We are anonymous, we are legion

Three Years Later, IPaidABribe.com Pays Off

praskrishna — 2013-09-25T06:05:05Z

After reporting a bribe on IPaidABribe.com, one Bangalore student has had the satisfaction of seeing action taken against a corrupt public official.

This article by Jessica McKenzie was published in TechPresident on September 23, 2013. Sunil Abraham is quoted.

The student, Shubham Kahndelwal, was asked to give a bribe before getting a receipt for registering for an identity card called the AADHAAR card. He at first refused, but then gave in. In response, the official gave him a receipt for his father's registration (which he had submitted along with his own) but not his. He told I Paid A Bribe that he “never knew a simple complaint could make such a difference.”

Kahndelwal elaborated:

I was in Chennai when the incident happened and after that I was furious and was searching all over to look for a complaint mechanism, when I stumbled upon IPaidaBribe.com. It is a great day and event for me and for me to share with my friends.

IPaidABribe.com was launched in August 2010 by the Bangalore-based nonprofit Janaagraha, which focuses on civic engagement and improving governance.

When first launched, there were concerns over privacy issues and protecting the users who submit complaints. On the other hand, in an interview this May with techPresident's David Eaves, Sunil Abraham, the founder of the Center for Internet & Society, pointed out that in order to make a difference, I Paid A Bribe would somehow have to close the loop.

Abraham went on:

some of the things that go on with anonymous reporting cannot happen, and to close the loop it almost needs to become a paralegal infrastructure. It has to talk to law enforcement and people have to be arrested, prosecuted and put away.

That is apparently what happened in this case. The official in question has been blacklisted and had disciplinary action taken against him.

To put the success in perspective, however, the bribe requested was Rs 2000 (US$31.95) and the bribe ultimately given was only Rs 350 (US$5.59).

Abraham also pointed out to Eaves that the real problem in India is “high ticket bribes...at the top of the pyramid.”

So while complaints from people like Kahndelwal are what keep the feeds at IPaidABribe.com constantly refreshing, they're mere drops in the bucket when compared to the millions of dollars moving in scandals like the 2G spectrum scam.

Personal Democracy Media is grateful to the Omidyar Network and the UN Foundation for their generous support of techPresident's WeGov section.

For more details visit https://cis-india.org/news/tech-president-september-23-2013-jessica-mckenzie

Public Law and Jurisprudential Issues of Privacy: A Talk at CIS

praskrishna — 2013-12-30T12:39:23Z

On Friday, September 27, 2013, Abhayraj Naik will give a talk on public law and jurisprudential issues related to privacy. CIS will host the talk at its office in Bangalore from 4.30 p.m. to 6.00 p.m.

Abhayraj Naik

Abhayraj Naik is a graduate of the National Law School of India University, Bangalore, and the Yale Law School. He previously taught public law at the Jindal Global Law School of the OP Jindal Global University where he also co-directed the Centre for Public Law & Jurisprudence from September 2009 to July 2012.

Abhay is actively associated with the Environment Support Group, Bangalore (http://www.esgindia.org), and has also been associated with the Meiklejohn Civil Liberties Institute, Berkeley, USA; Universities Allied for Essential Medicines, USA; Culture Move, Bangalore and other national and international advocacy, activism and research groups for several years now.

Abhay's research interests include legal theory, philosophy, criminal justice reform, urban governance, ecology, and technology policy. His current research projects include interdisciplinary studies of urban street vending, information privacy, fiduciary duties, forgiveness, biopiracy, and criminal justice reform.

He enjoys cycling, travel, poetry, music, and radical educational and ecological activism.

Abhay currently teaches at the Azim Premji University in Bangalore.

VIDEO

For more details visit https://cis-india.org/internet-governance/events/public-law-and-jurisprudential-issues-of-privacy-talk-at-cis

Bangalore + Social Good

praskrishna — 2013-09-25T07:43:58Z

In conjunction with The Social Good Summit held in New York City on September 22 - 24, Ashoka India, IDEX + Green Lungi are partnering to host the Bangalore + Sustainability event! The Social Good Summit aims to explore creative ways that technology can be leveraged for positive social change. Green Lungi in collaboration with IDEX and Ashoka is holding the event at CIS, Bangalore on September 21.

Sharath Chandra Ram, a researcher at CIS is one of the panelists. A brief abstract of his talk is given below:

"Are digital networked technologies adopted or used in the same way globally across all communities? Were social networks and apps across Twitter or Facebook really that pivotal in the mass citizen uprisings of the recent past? In this session, we shall see how it is essential to consider cultural specificities while designing technological interventions. Furthermore, I shall discuss how an effective strategy for citizen activism is not that which relies solely on virtual networks, but one that bridges networks, across different mediums, to engage offline citizens as much as the online. There will be a few live demonstrations of solutions we developed at the Centre for Internet and Society which embrace openness in pervasive technologies that enable us to bridge this crucial trans-medial interface."

The Bangalore + Sustainability event will focus on devising creative applications of technologies to confront sustainability challenges. We believe that young people have the power to affect change, and its time that we provide them with more opportunities to solve the challenges they see around them. This event is a first step in the direction of developing these problem-solving skills in our young people. Through an innovative Make-a-thon format, participants will engage in developing creative tech-based solutions to everyday challenges like road safety, waste management, water management, improving green cover and safer spaces for women.

Event Format and Details

1:45 - 2:00 -- Registration + Welcome

2:00 - 2:45 -- Panel Discussion + Q&A

Panelists will give a brief talk (5 - 7 minutes), posing questions for participants to consider around the intersection of technology + behavioral change + sustainability + youth engagement. A panelist from each of these sectors will set the context for the Jam to follow:

Sustainability
Communications/Design
Technology
Young Changemakers

Click to download the event brochure for details on the panelists/speakers

For more details visit https://cis-india.org/internet-governance/events/bangalore-social-good

The Central Monitoring System: Some Questions to be Raised in Parliament

bhairav — 2013-09-25T10:30:10Z

The following are some model questions to be raised in the Parliament regarding the lack of transparency in the central monitoring system.

Preliminary

The Central Monitoring System (CMS) is a Central Government project to intercept communications, both voice and data, that is transmitted via telephones and the internet to, from and within India. Owing to the vast nature of this enterprise, the CMS cannot be succinctly described and the many issues surrounding this project are diverse. This Issue Brief will outline preliminary constitutional, legal and technical concerns that are presented by the CMS.
At the outset, it must be clearly understood that no public documentation exists to explain the scope, functions and technical architecture of the CMS. This lack of transparency is the single-largest obstacle to understanding the Central Government’s motives in conceptualising and operationalizing the CMS. This lack of public documentation is also the chief reason for the brevity of this Issue Note. Without making public the policy, law and technical abilities of the CMS, there cannot be an informed national debate on the primary concerns posed by the CMS, i.e the extent of envisaged state surveillance upon Indian citizens and the safeguards, if any, to protect the individual right to privacy.

