We are anonymous, we are legion

Two Indians in Global Commission on Web Governance

praskrishna — 2014-04-04T09:56:05Z

Two Indians are among 25 internationally recognised experts named to assist a global body in identifying and prioritising web governance and Internet policy-related issues.

The article was published in Outlook,in the Economic Times and in Matters India on April 1, 2014. Sunil Abraham has been named as one of the experts.

Subimal Bhattacharjee, former country head of General Dynamics in India and a well known cyber security expert hailing from Assam, and Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society appointed to Research Advisory Network (RAN) of the Global Commission on Internet Governance (GCIG) are the two Indians named.

GCIG is a two-year initiative launched by the Centre for International Governance Innovation and Chatham House. RAN will assist in identifying and prioritising Internet governance and Internet policy related issues within the commission's mandate.

Members of RAN will provide expert briefings to the members of the commission and conduct research and analysis for the commission's preparatory work and final report.

Chaired by Sweden's Foreign Minister Carl Bildt, the commission will produce a comprehensive stand on the future of multi-stakeholder Internet governance.

Bhattacharjee works on cyber security and critical infrastructure protection policy issues.

He was one of the 31 experts invited by the UN through UNIDIR in 2008 to deliberate on the agenda for the 20 nations Group of Governmental Experts that was set up in 2009 to study the impact of cyber on international security.

He was also a member of the Expert Group on Global Initiatives under the Sam Pitroda Expert Committee to review the functioning of Prasar Bharati.

For more details visit https://cis-india.org/news/outlook-april-1-2014-two-indians-in-global-commission-on-web-governance

India's social media election battle

praskrishna — 2014-04-03T09:37:03Z

Ahead of the general elections, political parties in India are attempting to woo voters on social media for the first time.

The article by Atish Patel was published by BBC on March 31, 2014. Sunil Abraham is quoted.

Politicians are taking part in Google+ Hangouts, televised interviews organised by Facebook and using the Facebook-owned smart phone messaging app WhatsApp to connect with millions of tech-savvy urban voters.

India's 16th general election - to be held in nine phases over April and May - will be closely fought, with some observers saying social media will play a vital role in deciding which party wins the most seats.

According to a report published in April 2013 by the Internet and Mobile Association of India (IAMAI) and the Mumbai-based Iris Knowledge Foundation, Facebook users will "wield a tremendous influence" over the results of the polls in 160 of India's 543 constituencies.

It's a finding political parties have taken note of, with major contenders like the ruling Congress party and main opposition Bharatiya Janata Party (BJP) earmarking 2-5% of their election budgets for social media, according to an October 2013 study by IAMAI and Mumbai-based market researcher IMRB International.

Big data

During the last general election in 2009, social media usage in India was minuscule.

Today, however, Facebook has 93 million users and Twitter has an estimated 33 million accounts in the country. Many political parties have beefed up their online presence as a result.

The main opposition BJP's prime ministerial candidate, Narendra Modi, was among the first Indian politicians to set up a website and today is on Twitter, Facebook and Google+.

His main rival, Rahul Gandhi, the Congress party's undeclared candidate for PM, however, doesn't have a website and doesn't use any of the three major social networks.

Anti-corruption campaigner-turned-politician Arvind Kejriwal has amassed 1.5 million followers on Twitter since joining in November 2011, a year before he launched his Aam Aadmi Party (AAP) and over two years after Mr Modi, who has 3.6 million followers, opened his account.

"Now no serious politician is seen as being able to avoid social media altogether," said Congress government minister Shashi Tharoor, who until he was overtaken by Mr Modi last July, was the most followed Indian politician on Twitter.

"It does have a significant reach in certain segments of the population and as far as we're concerned, that's important enough to pay attention to and clearly the opposition is paying attention to it too," he added.

Taking a leaf from US President Barack Obama's presidential campaigns, India's parties are using tools to crunch the insurmountable amounts of information social media generates - what's known as big data analytics.


Rahul Gandhi doesn't have a website and doesn't use any of the three major social networks

Pinstorm, a digital marketing agency used by some of India's biggest companies to monitor what is being discussed online, now has political parties as clients.

From its Mumbai office, the agency has been collecting, storing and analysing tens of thousands of political statements from over 100 online platforms daily for the past six months to allow parties to find supporters and tweak their political message.

The agency is able to track conversations at national and local level, making it a useful tool for both national and regional parties.

The anti-corruption AAP, taking part in its first general election after an impressive debut in local polls in Delhi last year, uses Pinstorm to "compare how we are faring against others", said Ankit Lal, the party's social media strategist.

Professor Amit Sheth and a team of researchers at the Ohio Centre of Excellence in Knowledge-enabled Computing at Wright State University have also been tracking political sentiment online since July.

He says data collected from social media could in the future replace opinion polls, which many observers say are often rigged in India.

"With social media data, we can measure sentiments, for example, before a rally, during the rally, and post-analysis. It's much more frequent [than opinion polls]," Mr Sheth said.

'Dipstick of the elite'

There are some, however, who are doubtful about social media's expected effect.

Social media "is not a true dipstick. It really is only a dipstick of the elite," said Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society.

Sceptics believe with so many Indians illiterate and lacking internet access, particularly in rural swathes of the country, it is still essential for political leaders to hold rallies and spend on billboard and newspaper advertising to reach the majority of the 814 million-strong electorate.

Parties are also interacting with voters on their mobile devices and it makes sense.


Facebook has 93 million users in India

There are more mobile phones in India today than toilets, according to the latest census data, and just over half of the country's 1.2 billion population owns one.

"Mobile is very integral to our strategy," said Arvind Gupta, who heads the BJP's IT and social media cell.

One of the BJP's most unique electioneering tools allows potential voters to listen in on Mr Modi's rally speeches in real time on their phones from anywhere in India. "It's our own innovation," said Mr Gupta.

The number of smartphone users is growing in India and it's how most of the country's web users go online.

That's why WhatsApp, recently purchased by Facebook, is being used by the likes of the BJP and Congress to send photos, videos and messages to potential voters.

"No other medium gives as much mass, simultaneous reach as mobile phones in India today," said Milind Pathak from One97 Communications, a Delhi-based mobile marketing firm.

Political parties like AAP have signed up tens of thousands of members by urging people to give them a missed call for free - party officers then get in touch and formally enrol them as supporters.

"Looking forward, I think the medium will continue to be a heavily-invested area for a political party," Mr Pathak said.

For more details visit https://cis-india.org/news/bbc-news-india-atish-patel-indias-social-media-election-battle

Leaked Privacy Bill: 2014 vs. 2011

elonnai — 2014-04-01T10:52:41Z

The Centre for Internet and Society has recently received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India has drafted.

Note: After obtaining a copy of the leaked Privacy Bill 2014, we have replaced the blog "An Analysis of the New Draft Privacy Bill" which was based off of a report from the Economic Times, with this blog post.

This represents the third leak of potential privacy legislation for India that we know of, with publicly available versions having leaked in April 2011 and September 2011.

When compared to the September 2011 Privacy Bill, the text of the 2014 Bill includes a number of changes, additions, and deletions. Below is an outline of significant changes from the September 2011 Privacy Bill to the 2014 Privacy Bill:

Scope: The 2014 Bill extends the right to Privacy to all residents of India. This is in contrast to the 2011 Bill, which extended the Right to Privacy to citizens of India. The 2014 Bill furthermore recognizes the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India, whereas the 2011 Bill did not explicitly recognize the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.
Definitions: The 2014 Bill includes a number of new definitions, redefines existing terms, and deletes others.

Terms that have been added in the 2014 Bill and the definitions

Personal identifier: Any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.
Legitimate purpose: A purpose covered under this Act or any other law for the time being in force, which is certain, unambiguous, and limited in scope for collection of any personal data from a data subject.
Competent authority : The authority which is authorized to sanction interception or surveillance, as the case may be, under this Act or rules made there under or any other law for the time being in force.
Notification: Notification issued under this Act and published in the Official Gazette
Control : And all other cognate forms of expressions thereof, means, in relation to personal data, the collection or processing of personal data and shall include the ability to determine the purposes for and the manner in which any personal data is to be collected or processed.
Telecommunications system: Any system used for transmission or reception of any communication by wire, radio, visual or other electromagnetic means but shall not include broadcasting services.
Privacy standards: The privacy standards or protocols or codes of practice. developed by industry associations.

