We are anonymous, we are legion

The seedy underbelly of revenge porn

praskrishna — 2015-09-27T14:25:43Z

Intimate photos posted by angry exes are becoming part of an expanding online body of dirty work.

The article by Sandhya Soman was published in the Times of India on August 23, 2015.

Three lakh 'Likes' aren't easy to come by. But Geeta isn't gloating. She's livid, and waiting for the day a video-sharing site will take down the popular clip of her having sex with her vengeful ex-husband. "Every other day somebody calls or messages to say they've seen me," says Geeta.

She is not alone. Two weeks ago, law student Shrutanjaya Bhardwaj Whatsapped women he knew asking if any of them had come across cases of online sexual harassment. In a few hours, his phone was filled with tales of harassment by ex-boyfriends and strangers. Instances ranged from strangers publishing morphed photographs on Facebook, to ex-husbands and boyfriends circulating intimate photos and videos on porn sites. Of the 40 responses, around 25 were cases of abuse by former partners. "I have heard friends talking about the problem, but never realized it was this bad," says Bhardwaj.

These days, revenge is best served online - it travels faster and has potential for greater damage. But despite the widespread nature of the crime, many targets hesitate to complain for fear of being shamed and blamed. "A 15-year-old girl is going to worry about how her parents will react if she talks about it," says Chinmayi Arun, research director, Centre for Communication Governance at Delhi National Law University. There is also fear of harassment by the police, says Rohini Lakshane, researcher, Centre for Internet and Society. Worst of all is the waiting. "Even if a police complaint is filed, it takes ages to find out who shot it, who uploaded it and where it is circulated. Such content is mirrored across many sites," she says.

Geeta is familiar with the routine. Her harassment started with photographs sent to family, friends and colleagues. After an acrimonious divorce, several videos were released in 2013. "There were some 25-30 videos on various sites.

After an FIR was filed, the police wrote to websites and some of the links were removed," says Geeta, who has been flagging content on a popular site, which has not yet responded to her privacy violation report. "My face is seen clearly on it. People even come up to me in restaurants saying they've seen it. How do I get on with my life?" asks a distraught Geeta. She also recently filed an affidavit supporting the controversial porn ban PIL in a last-ditch effort to erase the abuse that began after her divorce.

The cyber cell officer in charge of her case says he had got websites to shut down several URLs but was thwarted by the repeal of section 66A of the IT Act that dealt with offensive messages sent electronically. When asked why section 67 (cyber pornography) of the same act and various sections in the criminal law couldn't be used, the officer says that only 66A is applicable to the evidence he has. "I asked for more links and she sent them to me. We'll see if other sections can be applied," he says. Lawyers and activists, argue that existing laws are good enough like sections 354A (sexual harassment), 354C (voyeurism), 354D (stalking) and 509 (outraging modesty) of the IPC.

Though there are no official statistics for what is popularly referred to as 'revenge' porn, there is a flood of such images online. Lakshane, who studied consent in amateur pornography for the NGO-run EroTICs India project in 2014, found clandestinely shot clips to exhibitionist ones where faces are blurred or cropped.

Social activist Sunita Krishnan has raised the red flag over several video clips, including two that show gang rape, which were circulated on Whatsapp. Some of the content she came across showed familiarity between the man and woman, indicating an existing relationship. In one clip, the man says: "How dare you go with that fellow. What you did it to him, do it to me."

Most home-grown clips end up on desi sites with servers abroad, making it difficult to take down content. Some do have a policy of asking for consent of people in the frame. But Lakshane, who wanted to test this policy, says when she approached one website that has servers abroad saying that she had a sexually explicit video, the reply was a one-liner asking her to send it. "They didn't ask for any consent emails," she says. In lieu of payment, they offered her a free account on another file-sharing site, which seemed to partner with the site. With no financial links to those submitting videos, sites like these make money out of subscriptions from consumers, or ads.

A few months ago, the CBI arrested a man from Bengaluru for uploading porn clips, using high-end editing software and cameras. Kaushik Kuonar allegedly headed a syndicate and was supposed to be behind the rape clips reported by Krishnan. "I am skeptical of the idea of amateur porn being randomly available across the Internet. There seem to be people like the man in Bengaluru who are apparently sourcing, distributing and making money out of it," says Chinmayi Arun. "He had 474 clips, including some of rape," adds Krishnan.

Social media companies, meanwhile, say they're working with authorities to prevent such violations. Facebook spokesperson says the company removes content that violates its community standards. It also works with the women and child development ministry to help women stay safe online. Google, Microsoft, Twitter and Reddit have promised to remove links to revenge porn on request, while countries like Japan and Israel have made it illegal.

In India, the National Commission for Women started a consultation on online harassment but is yet to submit a report. In the absence of clarity, activists like Krishnan endorse the banning of porn sites. Not all agree with sweeping solutions. Lakshane says sometimes a court order helps to get tech companies to act faster on requests as in the case of a 2012 sex tape scandal where Google removed search results to 360 web pages. Also, the term 'revenge' porn, she says, is a misnomer as the videos are meant to shame women. "These are not movies where actors get paid. Somebody else is making money off this gross violation of privacy."

For more details visit https://cis-india.org/internet-governance/blog/the-times-of-india-sandhya-soman-august-23-2015-the-seedy-underbelly-of-revenge-porn

Stats from 2014 reveal horror of scrapped section 66A of IT Act

praskrishna — 2015-09-26T07:28:13Z

An average of six netizens were arrested every day in 2014 for posting offensive content online under section 66A of the Information Technology Act, a draconian and much abused law no longer in use.

The article by Aloke Tikku was published in the Hindustan Times on August 20, 2015. Pranesh Prakash gave inputs.

A first-of-its-kind set of statistics compiled by the National Crime Records Bureau reveals that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A — which was struck down in March by the Supreme Court that ruled that it violated the constitutional freedom of speech.

These arrests made up nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. It was also a little less than twice the number of people caught red-handed accepting bribes the same year.

“These statistics are shocking. I had assumed there may be a few hundred cases, at worst,” said Shreya Singhal, on whose petition the top court had scrapped the provision.

“It validates the judgment even more than when it was delivered,” said Singhal, a law student.

Quite like Rinu Srinivasan – one of two Mumbai girls arrested in 2012 for a Facebook post regarding Shiv Sena chief Bal Thackrey’s death — nearly half of those arrested (1,217) were in the 18-29 age group. This included nine girls. Another 1,015 were in the 30-44 age group while 166 were between 45 and 59 years old.

The now-repealed section 66A prescribed a three-year jail term for online content that could be construed to be offensive or false.

This is the first time the NCRB has collected detailed statistics on cyber crimes, listing out the number of cases registered under each section of the IT Act.

A government official conceded that the large number of cases registered under section 66A meant that the Centre’s guidelines — issued after a public outcry in November 2012 against its misuse — had served little purpose. In May 2013, the Supreme Court too put its weight behind the guidelines and made it legally binding on them.

In these guidelines, the Centre had made prior approval of an inspector general of police-rank officer mandatory for all arrests under section 66A. “Either this rule wasn’t followed or the IGPs did not rise to the occasion,” the official said.

The NCRB did not give a state-wise break-up of arrests under section 66A.

But in terms of cases registered, Uttar Pradesh led the pack with 898, followed by Karnataka (603), Assam (377), Maharashtra (375), Telangana (352), Rajasthan (291), Kerala (229), Punjab (123) and Delhi (137).

“It was “unconscionable that 2,402 persons were arrested in 2014, and many made to languish in jail, under a provision that we now know to have been unconstitutional,” said Pranesh Prakash at the Bengaluru-headquartered research and advocacy group, Centre for Internet and Society.

“Even after the Supreme Court laid down more stringent ad-hoc guidelines on arrests under Section 66A, it is clear they were not effective in the least: 860 charge-sheets were filed by the police under Section 66A in 2014,” the policy director at CIS said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-august-20-2015-aloke-tikku-stats-from-2014-reveal-horror-of-scrapped-section-66-a-of-it-act

Security: Privacy, Transparency and Technology

sunil — 2015-09-15T10:53:52Z

The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2.

Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.

Security and Privacy

Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." [1] Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." [2] Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology [3] should be seen as an increasingly key ingredient to the solution of that optimisation problem.

Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:

Data Retention: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.
Privacy-Protective Surveillance: Ann Cavoukian and Khaled El Emam [4] have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.
Fishing Expedition Design: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard [5] that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacypolicies/regulation. Authorised agencies would then hone in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.

An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.

If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.

Security and Transparency

There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.

Optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

The recent detection of the Heartbleed [6] security bug in Open SSL, [7] causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. [8]

At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.

In order words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.

Security and Technology

A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.

This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.

More Technology

Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.

Latest Technology

Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations makes it clear that some older technologies are harder to compromise in comparison to modern technology. [9] Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.

Complex Technology

Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." [10] This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly when it comes to authentication, a pin number is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.

In the following section of the paper we have identified five threat scenarios [11] relevant to India and identified solutions based on our theoretical framing above.

Threat Scenarios and Possible Solutions

Hacking the NIC Certifying Authority
One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). [12] In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. [13] Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. India’s Controller of Certifying Authority’s certificates issued are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. [14] In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. [15] Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." [16] The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties by the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. [17] The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date [18] and is no longer issuing digital certificates for the time being. [19]Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks due to fake digital certificates. [20] Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. [21]

‘Logic Bomb’ against Airports
Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. [22] In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. [23] Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.

Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and investigate into probable vulnerabilities.

Attack on Critical Infrastructure
The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. [24] The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. [25]

The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered [26] and connected to one or more Siemens programmable logic controllers. [27] The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. [28] The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.

Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.

Micro Level: Chip Attacks
Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. [29]

Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities [30] and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. [31]

Macro Level: Telecom and Network Switches

The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. [32] Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. [33]

Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. [34] Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. [35]

Security practitioners and policymakers need to avoid the zero-sum framing prevalent in popular discourse regarding security VIS-A-VIS privacy, transparency and technology.

A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals personal information at risk.

While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, [36] the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.

Conclusion

Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.

[1]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.

[2]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security commentary/security matters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.

[3]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.

[4]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information & Privacy Commisioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.

[5]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy”(presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.

[6]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.

[7]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.

[8]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.

[9]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.

[10]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

[11]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.

[12]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.

[13]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.

[14]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.

[15]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&context=jss.

[16]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.

[17]. Ibid.

[18]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.

[19]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.

[20]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.

[21]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertiaIndira.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.