Surveillance and Privacy

Surveillance is necessary to secure political organisation. Modern nation-states, which are theoretically organised on the basis of shared national and societal characteristics, require surveillance to detect threats to these characteristics. In democratic societies, beyond the immediate requirements of national integrity and security, surveillance must be targeted at securing the safety and rights of individual citizens. This Issue Brief does not dispute the fact that democratic countries, such as India, should conduct surveillance to secure legitimate ends. Concerns, however, arise when surveillance is conducted in a manner unrestricted and unregulated by law; these concerns are compounded when a lack of law is accompanied by a lack of transparency.
Technological advancement leads to more intrusive surveillance. The evolution of surveillance in the United States resulted, in 1967, in the first judicial recognition of the right to privacy. In Katz v. United States the US Supreme Court ruled that the privacy of communications had to be balanced with the need to conduct surveillance; and, therefore, wiretaps had to be warranted, judicially sanctioned and supported by probable cause. Katz expanded the scope of the Fourth Amendment of the US Constitution, which protected against unreasonable searches and seizures. Most subsequent US legal developments relating to the privacy of communications from surveillance originate in the Katz judgement. Other common law countries, such as the United Kingdom and Canada, have experienced similar judicial evolution to recognise that the right to privacy must be balanced with governance.

Right to Privacy in India

Unfortunately, India does not have a persuasive jurisprudence of privacy protection. In the Kharak Singh (1964) and Gobind (1975) cases, the Supreme Court of India considered the question of privacy from physical surveillance by the police in and around the homes of suspects. In the latter case, the Supreme Court found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This insipid inference held the field until 1994 when, in the Rajagopal (“Auto Shankar”, 1994) case, the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty recognised by Article 21 of the Constitution. However, Rajagopal dealt specifically with the publication of an autobiography, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case. While finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards which continue to be routinely ignored. A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011) that de-criminalised consensual homosexual acts; however, this judgment has been appealed to the Supreme Court.

Issues Pertaining to the CMS

While judicial protection from physical surveillance was cursorily dealt with in the Kharak Singh and Gobind cases, the Supreme Court of India directly considered the issue of wiretaps in the PUCL case. Wiretaps in India primarily occur on the strength of powers granted to certain authorities under section 5(2) of the Indian Telegraph Act, 1885. The Court found that the Telegraph Act, and Rules made thereunder, did not prescribe adequate procedural safeguards to create a “just and fair” mechanism to conduct wiretaps. Therefore, it laid down the following procedure to conduct wiretaps:

(a) the order should be issued by the relevant Home Secretary (this power is delegable to a Joint Secretary),
(b) the interception must be carried out exactly in terms of the order and not in excess of it,
(c) a determination of whether the information could be reasonably secured by other means,
(d) the interception shall cease after sixty (60) days.

Therefore, prima facie, any voice interception conducted through the CMS will be in violation of this Supreme Court judgement. The CMS will enforce blanket surveillance upon the entire country without regard for reasonable cause or necessity. This movement away from targeted surveillance to blanket surveillance without cause, conducted without statutory sanction and without transparency, is worrying.
Accordingly, the following questions may be raised, in Parliament, to learn more about the CMS project:

Which statutes, Government Orders, notifications etc deal with the establishment and maintenance of the CMS?
Which is the nodal agency in charge of implementing the CMS?
What are the powers and functions of the nodal agency?
What guarantees exist to protect ordinary Indian citizens from intrusive surveillance without cause?
What are the technical parameters of the CMS?
What are the consequences for misuse or abuse of powers by any person working in the CMS project?
What recourse is available to Indian citizens against whom there is unnecessary surveillance or against whom there has been a misuse or abuse of power?

For more details visit https://cis-india.org/internet-governance/blog/central-monitoring-system-questions-to-be-asked-in-parliament

The National Privacy Roundtable Meetings

bhairav — 2014-03-21T10:03:44Z

The Centre for Internet & Society ("CIS"), the Federation of Indian Chambers of Commerce and Industry ("FICCI"), the Data Security Council of India ("DSCI") and Privacy International are, in partnership, conducting a series of national privacy roundtable meetings across India from April to October 2013. The roundtable meetings are designed to discuss possible frameworks to privacy in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Background: The Roundtable Meetings and Organisers

CIS is a Bangalore-based non-profit think-tank and research organisation with interests in, amongst other fields, the law, policy and practice of free speech and privacy in India. FICCI is a non-governmental, non-profit association of approximately 250,000 Indian bodies corporate. It is the oldest and largest organisation of businesses in India and represents a national corporate consensus on policy issues. DSCI is an initiative of the National Association of Software and Service Companies, a non-profit trade association of Indian information technology ("IT") and business process outsourcing ("BPO") concerns, which promotes data protection in India. Privacy International is a London-based non-profit organisation that defends and promotes the right to privacy across the world.

Privacy in the Common Law and in India

Because privacy is a multi-faceted concept, it has rarely been singly regulated. A taxonomy of privacy yields many types of individual and social activity to be differently regulated based on the degree of harm that may be caused by intrusions into these activities.[1]

The nature of the activity is significant; activities that are implicated by the state are attended by public law concerns and those conducted by private persons inter se demand market-based regulation. Hence, because the principles underlying warranted police surveillance differ from those prompting consensual collections of personal data for commercial purposes, legal governance of these different fields must proceed differently. For this and other reasons, the legal conception of privacy — as opposed to its cultural construction – has historically been diverse and disparate.

Traditionally, specific legislations have dealt separately with individual aspects of privacy in tort law, constitutional law, criminal procedure and commercial data protection, amongst other fields. The common law does not admit an enforceable right to privacy.[2] In the absence of a specific tort of privacy, various equitable remedies, administrative laws and lesser torts have been relied upon to protect the privacy of claimants.[3]

The question of whether privacy is a constitutional right has been the subject of limited judicial debate in India. The early cases of Kharak Singh (1964)[4] and Gobind (1975)[5] considered privacy in terms of physical surveillance by the police in and around the homes of suspects and, in the latter case, the Supreme Court of India found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This inference held the field until 1994 when, in the Rajagopal case (1994),[6] the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty guaranteed by Article 21 of the Constitution of India. However, Rajagopal dealt specifically with a book, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case (1996)[7] and, while finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards.[8] A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011)[9] that de-criminalised consensual homosexual acts; however, this judgment is now in appeal.

Attempts to Create a Statutory Regime

The silence of the common law leaves the field of privacy in India open to occupation by statute. With the recent and rapid growth of the Indian IT and BPO industry, concerns regarding the protection of personal data to secure privacy have arisen. In May 2010, the European Union ("EU") commissioned an assessment of the adequacy of Indian data protection laws to evaluate the continued flow of personal data of European data subjects into India for processing. That assessment made adverse findings on the adequacy and preparedness of Indian data protection laws to safeguard personal data.[10]

Conducted amidst negotiations for a free trade agreement between India and the EU, the failed assessment potentially impeded the growth of India’s outsourcing industry that is heavily reliant on European and North American business.