Terms that have been re-defined in the 2014 Bill from the 2011 Bill and the 2014 Bill definitions

Communication data:The data held or obtained by a telecommunications service provider in relation to a data subject including the data usage of the telecommunications
Data subject : Any living individual, whose personal data is controlled by any person
Interception: In relation to any communication in the course of its transmission through a telecommunication system, any action that results in some or all of the contents of that communication being made available, while being transmitted, to a person other than the sender or the intended recipient of the communication.
Person: Any natural or legal person and shall include a body corporate, partnership, society, trust, association of persons, Government company, government department, urban local body, or any other officer, agency or instrumentality of the state.
Sensitive personal data: Personal data relating to: (a) physical and mental health including medical history, (b) biometric, bodily or genetic information, (c) criminal convictions (d) password, (e) banking credit and financial data (f) narco analysis or polygraph test data, (g) sexual orientation. Provided that any information that is freely available or accessible in public domain or to be furnished under the Right to Information Act 2005 or any other law for time being in force shall not be regarded as sensitive personal data for the purposes of this Act.
Individual: a resident of Indian
Covert surveillance: covert Surveillance" means obtaining private information about an individual and his private affairs without his knowledge and includes: (i) directed surveillance which is undertaken for the purposes of specific investigation or specific operation in such a manner as is likely to result in the obtaining of private information about a person whether or not that person was specifically identified in relation to the investigation or operation; (ii) intrusive surveillance which is carried out by an individual or a surveillance device in relation to anything taking place on a residential premise or in any private vehicle. It also covers use of any device outside the premises or a vehicle wherein it can give information of the same quality and detail as if the device were in the premises or vehicle; (iii) covert human intelligence service which is information obtained by a person who establishes or maintains a personal or other relationship with an individual for the covert purpose of using such a relationship to obtain or to provide access to any personal information about that individual
Re-identify: means the recovery of data from an anonymised data, capable of identifying a data subject whose personal data has been anonymised;
Process: “process" and all other cognate forms of expressions thereof, means any operation or set of operations, whether carried out through automatic means or not by any person or organization, that relates to:(a) collation, storage, disclosure, transfer, updating, modification, alteration or use of personal data; or (b) the merging, linking, blocking, degradation or anonymisation of personal data;
Direct marketing: Direct Marketing means sending of a commercial communication to any individual
Data controller: any person who controls, at any point in time, the personal data of a data subject but shall not include any person who merely provides infrastructure for the transfer or storage of personal data to it data controller;
Government: the Central Government or as the case may be, the State Government and includes the Union territory Administration, local authority or any agency and instrumentality of the Government;

Terms that have been removed from the 2014 Bill that were in the 2011 Bill and the 2011 definition:

Consent: Includes implied consent
Maintain: Includes maintain, collect, use, or disseminate.
Data processor: In relation to personal data means any person (other than the employee of the data controller), who processes the data on behalf of the data controller.
Local authority: A municipal committee, district board, body of port commissioners, council, board or other authority legally entitled to, or entrusted by the Government with, the control or management of a municipal or local fund.
Prescribed: Prescribed by rules made under this Act.
Surveillance: Surveillance undertaken through installation and use of CCTVs and other system which capture images to identify or monitor individuals (this was removed from the larger definition of surveillance.)
DNA: Cell in the body of an individual, whether collected from a cheek, cell, blood cell, skin cell or other tissue, which allows for identification of such individual when compared with other individual.

Terms that have remained broadly (with some modification) the same between the 2014 Bill and 2011 Bill (as per the 2014 Bill definition):

Authority: The Data Protection Authority of India
Appellate tribunal: the Cyber Appellate Tribunal established under Sub-Section (1) of section n48 of the Information Technology Act, 2000.
Personal data: Any data which relates to a data subject, if that data subject can be identified from that data, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have and includes any expression of opinion about such data subject.
Member: Member of the Authority
Disclose: and all other cognate forms of expression thereof, means disclosure, dissemination, broadcast, communication, distribution, transmission, or make available in any manner whatsoever, of personal data.
Anonymised: The deletion of all data that identifies the data subject or can be used to identify the data subject by linking such data to any other data of the data subject, by the data controller.

Exceptions to the Right to Privacy: According to the 2011 Bill, the exceptions to the Right to Privacy included:

Sovereignty, integrity and security of India, strategic, scientific or economic interest of the state
Preventing incitement to the commission of any offence
Prevention of public disorder or the detection of crime
Protection of rights and freedoms of others
In the interest of friendly relations with foreign state
Any other purpose specifically mentioned in the Act.

The 2014 Bill reflects almost all of the exceptions defined in the 2011 Bill, but removes ‘detection of crime’ from the list of exceptions. The 2014 Bill also qualifies that the application of each exception must be adequate, relevant, and not excessive to the objective it aims to achieve and must be imposed on the manner prescribed – whereas the 2011 Bill stated only that the application of exceptions to the Right to Privacy cannot be disproportionate to the purpose sought to be achieved.

Acts not to be considered deprivations of privacy: The 2011 Bill lists five instances that will not be considered a deprivation of privacy - namely

For journalistic purposes unless it is proven that there is a reasonable expectation of privacy,
Processing data for personal or household purposes,
Installation of surveillance equipment for the security of private premises,
Disclosure of information via the Right to Information Act 2005,
And any other activity exempted under the Act.

The 2014 limits these instances to:

The processing of data purely for personal or household purposes,
Disclosure of information under the Right to Information Act 2005,
And any other action specifically exempted under the Act.

Privacy Principles: Unlike the 2011 Bill, the 2014 Bill defines nine specific privacy principles: notice, choice and consent, collection limitation, purposes limitation, access and correction, disclosure of information, security, openness, and accountability. The Privacy Principles will apply to all existing and evolving practices.

Provisions for Personal Data: Both the 2011 Bill and the 2014 Bill have provisions that apply to the processing of personal and sensitive personal data. The 2011 Bill includes provisions addressing the:

Collection of personal data,
Processing of personal data,
Data quality,
Provisions relating to sensitive personal data,
Retention of personal data,
Sharing (disclosure) of personal data,
Security of personal data,
Notification of breach of security,
Access to personal data by data subject,
Updation of personal data by data subject
Mandatory processing of data,
Trans border flows of personal data.

Of these, the 2014 Bill broadly (though not verbatim) reflects the 2011 Bill provisions relating to the:

Collection of personal data,
Processing of personal data,
Access to personal data,
Updating personal data
Retention of personal data
Data quality,

The 2014 Bill has further includes provisions addressing:

Openness and accountability,
Choice,
Consent,
Exceptions for personal identifiers.

The 2014 Bill has made changes to the provisions addressing:

Provisions relating to sensitive personal data,
Sharing (disclosure of personal data),
Notification of breach of security,
Mandatory processing of data
Security of personal data
Trans border flows of personal data.

The changes that have been made have been mapped out below:

Provisions Relating to Sensitive Personal Data: The 2011Bill and 2014 Bill both require authorization by the Authority for the collection and processing of sensitive personal data. At the same time, both Bills include a list of circumstances under which authorization for the collection and processing of sensitive personal data is not required. On the whole, this list is the same between the 2011 Bill and 2014 Bill, but the 2014 Bill adds the following circumstances on which authorization is not needed for the collection and processing of sensitive personal data:

For purposes related to the insurance policy of the individual if the data relates to the physical or mental health or medical history of the individual and is collected and processed by an insurance company.
Collected or processed by the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

The 2014 Bill also allows the Authority to specify additional regulations for sensitive personal data, and requires that any additional transaction sought to be performed with the sensitive personal information requires fresh consent to first be obtained. The 2014 Bill carves out another exception for Government agencies, allowing disclosure of sensitive personal data without consent to Government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.

Notification of Breach of Security: The provisions relating to the notification of breach of security in the 2014 Bill differ from the 2011 Bill. Specifically, the 2014 Bill removes the requirement that data controllers must publish information about a data breach in two national news papers. Thus, in the 2014 Bill, data controllers must only inform the data protection authority and affected individuals of the breach.

Notice: The 2014 Bill changes the structure of the notice mechanism – where in the 2011 Bill, prior to the processing of data, data controllers had to take all reasonable steps to ensure that the data subject was aware of the following:

The documented purposes for which such personal data is being collected
Whether providing of personal data by the data subject is voluntary or mandatory under law or in order to avail of any product or service
The consequences of the failure to provide the personal data
The recipient or category of recipients of the personal data
The name and address of the data controller and all persons who are or will be processing information on behalf of the data controller
If such personal data is intended to be transferred out of the country, details of such transfer.

In contrast the 2014 Bill provides that before personal data is collected, the data controller must give notice of:

What data is being collected and
The legitimate purpose for the collection.

If the purpose for which the data was collected has changed the data controller will then be obligated to provide the data subject with notice of:

The use to which the personal data will be put
Whether or not the personal data will be disclosed to a third party and if so the identity of such person
If the personal data being collected is intended to be transferred outside India and the reasons for doing so, how the transfer helps in achieving the legitimate purpose and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data.
The security and safeguards established by the data controller in relation to the personal data
The processes available to a data subject to access and correct his personal data
The recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto
The name, address, and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller.

