/internet-governance/news/porn-panic-ban-a-conversation-on-sexual-expression-pornography-sexual-exploitation-consent

How India Regulates Encryption

Pranesh Prakash & Japreet Grewal — 2016-07-23T13:24:58Z

Governments across the globe have been arguing for the need to regulate the use of encryption for law enforcement and national security purposes. Various means of regulation such as backdoors, weak encryption standards and key escrows have been widely employed which has left the information of online users vulnerable not only to uncontrolled access by governments but also to cyber-criminals. The Indian regulatory space has not been untouched by this practice and constitutes laws and policies to control encryption. The regulatory requirements in relation to the use of encryption are fragmented across legislations such as the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) and several sector-specific regulations. The regulatory framework is designed to either limit encryption or gain access to the means of decryption or decrypted information.

Limiting encryption

The IT Act does not prescribe the level or type of encryption to be used by online users. Under Section 84A, it grants the Government the authority to prescribe modes and methods of encryption. The Government has not issued any rules in exercise of these powers so far but had released a draft encryption policy on September 21, 2015. Under the draft policy, only those encryption algorithms and key sizes were permitted to be used as were to be notified by the Government. The draft policy was withdrawn due to widespread criticism of various requirements under the policy of which retention of unencrypted user information for 90 days and mandatory registration of all encryption products offered in the country were noteworthy.

The Internet Service Providers License Agreement (ISP License), entered between the Department of Telecommunication (DoT) and an Internet Service Provider (ISP) to provide internet services (i.e. internet access and internet telephony services), permits the use of encryption up to 40 bit key length in the symmetric algorithms or its equivalent in others.[1] The restriction applies not only to the ISPs but also to individuals, groups and organisations that use encryption. In the event an individual, group or organisation decides to deploy encryption that is higher than 40 bits, prior permission from the DoT must be obtained and the decryption key must be deposited with the DoT. There are, however no parameters laid down for use of the decryption key by the Government. Several issues arise in relation enforcement of these license conditions.

While this requirement is applicable to all individuals, groups and organisations using encryption it is difficult to enforce it as the ISP License only binds DoT and the ISP and cannot be enforced against third parties.
Further, a 40 bit symmetric key length is considered to be an extremely weak standard[2] and is inadequate for protection of data stored or communicated online. Various sector-specific regulations that are already in place in India prescribe encryption of more than 40 bits.

The Reserve Bank of India has issued guidelines for Internet banking^{^[3]} where it prescribes 128-bit as the minimum level of encryption and acknowledges that constant advances in computer hardware and cryptanalysis may induce use of larger key lengths. The Securities and Exchange Board of India also prescribes[4] a 64-bit/128-bit encryption for standard network security and use of secured socket layer security preferably with 128-bit encryption, for securities trading over a mobile phone or a wireless application platform. Further, under Rule 19 (2) of the Information Technology (Certifying Authorities) Rules, 2000 (CA Rules), the Government has prescribed security guidelines for management and implementation of information technology security of the certifying authorities. Under these guidelines, the Government has suggested the use of suitable security software or even encryption software to protect sensitive information and devices that are used to transmit or store sensitive information such as routers, switches, network devices and computers (also called information assets). The guidelines acknowledge the need to use internationally proven encryption techniques to encrypt stored passwords such as PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard or PKCS#7 Cryptographic Message Syntax Standard as mentioned under Rule 6 of the CA Rules. These encryption algorithms are very strong and secure as compared to a 40 bit encryption key standard.
The ISP License also contains a clause which provides that use of any hardware or software that may render the network security vulnerable would be considered a violation of the license conditions.[5] Network security may be compromised by using a weak security measure such as the 40 bit encryption or its equivalent prescribed by the DoT but the liability will be imputed to the ISP. As a result, an ISP which is merely complying with the license conditions by employing not more than a 40 bit encryption may be liable for what appears to be contradictory license conditions.
It is noteworthy that the restriction on the key size under the ISP License has not been imported to the Unified Service License Agreement (UL Agreement) that has been formulated by the DoT. The UL Agreement does not prescribe a specific level of encryption to be used for provision of services. Clause 37.5 of the UL Agreement however makes it clear that use of encryption will be governed by the provisions of the IT Act. As noted earlier, the Government has not specified any limit to level and type of encryption under the IT Act however it had released a draft encryption policy that has been suspended due to widespread criticism of its mandate.

The Telecom Licenses (ISP License, UL Agreement, and Unified Access Service License) prohibit the use of bulk encryption by the service providers but they continue to remain responsible for maintaining privacy of communication and preventing unauthorized interception.

Gaining access to means of decryption or decrypted information

Besides restrictions on the level of encryption, the ISP License and the UL Agreement make it mandatory for the service providers including ISPs to provide to the DoT all details of the technology that is employed for operations and furnish all documentary details like concerned literature, drawings, installation materials and tools and testing instruments relating to the system intended to be used for operations as and when required by the DoT.[6] While these license conditions do not expressly lay down that access to means of decryption must be given to the government the language is sufficiently broad to include gaining such access as well. Further, ISPs are required to take prior approval of the DoT for installation of any equipment or execution of any project in areas which are sensitive from security point of view. The ISPs are in fact subject to and further required to facilitate continuous monitoring by the DoT. These obligations ensure that the Government has complete access to and control over the infrastructure for providing internet services which includes any installation or equipment required for the purpose of encryption and decryption.

The Government has also been granted the power to gain access to means of decryption or simply, decrypted information under Section 69 of the IT Act and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

A decryption order usually entails a direction to a decryption key holder to disclose a decryption key, allow access to or facilitate conversion of encrypted information and must contain reasons for such direction. In fact, Rule 8 of the Decryption Rules makes it mandatory for the authority to consider other alternatives to acquire the necessary information before issuing a decryption order.
The Secretary in the Ministry of Home Affairs or the Secretary in charge of the Home Department in a state or union territory is authorised to issue an order of decryption in the interest of sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states or public order or preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence. It is useful to note that this provision was amended in 2009 to expand the grounds on which a direction for decryption can be passed. Post 2009, the Government can issue a decryption order for investigation of any offence. In the absence of any specific process laid down for collection of digital evidence do we follow the procedure under the criminal law or is it necessary that we draw a distinction between the investigation process in the digital and the physical environment and see if adequate safeguards exist to check the abuse of investigatory powers of the police herein.
The orders for decryption must be examined by a review committee constituted under Rule 419A of the Indian Telegraph Rules, 1951 to ensure compliance with the provisions under the IT Act. The review committee is required to convene atleast once in two months for this purpose. However, we have been informed in a response by the Department of Electronics and Information Technology to an RTI dated April 21, 2015 filed by our organisation that since the constitution of the review committee has met only once in January 2013.

Conclusion

While studying a regulatory framework for encryption it is necessary that we identify the lens through which encryption is looked at i.e. whether encryption is considered as a means of information security or a threat to national security. As noted earlier, the encryption mandates for banking systems and certifying authorities in India are contradictory to those under the telecom licenses and the Decryption Rules. Would it help to analyse whether the prevailing scepticism of the Government is well founded against the need to have strong encryption? It would be useful to survey the statistics of cyber incidents where strong encryption was employed as well as look at instances that reflect on whether strong encryption has made it difficult for law enforcement agencies to prevent or resolve crimes. It would also help to record cyber incidents that have resulted from vulnerabilities such as backdoors or key escrows deliberately introduced by law. These statistics would certainly clear the air about the role of encryption in securing cyberspace and facilitate appropriate regulation.