Consequently, the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology, Government of India, issued subordinate legislation under the rule-making power of the Information Technology Act, 2000 ("IT Act"), to give effect to section 43A of that statute. These rules – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Personal Data Rules")[11] — were subsequently reviewed by the Committee on Subordinate Legislation of the 15^th Lok Sabha.[12] The Committee found that the Personal Data Rules contained clauses that were ambiguous, invasive of privacy and potentially illegal.[13]

In 2011, a draft privacy legislation called the ‘Right to Privacy Bill, 2011’, which was drafted within the Department of Personnel and Training ("DoPT") of the Ministry of Personnel, Public Grievances and Pensions, Government of India, was made available on the internet along with several file notings ("First DoPT Bill"). The First DoPT Bill contained provisions for the regulation of personal data, interception of communications, visual surveillance and direct marketing. The First DoPT Bill was referred to a Committee of Secretaries chaired by the Cabinet Secretary which, on 27 May 2011, recommended several changes including re-drafts of the chapters relating to interception of communications and surveillance.

Aware of the need for personal data protection laws to enable economic growth, the Planning Commission constituted a Group of Experts under the chairmanship of Justice Ajit P. Shah, a retired Chief Justice of the Delhi High Court who delivered the judgment in the Naz Foundation case, to study foreign privacy laws, analyse existing Indian legal provisions and make specific proposals for incorporation into future Indian law. The Justice Shah Group of Experts submitted its Report to the Planning Commission on 16 October 2012 wherein it proposed the adoption of nine National Privacy Principles.[14] These are the principles of notice, choice and consent, collection limitation, purpose limitation, disclosure of information, security, openness, and accountability. The Report recommended the application of these principles in laws relating to interception of communications, video and audio recordings, use of personal identifiers, bodily and genetic material, and personal data.

Criminal Procedure and Special Laws Relating to Privacy

While the Kharak Singh and Gobind cases first brought the questions of permissibility and limits of police surveillance to the Supreme Court, the power to collect information and personal data of a person is firmly embedded in Indian criminal law and procedure. Surveillance is an essential condition of the nation-state; the inherent logic of its foundation requires the nation-state to perpetuate itself by interdicting threats to its peaceful existence. Surveillance is a method by which the nation-state’s agencies interdict those threats. The challenge for democratic countries such as India is to find the optimal balance between police powers of surveillance and the essential freedoms of its citizens, including the right to privacy.

The regime governing the interception of communications is contained in section 5(2) of the Indian Telegraph Act, 1885 ("Telegraph Act") read with rule 419A of the Indian Telegraph Rules, 1951 ("Telegraph Rules"). The Telegraph Rules were amended in 2007[15] to give effect to, amongst other things, the procedural safeguards laid down by the Supreme Court in the PUCL case. However, India’s federal scheme permits States to also legislate in this regard. Hence, in addition to the general law on interceptions contained in the Telegraph Act and Telegraph Rules, some States have also empowered their police forces with interception functions in certain cases.[16] Ironically, even though some of these State laws invoke heightened public order concerns to justify their invasions of privacy, they establish procedural safeguards based on the principle of probable cause that surpasses the Telegraph Rules.

In addition, further subordinate legislation issued to fulfil the provisions of sections 69(2) and 69B(3) of the IT Act permit the interception and monitoring of electronic communications — including emails — to collect traffic data and to intercept, monitor, and decrypt electronic communications.[17]

The proposed Privacy (Protection) Bill, 2013 and Roundtable Meetings

In this background, the proposed Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.

Previous roundtable meetings to seek comments and opinion on the proposed Privacy (Protection) Bill, 2013 took place at:

New Delhi: April 13, 2013 (http://bit.ly/17REl0W) with 45 participants;
Bangalore: April 20, 2013 (http://bit.ly/162t8rU) with 45 participants;
Chennai: May 18, 2013 (http://bit.ly/12ICGYD) with 25 participants.
Mumbai, June 15, 2013 (http://bit.ly/12fJSvZ) with 20 participants;
Kolkata: July 13, 2013 (http://bit.ly/11dgINZ) with 25 participants; and
New Delhi: August 24, 2013 (http://bit.ly/195cWIf) with 40 participants.

The roundtable meetings were multi-stakeholder events with participation from industry representatives, lawyers, journalists, civil society organizations and Government representatives. On an average, 75 per cent of the participants represented industry concerns, 15 per cent represented civil society and 10 per cent represented regulatory authorities. The model followed at the roundtable meetings allowed for equal participation from all participants.

[1]. See generally, Dan Solove, “A Taxonomy of Privacy” University of Pennsylvania Law Review (Vol. 154, No. 3, January 2006).

[2]. Wainwright v. Home Office [2003] UKHL 53.

[3]. See A v. B plc [2003] QB 195; Wainwright v. Home Office [2001] EWCA Civ 2081; R (Ellis) v. Chief Constable of Essex Police [2003] EWHC 1321 (Admin).

[4]. Kharak Singh v. State of Uttar Pradesh AIR 1963 SC 1295.

[5]. Gobind v. State of Madhya Pradesh AIR 1975 SC 1378.

[6]. R. Rajagopal v. State of Tamil Nadu AIR 1995 SC 264.

[7]. People’s Union for Civil Liberties v. Union of India (1997) 1 SCC 30.

[8]. A Division Bench of the Supreme Court of India comprising Kuldip Singh and Saghir Ahmad, JJ, found that the procedure set out in section 5(2) of the Indian Telegraph Act, 1885 and rule 419 of the Indian Telegraph Rules, 1951 did not meet the “just, fair and reasonable” test laid down in Maneka Gandhi v. Union of India AIR 1978 SC 597 requisite for the deprivation of the right to personal liberty, from whence the Division Bench found a right to privacy emanated, guaranteed under Article 21 of the Constitution of India. Therefore, Kuldip Singh, J, imposed nine additional procedural safeguards that are listed in paragraph 35 of the judgment.

[9]. Naz Foundation v. Government of NCT Delhi (2009) 160 DLT 277.

[10]. The 2010 data adequacy assessment of Indian data protection laws was conducted by Professor Graham Greenleaf. His account of the process and his summary of Indian law can found at Graham Greenleaf, "Promises and Illusions of Data Protection in Indian Law" International Data Privacy Law (47-69, Vol. 1, No. 1, March 2011).

[11]. The Rules were brought into effect vide Notification GSR 313(E) on 11 April 2011. CIS submitted comments on the Rules that can be found here – http://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011.

[12]. The Committee on Subordinate Legislation, a parliamentary ‘watchdog’ committee, is mandated by rules 317-322 of the Rules of Procedure and Conduct of Business in the Lok Sabha (14^th edn., New Delhi: Lok Sabha Secretariat, 2010) to examine the validity of subordinate legislation.

[13]. See the 31^st Report of the Committee on Subordinate Legislation that was presented on 21 March 2013.

[14]. See paragraphs 7.14-7.17 on pages 69-72 of the Report of the Group of Experts on Privacy, 16 October 2012, Planning Commission, Government of India.

[15]. See, the Indian Telegraph (Amendment) Rules, 2007, which were brought into effect vide Notification GSR 193(E) of the Department of Telecommunications of the Ministry of Communications and Information Technology, Government of India, dated 1 March 2007.

[16]. See, inter alia, section 14 of the Maharashtra Control of Organised Crime Act, 1999; section 14 of the Andhra Pradesh Control of Organised Crime Act, 2001; and, section 14 of the Karnataka Control of Organised Crime Act, 2000.

