We are anonymous, we are legion

What is net neutrality and why it is important

praskrishna — 2014-02-03T08:24:34Z

Internet is built around the idea of openness. It allows people to connect and exchange information freely, if the information or service is not illegal.

The article was published in the Times of India on January 20, 2014. Sunil Abraham is quoted.

Much of this is because of the idea of net neutrality. If you like the current state of the internet, you should know about net neutrality. Many web users are aware of it. But if you are not, don't worry. We explain it here:

What is net neutrality?
Net neutrality is an idea derived from how telephone lines have worked since the beginning of the 20th century. In case of a telephone line, you can dial any number and connect to it. It does not matter if you are calling from operator A to operator B. It doesn't matter if you are calling a restaurant or a drug dealer. The operators neither block the access to a number nor deliberately delay connection to a particular number, unless forced by the law. Most of the countries have rules that ask telecom operators to provide an unfiltered and unrestricted phone service.

When the internet started to take off in 1980s and 1990s, there were no specific rules that asked that internet service providers (ISPs) should follow the same principle. But, mostly because telecom operators were also ISPs, they adhered to the same principle. This principle is known as net neutrality. An ISP does not control the traffic that passes its servers. When a web user connects to a website or web service, he or she gets the same speed. Data rate for Youtube videos and Facebook photos is theoretically same. Users can access any legal website or web service without any interference from an ISP.

Some countries have rules that enforce net neutrality but most don't. Instead, the principle is followed because that is how it has always been. It is more of a norm than a law.

How did net neutrality shape the internet?
Net neutrality has shaped the internet in two fundamental ways.

One, web users are free to connect to whatever website or service they want. ISPs do not bother with what kind of content is flowing from their servers. This has allowed the internet to grow into a truly global network and has allowed people to freely express themselves. For example, you can criticize your ISP on a blog post and the ISP will not restrict access to that post for its other subscribers even though the post may harm its business.

But more importantly, net neutrality has enabled a level playing field on the internet. To start a website, you don't need lot of money or connections. Just host your website and you are good to go. If your service is good, it will find favour with web users. Unlike the cable TV where you have to forge alliances with cable connection providers to make sure that your channel reaches viewers, on internet you don't have to talk to ISPs to put your website online.

This has led to creation Google, Facebook, Twitter and countless other services. All of these services had very humble beginnings. They started as a basic websites with modest resources. But they succeeded because net neutrality allowed web users to access these websites in an easy and unhindered way.

What will happen if there is no net neutrality?
If there is no net neutrality, ISPs will have the power (and inclination) to shape internet traffic so that they can derive extra benefit from it. For example, several ISPs believe that they should be allowed to charge companies for services like YouTube and Netflix because these services consume more bandwidth compared to a normal website. Basically, these ISPs want a share in the money that YouTube or Netflix make.

Without net neutrality, the internet as we know it will not exist. Instead of free access, there could be "package plans" for consumers. For example, if you pay Rs 500, you will only be able to access websites based in India. To access international websites, you may have to pay a more. Or maybe there can be different connection speed for different type of content, depending on how much you are paying for the service and what "add-on package" you have bought.

Lack of net neutrality, will also spell doom for innovation on the web. It is possible that ISPs will charge web companies to enable faster access to their websites. Those who don't pay may see that their websites will open slowly. This means bigger companies like Google will be able to pay more to make access to Youtube or Google+ faster for web users but a startup that wants to create a different and better video hosting site may not be able to do that.

Instead of an open and free internet, without net neutrality we are likely to get a web that has silos in it and to enter each silo, you will have to pay some "tax" to ISPs.

What is the state of net neutrality in India?
Legally, the concept of net neutrality doesn't exist in India. Sunil Abraham, director of Centre for internet and Society in Bangalore, says that Trai, which regulates the telecom industry, has tried to come up with some rules regarding net neutrality several times. For example it invited comments on the concept of net neutrality from industry bodies and stakeholders in 2006. But no formal rules have been formed to uphold and enforce net neutrality.

However, despite lack of formal rules, ISPs in India mostly adhere to the principal of net neutrality. There have been some incidents where Indian ISPs have ignored net neutrality but these are few and far between.

Will the concept of net neutrality survive?
Net neutrality is sort of gentlemen's agreement. It has survived so far because few people realized the potential of internet when it took off around 30 years ago. But now when the internet is an integral part of the society and incredibly important, ISPs across the world are trying to get the power to shape and control the traffic. But there are ways to keep net neutrality alive.

Consumers should demand that ISPs continue their hands-off approach from the internet traffic. If consumers see a violation of net neutrality, they ought to take a proactive approach and register their displeasure with the ISP. They should also reward ISPs that uphold the net neutrality.

At the same time, as Abraham says, Trai needs to come out with a set of clear and precise rules that protect the net neutrality. "We have started seeing ISPs trying to take control of the traffic that flows from their servers but Trai can regulate them. It can keep the internet open and consumer-friendly by forming rules that protect net neutrality. These are early days so it is easy to do. If ISPs manage to change the system, it may become too late," he says.

For more details visit https://cis-india.org/news/times-of-india-january-20-2014-what-is-net-neutrality-and-why-is-it-important

GNI Assessment Finds ICT Companies Protect User Privacy and Freedom of Expression

elonnai — 2014-01-20T06:17:46Z

Elonnai Hickok analyses a public report recently published by GNI on the independent assessment process for Google, Microsoft, and Yahoo. The report finds Google, Microsoft, and Yahoo to be in compliance with the GNI principles on privacy and freedom of expression.

Introduction

In January 2014, the Global Network Initiative (GNI) published the Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo. GNI is an industry consortium that was started in 2008 with the objective of protecting user’s right to privacy and freedom of expression globally. The main objectives of GNI are to provide a framework for companies that is based on international standards, ensure accountability of ICT companies through independent assessments, create opportunities for policy engagement, and create opportunities for stakeholders from multiple jurisdictions to engage in dialogue with each other. The Centre for Internet and Society, Bangalore, is a member of GNI. Companies based in India have yet to join as members to the GNI network.

Overview of the Public Report

The Public Report provides an overview of assessments completed on the practices and policies of Google, Yahoo, and Microsoft from 2011 - 2013 to measure company compliance with the GNI principles on freedom of expression and privacy. The principles lay out broad guidelines that member companies should seek to incorporate in their internal and external practices and speak to freedom of expression, privacy, responsible company decision making, multi – stakeholder collaboration, and organizational governance, accountability, and transparency. The GNI principles have also been developed with Implementation Guidelines to provide companies with a framework for companies to respond to government requests. The assessment carried out by GNI reviewed cases in each company pertaining to governmental: blocking and filtering, takedown requests, criminalization of speech, intermediary liability, selective enforcement, content surveillance, and requests for user information.

Importantly, the assessment undertaken by GNI finds Yahoo, Microsoft, and Google to be in compliance with the GNI principles on freedom of expression and privacy. The Report highlights practices by the companies that work to protect freedom of expression and privacy such as conducting human rights impact assessments, issuing transparency reports, and notifying affected users when content is removed, have been, adopted by these companies. For example, Google conducts Human Rights Impact Assessments to assess potential threats to freedom of expression and privacy. Google also has in place internal processes to review governmental requests impacting freedom of expression and privacy, and the legal team at Google prepares a “global removal report” to provide a bird’s eye view of trends emerging from content removal requests. If Google has the email address of a user who’s posted content is removed, Google will often notify the user and directs the user to the Chilling Effects website. Google has also published a transparency report since 2010. Like Google, Microsoft conducts Human Rights Impact Assessments before making decisions on whether to incorporate certain features into its platforms when operating in high risk markets. Microsoft has also issued two global law enforcement requests reports in 2013. Yahoo has established a Business and Human Rights Program to ensure responsible actions are taken by the company with regards to freedom of expression and privacy, and now issues transparency reports about government requests. Yahoo’s Public Policy team also engages in dialogue with governments on an international level about existing and proposed legislation impacting and implicating privacy and freedom of expression.

The Report highlights challenges to compliance with the GNI principles that companies face – namely legal restraints and mandates that they are faced with. On the issue of transparency, the assessment found that companies do not disclose information when there are legal prohibitions on such disclosure, when users privacy would be implicated, when companies choose to assert attorney client privilege, and when trade secrets are involved. Despite this, the assessment found that companies do deny and push back on governmental requests impacting freedom of expression and privacy for reasons such as the request needed clarification and modification, or that the request needed to follow established procedure.