[1] Clause 2.2 (vii) of the ISP License

[2] Schneier, Bruce (1996). Applied Cryptography (Second ed.). John Wiley & Sons

[3] Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds- Implementation of recommendations, 2011

[4] Report on Internet Based Trading by the SEBI Committee on Internet based Trading and Services, 2000; It is useful to note that subsequently SEBI had acknowledged that the level of encryption would be governed by DoT policy in a SEBI circular no CIR/MRD/DP/25/2010 dated August 27, 2010 on Securities Trading using Wireless Technology

[5] Clause 34.25 of the ISP License

[6] Clauses 22 and 23 of Part IV of the ISP License

For more details visit https://cis-india.org/internet-governance/blog/how-india-regulates-encryption

Net advocacy body probing linkages between telcos and Facebook’s auto-play video option

praskrishna — 2015-10-29T00:53:55Z

Centre for Internet and Society (CIS), India’s leading internet advocacy body, which has often been critical of Facebook’s Internet.org — now called Free Basics — initiative, has said that it is looking into the possibility of Facebook helping telecom companies through its auto-play video option.

The article by Prabhu Mallikarjunan was published in the Financial Express on October 28, 2015. Sunil Abraham gave inputs.

In an interaction with FE on Tuesday, Sunil Abraham, executive director of The Centre for Internet and Society, said CIS will inititiate research on the notion that the new video option will result in 50% increase in data billing for the telecom companies. It will also look into whether this, in turn, will encourage the telecom companies to be on the Internet.org platform.

This initiative from CIS comes on the eve of Facebook founder Mark Zuckerberg’s visit to India on Wednesday, where he will address a gathering at IIT, Delhi. Facebook has been trying to hard sell the Free Basics concept at a time when the Indian government is looking to work closely with the internet major to push the Digital India initiative. “The company (Facebook) has done some good things, and also done some not so good things. The good thing is that, they have changed the name of the application and called it Free Basics. Also, they have re-enabled https and have published “the technical requirements document, through which they have eliminated the exclusivity arm both on the telco end and for OTT (Over the top) players,” Abraham said.

“How does FB gain from making the videos autoplay. It doesn’t gain. Why should the telcos be made happy? We are looking into this theory of whether auto-play video option will result in 50% increase in data billing for the telecom companies,” Abraham said.

For more details visit https://cis-india.org/internet-governance/news/financial-express-prabhu-mallikarjunan-october-28-2015-net-advocacy-body-probing-linkages-between-telcos-and-facebooks-auto-play-video-option

Connected Trouble

sunil — 2015-10-28T16:47:58Z

The internet of things phenomenon is based on a paradigm shift from thinking of the internet merely as a means to connect individuals, corporations and other institutions to an internet where all devices in (insulin pumps and pacemakers), on (wearable technology) and around (domestic appliances and vehicles) humans beings are connected.

The guest column was published in the Week, issue dated November 1, 2015.

Proponents of IoT are clear that the network effects, efficiency gains, and scientific and technological progress unlocked would be unprecedented, much like the internet itself.

Privacy and security are two sides of the same coin―you cannot have one without the other. The age of IoT is going to be less secure thanks to big data. Globally accepted privacy principles articulated in privacy and data protection laws across the world are in conflict with the big data ideology. As a consequence, the age of internet of things is going to be less stable, secure and resilient. Three privacy principles are violated by most IoT products and services.

Data minimisation

According to this privacy principle, the less the personal information about the data subject that is collected and stored by the data controller, the more the data subject's right to privacy is protected. But, big data by definition requires more volume, more variety and more velocity and IoT products usually collect a lot of data, thereby multiplying risk.

Purpose limitation

This privacy principle is a consequence of the data minimisation principle. If only the bare minimum of personal information is collected, then it can only be put to a limited number of uses. But, going beyond that would harm the data subject. IoT innovators and entrepreneurs are trying to rapidly increase features, efficiency gains and convenience. Therefore, they don't know what future purposes their technology will be put to tomorrow and, again by definition, resist the principle of purpose limitation.

Privacy by design

Data protection regulation required that products and services be secure and protect privacy by design and not as a superficial afterthought. IoT products are increasingly being built by startups that are disrupting markets and taking down large technology incumbents. The trouble, however, is that most of these startups do not have sufficient internal security expertise and in their tearing hurry to take products to the market, many IoT products may not be comprehensively tested or audited from a privacy perspective.

There are other cyber security principles and internet design principles that are disregarded by the IoT phenomenon, further compromising security and privacy of users.

Centralisation

Most of the network effects that IoT products contribute to require centralisation of data collected from users and their devices. For instance, if users of a wearable physical activity tracker would like to use gamification to keep each other motivated during exercise, the vendor of that device has to collect and store information about all its users. Since some users always wear them, they become highly granular stores of data that can also be used to inflict privacy harms.

Decentralisation was a key design principle when the internet was first built. The argument was that you can never take down a decentralised network by bombing any of the nodes. Unfortunately, because of the rise of internet monopolies like Google, the age of cloud computing, and the success of social media giants, the internet is increasingly becoming centralised and, therefore, is much more fragile than it used be. IoT is going to make this worse.

Complexity

The more complex a particular technology is, the more fragile and vulnerable it is. This is not necessarily true but is usually the case given that more complex technology needs more quality control, more testing and more fixes. IoT technology raises complexity exponentially because the devices that are being connected are complex themselves and were not originally engineered to be connected to the internet. The networks they constitute are nothing like the internet which till now consisted of clients, web servers, chat servers, file servers and database servers, usually quite removed from the physical world. Compromised IoT devices, on the other hand, could be used to inflict direct harm on life and property.

Death of the air gap

The things that will be connected to the internet were previously separated from the internet through the means of an air gap. This kept them secure but also less useful and usable. In other words, the very act of connecting devices that were previously unconnected will expose them to a range of attacks. Security and privacy related laws, standards, audits and enforcement measures are the best way to address these potential pitfalls. Governments, privacy commissioners and data protections authorities across the world need to act so that the privacy of people and the security of our information society are protected.

For more details visit https://cis-india.org/internet-governance/blog/the-week-november-1-2015-sunil-abraham-connected-trouble

Encryption and Anonymity: Rights and Risks

praskrishna — 2015-10-27T02:37:45Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. ARTICLE 19 and Privacy International are organizing a workshop on Encryption and Anonymity on November 12, 2015. Pranesh Prakash is a speaker.

This was published on the IGF website.

Encryption and anonymity are two key aspects of the right to privacy and free expression online. From real-name registration in Iran to the UK Prime Minister's calls for Internet backdoors to encrypted communications, however, the protection of encrypted and anonymous speech is increasingly under threat. Recognising these challenges, the UN Special Rapporteur on freedom of expression, David Kaye, presented a report to the Human Rights Council in June 2015 which highlighted the need for greater protection of encryption and anonymity.