[17]. See, the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data and Information) Rules, 2009 vide GSR 782 (E) dated 27 October 2009; and, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 vide GSR 780 (E) dated 27 October 2009.

For more details visit https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings

Privacy and Surveillance in India

praskrishna — 2013-09-13T09:49:25Z

Sunil Abraham, Executive Director from the Centre for Internet and Society will give a talk on privacy and surveillance in India at this event organised by the Centre for Culture, Media and Governance, Jamia Millia Islamia on September 18, 2013. The talk will be held at Network Governance Lab, CCMG, Jamia Millia Islamia in New Delhi at 11.30 a.m.

Click to read the brochure

Abstract

The talk will cover the development of privacy policy in India over the last 3 years, particularly in relation to projects such as NATGRID, CMS and UID. Special attention will be paid to the Justice A.P. Shah committee report, the last leak of the privacy bill from the DoPT and also the citizen draft of the privacy bill developed by the Centre for Internet and Society. International experiences such as Snowden's disclosures and the development of communication surveillance principles developed by EFF and others will be compared and contrasted with the Indian context.

About the Speaker

Sunil is the executive director of the Centre for Internet and Society (CIS), Bangalore. CIS is a 4 year old policy and academic research organisation that focuses on accessibility by the disabled, intellectual property rights policy reform, openness [Free/Open Source Software, Open Standards, Open Content, Open Access and Open Educational Resources], internet governance, telecom, digital natives and digital humanities.

He is also the founder of Mahiti, a social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. Sunil continues to serve on the board of Mahiti. He is an Ashoka fellow and was elected for a Sarai FLOSS Fellowship. For three years, Sunil also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

Sunil currently serves on the advisory boards of Open Society Foundations - Information Programme, Mahiti, Samvada and International Centre for Free/Open Source Software.

For more details visit https://cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india

Transparency Reports — A Glance on What Google and Facebook Tell about Government Data Requests

prachi — 2013-09-13T09:44:53Z

Transparency Reports are a step towards greater accountability but how efficacious are they really?

Prachi Arya examines the transparency reports released by tech giants with a special focus on user data requests made to Google and Facebook by Indian law enforcement agencies.

The research was conducted as part of the 'SAFEGUARDS' project that CIS is doing with Privacy International and IDRC.

According to a recent comScore Report India has now become the third largest internet user with nearly 74 million citizens on the Internet, falling just behind China and the United States. The report also reveals that Google is the preferred search engine for Indians and Facebook is the most popular social media website followed by LinkedIn and Twitter. While users posting their photos on Facebook can limit viewership through privacy settings, there isn’t much they can do against government seeking information on their profiles. All that can be said for sure in the post-Snowden world is that large-scale surveillance is a reality and the government wants it on their citizen’s online existence. In this Orwellian scenario, transparency reports provide a trickle of information on how much our government finds out about us.

The first transparency report was released by Google three years ago to provide an insight into ‘the scale and scope of government requests for censorship and data around the globe’. Since then the issuance of such reports is increasingly becoming a standard practice for tech giants. An Electronic Frontier Foundation Report reveals that major companies that have followed Google’s lead include Dropbox, LinkedIn, Microsoft and Twitter with Facebook and Yahoo! being the latest additions . Requests to Twitter and Microsoft from Indian law enforcement agencies were significantly less than requests to Facebook and Google. Twitter revealed that Indian law enforcement agencies made less than 10 requests, none of which resulted in sharing of user information. Out of the 418 requests made to Microsoft by India (excluding Skype), 88.5 per cent were complied with for non-content user data. The Yahoo! Transparency Report revealed that 6 countries surpassed India in terms of the number of user data requests. Indian agencies requested user data 1490 times from 2704 accounts for both content and non-content data and over 50 per cent of these requests were complied with.

The following is a compilation of what the latest transparency reports issued by Facebook and Google.

Google

"The information we share on the Transparency Report is just a sliver of what happens on the internet"
Susan Infantino, Legal Director for Google

Beginning from December 2009, Google has published several biannual transparency reports:

It discloses traffic data of Google services globally and statistics on removal requests received from copyright owners or governments as well as user data requests received from government agencies and courts. It also lays down the legal process required to be followed by government agencies seeking data.

There was a 90 per cent increment in the number of content removal requests received by Google from India. The requests complied with included:
- Restricting videos containing clips from the controversial movie “Innocence of Muslims” from view.
- Many YouTube videos and comments as well as some Blogger blog posts being restricted from local view for disrupting public order in relation to instability in North East India.
For User Data requests, the Google report details the number of user data requests and users/accounts as well as percentage of requests which were partially or completely complied with. In India the user data requests more than doubled from 1,061 in the July-December 2009 period to 2,431 in the July-December 2012 period. The compliance rate decreased from 79 per cent in the July-December 2010 period to 66 per cent in the last report.
Jurisdictions outside the United States can seek disclosure using Mutual Legal Assistance Treaties or any ‘other diplomatic and cooperative arrangement’. Google also provides information on a voluntary basis if requested following a valid legal process if the requests are in consonance with international norms, U.S. and the requesting countries' laws and Google’s policies.

Facebook

"We hope this report will be useful to our users in the ongoing debate about the proper standards for government requests for user information in official investigations."
Colin Stretch, Facebook General Counsel

Facebook inaugurated its first ever transparency report last Tuesday with a promise to continue releasing these reports.

The ‘Global Government Requests Report’ provides information on the number of requests received by the social media giant for user/account information by country and the percentage of requests it complied with. It also includes operational guidelines for law enforcement authorities.

The report covers the first six months of 2013, specifically till June 30. In this period India made 3,245 requests from 4,144 users/accounts and half of these requests were complied with.

Jurisdictions outside the United States can seek disclosure by way of mutual legal assistance treaties requests or letter rogatory. Legal requests can be in the form of search warrants, court orders or subpoena. The requests are usually made in furtherance of criminal investigations but no details about the nature of such investigations are provided.

Broad or vague requests are not processed. The requests are expected to include details of the law enforcement authority issuing the request and the identity of the user whose details are sought.

The Indian Regime

Section 69 and 69 B of the Information Technology (Amended) Act, 2008 prescribes the procedure and sets safeguards for the Indian Government to request user data from corporates. According to section 69, authorized officers can issue directions to intercept, monitor or decrypt information for the following reasons:

Sovereignty or integrity of India,
Defence of India,
Security of the state,
Friendly relations with foreign states,
Maintenance of public order,
Preventing incitement to the commission of any cognizable offence relating to the above, or
For investigation of any offence.

Section 69 B empowers authorized agencies to monitor and collect information for cyber security purposes, including ‘for identification, analysis and prevention of intrusion and spread of computer contaminants’. Additionally, there are rules under section 69 and 69 B that regulate interception under these provisions.

Information can also be requested through the Controller of Certifying Authority under section 28 of the IT Act which circumvents the stipulated procedure. If the request is not complied with then the intermediary may be penalized under section 44.