A number of findings came out of the assessments undertaken for the Report including:

As demonstrated by the lack of ability to access information about secret national security requests, and the lack of ability for companies to disclose information on this topic there is a dire need for governments to reform surveillance policy and law impacting freedom of expression and privacy.
The implementation of the GNI Principles is challenging when a company is undergoing an acquisition. In this scenario, contractual provisions limiting third party disclosure are critical in ensuring protection of privacy and free expression rights.
Companies need to pro-actively and on an ongoing basis internally review governmental restrictions on content to determine if it is in compliance with the commitment made by that company to the GNI Principles.

The assessment resulted in GNI defining a number of actionable (non-binding) recommendations for companies such as:

Improving the integration of human rights considerations in the due diligence process with respect to the acquiring and selling companies.
Consider the impact of hardware on freedom of expression and privacy.
Improve external and internal reporting.
Review employee access to user data to ensure that employee access rights are restricted by both policy and technical measures on a ‘need to know’ basis across global operations.
Review executive management training.
Improve stakeholder engagement.
Improve communication with users.
Increase sharing of best practices.
The GNI principles are focused on freedom of expression and privacy and are based on internationally recognized laws and standards for human rights.

NSA leaks, global push for governmental surveillance reform, and the Public Report

With special attention given to the various companies responses to the NSA leaks, the Report notes that in response to the NSA leaks the assessed companies have issued public statements and filed legal challenges with the US government and filed suit with the FISA Court seeking the right to disclose data relating to the number of FISA requests received with the public. All three companies have also supported legislation and policy that would allow for such transparency. Furthermore in December 2014, the companies , along with other internet companies, developed and issued the five Principles on Global Government Surveillance Reform. Similar to other efforts to end mass and disproportionate surveillance, such as the Necessary and Proportionate principles, the Principles on Global Government Surveillance Reform address: Limiting Governments’ Authority to Collect Users’ Information, Oversight and Accountability, Transparency about Government Demands, Respecting the Free Flow of Information, Avoiding Conflicts Among Governments. Other companies that signed these principles include AOL, Facebook, LinkedIn, and Twitter.

Along these lines, on January 14^th, GNI released the statement “Surveillance Reforms to Protect Rights and Restore Trust”, urging the U.S Government to review and enact surveillance legislation that incorporate a ‘rights based’ approach to issues involving national security. In the statement, GNI specifically recommends the Government to action and: end mass collection of communications metadata, protect and uphold the rights of non-Americans, continue to increase transparency of surveillance practices, support the use of strong encryption standards.

Conclusion and way forward

Looking ahead, GNI is planning on developing and implementing a mechanism to address effectively address consumer engagement and complaints issued by individuals who feel that GNI member companies have not acted consistently with the commitments made as a GNI member. GNI is also looking to expand work around public policy and surveillance.

The Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo is an important step towards ensuring ICT sector companies are accountable to the public in their practices impacting freedom of expression and privacy. The assessment comes at a time when ICT companies often find themselves stuck between a rock and a hard place – with Governments issuing surveillance and censorship demands with mandates for non-disclosure, and the public demanding transparency, company resistance to such demands from the Government, and a strong commitment to users freedom of expression and privacy. Hopefully, the GNI assessment is and will evolve into a middle ground for ICT companies – where they can be accountable to the public and their customers and compliant with Governmental mandates in all jurisdictions that they operate in. It will be interesting to see if in the future Indian companies join GNI as members and being to adopt the GNI principles and undergo GNI assessments.

For more details visit https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression

Social Notworking - 'Murder by Twitter'

praskrishna — 2014-02-04T07:02:30Z

Suketu Mehta (@suketumehta) - terrible news about sunanda tharoor. this is murder by twitter.

The article by Malini Nair published in the Times of India quotes Nishant Shah.

Even before forensic science has declared the reasons behind Sunanda Pushkar's shocking death on Friday night, social media has been accused of murder. Writer Suketu Mehta wasn't the only one to point fingers. "First murder by @TwitterIndia , claps, fellow twitter matured guns!" is how another tweet went. Besides the deadly cocktail of depression, drugs, a strained marriage, questions have been raised about whether the vicious banter and collective howls of derision on social media over her very public meltdown — again on social media — pushed her over the edge.
Have we, the tweeple, in our eagerness to share every detail of our lives over an internet megaphone, not quite understood what the social media can do, especially its pitfalls? Is the line between the public and private blurring too fast? Commentators say that the rules that govern human and social behaviour haven't changed, and the fault lies in how we negotiate the cyber turf.

Can our digital lives have serious offline consequences? Nishant Shah, director, research , Centre for Internet & Society, Bangalore, says people need to realize that though twitter amplifies everything, but the ability to hurt, be mean, fight, question, critique and bully is not new.

"These are human practices , which replay themselves across different media forms. What is perhaps new is that our most personal and darkest desires have become available for public spectacle," says Shah.

That the twitterati can be brutal has been shown often enough this last year. When Tehelka editor Tarun Tejpal was mired in allegations of sexual harassment, his daughter was hounded on social media. Recently when novelist Lavanya Sankaran wrote an op-ed for New York Times defending the decent Indian man, she was royally derided, so much so that another journalist Rahul Bhatia tweeted in her defence, asking people to lay off.

Sunanda's story hurtled towards a tragedy in a space of 48 hours after she went public. As Shah points out it wasn't as though there were no affairs and scandals before the dawn of social media but the tangle would have spun out differently and less brutally in another time and age. It all began, as Pushkar admitted to some papers and later denied, with the spilling of alleged BBMs sent by Pakistani journalist Mehr Tarar to Tharoor on his twitter account.

Predictably, the effect of the first round of revelations was explosive. In fact, Pushkar herself appeared taken aback by the fact that a twitter spat ended up making front page headlines.

The entire drama which, in another age, would have played out at home or a circle of family, friends and acquaintances — and at the most in far less dramatic gossip columns and on TV— was up on social media, provide enormous vicarious pleasure to thousands of social media bystanders. That Pushkar herself set the virtual assault in motion only adds to the bleak irony of it all. This was also not the first time Pushkar took a spat to twitter. @SPTVrocks tweeted about her fight with a journalist in Dubai earlier this month.

Clinical psychologist Varkha Chulani says it is the personality behind the media usage not the form itself that is to be blamed. "People choose to talk about their private lives to impress others, to get attention. We forget what is real and what is virtual." Shah, however, believes that we live in a world of digital striptease and that the ubiquitous and pervasive technologies that surround us have forever blurred the lines between real and virtual.

Activists have often pointed out that the social media has everything going for it — quick and vast connect and instant response — but what it lacks is empathy. It is easy enough to send out an RIP message, for instance, for someone you don't know or even care for, positioning yourself as a caring, empathetic soul in 140 characters.

Post Pushkar's death, news anchor Barkha Dutt tweeted that we need to limit viciousness , stop judging and use greater compassion on twitter.

Shah makes a similar plea for the human touch.

"We are all so self-involved , creating narratives of our selves, bit-stripping every moment , instagramming every event, tweeting every encounter, and liking all the various things that happen around us, that we don't always have enough time to stop, to respond, to think and reflect upon other people's conditions . We have become jaded, to the various 'great' moments in people's time lines, but we are also becoming jaded to the pain that our involvement in these social networks can bring to those who are the subject of our attention," he says.

With additional reporting by Shobita Dhar

For more details visit https://cis-india.org/news/the-times-of-india-january-19-2014-malini-nair-social-networking-murder-by-twitter

EU parliament report slams US surveillance

praskrishna — 2014-02-03T06:13:55Z

Report that outlines need for stringent laws for protecting citizen privacy, democratizing Internet governance holds lessons for India, say analysts.

The article by Moulishree Srivastava and Elizabeth Roche quotes Sunil Abraham. It was published in Livemint on January 17, 2014.

A European Union (EU) parliament report that outlines the need for stringent laws for protecting citizen privacy, democratizing Internet governance and rebuilding trust between Europe and the US holds many lessons for India, analysts and policymakers say.

