We are anonymous, we are legion

What the government's draft IT intermediary guidelines say

Admin — 2019-02-13T00:31:29Z

Intermediaries will have to hand over to government agencies any information within 72 hours. Intermediaries will have to use automated tools to trace the person posting unlawful content.

The article by Abhijit Ahaskar was published in Livemint on February 12, 2019. CIS research was quoted.

With voices for regulating tech companies getting stronger in the wake of growing incidence of fake news being circulated through social media platforms, the Ministry of Electronics and Information Technology (MEITY) of India has decided to re-examine the Information Technology (IT) Intermediary Guidelines, 2011, under the IT Act, 2000.

Setting the wheel in motion, the ministry proposed a draft called Information Technology Intermediaries Guidelines (Amendment), 2018, and released the recommendations on its website for public comments in December 2018. The first round of comments ended on 31 January, 2019 and was made public last week. The second round of comments and counter-comments will close on 14 February, 2019.

What the draft proposes

The term intermediary refers to all tech companies that are hosting user data or are providing users with a platform for communication. This brings all internet, social media, telecom companies in its ambit.

The draft amendment proposes that intermediaries will have to hand over to governmentagencies any information that might be related to cyber security, national security and related with the investigation, prosecution or prevention of an offence, within 72 hours.

They will have to take down or disable content considered defamatory or against national security under Article 19 (2) of the Constitution within 24 hours on being notified by the appropriate government or its agency in addition to using automated tools to identify, remove and trace the origin of such content. Intermediaries with over 55 lakh users will be required to have a permanent registered office with physical address and a senior official who would be available for coordination with law enforcement agencies.

Concerns over the draft guidelines

Microsoft notes that the problem MEITY is trying to address is of fake news. “Existing regulations provide enough powers to work with social media platforms. There may be a case to bring out additional guidelines for certain types of intermediaries like social media platforms. There may also be a case to strengthen other laws which make the punishment of fake news and misuse of social media stringent. The focus should be on the perpetrators of the crime rather than the intermediaries," it has said in response to the guidelines. Regarding deployment of tools to proactively identify and remove unlawful content, Microsoft cautions that intermediaries will have to monitor all content passing through their systems for this, which is a violation of their individual privacy and right to freedom of expression. It will also be technically impractical due to the high cost of deploying such tech.

According to Broadband India Forum, one of the grounds for the Supreme Court striking down Section 66A of the IT Act, 2000, in Shreya Singhal vs Union of India was the vagueness of the terms used in the provision, such as offensive, menacing and dangerous, which invaded the right of free speech. However, words with a similar level of vagueness, such as grossly harmful, harassing and hateful exist in the proposed draft.

The Centre for Internet and Society (CIS) pointed out that existing laws provide enough teeth to the Indian agencies to act. For instance, Section 505 of the IPC has provisions to penalise disinformation while Sections 290 and 153A of the IPC have provisions if the disinformation is being used to create communal strife. CIS has also flagged the scope of the term unlawful as it is not clearly defined, leaving room for broad interpretation. On the traceability clause, CIS draws attention to the lack of clarity on whether it applies on just social media platforms and messaging services or all intermediaries.

This can be a bit of problem for ISPs which may have no access to contents of an encrypted communication sent and received on its network.

Threat to privacy

The traceability clause, which requires intermediaries to use automated tools to trace the person posting unlawful content, came in for a lot of criticism. While the Ministry in an official tweet in January 2018 clarified that it only requires intermediaries to trace the origin of messages which lead to unlawful activities without breaking encryption, experts believe it isn’t possible without lowering encryption standards or building a backdoor to access encrypted communications.

Amnesty International slammed the clause, arguing, “While governments can legitimately use electronic surveillance to protect people from crime, forcing companies to weaken encryption will affect all users’ online privacy. Such measures would be inherently disproportionate, and therefore impermissible under international human rights law."

Wipro in its response rues such a traceability requirement could lead to breaking of encryption on apps such as WhatsApp and Signal, and this will be a major threat to the privacy rights of citizens as enshrined in the Puttaswamy judgment of the Supreme Court.

Undue burden on small companies

Commenting on the 72 hours timeline for furnishing user data, the Internet Freedom Foundation says that such short deadline for compliance can only be fulfilled by large social media platforms. This might make smaller companies over compliant to government demands for immunity resulting in a total disregard for user privacy.

Regarding taking down of unlawful content, technology policy researchers form National Institute of Public Finance & Policy (NIPFP) caution that overzealous implementation along with over reliance on technological tools for the detection of unlawful content would lead to the curtailment of online speech. They pointed out the instance where Facebook had removed posts documenting the ethnic cleansing of Rohingyas as it had classified Rohingya organisations as dangerous militant groups.

For more details visit https://cis-india.org/internet-governance/news/livemint-abhijit-ahaskar-february-12-2019-what-the-governments-draft-it-intermediary-guidelines-say

Intermediary liability law needs updating

sunil — 2019-02-13T00:05:30Z

The time has come for India to exert its foreign policy muscle. There is a less charitable name for intermediary liability regimes like Sec 79 of the IT Act — private censorship regimes.

The article was published in Business Standard on February 9, 2019.

Intermediaries get immunity from liability emerging from user-generated and third-party content because they have no “actual knowledge” until it is brought to their notice using “take down” requests or orders.