The Indian Government has been increasingly leaning towards greater control over online communications. In 2011, Yahoo! was slapped with a penalty of Rs. 11 lakh for not complying with a section 28 request, which called for email information of a person on the grounds of national security although the court subsequently stayed the Controller of Certifying Authorities' order. In the same year the government called for pre-screening user content by internet companies and social media sites to ensure deletion of ‘objectionable content’ before it was published. Similarly, the government has increasingly sought greater online censorship, using the Information Technology Act to arrest citizens for social media posts and comments and even emails criticizing the government.

What does this mean for Privacy?

The Google Transparency Report has thrown light on an increasing trend of governmental data requests on a yearly basis. The reports published by Google and Facebook reveal that the number of government requests from India is second only to the United States. Further, more than 50 per cent of the requests from India have led to disclosure by nearly all the companies surveyed in this post, with Twitter being the single exception.

Undeniably, transparency reports are important accountability mechanisms which reaffirm the company’s dedication towards protecting its user’s privacy. However, basic statistics and vague information cannot lift the veil on the full scope of surveillance. Even though Google’s report has steadily moved towards a more nuanced disclosure, it would only be meaningful if, inter alia, it included a break-up of the purpose behind the requests. Similarly, although Google has also included a general understanding of the legal process, more specifics need to be disclosed. For example, the report could provide statistics for notifications to indicate how often user’s under scrutiny are not notified. Such disclosures are important to enhance user understanding of when their data may be accessed and for what purposes, particularly without prior or retrospective intimation of the same. Till such time the report can provide comprehensive details about the kind of surveillance websites and internet services are subjected to, it will be of very limited use. Its greatest limitation, however, may lie beyond its scope.

The monitoring regime envisioned under the Information Technology Act effectively lays down an overly broad system which may easily lead to abuse of power. Further, the Indian Government has become infamous for their need to control websites and social media sites. Now, with the Indian Government’s plan for establishing the Central Monitoring System the need for intermediaries to conduct the interception may be done away with, giving the government unfettered access to user data, potentially rendering corporate transparency of data requests obsolete.

For more details visit https://cis-india.org/internet-governance/blog/what-google-and-facebook-tell-about-govt-data-requests

A dangerous trend: social media adds fire to Muzaffarnagar clashes

praskrishna — 2013-09-12T10:50:26Z

As access to the Internet grows, especially in small Indian towns and cities, social media has revealed a darker side as a hatred-mongering tool capable of setting off serious violence.

This article by Zia Haq was published in the Hindustan Times on September 9, 2013. Sunil Abraham is quoted.

Malicious content, such as fake YouTube videos and morphed photographs, are usually spread rapidly to trigger rioting.

In UP’s Muzzafarnagar, a video clip purportedly showing a Muslim mob lynching two boys, which police now suspect is from neighboring Pakistan or Afghanistan, was used to stir unease, deepening hatred between Muslims and Hindus.

A series of rioting in western UP district has left at least 41 dead. The circulation of the video had led to violence spreading to new areas. The fake video that escalated clashes portends a new trend in India’s discordant politics.

“From word of mouth, communal polarization, especially by Hindutva organisations, is now moving online. This is a dangerous trend since the Internet is very potent,” said Prof Badri Narayan of the GB Pant Social Science Institute, Allahabad.

Research shows social media sites, including sites like Facebook, Twitter and YouTube, are more persuasive than television ads. Nearly 100 million Indians use the Internet each day, more than Germany’s population. Of this, 40 million have assured broadband, the ones who mostly subscribe to social-media accounts.

The country also has about 87 million mobile-Internet users, according to Internet and Mobile Association of India.

UP’s police have blocked the video, invoking sections under 420 (forgery), 153-A (promoting enmity on religious grounds) and 120-B (conspiracy) of the Indian Penal Code, along with section 66 of the Information Technology Act.

Section 66, however, is the heart of a free-speech debate. Activists say section 66 has been used at the drop of a hat.

Last November, two Mumbai girls faced arrests for questioning the city’s shutdown for Shiv Sena leader Bal Thackeray’s funeral. The arrests were declared illegal after being roundly criticised, including by the Supreme Court.

“In this case, the government has a legitimate reason to censor speech. However, this requires the authorities to very focused and action should be targeted, rather than sweeping,” said Sunil Abraham of the Bangalore-based The Centre for Internet and Society.

The government’s action, Abraham said, tended to be broad-based. He said in such situations, the government could use public-service messaging to present the alternate view.

“Legal provisions could be made whereby Twitter users from India, for example, (compulsorily) see the public service message by default when they log in,” Abraham said.

For more details visit https://cis-india.org/news/hindustan-times-september-9-2013-zia-haq-a-dangerous-trend

Privacy Law Must Fit the Bill

sunil — 2013-09-12T06:25:35Z

The process of updating Indian privacy policy has gained momentum ever since the launch of the UID project and also the leak of the Radia tapes. The Department of Personnel and Training has lead the drafting of privacy bill for the last three years. This bill will ideally articulate privacy principles and establish the office of the privacy commissioner and most importantly have an over-riding effect over 50 odd existing laws, rules and policies with privacy implications.

The article was published in the Deccan Chronicle on September 9, 2013.

Given the harmonizing impact of the proposed privacy bill, we must ensure that rigorous debate and discussion happens before the bill is finalized otherwise there may be terrible consequences.

Here is a short list of what can possibly go wrong:

One, the privacy bill ignores the massive power asymmetry in Indian societies undermining the right to information – in other jurisdictions referred to as freedom of information and access to information. The power asymmetry is addressed via a public interest test. The right to privacy would be the same for everyone except when public interest is at stake. This enables protection of the right to privacy to be inversely proportionate to power and almost conversely the requirement of transparency to be directly proportionate to power. In other words, the poor would have greater privacy than a middle-class citizens who in turn would have greater privacy than political and economic elites. And transparency requirements would be greatest for economic and political elites and lower for middle-class citizens and lowest for the poor. If this is not properly addressed in the language of the bill – privacy activists would have undone the significant accomplishments of the right to information or transparency movement in India over the last decade.

Two, the privacy bill has chilling effect on free speech. This can happen either by denying the speaker privacy, or by affording those who are spoken about too much privacy. For the speaker - Know Your Customer (KYC) and data retention requirements for telecom and internet infrastructure necessary to participate in the networked public sphere can result in the death of anonymous and pseudonymous speech. Anonymous and pseudonymous speech must be protected as it is a necessary for good governance, free media, robust civil society, and vibrant art and culture in a democracy. For those spoken about - privacy is clearly required in certain cases to protect the victims of certain categories of crimes. However, the right to privacy could be abused by those occupying public office and those in public life to censor speech that is in the public interest. If for example a sport person does not publicly drink the aerated drink that he or she endorses in advertisements then the public has a right to know.

Three, the privacy bill has a limited scope. Jurisprudence in India derives the right to privacy from the right to life and liberty through several key judgments including Naz Foundation v. Govt. of NCT of Delhi decided by the Delhi High Court. The right to life and liberty or Article 21 unlike other constitutionally guaranteed fundamental rights does not distinguish between citizens and non-citizens. As a consequence the privacy bill must also protect residents, visitors and other persons who may never visit India, but whose personal information may travel to India as part of the global outsourcing phenomena. Also the obligations and safeguards under the privacy bill must equally apply to both the state and the private sector entities that could potentially infringe upon the individual's right to privacy. Different levels of protection may be afforded to citizens, residents, visitors and everybody else. Government and private sector data controllers may be subject to different regulations – for ex. an intelligence agency may not require 'consent' of the data subject to collect personal information and may only provide 'notice' after the investigation has cleared the suspect of all charges.