Five months on from the Special Rapporteur’s report, the participants in this roundtable will discuss his recommendations and the latest challenges to the protection of anonymity and encryption. For example, how can law enforcement demands be met while ensuring that individuals still enjoy strong encryption and unfettered access to anonymity tools? What steps should governments, civil society, individuals and the private sector take to avoid the legal and technological fragmentation of a tool now vital to expression and communication? How can individuals protect themselves from mass surveillance in the digital age?

At the end of the session, the participants should have identified areas for future advocacy both at the international and domestic levels as well as areas for further research for the protection of anonymity and encryption on the Internet.

Agenda

Moderator welcomes speakers and audience.
Outline of key issues on encryption and anonymity, including summary of the UN Special Rapporteur's report.
Each speaker speaks for 5-7 mins, giving their perspective re the issues.
Questions from participants, including remote participation via Twitter.
Conclusion and steps for further action.

About IGF 2015

Internet Governance Forum (IGF) is a multistakeholder, democratic and transparent forum which facilitates discussions on public policy issues related to key elements of Internet governance. IGF provides enabling platform for discussions among all stakeholders in the Internet governance ecosystem, including all entities accredited by the World Summit on the Information Society (WSIS), as well as other institutions and individuals with proven expertise and experience in all matters related to Internet governance.

After consulting the wider Internet community and discussing the overarching theme of the 2015 IGF meeting, the Multistakeholder Advisory Group decided to retain the title “Evolution of Internet Governance: Empowering Sustainable Development”. This theme will be supported by eight sub-themes that will frame the discussions at the João Pessoa meeting.

For more details visit https://cis-india.org/internet-governance/news/encryption-and-anonymity-rights-and-risks

The Social Role of the Communications and the Strengthening of the Freedom of Expression Panel - "Cultural Diversity and Freedom of Expression"

praskrishna — 2015-10-27T01:48:04Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. The Ministry of Culture and the Ministry of Communications of Brazil is organizing a panel on Cultural Diversity and Freedom of Expression on November 9, 2015, from 6.30 p.m. to 8.30 p.m., in the Sala de Concerto Maestro Jose Siqueria, located in the city of Jao Pessoa, Brazil. Sunil Abraham will be a panelist.

The experience of Internet as a global network has generated paradoxes in relation to the nationally established values and those practiced by companies providers of applications. In general, the challenge lies in fundamental civil rights balance such as freedom of expression and the personality's rights.

Although the 2005 UNESCO Convention on the Protection and Promotion of the Diversity of Cultural Expressions enables the countries to adopt national policies directed to the protection of their cultural diversity, terms of use and codes of conduct are globally uniform and establish common rules to users around the world, which may affect cultural diversity.

In order to address these issues the Ministry of Culture and the Ministry of Communications, Brazil are organizing this event at IGF 2015.

About IGF 2015

For more details visit https://cis-india.org/internet-governance/news/the-social-role-of-the-communications-and-the-strengthening-of-the-freedom-of-expression-panel-cultural-diversity-and-freedom-of-expression

The rise and rise of slacktivism

praskrishna — 2015-10-25T14:49:58Z

Can we change the world with the click of a mouse? Or is it just another feel-good phenomenon? The writer explores the growing penchant for online petitions and desktop activism.

The article by Divya Gandhi was published in the Hindu on October 3, 2015. Pranesh Prakash was quoted.

“I am a female journalist and Kumudam’s history of objectifying and judging women sickens me,” writes reporter Kavitha Muralidharan in a no-holds-barred petition on change.org. Tamil magazine Kumudam, which last week published pictures of women in leggings describing them as “vulgar”, must apologise, she said. The apology didn’t come, but on last count the letter to Kumudam’s editor had galvanised over 20,000 signatures and, at least in part, the petition’s aim — to flag sexism in the media — had been met.

Online activism forums such as change.org, jhatkaa.org, avaaz.org or bitgiving.com have turned the Net into a vibrant space for debate, influencing public opinion and, to varying degrees, catalysing change.

Slacktivism — if we must call it that — has existed a while and cannot be dismissed, says Policy Director at the Centre for Internet and Society, Pranesh Prakash. “We can’t underestimate the power of the collective, the power of the word in influencing public opinion and policy.”

Take, for instance, the three-minute ‘Kodaikanal Won’t’ video promoted by Jhatkaa where artist Sofia Ashraf raps about Unilever’s flouting of environmental and safety norms at its thermometer unit in Kodaikanal. The video was watched over 3,00,000 times in its first 48 hours, and a parallel online petition, which asks the company to clean up its “toxic mess” got 91,054 signatures.

No, Unilever has not formally committed to ‘clean up its mess’ yet but what the campaign did was to create public pressure on the company to engage with the mainstream media, says Nityanand Jayaram, an environmental activist who has worked on the Kodaikanal case since 2001. “We had 14 years of invisible hard work behind us. That shroud of invisibility was removed with one social media campaign.”

“Most petitions I can think of have been accompanied by actions on the ground as well,” says Kavita Krishnan, Secretary, All India Progressive Women’s Association. “For instance, if an online petition that says arrest those threatening John Dayal gets 6,000 signatures in 48 hours, these are 6,000 people across the country. I cannot collect them on a Delhi street within 48 hours. It is not that these people would not join a demonstration if they could, but there is no real difference between their having attended a demonstration and their having signed that petition. There are other issues for which you need sustained action or quiet, behind-the-scenes work, but in terms of protests, I think online petitions are very effective.”

How do the views and shares and signatures turn into yardsticks to measure the success of a campaign? In the case of BitGiving, virality translates into crowdfunding. Among its success stories, it counts a campaign to help send India’s ice hockey team, which got no government support, to the Ice Hockey Championship Cup of Asia this year. The campaign came alive on social media, was highlighted in mainstream media, captured the interest of several high-profile funders, and managed to raise more money than the team needed for training, accommodation, airfare and equipment. Jhatkaa measures its campaigns by various criteria, says Deepa Gupta, Executive Director. “We track outcome, the number of people impacted… and we track media coverage.”

A quick scroll down some of these sites reflects the staggering range of subjects that has captured the urban imagination — from OROP to hyper-local issues (garbage in Bengaluru) or animal rights (the culling of stray dogs in Kerala). Just this past week on change.org, “#Khans4Kisaans” shouted out to Shah Rukh, Salman and Aamir to “help the farmers dying in Bollywood’s backyard”; another called for the declassification of Netaji-related files; and a third protested the ban on beef.

So are these forums then turning the apathetic urbanite into a political animal, someone who takes a stance? “Yes and no,” says Prakash. “It really is about how much people get involved in the issue. Often we have citizen groups that form around issues offline, and we have seen very real action on the ground, say, cleaning a lake or even getting a road repaired.”

Gupta says that Jhatkaa’s baseline assumption is not that Indians are apolitical, but that there aren’t enough meaningful ways for them to participate in our democracy outside of elections. “As individuals who aren’t issue experts, many citizens feel powerless when it comes to affecting change on the issues that they care most about.”

She was perplexed, she says, at how difficult it can be for citizens to meaningfully engage with government institutions or corporations in a way that they are heard. “I knew the only way to build a nation-wide constituency of citizens who could take collective action would be if we mobilised people with the help of modern communications and social media.”