Since some of the harm caused is immediate, irreparable and irreversible, it is the preferred alternative to approaching courts for each case. When intermediary liability regimes were first enacted, most intermediaries were acting as common carriers — ie they did not curate the experience of users in a substantial fashion. While some intermediaries like Wikipedia continue this common carrier tradition, others driven by advertising revenue no longer treat all parties and all pieces of content neutrally. Facebook, Google and Twitter do everything they can to raise advertising revenues. They make you depressed. And if they like you, they get you to go out and vote. There is an urgent need to update intermediary liability law.

In response to being summoned by multiple governments, Facebook has announced the establishment of an independent oversight board. A global free speech court for the world’s biggest online country. The time has come for India to exert its foreign policy muscle. The amendments to our intermediary liability regime can have global repercussions, and shape the structure and functioning of this and other global courts.

While with one hand Facebook dealt the oversight board, with the other hand it took down APIs that would enable press and civil society to monitor political advertising in real time. How could they do that with no legal consequences? The answer is simple — those APIs were provided on a voluntary basis. There was no law requiring them to do so.

There are two approaches that could be followed. One, as scholar of regulatory theory Amba Kak puts it, is to “disincentivise the black box”. Most transparency reports produced by intermediaries today are on a voluntary basis; there is no requirement for this under law. Our new law could require a extensive transparency with appropriate privacy safeguards for the government, affected parties and the general public in terms of revenues, content production and consumption, policy development, contracts, service-level agreements, enforcement, adjudication and appeal. User empowerment measures in the user interface and algorithm explainability could be required. The key word in this approach is transparency.

The alternative is to incentivise the black box. Here faith is placed in technological solutions like artificial intelligence. To be fair, technological solutions may be desirable for battling child pornography, where pre-censorship (or deletion before content is published) is required. Fingerprinting technology is used to determine if the content exists in a global database maintained by organisations like the Internet Watch Foundation. A similar technology called Content ID is used pre-censor copyright infringement. Unfortunately, this is done by ignoring the flexibilities that exist in Indian copyright law to promote education, protect access knowledge by the disabled, etc. Even within such narrow application of technologies, there have been false positives. Recently, a video of a blogger testing his microphone was identified as a pre-existing copyrighted work.

The goal of a policy-maker working on this amendment should be to prevent repeats of the Shreya Singhal judgment where sections of the IT Act were read down or struck down. To avoid similar constitution challenges in the future, the rules should not specify any new categories of illegal content, because that would be outside the scope of the parent clause. The fifth ground in the list is sufficient — “violates any law for the time being in force”. Additional grounds, such as “harms minors in anyway”, is vague and cannot apply to all categories of intermediaries — for example, a dating site for sexual minorities. The rights of children need to be protected. But that is best done within the ongoing amendment to the POCSO Act.

As an engineer, I vote to eliminate redundancy. If there are specific offences that cannot fit in other parts of the law, those offences can be added as separate sections in the IT Act. For example, even though voyeurism is criminalised in the IT Act, the non-consensual distribution of intimate content could be criminalised, as it has been done in the Philippines.

Provisions that have to do with data retention and government access to that data for the purposes of national security, law enforcement and also anonymised datasets for the public interest should be in the upcoming Data Protection law. The rules for intermediary liability is not the correct place to deal with it, because data retention may also be required of those intermediaries that don’t handle any third-party information or user generated content. Finally, there have to be clear procedures in place for reinstatement of content that has been taken down.

Disclosure: The Centre for Internet and Society receives grants from Facebook, Google and Wikimedia Foundation

For more details visit https://cis-india.org/internet-governance/blog/business-standard-february-9-2019-sunil-abraham-intermediary-liability-law-needs-updating

CIS Comment on ICANN's Draft FY20 Operating Plan and Budget

akriti — 2019-02-12T23:44:46Z

At the Centre for Internet and Society, we are grateful for the opportunity to provide our comments on the proposed draft of ICANN’s FY20 Operating Plan and Budget along with their Five-Year Operating Plan Update. As part of the public comment process, ICANN provided a list of documents which can be found here that included their highlights of the budget, the total draft budget for FY20, an operating plan segregated by portfolios, amongst others.

The following are our comments on relevant aspects from the different documents:

There are several significant undertakings which have not found adequate support in this budget, chief among them being the implementation of the ICANN Workstream 2 recommendations on Accountability. The budget accounts for any expenses that arise from WS2 as emanating from its contingency fund which is a mere 4%. Totalling more than 100 recommendations across 8 sub groups, execution of these would require significant expenditure. Ideally, this should have been budgeted for in the FY20 budget considering the final report was submitted in June, 2018 and conversations about its implementation have been carried out ever since. It is wondered if this is because the second Workstream does not have the effectuation of its recommendations in its mandate and hence it is easier for ICANN to be slow on it.^[1] As a member of the community deeply interested in integrating human rights better in ICANN’s various processes, it is concerning to note the glacial pace of the approval of the aforementioned recommendations especially coupled with the lack of funds allocated to it. Further, there is 1 one person assigned to work on the WS2 implementation work which seems insufficient for the magnitude of work involved.^[2]

A topical issue with ICANN currently is its tussle with the implementation of the General Data Protection Regulation (GDPR) and despite the prominence and extent of the legal burden involved, resources to complying with it have not been allocated. Again, it is within the umbrella of the contingency budget.

The Cross Community Working Group on New gTLD Auction Proceeds is also, presently, developing recommendations on how to distribute the proceeds. It is unclear where these will be funded from since their work is funded by the core ICANN budget yet it is assumed that the recommendations will be funded by the auction proceeds. Almost 7 years after the new gTLD round was open, it is alarming that ICANN has not formulated a plan for the proceeds and are still debating the merits of the entity which would resolve this question, as recently as the last ICANN meeting in October, 2018.