Four, the privacy bill is expected to fix poorly designed technology. There are two diametrically opposite definitions of projects like NATGRID, CMS and UID. The government definition is that all these systems will allow only for targeted interception and surveillance, however the majority of civil society believes that these system will be used for blanket surveillance. If these systems are indeed built in a manner that supports blanket surveillance then legal band-aid in the form of a new law or provision that prohibits blanket surveillance will be a complete failure. The principle of 'privacy by design' is the only way to address this. For ex. shutters of digital cameras are silent and this allows for a particular form of voyeurism called upskirt. Almost a decade ago, the Korean government enacted a law that requires camera and mobile phone manufacturers to ensure that audio recording of a mechanical shutter is played every time the camera function is used. It is also illegal for the user to circumvent or disable this feature. In this example, the principle of notice is hardwired within the technology itself. To remix Spiderman's motto – with great power comes great temptation. We know that a rogue NTRO official installed a spy camera in the office toilet to make recording female colleagues and most recently that NSA officers confessed to spying on their love interests. If the technology can be abused it will be abused. Therefore legal safeguards are a poor substitute for technological safeguards. We need both simultaneously.

Five, the bill does not require compliance with internationally accepted privacy principles including the ones discussed so far 'consent', 'notice' and 'privacy by design'. Apart from human rights considerations – the most important imperative to modernize India privacy laws is trade. We have a vibrant ITES, BPO and KPO sector which handles personal information of foreigners mostly from the North American and European continents. The Justice AP Shah committee in October 2012 identified privacy principle that required for India - notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. A privacy bill that does include all these principles will increase the regulatory compliance overhead for Indian enterprise with foreign clients and for multinationals operating in India. There is also the risk that privacy regulators in these jurisdictions will ban outsourcing to Indian firms because our privacy laws are not adequate by their standards.

To conclude, it is not sufficient for India to enact a privacy law it is essential that we get it right so that there are no unintended consequences on other equally important rights and dimensions of our democracy.

For more details visit https://cis-india.org/internet-governance/blog/deccan-chronicle-september-9-2013-sunil-abraham-privacy-law-must-fit-the-bill

Young Scholar Tutorials

praskrishna — 2013-09-30T11:21:25Z

Communication Policy Research South organised this workshop on September 3 and 4, 2013. Nehaa Chaudhari participated in the event organised by CPR South.

Rohan Samarajiva, Christoph Stork, Marcio Aranha, Ang Peng Hwa, and Sujata Gamage were the speakers. Unedited notes from the workshop can be accessed by clicking on the links below:

CPR South Tutorial Note (1)
CPR South Tutorial Note (2)

Click to read the original here.

For more details visit https://cis-india.org/news/young-scholar-tutorials

An Interview with Suresh Ramasubramanian

elonnai — 2013-09-06T09:37:47Z

Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud.

You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?
a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, have become a M3AAWG special advisor for capacity building and outreach in India.

In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.

This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.

There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.
In a recent public statement Google said "Cloud users have no legitimate expectation of privacy. Do you agree with this statement?
a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.

The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.

It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.

Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.

There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.
What ways can be privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?
a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.

Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.

Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.

The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.
How is the jurisdiction of the data on the cloud determined?
This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.

However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.

The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.

In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.

In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.
Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?
a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].

A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.
What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?
a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.

Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html). Some standards you absolutely have to comply with for legal reasons.

Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.

The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and securitymomentum going once these standards have been “achieved”, till it is time for the next audit at any rate.
What do you see as the big challenges for privacy in the cloud in the coming years?
a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.
Do you think encryption the answer to the private and public institutions snooping?
a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.

There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.

As a very popular XKCD cartoon that has been shared around social media and has been cited in multiple security papers says -

“A crypto nerd’s imagination”

“His laptop’s encrypted. Let us build a million dollar cluster to crack it”
“No good! It is 4096 bit RSA”
“Blast, our evil plan is foiled”

“What would actually happen”
“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”
“Got it”
Spam is now consistently used to get people to divulge their personal data or otherwise compromise a persons financial information and perpetuate illegal activity. Can spam be regulated? If so, how?
a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.

The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.

Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.

Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.

Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.
There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?
a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.

Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.

Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.

This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.

User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian

Indien: Regierung will Nutzung von US-Mailprovidern in Verwaltungen verbieten

praskrishna — 2013-09-05T10:59:51Z

Die indische Regierung wird in Kürze all ihre Mitarbeiter auffordern, keine US-amerikanischen Mailprovider, allen voran Gmail, für ihre offizielle Kommunikation zu nutzen.

This was published in Netzpolitik (German Newspaper) on September 3, 2013. Sunil Abraham is quoted.

Ziel der Regierung ist es, die Sicherheit von vertraulichen Information der Regierung zu erhöhen. Die indische Regierung sieht sich zu diesem Schritt gezwungen, nachdem die flächendeckende Überwachung des Internets durch die USA bekannt wurde, an dem auch amerikanische Unternehmen gezwungenermaßen beteiligt sind.

Wie The Times of India berichtet, gab ein leitender Beamter der indischen Regierung an, dass die Regierung plane rund 500.000 Angestellte darüber zu informieren, dass die Nutzung amerikanischer Mailprovider zur offiziellen Kommunikation nicht mehr gestattet sei. Stattdessen sollen die Angestellten zum offiziellen Mailservice des indischen National Informatics Center wechseln.

“Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data,” said J Satyanarayana, secretary in the department of electronics and information technology.

Dass Angestellte der indischen Regierung und selbst Minister in Indien die Dienste von Gmail in Anspruch nehmen, statt auf Lösungen der eigenen Regierung zu setzen scheint nach Aussagen der Times of India keine Seltenheit zu sein.

Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email.

Ein Grund hierfür scheint die einfache und unbürokratische Anmeldung bei solchen Diensten zu sein. Wer eine offizielle Adresse der indischen Regierung haben wolle, müsse diese erst beantragen und in einem langwierigen Prozess seine tatsächliche Identität beweisen. Bei Gmail und anderen Mailprovidern hingegen sei eine Anmeldung oftmals mit wenigen Klicks durchführbar, wie ein leitender Angestellter im IT-Ministerium sagte.

Eine Pressesprecherin von Google Indien gab an, dass der Konzern bisher nicht von dem Verbot erfahren habe und es sich daher um reine Spekulation handele, auf die der Konzern nicht weiter eingehen wolle.

Erst in der letzten Woche gab der indische IT-Minister Kapil Sibal neue Richtlinien für im Ausland lebende Mitarbeiter der indischen Regierung bekannt. The Times of India berichtete:

[...] the new policy will make it mandatory for all government officials stationed in Indian missions abroad to use only static IP addresses, virtual private networks and one-time passwords for accessing Indian government email services.