Ghousiya Sultana, a PhD student, agrees. She has signed several online petitions and believes that she is, in some small way, making a difference. “I want to feel like I fought a good fight.” On the other hand, corporate executive Anant Kumar says he doesn’t believe in this trend. He is concerned about transparency, how his donation might be used or misused, and he does not see how a letter with a few thousand signatures can have much of a bearing on issues.

But, as Krishnan says, “An online petition doesn’t work like an on-off switch that resolves an issue immediately. It is about whether you successfully shamed them in public. It is about sparking a dialogue.”

With inputs from Zara Khan

For more details visit https://cis-india.org/internet-governance/news/hindu-october-3-2015-divya-gandhi-the-rise-and-rise-of-slacktivism

Do we need a Unified Post Transition IANA?

Pranesh Prakash, Padmini Baruah and Jyoti Panday — 2015-10-27T00:46:37Z

As we stand at the threshold of the IANA Transition, we at CIS find that there has been little discussion on the question of how the transition will manifest. The question we wanted to raise was whether there is any merit in dividing the three IANA functions – names, numbers and protocols – given that there is no real technical stability to be gained from a unified Post Transition IANA. The analysis of this idea has been detailed below.

The Internet Architecture Board, in a submission to the NTIA in 2011 claims that splitting the IANA functions would not be desirable.[1] The IAB notes, “There exists synergy and interdependencies between the functions, and having them performed by a single operator facilitates coordination among registries, even those that are not obviously related,” and also that that the IETF makes certain policy decisions relating to names and numbers as well, and so it is useful to have a single body. But they don’t say why having a single email address for all these correspondences, rather than 3 makes any difference: Surely, what’s important is cooperation and coordination. Just as IETF, ICANN, NRO being different entities doesn’t harm the Internet, splitting the IANA function relating to each entity won’t harm the Internet either. Instead will help stability by making each community responsible for the running of its own registers, rather than a single point of failure: ICANN and/or “PTI”.

A number of commentators have supported this viewpoint in the past: Bill Manning of University of Southern California’s ISI (who has been involved in DNS operations since DNS started), Paul M. Kane (former Chairman of CENTR's Board of Directors), Jean-Jacques Subrenat (who is currently an ICG member), Association française pour le nommage Internet en coopération (AFNIC), the Internet Governance Project, InternetNZ, and the Coalition Against Domain Name Abuse (CADNA).

The Internet Governance Project stated: “IGP supports the comments of Internet NZ and Bill Manning regarding the feasibility and desirability of separating the distinct IANA functions. Structural separation is not only technically feasible, it has good governance and accountability implications. By decentralizing the functions we undermine the possibility of capture by governmental or private interests and make it more likely that policy implementations are based on consensus and cooperation.”[2]

Similarly, CADNA in its 2011 submission to NTIA notes that that in the current climate of technical innovation and the exponential expansion of the Internet community, specialisation of the IANA functions would result in them being better executed. The argument is also that delegation of the technical and administrative functions among other capable entities (such as the IETF and IAB for protocol parameters, or an international, neutral organization with understanding of address space protocols as opposed to RIRs) determined by the IETF is capable of managing this function would ensure accountability in Internet operation. Given that the IANA functions are mainly registry-maintenance function, they can to a large extent be automated. However, a single system of automation would not fit all three.

Instead of a single institution having three masters, it is better for the functions to be separated. Most importantly, if one of the current customers wishes to shift the contract to another IANA functions operator, even if it isn’t limited by contract, it is limited by the institutional design, since iana.org serves as a central repository. This limitation didn’t exist, for instance, when the IETF decided to enter into a new contract for the RFC Editor role. This transition presents the best opportunity to cleave the functions logically, and make each community responsible for the functioning of their own registers, with IETF, which is mostly funded by ISOC, taking on the responsibility of handing the residual registries, and a discussion about the .ARPA and .INT gTLDs.

From the above discussion, three main points emerge:

Splitting of the IANA functions allows for technical specialisation leading to greater efficiency of the IANA functions.
Splitting of the IANA functions allows for more direct accountability, and no concentration of power.
Splitting of the IANA functions allows for ease of shifting of the {names,number,protocol parameters} IANA functions operator without affecting the legal structure of any of the other IANA function operators.

[1]. IAB response to the IANA FNOI, July 28, 2011. See: https://www.iab.org/wp-content/IAB-uploads/2011/07/IANA-IAB-FNOI-2011.pdf

[2]. Internet Governance Project, Comments of the Internet Governance Project on the NTIA's "Request for Comments on the Internet Assigned Numbers Authority (IANA) Functions" (Docket # 110207099-1099-01) February 25, 2011 See: http://www.ntia.doc.gov/federal-register-notices/2011/request-comments-internet-assigned-numbers-authority-iana-functions

For more details visit https://cis-india.org/internet-governance/blog/do-we-need-a-unified-post-tranistion-iana

CIS Participation at ICANN 54

praskrishna — 2016-01-18T12:47:19Z

Centre for Internet and Society (CIS), India participated in the 54th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) held at the Convention Center in Dublin from 17 October 2015 to 22 October 2015. Pranesh Prakash, Jyoti Panday and Padmini Baruah attended the meeting.

CIS representation was possible at the meeting due to the generous support of MacArthur grant, NCUC ICANN Travel Grant and financial support from the National Internet Exchange of India (NIXI). The issue-wise detail of CIS engagement is set out below.

At the Public Forum, Jyoti Panday asked the ICANN Board to clarify its role and the role of the community in the development of the proposal with Verisign on its role as the Root Zone Maintainer. ICANN CEO confirmed what many feared, that there will be no community involvement on this proposal as ICANN's relationship with Verisign is an "implementation" detail. He added the assurance that post transition, on the decision of renewal of the contract and whether it will be awarded to Verisign, ICANN will seek inputs from the community. Jyoti's statement is replicated below:

"I want to ask the Board why when asked by the NTIA to develop a draft proposal for the with Verisign on its Root Zone Maintainer role, did you not pass on that mandate to the community, to the CWG which already exists, and ask the community to draft out the proposal with VeriSign? Will the ICANN Board seek public comments on the final proposal before it is approved? After all, ICANN cannot claim that it is an inverted pyramid where all decisions start from the community and flow up to the Board when on a crucial issue like this, the ICANN Board and staff have not taken the community in confidence nor invited its participation."