The US government listened into Indian communications as part of its massive global surveillance, which was exposed last year in leaks to the media. The embassies of France, Italy, Greece, Japan, Mexico, South Korea and Turkey were also subjected to the surveillance put in place after the September 2001 terrorist attacks. According to the external affairs ministry, India has registered its protest at least thrice over the issue with US authorities.

A draft report on the US National Security Agency’s surveillance programme by the European parliament’s committee on civil liberties, justice and home affairs states that trust between the two transatlantic partners, trust among EU member-states, and trust between citizens and their governments were profoundly shaken because of the spying, and to rebuild trust in all these dimensions a comprehensive plan was urgently needed.

"It is very doubtful that data collection of such magnitude is only guided by the fight against terrorism, as it involves the collection of all possible data of all citizens; points therefore to the possible existence of other power motives such as political and economic espionage," says the report.

The report recommends prohibiting blanket mass surveillance activities and bulk processing of personal data, and asks EU member-states, including the UK, Germany, France, Sweden and the Netherlands, to revise their national legislation and practices governing the activities of intelligence services to ensure that they are in line with the standards of the European Convention on Human Rights.

It also calls on the US to revise its legislation without delay in order to bring it in line with international law, recognizing privacy and other rights as well as providing for judicial redress for EU citizens.

"The American approach to privacy regulation has been deeply flawed. The US dominance over the Internet affects the structure and substance of Internet governance and among other human rights, the right to privacy," said Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based not-for-profit research organization. "The (EU) report, if implemented, may change the future of Internet governance by deepening the existing leadership provided by the EU in promoting their privacy standards globally."

On India’s rather restrained reaction to the spying, he said, “It is a tragedy that our politicians are not as proactive when it comes to protecting our rights. While India has only focused on changing its official email policy after the revelations of mass surveillance, it has done nothing as concrete and comprehensive as EU."

"There is neither the recognition of (the) pervasive nature of global mass surveillance, nor is there full appreciation (of) the damaging consequences," Abraham added.

J. Satyanarayana, secretary in India’s department of electronics and information technology, said the concerns over privacy are the same for India as for the EU, but declined to comment on what preventive steps the government is implementing due to security reasons. The EU report called for concluding the EU-US umbrella pact, a framework agreement on data protection in the field of police and judicial cooperation, to ensure proper redress mechanisms for EU citizens in the event of data transfers from the EU to the US for law enforcement purposes. The report asks EU policymakers not to initiate any new sectoral agreements or arrangements for the transfer of personal data for law enforcement purposes and suggests suspending the terrorist finance tracking programme until the umbrella agreement negotiations are concluded.

"EU wants to use EU-US umbrella agreement...to raise the US standards, to ensure the rights of EU citizens and perhaps all the citizens. All humans will need protection under US law as is currently the case in the EU,” said Abraham. “The prohibition of blanket surveillance that the report recommends will hopefully apply to all citizens regardless of their nationality."

The draft report goes as far as suggesting suspending Safe Harbour, the legal instrument used for the transfer of EU personal data to the US through Google, Microsoft, Yahoo, Facebook, Apple and LinkedIn, until a full review has been conducted and current loopholes are plugged. The report’s proposals and recommendations are likely to be implemented after election to the European parliament in May.

In addition to reforms in the existing systems, the report outlines the importance of development of European clouds as it notes that trust in US cloud computing and cloud services providers has been affected by the surveillance practices.

"Three of the major computerized reservation systems used by airlines worldwide are based in the US and that PNR (passenger name record) data are saved in cloud systems operating on US soil under US law...lacks data protection adequacy," states the report.

C.U. Bhaskar, analyst with the South Asia Monitor think tank, was of the view that India had “adequately” responded to the US through quiet diplomacy.

"It is unlikely that the US will give up cyber surveillance,” he said, adding, “We should acquire our own capacity to ensure adequate defensive and offensive firewalls and build up appropriate capacity for our cyber programmes."

"Given our expertise in the IT (information technology) sector, as an analyst my opinion is that we have a reasonable capacity to build up our capabilities," Bhaskar added.

For more details visit https://cis-india.org/news/livemint-january-17-2014-moulishree-srivastava-elizabeth-roche-eu-parliament-slams-us-surveillance

Electoral Databases – Privacy and Security Concerns

snehashish — 2014-01-16T11:07:21Z

In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.

The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.[i] After due consideration, the ECI has decided to drop the plan.[ii]

The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters including, personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although, the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.

Publication of Electoral Rolls
The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.

The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document[iii] given that the roll is published and can be circulated on the direction of the ECI.

With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.[iv] In addition to that, the electoral rolls for the entire country are available on the ECI website.[v] However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.[vi]

Security Concerns
The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.

In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “With Great Computing Power Comes Great Surveillance”[vii] Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain

For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.

Current IT Laws does not mandate the protection of the electoral database
A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”[viii] However, the appropriate Government has not notified the electoral database as a protected system[ix]. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.

The Information Technology Rules (IT Rules) are also not applicable to electoral databases, per se. Since, ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (hereinafter Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”[x] and should arguably be made subject to the Rules.

The intent of the ECI for hosting the entire country’s electoral database online inter alia is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”[xi] However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.

The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.

Conclusion
Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose threat to privacy of the voters and also lead to security breach. It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent, therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.

It is recommended that the Electors Registration Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.

[i] Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss

[ii] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

[iii] Section 74, Indian Evidence Act, 1872

[iv] eci.nic.in/eci_main1/the_function.aspx

[v] http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx

[vi] “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at eci.nic.in/eci_main/eroll&epic/ins06012010.pdf

[vii] http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/

[viii] Section 70, Information Technology Act, 2000

[ix] Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure

[x] Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[xi] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

For more details visit https://cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns

Surveillance and the Indian Constitution - Part 1: Foundations

pranesh — 2014-01-23T15:12:30Z

In this insightful seven-part series, Gautam Bhatia looks at surveillance and the right to privacy in India from a constitutional perspective, tracing its genealogy through Supreme Court case law and compares it with the law in the USA.

Note: This was originally posted on the Indian Constitutional Law and Philosophy blog.

On previous occasions, we have discussed the ongoing litigation in ACLU v. Clapper in the United States, a challenge to the constitutionality of the National Security Agency’s (NSA) bulk surveillance program. Recall that a short while after the initial Edward Snowden disclosures, The Hindu revealed the extent of domestic surveillance in India, under the aegis of the Central Monitoring System (CMS). The CMS (and what it does) is excellently summarized here. To put thing starkly and briefly:

“With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.”

The CMS is not sanctioned by parliamentary legislation. It also raises serious privacy concerns. In order to understand the constitutional implications, therefore, we need to investigate Indian privacy jurisprudence. In a series of posts, we plan to discuss that.

Privacy is not mentioned in the Constitution. It plays no part in the Constituent Assembly Debates. The place of the right – if it exists – must therefore be located within the structure of the Constitution, as fleshed out by judicial decisions. The first case to address the issue was M. P. Sharma v. Satish Chandra, in 1954. In that case, the Court upheld search and seizure in the following terms:

"A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to Constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right. by some process of strained construction."

The right in question was 19(1)(f) – the right to property. Notice here that the Court did not reject a right to privacy altogether – it only rejected it in the context of searches and seizures for documents, the specific prohibition of the American Fourth Amendment (that has no analogue in India). This specific position, however, would not last too long, and was undermined by the very next case to consider this question, Kharak Singh.

In Kharak Singh v. State of UP, the UP Police Regulations conferred surveillance power upon certain “history sheeters” – that is, those charged (though not necessarily convicted) of a crime. These surveillance powers included secret picketing of the suspect’s house, domiciliary visits at night, enquiries into his habits and associations, and reporting and verifying his movements. These were challenged on Article 19(1)(d) (freedom of movement) and Article 21 (personal liberty) grounds. It is the second ground that particularly concerns us.