Another important policy development process being undertaken right now is the Working Group who is reviewing the current new gTLD policies to improve the process by proposing changes or new policies. There are no resources in the FY20 budget to implement the changes that will arise from this but only those to support the Working Group activities.

Lastly, the budgets lack information on how much each individual RIR contributes.

Staff costs

ICANN’s internal costs on their personnel have been rising for years and slated to account for more than half their annual budget with an estimated 56% or $76.3 million in the next financial year. The community has been consistent in calling upon them to revise their staff costs with many questioning if the growth in staff is justified.^{^[3]} There was criticism from all quarters such as the GNSO Council who stated that it is “not convinced that the proposed budget funds the policy work it needs to do over the coming year”.^{^[4]} The excessive use of professional service consultants has come under fire too.

As pointed out in a mailing list, in comments on the FY19 budget, every single constituency and stakeholder group remarked that personnel costs presented too high a burden on the budget. One of the suggestions presented by the NCSG was to relocate positions from from the LA headquarters to less expensive countries such as those in Asia. This can be seen from the high increase this budget of $200,000 in operational costs though no clear breakdown of that entails was given.

The view seems to be that ICANN repeatedly chooses to retain higher salaries while reducing funding for the community. This is even more of an issue since there employment remuneration scheme is opaque. In a DIDP I filed enquiring about the average salary across designations, gender, regions and the frequency of bonuses, the response was either to refer to their earlier documents which do not have concrete information or that the relevant documents were not in their possession.^{^[5]}

ICANN Fellowship

The budget of the fellowship has been reduced which is an important initiative to involve individuals in ICANN who cannot afford the cost of flying to the global ICANN meetings. The focus should be not only be on arriving at a suitable figure for the funding but also to ensure that people who either actively contribute or are likely to are supported as opposed to individuals who are already known in this circle.

Again, our attempts at understanding the Fellowship selection were met with resistance from ICANN. In a DIDP filed regarding it with questions such as if anyone had received it more than the maximum limit of thrice and details on the selection criteria, no clarity was provided.^{^[6]}

Lobbying and Sponsorship

At ICANN 63 in Barcelona, I enquired about ICANN’s sponsorship strategies and how the decision making is done with respect to which all events in each region to sponsor and for a comprehensive list of all sponsorship ICANN undertakes and receives. I was told such a document would be published soon but in the 4 months since then, none can be found. It is difficult to comment on the budget for such a team where there is not much information on the work it specifically carries out and the impact of such sponsoring activities. When questioned to someone on their team, I was told that it depends on the needs of each region and events that are significant in such regions. However without public accountability and transparency about these, sponsorship can be seen as a vague heading which could be better spent on community initiatives.

Talking of Transparency, it has also been pointed out that the Information Transparency Initiative has 3 million dollars set aside for its activities in this budget. It sounds positive yet with no deliverables to show in the past 2 years, it is difficult to ascertain the value of the investment in this initiative.

Lobbying activities do not find any mention in the budget and neither do the nature of sponsorship from other entities in terms of whether it is travel and accommodation of personnel or any other kind of institutional sponsorship.

^{^[1]} https://cis-india.org/internet-governance/blog/icann-work-stream-2-recommendations-on-accountability

^{^[2]} https://www.icann.org/en/system/files/files/proposed-opplan-fy20-17dec18-en.pdf

^{^[3]} http://domainincite.com/22680-community-calls-on-icann-to-cut-staff-spending

^{^[4]} Ibid

^{^[5]}https://cis-india.org/internet-governance/blog/didp-request-30-enquiry-about-the-employee-pay-structure-at-icann

^{^[6]} https://cis-india.org/internet-governance/blog/didp-31-on-icanns-fellowship-program

For more details visit https://cis-india.org/internet-governance/blog/akriti-bopanna-february-8-2019-comment-on-icann-draft-fy-20-operating-plan-and-budget

The Future of Work in the Automotive Sector in India

Harsh Bajpai, Ambika Tandon, and Amber Sinha — 2020-03-18T09:00:31Z

This report empirically studies the future of work in the automotive sector in India. The report has been authored by Harsh Bajpai, Ambika Tandon and Amber Sinha. Rakhi Sehgal and Aayush Rathi have edited the report.

Introduction

The adoption of information and communication based technology (ICTs) for industrial use is not a new phenomenon. However, the advent of Industry 4.0 hasbeen described as a paradigm shift in production, involving widespread automation and irreversible shifts in the structure of jobs. Industry 4.0 is widely understood as the technical integration of cyber-physical systems into production and logistics, and the use of Internet of Things (IoTs) in processes and systems. This may pose major challenges for industries, workers, and policymakers as they grapple with shifts in the structure of employment and content of jobs, bring about significant changes in business models, downstream services and the organisation of work.

The adoption of information and communication based technology (ICTs) for industrial use is not a new phenomenon. However, the advent of Industry 4.0 hasbeen described as a paradigm shift in production, involving widespread automation and irreversible shifts in the structure of jobs. Industry 4.0 is widelyunderstood as the technical integration of cyber-physical systems into production and logistics, and the use of Internet of Things (IoTs) in processes and systems.This may pose major challenges for industries, workers, and policymakers as they grapple with shifts in the structure of employment and content of jobs, bringabout significant changes in business models, downstream services and the organisation of work.