[22]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal -3/.

[23]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121 htm.

[24]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.

[25]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.

[26]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.

[27]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.

[28]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.

[29]. Ibid.

[30]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.

[31]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.

[32]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.

[33]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-70 00010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.

[34]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.

[35]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.

[36]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.

For more details visit https://cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology

A Review of the Policy Debate around Big Data and Internet of Things

elonnai — 2015-08-17T08:36:18Z

This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.

Defining and Connecting Big Data and Internet of Things

The Internet of Things is a term that refers to networked objects and systems that can connect to the internet and can transmit and receive data. Characteristics of IoT include the gathering of information through sensors, the automation of functions, and analysis of collected data.[1] For IoT devices, because of the velocity at which data is generated, the volume of data that is generated, and the variety of data generated by different sources [2] - IoT devices can be understood as generating Big Data and/or relying on Big Data analytics. In this way IoT devices and Big Data are intrinsically interconnected.

General Implications of Big Data and Internet of Things

Big Data paradigms are being adopted across countries, governments, and business sectors because of the potential insights and change that it can bring. From improving an organizations business model, facilitating urban development, allowing for targeted and individualized services, and enabling the prediction of certain events or actions - the application of Big Data has been recognized as having the potential to bring about dramatic and large scale changes.

At the same time, experts have identified risks to the individual that can be associated with the generation, analysis, and use of Big Data. In May 2014, the White House of the United States completed a ninety day study of how big data will change everyday life. The Report highlights the potential of Big Data as well as identifying a number of concerns associated with Big Data. For example: the selling of personal data, identification or re-identification of individuals, profiling of individuals, creation and exacerbation of information asymmetries, unfair, discriminating, biased, and incorrect decisions based on Big Data analytics, and lack of or misinformed user consent.[3] Errors in Big Data analytics that experts have identified include statistical fallacies, human bias, translation errors, and data errors.[4] Experts have also discussed fundamental changes that Big Data can bring about. For example, Danah Boyd and Kate Crawford in the article "Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon" propose that Big Data can change the definition of knowledge and shape the reality it measures.[5] Similarly, a BSC/Oxford Internet Institute conference report titled " The Societal Impact of the Internet of Things" points out that often users of Big Data assume that information and conclusions based on digital data is reliable and in turn replace other forms of information with digital data.[6]

Concerns that have been voiced by the Article 29 Working Party and others specifically about IoT devices have included insufficient security features built into devices such as encryption, the reliance of the devices on wireless communications, data loss from infection by malware or hacking, unauthorized access and use of personal data, function creep resulting from multiple IoT devices being used together, and unlawful surveillance.[7]

Regulation of Big Data and Internet of Things

The regulation of Big Data and IoT is currently being debated in contexts such as the US and the EU. Academics, civil society, and regulators are exploring questions around the adequacy of present regulation and overseeing frameworks to address changes brought about Big Data, and if not - what forms of or changes in regulation are needed? For example, Kate Crawford and Jason Shultz in the article "Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms"stress the importance of bringing in 'data due process rights' i.e ensuring fairness in the analytics of Big Data and how personal information is used.[8] While Solon Barocas and Andrew Selbst in the article "Big Data's Disparate Impact" explore if present anti-discrimination legislation and jurisprudence in the US is adequate to protect against discrimination arising from Big Data practices - specifically data mining.[9]

The Impact of Big Data and IoT on Data Protection Principles

In the context of data protection, various government bodies, including the Article 29 Data Protection Working Party set up under the Directive 95/46/EC of the European Parliament, the Council of Europe, the European Commission, and the Federal Trade Commission, as well as experts and academics in the field, have called out at least ten different data protection principles and concepts that Big Data impacts:

Collection Limitation: As a result of the generation of Big Data as enabled by networked devices, increased capabilities to analyze Big Data, and the prevalent use of networked systems - the principle of collection limitation is changing.[10]
Consent: As a result of the use of data from a wide variety of sources and the re-use of data which is inherent in Big Data practices - notions of informed consent (initial and secondary) are changing.[11]
Data Minimization: As a result of Big Data practices inherently utilizing all data possible - the principle of data minimization is changing/obsolete.[12]
Notice: As a result of Big Data practices relying on vast amounts of data from numerous sources and the re-use of that data - the principle of notice is changing.[13]
Purpose Limitation: As a result of Big Data practices re-using data for multiple purposes - the principle of purpose limitation is changing/obsolete.[14]
Necessity: As a result of Big Data practices re-using data, the new use or re-analysis of data may not be pertinent to the purpose that was initially specified- thus the principle of necessity is changing.[15]
Access and Correction: As a result of Big Data being generated (and sometimes published) at scale and in real time - the principle of user access and correction is changing.[16]
Opt In and Opt Out Choices: Particularly in the context of smart cities and IoT which collect data on a real time basis, often without the knowledge of the individual, and for the provision of a service - it may not be easy or possible for individuals to opt in or out of the collection of their data.[17]
PI: As a result of Big Data analytics using and analyzing a wide variety of data, new or unexpected forms of personal data may be generated - thus challenging and evolving beyond traditional or specified definitions of personal information.[18]
Data Controller: In the context of IoT, given the multitude of actors that can collect, use and process data generated by networked devices, the traditional understanding of what and who is a data controller is changing.[19]

Possible Technical and Policy Solutions

In a Report titled "Internet of Things: Privacy & Security in a Connected World" by the Federal Trade Commission in the United States it was noted that though IoT changes the application and understanding of certain privacy principles, it does not necessarily make them obsolete.[20] Indeed many possible solutions that have been suggested to address the challenges posed by IoT and Big Data are technical interventions at the device level rather than fundamental policy changes. For example it has been proposed that IoT devices can be programmed to:

Automatically delete data after a specified period of time [21] (addressing concerns of data retention)
Ensure that personal data is not fed into centralized databases on an automatic basis [22] (addressing concerns of transfer and sharing without consent, function creep, and data breach)
Offer consumers combined choices for consent rather than requiring a one time blanket consent at the time of initiating a service or taking fresh consent for every change that takes place while a consumer is using a service. [23] (addressing concerns of informed and meaningful consent)
Categorize and tag data with accepted uses and programme automated processes to flag when data is misused. [24] (addressing concerns of misuse of data)
Apply 'sticky policies' - policies that are attached to data and define appropriate uses of the data as it 'changes hands' [25] (addressing concerns of user control of data)
Allow for features to only be turned on with consent from the user [26] (addressing concerns of informed consent and collection without the consent or knowledge of the user)
Automatically convert raw personal data to aggregated data [27] (addressing concerns of misuse of personal data and function creep)
Offer users the option to delete or turn off sensors [28] (addressing concerns of user choice, control, and consent)

Such solutions place the designers and manufacturers of IoT devices in a critical role. Yet some, such as Kate Crawford and Jason Shultz are not entirely optimistic about the possibility of effective technological solutions - noting in the context of automated decision making that it is difficult to build in privacy protections as it is unclear when an algorithm will predict personal information about an individual.[29]

Experts have also suggested that more emphasis should be placed on the principles and practices of:

Transparency,
Access and correction,
Use/misuse
Breach notification
Remedy
Ability to withdraw consent

Others have recommended that certain privacy principles need to be adapted to the Big Data/IoT context. For example, the Article 29 Working Party has clarified that in the context of IoT, consent mechanisms need to include the types of data collected, the frequency of data collection, as well as conditions for data collection.[30] While the Federal Trade Commission has warned that adopting a pure "use" based model has its limitations as it requires a clear (and potentially changing) definition of what use is acceptable and what use is not acceptable, and it does not address concerns around the collection of sensitive personal information.[31] In addition to the above, the European Commission has stressed that the right of deletion, the right to be forgotten, and data portability also need to be foundations of IoT systems and devices.[32]

Possible Regulatory Frameworks

To the question - are current regulatory frameworks adequate and is additional legislation needed, the FTC has recommended that though a specific IoT legislation may not be necessary, a horizontal privacy legislation would be useful as sectoral legislation does not always account for the use, sharing, and reuse of data across sectors. The FTC also highlighted the usefulness of privacy impact assessments and self regulatory steps to ensure privacy.[33] The European Commission on the other hand has concluded that to ensure enforcement of any standard or protocol - hard legal instruments are necessary.[34] As mentioned earlier, Kate Crawford and Jason Shultz have argued that privacy regulation needs to move away from principles on collection, specific use, disclosure, notice etc. and focus on elements of due process around the use of Big Data - as they say "procedural data due process". Such due process should be based on values instead of defined procedures and should include at the minimum notice, hearing before an independent arbitrator, and the right to review. Crawford and Shultz more broadly note that there are conceptual differences between privacy law and big data that pose as serious challenges i.e privacy law is based on causality while big data is a tool of correlation. This difference raises questions about how effective regulation that identifies certain types of information and then seeks to control the use, collection, and disclosure of such information will be in the context of Big Data – something that is varied and dynamic. According to Crawford and Shultz many regulatory frameworks will struggle with this difference – including the FTC's Fair Information Privacy Principles and the EU regulation including the EU's right to be forgotten.[35] The European Data Protection Supervisor on the other hand looks at Big Data as spanning the policy areas of data protection, competition, and consumer protection – particularly in the context of 'free' services. The Supervisor argues that these three areas need to come together to develop ways in which the challenges of Big Data can be addressed. For example, remedy could take the form of data portability – ensuring users the ability to move their data to other service providers empowering individuals and promoting competitive market structures or adopting a 'compare and forget' approach to data retention of customer data. The Supervisor also stresses the need to promote and treat privacy as a competitive advantage, thus placing importance on consumer choice, consent, and transparency.[36] The European Data Protection reform has been under discussion and it is predicted to be enacted by the end of 2015. The reform will apply across European States and all companies operating in Europe. The reform proposes heavier penalties for data breaches, seeks to provide users with more control of their data.[37] Additionally, Europe is considering bringing digital platforms under the Network and Information Security Directive – thus treating companies like Google and Facebook as well as cloud providers and service providers as a critical sector. Such a move would require companies to adopt stronger security practices and report breaches to authorities.[38]

Conclusion

A review of the different opinions and reactions from experts and policy makers demonstrates the ways in which Big Data and IoT are changing traditional forms of protection that governments and societies have developed to protect personal data as it increases in value and importance. While some policy makers believe that big data needs strong legislative regulation and others believe that softer forms of regulation such as self or co-regulation are more appropriate, what is clear is that Big Data is either creating a regulatory dilemma– with policy makers searching for ways to control the unpredictable nature of big data through policy and technology through the merging of policy areas, the honing of existing policy mechanisms, or the broadening of existing policy mechanisms - while others are ignoring the change that Big Data brings with it and are forging ahead with its use.