Disclosure of personal data: Though titled as ‘sharing of personal data’ both the 2011 Bill and 2014 Bill require consent for the disclosure of personal information, but list exceptional circumstances on which consent is not needed. In the 2011 bill, the relevant provision permits disclosure of personal data without consent only if (i) the sharing was a part of the documented purpose, (ii) the sharing is for any purpose relating to the exceptions to the right to privacy or (iii) the Data Protection Authority has authorized the sharing. In contrast, the 2014 Bill permits disclosure of personal data without consent if (i) such disclosure is part of the legitimate purpose (ii) such disclosure is for achieving any of the objectives of section 5 (iii) the Authority has by order authorized such disclosure (iv) the disclosure is required under any law for the time being in force (v) the disclosure is made to the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. As a safeguard, the 2014 Bill requires that any person to whom personal information is disclosed, whether a resident or not, must adhere to all provisions of the Act. Furthermore, the disclosure of personal data must be limited to the extent which is necessary to achieve the purpose for which the disclosure is sought and no person can make public any personal data that is in its control.

Transborder flow of information: Though both the 2011 Bill and the 2014 Bill require any country that data is transferred to must have equivalent or stronger data protection standards in place, the 2014 Bill carves out an exception for law enforcement and intelligence agencies and the transfer of any personal data outside the territory of India, in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

Mandatory Processing of Data: Both the 2011 Bill and 2014 Bill have provisions that address the mandatory processing of data. These provisions are similar, but the 2014 Bill includes a requirement that data controllers must anonymize personal data that is collected without prior consent from the data subject within a reasonable time frame after collection.

Security of Personal Data: The provision relating to the security of personal information in the 2014 Bill has been changed from the 2011 Bill by expanding the list and type of breaches that must be prevented, but removing requirements that data controllers must ensure all contractual arrangements with data processors specifically ensure that the data is maintained with the same level of security.

Conditions on which provisions do not apply: Both the 2011Bill and 2014 Bill define conditions on which the provisions of updating personal data, access, notification of breach of security, retention of personal data, data quality, consent, choice, notice, and right to privacy will not apply to personal data. Though the 2011 Bill and 2014 Bill reflect the same conditions, the 2014 Bill carves out an exception for Government Intelligence Agencies - stating that the provisions of updating personal data, access to data by the data subject, notification about breach of security, retention of personal data, data quality, processing of personal data, consent, choice, notice, collection from an individual will not apply to data collected or processed in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.
Privacy Officers: Unlike the 2011 Bill, the 2014 Bill defines the role of the privacy officer that must be established by every data controller for the purpose of overseeing the security of personal data and implementation of the provisions of the Act.
Power of Authority to Exempt: Both the 2011 Bill and 2014 Bill contain provisions that enable the Authority to waive the applicability of specific provisions of the Act. The circumstances on which this can be done are based on the exceptions to the Right to Privacy in both the 2011 and 2014 Bill. To this extent, the 2014 Bill differs slightly from the 2011 Bill, by removing the power of the Authority to exempt for the ‘detection of crime’ and ‘any other legitimate purpose mentioned in this Act’ .

The Data Protection Authority: The 2011 Bill and 2014 Bill both establish Data Protection Authorities, but the 2014 Bill further clarifies certain aspects of the functioning of the Authority and expands the functions and the powers of the Authority. For example, new functions of the Authority include:

Auditing any or all personal data controlled by the data controller to assess whether it is being maintained in accordance with the Act,
Suggesting international instruments relevant to the administration of the Act,
Encouraging industry associations to evolve privacy standards for self regulations, adjudicating on disputes arising between data controllers or between individuals and data controllers.

The 2014 Bill also expands the powers of the Data Protection Authority – importantly giving him the power to receive, investigate complaints about alleged violations of privacy and issue appropriate orders or directions.

At the same time, the 2014 Bill carves out an exception for Government Intelligence Agencies and Law Enforcement agencies – preventing the Authority from conducting investigations, issuing appropriate orders or directions, and adjudicating complaints in respect to actions taken by the Government Intelligences Agencies and Law Enforcement, if for the objectives of (a) sovereignty, integrity or security of India; or(b) strategic, scientific or economic interest of India; or(c) preventing incitement to the commission of any offence, or (d) prevention of public disorder, or(e) the investigation of any crime; or (f) protection of rights and freedoms of others; or (g) friendly relations with foreign states; or (h) any other legitimate purpose mentioned in this Act.

This power is instead vested with a court of competent jurisdiction.

The National Data Controller Registry: The 2014 Bill removes the National Data Controller Registry and requirements for data controllers to register themselves and oversight of the Registry by the Data Protection Authority.
Direct Marketing: Both the 2011 and 2014 Bills contain provisions regulating the use of personal information for direct marketing purposes. Though the provisions are broadly the same, the 2011 Bill envisions that no person will undertake direct marketing unless he/she is registered in the ‘National Data Registry’ and one of the stated purposes is direct marketing. As the 2014 Bill removes the National Data Registry, the 2014 Bill now requires that any person undertaking direct marketing must have on record where he/she has obtained personal data from.
Interception of Communications: Though maintaining some of the safeguards defined in the 2011 Bill for interception, 2014 Bill changes the interception regime envisioned in the 2011 Bill by carving out a wide exception for organizations monitoring the electronic mail of employees, removing provisions requiring the interception take place only for the minimum period of time required for achieving the purposes, and removing provisions excluding the use of intercepted communications as evidence in a court of law. Similar to the 2011 Bill, the 2014 Bill specifies that the principles of notice, choice and consent, access and correction, and openness will not apply to the interception of communications.
Video Recording Equipment in public places: Unlike the 2011 Bill, which addressed only the use of CCTV’s, the 2014 Bill addresses the installation and use of video recording equipment in public places. Though both the 2011 Bill and 2014 Bill both prevent the use of recording equipment and CCTVs for the purpose of identifying an individual, monitoring his personal particulars, or revealing personal, or otherwise adversely affecting his right to privacy - the 2014 Bill requires that the use of recording equipment must be in accordance with procedures, for a legitimate purpose, and proportionate to the objective for which the equipment was installed.

The 2014 Bill makes a broad exception to these safeguards for law enforcement agencies and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific, or economic interest of India.

Privacy Standards and Self Regulation: The 2014 Bill establishes a specific mechanism of self regulation where industry associations will develop privacy standards and adhere to them. For this purpose, an industry ombudsman should be appointed. The standards must be in conformity with the National Privacy Principles and the provisions of the Privacy Bill. The developed standards will be submitted to the Authority and the Authority may frame regulations based on the standards. If an industry association has not developed privacy standards, the Authority may frame regulations for a specific sector.
Settlement of Disputes and Appellate Tribunal: The 2014 Bill makes significant change to the process for settling disputes from the 2011 Bill. In the 2014 Bill an Alternative Dispute Mechanism is established where disputes between individuals and data controllers are first addressed by the Privacy Officer of each Data Controller or the industry level Ombudsman. If individuals are not satisfied with the decision of the Ombudsman they may take the complaint to the Authority. Individuals can also take the complaint directly to the Authority if they wish. If an individual is aggrieved with the decision of the Authority, by a privacy officer or ombudsman through the Alternative Dispute Resolution mechanism, or by the adjudicating officer of the Authority, they may approach the Appellate Tribunal. Any order from the Appellate Tribunal can be appealed at a high court.

In the 2011 Bill disputes between the data controller and an individual can be taken directly to the Appellate Tribunal and orders from the Authority can be appealed at the Tribunal. There is not further path for appeal to an order of the tribunal.

Offences and Penalties: The 2014 Bill changes the structure of the offences and penalties section by breaking the two into separate sections - one addressing offences and one addressing penalties while the 2011 Bill addressed offences and penalties in the same section.

Offences: The 2014 Bill penalizes every offence with imprisonment and a fine and empowers a police officer not below the rank of Deputy Superintendent of Police to investigate any offence, limits the courts ability to take cognizance of an offence to only those brought by the Authority, requires that the Court be no lower than a Chief Metropolitan Magistrate or a Chief Judicial Magistrate, and permits courts to compound offences. The 2014 Bill further specifies that any offence that is punishable with three years in prison and above is cognizable, and offences punishable with three years in prison are bailable. . Under the 2014 Bill offences are defined as:

Unauthorized interception of communications
Disclosure of intercepted communications
Undertaking unauthorized Covert Surveillance
Unauthorized use of disclosure of communication data

The offences defined under the Act are reflected in the 2011 Bill, but the time in prison and fine is higher in the 2014 Bill.