Industry 4.0 is characterised by four elements. First, the use of intelligent machines could have significant impact on production through the introduction of automated processes in ‘smart factories.’ Second, real-time production would begin optimising utilisation capacity, with shorter lead times and avoidance of standstills. Third, the self-organisation of machines can lead to decentralisation of production. Finally, Industry 4.0 is commonly characterised by the individualisation of production, responding to customer requests. The advancement of digital technology and consequent increase in automation has raised concerns about unemployment and changes in the structure of work. Globally, automation in manufacturing and services has been posited as replacing jobs with routine task content, while generating jobs with non-routine cognitive and manual tasks.

Some scholars have argued that unemployment will increase globally as technology eliminates tens of million of jobs in the manufacturing sector. It could then result in the lowering of wages and employment opportunities for low skilled workers, and increased investment in capital-intensive technologies for employer.

However, this theory of technologically driven job loss and increasing inequality has been contested on numerous occasions, with the assertion that technology will be an enabler, will change task content rather than displace workers, and will also create new jobs . It has further been argued that other factors such as increasing globalisation, weakening trade unions and platforms for collective bargaining, and disaggregation of the supply chain through outsourcing has led to declined wages, income inequality, inadequate health and safety conditions, and displacement of workers.

In India, there is little evidence of unemployment caused by adoption of technology due to Industry 4.0, but there is a strong consensus that technology affects labour by changing the job mix and skill demand. It should be noted that technological adoption under Industry 4.0 in advanced industrial economies has been driven by cost-benefit analysis due to accessible technology, and a highly skilled labour force. However, these key factors are serious impediments in the Indian context, which brings the large scale adoption of cyber-physical systems into question.

The diffusion of low cost manual labour across a large majority of roles in manufacturing raises concerns about the cost-benefit analysis of investing capital inexpensive automative technology, while also accounting for the resultant displacement of labour. Further, the skill gap across the labour force implies that the adoption of cyber-physical systems would require significant up-skilling or re-skilling to meet the potential shortage in highly skilled professionals.

This is an in-depth case study on the future of work in the automotive sector in India. We chose to focus on the future of work in the automotive sector in India for two reasons: first, the Indian automotive sector is one of largest contributors to the GDP at 7.2 percent, and second, it is one of the largest employment generators among non-agricultural industries. The first section details the structure of the automotive industry in India, including the range of stakeholders, and the national policy framework, through an analysis of academic literature, government reports, and legal documents.

The second section explores different aspects of the future of work in the automotive sector, through a combination of in-depth semi-structured interviews and enterprise-based surveys in the North Indian belt of Gurgaon-Manesar-Dharuhera-Bawal. Challenges posed by shifts in the industrial relations framework, with increasing casualization and emergence of a typical forms of work, will also be explored, with specific reference to crises in collective bargaining and social security. We will then move onto looking at the state of female participation in the workforce in the automotive industry. The report concludes with policy recommendations addressing some of the challenges outlined above.

Read the full report here.

For more details visit https://cis-india.org/internet-governance/blog/harsh-bajpai-ambika-tandon-and-amber-sinha-february-8-2019-the-future-of-work-in-automotive-sector-in-india

Internet Speech: Perspectives on Regulation and Policy

akriti — 2019-04-01T16:38:54Z

The Centre for Internet & Society and the University of Munich (LMU), Germany are jointly organizing an international symposium at India Habitat Centre in New Delhi on April 5, 2019

Click to download the agenda

For more details visit https://cis-india.org/internet-governance/events/internet-speech-perspectives-on-regulation-and-policy

Response to the Draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018

Gurshabad Grover, Elonnai Hickok, Arindrajit Basu, Akriti — 2019-02-07T08:06:41Z

In this response, we aim to examine whether the draft rules meet tests of constitutionality and whether they are consistent with the parent Act. We also examine potential harms that may arise from the Rules as they are currently framed and make recommendations to the draft rules that we hope will help the Government meet its objectives while remaining situated within the constitutional ambit.

This document presents the Centre for Internet & Society (CIS) response to the Ministry of Electronics and Information Technology’s invitation to comment and suggest changes to the draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 (hereinafter referred to as the “draft rules”) published on December 24, 2018. CIS is grateful for the opportunity to put forth its views and comments. This response was sent on the January 31, 2019.

In this response, we aim to examine whether the draft rules meet tests of constitutionality and whether they are consistent with the parent Act. We also examine potential harms that may arise from the Rules as they are currently framed and make recommendations to the draft rules that we hope will help the Government meet its objectives while remaining situated within the constitutional ambit.

The response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/response-to-the-draft-of-the-information-technology-intermediary-guidelines-amendment-rules-2018

CIS Submission to UN High Level Panel on Digital Cooperation

Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok — 2019-02-07T07:26:22Z

The UN high-level panel on Digital Cooperation issued a call for inputs that called for responses to various questions. CIS responded to the call for inputs.

The high-level panel on Digital Cooperation was convened by the UN Secretary-General to advance proposals to strengthen cooperation in the digital space among Governments, the private sector, civil society, international organizations, academia, the technical community and other relevant stakeholders. The Panel issued a call for input that called for responses to various questions. CIS responded to the call for inputs.