Answering the 'how do we regulate Big Data” question requires re-conceptualization of data ownership and realities. Governments need to first recognize the criticality of their data and the data of their citizens/residents, as well as the contribution to a country's economy and security that this data plays. With the technologies available now, and in the pipeline, data can be used or misused in ways that will have vast repercussions for individuals, society, and a nation. All data, but especially data directly or indirectly related to citizens and residents of a country, needs to be looked upon as owned by the citizens and the nation. In this way, data should be seen as a part of critical national infrastructure of a nation, and accorded the security, protections, and legal backing thereof to prevent the misuse of the resource by the private or public sectors, local or foreign governments. This could allow for local data warehousing and bring physical and access security of data warehouses on par with other critical national infrastructure. Recognizing data as a critical resource answers in part the concern that experts have raised – that Big Data practices make it impossible for data to be categorized as personal and thus afforded specified forms of protection due to the unpredictable nature of big data. Instead – all data is now recognized as critical.

In addition to being able to generate personal data from anonymized or non-identifiable data, big data also challenges traditional divisions of public vs. private data. Indeed Big Data analytics can take many public data points and derive a private conclusion. The use of Big Data analytics on public data also raises questions of consent. For example, though a license plate is public information – should a company be allowed to harvest license plate numbers, combine this with location, and sell this information to different interested actors? This is currently happening in the United States.[39] Lastly, Big Data raises questions of ownership. A solution to the uncertainty of public vs. private data and associated consent and ownership could be the creation a National Data Archive with such data. The archive could function with representation from the government, public and private companies, and civil society on the board. In such a framework, for example, companies like Airtel would provide mobile services, but the CDRs and customer data collected by the company would belong to the National Data Archive and be available to Airtel and all other companies within a certain scope for use. This 'open data' approach could enable innovation through the use of data but within the ambit of national security and concerns of citizens – a framework that could instill trust in consumers and citizens. Only when backed with strong security requirements, enforcement mechanisms and a proactive, responsive and responsible framework can governments begin to think about ways in which Big Data can be harnessed.

[1] BCS - The Chartered Institute for IT. (2013). The Societal Impact of the Internet of Things. Retrieved May 17, 2015, from http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf

[2] Sicular, S. (2013, March 27). Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused with Three “V”s. Retrieved May 20, 2015, from http://www.forbes.com/sites/gartnergroup/2013/03/27/gartners-big-data-definition-consists-of-three-parts-not-to-be-confused-with-three-vs/

[3] Executive Office of the President. “Big Data: Seizing Opportunities, Preserving Values”. May 2014. Available at: https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf. Accessed: July 2^nd 2015.

[4] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564

[5] Danah Boyd, Kate Crawford. CRITICAL QUESTIONS FOR BIG DATA. Information, Communication & Society Vol. 15, Iss. 5, 2012. Available at: http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878. Accessed: July 2^nd 2015.

[6] The Chartered Institute for IT, Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things” February 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[7] ARTICLE 29 Data Protection Working Party. (2014). Opinion 8/2014 on the on Recent Developments on the Internet of Things. European Commission. Retrieved May 20, 2015, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf

[8] Crawford, K., & Schultz, J. (2013). Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms (SSRN Scholarly Paper No. ID 2325784). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2325784

[9] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[10] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[11] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[12] Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), 239.

[13] Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).

[14] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[15] Information Commissioner's Office. (2014). Big Data and Data Protection. Infomation Commissioner's Office. Retrieved May 20, 2015, from https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf

[16] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[17] The Chartered Institute for IT and Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things”. February 14^th 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[18] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[19] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[20] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[21] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[22] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[23] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[24] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[25] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[26] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[27] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[28] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[29] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[30] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[31] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[32] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[33] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[34] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[35] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1^st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2^nd 2015.

[36] European Data Protection Supervisor. Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy. March 2014. Available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf

[37] SC Magazine. Harmonised EU data protection and fines by the end of the year. June 25^th 2015. Available at: http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/. Accessed: August 8^th 2015.

[38] Tom Jowitt, “Digital Platforms to be Included in EU Cybersecurity Law”. TechWeek Europe. August 7^th 2015. Available at: http://www.techweekeurope.co.uk/e-regulation/digital-platforms-eu-cybersecuity-law-174415

[39] Adam Tanner. Data Brokers are now Selling Your Car's Location for $10 Online. July 10^th 2013. Available at: http://www.forbes.com/sites/adamtanner/2013/07/10/data-broker-offers-new-service-showing-where-they-have-spotted-your-car/

For more details visit https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things

Right to Privacy in Peril

vipul — 2015-08-13T15:32:18Z

It seems to have become quite a fad, especially amongst journalists, to use this headline and claim that the right to privacy which we consider so inherent to our being, is under attack. However, when I use this heading in this piece I am not referring to the rampant illegal surveillance being done by the government, or the widely reported recent raids on consenting (unmarried) adults who were staying in hotel rooms in Mumbai. I am talking about the fact that the Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist.

In an order dated August 11, 2015 the Supreme Court finally gave in to the arguments advanced by the Attorney General and admitted that there is some “unresolved contradiction” regarding the existence of a constitutional “right to privacy” under the Indian Constitution and requested that a Constitutional Bench of appropriate strength.

The Supreme Court was hearing a petition challenging the implementation of the Adhaar Card Scheme of the government, where one of the grounds to challenge the scheme was that it was violative of the right to privacy guaranteed to all citizens under the Constitution of India. However to counter this argument, the State (via the Attorney General) challenged the very concept that the Constitution of India guarantees a right to privacy by relying on an “unresolved contradiction” in judicial pronouncements on the issue, which so far had only been of academic interest. This “unresolved contradiction” arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[1] and Kharak Singh v. State of U.P. & Others,[2] (decided by Eight and Six Judges respectively) the Supreme Court has categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[3] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India.[4] Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal & Another v. State of Tamil Nadu & Others,[5] (popularly known as Auto Shanker’s case) and People’s Union for Civil Liberties (PUCL) v. Union of India & Another.[6] However, as was noticed by the Supreme Court in its August 11 order, all these judgments were decided by two or three Judges only.

The petitioners on the other hand made a number of arguments to counter those made by the Attorney General to the effect that the fundamental right to privacy is well established under Indian law and that there is no need to refer the matter to a Constitutional Bench. These arguments are:

(i) The observations made in M.P. Sharma regarding the absence of right to privacy are not part of the ratio decidendi of that case and, therefore, do not bind the subsequent smaller Benches such as R. Rajagopal and PUCL.

(ii) Even in Kharak Singh it was held that the right of a person not to be disturbed at his residence by the State is recognized to be a part of a fundamental right guaranteed under Article 21. It was argued that this is nothing but an aspect of privacy. The observation in para 20 of the majority judgment (quoted in footnote 2 above) at best can be construed only to mean that there is no fundamental right of privacy against the State’s authority to keep surveillance on the activities of a person. However, they argued that such a conclusion cannot be good law any more in view of the express declaration made by a seven-Judge bench decision of this Court in Maneka Gandhi v. Union of India & Another.[7]

(iii) Both M.P. Sharma (supra) and Kharak Singh (supra) were decided on an interpretation of the Constitution based on the principles expounded in A.K. Gopalan v. State of Madras,[8] which have themselves been declared wrong by a larger Bench in Rustom Cavasjee Cooper v. Union of India.[9]

Other than the points above, it was also argued that world over in all the countries where Anglo-Saxon jurisprudence is followed, ‘privacy’ is recognized as an important aspect of the liberty of human beings. The petitioners also submitted that it was too late in the day for the Union of India to argue that the Constitution of India does not recognize privacy as an aspect of the liberty under Article 21 of the Constitution of India.

However these arguments of the petitioners were not enough to convince the Supreme Court that there is no doubt regarding the existence and contours of the right to privacy in India. The Court, swayed by the arguments presented by the Attorney General, admitted that questions of far reaching importance for the Constitution were at issue and needed to be decided by a Constitutional Bench.

Giving some insight into its reasoning to refer this issue to a Constitutional Bench, the Court did seem to suggest that its decision to refer the matter to a larger bench was more an exercise in judicial propriety than an action driven by some genuine contradiction in the law. The Court said that if the observations in M.P. Sharma (supra) and Kharak Singh (supra) were accepted as the law of the land, the fundamental rights guaranteed under the Constitution of India would get “denuded of vigour and vitality”. However the Court felt that institutional integrity and judicial discipline require that smaller benches of the Court follow the decisions of larger benches, unless they have very good reasons for not doing so, and since in this case it appears that the same was not done therefore the Court referred the matter to a larger bench to scrutinize the ratio of M.P. Sharma (supra) and Kharak Singh (supra) and decide the judicial correctness of subsequent two judge and three judge bench decisions which have asserted or referred to the right to privacy.

[1] AIR 1954 SC 300. In para 18 of the Judgment it was held: “A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction.”

[2] AIR 1963 SC 1295. In para 20 of the judgment it was held: “… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitutionand therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

[3] (1975) 2 SCC 148.

[4] It is interesting to note that while the decisions in both Kharak Singh and Gobind were given in the context of similar facts (challenging the power of the police to make frequent domiciliary visits both during the day and night at the house of the petitioner) while the majority in Kharak Singh specifically denied the existence of a fundamental right to privacy, however they held the conduct of the police to be violative of the right to personal liberty guaranteed under Article 21, since the Regulations under which the police actions were undertaken were themselves held invalid. On the other hand, while Gobind held that a fundamental right to privacy does exist in Indian law, it may be interfered with by the State through procedure established by law and therefore upheld the actions of the police since they were acting under validly issued Regulations.

[5] (1994) 6 SCC 632.

[6] (1997) 1 SCC 301.

[7] (1978) 1 SCC 248.

[8] AIR 1950 SC 27.

[9] (1970) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011

elonnai — 2015-08-11T07:01:12Z

Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.This blog provides an initial evaluation of how Big Data could impact India's current data protection standards.

Experts and regulators across the globe are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.

Below is an initial evaluation of how Big Data could impact India's current data protection standards.