Penalties: The 2014 Bill provides a list of penalties including:

Penalty for obtaining personal data on false pretext
Penalty for violation of conditions of license pertaining to maintenance of secrecy and confidentiality by telecommunications service providers
Penalty for disclosure of other personal information
Penalties for contravention of directions of the Authority
Penalties for data theft
Penalties for unauthorised collection, processing, and disclosure of personal data
Penalties for unauthorized use of personal data for direction marketing. These penalties reflect the penalties in the 2011 bill, but prescribe higher fines

Adjudicating Officer: Unlike the 2011 Bill that did not have in place an adjudicating officer, the 2014 Bill specifies that the Chairperson of the Authority will appoint a Member of the Authority not below the Rank of Director of the Government of India to be an adjudicating officer. The adjudicating officer will have the power to impose a penalty and will have the same powers as vested in a civil court under the Code of Civil Procedure. Every proceeding before the adjudicating officer will be considered a judicial processing. When adjudicating the officer must take into consideration the amount of disproportionate gain or unfair advantage, the amount of loss caused, the respective nature of the default

Civil Remedies and compensation: Both the 2011 and 2014 Bill contain provisions that permit an individual to pursue a civil remedy, but the 2014 Bill limits these instances to - if loss or damage has been suffered or an adverse determination is made about an individual due to negligence on complying with the Act, and provides for the possibility that the contravening parties will have to provide a public notice of the offense.

The 2014 Bill removes provisions specifying that individuals that have suffered loss due to a contravention by the data controller of the Act are entitled to compensation.

Exceptions for intelligence agencies: Unlike the 2011 Bill, the 2014 Bill includes an exception for Government Intelligence Agencies and Law Enforcement Agencies – stating that the Authority will not have the power to conduct investigations, issue appropriate orders and directions or otherwise adjudicate complaints in respect of action taken by the Government intelligence agencies and Law Enforcement agencies for achieving any of the objectives that reflect the defined exceptions to privacy.

The Centre for Internet and Society welcomes many of the changes that are reflected in the Privacy Bill 2014, but are cautious about the wide exceptions that have been carved out for law enforcement and intelligence agencies in the Bill.

In 2012, the Report of Group of Expert s on Privacy was developed for the purpose of informing a privacy framework for India. As such the Centre for Internet and Society will be analyzing in upcoming posts the draft Privacy Bill 2014 and the recommendations in the Report of the Group of Experts on Privacy.

For more details visit https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011

Intermediary Liability Resources

elonnai — 2014-07-03T06:45:48Z

We bring you a list of intermediary resources as part of research on internet governance. This blog post will be updated on an ongoing basis.

Shielding the Messengers: Protecting Platforms for Expression and Innovation. The Centre for Democracy and Technology. December 2012, available at: https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf: This paper analyses the impact that intermediary liability regimes have on freedom of expression, privacy, and innovation. In doing so, the paper highlights different models of intermediary liability regimes, reviews different technological means of restricting access to content, and provides recommendations for intermediary liability regimes and provides alternative ways of addressing illegal content online.
Internet Intermediaries: Dilemma of Liability: Article 19. 2013, available at: http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf:This Policy Document reviews different components of intermediary liability and highlights the challenges and risks that current models of liability have to online freedom of expression. Relying on international standards for freedom of expression and comparative law, the document includes recommendations and alternative models that provide stronger protection for freedom of expression. The key recommendation in the document include: web hosting providers or hosts should be immune from liability to third party content if they have not modified the content, privatised enforcement should not be a model and removal orders should come only from courts or adjudicatory bodies, the model of notice to notice should replace notice and takedown regimes, in cases of alleged serious criminality clear conditions should be in place and defined.
Comparative Analysis of the National Approaches to the Liability of Internet Intermediaries: Prepared by Daniel Seng for WIPO, available at http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf:This Report reviews the intermediary liability regimes and associated laws in place across fifteen different contexts with a focus on civil copyright liability for internet intermediaries. The Report seeks to find similarities and differences across the regimes studied and highlight principles and components in different that can be used in international treaties and instruments, upcoming policies, and court decisions.
Freedom of Expression, Indirect Censorship, & Liability for Internet Intermediaries. The Electronic Frontier Foundation. February 2011, available at: http://infojustice.org/download/tpp/tpp-civil-society/EFF%20presentation%20ISPs%20and%20Freedom%20of%20Expression.pdf:This presentation was created for the Trans-Pacific Partnership Stakeholder Forum in Chile and highlights that for freedom of expression to be protected, clear legal protections for internet intermediaries are needed and advocates for a regime that provides blanket immunity to intermediaries or is based on judicial takedown notices.
Study on the Liability of Internet Intermediaries. Contracted by the European Commission. 2007, available at: http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf. This Report provides insight on the application of the intermediary liability sections of the EU e-commerce directive and studies the impact of the regulations under the Directive on the functioning of intermediary information society services. To achieve this objective, the study identifies relavant case law across member states, calls out and evaluates developing trends across Member States, and draws conclusions.
Internet Intermediary Liability: Identifying Best Practices for Africa. Nicolo Zingales for the Association for Progressive Communications, available at: https://www.apc.org/en/system/files/APCInternetIntermediaryLiability_BestPracticesAfrica_20131125.pdf: This background paper seeks to identify challenges and opportunities in addressing intermediary liability for countries in the African Union and recommend safeguards that can be included in emerging intermediary liability regimes in the context of human rights. The paper also reviews different models of intermediary liability and discusses the limitations, scope, and modes of operation of each model.
The Liability of Internet Intermediaries in Nigeria, Kenya, South Africa, and Uganda: An uncertain terrain. Association for Progressive Communications. October 2012, available at: http://www.academia.edu/2484536/The_liability_of_internet_intermediaries_in_Nigeria_Kenya_South_Africa_and_Uganda_An_uncertain_terrain:This Report reviews intermediary liability in Nigeria, Kenya, South Africa and Uganda – providing background to the political context, relevant legislation, and present challenges . In doing so, the Report provides insight into how intermediary liability has changed in recent years in these contexts and explores past and present debates on intermediary liability. The Report concludes with recommendations for stakeholders affected by intermediary liability.
The Fragmentation of intermediary liability in the UK. Daithi Mac Sithigh. 2013, available at: http://jiplp.oxfordjournals.org/content/8/7/521.full.pdf?keytype=ref&ijkey=zuL8aFSzKJqkozT. This article looks at the application of the Electronic Commerce Directive across Europe and argues that it is being intermixed and subsequently replaced with provisions from national legislation and provisions of law from area specific legislation. Thus, the article argues that systems for intermediary liability are diving into multiple systems – for example for content related to copyright intermediaries are being placed with new responsibilities while for content related to defamation, there is a reducing in the liability that intermediaries are held to.
Regimes of Legal Liability for Online Intermediaries: an Overview. OECD, available at: http://www.oecd.org/sti/ieconomy/45509050.pdf. This article provides an overview of different intermediary liability regimes including EU and US.
Closing the Gap: Indian Online Intermediaries and a Liability System Not Yet Fit for Purpose. GNI. 2014, available at: http://www.globalnetworkinitiative.org/sites/default/files/Closing%20the%20Gap%20-%20Copenhagen%20Economics_March%202014_0.pdf. This Report argues that the provisions of the Information Technology Act 2000 are not adequate to deal with ICT innovations , and argues that the current liability regime in India is hurting the Indian internet economy.
Intermediary Liability in India. Centre for Internet and Society. 2011, available at: http://cis-india.org/internet-governance/intermediary-liability-in-india.pdf. This report reviews and ‘tests’ the effect of the Indian intermediary liability on freedom of expression. The report concludes that the present regime in India has a chilling effect on free expression and offers recommendations on how the Indian regime can be amended to protect this right.
The Liability of Internet Service providers and the exercise of the freedom of expression in Latin America have been explored in detail through the course of this research paper by Claudio Ruiz Gallardo and J. Carlos Lara Galvez. The paper explores the efficacy and the implementation of proposals to put digital communication channels under the oversight of certain State sponsored institutions in varying degrees. The potential consequence of legal intervention in media and digital platforms, on the development of individual rights and freedoms has been addressed through the course of this study. The paper tries to arrive at relevant conclusions with respect to the enforcement of penalties that seek to redress the liability of communication intermediaries and the mechanism that may be used to oversee the balance between the interests at stake as well as take comparative experiences into account. The paper also analyses the liability of technical facilitators of communications while at the same time attempting to define a threshold beyond which the interference into the working of these intermediaries may constitute an offence of the infringement of the privacy of users. Ultimately, it aims to derive a balance between the necessity for intervention, the right of the users who communicate via the internet and interests of the economic actors who may be responsible for the service: http://www.palermo.edu/cele/pdf/english/Internet-Free-of-Censorship/02-Liability_Internet_Service_Providers_exercise_freedom_expression_Latin_America_Ruiz_Gallardo_Lara_Galvez.pdf

Click to read the newsletter from the Association of Progressive Communications. The summaries for the reports can be found below:

Internet Intermediaries: The Dilemma of Liability in Africa. APC News, May 2014, available at: http://www.apc.org/en/node/19279/. This report summarizes the challenges facing internet content regulators in Africa, and the effects of these regulations on the state of the internet in Africa. Many African countries do not protect intermediaries from potential liability, so some intermediaries are too afraid to transmit or host content on the internet in those countries. The report calls for a universal rights protection for internet intermediaries.

