We are anonymous, we are legion

Response to the Draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018

Gurshabad Grover, Elonnai Hickok, Arindrajit Basu, Akriti — 2019-02-07T08:06:41Z

In this response, we aim to examine whether the draft rules meet tests of constitutionality and whether they are consistent with the parent Act. We also examine potential harms that may arise from the Rules as they are currently framed and make recommendations to the draft rules that we hope will help the Government meet its objectives while remaining situated within the constitutional ambit.

This document presents the Centre for Internet & Society (CIS) response to the Ministry of Electronics and Information Technology’s invitation to comment and suggest changes to the draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 (hereinafter referred to as the “draft rules”) published on December 24, 2018. CIS is grateful for the opportunity to put forth its views and comments. This response was sent on the January 31, 2019.

In this response, we aim to examine whether the draft rules meet tests of constitutionality and whether they are consistent with the parent Act. We also examine potential harms that may arise from the Rules as they are currently framed and make recommendations to the draft rules that we hope will help the Government meet its objectives while remaining situated within the constitutional ambit.

The response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/response-to-the-draft-of-the-information-technology-intermediary-guidelines-amendment-rules-2018

CIS Submission to UN High Level Panel on Digital Cooperation

Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok — 2019-02-07T07:26:22Z

The UN high-level panel on Digital Cooperation issued a call for inputs that called for responses to various questions. CIS responded to the call for inputs.

The high-level panel on Digital Cooperation was convened by the UN Secretary-General to advance proposals to strengthen cooperation in the digital space among Governments, the private sector, civil society, international organizations, academia, the technical community and other relevant stakeholders. The Panel issued a call for input that called for responses to various questions. CIS responded to the call for inputs.

The response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-un-high-level-panel-on-digital-cooperation

MediaNama roundtables on intermediary liability rules

Admin — 2019-02-17T15:59:33Z

MediaNama hosted one policy round-table on Intermediary Liability protections in Bangalore and another round-table in New Delhi, to discuss inputs sought by MEITY on the amendments to Safe Harbor for platforms (payments services, content services, ISPs, etc.) in India. Centre for Internet & Society is a community partner for the event.

One round-table was held at St. Mark's Hotel in Bangalore on January 25, 2019 and the next one will be held at India Habitat Centre in New Delhi on February 7, 2019. Gurshabad Grover participated in the meeting held on January 25, 2019. Participants discussed the draft amendments to the intermediary liability rules (under Section 79 of the IT Act) and recommendations stakeholders could respond with. For more info click here.

MediaNama has posted some pieces after the discussion that may be of interest:

No clarity on what constitutes offenses for intermediaries (by Alok Prasanna Kumar)
Should different sizes or categories of intermediaries be regulated differently? (by Nikhil Pahwa)
The Intent of Traceability is behavioral change (by Nikhil Pahwa)

For more details visit https://cis-india.org/a2k/news/medianama-roundtables-on-intermediary-liability-rules

DSCI's Bangalore chapter meet

Admin — 2019-02-02T01:47:51Z

On January 29, 2019, Karan Saini and Gurshabad Grover participated in the Bangalore chapter meet organized by Data Security Council of India in Bangalore.

For more details visit https://cis-india.org/internet-governance/news/dscis-bangalore-chapter-meet

Conmen seed fake phone numbers in Google to trap people looking for customer care details

Admin — 2019-02-01T15:22:27Z

Googling for anything might seem like a good idea, but searching for contacts of businesses and customer care numbers is landing people in the hands of conmen.

The article by Tushar Kaushik was published in Economic Times on January 30, 2019.

Many use Google or other search engines for specific contact numbers — the customer care numbers of a bank, for instance. The search results do not throw up bona fide numbers, but those of conmen waiting to lure a victim. The conmen, knowing what the caller is seeking, and on the pretext of helping, cunningly makes them part with information such as bank account, debit/credit card and even the OTP.

About 20-odd people have been duped in this manner in the past month in Bengaluru, according to the city’s cybercrime police. About 20-30 victims have fallen prey in Gurugram in the last one-and-a-half months. In Maharashtra and Hyderabad, the trend of fake numbers being seeded on Google Maps and being used to dupe people is being observed since October 2018. The frauds are helped by the fact that any user can edit contact information on Google Maps. The Maharashtra cyber police reportedly notified Google authorities regarding this.