India currently does not have comprehensive privacy legislation - but the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 formed under section 43A of the Information Technology Act 2000[1] define a data protection framework for the processing of digital data by Body Corporate. Big Data practices will impact a number of the provisions found in the Rules:

Scope of Rules: Currently the Rules apply to Body Corporate and digital data. As per the IT Act, Body Corporate is defined as "Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities."

The present scope of the Rules excludes from its purview a number of actors that do or could have access to Big Data or use Big Data practices. The Rules would not apply to government bodies or individuals collecting and using Big Data. Yet, with technologies such as IoT and the rise of Smart Cities across India – a range of government, public, and private organizations and actors could have access to Big Data.

Definition of personal and sensitive personal data: Rule 2(i) defines personal information as "information that relates to a natural person which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."

Rule 3 defines sensitive personal information as:

Password,
Financial information,
Physical/physiological/mental health condition,
Sexual orientation,
Medical records and history,
Biometric information

The present definition of personal data hinges on the factor of identification (data that is capable of identifying a person). Yet this definition does not encompass information that is associated to an already identified individual - such as habits, location, or activity.

The definition of personal data also addresses only the identification of 'such person' and does not address data that is related to a particular person but that also reveals identifying information about another person - either directly - or when combined with other data points.

By listing specific categories of sensitive personal information, the Rules do not account for additional types of sensitive personal information that might be generated or correlated through the use of Big Data analytics.

Importantly, the definitions of sensitive personal information or personal information do not address how personal or sensitive personal information - when anonymized or aggregated – should be treated.

Consent: Rule 5(1) requires that Body Corporate must, prior to collection, obtain consent in writing through letter or fax or email from the provider of sensitive personal data regarding the use of that data.

In a context where services are delivered with little or no human interaction, data is collected through sensors, data is collected on a real time and regular basis, and data is used and re-used for multiple and differing purposes - it is not practical, and often not possible, for consent to be obtained through writing, letter, fax, or email for each instance of data collection and for each use.

Notice of Collection: Rule 5(3) requires Body Corporate to provide the individual with a notice during collection of information that details the fact that information is being collected, the purpose for which the information is being collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information. Furthermore body corporate should not retain information for longer than is required to meet lawful purposes.

Though this provision acts as an important element of transparency, in the context of Big Data, communicating the purpose for which data is collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information could prove to be difficult to communicate as they are likely to encompass numerous agencies and change depending upon the analysis being done.

Access and correction: Rule 5(6) provides individuals with the ability to access sensitive personal information held by the body corporate and correct any inaccurate information.

This provision would be difficult to implement effectively in the context of Big Data as vast amounts of data are being generated and collected on an ongoing and real time basis and often without the knowledge of the individual.

Purpose Limitation: Rule 5(5) requires that body corporate should use information only of the purpose which it has been collected.

In the context of Big Data this provision would overlook the re-use of data that is inherent in such practices.

Security: Rule 8 states that any Body Corporate or person on its behalf will be understood to have complied with reasonable security practices and procedures if they have implemented such practices and have in place codes that address managerial, technical, operational and physical security control measures. These codes could follow the IS/ISO/IEC 27001 standard or another government approved and audited standard.

This provision importantly requires that data controllers collecting and processing data have in place strong security practices. In the context of Big Data – the security of devices that might be generating or collecting data and algorithms processing and analysing data is critical. Once generated, it might be challenging to ensure the data is being transferred to or being analysed by organisations that comply with such security practices as listed.

Data Breach : Rule 8 requires that if a data breach occurs, Body Corporate would have to be able to demonstrate that they have implemented their documented information security codes.

Though this provision holds a company accountable for the implementation of security practices, it does not address how a company should be held accountable for a large scale data breach as in the context of Big Data the scope and impact of a data breach is on a much larger scale.

Opt in and out and ability to withdraw consent : Rule 5(7) requires Body Corporate or any person on its behalf, prior to the collection of information - including sensitive personal information - must give the individual the option of not providing information and must give the individual the option of withdrawing consent. Such withdrawal must be sent in writing to the body corporate.

The feasibility of such a provision in the context of Big Data is unclear, especially in light of the fact that Big Data practices draw upon large amounts of data, generated often in real time, and from a variety of sources.

Disclosure of Information: Rule 6 maintains that disclosure of sensitive personal data can only take place with permission from the provider of such information or as agreed to through a lawful contract.

This provision addresses disclosure and does not take into account the “sharing” of information that is enabled through networked devices, as well as the increasing practice of companies to share anonymized or aggregated data.

Privacy Policy : Rule 4 requires that body corporate have in place a privacy policy on their website that provides clear and accessible statements of its practices and policies, type of personal or sensitive personal information that is being collected, purpose of the collection, usage of the information, disclosure of the information, and the reasonable security practices and procedures that have been put in place to secure the information.

In the context of Big Data where data from a variety of sources is being collected, used, and re-used it is important for policies to 'follow data' and appear in a contextualized manner. The current requirement of having Body Corporate post a single overarching privacy policy on its website could prove to be inadequate.

Remedy : Section 43A of the Act holds that if a body corporate is negligent in implementing and maintain reasonable security practices and procedures which results in wrongful loss or wrongful gain to any person, the body corporate can be held liable to pay compensation to the affected person.

This provision will provide limited remedy for an affected individual in the context of Big Data. Though important to help prevent data breaches resulting from negligent data practices, implementation of reasonable security practices and procedures cannot be the only hinging point for determining liability of a Body Corporate for violations and many of the harms possible through Big Data are not in the form of wrongful loss or wrongful gain to another person. Indeed many harms possible through Big Data are non-economic in nature – including physical invasion of privacy, and discriminatory practices that can arise from decisions based on Big Data analytics. Nor does the provision address the potential for future damage that can result from a 'Big Data data breach'.

The safeguards noted in the above section are not the only legal provisions that speak to privacy in India. There are over fifty sectoral legislation that have provisions addressing privacy - for example provisions addressing confidentiality of health and banking information. The government of India is also in the process of drafting a privacy legislation. In 2012 the Report of the Group of Experts on Privacy provided recommendations for a privacy framework in India. The Report envisioned a framework of co-regulation - with sector level self regulatory organization developing privacy codes (that are not lower than the defined national privacy principles) and that are enforced by a privacy commissioner.[2] Perhaps this method would be optimal for the regulation of Big Data- allowing for the needed flexibility and specificity in standards and device development. Though the Report notes that individuals can seek remedy from the court and the Privacy Commissioner can issue fines for a violation, the development of privacy legislation in India has yet to clearly integrate the importance of due process and remedy. With the onset of Big Data - this will become more important than ever.

Conclusion

The use and generation of Big Data in India is growing. Plans such as free wifi zones in cities[3], city wide CCTV networks with facial recognition capabilities[4], and the implementation of an identity/authentication platform for public and private services[5], are indicators towards a move of data generation that is networked and centralized, and where the line between public and private is blurred through the vast amount of data that is collected.

In such developments and innovations what is privacy and what role does privacy play? Is it the archaic inhibitor - limiting the sharing and use of data for new and innovative purposes? Will it be defined purely by legislative norms or through device/platform design as well? Is it a notion that makes consumers think twice about using a product or service or is it a practice that enables consumer and citizen uptake and trust and allows for the growth and adoption of these services?

How privacy will be regulated and how it will be perceived is still evolving across jurisdictions, technologies, and cultures - but it is clear that privacy is not being and cannot be overlooked. Governments across the world are reforming and considering current and future privacy regulation targeted towards life in a quantified society. As the Indian government begins to roll out initiatives that create a "Digital India" indeed a "quantified India", taking privacy into consideration could facilitate the uptake, expansion, and success of these practices and services. As the Indian government pursues the opportunities possible through Big Data it will be useful to review existing privacy protections and deliberate on if, and in what form, future protections for privacy and other rights will be needed.

[1]Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[2]Group of Experts on Privacy. (2012). Report of the Group of Experts on Privacy. New Delhi: Planning Commission, Government of India. Retrieved May 20, 2015, from http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[3] NDTV. “Free Public Wi-Fi Facility in Delhi to Have Daily Data Limit. NDTV, May 25^th 2015, Available at: http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857. Accessed: July 2^nd 2015.

[4]FindBiometrics Global Identity Management. “Surat Police Get NEC Facial Recognition CCTV System”. July 21^st 2015. Available at: http://findbiometrics.com/surat-police-nec-facial-recognition-27214/

[5]UIDAI Official Website. Available at: https://uidai.gov.in/

For more details visit https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011

Net Neutrality: India is a Keybattle Ground

praskrishna — 2015-09-20T07:08:42Z

Hardnews talks to Sunil Abraham, the executive director of the Centre for Internet and Society (CIS), about the future of the Internet in India.

The article by Abeer Kapoor was published in Hardnews on August 10, 2015.

There are competing definitions of net neutrality. What do you think an Indian definition of net neutrality should be?
It should be driven by an empirical understanding of the harms and benefits for Indian consumers. Any regulation should be based on evidence of harm. Forbearance should be the first option for any regulator. The second option is mandating transparency. The third option, as (Managing Director of the World Dialogue on Regulation for Network Economies Programme) William Melody says, should be raising competition before we consider other more intrusive regulatory measures such as price regulation, mandatory registration and licensing, etc. Telling network administrators how to run their networks should be the very last option we consider. Ideally, the Competition Commission of India should have started an investigation into the competition harms emerging from network neutrality violations. There are other harms emerging from network neutrality violations, such as free speech harms, diversity harms, innovation harms and privacy harms. These residual elements should have been the focus of the TRAI (Telecom Regulatory Authority of India) consultation paper process, the DoT (Department of Telecommunications) panel process and the consultations of the parliamentary standing committee.

There are certain rights that are essential, like privacy. How do you think the right to privacy will play into the definition of Indian net neutrality?
Deep packet inspection – which is a method that is used to manage Internet traffic and walled garden access via mobile applications – causes significant privacy harms and gives rise to a range of security vulnerabilities. These cannot be directly addressed in network neutrality policy. On privacy and security, it is not clear that the Indian situation is different from the global trend, so it is unlikely that we will have an India-specific privacy language in our network neutrality policy.

Privacy harms caused by network neutrality violations have to be addressed by enacting the privacy bill into law. The Department of Personnel and Training (DoPT) has been working on this Bill for the last five or six years. The latest draft has implemented the recommendations of the Justice AP Shah Committee. The last leak of the privacy Bill revealed that the DoPT has included the nine principles identified by the Shah Committee Report on Privacy. We hope that the government will introduce this Bill at the earliest. Section 43A of the IT Act may also need to be amended to address all the nine privacy principles.