APC’s Frequently Asked Questions on Internet Intermediary Liability: APC, May 2014, available at: http://www.apc.org/en/node/19291/. This report addresses common questions pertaining to internet intermediaries, which are entities which provide services that enable people to use the internet, from network providers to search engines to comments sections on blogs. Specifically, the report outlines different models of intermediary liability, defining two main models. The “Generalist” model intermediary liability is judged according to the general rules of civil and criminal law, while the “Safe Harbour” model protects intermediaries with a legal safe zone.

New Developments in South Africa: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-new-developments-south-afri. This interview with researchers Alex Comninos and Andrew Rens goes into detail about the challenges of intermediary in South Africa. The researchers discuss the balance that needs to be struck between insulating intermediaries from a fear of liability and protecting women’s rights in an environment that is having trouble dealing with violence against women. They also discuss South Africa’s three strikes policy for those who pirate material.

Preventing Hate Speech Online In Kenya: APCNews, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-preventing-hate-speech-onli. This interview with Grace Githaiga investigates the uncertain fate of internet intermediaries under Kenya’s new regime. The new government has mandated everyone to register their SIM cards, and indicated that it was monitoring text messages and flagging those that were deemed risky. This has led to a reduction in the amount of hate speech via text messages. Many intermediaries, such as newspaper comments sections, have established rules on how readers should post on their platforms. Githaiga goes on to discuss the issue of surveillance and the lack of a data protection law in Kenya, which she sees as the most pressing internet issue in Kenya.

New Laws in Uganda Make Internet Providers More Vulnerable to Liability and State Intervention: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-uganda-make-internet-providers-more-vulne. In an interview, Lilian Nalwoga discusses Uganda’s recent anti-pornography law that can send intermediaries to prison. The Anti-Pornography Act of 2014 criminalizes any sort of association with any form of pornography, and targets ISPs, content providers, and developers, making them liable for content that goes through their systems. This makes being an intermediary extremely risky in Uganda. The other issue with the law is a vague definition of pornography. Nalwoga also explains the Anti-Homosexuality Act of 2014 bans any promotion or recognition of homosexual relations, and the monitoring technology the government is using to enforce these laws.

New Laws Affecting Intermediary Liability in Nigeria: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-affecting-intermediary-liability-nigeria. Gbenga Sesan, executive director of Paradigm Initiative Nigeria, expounds on the latest trends in Nigerian intermediary liability. The Nigerian Communications Commission has a new law that mandates ISPs store users data for at least here years, and wants to make content hosts responsible for what users do on their networks. Additionally, in Nigeria, internet users register with their real name and prove that you are the person who is registration. Sesan goes on to discuss the lack of safe harbor provisions for intermediaries and the remaining freedom of anonymity on social networks in Nigeria.

Internet Policies That Affect Africans: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-internet-policies-affect-af. The Associsation for Progressive Communcations interviews researcher Nicolo Zingales about the trend among African governments establishing further regulations to control the flow of information on the internet and hold intermediaries liable for content they circulate. Zingales criticizes intermediary liability for “creating a system of adverse incentives for free speech.” He goes on to offer examples of intermediaries and explain the concept of “safe harbor” legislative frameworks. Asked to identify best and worst practices in Africa, he highlights South Africa’s safe harbor as a good practice, and mentions the registration of users via ID cards as a worst practice.

Towards Internet Intermediary Responsibility: Carly Nyst, November 2013, available at: http://www.genderit.org/feminist-talk/towards-internet-intermediary-responsibility. Nyst argues for a middle ground between competing goals in internet regulation in Africa. Achieving one goal, of protecting free speech through internet intermediaries seems at odds with the goal of protecting women’s rights and limiting hate speech, because one demands intermediaries be protected in a legal safe harbor and the other requires intermediaries be vigilant and police their content. Nyst’s solution is not intermediary liability but responsibility, a role defined by empowerment, and establishing an intermediary responsibility to promote positive gender attitudes.

For more details visit https://cis-india.org/internet-governance/blog/intermediary-liability-resources

The Age of Shame

nishant — 2014-04-04T04:05:31Z

The ability to capture private images is breeding a dangerous form of digital shaming. Within the online space, where wonderments often run rife, and conspiracy theories travel at the speed of light, there are many dark recesses where netizens half-jokingly, self-referentially, in a spirit of part-truth, part-exaggeration, often wonder on what the real reason is for the internet to exist.

Dr. Nishant Shah's column was published in the Indian Express on March 30, 2014.

Within the online space, where wonderments often run rife, and conspiracy theories travel at the speed of light, there are many dark recesses where netizens half-jokingly, self-referentially, in a spirit of part-truth, part-exaggeration, often wonder on what the real reason is for the internet to exist.

One suggestion, and probably the most persuasive one, drawing from the Broadway musical Avenue Q, is that the internet was made for porn. Positing a competing argument is a clowder of cat lovers, who insist that the internet was made for cats. Or, at least, it is definitely made of cats.

From the first internet memes like LOL Cats (and then subsequently Grumpy Cat, Ceiling Cat and Hipster Kitty), which had pictures of cats used for strong social, cultural and political commentary, to Caturday — a practice where users on the Web’s largest unmoderated discussion board, 4Chan, post pictures of cats every Saturday — cats are everywhere.

I want to add to this list and suggest that the internet was meant for “shame”. With the explosion of the interactive Web, more people getting access to mobile computing devices, and more websites inviting users to write reviews, leak pictures, expose videos and reveal more personal and private information online, there seems to be no doubt that we live in the age of digital shaming.

The aesthetic, also embedded in peer-to-peer platforms like chatroulete, or snapchat, where people often engage in sexting, is also becoming common in popular media. The ability to spy, to capture private images and videos, and expose the people who violate some imagined moral code has dangerous implications for the future of the Web and our own private lives. And as more of it goes unpunished and gets naturalised in our everyday digital practices, it is time to realise that the titillation it offers through scandal is far outweighed by the growing stress and grief it causes to victims. While there are some values to public shaming that ask for more transparency and accountability, we need to reflect on how it is creating societies of shame.

It sometimes emerges as an attempt to shame governments, private institutions, places of consumption, for compromise of the rights of the users.

Anything, from denial of service and corruption in government offices to bad food and substandard goods in restaurants and malls, is now reported in an attempt to shame the people responsible for it. This kind of “citizen journalism” allows for individual voices and experiences to be heard and documented, and the people in question are forced to be accountable for their jobs.

From fascinating websites like IPaidABribe.com to restaurant review sites like Zomato, we have seen an interesting phenomenon of “naming and shaming” that gives voice to individual discontent and anger. And so commonplace has this become, that most managers of different services and goods track, respond and mitigate the situation, often offering apologies and freebies to make up for that one bad experience.

Most big organisations have Twitter handles that function in a similar way, addressing grievances of users in real time, and helping to deliver better services and products. It is a new era of granular accountability that ensures that individual acts of discrimination, neglect or just disservice get reported and have direct impact on those responsible for it.

On the other end of the spectrum of this call for transparent and accountable structures, is the phenomenon of shaming and cyber bullying that is also increasing, especially with digital natives who spend more time online. On social networking sites, it has become almost passé, for personal and sensitive information to be leaked in order to shame and expose a person’s weaknesses and vulnerabilities. Especially for young teens who might be in a disadvantaged position — for reasons of sexual orientation, location, practices or interests — the shaming through exposing their private information often creates extremely traumatic conditions, even leading people to take their lives.
Shaming takes up particularly dire forms on websites and platforms that are designed to leak this kind of information. Hunter Moore, who has recently earned the title of being the most hated man on the internet, was the founder of a revenge-porn website, which invited male users to reveal sexual and embarrassing pictures of their former girlfriends and even spouses, to reveal them in compromising positions and shame them for being “sluts”.