Sibal ergänzte, dass alle Mails automatisch verschlüsselt würden und nur über indische Server des National Informatics Centers abgewickelt würden.

“All Indian missions will use NIC servers which are directly linked to a server in India and that will keep government information safe”

Sunil Abraham, Direktor des indischen Centre for Internet & Soceity in Bangalore nannte den Entschluss der Regierung “eine späte Reaktion”, begrüßte den Schritt aber dennoch:

“Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance.”

For more details visit https://cis-india.org/news/netzpolitik-indien-regierung-will-nutzung-von-us-mailprovidern-in-verwaltungen-verbieten

Syllabus: “Policy and regulation conducive to rapid ICT sector growth in Myanmar: An introductory course”

praskrishna — 2013-10-24T03:56:31Z

A five-day course is being offered by LIRNEasia in collaboration with Myanmar ICT Development Organization, with support from the Open Society Foundation and the International Development Research Centre of Canada in Myanmar from September 28 to October 5, 2013.

Sunil Abraham will be supporting Prof. Samarajiva on the last optional day of this course in Yangon. Read about the Introductory course on “Policy and regulation conducive to rapid ICT sector growth in Myanmar”

Goal

To enable members of Myanmar civil-society groups (including academics and those from the media) to marshal available research and evidence for effective participation in policy and regulatory processes, thereby improving policy processes and helping achieve the government’s objective of providing ICT access to all.

Outcomes

The objective of the course is to produce discerning and knowledgeable consumers of research who are able to engage in an informed manner in ICT policy and regulatory processes in Myanmar. The course will benefit those working in government and operators as well.

At the end of the course attendees will:

Have an understanding of telecom policy and regulatory processes
Be able to find and assess relevant research & evidence
Be able to summarize the research in a coherent and comprehensive manner
Have the necessary tools to improve their communication skills

- Have some understanding of how media functions and how to effectively interact with media

Assignments

Participants will be formed into teams on Day1. Each group will work on an assignment that addresses both substantive and procedural aspects of law, policy and regulation. Teams will be assigned topic areas that are being developed into regulations under the new Act. They will have to make presentations on what the desirable provisions should be. We will emphasize the procedural aspects as well as the substantive. Disciplined and focused team presentations, preferably using slides, are required.

It is necessary to use the Internet for the assignments. All who have laptops are encouraged to bring them. Arrangements will be made for Internet connectivity at the hotel.

Tentative topic areas

Licensing and authorization regulations
Essential facilities and anti-competitive practices
Universal service policy
Price and quality regulation
Independence of regulatory agency

Course schedule

	Day 1 (September 28)	Day 2 (September 29)	Day 3 (September 30)	Day4 (October 1)	Day 5 (October 2) (optional)
09:00-10:30	S1 Introduction to course: What have been the results of reform & rationale for regulation. Rohan Samarajiva (RS)	S5 Regulatory legitimacy, including procedural legitimacy (RS)	S10 Challenges of monitoring complex license commitments (HG)	S14 How does the Internet work? (TBA)	S16 Internet governance The big picture. Sunil Abraham (SA)
10:30-11:00	Break	Break	Break	Break
11:00-12:00	S2 Interrogating supply-side indicators & research based on them. Helani Galpaya (HG)	S6 Current status of telecom law and policy in Myanmar (RS)	S11 How evidence is used in policy & regulation (panel discussion, KS, RS	S15 The art of media interaction (RS)	S17 Economic & technical interface with telecom industry (RS)
12:00-13:00	S3 Finding information on the web. Roshanthi Lucas Gunaratne (RLG)	S7 Presenting evidence in slides & written submissions (HG)	S12 Essential facilities and anti-competitive practices (RS)	A3 Mock public hearing (RS & panel)	S18 How Internet is governed within India (SA)
13:00-14:00	Lunch	Lunch	Lunch	Lunch
14:00-15:00	A1 Group formation; Assignment explained (HG and RLG)	S8 Licensing and authorization (RS)	A2 Midpoint check on assignment/group work (HG and RLG)	A4 Mock public hearing & critique (RS & panel)	S19 Content regulation (TBA)
15:00-15:30	Break	Break	Break
15:30-17:00	S4 Demand-side research (RS)	S9 Price and quality regulation (RS & HG)	S13 Universal service subsidies: Theory & practice (RS & KS)	Reflection on the course	S20 Surveillance & privacy (SA & RS)
17:00	Group work	Group work	Group work
19:00	Welcome dinner Speaker: TBA

Faculty

Sunil Abraham is the Executive Director of CIS. He is also a social entrepreneur and Free Software advocate. He founded Mahiti in 1998 which aims to reduce the cost and complexity of Information and Communication Technology for the Voluntary Sector by using Free Software. Today, Mahiti employs more than 50 engineers and Sunil continues to serve on the board as a board member. Sunil was elected an Ashoka fellow in 1999 to 'explore the democratic potential of the Internet' and was granted a Sarai FLOSS fellowship in 2003. Between June 2004 and June 2007, he managed the International Open Source Network, a project of the UNDP's Asia-Pacific Development Information Programme serving 42 countries in the Asia-Pacific region. Between September 2007 and June 2008, he also managed ENRAP, an electronic network of International Fund for Agricultural Development projects in the Asia-Pacific facilitated and co-funded by International Development Research Centre, Canada.

Helani Galpaya is LIRNEasia’s Chief Executive Officer. Helani leads LIRNEasia’s 2012-2014 IDRC funded research on improving customer life cycle management practices in the delivery of electricity and e-government services using ICTs. She recently completed an assessment of how the poor in Bangladesh and Sri Lanka use telecenters to access government services. For UNCTAD and GTZ she authored a report on how government procurement practices can be used to promote a country’s ICT sector and for the World Bank/InfoDev Broadband Toolkit, a report on broadband strategies in Sri Lanka. She has been an invited speaker at various international forums on topics ranging from m-Government to ICT indicators to communicating research to policy makers. Prior to LIRNEasia, Helani worked at the ICT Agency of Sri Lanka, implementing the World-Bank funded e-Sri Lanka initiative. Prior to her return to Sri Lanka, she worked in the United States at Booz & Co., Marengo Research, Citibank, and Merrill Lynch. Helani holds a Masters in Technology and Policy from the Massachusetts Institute of Technology, and a Bachelor’s in Computer Science from Mount Holyoke College, USA.

Roshanthi Lucas Gunaratne is a Research Manager at LIRNEasia and is currently managing the Ford Foundation Funded project on Giving Broadband Access to the Poor in India. She is also contributing to the IDRC Customer Lifecycle Management Practices Project by conducting research on customer lifecycle management practices in telecommunication sector in Bangladesh. Before joining LIRNEasia, Roshanthi worked at the Global Fund to fight AIDS, Tuberculosis and Malaria, Geneva, Switzerland as a Strategic Information Officer. She contributed to the process of defining the Global Fund Key Performance Indicators, and also worked on improving the performance measurements of their grants. Prior to that, she worked as a telecom project manager at Dialog Telecom, and Suntel Ltd in Sri Lanka. As Suntel she managed the design and implementation of corporate customer projects. She holds a MBA from the Judge Business School, University of Cambridge, UK and a BSc. Eng (Hons) specializing in Electronics and Telecommunication from the University of Moratuwa, Sri Lanka.