The response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-un-high-level-panel-on-digital-cooperation

MediaNama roundtables on intermediary liability rules

Admin — 2019-02-17T15:59:33Z

MediaNama hosted one policy round-table on Intermediary Liability protections in Bangalore and another round-table in New Delhi, to discuss inputs sought by MEITY on the amendments to Safe Harbor for platforms (payments services, content services, ISPs, etc.) in India. Centre for Internet & Society is a community partner for the event.

One round-table was held at St. Mark's Hotel in Bangalore on January 25, 2019 and the next one will be held at India Habitat Centre in New Delhi on February 7, 2019. Gurshabad Grover participated in the meeting held on January 25, 2019. Participants discussed the draft amendments to the intermediary liability rules (under Section 79 of the IT Act) and recommendations stakeholders could respond with. For more info click here.

MediaNama has posted some pieces after the discussion that may be of interest:

No clarity on what constitutes offenses for intermediaries (by Alok Prasanna Kumar)
Should different sizes or categories of intermediaries be regulated differently? (by Nikhil Pahwa)
The Intent of Traceability is behavioral change (by Nikhil Pahwa)

For more details visit https://cis-india.org/a2k/news/medianama-roundtables-on-intermediary-liability-rules

DSCI's Bangalore chapter meet

Admin — 2019-02-02T01:47:51Z

On January 29, 2019, Karan Saini and Gurshabad Grover participated in the Bangalore chapter meet organized by Data Security Council of India in Bangalore.

For more details visit https://cis-india.org/internet-governance/news/dscis-bangalore-chapter-meet

Conmen seed fake phone numbers in Google to trap people looking for customer care details

Admin — 2019-02-01T15:22:27Z

Googling for anything might seem like a good idea, but searching for contacts of businesses and customer care numbers is landing people in the hands of conmen.

The article by Tushar Kaushik was published in Economic Times on January 30, 2019.

Many use Google or other search engines for specific contact numbers — the customer care numbers of a bank, for instance. The search results do not throw up bona fide numbers, but those of conmen waiting to lure a victim. The conmen, knowing what the caller is seeking, and on the pretext of helping, cunningly makes them part with information such as bank account, debit/credit card and even the OTP.

About 20-odd people have been duped in this manner in the past month in Bengaluru, according to the city’s cybercrime police. About 20-30 victims have fallen prey in Gurugram in the last one-and-a-half months. In Maharashtra and Hyderabad, the trend of fake numbers being seeded on Google Maps and being used to dupe people is being observed since October 2018. The frauds are helped by the fact that any user can edit contact information on Google Maps. The Maharashtra cyber police reportedly notified Google authorities regarding this.

Inspector and in-charge of cyber police station at Gurugram, Anand Kumar, said another variant of such cases was on the rise. People searching for contacts to help them return products they bought from e-commerce websites have been led to fake numbers. “In the past one-and-half months, about 20-30 such complaints have been received,” Kumar said.

Srinivas Kodali, a Hyderabad-based data security researcher, said similar incidents using fake numbers being uploaded on Google Maps had occurred in Hyderabad 2-3 months ago. He claimed Google had been informed of the incidents.

Illustrating another instance of the way Google searches are misused, dairy brand Amul issued a legal notice to Google, alleging that a series of fake B2B campaigns regarding Amul Parlours and Distributors have started through fake websites using Google search ads since September 2018.

Bengaluru-based app developer and co-founder of TBG Labs Harsha Halvi said it was fairly easy for any conman to seed his own number and masquerade as a contact number and make it appear in a Google search. He said all it takes is a very good understanding of search engine optimisation (SEO).

Gurshabad Grover, senior policy officer at The Centre for Internet and Society, Bengaluru, said, “The problem right now is Google is not making it clear whether something is verified information or is crowdsourced. On Google Maps, businesses can be claimed by legitimate owners. A suggestion is that Google verify the claimed entities,” Grover said. He added that people too should exercise vigilance while accessing information online.

Additional commissioner of police (crime) at Bengaluru Alok Kumar said Google could not be held responsible for such incidents as individuals seeded the fake numbers.

Reacting to the incidents, a spokesperson from Google India said, “Overall, allowing users to suggest edits provides comprehensive and up-to-date info, but we recognise there may be occasional inaccuracies or bad edits suggested by users.” The spokesperson said when such issues are reported to Google, the claims are investigated and action is taken in line with the findings.

For more details visit https://cis-india.org/internet-governance/news/economic-times-tushar-kaushik-january-30-2019-conmen-seed-fake-phone-numbers-in-google-to-trap-people-looking-for-customer-care-details

India’s largest bank SBI leaked account data on millions of customers

Admin — 2019-02-01T15:13:15Z

India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.

The blog post by Zack Whittaker was published Tech Crunch on January 30, 2019. Karan Saini was quoted.

The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system used to request basic information about their bank accounts by customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500.

But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information.

It’s not known for how long the server was open, but long enough for it to be discovered by a security researcher, who told TechCrunch of the leak, but did not want to be named for the story.

SBI Quick allows SBI’s banking customers to text the bank, or make a missed call, to retrieve information back by text message about their finances and accounts. It’s ideal for millions of the banking giant’s customers who don’t use smartphones or have limited data service. By using predefined keywords, like “BAL” for a customer’s current balance, the service recognizes the customer’s registered phone number and will send back the current amount in that customer’s bank account. The system can also be used to send back the last five transactions, block an ATM card and make inquiries about home or car loans.

It was the back-end text message system that was exposed, TechCrunch can confirm, storing millions of text messages each day.

A redacted example of some of the banking and credit information found in the database (Image: TechCrunch)

The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number. Some would say when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking.