Moore’s website has been shut down now and he is facing multiple charges of felony in the US, but that one site was just the tip of the iceberg. Slut shaming and trying to humiliate women has become a strong underground practice on the dark web. Hidden by anonymity and the security that the Web can sometimes offer, people betray the trust of their friends and lovers and expose them to be punished by voyeuristic audiences.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-march-30-2014-nishant-shah-the-age-of-shame

Governance issues for private data stores

praskrishna — 2014-04-04T10:30:23Z

Malavika Jayaram is a speaker at this event co-hosted by Harvard Faculty Club and Web Science Trust at 20 Quincy Street, Cambridge on March 28, 2014.

Agenda

8.30: Introductory remarks - Meeting in the shadow of the Presidents 90 day plan for Big Data and Privacy: are we right to have a hopeful expectation that algorithms can resolve questions that algorithms pose?

Prof. Jim Waldo, CTO, Harvard University, Sun Distinguished Engineer

Prof. Andreas Weigend, Stanford University (past Chief Scientist Amazon)

8.45 - 10.00: The network is always on: and you are always on the network.

The worker and the workplace - Anna Burger (past Secretary Treasurer, SEIU)/Carol Rose, Director Ma., ACLU
Personalised messages - targeted advertising - George Pappachen (WPP) /Mike Smith (Hearst Corpn.)
Sensor sensibility:Smart metering/Transport/Home - Yves Alexandre de Montjoye, MIT /John Taysom
Personal medicine - John Wilbanks, Chief Commons Officer, Sage Bionetworks, Senior Fellow, Ewing
Marion Kaufman Foundation
Education - Prof. Jim Waldo, CTO Harvard
National Security - Dr. Malavika Jayaram, Berkman Centre, Harvard, The Indian national id system.

10.00-10.15: Coffee

10.15 - 11.30: The dual nature of the web - publisher and data gatherer

Is the problem a web protocol problem? Is there a protocol solution?
Brendan Eich, CEO Mozilla
Steve MacBeath Product Lead, Microsoft Personal Cloud
John Taysom, Can we build a DMZ for individual id information?

11.30 - 12.30: Governance systems for private data stores - what wont work, and what might?

An example of multi-generational national asset management : Sir Henry Studholme, Chair, UK Forestry Commission.
Mozilla.com and Mozilla.org - Denelle Dixon-Thayer, GC Mozilla
DigiTrust - Jordan Mitchell

12.30: working lunch: Privacy as a competitive advantage

The Microsoft view - Steve MacBeath
The Mozilla view - Brendan Eich
The SalesForce view - JPRangaswami, Chief Scientist, Salesforce.com

1.30 - 2.15: Essential additional policy considerations

Is “privacy” anyway the wrong target - did we really mean “intimacy”? Dorothy Zinberg, Harvard/ How would we police privacy policies anyway? Adam Towvim, TrustLayers
AOB from the floor

2.15 - 2.30: Interim Conclusions - John Taysom

2.30 - 3.00: Discussion and critique of interim conclusions - Prof. Nico Mele, Harvard/ Prof. Dame Wendy Hall, WST

3.00- 3.30: Conclusions and proposed draft recommendations - J Taysom

For more details visit https://cis-india.org/news/governance-issues-for-private-data-stores

Cyber Dialogue Conference 2014

praskrishna — 2014-04-08T05:09:54Z

The Cyber Dialogue conference, presented by the Canada Centre for Global Security Studies at the Munk School of Global Affairs, University of Toronto, will convene an influential mix of global leaders from government, civil society, academia and private enterprise to participate in a series of facilitated public plenary conversations and working groups around cyberspace security and governance.

Malavika Jayaram is participating in this event being held on March 30 and 31, 2014. Full event details here.

After Snowden, Whither Internet Freedom?

A recent stream of documents leaked by former NSA contractor Edward Snowden has shed light on an otherwise highly secretive world of cyber surveillance. Among the revelations — which include details on mass domestic intercepts and covert efforts to shape and weaken global encryption standards — perhaps the most important for the future of global cyberspace are those concerning the way the U.S. government compelled the secret cooperation of American telecommunications, Internet, and social media companies with signals intelligence programs.

For American citizens, the NSA story has touched off soul-searching discussions about the legality of mass surveillance programs, whether they violate the Fourth and Fifth Amendments of the U.S. Constitution, and whether proper oversight and accountability exist to protect American citizens' rights. But for the rest of the world, they lay bare an enormous “homefield advantage” enjoyed by the United States — a function of the fact that AT&T, Verizon, Google, Facebook, Twitter, Yahoo!, and many other brand name giants are headquartered in the United States.

Prior to the Snowden revelations, global governance of cyberspace was already at a breaking point. The vast majority of Internet users — now and into the future — are coming from the world’s global South, from regions like Africa, Asia, Latin America, and the Middle East. Of the six billion mobile phones on the planet, four billion of them are already located in the developing world. Notably, many of the fastest rates of connectivity to cyberspace are among the world’s most fragile states and/or autocratic regimes, or in countries where religion plays a major role in public life. Meanwhile, countries like Russia, China, Saudi Arabia, Indonesia, India, and others have been pushing for greater sovereign controls in cyberspace. While a US-led alliance of countries, known as the Freedom Online Coalition, was able to resist these pressures at the Dubai ITU summit and other forums like it, the Snowden revelations will certainly call into question the sincerity of this coalition. Already some world leaders, such as Brazil’s President Rousseff, have argued for a reordering of governance of global cyberspace away from U.S. controls.

For the fourth annual Cyber Dialogue, we are inviting a selected group of participants to address the question, “After Snowden, Whither Internet Freedom?” What are the likely reactions to the Snowden revelations going to be among countries of the global South? How will the Freedom Online Coalition respond? What is the future of the “multi-stakeholder” model of Internet governance? Does the “Internet Freedom” agenda still carry any legitimacy? What do we know about “other NSA’s” out there? What are the likely implications for rights, security, and openness in cyberspace of post-Snowden nationalization efforts, like those of Brazil’s?

As in previous Cyber Dialogues, participants will be drawn from a cross-section of government (including law enforcement, defence, and intelligence), the private sector, and civil society. In order to canvass worldwide reaction to the Snowden revelations, this year’s Cyber Dialogue will include an emphasis on thought leaders from the global South, including Africa, Asia, Latin America, and the Middle East.

For more details visit https://cis-india.org/news/cyber-dialogue-conference-2014

CIS Statement at ICANN 49's Public Forum

pranesh — 2014-06-04T05:31:44Z

This was a statement made by Pranesh Prakash at the ICANN 49 meeting (on March 27, 2014), arguing that ICANN's bias towards the North America and Western Europe result in a lack of legitimacy, and hoping that the IANA transition process provides an opportunity to address this.

Good afternoon. My name is Pranesh Prakash, and I'm with the Yale Information Society Project and the Centre for Internet and Society.

I am extremely concerned about the accountability of ICANN to the global community. Due to various decisions made by the US government relating to ICANN's birth, ICANN has had a troubled history with legitimacy. While it has managed to gain and retain the confidence of the technical community, it still lacks political legitimacy due to its history. The NTIA's decision has presented us an opportunity to correct this.

However, ICANN can't hope to do so without going beyond the current ICANN community, which while nominally being 'multistakeholder' and open to all, grossly under-represents those parts of the world that aren't North America and Western Europe.

Of the 1010 ICANN-accredited registrars, 624 are from the United States, and 7 from the 54 countries of Africa. In a session yesterday, a large number of the policies that favour entrenched incumbents from richer countries were discussed. But without adequate representation from poorer countries, and adequate representation from the rest of the world's Internet population, there is no hope of changing these policies.

This is true not just of the business sector, but of all the 'stakeholders' that are part of global Internet policymaking, whether they follow the ICANN multistakeholder model or another. A look at the boardmembers of the Internet Architecture Board, for instance, would reveal how skewed the technical community can be, whether in terms of geographic or gender diversity.

Without greater diversity within the global Internet policymaking communities, there is no hope of equity, respect for human rights -- civil, political, cultural, social and economic --, and democratic funtioning, no matter how 'open' the processes seem to be, and no hope of ICANN accountability either.

For more details visit https://cis-india.org/internet-governance/blog/icann49-public-forum-statement

Panel Discussion – Intermediary Liability & Freedom of Expression in India

praskrishna — 2014-04-04T10:10:32Z

Bhairav Acharya will participate in a panel discussion on ‘Intermediary Liability & Freedom of Expression’ on Wednesday evening (26th March 2014) from 6:00 pm onwards at the India International Centre Annex. The event is organized by the Centre for Communication Governance at NLU Delhi in association with the Global Network Initiative, Washington D.C.