Padmini Baruah reiterated CIS message at the Public Forum on the lack of diversity observed through the transition and presented new data. Padmini's statement is replicated below:
Today, more than 50% of Internet users are in the Asia-Pacific region, and less than 10% are in North America. Yet, when one studies diversity within the ICANN community and in ICANN processes, one finds that diversity is sorely lacking, and it is dominated by people from the United States of America. Take the IANA transition, for instance. CIS studied participant data from ICANN, NRO, and IETF's lists related to the IANA transition. Of the substantive contributors, of which there were 98, we found:
* 1 in 4 (39 of 98) were from a single country: the United States of America.
* 4 in 5 (77 of 98) were from countries which are part of the WEOG grouping, which only has developed countries.
* None were from readily identifiable as being based in Eastern European and Russia, and only 5 of 98 from all of Latin American and the Caribbean.
* 4 in 5 (77 of 98) were male and 21 were female.
* 4 in 5 (76 of 98) were from industry or the technical community, and only 4 (or 1 in 25) were identifiable as primarily speaking on behalf of governments.
It would be a travesty of language to call this the "global multistakeholder community".
Further this problem is pervasive in the ICANN community:
* 66% (34 of 51) of the Business Constituency at ICANN, as per their own data, are from a single country: the United States of America.
* 3 in 5 registrars are from the United States of America (624 out of 1010, as of March 2014, according to ICANN's accredited registrars list), with only 0.6% being from the 54 countries in Africa (7 out of 1010).
* 45% of all the registries are from the United States of America! (307 out of 672 registries listed in ICANN’s registry directory in August 2015.)
Please take this as your top priority, since ICANN's legitimacy depends on being able to call itself globally representative.

CIS attended also raised a series of concerns at the following sessions:

Enhancing ICANN Accountability Open Engagement: CIS intervened with its stance on jurisdiction and their enforcement models, and our concerns about transparency.
GAC sessions
NCSG meeting
IANA Transition Stewardship Transition Engagement Session
CCWG Accountability Working Session
Illicit Internet Pharmacies
NCUC Meeting+engagement with Larry Strickling: Jyoti Panday asked about the dual role of Verisign as a Root zone maintainer and TLD operator. Padmini Baruah asked him about jurisdiction. He said the US Congress will not support a shift in ICANN's jurisdiction.
NCSG/gNSO (CIS work on DIDP got public mention)
Contractual Compliance Programme Update
CWG Stewardship working session
Role of Voluntary Practices in Combating Abuse and Illegal Activity
Joint meeting of the ICANN Board and NCSG

For more details visit https://cis-india.org/internet-governance/news/icann-54

The 'Global Multistakholder Community' is Neither Global Nor Multistakeholder

pranesh — 2016-11-03T10:42:53Z

CIS research shows how Western, male, and industry-driven the IANA transition process actually is.

In March 2014, the US government announced that they were going to end the contract they have with ICANN to run something called the Internet Assigned Numbers Authority (IANA), and hand over control to the “global multistakeholder community”. They insisted that the plan for transition had to come through a multistakeholder process and have stakeholders “across the global Internet community”.

Analysis of the process since then shows how flawed the “global multistakeholder community” that converges at ICANN has not actually represented the disparate interests and concerns of different stakeholders. CIS research has found that the discussions around IANA transition have not been driven by the “global multistakeholder community”, but mostly by males from industry in North America and Western Europe.

CIS analysed the five main mailing lists where the IANA transition plan was formulated: ICANN’s ICG Stewardship and CCWG Accountability lists; IETF’s IANAPLAN list; and the NRO’s IANAXFER list and CRISP lists. What we found was quite disheartening.

A total of 239 individuals participated cumulatively, across all five lists.
Only 98 substantively contributed to the final shape of the ICG proposal, if one takes a count of 20 mails (admittedly, an arbitrary cut-off) as a substantive contribution, with 12 of these 98 being ICANN staff some of whom were largely performing an administrative function.

We decided to look at the diversity within these substantive contributors using gender, stakeholder grouping, and region. We relied on public records, including GNSO SOI statements, and extensive searches on the Web. Given that, there may be inadvertent errors, but the findings are so stark that even a few errors wouldn’t affect them much.

2 in 5 (39 of 98, or 40%) were from a single country: the United States of America.
4 in 5 (77 of 98) were from countries which are part of the WEOG UN grouping (which includes Western Europe, US, Canada, Israel, Australia, and New Zealand), which only has developed countries.
None were from the EEC (Eastern European and Russia) group, and only 5 of 98 from all of GRULAC (Latin American and Caribbean Group).
4 in 5 (77 of 98) were male and 21 were female.
4 in 5 (76 of 98) were from industry or the technical community, and only 4 (or 1 in 25) were identifiable as primarily speaking on behalf of governments.

This shows also that the process has utterly failed in achieving the recommendation of Paragraph 6 of the 3 in 5 registrars are from the United States of America (624 out of 1010, as of March 2014, according to ICANN's accredited registrars list), with only 0.6% being from the 54 countries in Africa (7 out of 1010).

45% of all the registries are from the United States of America! (307 out of 672 registries listed in ICANN’s registry directory in August 2015.)

66% (34 of 51) of the Business Constituency at ICANN are from a single country: the United States of America. (N.B.: This page doesn’t seem to be up-to-date.)

This shows that businesses from the United States of America continues to dominate ICANN to a very significant degree, and this is also reflected in the nature of the dialogue within ICANN, including the fact that the proposal that came out of the ICANN ‘global multistakeholder community’ on IANA transition proposes a clause that requires the ‘IANA Functions Operator’ to be a US-based entity. For more on that issue, see this post on the jurisdiction issue at ICANN (or rather, on the lack of a jurisdiction issue at ICANN).

For more details visit https://cis-india.org/internet-governance/blog/global-multistakeholder-community-neither-global-nor-multistakeholder

How To Win Friends, FB Style

praskrishna — 2015-10-18T12:02:10Z

True to form—and Facebook—there was a warm, friendly and familial feel to Prime Minister Narendra Modi’s townhall meeting at Melon, California, with Mark Zuckerberg on September 27. Modi got emotional (yet again) while talking about his mother. Zuckerberg, the youngish founder of the world’s largest social networking site, got his parents to meet and pose with Modi.

The article by Arindam Mukherjee was published in Outlook on October 12, 2015. Sunil Abraham was quoted.

“The most amazing moment was when I talked about our families,” Zuckerberg wrote in a post, “and he (Modi) shared stories of his childhood....” That’s just the kind of stuff we would see and post on Facebook—the benign visage of a profitable, all-pervasive US-based corporation. (Needless to say, everyone who has worked on this story is a registered user).

Of course, we know Modi too is on Facebook. No other Indian politician has so effectively utilised the power of ‘likes’: and he has got 30 million. The problem with this chummy approach is that one could almost forget that the PM is also the supreme leader of a country that is Facebook’s second-largest market in the world with 125 million users. A few days earlier, Zuckerberg flew to Seattle to meet Chinese President Xi Jinping. Facebook is not present in China. “On a personal note, this was the first time I’ve ever spoken with a world leader entirely in a foreign language,” wrote Zuckerberg in another post.

In contrast, Modi and Zuckerberg were speaking the same language. In fact, they even jointly updated their profile picture on Facebook—wrapped in the shades of the Indian tricolour—to support the Modi government’s Digital India initiative. Millions of Indians followed suit. And that’s when the shit hit the internet—it was discovered that people supporting the Digital India campaign were also putting in a ‘yes’ vote for Facebook’s contentious initiative internet.org (free but restricted net access; see accompanying faqs for all the details). Immediately, Modi became a party to the raging debate in India over net neutrality. This is unfortunate as the Modi government is yet to put on paper its stand on net neutrality. The nervous reaction to this engagement is also a function of the new truism of our times—“with this government, you never know”.