The bank sent out close to three million text messages on Monday alone.

The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.

We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message he received back.

“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ridesharing app.

Saini said that knowing a phone number “could be used to aid social engineering attacks — which is one of the most common attack vectors in the country with regard to financial fraud,” he said.

SBI claims more than 500 million customers across the glob,e with 740 million accounts.

Just days earlier, SBI accused Aadhaar’s authority, UIDAI, of mishandling citizen data that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was “no security breach” of its system. (UIDAI often uses the term “fake news” to describe coverage it doesn’t like.)

TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector. The database was secured overnight.

Despite several emails, SBI did not comment prior to publication.

For more details visit https://cis-india.org/internet-governance/news/tech-crunch-zak-whittaker-january-30-2019-indias-largest-bank-sbi-leaked-account-data-on-millions-of-customers

Amazon and Walmart are about to take a big hit in India

Admin — 2019-02-01T15:03:56Z

India is the world’s biggest emerging digital economy, and Silicon Valley’s top companies have invested huge sums to cash in on it. Now new regulations are threatening their business.

The blog post was published in Q13 Fox on January 31, 2019. Gurshabad Grover was quoted.

E-commerce restrictions due to go into effect Friday will prevent global retailers such as Amazon and Walmart from using their deep pockets and massive scale to drive down prices in India.

And proposed legal changes would require social media companies like Facebook and Twitter to monitor and take down content at the request of Indian authorities, which critics say could be misused for censorship.

The new rules highlight the risk global tech giants are running in a country they see as their next growth frontier.

Amazon and Walmart push back

The new e-commerce rules, announced in late December, look to curb practices like steep discounts that have helped Amazon dominate the US market and already make huge inroads in India.

The rules state that foreign online retailers can no longer strike deals with companies to offer products that are not available elsewhere. They also prevent these platforms from selling products distributed by companies they have invested in.

That would strike at the heart of Amazon’s business in India — the US company has snapped up stakes in several local suppliers.

Amazon and India’s biggest online retailer, Walmart-owned Flipkart, had been pushing India to delay the introduction of the new rules, but the government said in a statement Thursday that it had decided “after due consideration” not to do so.

Amazon had written to the Indian government asking for a four-month extension to comply with the new rules, a company spokesperson said.

“With over [400,000] sellers and hundreds of thousands of transactions happening daily on the Amazon India Marketplace we need adequate time to understand the details of the policy,” the spokesperson added.

Flipkart had asked the government for a six-month extension, a person familiar with the matter told CNN.

The company reportedly warned of “significant customer disruption” if the new policy is implemented this week. Flipkart CEO Kalyan Krishnamurthy said in a letter to the Indian government that the new rules could “have undesirable impacts on the continued growth of e-commerce in India,” according to Reuters.

The rules will affect the Bangalore-based company’s sales of products like smartphones, many of which it offers exclusively to its customers.

Flipkart declined to comment.

The changes follow intensive lobbying by India’s small businesses against Amazon and Walmart’s outsized influence in the country. (Together they have more than 70% of the Indian online shopping market.) The Confederation of All India Traders, which says it represents more than 70 million local retailers, warned the government against granting an extension.

“If any deferment or extension is given, the small traders both offline and online will be compelled to resort to a national campaign against any such move … which may also have political repercussions,” the group said in a statement earlier this week, a thinly-veiled warning to the government in an election year.

The trade body expressed “deep satisfaction” at the government’s decision not to extend the deadline.

India’s WhatsApp problem

India’s effort to further regulate its internet isn’t restricted to retail.

In late December, two days before the e-commerce restrictions were unveiled, India’s technology ministry published a host of proposed changes to laws governing online content.

The changes state that “intermediaries” including internet providers and platforms like Facebook and Twitter must remove “unlawful” material within 24 hours at the request of Indian authorities. That covers content that goes against India’s sovereignty, national security or foreign relations as well as “public order, decency or morality,” the new rules state.

Experts say the broad phrasing leaves the rules open to misuse and could be used to suppress free speech. It could also lead to self censorship by tech companies to avoid government scrutiny.

“It can lead to en masse takedown of content,” said Gurshabad Grover, a policy officer at the Bangalore-based Centre for Internet and Society, a think tank. “Intermediaries are often happy to take down perfectly legal content just to avoid liability.”

Twitter said in a statement that it would continue to lobby the Indian government on the proposed regulations before they are passed into law.

“Our hope is that after this robust public consultation process any changes to the [rules] in India strike a careful balance that protects important values such as freedom of expression,” a Twitter spokesperson told CNN Business.

Google and Facebook declined to comment.

The Asia Internet Coalition, an industry group that counts all three companies as its members, also urged the Indian government to reconsider the rule changes.

“In addition to interfering with the fundamental rights of freedom of speech and expression, and right to privacy as guaranteed under the constitution, the [proposed regulations] impose burdensome obligations on the intermediaries,” the group said in a letter to India’s technology ministry.

The regulations appear to be driven by India’s growing battle with fake news and misinformation, with viral rumors on Facebook’s mobile messaging service WhatsApp blamed for more than a dozen lynchings last year.

The Indian government specifically called out the mob violence in its statement announcing the regulations, citing the “misuse of social media by criminals and anti-national elements” as a key factor.

The rules also state that platforms must enable the tracing of individual posts and messages at the government’s request, a requirement that WhatsApp has previously rejected as a non-starter.

India is WhatsApp’s biggest market, with more than 200 million users.