The panel comprises of three eminent personalities: Shyam Divan, Senior Advocate, Supreme Court of India; Siddharth Varadarajan, Journalist and Senior Fellow, Centre for Public Affairs and Critical Theory, New Delhi and; Jermyn Brooks, Independent Chair, Global Network Initiative, Washington D.C.

The objective of the panel was to focus on the Indian legal framework governing Internet platforms and explore questions related to Internet intermediaries and the balance that should be involved in regulations affecting user-generated content, in the context of the civil liberties that are key to democracy, in particular free expression and privacy. The discussion was aimed at drawing connections between this ostensibly Internet-related issue and the traditional media, to highlight recurring issues and useful perspectives.

For more details, click here.

For more details visit https://cis-india.org/news/panel-discussion-intermediary-liability-and-freedom-of-expression-in-india

ICANN and Global Internet Governance: The Road to São Paulo, and Beyond

praskrishna — 2014-04-03T09:54:08Z

A conference to be held on Friday 21 March 2014 at the ICANN 49 meeting venue, the Raffles City Convention Centre, Singapore, in the Olivia Room, from 10:00 to 18:00. Organized by the NonCommercial Users Constituency (NCUC) of the Generic Names Supporting Organization, with the generous support of ICANN. Geetha Hariharan participated in this event.

Click to read more on the conference here.

The NETMundial Global Multistakeholder Meeting on the Future of the Internet Governance will be held in São Paulo, Brazil on 23-24 April 2014.

Initiated by Brazilian President Dilma Rousseff and ICANN CEO Fadi Chehadé, and co-organized by the Brazilian Internet Steering Committee and /1Net, the meeting will bring together a wide range of government, business, technical community, civil society and academic participants from around the world. The organizers describe its objectives as, “crafting Internet governance principles and proposing a roadmap for the further evolution of the Internet governance ecosystem.”

The purpose of this NCUC conference is to provide a first opportunity for intensive, F2F cross-community dialogue on the main substantive topics likely to be addressed in São Paulo. Stakeholders from across the ICANN community have expressed a range of views and uncertainties about the meeting’s precise substantive focus, expected outcomes, and potential significance in the continuing evolution of the global Internet governance ecosystem. It is hoped that the NCUC conference will help the community to work through the issues at stake and to prepare for its participation in the NETMundial.

On Site Participation
The meeting is free of charge and open to all members of the ICANN community. People wishing to attend must register for the conference and indicate whether they wish to be included in the lunch and/or the reception. Attendees must also register for the ICANN meeting in order to access the conference venue.

Remote Participation
ICANN will provide live remote participation via Adobe Connect, audiocast, and telephone dial-in. They also will videotape the conference for subsequent web access. For access please visit http://singapore49.icann.org/en/schedule/fri-ncuc-ig

Written Inputs
Members of the ICANN community are invited to provide personal or organizational written inputs related to the four panel topics indicated on the conference program. These will be added to the online repository associated with each of the sessions. If interested, please send your inputs to ncuc@ncuc.org.

Programme details here

For more details visit https://cis-india.org/news/non-commercial-users-constituency-icann-and-global-internet-governance

Twenty-five distinguished experts appointed to Global Commission on Internet Governance’s Research Advisory Network

praskrishna — 2014-04-03T07:20:24Z

Twenty-five distinguished scholars and internationally recognized experts have been appointed to the Global Commission on Internet Governance’s (GCIG) new Research Advisory Network (RAN).

Sunil Abraham is one the 25 experts appointed to the Global Commission on Internet Governance’s Research Advisory Network. Read the original published by the Global Commission on Internet Governance here.

The Global Commission is a two-year initiative launched in January 2014, by the Centre for International Governance Innovation (CIGI) and Chatham House. Chaired by Sweden’s Foreign Minister Carl Bildt, the commission will produce a comprehensive stand on the future of multi-stakeholder Internet governance.

The commission’s RAN, led by CIGI Senior Fellow Laura DeNardis, will assist in identifying and prioritizing Internet governance and Internet policy related issues within the commission’s mandate. Members of the RAN will provide expert briefings to the members of the commission and conduct research and analysis for the commission’s preparatory work and final report.

“The research advisory network will be an indispensable component of the Global Commission on Internet Governance,” said Fen Osler Hampson, co-director of the commission and director of CIGI’s Global Security & Politics program. “Under the direction of Laura DeNardis, the RAN will be of great benefit to this initiative’s critical analysis and findings. I’m grateful that these experts have agreed to participate.”

The twenty-five member network consists of:

Sunil Abraham
Izumi Aizu
Peng Hwa Ang
Subimal Bhattacharjee
David Clark
Sadie Creese
Leslie Daigle
Oleg Demidov
William Dutton
Lorraine Eden
Laurent Elder
Patrik Fältström
Tobias Feakin
Urs Gasser
Clem Herman
Jeanette Hofmann
Konstantinos Komaitis
Ronaldo Lemos
Meryem Marzouki
Carolina Rossini
Michael Schmitt
Emily Taylor
Rolf H. Weber
Andrew Wyckoff
Christopher S. Yoo

Additional RAN members will be confirmed over time. For more information on the GCIG, including its twenty-nine commissioners and twenty-five research advisers, please visit: www.ourinternet.org. Follow the commission on Twitter @OurInternetGCIG.

For more details visit https://cis-india.org/news/25-experts-appointed-to-global-commission-on-ig-research-advisory-network

No to homosexuals, yes to their vote

praskrishna — 2014-04-04T09:54:39Z

The ad appears at the bottom of the page. It has BJP’s symbol and Modi’s photograph displayed prominently.

The article by Yogesh Pawar was published in DNA on March 21, 2014. Sunil Abraham is quoted.

In a hotly contested election where every vote will count, the scramble among political parties to scrounge for votes is understandable. Yet, what would you make of a party that hates a community but wants their votes? The BJP had opposed any move to nullify Supreme Court's order re-criminalizing consensual sex among consenting adults, dealing a huge setback to any move to scrap or dilute Section 377 of the Indian Penal Code (IPC). Party chief Rajnath Singh went to the extent of saying, "Gay sex is not natural and we cannot support something which is unnatural."

This is why the gay community across the country has expressed surprise to find a BJP ad asking for votes on the popular gay social media dating website grindr. The ad which will obviously lead to to a lot of red faces in the BJP, appears at the bottom of the page has both the party' lotus symbol and their prime-ministerial candidate Narendra Modi's photograph displayed prominently. It exhorts voters to vote BJP to stop price rise.

"This exposes the party's hypocrisy," guffawed India's pioneering gay rights activist Ashok Row Kavi. "So you want our votes and not us. I'm glad this has happened. The country will finally know the true face of falsehood of the party."

He's not alone. Many from the community have taken to social media sites like facebook and twitter to make their disgust known. Counselling psychologist Deepak Kashyap is one of them. "So, #BJP says it'd never support the "unnatural act" of homosexuality, but #NaMO has no qualms about asking for support on gay dating apps, like grindr! What a sham(e)!" he posted.

Linking most homophobia with an intense struggle with latent homosexuality Kashyap, the University of Bristol pass-out and equal rights activist for the LGBTQ community told dna, "Whatever makes you jump up in your chair, essentially makes you insecure about your own condition in some way or the other." According to him, similar results were shown in a research called 'Is Homophobia Associated with Homosexual Arousal?', by Georgia University published in the Journal of Abnormal Psychology.

When reached for comment, the BJP's National IT head Arvind Gupta said, "I am not aware of such an ad being placed on this website. If this is indeed true we will take it up with the advertising agency responsible." BJP spokesperson and Lok Sabha candidate from New Delhi Meenakshi Lekhi too told dna, "This is the first I am hearing of such an advertisement," and added, "In the first instance it seems like a deliberate act of mischief in the poll season to embarrass our party."

Centre for Internet and Society, Executive Director Sunil Abraham felt the ad on grindr may have to do more with the lack of knowledge than anything else. "We find many ads by top Indian corporate brands on pirate websites. This happens because people are still not completely conversant with negotiating with advertising networks when it comes to websites."

For more details visit https://cis-india.org/news/dna-march-21-2014-yogesh-pawar-no-to-homosexuals-yes-to-their-vote

C-DoT's surveillance system making enemies on internet

praskrishna — 2014-04-04T09:45:37Z

Reporters Without Boundaries says it gives unbridled power to law- enforcement agencies to snoop on citizens.

The article by Krishna Bahirwani was published in DNA on March 21, 2014. Sunil Abraham is quoted.

The Central Monitoring System (CMS) developed by the Centre for Development of Telematics (C-DoT) has come under fire from a France based non-profit organisation, which claims the system has the capacity to directly snoop on all forms of communications over phone and internet, without involving telecom operators.