Inspector and in-charge of cyber police station at Gurugram, Anand Kumar, said another variant of such cases was on the rise. People searching for contacts to help them return products they bought from e-commerce websites have been led to fake numbers. “In the past one-and-half months, about 20-30 such complaints have been received,” Kumar said.

Srinivas Kodali, a Hyderabad-based data security researcher, said similar incidents using fake numbers being uploaded on Google Maps had occurred in Hyderabad 2-3 months ago. He claimed Google had been informed of the incidents.

Illustrating another instance of the way Google searches are misused, dairy brand Amul issued a legal notice to Google, alleging that a series of fake B2B campaigns regarding Amul Parlours and Distributors have started through fake websites using Google search ads since September 2018.

Bengaluru-based app developer and co-founder of TBG Labs Harsha Halvi said it was fairly easy for any conman to seed his own number and masquerade as a contact number and make it appear in a Google search. He said all it takes is a very good understanding of search engine optimisation (SEO).

Gurshabad Grover, senior policy officer at The Centre for Internet and Society, Bengaluru, said, “The problem right now is Google is not making it clear whether something is verified information or is crowdsourced. On Google Maps, businesses can be claimed by legitimate owners. A suggestion is that Google verify the claimed entities,” Grover said. He added that people too should exercise vigilance while accessing information online.

Additional commissioner of police (crime) at Bengaluru Alok Kumar said Google could not be held responsible for such incidents as individuals seeded the fake numbers.

Reacting to the incidents, a spokesperson from Google India said, “Overall, allowing users to suggest edits provides comprehensive and up-to-date info, but we recognise there may be occasional inaccuracies or bad edits suggested by users.” The spokesperson said when such issues are reported to Google, the claims are investigated and action is taken in line with the findings.

For more details visit https://cis-india.org/internet-governance/news/economic-times-tushar-kaushik-january-30-2019-conmen-seed-fake-phone-numbers-in-google-to-trap-people-looking-for-customer-care-details

India’s largest bank SBI leaked account data on millions of customers

Admin — 2019-02-01T15:13:15Z

India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.

The blog post by Zack Whittaker was published Tech Crunch on January 30, 2019. Karan Saini was quoted.

The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system used to request basic information about their bank accounts by customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500.

But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information.

It’s not known for how long the server was open, but long enough for it to be discovered by a security researcher, who told TechCrunch of the leak, but did not want to be named for the story.

SBI Quick allows SBI’s banking customers to text the bank, or make a missed call, to retrieve information back by text message about their finances and accounts. It’s ideal for millions of the banking giant’s customers who don’t use smartphones or have limited data service. By using predefined keywords, like “BAL” for a customer’s current balance, the service recognizes the customer’s registered phone number and will send back the current amount in that customer’s bank account. The system can also be used to send back the last five transactions, block an ATM card and make inquiries about home or car loans.

It was the back-end text message system that was exposed, TechCrunch can confirm, storing millions of text messages each day.

A redacted example of some of the banking and credit information found in the database (Image: TechCrunch)

The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number. Some would say when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking.

The bank sent out close to three million text messages on Monday alone.

The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.

We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message he received back.

“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ridesharing app.

Saini said that knowing a phone number “could be used to aid social engineering attacks — which is one of the most common attack vectors in the country with regard to financial fraud,” he said.

SBI claims more than 500 million customers across the glob,e with 740 million accounts.

Just days earlier, SBI accused Aadhaar’s authority, UIDAI, of mishandling citizen data that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was “no security breach” of its system. (UIDAI often uses the term “fake news” to describe coverage it doesn’t like.)

TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector. The database was secured overnight.

Despite several emails, SBI did not comment prior to publication.

For more details visit https://cis-india.org/internet-governance/news/tech-crunch-zak-whittaker-january-30-2019-indias-largest-bank-sbi-leaked-account-data-on-millions-of-customers

Amazon and Walmart are about to take a big hit in India

Admin — 2019-02-01T15:03:56Z

India is the world’s biggest emerging digital economy, and Silicon Valley’s top companies have invested huge sums to cash in on it. Now new regulations are threatening their business.

The blog post was published in Q13 Fox on January 31, 2019. Gurshabad Grover was quoted.

E-commerce restrictions due to go into effect Friday will prevent global retailers such as Amazon and Walmart from using their deep pockets and massive scale to drive down prices in India.