As a preliminary matter, we may observe that the Regulations in question were administrative – that is, they did not constitute a “law”, passed by the legislature. This automatically ruled out a 19(2) – 19(6) defence, and a 21 “procedure established by law” defence – which were only applicable when the State made a law. The reason for this is obvious: fundamental rights are extremely important. If one is to limit them, then that judgment must be made by a competent legislature, acting through the proper, deliberative channels of lawmaking – and not by mere administrative or executive action. Consequently – and this is quite apart from the question of administrative/executive competence - if the Police Regulations were found to violate Article 19 or Article 21, that made them ipso facto void, without the exceptions kicking in. (Paragraph 5)

It is also important to note one other thing: as a defence, it was expressly argued by the State that the police action was reasonable and in the interests of maintaining public order precisely because it was “directed only against those who were on proper grounds suspected to be of proved anti-social habits and tendencies and on whom it was necessary to impose some restraints for the protection of society.” The Court agreed, observing that this would have “an overwhelming and even decisive weight in establishing that the classification was rational and that the restrictions were reasonable and designed to preserve public order by suitable preventive action” – if there had been a law in the first place, which there wasn’t. Thus, this issue itself was hypothetical, but what is crucial to note is that the State argued – and the Court endorsed – the basic idea that what makes surveillance reasonable under Article 19 is the very fact that it is targeted – targeted at individuals who are specifically suspected of being a threat to society because of a history of criminality.

Let us now move to the merits. The Court upheld secret picketing on the ground that it could not affect the petitioner’s freedom of movement since it was, well secret – and what you don’t know, apparently, cannot hurt you. What the Court found fault with was the intrusion into the petitioner’s dwelling, and knocking at his door late at night to wake him up. The finding required the Court to interpret the meaning of the term “personal liberty” in Article 21. By contrasting the very specific rights listed in Article 21, the Court held that:

“Is then the word “personal liberty” to be construed as excluding from its purview an invasion on the part of the police of the sanctity of a man’s home and an intrusion into his personal security and his right to sleep which is the normal comfort and a dire necessity for human existence even as an animal? It might not be inappropriate to refer here to the words of the preamble to the Constitution that it is designed to “assure the dignity of the individual” and therefore of those cherished human value as the means of ensuring his full development and evolution. We are referring to these objectives of the framers merely to draw attention to the concepts underlying the constitution which would point to such vital words as “personal liberty” having to be construed in a reasonable manner and to be attributed that these which would promote and achieve those objectives and by no means to stretch the meaning of the phrase to square with any preconceived notions or doctrinaire constitutional theories.” (Paragraph 16)

A few important observations need to be made about this paragraph. The first is that it immediately follows the Court’s examination of the American Fifth and Fourteenth Amendments, with their guarantees of “life, liberty and property…” and is, in turn, followed by the Court’s examination of the American Fourth Amendment, which guarantees the protection of a person’s houses, papers, effects etc from unreasonable searches and seizures. The Court’s engagement with the Fourth Amendment is ambiguous. It admits that “our Constitution contains no like guarantee…”, but holds that nonetheless “these extracts [from the 1949 case, Wolf v Colorado] would show that an unauthorised intrusion into a person’s home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man – an ultimate essential of ordered liberty”, thus tying its own holding in some way to the American Fourth Amendment jurisprudence. But here’s the crucial thing: at this point, American Fourth Amendment jurisprudence was propertarian based – that is, the Fourth Amendment was understood to codify – with added protection – the common law of trespass, whereby a man’s property was held sacrosanct, and not open to be trespassed against. Four years later, in 1967, in Katz, the Supreme Court would shift its own jurisprudence, to holding that the Fourth Amendment protected zones where persons had a “reasonable expectation of privacy”, as opposed to simply protecting listed items of property (homes, papers, effects etc). Kharak Singh was handed down before Katz. Yet the quoted paragraph expressly shows that the Court anticipated Katz, and in expressly grounding the Article 21 personal liberty right within the meaning of dignity, utterly rejected the propertarian-tresspass foundations that it might have had. To use a phrase invoked by later Courts – in this proto-privacy case, the Court already set the tone by holding it to attach to persons, not places.

While effectively finding a right to privacy in the Constitution, the Court expressly declined to frame it that way. In examining police action which involved tracking a person’s location, association and movements, the Court upheld it, holding that “the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movements of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

The “therefore” is crucial. Although not expressly, the Court virtually holds, in terms, that tracking location, association and movements does violate privacy, and only finds that constitutional because there is no guaranteed right to privacy within the Constitution. Yet.

In his partly concurring and partly dissenting opinion, Subba Rao J. went one further, by holding that the idea of privacy was, in fact, contained within the meaning of Article 21: “it is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” Privacy he defined as the right to “be free from restrictions or encroachments on his person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures.” On this ground, he held all the surveillance measures unconstitutional.

Justice Subba Rao’s opinion also explored a proto-version of the chilling effect. Placing specific attention upon the word “freely” contained within 19(1)(d)’s guarantee of free movment, Justice Subba Rao went specifically against the majority, and observed:

“The freedom of movement in clause (d) therefore must be a movement in a free country, i.e., in a country where he can do whatever he likes, speak to whomsoever he wants, meet people of his own choice without any apprehension, subject of course to the law of social control. The petitioner under the shadow of surveillance is certainly deprived of this freedom. He can move physically, but he cannot do so freely, for all his activities are watched and noted. The shroud of surveillance cast upon him perforce engender inhibitions in him and he cannot act freely as he would like to do. We would, therefore, hold that the entire Regulation 236 offends also Art. 19(1)(d) of the Constitution.”

This early case, therefore, has all the aspects that plague the CMS today. What to do with administrative action that does not have the sanction of law? What role does targeting play in reasonableness – assuming there is a law? What is the philosophical basis for the implicit right to privacy within the meaning of Article 21’s guarantee of personal liberty? And is the chilling effect a valid constitutional concern?

We shall continue with the development of the jurisprudence in the next post.

You can follow Gautam Bhatia on Twitter

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-the-indian-consitution-part-1

Election panel rejects Google’s proposal for electoral services tie-up

praskrishna — 2014-01-31T08:58:01Z

EC had earlier signed a non-disclosure agreement with Google but had not shared or handed over any data to the Internet giant so far.

The article by Anuja and Moulishree Srivastava was published in Livemint on January 9, 2014. Lawrence Liang is quoted.

The Election Commission (EC) on Thursday rejected a proposal by Internet search engine operator Google Inc. to provide electoral information services to EC ahead of the general election due later this year. Google’s proposal, made earlier this week, was criticized by experts and political parties on the grounds of security.

Google, which deals with Internet-related services and products, had made a presentation at EC where it proposed to deliver voter facilitation services through a tie-up with the Commission.

“Google made a presentation to the Commission for electoral hook up services for citizens to help in efforts of the Commission for better electoral information services. However, after due consideration, the Commission has decided not to pursue the proposal any further,” EC said in a statement.

Its decision came at a meeting of senior EC officials on Thursday, called to discuss the proposal. Security was one of the main issues before it.

“Security and controlling the data were the main points which were considered. By ways of such a tie-up all the data would have been up for access. It was always a question of whether Indian laws would apply to it or not, so we decided against it,” a senior official from EC said.

PTI reported that the meeting was attended by the chief election commissioner V.S. Sampath and election commissioners H.S. Brahma and S. N. A. Zaidi.

The Times of India in a report on Sunday said there were concerns over the EC move to tie up with Google for voter registration.

EC had earlier signed a non-disclosure agreement with Google but it had not shared any data with it. The move was criticised by the ruling Congress party as well as the main opposition Bharatiya Janata Party. The legal cell of the Congress had written to EC raising concerns over national security and asking whether the tie-up would affect the electoral process. The BJP’s complaint was that stakeholders, including political parties, should have been consulted.

Experts say that in the event of such a tie-up, concerns about protection of privacy would have outweighed national security fears.

“The concern is not so much about national security as it is about privacy issues. This kind of database is too important and too powerful to be controlled by a private company. There have been too many instances of this kind of data being skewed and riots happening during the election process. Privately owned databases could lead to potential misuse of the data,” said Lawrence Liang, co-founder of Alternative Law Forum and chairman of the board at the Bangalore-based Centre for Internet and Society.

“It is not a question of how and what service Google could have provided for elections, but how the state can bring itself to provide that kind of service,” he said.

In the US, when George W. Bush was re-elected president in 2004, the company that manufactured the voting machines was accused of rigging the polls, Liang added.

Google called the EC’s rejection “unfortunate”, pointing out that the company has already helped governments with such services in countries like the Philippines, Egypt, Mexico and Kenya.

“It is unfortunate that our discussions with the Election Commission of India to change the way users access their electoral information, that is publicly available, through an online voter look up tool, were not fruitful,” Google said in a statement.