Why India matters

India has opened itself up to foreign investment in recent years, particularly in its fast-growing tech and retail industries, and companies from around the world have rushed in.

India’s internet is a particularly tempting prize. About 500 million people are already online, with nearly 900 million more yet to be connected.

Amazon has pledged at least $5 billion dollars to growing its business in the country, while Walmart spent $16 billion to buy Flipkart last year.

Facebook and Google have also identified India as their next big market, rolling out several features and services in the country before taking it to the rest of the world.

But the changing legal environment presents a huge challenge, and Big Tech is battling to keep the promise alive.

“An uncertain, constantly changing regulatory environment is not good for any business,” Mishi Choudhary, legal director at the New York-based advocacy group Software Freedom Law Center, told CNN.

“India must decide where it sees itself in the global landscape,” Choudhary added. “It can either be a democracy that will let the best company win and provide an open, free and secure internet to its citizens or turn the way our neighbors across the Himalayas [China] have. It can’t have it both ways.”

For more details visit https://cis-india.org/internet-governance/news/q-13-fox-january-31-2019-amazon-and-walmart-are-about-to-take-a-big-hit-in-india

January 2019 Newsletter

praskrishna — 2019-03-03T16:34:21Z

The Centre for Internet & Society (CIS) welcomes you to the first issue of its e-Newsletter for 2019.

The CIS newsletter aims to highlight developments in copyright and patent, free speech and expression, privacy, cyber security, telecom, etc. as well as Industry 4.0, big data, additive manufacturing and so on which are revolutionizing and moving the digital world forward. Through this newsletter we look to engage you with our research and build a strong bond by bringing you insightful articles and blog posts which will be beneficial for you and your business. Throughout the year we will send you stories and insights from our board, staff and community leaders. We welcome your feedback, suggestions or comments regarding our newsletter or any other aspect of our research.

Welcome to r@w blog!

CIS researchers@work programme (RAW) is delighted to announce the launch of its new blog hosted on Medium. The RAW blog will feature works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media, and society. The blog will also feature highlights and materials from ongoing research and events at the researchers@work programme.

Highlights for January 2019

Ambika Tandon and Aayush Rathi have produced a research paper that contextualises the narrative around Industry 4.0 and the future of work with reference to the female labour force in India.
Gurshabad Grover, Nikhil Srinath and Aayush Rathi (with inputs from Anubha Sinha and Sai Shakti) presented a response to the Telecom Regulatory Authority of India’s Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services. CIS appreciates the continual efforts of TRAI to have consultations on the regulatory framework that should be applicable to OTT services and Telecom Service Providers (TSPs).
Pranesh Prakash, Karan Saini and Elonnai Hickok authored a policy brief that recommends several changes pertaining to current legislation, policy and practice to the Government of India regarding coordinated vulnerability disclosure (“CVD”) for improving the overarching information and cyber security posture of the country.
The Global Commission on the Stability of Cyberspace, a multi-stakeholder initiative comprised of eminent individuals across the globe opened a public comment procedure to solicit comments and obtain additional feedback. Arindrajit Basu, Gurshabad Grover and Elonnai Hickok responded to the public call-offering comments on all six norms and proposing two further norms.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

How to make EVMs hack-proof, and elections more trustworthy (Pranesh Prakash; Times of India; December 9, 2018).
Registering for Aadhaar in 2019 (Sunil Abraham; Business Standard; January 2, 2019).
The DNA Bill has a sequence of problems that need to be resolved (Shweta Mohandas and Elonnai Hickok; Newslaundry; January 15, 2019).
India should reconsider its proposed regulation of online content (Gurshabad Grover; Hindustan Times; January 24, 2019). Akriti Bopanna and Aayush Rathi provided feedback for the article.
India’s proposed new internet bill is as repressive as the worst of Chinese laws (Nishant Shah; Indian Express; January 27, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Creeped out by Netflix's 'You'? Here's how you can avoid online stalkers, data thieves (Sanyukta Dharmadhikari; The News Minute; January 10, 2019).
Civic activism over WhatsApp and stories of and from cab drivers are part of a new narrative in Bengaluru (Sowmya Rajaram; Bangalore Mirror; January 13, 2019).
They know where you are (Tini Sara Anien; Deccan Herald; January 17, 2019).
Oyo Hotels’ Real-Time Digital Record Database Sparks Privacy Fears (Nishant Sharma; Bloomberg Quint; January 16, 2019).
Is the viral #10YearChallenge just another sneaky way for tech firms to gather users’ personal data? (Devarsi Ghosh; Scroll.in; January 18, 2019).
Google Gives Wikimedia Millions—Plus Machine Learning Tools (Wired; January 22, 2019).
New movies lose out due to piracy (Surupasree Sarmmah; Deccan Herald; January 23, 2019).
Submitted Your Biometrics for Aadhaar? Here’s How You Can Lock/Unlock That Data (Vidya Raja; Better India; January 24, 2019).
India’s largest bank SBI leaked account data on millions of customers (Zack Whittaker; Tech Crunch; January 30, 2019).
Open standards can disrupt Facebook’s messaging monopoly (Abhimanyu Ghoshal; The Next Web; January 30, 2019).
Conmen seed fake phone numbers in Google to trap people looking for customer care details (Tushar Kaushik; Economic Times; January 30, 2019).
Amazon and Walmart are about to take a big hit in India (Q13 Fox; January 31, 2019).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Cyber Security

Submission

Response to GCSC on Request for Consultation: Norm Package Singapore (Gurshabad Grover, Arindrajit Basu and Elonnai Hickok; January 22, 2019).