Rajat Kathuria, PhD

Rohan Samarajiva, PhD, is founding Chair of LIRNEasia, an ICT policy and regulation think tank active across emerging Asian and Pacific economies. He was Team Leader at the Sri Lanka Ministry for Economic Reform, Science and Technology (2002-04) responsible for infrastructure reforms, including participation in the design of the USD 83 million e-Sri Lanka Initiative. He was Director General of Telecommunications in Sri Lanka (1998-99), a founder director of the ICT Agency of Sri Lanka (2003-05), Honorary Professor at the University of Moratuwa in Sri Lanka (2003-04), Visiting Professor of Economics of Infrastructures at the Delft University of Technology in the Netherlands (2000-03) and Associate Professor of Communication and Public Policy at the Ohio State University in the US (1987-2000). Dr. Samarajiva was also Policy Advisor to the Ministry of Post and Telecom in Bangladesh (2007-09).

Koesmarihati Sugondo

Resource Material

infodev, ICT regulation toolkit. http://www.ictregulationtoolkit.org/en/Index.html

infoDev. Broadband strategies toolkit. http://broadbandtoolkit.org/en/toolkit/contents

infoDev (2011). Tenth anniversary telecom regulation handbook. http://www.infodev.org/En/Publication.1057.html

ITU (2011). The role of ICT in advancing growth in least developed countries: Trends, challenges and opportunities. Geneva: ITU. http://www.itu.int/ITU-D/ldc/turkey/docs/The_Role_of_ICT_in_Advancing_Growth_in_LDCs_Trends_Challenges_and_Opportunities.pdf

Samarajiva, Rohan (2000). The role of competition in institutional reform of telecommunications: Lessons from Sri Lanka, Telecommunications Policy, 24(8/9): 699-717. http://www.comunica.org/samarajiva.html

Samarajiva, Rohan (2002). Why regulate?, chapter 2 of Effective regulation: Trends in Telecommunication Reform 2002. Geneva: International Telecommunication Union.

Samarajiva, Rohan (2006). Preconditions for effective deployment of wireless technologies for development in the Asia-Pacific, Information Technology and International Development, 3(2): 57-71. http://itidjournal.org/itid/article/view/224/94

Samarajiva, Rohan & Zainudeen, Ayesha (2008). ICT infrastructure in emerging Asia: Policy and regulatory roadblocks, New Delhi & Ottawa: Sage & IDRC http://www.idrc.ca/en/ev-117916-201-1-DO_TOPIC.html

For more details visit https://cis-india.org/news/policy-and-regulation-conducive-to-rapid-ict-growth-in-myanmar

Cyberspying: Government may ban Gmail for official communication

praskrishna — 2013-09-02T04:19:53Z

The government will soon ask all its employees to stop using Google's Gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyberspying by the US.

This article was published in the Times of India on August 30, 2013. Sunil Abraham is quoted.

A senior official in the ministry of communications and information technology said the government plans to send a formal notification to nearly 5 lakh employees barring them from email service providers such as Gmail that have their servers in the US, and instead asking them to stick to the official email service provided by India's National Informatics Centre.

"Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data," said J Satyanarayana, secretary in the department of electronics and information technology.

Snowden fallout

The move comes in the wake of revelations by former US National Security Agency contractor Edward Snowden that the US government had direct access to large amounts of personal data on the internet such as emails and chat messages from companies like Google, Facebook and Apple through a programme called PRISM.

Documents leaked by Snowden showed that NSA may have accessed network infrastructure in many countries, causing concerns of potential security threats and data breaches. Even as the new policy is being formulated, there has been no mention yet of how compliance will be ensured.

Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email.

A Google India spokeswoman said the company has not been informed about the ban, and hence it cannot comment on speculation. "Nothing is documented so far, so for us, it is still speculation," Google said in an email response.

A senior official in the IT department admitted on condition of anonymity that employees turn to service providers such as Gmail because of the ease of use compared with official email services, as well as the bureaucratic processes that govern creation of new accounts.

"You can just go and create an account in Gmail easily, whereas for a government account, you have to go through a process because we have to ensure that he is a genuine government user."

Last week, IT Minister Kapil Sibal said the new policy would require all government officials living abroad to use NIC servers that are directly linked to a server in India while accessing government email services. Sibal said there has been no evidence of the US accessing Internet data from India.

Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agrees with the government's decision to ban Gmail for official communication and that any official violating this needs to be punished.

"After Snowden's revelations, we can never be sure to what extent foreign governments are intercepting government emails," he said. Abraham, however, called the government's decision a "late reaction", as the use of Gmail and other free email services by bureaucrats has increased in the past.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

For more details visit https://cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication

Gmail ban looms for Indian gov't workers

praskrishna — 2013-09-19T07:19:11Z

Government workers in India will soon be banned from using Google’s Gmail service for official communication in a move said to be in response to revelations of widespread cyberspying by the US, a national paper reported.

Beatrice Thomas's blog post was published in Arabian Business.com on September 1, 2013. Sunil Abraham is quoted.

Two weeks after Dubai announced a ban on private emails by Government staff, a senior official in India’s Ministry of Communications and Information Technology said the crackdown would apply to 500,000 government employees, according to The Times of India.

They would be banned from using providers such as Gmail, which had servers based in the US, and instead asked to stick to the official email service provided by India's National Informatics Centre.

"Gmail data of Indian users resides in other countries as the servers are located outside," J Satyanarayana, secretary in the Department of Electronics and Information Technology, told the Times.

“Currently, we are looking to address this in the Government domain, where there are large amounts of critical data.”

The move comes in the wake of revelations by former US National Security Agency contractor Edward Snowden that the US government had direct access to large amounts of personal data on the internet such as emails and chat messages from companies such as Google, Facebook and Apple through a program called PRISM.

The Times said several senior government officials in India, including ministers of state for communications and IT, Milind Deora and Kruparani Killi, had their Gmail IDs listed in government portals as their official email.

However, IT Minister Kapil Sibal said last week there had been no evidence of the US accessing internet data from India.

The newspaper quoted a senior official in the IT Department saying Gmail was preferred by employees because, compared to official email services, it was easy to set up.

Sibal said the new policy would require all government officials living abroad to use NIC servers that were directly linked to a server in India while accessing government email services.

Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agreed with the ban.

“After Snowden’s revelations, we can never be sure to what extent foreign governments are intercepting government emails," he told the Times.

It emerged last month that Dubai government employees had been banned from sending and receiving private emails at work, including the use of independent email providers such as Hotmail, Yahoo! and Gmail.

The new regulations announced by Sheikh Mohammed bin Rashid Al Maktoum, Vice President, Prime Minister and ruler of Dubai, specifically referred to religious and political communication as well as messages relating to charitable causes.

Workers are also not allowed to open unsolicited mail, spam or emails that contain viruses, or alter the date, time, source of destination information on an email.

For more details visit https://cis-india.org/news/arabian-business-september-1-2013-beatrice-thomas-gmail-ban-looms-for-indian-govt-workers