The report drafted by DoT on net neutrality is ambiguous and almost reluctant to take a stand. What are the key points of this report?
The DoT panel report does take a stand. It clearly identifies network neutrality as a policy goal. Unfortunately, the panel did not provide its own definition of network neutrality, but instead quoted a definition submitted by civil society activists who testified before it without explicitly adopting it. The panel report examines zero rating and legitimate traffic management in quite a bit of detail and does prescribe some regulatory decision trees to the policymakers. When it comes to specialised services and walled gardens there could have been more detailed and specific recommendations. The biggest disappointment in the report is the call for licensing of those OTT (Over the Top) service providers that provide equivalent services to those provided by telcos. While the need to address regulatory arbitrage from the perspective of privacy and surveillance law may be virtuous, it may not be technically feasible to do so, especially if there is end-to-end encryption. Also, regulatory arbitrage could be addressed by reducing regulations for telcos rather than increasing them for OTT providers.

Do you think licensing and regulation of OTT services such as Google and WhatsApp are a necessity?
It is a myth that they exist in a regulatory vacuum. Many regulations do apply to them and a few of them do comply with Indian authorities on issues like speech regulation, legal interception and also data access. With competition law and taxation there is very little compliance. The trouble is not that there are regulatory vacuums, but rather that these services operate from foreign jurisdictions. Without offices, servers and human resources within the Indian jurisdiction it is very difficult for the courts to implement their orders, and for law enforcement to ensure compliance with Indian laws. This jurisdictional challenge affects most developing countries and not just India, and can only be solved by harmonising procedural and substantive law across jurisdictions, through the spread of soft norms, development of self-regulatory mechanisms using the multi-stakeholder models and through the creation of international law through various multilateral and pluri-lateral bodies.

The report reduces the neutrality debate to ‘access.’ Do you think this approach is reductive?
Access is very important in the Indian context so I don’t see how that is reductive. Many observers believe that the next round in the war for network neutrality will happen in the global South. India is a key battleground – what happens here will have global impact and implications. Network neutrality policies need to consider free speech, privacy, competition, diversity and innovation goals of the markets they seek to regulate. If we are not being doctrinaire about network neutrality we could adopt what (Professor of Internet & Media Law at the University of Sussex) Chris Marsden calls forward-looking “positive net neutrality” wherein “higher QoS (Quality of Service) for higher prices should be offered on fair, reasonable and non-discriminatory [FRAND] terms to all comers”. FRAND, according to Prof. Marsden, is well understood by the telcos and ISPs (Internet Service Providers) as it is the basis of common carriage. This understanding of network neutrality allows for technical and business model innovation by ISPs and telcos without the associated harms. There are zero-rating services being launched by Mozilla, Jaana, Mavin and others that are attempting to do this. I do not believe that they violate network neutrality principles, unlike Airtel Zero or Internet.org.

While this report attempts to arrive at a middle ground between the TSPs and the OTTs, how is this going to reflect in the government’s ‘Digital India’ programme?
We know we have a policy solution when all stakeholders are equally unhappy. But we also need an elegant solution that is easy to implement. Scholars like (Associate Professor of Computer Science at Columbia University) Vishal Mishra have a theoretical solution based on the Shapley Value, that assumes a multi-sided market model, but this may not work in real life. Professor V. Sridhar of the International Institute of Information Technology, Bengaluru (IIITB) has a very elegant idea of setting a ceiling and floor for price and speed and also for insisting on a minimum QoS of the whole of the Internet. These ideas I have not heard in the American and European debate around network neutrality. I remain hopeful that the Indian middle ground will be qualitatively different, given that the structure and constraints of the Indian telecom sector are very different from that in developed countries. Ensuring network neutrality is essential to the success of Digital India. Unfortunately, the Digital India plans that we have heard so far don’t make this explicitly clear.

The Internet was never meant to be monetised. Do you think that private players are eating into a public good that is absolutely necessary for development?
I have never heard that statement before. The Internet, after its early history, has been completely built using private capital. The public Internet has always been monetised. Collectively, the individual entrepreneurs and enterprises that build and run the components of the Internet have created a common public good – which is the globally interconnected network. But the motivation for private capital behind maintaining and building their corner or component of this network has also been profit maximisation.

What has contributed to the growing need to regulate and administer the Internet?
Technical advancements and business model innovations have resulted in both benefits and harms and therefore there could be a rationale for regulation. But more regulation per se is not a virtue and does not serve the interest of citizens and consumers. Expanding the regulatory scope of government infinitely will only result in failure, given the limited capacity and resources of the State. Therefore, whenever the State enters a new area of regulation it should ideally stop regulating in another area. In other words, there is no clear case that the regulation of the Internet is needed to keep growing exponentially – as evolving technologies may require specific regulation – if the resultant harms cannot be addressed using existing law. In most cases, traditional law is sufficient to deal with crimes and offences online.

This story is from the print issue of Hardnews: August 2015

For more details visit https://cis-india.org/internet-governance/news/hardnewsmedia-august-10-2015-abeer-kapoor-net-neutrality-india-is-a-keybattle-ground

CIS submission to the UNGA WSIS+10 Review

jyoti — 2015-08-09T16:24:04Z

The Centre for Internet & Society (CIS) submitted its comments to the non-paper on the UNGA Overall Review of the Implementation of the WSIS outcomes, evaluating the progress made and challenges ahead.

To what extent has progress been made on the vision of the peoplecentred, inclusive and development oriented Information Society in the ten years since the WSIS?
The World Summit on the Information Society (WSIS) in 2003 and 2005 played an important role in encapsulating the potential of knowledge and information and communication technologies (ICT) to contribute to economic and social development. Over the past ten years, most countries have sought to foster the use of information and knowledge by creating enabling environment for innovation and through efforts to increase access. There have been interventions to develop ICT for development both at an international and national level through private sector investment, bilateral treaties and national strategies.

However, much of the progress made in the past ten years in terms of getting people connected and reaping the benefits of ICT has not been sufficiently peoplecentred, nor have they been sufficiently inclusive.

These developments have not been sufficiently peoplecentred, since governments across the world have been using the Internet as a monumental surveillance tool, invading people’s privacy without legitimate justifications, in an arbitrary manner without due care for reasonableness, proportionality, or democratic accountability. These developments have not been sufficiently peoplecentred, since the largest and most profitable Internet businesses — businesses that have more users than most nationstates have citizens, yet have one-sided terms of service — have eschewed core principles like open standards and interoperability that helped create the Internet and the World Wide Web, and instead promote silos.

We still reside in a world where development has been very lopsided, and ICTs have contributed to reducing some of these gulfs, while exacerbating others. For instance, persons with visual impairment are largely yet to reap the benefits of the Information Society due to a lack of attention paid to universal, while sighted persons have benefited far more; the ability of persons who don’t speak a language like English to contribute to global Internet governance discussions is severely limited; the spread of academic knowledge largely remains behind prohibitive paywalls.

As ICTs have grown both in sophistication and reach, much work remains to achieve the peoplecentred, inclusive and developmentoriented information society envisaged in WSIS. While the diffusion of ICTs has created new opportunities for development, even today less than half the world has access to broadband (with only eleven per cent of the world’s population having access to fixed broadband). See International Telecommunication Union, ICT Facts and Figures: The World in 2015.

Ninety per cent of people connected come from the industrialized countries — North America (thirty per cent), Europe (thirty per cent) and the AsiaPacific (thirty per cent). Four billion people from developing countries remain offline, representing two-thirds of the population residing in developing countries. Of the nine hundred and forty million people residing in Least Developed Countries (LDCs), only eighty-nine million use the Internet and only seven per cent of households have Internet access, compared with the world average of forty-six per cent. See International Telecommunication Union, ICT Facts and Figures: The World in 2015. This digital divide is first and foremost a question of access to basic infrastructure (like electricity).

Furthermore, there is a problem of affordability, all the more acute since in the South in comparison with countries of the North due to the high costs related to access to the connection. Further, linguistic, educational, cultural and content related barriers are also contributing to this digital divide. Growth of restrictive regimes around intellectual property, vision of the equal and connected society. Security of critical infrastructure with in light of ever growing vulnerabilities, the loss of trust following revelations around mass surveillance and a lack of consensus on how to tackle these concerns are proving to be a challenge to the vision of a connected information society. The WSIS+10 overall review is timely and a much needed intervention in assessing the progress made and planning for the challenges ahead.

There were two bodies as major outcomes of the WSIS process: the Internet Governance Forum and the Digital Solidarity Fund, with both of these largely failing to achieve their intended goals. The Internet Governance Forum, which is meant to be a leading example of “multi-stakeholder governance” is also a leading example of what the Multi-stakeholder Advisory Group (MAG) noted in 2010 as “‘black box’ approach”, with the entire process around the nomination and selection of the MAG being opaque. Indeed, when CIS requested the IGF Secretariat to share information on the nominators, we were told that this information will not be made private. Five years since the MAG lamented its own blackbox nature, things have scarcely improved. Further, analysis of MAG membership since 2006 shows that 26 persons have served for 6 years or more, with the majority of them being from government, industry, or the technical community. Unsurprisingly, 36 per cent of the MAG membership has come from the WEOG group, highlighting both deficiencies in the nomination/selection
process as well as the need for capacity building in this most important area. The Digital Solidarity Fund failed for a variety of reason, which we have analysed in a separate document annexed to this response.

What are the challenges to the implementation of WSIS outcomes?

Some of the key areas that need attention going forward and need to be addressed include:

Access to Infrastructure

Developing policies aimed at promoting innovation and increasing affordable access to hardware and software, and curbing the ill effects of the currentlyexcessive patent and copyright regimes.

Focussing global energies on solutions to lastmile access to the Internet in a manner that is not decoupled from developmental ground realities.
This would include policies on spectrum sharing, freeing up underutilized spectrum, and increasing unlicensed spectrum.
This would also include governmental policies on increasing competition among Internet providers at the last mile as well as at the backbone (both nationally and internationally), as well as commitments for investments in basic infrastructure such as an openaccess national fibreoptic backbone where the private sector investment is not sufficient.
Developing policies that encourage local Internet and communications infrastructure in the form of Internet exchange points, data centres, community broadcasting.