“Google will continue to develop tools and resources to make civic information universally accessible and useful, help drive more informed citizen participation, and open up new avenues for engagement for politicians, citizens, and civic leaders,” it added.

For more details visit https://cis-india.org/news/livemint-january-31-2014-anuja-moulishree-srivastava-election-panel-rejects-google-proposal-for-electoral-services-tie-up

Worldwide: International Privacy - 2013 Year in Review - Asia

praskrishna — 2014-01-31T08:44:20Z

Asian Data Privacy Updates

The article by Gonzalo S. Zeballos, James A. Sherer and Alan M. Pate was published in Mondaq's yearly review on January 8, 2014.

China

China's Personal Information Protection Law Proposal was submitted to the State Council in 2008, which was followed by the Ministry of Industry and Information Technology's non-binding Internet Information Services Market Order Provisions of 2011. However, little direct progress was made until the standing committee of the National People's Congress (NPC) introduced its Decision on Strengthening Internet Information Protection (the Decision) on December 28, 2012. Echoing Directive 95/46/EC in the EU by stipulating that the collection and use of information will be "legitimate, proper, and necessary," the Decision seeks to protect network information security; the lawful interest of citizens, legal persons, and other organizations; and safeguard China's security and social order through its Articles.

he Decision's first Article states that "[n]o organization or individual may steal or obtain in other illegal manners [ ] citizens' individual electronic information, sell or illegally provide citizens' individual electronic information to other persons." Instruction to Internet Service Providers (ISPs) continues, where providers must, among other activities:

Clearly indicate the purposes, methods, and scope of collection and use of citizens' data;
Obtain agreement from citizens before collecting their data;
Publicize rules for the collection and use of personal data;
Preserve the secrecy of collected data;
Not divulge, distort, or damage the data;
Refrain from selling or otherwise illegally providing the data to others; and
Adopt technical measures and other methods to ensure information security and prevent damage to or loss of the data.

Among the provisions of the Decision is Article Six, specifically directed at network service providers, whereby users of the services must "provide real identity information" prior to "website access," "fixed telephone, mobile telephone," "other surfing formalities," or "information publication services." In response to criticism that Article Six would be used to discourage whistleblowers and other Chinese dissention, the government-sponsored Xinhua News Agency argued that the Decision "will help, rather than harm, the country's netizens."

Japan

On May 24, 2013, the LDP-led ruling coalition directed the passage of the "Common Number" Bill through both Diet chambers. The Common Number Bill plans to assign every Japanese resident, including mid-to-long-stay foreigners and special permanent residents, a personal identification number beginning in January 2016. Additionally, a portal site through which people can check their social security records and other information via the Internet is planned for 2017. The numbering system was originally proposed in 2009, but remained quiescent until the LDP-New Komeito ruling coalition mustered sufficient support based, in part, on a philosophical foundation for fair social welfare and tax systems.

To oversee some aspects of the ID system, a third-party independent committee with independent authority will oversee allegations of data mishandling by public officials. Those who leak or illegally commercialize ID information will face up to four years in prison or a ¥2 million fine. While the use of a single number system has raised some concerns, including the potential for "forcible data-matching," the government push for support has focused on efficiencies in administration and easier detection of tax evasion and welfare fraud.

Malaysia

On November 15, 2013, the Personal Data Protection Act (PDPA) of 2010 was entered into force, introducing an omnibus privacy regime in Malaysia for the first time. This new regulation carries a host of requirements, including registration with the Personal Data Protection Department of Malaysia (PDPD) for a number of industries, including (among others) banking and financial institutions. The PDPA also includes the threat of severe consequences for non-compliance, including "fines for companies and/or fines and imprisonment for directors and officers of the company."

Khazaksthan

On November 26, 2013, Kazakhstani Law No. 94-V on Personal Data and its Protection came into force, defining such concepts as "personal data" among others, but left some ambiguity in how data might be transferred and/or stored internationally. It also contained a number of limitations: Law No. 94-V does not extend to the collection of personal data for personal and family needs; the use of information for the Kazakhstani National Archive; the collection, processing, and protection of personal data related to Kazakhstani state secrets; or the use of information related to intelligence, counter-intelligence, and criminal activities, within legal limits.

South Korea

Article 16 of South Korea's Personal Information Protection Act (effective September 30, 2011) was amended on August 6, 2013 to incorporate an affirmative obligation on the part of a personal information processor, requiring notification to data subjects that data subjects may deny consent for the collection of any personal information other than for any purposes under Article 15(1). This continues South Korea's stringent efforts to promote data privacy, and provides another instance of South Korea's articulation of a minimum data collection regime.

Singapore

Singapore's Personal Data Protection Act (PDPA), passed in 2012, went into effect on January 2, 2013, the same day Singapore's Personal Data Protection Commission (PDPC) was established; some portion of PDPA does not come into full effect until July 2, 2014. The PDPC followed-up the implementation of the PDPA with a further guidance note on September 24, 2013 which, among other topics, gave direction to organizations regarding notification requirements for the collection, use, or disclosure of personal data as well as the anonymization of personal data. This guidance outlined the use of 'cookies' for internet user's online activity, distinguishing in part between active consent on one hand, and "the mere failure of an individual to actively manage his browser settings" on the other.

Hong Kong

Revisions to Hong Kong's Personal Data (Privacy) Ordinance – Code of Practice on Consumer Credit Data – took effect on April 1, 2013. These revisions require consent prior to the use of personal data in the context of targeted, direct advertising, and instruct individuals that, while direct marketers must notify individuals of their opt-out right prior to using personal data for the first time, individuals may choose to opt out at any time at no cost to the individual opting out. The Ordinance also provides for the following penalties: if "the transfer of personal data to third parties [is] for gain, the maximum penalty is a fine of HK$1,000,000 and imprisonment for 5 years. For other direct marketing contraventions, the maximum penalty is a fine of HK$500,000 and imprisonment for 3 years."

India

While India currently adheres to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules) enacted in 2011, the Centre for Internet and Society presented a new Privacy (Protection) Bill, 2013 (Bill), on September 30, 2013. The Bill seeks to further refine provisions of the Rules, with a focus on protection of personal data through limitations on use and requirements for notice. The collection of personal data would be prohibited unless "necessary for the achievement of a purpose of the person seeking its collection," and, subject to sections 6 and 7 of the Bill, "no personal data may be collected under this Act prior to the data subject being given notice, in such form and manner as may be prescribed, of the collection." The Bill acknowledges the collection of data with and without consent; the regulation of personal data storage, processing, transfer, and security; and discusses the different types of disclosure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

For more details visit https://cis-india.org/news/mondaq-january-8-2014-gonzalo-s-zeballos-james-a-sherer-alan-m-pate-worldwide-international-privacy-2013-year-in-review-asia

Letter requesting public consultation on position of GoI at WGEC

snehashish — 2014-01-08T18:36:09Z

Snehashish Ghosh on behalf of the Centre for Internet and Society sent a letter to the Ministry of Communication and Information Technology, requesting for a public consultation on India's position at the Working Group on Enhanced Cooperation (WGEC).

January 3, 2014

Shri Kapil Sibal,
Honourable Minister for Communication and Information Technology
Ministry of Communication and Information Technology,
Government of India

Subject: Public consultation at the domestic level on the position of Government of India at WGEC

Dear Sir,

We at the Centre for Internet and Society, Bangalore (“CIS”) commend, Government of India’s participation at the Working Group on Enhanced Cooperation (WGEC), working under the aegis of United Nations Commission on Science and Technology and Development (CSTD). The Working Group was set up in pursuance of General Assembly Resolution A/Res/67/195, to identify a shared understanding of enhanced cooperation on public policy issues pertaining to the internet. The WGEC after its first meeting circulated a questionnaire to collect the views and positions of the stakeholders on various aspects of enhanced cooperation. The Government of India responded to the questionnaire and also represented its position at the second meeting of WGEC held in Geneva from November 6-8, 2013. We would like the Government to take cognizance of representations from concerned stakeholders before finalizing its position.