What we do know is that the internet.org class name was built into the code for support for Digital India. Many experts feel this is not a coincidence; rather a clever ploy by Facebook to get the support of Indians and promote its internet.org initiative. This upset a vocal community of activists who see internet.org on the opposite camp. This led to the charge that Facebook was trying to influence the debate. Says Sunil Abraham, executive director with the Bangalore-based Centre for Internet and Society (CIS), “The moves by Facebook are quite juvenile as it is trying to use the Modi visit to further muddy the net neutrality debate. We should be concerned about Facebook trying to damage the debate in India to spin the PM’s participation in its own favour.” Of course, there are two sides to this debate. There are many people within the government who feel net neutrality is an elitist concern—increasing internet penetration, which Facebook and other such initiatives promise, is the way forward in a poor, unconnected country like India. “Today to talk about net neutrality is to talk about the 20 per cent who have access to the internet,” says telecom expert Mahesh Uppal. “It is unreasonable to dismiss out of hand anybody who offers free service to a subset of websites or services. Eventually, access to internet must come first before we talk about net neutrality.”

Facebook promoted internet.org along with Samsung, Nokia, Qualcomm, Ericsson, MediaTek and Opera Software, the aim being to provide free internet service to developing nations. India, obviously, is a hot target for Facebook. Facebook has a partnership with Reliance in the country; the free internet service will be available only to Reliance users and the free access will be limited to Facebook’s partner sites. The debate over internet.org too has picked up steam in India—big media companies like NDTV and Times of India have pulled out of it on these issues. While Facebook has stressed that internet.org will ensure that the internet reaches people who do not have access to it, there have been concerns that it will restrict internet access only to sites that are internet.org’s partners.

On its part, Facebook has been quick to refute the charge. A spokesperson in the US said, “There is absolutely no connection between updating your profile picture for Digital India and internet.org. An engineer mistakenly used the words ‘internet.org profile picture’ as a shorthand name he chose for part of the code.” The code was changed soon after. Despite repeated requests, representatives from Facebook India were unavailable for comment.

But the damage has been done. Many now openly question Facebook’s motives in India and whether they have been truthful or not. Given all this brouhaha, questions will naturally be raised about Modi’s alignment with Facebook. Digital India is many things—but obviously increasing net penetration is one its goals. “Now whatever he does on net neutrality, it will be seen in terms of whether it will benefit Google or Facebook. That is the risk he took. I would like to know why the diplomatic advisors took the risk of putting the PM in a bargaining position instead of a bonus at the end of a deal,” says Prof Narendar Pani, who teaches at the National Institute of Advanced Studies, Bangalore.

All this matters because the Modi government positions itself as digital-friendly, even though its moves on this front have been invasive (the push for Aadhar despite a legal sanction and increasing reports of monitoring digital conversations), and contradictory (the abortive porn and WhatsApp bans, among others). “The PM is going way beyond the e-governance plan to a stage where the government will just sit and watch people speaking. It is scary,” says internet activist Usha Ramanathan. She feels it doesn’t make sense to have companies like Google sharing ideas with the government while Indian people are being kept out of the loop. “And now Facebook will be joining that gang, it doesn’t make sense. What has Facebook done to get that privilege?” she asks.

Here again there is a carefully worded counter-argument. Former telecom entrepreneur and Rajya Sabha MP Rajeev Chandrashekhar says, “Net neutrality is a definition that would be made in the public domain. It will not be influenced by the PM’s engagement with Facebook and Mark Zuckerberg. Anyone who tries to mess with the definition of net neutrality will be met with a public outcry and judicial intervention.” The substance of this view is that Modi was within his rights to speak to corporations to further Digital India, or Make in India for that matter, and that there should be an open debate on the future direction of net neutrality.

Clearly, the political knives are out. “Either the prime minister is not being briefed properly or he does not read his brief properly,” says former UPA minister Manish Tewari. Arguing that governments should be discussing rules of engagement in cyberspace, and not stakeholders, he asks, “Is India comfortable with that construct especially when the bulk of the technology companies, the root servers which form the underlying hardware of the internet, are all based in the US, and one being in Europe?”

Although the government is yet to firm up its decision on net neutrality and a policy on it is yet to be announced, the debate has already acquired political colour in India, with the Congress and Aam Aadmi Party putting their weight behind the people’s voice. This is the first time that there has been a nation-wide upsurge of such an unprecedented size and magnitude on an internet policy. Says AAP’s Adarsh Shastri, “Facebook, Google etc are just tools. People can use them at will. To make them the mainstay of your programme for digital empowerment is to step on the civil rights and liberties of citizens. Doing this is a complete no-no. Let people access internet as they want is the way to go.”

A consultation paper floated by telecom regulator Telecom Regulatory Authority of India (TRAI) got almost 15 lakh responses from the Indian public in support of net neutrality. There was also strong opposition to zero rating platforms announced by telecom companies like Airtel which sought to provide free access to some websites on their platform in much the same way that internet.org proposes. And the reactions to the Facebook coding error are a pointer to what people in India think. Says Nikhil Pahwa, editor of Medianama and a leading net neutrality activist, “The reactions of the people to the Facebook event were heartening and showed that people are emotive and there is still mass support for net neutrality. The reaction to the TRAI paper was not a flash in the pan.”

Interestingly, a couple of months ago, a department of telecommunications committee had said that internet.org was a violation of net neutrality and should not be allowed. It will be difficult for Modi and the government to overrule that and give it full and free access in India. Internet experts feel that the engagement with India and Modi was a desperate move by Facebook to get numbers from India. Says internet expert Mahesh Murthy, “Facebook is pulling out all stops to get favour for internet.org and is desperate about it. If India says yes, many others will say yes, but if India says no, other countries will follow.”

Murthy says Facebook’s real problem is that it is finding it difficult to justify its price to earnings ratio as against its user numbers vis-a-vis Google which is much better in this respect. For this, it is desperately trying to get numbers, and with China banning Facebook, the only country left to get numbers is India. The massive electronic and print campaign at the cost of Rs 40-50 crore is a pointer towards this. He says everything about internet.org is about hooking Indians to it.

No wonder, Facebook has been cultivating Indian media. The Modi visit has also been tarnished by the news that Facebook paid for the travel and accommodation of journalists from three Indian newspapers and one magazine to go and cover the Facebook-Modi meeting and get favourable coverage. Says writer-activist Arundhati Roy, “Many journalists covering the event for the Indian media were flown in from India by Facebook. So were some who asked pre-assigned questions at the event. I don’t know who sponsored the crocodile tears and the clothes.” It is also quite strange that the entire display picture and source code controversy got almost no play in the national media which chose instead to talk about Modi’s speech and his tears.

All said and done, it is obvious that Facebook may be seeing India as an easy and vulnerable target which can be manipulated for its own advantage. Says Parminder Jeet Singh, executive director with IT for Change, an NGO working on information society, “India has low internet penetration and lots of people want to get on to the internet. There is low purchasing power but lots of aspiration. So the moment a free service is offered, a whole lot of people are likely to jump on it.” And that is something Facebook may be looking and aiming at.