Access to Knowledges

As the Washington Declaration on IP and the Public Interest5 points out, the enclosure of the public domain and knowledge commons through expansive “intellectual property” laws and policies has only gotten worse with digital technologies, leading to an unjust allocation of information goods, and continuing royalty outflows from the global South to a handful of developing countries. This is not sustainable, and urgent action is needed to achieve more democratic IP laws, and prevent developments such as extra judicial enforcement mechanisms such as digital restrictions management systems from being incorporated within Web standards.
Aggressive development of policies and adoption of best practices to ensure that persons with disabilities are not treated as secondgrade citizens, but are able to fully and equally participate in and benefit from the Information Society.
Despite the rise of video content on the Internet, much of that has been in parts of the world with already high literacy, and language and illiteracy continue to pose barriers to full usage of the Internet.
While the Tunis Agenda highlighted the need to address communities marginalized in Information Society discourse, including youth, older persons, women, indigenous peoples, people with disabilities, and remote and rural communities, but not much progress has been seen on this front.

Rights, Trust, and Governance

Ensuring effective and sustainable participation especially from developing countries and marginalised communities. Developing governance mechanisms that are accountable, transparent and provide checks against both unaccountable commercial interests as well as governments.
Building citizen trust through legitimate, accountable and transparent governance mechanisms.
Ensuring cooperation between states as security is influenced by global foreign policy, and is of principal importance to citizens and consumers, and an enabler of other rights.
As the Manila Principles on Intermediary Liability show, uninformed intermediary liability policies, blunt and heavy handed regulatory measures, failing to meet the principles of necessity and proportionality, and a lack of consistency across these policies has resulted in censorship and other human rights abuses by governments and private parties, limiting individuals’ rights to free expression and creating an environment of uncertainty that also impedes innovation online. In developing, adopting, and reviewing legislation, policies and practices that govern the liability of intermediaries, interoperable and harmonized regimes that can promote innovation while respecting users’ rights in line with the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and the United Nations Guiding Principles on Business and Human Rights are needed and should be encouraged.
An important challenge before the Information Society is that of the rise of “quantified society”, where enormous amounts of data are generated constantly, leading to great possibilities and grave concerns regarding privacy and data protection.
Reducing tensions arising from the differences between cultural and digital nationalism including on issues such as data sovereignty, data localisation, unfair trade and the need to have open markets.
Currently, there is a lack of internationally recognized venues accessible to all stakeholders for not only discussing but also acting upon many of these issues.

What should be the priorities in seeking to achieve WSIS outcomes and progress towards the Information Society, taking into account emerging trends?
All the challenges mentioned above should be a priority in achieving WSIS outcomes and ensuring innovation to lead social and economic progress in society. Digital literacy, multilingualism and addressing privacy and user data related issues need urgent attention in the global agenda. Enabling increased citizen participation thus accounting for the diverse voices that make the Internet a unique medium should also be treated as priority. Renewing the IGF mandate and giving it teeth by adopting indicators for development and progress, periodic review and working towards tangible outcomes would be beneficial to achieving the goal of a connected information society.

What are general expectations from the WSIS + 10 High Level Meeting of the United Nations General Assembly?
We would expect the WSIS+10 High Level Meeting to endorse an outcome document that seeks to d evelop a comprehensive policy framework addressing the challenges highlighted above . It would also be beneficial, if the outcome document could identify further steps to assess development made so far, and actions for overcoming the identified challenges. Importantly, this should not only be aimed at governments, but at all stakeholders. This would be useful as a future road map for regulation and would also allow us to understand the impact of Internet on society.

What shape should the outcome document take?
The outcome document should be a resolution of the UN General Assembly, with high level policy statements and adopted agreements to work towards identified indicators. It should stress the urgency of reforms needed for ICT governance that is democratic, respectful of human rights and social justice and promotes participatory policymaking. The language should promote the use of technologies and institutional architectures of governance that ensure users’ rights over data and information and recognize the need to restrict abusive use of technologies including those used for mass surveillance. Further, the outcome document should underscore the relevance of the Universal Declaration of Human Rights, including civil, political, social, economic, and cultural rights, in the Information Society.

The outcome document should also acknowledge that certain issues such as security, ensuring transnational rights, taxation, and other such cross jurisdictional issues may need greater international cooperation and should include concrete steps on how to proceed on these issues. The outcome document should acknowledge the limited progress made through outcome-less multi-stakeholder governance processes such as the Internet Governance Forum, which favour status quoism, and seek to enable the IGF to be more bold in achieving its original goals, which are still relevant. It should be frank in its acknowledgement of the lack of consensus on issues such as “enhanced cooperation” and the “respective roles” of stakeholders in multi-stakeholder processes, as brushing these difficulties under the carpet won’t help in magically building consensus. Further, the outcome document should recognize that there are varied approaches to multi-stakeholder governance.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-unga-wsis-review

India partially lifts Porn Ban?

praskrishna — 2015-09-20T06:30:34Z

India is said to have partially removed the porn ban. But many internet service providers have refused to restore access, due to a 'vague' government order.

The blog post by Nazhat Khan was published in DESI blitz on August 7, 2015.

India has partially lifted the ban of online pornography, just days after blocking user access to 857 adult websites.

The Indian government enforced the ban on July 30, 2015, only to reverse its decision on August 4, 2015. Ravi Shankar Prasad, the Communications and IT Minister, clarifies the ban only targets websites promoting child pornography.

He says: “A new notification will be issued shortly. The ban will be partially withdrawn. Sites that do not promote child porn will be unbanned.” Under the new order, internet service providers (ISPs) in India are allowed to unblock these 857 websites – except for those that contain child pornography.

This has caused another outrage. ISPs complain it is not within their capability and responsibility to do so. Internet Service Providers Association of India (ISPAI) explains: “ISPs have no way or mechanism to filter out child pornography from URLs, and the further unlimited sub-links.

“Hence, we request your good self to advise us immediately on the future course of action in this regard.

“Till your further directive, the ISPs are keeping the said 857 URLs disabled.”

An executive at an Indian ISP tells the Wall Street Journal: “How can we go ahead? What if something comes up tomorrow [on one of these sites], which has child porn, or something else?”

Pranesh Prakash, policy director at the Centre for Internet and Society, points out it is not right for the government to pass the ball over to private companies.

He says: “The onus cannot be put on the service providers. What the government is doing is inherently unfair, it is not what the law requires.” In effect, porn sites in India are still blocked. The Supreme Court and senior officials are yet to provide clearer directives for ISPs.

For more details visit https://cis-india.org/internet-governance/news/desi-blitz-august-7-2015-nazhat-khan-india-partially-lifts-porn-ban

Genetic Profiling: Is it all in the DNA?

praskrishna — 2015-09-13T09:47:17Z

A Bill seeks to make genetic profiling mandatory for the fight against crime—and generates a debate about the clash of ethics, freedom, science and data.

The article by Ullekh NP was published in Open Magazine on August 7, 2015. Sunil Abraham gave his inputs.

When British geneticist Sir Alec Jeffreys first developed the DNA profiling test 31 years ago in his laboratory at Leicester University, he didn’t help the police prove a man guilty. His test—back then it took weeks to complete DNA profiling procedures as opposed to a few hours now—proved that a rape suspect in police custody was innocent. Details from the whole exercise also subsequently helped the local police nab the real criminal, who had killed his teenaged rape victim. Later, the police found that he was the one who had committed a similar crime three years earlier in a village nearby. Britain was destined to make great gains in solving crimes thanks to DNA identification, while the rest of the developed world, including the US, caught up later, but only after lagging initially thanks to the relentless—and sometimes ill-founded—opposition from civil liberties activists. In India, the Human DNA Profiling Bill, 2015, a proposed law that envisages collecting DNA finger prints—which are unique to an individual—especially of criminals, has been in the making for the past 12 years. The draft bill, which will shortly be placed before the Union Cabinet for its nod, has been prepared by the Department of Biotechnology and the Centre for DNA Fingerprinting & Diagnostics (CDFD), a Hyderabad-based Central Government-run agency, after examining and reviewing submissions by a panel of experts, holding consultations with various stakeholders and getting responses from the public. Notwithstanding the claims of safeguards against any misuse of the intended DNA data base, activists, lawyers, internet freedom fighters, civil liberty activists and columnists have been up in arms against the Government, arguing that the DNA profiling bill is ill- conceived and naïve—to the extent that it would destroy an individual’s right to privacy as it lacks provisions to check data tampering.

The international experience has proved otherwise. Ever since Sir Jeffreys extracted DNA from human muscle tissue, identified and processed genetic markers (which are unique to individuals except in the case of identical twins) from what was until then considered ‘seemingly purposeless segments of the human DNA’ in the words of writers Peter Reinharz and Howard Safir, more than 500,000 ‘otherwise unsolvable’ cases have been solved in the developed world thanks to the DNA identification, note CDFD scientists. DNA is the hereditary material in the human body. It is found in blood, saliva, urine, strands of hair, semen, tears, skin, etcetera.

Dr Madhusudan Reddy Nandineni, staff scientist and group leader, laboratory of DNA fingerprinting services and laboratory of genomics and profiling applications, CDFD, is worried that opposition to the Bill is gaining momentum in India due to a raft of reasons. Of course, the West, too, has witnessed sharp protests against DNA profiling laws. One of the key reasons anti-profiling activists have an edge, says a senior Home Ministry official who asks not to be named, is that there is a “general public anxiety” over “anything to do with disclosing personal details”. He agrees that the tests are going to be intrusive, because muscle tissue may have to be collected from private parts. The procedure of DNA sample collection—as explained in the draft Bill submitted in January by a committee headed by TS Rao, senior adviser to the department of biotechnology—talks about obtaining intimate body samples of living persons (on page 6-7 of the 48- page document) from ‘the genital or anal area, the buttocks and also breasts in the case of a female’. According to the draft Bill, it also involves external examination of private parts, taking samples from pubic hair or by swabs or washing or by vacuum suction, by scraping or by lifting by tape and taking of a photograph or video recording of, or an impression or cast of a wound in those areas. “But then, it is par for the course,” says the Home Ministry official by way of justification.

American military historian and author Edward Luttwak agrees that DNA profiling is a significant intrusion into the “very body of a citizen”. That is the price one has to pay in the choice between liberty and equality before investigation, he posits. Luttwak is glad that in the US, as well as in other countries that have such profiling laws, DNA identification has yielded results. “It protects suspicious/ low status but innocent people from false accusations and helps to catch clever/high-status law-breakers,” he says.