In this regard, we would like to note, Government of India’s commitment towards multi-stakeholder approach in formulation of public policy pertaining to the internet. At the Internet Governance Forum, 2012 held in Baku, the Honourable Minister for Communications and Information Technology noted that the “issues of public policy related to the internet have to be dealt with, by adopting a multi-stakeholder, democratic and transparent approach”. Furthermore, the Government of India’s stand at the World Conference on International Telecommunications, 2012 in Dubai supported and recognized the multi-stakeholder nature of the internet.

However, it seems that the Government has digressed from its previous stand on internet governance whereas it fell short of having a multi-stakeholder public consultation on India’s position on enhanced cooperation at the WGEC. We earnestly urge you to hold domestic public consultation before the next WGEC meeting.

Thank you.
Sincerely,

Snehashish Ghosh,
Policy Associate,
Centre for Internet and Society, Bangalore

Copied to: Dr. Ajay Kumar, Joint Secretary, DietY, MOCIT and Shri. J. Satyanarayana, Secretary, DietY, MOCIT

Download a copy of the letter here

For more details visit https://cis-india.org/internet-governance/blog/public-consultation-at-domestic-level-on-position-of-goi-at-wgec

Digital Citizens: Why Cyber Security and Online Privacy are Vital to the Success of Democracy and Freedom of Expression

praskrishna — 2014-01-08T04:59:10Z

Michael Oghia will give a presentation which will show why cyber security and online privacy are vital for democracy and freedom of expression.

In the time when Edward Snowden is fighting for both clemency and to be known as a brave whistle blower that exposed government wrongdoing, cyber security and online privacy have never been more important. As Jacob Applebaum discussed in May last year, and CIS’ Maria Xynou presented recently in December, surveillance throughout the world is increasing. With security apparatus’ likethe NSA and now India’s Central Monitoring System, coupled with corporate data centers around the world storing our e–mails, address books, preferences, and passwords, it is easy to see how our online privacy is increasingly being threatened and often, violated.

Indeed, online privacy is inextricably linked to freedom of expression, and freedom of expression is a fundamental civil liberty imperative to democracy. Moreover, online security and privacy are essential to good, transparent, and accountable democratic governance. This is largely because surveillance, censorship, and monitoring ultimately create environments where self-censorship is the norm, as is the fear of the government instead of spaces that allow for freedom of expression and democratic dialogue and dissent.

What I would like to accomplish my speaking at CIS is not to merely educate about the dangers posed to Internet security or to world democracy, but rather to:

Reiterate the importance of digital privacy and cyber security to the success of democracy and the continued protection of free expression.
Encourage citizens, technology specialists, Internet and privacy advocates, and others to see themselves as part of a larger system of democratic governance and civic participation. This means understanding how technical capabilities intersect with civil society, and then use them to advocate for a more open, accessible, and private cyberspace.
Reinforce that digital media literacy education is vital to ensuring a free, open, accessible, and democratic Internet.

Additionally, I want to present ideas and recommendations for what you can do to engage with these problems, and how we can collaborate together to address them.

About the Public Intelligence Project

The Public Intelligence Project is an independent, non-partisan, not-for-profit think tank conducting research, education, and advocacy on the importance of diversity, critical thinking, dialogue, and freedom of expression. We seek to promote more robust systems of participatory democracy, civic engagement, and conflict prevention in order to create a culture of democracy.

Michael Oghia

Michael is responsible for a new project at Meta-Culture called the Public Intelligence Project, which focuses on expanding participatory democracy, civic engagement, and conflict prevention by conducting research, education, and advocacy on the intersections between diversity, dialogue, critical thinking, and freedom of expression. While new to the conflict resolution field, as a poet, musician, editor, writer, blogger, and activist, he is well-versed in the importance of freedom of expression and participating in the democratic process. He was born in Kentucky to Lebanese-Syrian parents, and after graduating with a BS in sociology from the University of Louisville, he moved to Lebanon to pursue an MA in sociology from the American University of Beirut. There, he had the opportunity to witness the Arab Revolutions first-hand while research about topics such as Internet ownership in the Middle East, social movements, Arab media, globalization, Arab youth and family, and his thesis subject, romantic love in the Arab world. Michael enjoys engaging Twitter conversations, and has an unnatural affinity for crunchy peanut butter.

Date: Tuesday, January 14, 2014
Time: 6.30 p.m. to 8.00 p.m.
Talk by: Michael Oghia
Title: Research & Advocacy Consultant, and Project Manager
Organisation: Meta-Culture / Public Intelligence Project
Websites: www.meta-culture.in <http://www.meta-culture.in> & www.publicintelligenceproject.org <http://www.publicintelligenceproject.org>

For more details visit https://cis-india.org/events/why-cyber-security-and-online-privacy-are-vital-for-success-of-democracy-and-freedom-of-expression

Despite apex court order, IOC proceeds with Aadhaar-linked DBT

praskrishna — 2014-01-31T06:50:33Z

Once DBT starts, there is no other method to avail of subsidy: IOC official.

The article by Deepa Kurup was published in the Hindu on January 6, 2014. Sunil Abraham is quoted.

Despite an interim order by the Supreme Court disallowing the government from making the Aadhaar number mandatory for accessing State subsidies and benefits, Indian Oil Corporation (IOC) Ltd. continues to inform consumers that they will not get their LPG subsidy if they do not seed their Aadhaar-linked bank accounts to the IOC database.

SMSes and publicity material released by IOC in the past week indicate that the company is going ahead with the Union government’s deadlines for the Direct Benefit Transfer scheme for LPG. While the deadline for Udupi and Dharwad districts has been extended till January-end, the “grace period” for Bangalore Urban will expire on March 1.

Over the past week, LPG consumers have been receiving frequent SMSes requesting them to submit their Aadhaar number to their LPG distributor and their bank, with “no further delay”. Though the SMS does not state whether or not this is mandatory, frequent messages have been instilling a sense of urgency and panic among consumers. Further, several consumers told The Hindu that, upon enquiry, distributors had been telling them that they would have to forego their subsidy amount (for nine cylinders a year) if they failed to register their details with the IOC database. Once the DBT scheme is enforced, the IOC will migrate customers entirely to the new system — that is, consumers will have to pay the market price, and the subsidy amount will be credited to their bank accounts.

‘No other method’

Senior IOC officials said that while the oil manufacturing company was desisting from making statements on whether or not this was mandatory, in effect those whose details would not be seeded to the database would not be able to avail of the benefit. “Basically, once the DBT scheme starts there is no other method to receive or avail of the subsidy. As of now, there is no alternative method,” said R.K. Arora, executive director, Karnataka State office. He pointed out that in rural areas several other subsidies were already linked to Aadhaar, and the DBT scheme was at 100 per cent in Tumkur and Mysore districts.

As of January 1, an IOC official said, only 30 per cent of LPG consumers in the Bangalore Circle had ‘seeded’ their accounts to the IOC database, while in Udupi and Dharwad it was roughly around 50 per cent.

“We are not claiming it’s mandatory, and currently all companies have submitted an affidavit seeking the order be reconsidered. Meanwhile, we have just asked people to submit the details to the distributor as soon as they can,” the official said. He added that IOC was likely to keep extending the deadline to “be on the safe side”.

Meanwhile, there is confusion among consumers on the issue. Krishnan Pillai, a resident of R.T. Nagar here, said Aadhaar numbers were being delayed, and there was huge anxiety among people. “Last week, I saw an advertisement that implied that I will lose subsidy if I don’t submit my number. Is the Supreme Court verdict not applicable?” he said. Sumitra Gupta, a charted accountant from Majestic, said distributors were telling them to “ignore news report on the Supreme Court verdict”.

“This is arm twisting,” she said.

‘So-called voluntary’

Sunil Abraham of the Centre for Internet and Society, a Bangalore-based NGO that has been part of the anti-Aadhaar campaign, said IOC was “pushing the boundary”. “From the very beginning, people have been objecting to the so-called voluntary nature of the scheme. It’s unfortunate that the will of the Supreme Court in its interim order on such as a critical component of our citizenship is also being ignored,” he said.

For more details visit https://cis-india.org/news/hindu-january-6-2014-deepa-kurup-despite-apex-court-order-ioc-proceeds-with-aadhar-linked-dbt

Big Brother is watching you

chinmayi — 2014-01-06T09:31:22Z

India has no requirements of transparency whether in the form of disclosing the quantum of interception or in the form of notification to people whose communication was intercepted.

The article by Chinmayi Arun was published in the Hindu on January 3, 2014.