And proposed legal changes would require social media companies like Facebook and Twitter to monitor and take down content at the request of Indian authorities, which critics say could be misused for censorship.

The new rules highlight the risk global tech giants are running in a country they see as their next growth frontier.

Amazon and Walmart push back

The new e-commerce rules, announced in late December, look to curb practices like steep discounts that have helped Amazon dominate the US market and already make huge inroads in India.

The rules state that foreign online retailers can no longer strike deals with companies to offer products that are not available elsewhere. They also prevent these platforms from selling products distributed by companies they have invested in.

That would strike at the heart of Amazon’s business in India — the US company has snapped up stakes in several local suppliers.

Amazon and India’s biggest online retailer, Walmart-owned Flipkart, had been pushing India to delay the introduction of the new rules, but the government said in a statement Thursday that it had decided “after due consideration” not to do so.

Amazon had written to the Indian government asking for a four-month extension to comply with the new rules, a company spokesperson said.

“With over [400,000] sellers and hundreds of thousands of transactions happening daily on the Amazon India Marketplace we need adequate time to understand the details of the policy,” the spokesperson added.

Flipkart had asked the government for a six-month extension, a person familiar with the matter told CNN.

The company reportedly warned of “significant customer disruption” if the new policy is implemented this week. Flipkart CEO Kalyan Krishnamurthy said in a letter to the Indian government that the new rules could “have undesirable impacts on the continued growth of e-commerce in India,” according to Reuters.

The rules will affect the Bangalore-based company’s sales of products like smartphones, many of which it offers exclusively to its customers.

Flipkart declined to comment.

The changes follow intensive lobbying by India’s small businesses against Amazon and Walmart’s outsized influence in the country. (Together they have more than 70% of the Indian online shopping market.) The Confederation of All India Traders, which says it represents more than 70 million local retailers, warned the government against granting an extension.

“If any deferment or extension is given, the small traders both offline and online will be compelled to resort to a national campaign against any such move … which may also have political repercussions,” the group said in a statement earlier this week, a thinly-veiled warning to the government in an election year.

The trade body expressed “deep satisfaction” at the government’s decision not to extend the deadline.

India’s WhatsApp problem

India’s effort to further regulate its internet isn’t restricted to retail.

In late December, two days before the e-commerce restrictions were unveiled, India’s technology ministry published a host of proposed changes to laws governing online content.

The changes state that “intermediaries” including internet providers and platforms like Facebook and Twitter must remove “unlawful” material within 24 hours at the request of Indian authorities. That covers content that goes against India’s sovereignty, national security or foreign relations as well as “public order, decency or morality,” the new rules state.

Experts say the broad phrasing leaves the rules open to misuse and could be used to suppress free speech. It could also lead to self censorship by tech companies to avoid government scrutiny.

“It can lead to en masse takedown of content,” said Gurshabad Grover, a policy officer at the Bangalore-based Centre for Internet and Society, a think tank. “Intermediaries are often happy to take down perfectly legal content just to avoid liability.”

Twitter said in a statement that it would continue to lobby the Indian government on the proposed regulations before they are passed into law.

“Our hope is that after this robust public consultation process any changes to the [rules] in India strike a careful balance that protects important values such as freedom of expression,” a Twitter spokesperson told CNN Business.

Google and Facebook declined to comment.

The Asia Internet Coalition, an industry group that counts all three companies as its members, also urged the Indian government to reconsider the rule changes.

“In addition to interfering with the fundamental rights of freedom of speech and expression, and right to privacy as guaranteed under the constitution, the [proposed regulations] impose burdensome obligations on the intermediaries,” the group said in a letter to India’s technology ministry.

The regulations appear to be driven by India’s growing battle with fake news and misinformation, with viral rumors on Facebook’s mobile messaging service WhatsApp blamed for more than a dozen lynchings last year.

The Indian government specifically called out the mob violence in its statement announcing the regulations, citing the “misuse of social media by criminals and anti-national elements” as a key factor.

The rules also state that platforms must enable the tracing of individual posts and messages at the government’s request, a requirement that WhatsApp has previously rejected as a non-starter.

India is WhatsApp’s biggest market, with more than 200 million users.

Why India matters

India has opened itself up to foreign investment in recent years, particularly in its fast-growing tech and retail industries, and companies from around the world have rushed in.