Currently, three processes are on that will determine how India will look at net neutrality—one at the DoT, one at TRAI and a third one at a parliamentary standing committee. But given the massive people’s response net neutrality has got vis-a-vis TRAI’s paper and also during the present Facebook issue, the outcome is predictable. Or so it seems. There’s a lot of money power at stake. For now, millions of internet Indians have already voted with that dislike button. And then, governments move in mysterious ways.

For more details visit https://cis-india.org/internet-governance/news/outlook-india-october-12-2015-arindam-mukherjee-how-to-win-friends-fb-style

Supreme Court provides partial relief for Aadhaar

praskrishna — 2015-10-18T05:01:49Z

In a small but significant win for the government, the Supreme Court on Thursday allowed the use of the Aadhaar number for the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), the Pradhan Mantri Jan Dhan Yojana, pensions by central and state governments, and the Employees’ Provident Fund Scheme, in addition to its current use in the public distribution system (PDS) and the distribution of cooking gas and kerosene.

The article by Apurva Vishwanath and Saurabh Kumar was published in Livemint on October 15, 2015. Sunil Abraham was quoted.

In an interim order on 11 August, the apex court had restricted the use of Aadhaar, the unique identity number, to the PDS and the distribution of cooking gas and kerosene.

Subsequently, several state governments, government departments and regulatory agencies put up a joint defence seeking a modification of the interim order. They included the Reserve Bank of India (RBI), the Securities and Exchange Board of India and the Telecom Regulatory Authority of India, the governments of Jharkhand, Maharashtra, Uttarakhand, Himachal Pradesh, Gujarat and Rajasthan, and industry body Indian Banks’ Association, along with the Unique Identification Authority of India (UIDAI), the issuer of Aadhaar.

A five-judge constitutional bench comprising Chief Justice H.L Dattu and justices M.Y Eqbal, C. Nagappan, Arun Mishra and Amitava Roy said in an order on Thursday: “We are of the opinion that in para 3 of the interim order, we can include schemes like MGNREGS, pensions by state and central government, Jan Dhan Yojana and Employees’ Provident Fund Scheme along with PDS and LPG (liquefied petroleum gas).”

Para 3 of the 11 August interim order had allowed the voluntary use of Aadhaar only for direct benefit transfer in foodgrain, kerosene and cooking gas schemes.

The court’s interim order threw an element of uncertainty around flagship government programmes such as biometric attendance for government employees; the Jan Dhan Yojana, the Prime Minister’s ambitious financial inclusion initiative; digital certificates, and pension payments.

It also threatened to derail India’s progress towards a cashless economy where payments banks are expected to play an important role.

All of these depend on linking accounts to individuals electronically, and are dependent on the Aadhaar number.

“The government was able to convince the court on the utility of Aadhaar which is critical to provide services to the most vulnerable section of the society,” said a government official who spoke on condition of anonymity.

The apex court, however, did not allow the use of Aadhaar for the e-know-your-customer (e-KYC) specifically, which would have helped banks, including payments banks, to enrol new customers and telecom operators for issuing SIM cards. However, it is noteworthy that while obtaining bank accounts under the Jan Dhan scheme, banks use e-KYC. The clarification that RBI sought from the court, on whether the Aadhaar number can be used as proof of identification to open a bank account, still remains uncertain.

This will affect banks, mutual funds and companies that have won in-principle payments bank licences such as Airtel M Commerce Services Ltd (from the stable of Bharti Airtel Ltd, which had a customer base of 231.6 million as of July) and Vodafone m-pesa Ltd (a part of Vodafone India Ltd, which had a customer base of 185.4 million as of July).

The licensees also include the department of posts, which has 155,015 post offices across the country, of which 139,144 are in rural areas. The sheer reach of these entities is unrivalled. These entities hope to ride on the technology platform to reach customers, and e-KYC is critical to the process.

“The reason why the court has allowed use of Aadhaar for Jan Dhan Yojana and not other banking services is perhaps because the government made a humanitarian argument that the poorest will be able to avail banking services. It is, however, a technologically flawed argument, deeply so,” said Sunil Abraham, executive director of Bengaluru-based research organization Centre for Internet and Society.

The bench ordered the Union government to follow all earlier interim orders issued by the Supreme Court starting September 2013. Some of these orders include restrain on sharing of biometrics and keeping Aadhaar voluntary.

As of now, 920 million Indian citizens have been allotted Aadhaar numbers. The interim stay was affecting beneficiaries of the MGNREGS (91.7 million), pensioners (27.1 million) and recipients of scholarships (25.7 million), among others, according to data from the Unique Identification Authority of India (UIDAI). Till now, 187 million bank accounts have been opened under the Pradhan Mantri Jan Dhan Yojana.

The apex court made the interim ruling in an ongoing hearing where several pleas related to Aadhaar were clubbed together. Some relate to Aadhaar numbers being made mandatory to enable people to avail of certain government benefits and services. Others deal with the number being a violation of privacy, especially in the absence of any backing regulation or oversight, and yet others deal with possible misuse of the information.

However, the constitution bench had clarified on Wednesday that only pleas seeking clarification and modification of the interim order will be decided, and the issue concerning the right to privacy will be heard subsequently by another constitution bench.

“I am very disappointed with the court’s order. The government claims that Aadhaar is voluntary, but actually it will not be till it is delinked from all government schemes. This way, people who do have Aadhaar are excluded and will have to run from pillar to post to receive benefits if they do not have the number,” said Kamayani Bali Mahabal, a Mumbai-based lawyer, human rights activist and a petitioner in the UIDAI case. She added that the order may increase the incidents of fake Aadhaar numbers as ineligible people choose to gain from all schemes, depriving the poor and aged of real benefits.

The attorney general, Mukul Rohatgi, on Wednesday assured the court that the government has issued advertisements in over 20 languages that Aadhaar is a voluntary scheme.

On 14 Wednesday, PTI reported that a Right to Information application has showed that the UIDAI has identified more than 25,000 duplicate Aadhaar numbers till August.

Mathew Thomas, one of the petitioners challenging the use and validity of the Aadhaar scheme, also expressed disappointment at the court’s ruling today. “Aadhaar is a case of great importance to the billion citizens of India. It is unfortunate that the constitution bench spent only a few hours in hearing the issues,” he said.

The Supreme Court will appoint a larger bench of at least nine judges to hear the privacy issue. The court in 1954, in the case of M.P. Sharma vs Satish Chandra, ruled that the right to privacy was not a fundamental right recognized by the Constitution. This case was decided by an eight-judge bench of the apex court, and only a bench of equal or larger strength will be able to override that decision.

The Chief Justice in the order on Thursday said that the larger bench, with nine or 11 judges, will be constituted at the earliest to hear the matter on Aadhaar potentially violating privacy and other intervening applications.

The petitioners have argued that UIDAI was approved only by an empowered group of ministers during the United Progressive Alliance tenure and has no statutory authority to collect biometrics of residents. Senior counsel for the petitioners, Shyam Divan, said: “The only law in India which allows the government to collect fingerprints is the Prisoner’s Act of 1920, which is a colonial enactment.”

The UIDAI does not have any legislative backing and was constituted by notification in 2009 by the erstwhile Planning Commission. Divan, however, said that the Planning Commission notification has no effect since the body itself has ceased to exist, and added that the centre is not introducing a legislation empowering the Aadhaar scheme as it realizes the vulnerability of the entire exercise.