The Gujarat telephone tapping controversy is just one of many kinds of abuse that surveillance systems enable. If a relatively primitive surveillance system can be misused so flagrantly despite safeguards that the government claims are adequate, imagine what is to come with the Central Monitoring System (CMS) and Netra in place.

News reports indicate Netra — a “NEtwork TRaffic Analysis system” — will intercept and examine communication over the Internet for keywords like “attack,” “bomb,” “blast” or “kill.” While phone tapping and the CMS monitor specific targets, Netra is vast and indiscriminate. It appears to be the Indian government’s first attempt at mass surveillance rather than surveillance of predetermined targets. It will scan tweets, status updates, emails, chat transcripts and even voice traffic over the Internet (including from platforms like Skype and Google Talk) in addition to scanning blogs and more public parts of the Internet. Whistle-blower Edward Snowden said of mass-surveillance dragnets that “they were never about terrorism: they’re about economic spying, social control, and diplomatic manipulation. They’re about power.”

So far, our jurisprudence has dealt with only targeted surveillance; and even that in a woefully inadequate manner. This article discusses the slow evolution of the right to privacy in India, highlighting the context and manner in which it is protected. It then discusses international jurisprudence to demonstrate how the right to privacy might be protected more effectively.

Privacy and the Constitution

A proposal to include the right to privacy in the Constitution was rejected by the Constituent Assembly with very little debate. Separately, a proposal to give citizens an explicit fundamental right against unreasonable governmental search and seizure was also put before the Constituent Assembly. This proposal was supported by Dr. B.R. Ambedkar. If accepted, it would have included within our Constitution the principles from which the United States derives its protection against state surveillance. However, the proposed amendment was rejected by the Constituent Assembly.

Fortunately, the Supreme Court has gradually been reading the right to privacy into the fundamental rights explicitly listed in the Constitution. After its initial reluctance to affirm the right to privacy in the 1954 case of M.P. Sharma vs. Satish Chandra, the court came around to the view that other rights and liberties guaranteed in the Constitution would be seriously affected if the right to privacy was not protected. In Kharak Singh vs. The State of U.P., the court recognised “the right of the people to be secure in their persons, houses, papers, and effects” and declared that their right against unreasonable searches and seizures was not to be violated. The right to privacy here was conceived around the home, and unauthorised intrusions into homes were seen as interference with the right to personal liberty.

If the Kharak Singh judgment was progressive in its recognition of the right to privacy, it was conservative about the circumstances in which the right applies. The majority of judges held that shadowing a person could not be seen to interfere with that person’s liberty. Dissenting with the majority, Justice Subba Rao maintained that broad surveillance powers put innocent citizens at risk, and that the right to privacy is an integral part of personal liberty. He recognised that when a person is shadowed, her movements will be constricted, and will certainly not be free movements. His dissenting judgment showed remarkable foresight and his reasoning is consistent with what is now a universally acknowledged principle that there is a “chilling effect” on expression and action when people think that they are being watched.

The right to privacy as defined by the Supreme Court now extends beyond government intrusion into private homes. After Govind vs. State of M.P., and Dist. Registrar and Collector of Hyderabad vs. Canara Bank, this right is seen to protect persons and not places. Any inroads into this right for surveillance of communication must be for permissible reasons and according to just, fair and reasonable procedure. State action in violation of this procedure is open to a constitutional challenge.

Our meagre procedural safeguards against phone tapping were introduced in PUCL vs. Union of India (1997) after the Supreme Court was confronted with extensive, undocumented phone tapping by the government. The apex court found itself compelled to lay down what it saw as bare minimum safeguards, consisting mostly of proper record-keeping and internal executive oversight by senior officers such as the home secretary, the cabinet secretary, the law secretary and the telecommunications secretary. These safeguards are of little use since they are opaque and rely solely on members of the executive to review surveillance requests.

Right and safeguards

There is a difference between targeted surveillance in which reasons have to be given for surveillance of particular people, and the mass-surveillance which Netra sets up. The question of mass surveillance and its attendant safeguards has been considered by the European Court of Human Rights in Liberty and Others vs. the United Kingdom. Drawing upon its own past jurisprudence, the European Court insisted on reasonable procedural safeguards. It stated quite clearly that there are significant risks of arbitrariness when executive power is exercised in secret and that the law should be sufficiently clear to give citizens an adequate indication of the circumstances in which interception might take place. Additionally, the extent of discretion conferred and the manner of its exercise must be clear enough to protect individuals from arbitrary interference. The principles laid down by the European Court in relation to phone-tapping also require that the nature of the offences which may give rise to an interception order, the procedure to be followed for examining, using and storing the data obtained, the precautions to be taken when communicating the data to other parties, and the circumstances in which recordings may or must be erased or the tapes destroyed be made clear.

Opaque and ineffective

Our safeguards apply only to targeted surveillance, and require written requests to be provided and reviewed before telephone tapping or Internet interception is carried out. CMS makes the process of tapping more prone to misuse by the state, by making it even more opaque: if the state can intercept communication directly, without making requests to a private telecommunication service provider, then it is one less layer of scrutiny through which the abuse of power can reach the public. There is no one to ask whether the requisite paperwork is in place or to notice a dramatic increase in interception requests.

India has no requirements of transparency whether in the form of disclosing the quantum of interception taking place each year, or in the form of subsequent notification to people whose communication was intercepted. It does not even have external oversight in the form of an independent regulatory body or the judiciary to ensure that no abuse of surveillance systems takes place. Given these structural flaws, the Amit Shah controversy is just the beginning of what is to come. Unfettered mass surveillance does not bode well for democracy.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-january-3-2014-chinmayi-arun-big-brother-is-watching-you

Biometrics or Bust? Implications of the UID for Participation and Inclusion

praskrishna — 2014-01-06T08:56:51Z

Malavika Jayaram will give a talk on biometrics and the implications of UID for participation and inclusion at the office of the Centre for Internet and Society in Bangalore on January 10, 2014 at 6.00 p.m.

Abstract

Privacy is often portrayed as a luxury, as the intellectual preoccupation of nerdy privileged liberals, and an issue of salience only to the elite. This ignores the reality of the most marginalized sections of a society being disproportionately impacted by privacy intrusive technologies. The collusion of public and private agendas towards implementing large welfare projects is generally seen as progressive and neutral, yet the consequences of even well-intentioned efforts that trade privacy for convenience, welfare, security or a host of other compelling goals is troubling. The use of biometric technologies further complicates matters: the assumption that bodies can be rendered into infallible verifiers, as repositories of unchanging truth, is not without its catalogue of failures. This talk will examine the notion of biometric representations as a kind of capital, the possibility that failures are endemic to their functioning, and the implications of systemic errors on equality, participation and democracy.

Malavika Jayaram

Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard University, focusing on privacy, identity and free expression. She is also a Fellow at the Centre for Internet and Society, Bangalore, and the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series.  Malavika is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India’s leading lawyers and one of only 8 women to be featured in the “40 under 45” survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. During 2012-2013, she was a Visiting Scholar at the Annenberg School for Communication, University of Pennsylvania. She is working on completing her PhD at the National Law School.

For more details visit https://cis-india.org/events/biometrics-or-bust-implications-of-uid-for-participation-and-inclusion

Seminar on "Hate Speech and Social Media"

praskrishna — 2014-02-13T06:22:41Z

NALSAR University of Law, in collaboration with the British Deputy High Commission organized a seminar on Hate Speech and Social Media in Hyderabad on January 4 and 5, 2014. Chinmayi Arun was one of the speakers at the seminar.

Richa Kaul Padte was a keynote speaker on the panel on ‘Marginalised Communities and the Experience of Social Media’, while Anja Kovacs was the keynote speaker on the panel on ‘Internet - A Democratic Space?’.

This seminar focused on emerging debates on free speech, marginalisation and radicalisation in the context of the internet. Long hailed as a great democratiser, the internet has been instrumental in granting a voice to millions of people, and yet, in permitting anonymity it raises important questions of liability and responsibility. Over the course of two days, the seminar explored issues through conversations between people who have worked on various aspects of this issue, including leading jurists, lawyers, bloggers and activists who have embraced new technologies. Some of the prominent speakers at the seminar included Hon’ble Justice Madan B Lokur, Hon’ble Dr. Justice S Muralidhar, Teesta Setalvad, Geeta Seshu, Chinmayi Arun, Anja Kovacs and Apar Gupta.