+++

For his part, Dr Nandineni says that every aspect of the Human DNA Profiling Bill for India is based on similar legislation that has already been implemented in the US, Canada, UK, Australia and Continental Europe for more than 20 years. He also contends that the benefits that have accrued there are enormous, which India has missed out on for all these years. “In all these countries, the concerns of the general public on privacy matters have been allayed in their legislation,” he adds. He points out that the retention of DNA profiles in a ‘DNA Data Bank’ is meant to apprehend repeat offenders and thus serve a larger societal good. As regards privacy concerns, Dr Nandineni says that consultations on the preparations of the Bill lasted for 2-3 years and took into account the views of an expert committee whose members included representatives of NGOs.

Dr Nandineni is of the view that the opponents of the Bill have managed to get an upper hand in a national debate thanks to their media-savvy backgrounds. Agrees the Home Ministry official: “Perhaps the drafters of the Bill have not been communicative enough in getting their points across to the public and the media. Which might explain why the Bill has come under tremendous attack in the media. Even otherwise, global trends also show that civil liberty rights activists have had great initial advantage in their campaign against DNA profiling.” After all, the potential for misuse of DNA samples is not restricted to biological material collected under the provisions of the DNA Bill alone, Nandineni offers. “Any and every blood sample collected by a clinical laboratory has the same potential for misuse,” he says.

While Dr J Gowrishankar, director, CDFD, has been vocal about the positives of the Bill, its opponents have been louder. Many of those who oppose the Bill say the question is not one of being loud or feeble, but about being naïve or not.

The likes of Sunil Abraham, executive director of Bangalore-based internet research organisation Centre for Internet and Society (CIS), have no argument against DNA profiling being the gold standard for all forensic investigations. “There is nothing wrong with using DNA evidence for forensic purposes,” says Abraham, “However, the draft Bill is filled with techno-utopianism; it assumes that the people and machines that leverage DNA technologies are infallible.” He goes on, “This is not true. It is easier to tamper with DNA evidence than it is to tamper with a video recording. Therefore, all we are asking for are process checks that prevent compromised persons and machines from using DNA evidence to convict or exonerate the wrong person.” His contention is that if the DNA sample is sent to two different labs and both labs come back with exactly the same result, then the courts can be convinced of the veracity of the result. “Also the Bill says that DNA labs will give courts ‘yes’ or ‘no’ answers to questions related to DNA matching. But ideally, the lab must give the exact match percentage along with all the detailed information that emerges from the match process so that the court can fully appreciate the significance of the DNA evidence,” he suggests.

Abraham and legal scholar Usha Ramanathan—both members of the expert panel who filed notes of dissent and disagreed with various aspects of the Bill—have a problem with the claim that the proposed DNA data bank will cover only criminals and not the general public. Points out Ramanathan: “The Bill does not restrict the data base to criminals alone, not by a long shot. The provision in the proposed Bill reads: ‘(Clause 31(4)) Every DNA Data Bank shall maintain following indices for various categories of data, namely: (a) a crime scene index; (b) a suspects’ index; (c) an offenders’ index; (d) a missing persons’ index; (e) unknown deceased persons’ index; (f) a volunteers’ index; and (g) such other DNA indices as may be specified by regulations.’ That is an elaborate set of indices. There is certainly a lot of the ‘general public’ in it.”

Supporters of the DNA Profiling Bill have maintained that a DNA data bank is not for the public but only for a limited category of individuals. The proposed law also provides for storing profiles with the consent of relatives of missing children and grownups so that relationship identities can be established.

Ramanathan is also worried that apart from purposes of criminal justice, DNA profiling may be extended to parental disputes (maternity or paternity), issues related to pedigree, those related to assisted reproductive technologies (surrogacy, in vitro fertilisation or IVF, intrauterine implantation or IUI, and so on), to transplantation of human organs (donor and recipient) under the Transplantation of Human Organs Act, 1994, and also related to immigration or emigration. She had objected to the requirement of revealing a person’s caste in the application form for offering blood samples. “This Bill is certainly not a convict data base. The ambitions are much much vaster, and little to do with crime control,” she alleges.

Abraham agrees that some safeguards have been built in the proposed law to prevent any misuse of DNA data under pressure from expert panel members such as him. However, he says, cyber security and privacy-related issues are not addressed in a comprehensive manner. “The Bill basically hopes that the Privacy Bill will address all of this when it becomes law. But unfortunately, a bill could take 7-10 years before it becomes law,” he says.

Dr Gowrishankar of CDFD and others have conceded that it was the decision of the expert panel to include an enabling provision for the privacy issues of DNA profiling to comply with the proposed Privacy Bill.

Abraham says that various measures to prevent ‘privacy harms’ to volunteers are missing in the latest draft of the Bill. “Given that biometric technology works on probabilistic matching, the larger the size of the database, the larger the incidence of mistaken identification. Therefore it is important that the database remain as small as necessary,” he asserts.

+++

The estimated cost of the Bill is Rs 20 crore—to create the infrastructure for the DNA Profiling Board and the data bank, which includes buildings, furniture, computer servers and so on. Among other things, the DNA Profiling Board is tasked with the responsibility of laying down and implementing standards for laboratories and proper protocols for ‘Data Bank’ operations.

CDFD scientists and government officials are keen to highlight the ‘under- hyped’ benefits of DNA profiling –similar to the Innocence Project in the US, which was aimed at securing the release of people who were erroneously convicted on the basis of other lines of evidence. Abraham has no patience for such comparisons. “DNA profiling for forensic purposes is very advanced and sophisticated, but technologies do not exist in a vacuum,” he says, “These advanced technologies have to work within traditional institutions with vulnerabilities and flaws. We need to, therefore, have non-technological procedural fixes that ensure that these technologies are not compromised by money and power. The choice is between the right to privacy and the rights and requirements of the criminal justice process.”

Ramanathan agrees with that view. “In the Indian context, the state of investigation is so poor that we have been looking for ways of circumventing our problems, not addressing them. That is how narco-analysis began to be used, till the court struck it down. DNA may be more reliable than most other scientific tools available to us today, but it is not all about the science. We also have to worry about contamination, what happens in the chain of custody, its potential for being planted or otherwise abused, and the errors even in the laboratory. You may remember the avowed mix-up of results in the Aarushi [Talwar murder] case, something the lab said they noticed over two years after they had given it to the investigators. The danger of treating DNA as conclusive and not needing corroboration is exacerbated in this kind of a vulnerable system. Which is why bringing this into a DNA data base law and not putting any checks on criminal procedure is less than wise,” she elaborates. She is least impressed with the ‘idea’ of ‘pedigree’ and of ‘population genetics’ in the Bill. “Institutions like the CDFD have been collecting DNA from suspects and asking for the caste of the person on the form. How does this seem innocent and safeguarded?” she asks.

Meanwhile, columnist and author Salil Tripathi says that it is sheer hubris to think that technology will provide all the answers to crime-fighting. “Tech- nology is enormously useful and powerful, but it is value-neutral; it can be used for good or bad ends… There have to be sufficient safeguards, overseen not only by technologists, law enforcement officers and bureaucrats, but also by lawyers and civil liberties experts, who can point out potential flaws and misuse and prevent those.”

Tripathi, too, is piqued that one of the markers sought is of caste. “Why?” he asks, emphatic that the country’s people should be concerned about allowing the state so much power over their lives. “And it may not be only the state; given that the scope of its future expansion is undefined, what guarantees are there that private actors won’t have access to the data, and if so, what security protocols would apply?”

Dr Gowrishankar and Dr Nandineni are right in saying that without DNA fingerprinting, many international criminals would still be at liberty, and the opponents of the Bill do not disagree with the efficacy of the technique developed by Sir Jeffreys. Instead, they are placing the spotlight on various objectionable aspects in the proposed law. In a country which first needs—according to former RAW chief Vikram Sood—to ensure access to Photofit (a technique to create an accurate image of a person that gels with a witness’ description) for its ground-level police operatives to combat crime, critics of the Bill seem to have won the war of words.

For more details visit https://cis-india.org/internet-governance/news/open-magazine-august-7-2015-ullekh-np-genetic-profiling

Ban on pornography temporary, says government

pranesh — 2015-09-13T08:46:24Z

The government has taken a dramatic U-turn from its stated position on internet pornography.

The article was published in Business Standard on August 4, 2015. Pranesh Prakash has been quoted.

A year after conveying to the Supreme Court that a blanket ban on internet pornography was not possible, through the department of electronics and information technology, it has asked internet providers to disable 857 websites that carry adult content. A senior official from the department of telecommunications (DoT) said the ban was a temporary measure, till the final order is announced by the apex court on August 10.

The government is looking at setting up an ombudsman to oversee cyber content, which will have representatives from NGOs, child activists and the government. The DoT official said, “There has to be some kind of regulatory oversight away from the government intervention… An ombudsman might be set up for overseeing cyber related content issues.”

The genesis of the current notification lies in the public interest litigation (PIL) filed by advocate Vijay Panjwani in April 2013. The PIL has sought curbs on these websites on the internet, especially the ones showing child pornography. The senior DoT official conveyed that the blocking of 857 websites was in compliance with the SC directive asking for measures to block porn sites, particularly those dealing with child pornography.

The July 31 notification from DoT has advised internet service licensees to disable content on 857 websites, as the content "hosted on these websites relates to morality and decency as given in Article 19(2) of the Constitution of India". The government had stated last year that it was not technologically feasible to monitor such contents as it would require physical intervention, which would impact data speeds.

In December 2014, the government had approached telecom providers and internet service providers to help identify such sites, but the service providers did not cooperate. Consequently, the government has gone ahead and identified 857 websites. However, the government has not given any detail as what was the criterion to identify such websites.

Pranesh Prakash, policy director at the Centre for Internet and Society, says DoT has used the provision of 79 (3) (b) of the IT Act, which is a convoluted Section that the intermediatory (ISPs) may lose protection from liability. This section is very convulated, the provisions for website blocking does not allow blocking porn. In section 69 (a), the entire procedure is that it allows an opportunity for the blocked website to be heard. “I can't comment on the reasons that the government for doing this. I know the order says the ban relates to morality, decency," adds Prakash.

Last year, the government took a position that said blocking these websites was not feasible, given that these sites are hosted outside India. In case of any ban, these sites can be relocated within hours to bypass it. Pavan Duggal, an advocate who specialises in cyber laws, has called the disablement 'cosmetic,' as it will not have the requisite deterrent effect. Duggal says: "This is a lost battle from the word go, as it is impossible to disable access permanently."