Policy Brief

Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India (Pranesh Prakash; Karan Saini and Elonnai Hickok; January 23, 2019).

Privacy

Submission

CIS Submission to UN High Level Panel on Digital Co-operation (Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok; January 30, 2019).

Gender

Research Paper

A Gendered Future of Work (Ambika Tandon and Aayush Rathi; December 19, 2018).

Event Organized

RFCs We Love meetup (Organized by CIS and India Internet Engineering Society; CIS, Bangalore; January 19, 2019).

Events Participated / Partnered In

Webinar on the draft Intermediary Guidelines Amendment Rules (Organized by CCAOI and the ISOC Delhi Chapter; New Delhi; January 10, 2019). Gurshabad Grover was a discussant in the panel.
MediaNama roundtables on intermediary liability rules (St. Marks Hotel, Bangalore; January 25, 2019). CIS was a community partner. Gurshabad Grover participated in the meeting.
DSCI's Bangalore chapter meet (Organized by Data Security Council of India; Bangalore; January 29, 2019). Karan Saini and Gurshabad Grover participated in the meet.

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions.

Submission

Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services (Gurshabad Grover, Nikhil Srinath and Aayush Rathi with inputs from Anubha Sinha and Sai Shakti; January 10, 2019).

Researchers at Work (RAW)

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Announcement

Internet Researchers' Conference 2019 (IRC19): #List, Jan 30 - Feb 1, Lamakaan (P.P. Sneha; January 9, 2019).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/january-19-newsletter

Open standards can disrupt Facebook’s messaging monopoly

Admin — 2019-02-02T01:59:37Z

Facebook made the news last week when The New York Times’ Mike Isaac reported that CEO Mark Zuckerberg intended to integrate the company’s three messaging platforms: WhatsApp, Messenger, and Instagram.

The blog post by Abhimanyu Ghoshal was published in The Next Web on January 30, 2019. Pranesh Prakash was quoted.

We don’t have all the details of exactly how this will work. The plan is still in its early stages, and there are plenty of moving parts – legal and technical – to take care of. What’s clear is this: with more than 2.6 billion users between the platforms, this is set to impact a lot of people if it goes through – and potentially many hundreds of millions more in the following years.

While the specifics of the move are yet to be revealed, a move like this could help Facebook create more detailed profiles of its users. Even if the company encrypts communications end-to-end as it seemed to imply in its responses to NYT, it could still leverage communications metadata to target ads more accurately than you might think.

Here’s an example: without looking at your messages (because they’re encrypted), Facebook could gather data on who you chat with most often and for how long, later correlating that with the recipients’ interests from Instagram. It could then show you ads for gifts that contact may like, right around the time their birthday comes up.

Integrating these platforms could also bolster Facebook’s efforts to keep users tied into its ecosystem. That’s problematic, when you consider the larger your network of contacts is on the company’s services, the harder it is for you to leave them and use an alternative you’re more comfortable with.

Is there a way out? Pranesh Prakash – a Fellow at the Center for Internet and Society, as well as a Fellow at the New America think tank – believes that the answer lies not in breaking up Facebook over privacy laws, but in competition, and regulators at the government level should demand Facebook use open standards for its messaging platforms.

Prakash explained that standards like SMTP and IMAP, which are used for facilitating email exchanges, allow for interoperability between services run by different organizations. They also let users choose the client apps they prefer for accessing their inboxes.

Facebook’s messaging services, meanwhile, run on closed standards and don’t play nice with platforms created by third parties.

This results in people becoming trapped in Facebook’s ecosystem: even if you’re opposed to using the company’s products, you can’t realistically ditch them all because your friends and family are all using its platforms.

In case you’re worried about open-source protocols not being up to the task of serving massive networks like the ones Facebook operates, consider the fact that WhatsApp runs on FunXMPP, a customized version of the open XMPP set of standards that anyone can use for their own projects.

If Facebook is doing the difficult legwork of unifying the underlying technical infrastructure of its three apps, Prakash argues, it’d do well to make its new protocol public and open-source. That way, anyone should be able to use the company’s services to reach people just the same as when they choose to use a service created by a separate entity.

Prakash said that the only way diminishing Facebook’s power in this regard is to open up access to its network of users. In doing so, it will see people stick with the company’s services because they like using them, not because they can’t stay in touch with their contacts.

Questions surrounding Facebook’s monopolistic domination of the messaging space will inevitably crop up when the company implements Zuckerberg’s plan, and this sounds like a healthy way to tackle those issues.

Naturally, that seems like it’d hurt Facebook’s bottom line – but it’s important to start thinking about realistic measures to comply with antitrust law – or risk being booted from countries that don’t appreciate the way the company does business.

For more details visit https://cis-india.org/internet-governance/news/the-next-web-abhimanyu-ghoshal-january-30-2019-open-standards-can-disrupt-facebooks-messaging-monopoly

CIS Submission to UN High Level Panel on Digital Co-operation

Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok — 2019-02-19T01:41:35Z

The High-level Panel on Digital Cooperation was convened by the UN Secretary-General to advance proposals to strengthen cooperation in the digital space among Governments, the private sector, civil society, international organizations, academia, the technical community and other relevant stakeholders. The Panel issued a call for input that called for responses to various questions. CIS responded to the call for inputs.

Download the submission here

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-un-high-level-panel-on-digital-co-operation