Click to read the details posted on Internet Democracy Project website.

For more details visit https://cis-india.org/news/nalsar-seminar-hate-speech-social-media

Rise of the bot: all you need to know about the latest threat online

praskrishna — 2014-01-31T07:16:36Z

In the last week of December, 2013, former union railway minister Pawan Kumar Bansal lodged a police complaint in Chandigarh after witnessing “an unusual rise in his online fan following”. The former minister told the police that his Facebook page had received more than 10,000 likes, within a span of 24 hours. While his allegation that the ‘likes’ were “fabricated” may be true, information technology experts believe a bot was at work.

The article by Danish Raza was published in the Hindustan Times on January 5, 2014. Snehashish Ghosh is quoted.

A bot is a software that mimics human behaviour on the Internet. Bots can be used to create artificial accounts on social media, provide numerous likes on a particular page, send tweets or visit various websites. All this is done without any human involvement.

Bots already constitute a significant percentage of Non Human Traffic (NHT) online, which has, according to some estimates, eclipsed human traffic. Comscore, a US-based Internet technology company noted on its blog that NHT, also known as Artificial Traffic, increased from approximately 6% of the total web traffic in 2011, to 36% in 2012. Last month, a report from Incapsula, a cloud-based security service, which aids the security and performance of websites, stated that more than 60% of web traffic was non-human in 2013. The figure was based on data collected from the 20,000 sites on Incapsula’s network .

Other than bots, NHT on the web includes traffic generated by Internet routers and back end services used by websites to communicate with third parties.

India is not immune to the problem. According to the Symantec Internet Security Threat Report for 2012, there was a 280% increase in bot infections in India between 2011 and 2012. 17% of bot-infected computers, the highest in the world, are in India and 15% of global bot-net spam is generated here. The report also states that 69 Indian cities are prone to bot infections which includes Bhubaneswar, Surat, Cochin, Jaipur, Visakhapatnam, Indore, Kota, Ghaziabad and Mysore.

Bot spotting
How do you spot a bot? When a bot or its friend is at work, the browser directs you to sites other than the ones you intend to visit, you get full-page pop ups and pop unders, and when you quit the browser, it gets relaunched after a few minutes. Chances are your computer is part of a chain of online events which create NHT on the web, the purpose of which may be to attack a site or a server.

Why you should be wary
Malicious traffic, malware, hacking attempts, viruses slow down the Internet and delay legitimate traffic and services. Used to target systems or take down websites, NHT generates fake clicks on advertisements to increase website statistics.

One of the perils of ignoring artificial web traffic is that it gets counted for real impressions for which clients end up paying. For example, a website owner may hire the services of a digital marketing firm to publicise the site. In the guise of increasing page views, the marketing firm can produce a bill for fake impressions, supplementing actual human traffic to the page with bot usage.

“Unless there is a curb on this practice of malicious NHT, one stands at risk of being duped by marketers, agencies and even clients,” said Chiragh Cherian, director, online PR at Perfect Relations, a brand management firm. Recent studies have estimated bot traffic to be between 4 - 31% of total web traffic in the US, which translates to between $650 million and $4.7 billion in wasted marketing spend. According to Miaozhen Systems, a leading Chinese advertising technology company, NHT caused advertisers in China to lose approximately US$ 1.6 billion between July 2012 and June 2013.

How to combat Non-Human Traffic
Most servers have defence mechanisms to tackle spam and cyber attacks. Websites are also now developing mechanisms such as asking for human authentication which is difficult for a bot to execute. “But even personal computers should be equipped with strong Internet security applications such as anti-virus and anti-spyware to prevent hacking and phishing attempts and to prevent being used as slave machines for distributed cyber attacks,” said Chintu Cherian Abraham, a digital media professional. Figures show that we need to watch out where and how we go online. According to Norton Report, 2013, 61% Indians access their social network accounts from unsecured wi-fi connections, while 42% access bank accounts and 44% shop online using unsecured wi-fi connections.

Social media companies are gradually devising mechanisms to filter bots. “When a page and a fan connect on Facebook, we want to ensure that connection involves a real person interested in hearing from a specific page and engaging with that brand’s content. As such, we have recently increased our automated efforts to remove Likes on Pages that may have been gained by means that violate our terms,” mentions Facebook’s site integrity policy.

Agency-client intervention is necessary to ensure that artificial traffic is not presented as real. “It’s also important to make all agencies, advertisers and clients aware of their responsibility to keep the Internet free from malicious NHT,” said Chiragh Cherian.

Government involvement is also needed to control the problem of malicious bots. “A lot needs to be done from the government’s side to tackle bots which can be used to target the country’s critical infrastructure such as banking websites,” said Jiten Jain, a cyber security analyst, adding, “Last year, I highlighted the flaws in HDFC’s net banking website which have been rectified now. They could have been exploited to block the net-banking service.”

Until we have a robust mechanism to filter out bogus traffic from real, it will be difficult to say whether the social media followers of Bansal and other public figures are human or not.

Know your Bots
Not all bots are used with a negative intent. Some help in research and monitoring.

The Malicious
Bots can be effectively used to impersonate and to hack accounts leading to financial losses and intellectual property theft. “Theft of personal details, username and password to operate one’s bank account is a classic example of how bots can lead to financial losses. It is an organised cyber crime,” explained Commander (Retd) Mukesh Saini, former national information security coordinator, Government of India. In May 2013, cyber criminals broke into the Mumbai-based account of the RPG group and siphoned off `2.4 crore. Three people were arrested in the case.

“The rate at which NHT is increasing is alarming,” says Tinu Cherian Abraham. “Any computer connected to the Internet is vulnerable to such attacks. The user will not get to know about it unless he or she has installed an Internet security application.”

Besides bots, computers also generate other kinds of secondary activities, while the user is surfing the Internet. This activity remains in the background and is never seen by the user, unlike the bot-generated pop ups, observes Comscore. For example, your computer might be being used as a channel to reach a server with the intention of hacking it. And you will never know.

The Good
Not all NHT is bad, though. In fact, good bots such as scrapers can be effectively used to conduct research. “Wikipedia can be scraped to investigate the frequency of edits on a Wikipedia page and track the increase in the number of editors,” explained Snehashish Ghosh, policy associate at the Bangalore-based Centre for Internet & Society.

Good bots are also used by search engines to track content on websites and enhance their search results. Search bots and other good bots formed 31% of total bots, the Incapsula report noted.

The Social
Apart from malicious and good bots, there are social media bots too. “Extensive analysis is done on social media traffic for monitoring, business lead generation, as well as reputation management. This has amounted to a lot of automated or non-human traffic,” said Abraham.

According to Facebook’s filings published in a Forbes report in February 2012, around 83 million of its users are bogus. “It’s a violation of our policies to use a fake name or operate under a false identity, and we encourage people to report any user they suspect of doing this, either through the report links we provide on the site or through the contact forms in our help centre,” a Facebook spokesperson told HT.

Twitter bots have also made its presence felt on the platform. “Twitter has witnessed very interesting bots which have found appreciation from the community for being funny and creative. The microblogging site cracked down on some harmful bots, but still some of the advanced level bots slip through the net,” said Ghosh.

In August 2012, London-based firm Digital Evaluators, which evaluates social media presence of worldwide companies, released an analysis of Twitter followers of the US Presidential Election candidates Barack Obama and Mitt Romney. 21.9% of Barack Obama’s 17.82 million Twitter followers were found to be bogus.

The Big Brother
Ghosh said that the increase in NHT related to the Internet of things, the concept which enables communication between two or more devices, results in privacy issues. “Take a situation where your mobile device is constantly tracking your location for the purpose of switching on the air conditioner at your home before you reach. Such applications produce huge amounts of personal data and there is no clarity whether this data is being stored,” he said.

“As the new networks link data from products, company assets, or the operating environment, they will generate better information and analysis, which can enhance decision making significantly. Some organisations are starting to deploy these applications in targeted areas, while more radical and demanding uses are still in the conceptual or experimental stages,” noted a McKinsey & Company report on Internet of things.

For more details visit https://cis-india.org/news/hindustan-times-january-5-2014-danish-raza-rise-of-the-bot