India’s internet is a particularly tempting prize. About 500 million people are already online, with nearly 900 million more yet to be connected.

Amazon has pledged at least $5 billion dollars to growing its business in the country, while Walmart spent $16 billion to buy Flipkart last year.

Facebook and Google have also identified India as their next big market, rolling out several features and services in the country before taking it to the rest of the world.

But the changing legal environment presents a huge challenge, and Big Tech is battling to keep the promise alive.

“An uncertain, constantly changing regulatory environment is not good for any business,” Mishi Choudhary, legal director at the New York-based advocacy group Software Freedom Law Center, told CNN.

“India must decide where it sees itself in the global landscape,” Choudhary added. “It can either be a democracy that will let the best company win and provide an open, free and secure internet to its citizens or turn the way our neighbors across the Himalayas [China] have. It can’t have it both ways.”

For more details visit https://cis-india.org/internet-governance/news/q-13-fox-january-31-2019-amazon-and-walmart-are-about-to-take-a-big-hit-in-india

January 2019 Newsletter

praskrishna — 2019-03-03T16:34:21Z

The Centre for Internet & Society (CIS) welcomes you to the first issue of its e-Newsletter for 2019.

The CIS newsletter aims to highlight developments in copyright and patent, free speech and expression, privacy, cyber security, telecom, etc. as well as Industry 4.0, big data, additive manufacturing and so on which are revolutionizing and moving the digital world forward. Through this newsletter we look to engage you with our research and build a strong bond by bringing you insightful articles and blog posts which will be beneficial for you and your business. Throughout the year we will send you stories and insights from our board, staff and community leaders. We welcome your feedback, suggestions or comments regarding our newsletter or any other aspect of our research.

Welcome to r@w blog!

CIS researchers@work programme (RAW) is delighted to announce the launch of its new blog hosted on Medium. The RAW blog will feature works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media, and society. The blog will also feature highlights and materials from ongoing research and events at the researchers@work programme.

Highlights for January 2019

Ambika Tandon and Aayush Rathi have produced a research paper that contextualises the narrative around Industry 4.0 and the future of work with reference to the female labour force in India.
Gurshabad Grover, Nikhil Srinath and Aayush Rathi (with inputs from Anubha Sinha and Sai Shakti) presented a response to the Telecom Regulatory Authority of India’s Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services. CIS appreciates the continual efforts of TRAI to have consultations on the regulatory framework that should be applicable to OTT services and Telecom Service Providers (TSPs).
Pranesh Prakash, Karan Saini and Elonnai Hickok authored a policy brief that recommends several changes pertaining to current legislation, policy and practice to the Government of India regarding coordinated vulnerability disclosure (“CVD”) for improving the overarching information and cyber security posture of the country.
The Global Commission on the Stability of Cyberspace, a multi-stakeholder initiative comprised of eminent individuals across the globe opened a public comment procedure to solicit comments and obtain additional feedback. Arindrajit Basu, Gurshabad Grover and Elonnai Hickok responded to the public call-offering comments on all six norms and proposing two further norms.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

How to make EVMs hack-proof, and elections more trustworthy (Pranesh Prakash; Times of India; December 9, 2018).
Registering for Aadhaar in 2019 (Sunil Abraham; Business Standard; January 2, 2019).
The DNA Bill has a sequence of problems that need to be resolved (Shweta Mohandas and Elonnai Hickok; Newslaundry; January 15, 2019).
India should reconsider its proposed regulation of online content (Gurshabad Grover; Hindustan Times; January 24, 2019). Akriti Bopanna and Aayush Rathi provided feedback for the article.
India’s proposed new internet bill is as repressive as the worst of Chinese laws (Nishant Shah; Indian Express; January 27, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Creeped out by Netflix's 'You'? Here's how you can avoid online stalkers, data thieves (Sanyukta Dharmadhikari; The News Minute; January 10, 2019).
Civic activism over WhatsApp and stories of and from cab drivers are part of a new narrative in Bengaluru (Sowmya Rajaram; Bangalore Mirror; January 13, 2019).
They know where you are (Tini Sara Anien; Deccan Herald; January 17, 2019).
Oyo Hotels’ Real-Time Digital Record Database Sparks Privacy Fears (Nishant Sharma; Bloomberg Quint; January 16, 2019).
Is the viral #10YearChallenge just another sneaky way for tech firms to gather users’ personal data? (Devarsi Ghosh; Scroll.in; January 18, 2019).
Google Gives Wikimedia Millions—Plus Machine Learning Tools (Wired; January 22, 2019).
New movies lose out due to piracy (Surupasree Sarmmah; Deccan Herald; January 23, 2019).
Submitted Your Biometrics for Aadhaar? Here’s How You Can Lock/Unlock That Data (Vidya Raja; Better India; January 24, 2019).
India’s largest bank SBI leaked account data on millions of customers (Zack Whittaker; Tech Crunch; January 30, 2019).
Open standards can disrupt Facebook’s messaging monopoly (Abhimanyu Ghoshal; The Next Web; January 30, 2019).
Conmen seed fake phone numbers in Google to trap people looking for customer care details (Tushar Kaushik; Economic Times; January 30, 2019).
Amazon and Walmart are about to take a big hit in India (Q13 Fox; January 31, 2019).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Cyber Security