The NGO's Reporters Without Boundaries report 2014, 'Enemies Of The Internet' has equated C-DoT with Government Communications Headquarters (GCHQ) in the UK, and the US's National Security Agency (NSA), which recently came under criticism for spying on citizens.

CMS, India's mass electronic surveillance system, was rolled out in 2013.

Before the CMS, tapping was done by the telecom operators, but not before taking prior permission. The CMS gives direct access to C-DoT employees and law-enforcement agencies.

CMS has created an automated front containing central and regional databases, which central and state government agencies can use to intercept and monitor any landline, mobile or internet connection in India.

Minister of state for information technology Milind Deora said, "The new data collection system will actually improve citizens' privacy because telecommunications companies would no longer be directly involved in the surveillance."

Asked what would prevent C-DoT employees, who would have access to data, from misusing it, Deora said, "There is a switching mechanism (that) diverts the call to law-enforcement agencies and eliminates layers. The existing surveillance and interception system is actually insecure as the operator, people from the home ministry and other government officials have access to the data. The CMS will erase such people from play."

"I want the people to know the design aspects and how the system is being used for lawful interceptions, so that they can shed their inhibitions We do not want to put power in the hands of the bureaucrats" he said.

Harold Dcosta, a cyber security expert who trains Maharashtra and Goa police, said, "It's possible that employees of CDoT/law enforcement agencies could use the information gathered by CMS for personal or political use although 43 and 43 A of the IT Act would protect people when something like that happens and will give the person compensation.

He said, "There should be more transparency with regard to CMS".

Sunil Abraham, executive director of Bangalore-based non-profit Centre for Internet and Society said the mistaken assumption in their thinking is technology will serve as a check and balance.

"Technology can always be compromised," he said. There is no way to find out about what is actually going on. If the CMS is abused it is very difficult to prove."

Deora said a privacy law is being drafted to address these issues. Last month, a parliamentary standing committee rejected the government claim that IT Act protects citizens' privacy. The committee, chaired by former Congress MP Rao Inderjit Singh, said, "The committee is extremely unhappy to note that the government is yet to institute a legal framework on privacy."

For more details visit https://cis-india.org/news/dna-march-21-2014-krishna-bahirwani-c-dots-surveillance-system-making-enemies-on-internet

European Union Draft Report Admonishes Mass Surveillance, Calls for Stricter Data Protection and Privacy Laws

divij — 2014-09-30T08:52:45Z

Ever since the release of the “Snowden files”, the secret documents evidencing the massive scale of surveillance undertaken by America’s National Security Agency and publically released by whistle-blower Edward Snowden, surveillance in the digital age has come to the fore of the global debate on internet governance and privacy.

The Committee on Civil Liberties, Justice and Home Affairs of the European Parliament in its draft report on global surveillance has issued a scathing indictment of the activities of the NSA and its counterparts in other member nations and is a welcome stance taken by an international body that is crucial to the fight against surveillance.

The "European Parliament Draft Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs" released on the 8^th of January, 2014, comprehensively details and critiques the mass surveillance being undertaken by government agencies in the USA as well as within the EU, from a human rights and privacy perspective. The report examines the extent to which surveillance systems are employed by the USA and EU member-states, and declares these systems in their current avatars to be unlawful and in breach of international obligations and fundamental constitutional rights including "the freedom of expression, of the press, of thought, of conscience, of religion and of association, private life, data protection, as well as the right to an effective remedy, the presumption of innocence and the right to a fair trial and non-discrimination".

Furthermore, the report points to the erosion of trust between the EU and the US as well as amongst member states as an outcome of such secret surveillance, and criticises and calls for a suspension of the data-sharing and transfer agreements like the Terrorist Finance Tracking Program (TFTP), which share personal information about EU citizens with the United States, after examining the inadequacy of the US Safe Harbour Privacy principles in ensuring the security of such information.

After considering the secret and unregulated nature of these programmes, the report points to the need of restricting surveillance systems and criticizes the lack of adequate data protection laws and privacy laws which adhere to basic principles such as necessity, proportionality and legality.. It also questions the underlying motives of these programmes as mere security-tools and points to the possible existence of political and economic motives behind their deployment. Recognizing the pitfalls of surveillance and the terrible potential for misuse, the report "condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of the press, thought and speech, as well as a significant potential for abuse of the information gathered against political adversaries."

Amongst the recommendations in the 51-page report are calls for a prohibition of mass surveillance and bulk data collection, and an overhaul of the existing systems of data-protection across the European Union and in the US to recognize and strengthen the right to privacy of their citizens, as well as the implementation of democratic oversight mechanisms to check security and intelligence agencies. It also calls for a review of data-transfer programmes and ensuring that standards of privacy and other fundamental rights under the European constitution are met. The committee sets out a 7-point plan of action, termed the European Digital Habeus Corpus for Protecting Privacy, including adopting the Data Protection Package, suspending data transfers to the US until a more comprehensive data protection regime is through an Umbrella Agreement, enhancing fundamental freedoms of expression and speech, particularly for whistleblowers, developing a European Strategy for IT independence and developing the EU as a reference player for democratic and neutral governance of the internet.

Though this draft report has no binding legal value as yet, the scathing criticism has assisted in calling to the attention of the global community the complex issues of internet governance and privacy and surveillance, and generated debate and discourse around the need for an overhaul of the current system. The recent decision of the US government to ‘democratize’ the internet by handing control of the DNS root zone to an international body, and thereby relinquishing a large part of its means of controlling the internet, is just one example of the systemic change that this debate is generating.

For more details visit https://cis-india.org/internet-governance/blog/european-union-draft-report-admonishes-mass-surveillance

Privacy worries cloud Facebook's WhatsApp Deal

sunil — 2014-03-20T05:59:28Z

Privacy activists in the United States have asked the competition regulator or the Federal Trade Commission to put on hold Facebook's acquisition of WhatsApp. Why have they done this when Facebook has promised to leave WhatsApp untouched as a standalone app?

Read the original published in the Economic Times on March 14, 2014

Activists have five main concerns.

Facebook has a track record of not keeping its promises to users.
The ethos of both companies when it comes to privacy is diametrically opposite.
The probability that WhatsApp messages and content will be intercepted because of Facebook's participation in NSA's PRISM spying programme.
Facebook slurping WhatsApp's large repository of phone numbers.
Two hundred trackers already monitor your internet use when you are not using Facebook and now they tracking mobile use much more granularly. This week the Indian competition regulator (CCI) also told the media that the acquisition would be subject to scrutiny. However, unlike the US regulator the Indian regulator does not have the mandate to examine the acquisition from a privacy perspective.

LIRNEAsia research in Indonesia paints a very similar picture to one we have in India. When Indonesian mobile phone users were asked if they used Facebook they answered in affirmative. Then the very same users were asked if they used the internet and they replied in negative. A large number of Facebook users in these other similar economies are trapped within what are called "walled gardens."

Walled gardens allow mobile phone subscribers without data connections to get access to a single over-the-top service provider like Facebook because their telcom provider has an arrangement. Software such as Facebook on every phone makes it possible for feature phone users to also enter the walled garden.

According to Facebook it "is a fast and easyto-use native app that works on more than 3,000 different types of feature phones from almost every handset manufacturer that exists today."

Unlike North American and European users of Facebook - who freely roam the "world wild web" and then choose to visit Facebook when they want to many Indian users will first experience data services in a domesticated fashion within a walled garden.

Whether or not they will wander in the wild when they are have full access to the internet remains to be seen. But given our poor rates of penetration, dogmatic insistence on network neutrality at this early stage of internet adoption may not be the right way to maximise welfare and consumer interest.

Fortunately for Facebook and unfortunately for us, India still does not have a comprehensive data protection or horizontal privacy law. The Justice AP Shah Committee that was constituted by the Planning Commission in October 2012 recommended that the Privacy Act articulate national privacy principles and establish the office of the Privacy Commissioner. It further recommended that data protection and surveillance be regulated for both the private sector and the state.

Since then the Department of Personnel and Training has updated the draft bill to implement these recommendations and has been working towards consensus within government.

Since we still don't have our own privacy regulator we will have to depend on foreign data protection authorities and privacy commissioners to protect us from the voracious appetite for personal data of over-the-top service providers like Facebook This is woefully insufficient because they will not act on harm caused to Indian consumers or be aware of how Facebook acts differently in the Indian market.

As we approach the first general election in India when social media will play a small but influential role it would have been excellent if we had someone to look out for our right to privacy.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-march-14-2014-sunil-abraham-privacy-worries-cloud-facebook-whatsapp-deal