The National Identification Authority of India Bill was introduced in the Rajya Sabha in 2010.

In 2012, the centre was mulling a privacy law that could be enacted to support the UIDAI scheme and, in connection, the Planning Commission then formed an expert committee on privacy under A.P Shah, a former chairperson of the Law Commission.

For more details visit https://cis-india.org/internet-governance/news/livemint-october-15-2015-apurva-vishwanath-saurabh-kumar-supreme-court-provides-partial-relief-for-aadhaar

Digital India: Did Modi get it wrong in Silicon Valley?

praskrishna — 2015-10-18T04:44:52Z

A bear hug, a photo filter and a new debate on net neutrality - Ayeshea Perera examines the domestic fallout of Indian Prime Minister Narendra Modi's Facebook townhall in US.

This was published by BBC News on October 16, 2015. Sunil Abraham was quoted.

It was supposed to be a moment that rocked the virtual world. Mr Modi, widely acknowledged as one of the world's most influential politicians on social media, enveloped a slightly stunned Mark Zuckerberg in a bear hug.

But what was it that really happened in Menlo Park? Why did some people think Mr Modi wasn't acting in India's best digital interests when he hugged Mr Zuckerberg?

India with an internet population of 354 million - which has already grown by 17% in the first six months of 2015 - is an obvious target for not only Facebook, but other Silicon Valley giants. And they have all been more than happy to pledge their support for digital India - a recently launched government initiative aimed at reinvigorating an $18bn (£11.6bn) campaign to strengthen India's digital infrastructure.

Google offered to provide 500 railway stations with free WiFi and Microsoft pledged to connect 500,000 Indian villages with cheap broadband access.

Digitally colonised?

But this huge show of support and the increased interest in India has caused some concern within the country.

"Is Digital India going to only make India a consumer of services offered by global tech companies in lieu of data? Personal data is the currency of the digital world. Are we going to give that away simply to become a giant market for a Facebook or a Google? Look at the way the tech world is skewed. Only China has been able to come up with companies that can take on these MNCs" Prabir Purkayasta, chairman of the Society for Knowledge Commons in India, told the BBC.

"The British ruled the world because they controlled the seas," he said. "Is India going to be content to just be a digital consumer? To being colonised once again?"

And in the aftermath of the Facebook townhall in particular, some talk has begun to surface about what Mr Zuckerberg's real India ambitions are.

Soon after the townhall ended, both Mr Modi and Mr Zuckerberg declared their support for digital India by using a special Facebook filter to tint their profile pictures in the tri-colour of the Indian flag.

Multitudes of Indians followed suit and timelines were awash with snazzy tinted profile pictures, all in support of "Digital India".

'Innocent mistake'

But then a tech website released what it claimed to be a portion of Facebook's source code, which allegedly "proved" that the "Support Digital India" filter was actually a "Support Internet.Org" filter.

Facebook quickly issued a denial, blaming the text in the code on an "engineer mistake" in choosing a shorthand name he used for part of the code.

But the "mistake" which has been coupled with a huge advertising blitz for Internet.Org across television channels and newspapers has raised suspicion about Facebook's motives. A Facebook poll on Internet.Org that frequently appears on Indian user timelines has also been ridiculed for not giving users an option to say no.

Instead the answer options to the poll question "Do you want India to have free basic services?" are "Yes" and "Not now".

Internet.org (now called free basics), aims to extend internet services to the developing world by offering a selection of apps and websites free to consumers.

Facebook's vice-president of infrastructure engineering, Jay Parikh has described the initiative as an "attempt to connect the two-thirds of the world who do not have access to the Internet" by trying to solve issues pertaining to affordability, infrastructure and access.

When Facebook launched the initiative in India in February, it was criticised by Indian activists who expressed concerns that the project threatened freedom of expression, privacy and the principle of net neutrality.

On the other end of the debate, Indian columnist Manu Joseph wrote in the Hindustan Times newspaper, hitting out at the "selfish" stand on net neutrality. He said concerns over the issue should be "subordinate to the fact that the poor have a right to some Internet".

Wrong signal

A massive campaign by India's Save the Internet Coalition exhorting Indians to speak out against initiatives threatening net neutrality caught public imagination and saw more than a million emails to India's regulator, the Telecom Regulatory Authority of India (TRAI), demanding a free and fair internet in the country. Internet.Org was one of the initiatives immediately affected.

TRAI since released a draft policy on net neutrality, but a question that has been asked is whether it was appropriate for Mr Modi to visit Facebook given that the policy was still under consideration.

Mr Purkayasta is of the opinion that it could have been avoided. "It was not the time or the place to go. Even if it was simply a publicity gimmick, it still sends a signal to officials involved in drafting the policy," he said.

However, Sunil Abraham from the Centre for Internet and Society told the BBC he believed that while Facebook's intentions were suspect, Mr Modi's visit had the potential to safeguard net neutrality in India.

"India is a hugely important market for Facebook, and the prime minister has the power to force positive changes to its policies," he said. "We gain nothing by shutting them out."

For more details visit https://cis-india.org/internet-governance/news/bbc-october-16-2015-digital-india-did-modi-get-it-wrong-in-silicon-valley

Cyber Security Policy Research

praskrishna — 2015-10-16T16:47:12Z

Tim Maurer will give a presentation on cybersecurity policy research at the Centre for Internet & Society's New Delhi office on October 18, 2015, from 2 p.m. to 5 p.m. Geetha Hariharan and Sunil Abraham will participate in this event.

Tim Maurer's talk will give an outline of the definitional issues involved, the various threats to the confidentiality, integrity, and availability of information and underlying infrastructure, the actors involved and international efforts to address cybersecurity. The talk will also provide an overview of existing and ongoing cyber security policy research.

Tim Maurer

Tim Maurer is an associate at the Carnegie Endowment for International Peace. His work focuses on cyberspace and international affairs, with a concentration on global cybersecurity norms, human rights online, Internet governance, and their interlinkages. He is writing a book on cybersecurity and proxy actors.

Maurer serves as a member of the Research Advisory Network of the Global Commission on Internet Governance, the Freedom Online Coalition’s cybersecurity working group “An Internet Free and Secure,” and co-chaired the Civil Society Advisory Board of the Global Conference on CyberSpace. In 2014, he developed the Global Cyber Definitions Database for the chair of the OSCE to support the implementation of the OSCE’s cyber confidence-building measures. In 2013 and 2014, Maurer spoke about cybersecurity at the United Nations in New York and Geneva and co-authored “Tipping the Scale: An Analysis of Global Swing States in the Internet Governance Debate,” published by the Global Commission on Internet Governance. His work has also been published by Jane’s Intelligence Review, TIME, Foreign Policy, CNN, Slate, and other academic and media venues.

Prior to joining Carnegie, Maurer was the director of the Global Cybersecurity Norms and Resilience Project at New America and head of research of New America’s Cybersecurity Initiative. He also gained experience with the United Nations in Rwanda, Geneva, and New York focusing on humanitarian assistance and the coordination of the UN system.

For more details visit https://cis-india.org/internet-governance/events/cyber-security-policy-research