Watching such content in India is currently not an offence and, thus, the government is invoking “morality and decency” while seeking a curb on a fundamental right — Freedom of Speech & Expression. Under Article 19 (2) of the Constitution, the state can curb a fundamental right in order to maintain public order, decency or morality.

TO BAN OR NOT TO BAN

2013

Advocate Vijay Panjwani & Kamlesh Vaswani file PIL seeking curbs on internet pornography

Aug 2014

Supreme Court bench under Chief Justice R M Lodha agreed with the PIL and sought strict laws to curb online content

8 Jul 2015

Chief Justice of India H L Dattu upholds personal liberty and refuses to pass an interim order. Asks government to take a stand on the issue
CJI, heading a three-judge Bench, asks government to a detailed affidavit within four weeks

Jul 31

DoT sends notification seeking ban on 857 websites
Currently, there are no laws banning internet pornography in India, other than those related to children
Government’s stated position has been that it is difficult to curb online content

For more details visit https://cis-india.org/internet-governance/news/business-standard-august-4-2015-ban-on-pornography-temporary-says-government

Indian Porn Ban is Partially Lifted But Sites Remain Blocked

pranesh — 2015-09-13T09:00:03Z

The Indian government made a quick about-face on its order to block hundreds of pornography websites on Tuesday, partially lifting the ban after political backlash against the moral policing.

The article was published in Wall Street Journal on August 5, 2015. Pranesh Prakash gave his inputs.

But the websites remained blocked because Internet service providers were afraid of legal trouble.

The new order from the Department of Telecommunications said that Internet service providers could unblock any of the 857 websites, so long as they don’t contain child pornography. However, the websites remain blocked because service providers say they have no way of knowing whether they contain child porn, and no control over whether they will in the future.

Ravi Shankar Prasad, the IT minister, said Tuesday night that the government would trim down the list of banned sites, to focus only on those that contain child porn.

“A new notification will be issued shortly. The ban will be partially withdrawn. Sites that do not promote child porn will be unbanned,” said Mr. Prasad on the TV news channel India Today.

The wording of the new order created confusion, because it appears to put the responsibility for policing the Internet for child pornography on service providers.

“How can we go ahead? What if something comes up tomorrow [on one of these sites], which has child porn, or something else?,” said an executive at an Indian service provider who asked not to be named.

“The onus cannot be put on the service providers. What the government is doing is inherently unfair, it is not what the law requires,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bangalore-based civil liberties advocacy group. It is the government’s job to determine what violates the law, not private companies, Mr. Prakash said.

For more details visit https://cis-india.org/internet-governance/news/the-wall-street-journal-august-5-2015-sean-mclain-indian-porn-ban-is-partially-lifted-but-sites-remain-blocked

Porn block in India sparks outrage

pranesh — 2015-08-05T02:10:46Z

India’s government has triggered a storm of protest after blocking 857 alleged pornography websites, with privacy and internet freedom campaigners, as well as consumers, condemning the move as arbitrary and unlawful.

The article by Amanda Hodge was published in the Australian on August 5, 2015. Pranesh Prakash gave his inputs.

The order, enforced since Sunday by the country’s main internet service providers, comes amid debate about the influence of pornography on sex crime in India, and as the Supreme Court considers a petition by lawyer Kamlesh Vaswani to ban pornographic websites that harm children.

The government has been forced to defend the move, saying it was taken in response to Supreme Court criticism at inaction against child pornography websites, although the Supreme Court itself has refused to impose any interim ban while it considers the petition. The websites — a fraction of the world’s millions of internet pornography sites — will remain blocked until the government figures out how to restrict access, a spokesman said.

Critics have slammed the measure as unconstitutional and pointed out the list includes adult humour sites that contain no pornographic content. Others have suggested it is another intrusion into the private lives of ordinary Indians by an administration intent on pushing a puritanical Hindu agenda, citing the recent ban on beef in several states and an alleged “Hindu-isation” of school textbooks.

That prompted outrage from Telecom Minister Ravi Shankar Prasad. “I reject with contempt the charge that it is a Talibani government. Our government supports free media, respects communication on social media and has respected freedom of communication always,” he said.

While India has no law preventing citizens accessing internet pornography, regulations do restrict the publishing of “obscene information in electronic form”. Centre for Internet and Society policy director Pranesh Prakash told The Australian yesterday that some elements of that act were welcome — such as prohibition of child pornography and the uploading of a person’s private parts without consent — but “the provisions relating to ‘sexually explicit materials’ are far too broad, with no exceptions made for art, architecture, education or literature”.

Mr Prakash said the pornography ban amounted to an “abdication of the government’s duty”, given the list of sites blocked was provided on request to the government by one of the Vaswani petitioners. “The additional solicitor-general essentially asked one of the petitioners to provide a list of websites, which she passed on to the Department of Information Technology, which in turn passed to Department of Telecommunications asking for them to be blocked or disabled.

“That is not acceptable in a democracy where it is not the government which has actually found any of these websites to be unlawful.” Mr Prakash also criticised the secrecy surrounding the order, which he said contravened Indian law requiring a public declaration of any intended ban so that it might be challenged. The bans were made under “Rule 12” of India’s IT Act, which empowers the government to force ISPs to block sites when it is “necessary or expedient”.

For more details visit https://cis-india.org/internet-governance/news/the-australian-news-august-5-2015-amanda-hodge-porn-block-in-india-sparks-outrage

Porn ban: People will soon learn to circumvent ISPs and govt orders, expert says

pranesh — 2015-08-05T01:47:52Z

The article by Karthikeyan Hemalatha was published in the Times of India on August 2. Pranesh Prakash gave inputs.

The government used other sections of the Act to circumvent this provision. Sources in the Department of Telecommunication, which comes under the ministry of communications and information technology, said a notification had been issued under Section 79 (b) of IT Act under which internet service providers could be penalized for not following government orders. "Though the section protects an internet service provider (ISP) from legal action for the content it may allow, it can be penalized for not following government orders to ban them," said Prakash.

Last month, the Supreme Court declined to pass an interim order to block websites which have pornographic content. "Such interim orders cannot be passed by this court. Somebody may come to the court and say 'look I am above 18 and how can you stop me from watching it within the four walls of my room?' It is a violation of Article 21 [right to personal liberty]," said Chief Justice H L Dattu.

The judge was reacting to a public interest litigation filed by advocate Kamlesh Vashwani who was seeking to block porn websites in the country. "The issue is definitely serious and some steps need to be taken. The Centre is expected to take a stand. Let us see what stand the Centre will take," the Chief Justice said and directed the Centre to reply within four weeks. Over the weekend, the stance became clear.

Sources also say that Section 19 (2) of the Constitution was used for the ban. The section allows the government to impose "reasonable restrictions in the interest of sovereignty and integrity of India, security of the state, decency or morality or in relation to contempt of court."

For netizens, the government could actually be providing crash courses on proxy sites. "This is the best way to teach people on how to circumvent ISPs and government orders," said Prakash, adding that real abusive porn sites might still be available.

"There is no dynamic mechanism to block all sites with pornographic content. The government has to individually pick URLs (uniform resource locator) to ban websites. Right now, only popular websites have been banned and the little known abusive sites like those that propagate revenge porn or child porn," said Prakash. "No ban can be comprehensive," he added.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-august-2-2015-karthikeyan-hemalatha-porn-ban

Nanny state rules porn bad for you

praskrishna — 2015-08-05T01:39:28Z

The article by Anahita Mukherji was published in the Times of India on August 4, 2015. Pranesh Prakash gave his inputs.

Half a century ago, India banned the DH Lawrence classic, Lady Chatterley's Lover. The ban, though lambasted for its Victorian view of modesty and obscenity, was fair and square; the matter was debated in the Supreme Court, which upheld the ban. Over 50 years later, a diverse spectrum of civil society has slammed a much more insidious and far less transparent ban on internet pornography.

For starters, the 857 sites that vanished from India's internet sphere haven't been officially banned, they just don't show up when you type the url. The order blocking them isn't public. For a list of the 857 sites, one must rely on leaked documents put out on Twitter by Pranesh Prakash, policy director, Centre for Internet and Society. "The ban on Lady Chatterley's Lover was public. As for the blocked websites, the government has gone out of its way to hide the list of sites pulled down. A secret order banning material violates all principles of transparency in a democracy," says Prakash.

The document, with 'Restricted' written on it, is a letter from the department of telecom asking ISPs to disable 857 sites as they bear content related to "morality" and "decency," violating Article 19 (2).

Strangely, the order's been issued under Sec 79 (3)(b) of the IT Act dealing with intermediaries having to remove material used to commit unlawful acts. "Watching porn isn't illegal in India. Disseminating 'obscene' content can be illegal, but for that, the government must file a case against the sites, and they must be allowed a representation," says Prakash.

"Sec 79 (3)(b) of the IT act isn't the section under which governments can block sites. It should use Sec 69 that has a review process," says Nikhil Pahwa, a champion of internet freedom.

The government drew up its list of 857 sites even as SC is in the process of hearing a petition to ban porn and is yet to pass an order. It includes playboy.com that, says Prakash, is a legitimate adult site. Pahwa points to the ban's "bizarrely moralistic undertones".

"As society evolves, government and regulatory regime are stuck in medieval ages," he says, adding a ban on websites will be rendered ineffective, pushing users to VPNs, a black hole for government monitoring mechanisms.

"A government that hasn't succeeded with Make in India is trying to prevent Make out in India," says venture capitalist Mahesh Murthy, who earlier backed net neutrality.

"The government is blocking websites to keep Rightwing lunatic fringes happy after its unsuccessful bid to pass the land bill," says Murthy.

"It isn't merely looking at blocking porn, but is trying to bring back Sec 66A (IT Act), ruled unconstitutional by the SC," he adds. "It's part of the bid to restrict individual freedom, create an artificial separation between Indian culture and anything erotic, driven by a diktat from Hindutva forces. It's ironic as Modi came to power as someone looking to activate individual agency. Now he's wary about where that leads to," says Subir Sinha, professor at the School of Oriental and African Studies (London). Murthy and Sinha believe the issue stems from a refusal to accept Indian culture in totality. "Victorian morality is considered Hindu, Khajuraho isn't," says Murthy.

"The government seems to be acting in a more high-handed manner than previous ones. The press and public opinion should wake up to this," says sociologist Andre Beteille.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-august-4-2015-anahita-mukherji-nanny-state-rules-porn-bad-for-you