Submission

Response to GCSC on Request for Consultation: Norm Package Singapore (Gurshabad Grover, Arindrajit Basu and Elonnai Hickok; January 22, 2019).

Policy Brief

Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India (Pranesh Prakash; Karan Saini and Elonnai Hickok; January 23, 2019).

Privacy

Submission

CIS Submission to UN High Level Panel on Digital Co-operation (Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok; January 30, 2019).

Gender

Research Paper

A Gendered Future of Work (Ambika Tandon and Aayush Rathi; December 19, 2018).

Event Organized

RFCs We Love meetup (Organized by CIS and India Internet Engineering Society; CIS, Bangalore; January 19, 2019).

Events Participated / Partnered In

Webinar on the draft Intermediary Guidelines Amendment Rules (Organized by CCAOI and the ISOC Delhi Chapter; New Delhi; January 10, 2019). Gurshabad Grover was a discussant in the panel.
MediaNama roundtables on intermediary liability rules (St. Marks Hotel, Bangalore; January 25, 2019). CIS was a community partner. Gurshabad Grover participated in the meeting.
DSCI's Bangalore chapter meet (Organized by Data Security Council of India; Bangalore; January 29, 2019). Karan Saini and Gurshabad Grover participated in the meet.

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions.

Submission

Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services (Gurshabad Grover, Nikhil Srinath and Aayush Rathi with inputs from Anubha Sinha and Sai Shakti; January 10, 2019).

Researchers at Work (RAW)

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Announcement

Internet Researchers' Conference 2019 (IRC19): #List, Jan 30 - Feb 1, Lamakaan (P.P. Sneha; January 9, 2019).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/january-19-newsletter

Open standards can disrupt Facebook’s messaging monopoly

Admin — 2019-02-02T01:59:37Z

Facebook made the news last week when The New York Times’ Mike Isaac reported that CEO Mark Zuckerberg intended to integrate the company’s three messaging platforms: WhatsApp, Messenger, and Instagram.

The blog post by Abhimanyu Ghoshal was published in The Next Web on January 30, 2019. Pranesh Prakash was quoted.

We don’t have all the details of exactly how this will work. The plan is still in its early stages, and there are plenty of moving parts – legal and technical – to take care of. What’s clear is this: with more than 2.6 billion users between the platforms, this is set to impact a lot of people if it goes through – and potentially many hundreds of millions more in the following years.

While the specifics of the move are yet to be revealed, a move like this could help Facebook create more detailed profiles of its users. Even if the company encrypts communications end-to-end as it seemed to imply in its responses to NYT, it could still leverage communications metadata to target ads more accurately than you might think.

Here’s an example: without looking at your messages (because they’re encrypted), Facebook could gather data on who you chat with most often and for how long, later correlating that with the recipients’ interests from Instagram. It could then show you ads for gifts that contact may like, right around the time their birthday comes up.

Integrating these platforms could also bolster Facebook’s efforts to keep users tied into its ecosystem. That’s problematic, when you consider the larger your network of contacts is on the company’s services, the harder it is for you to leave them and use an alternative you’re more comfortable with.

Is there a way out? Pranesh Prakash – a Fellow at the Center for Internet and Society, as well as a Fellow at the New America think tank – believes that the answer lies not in breaking up Facebook over privacy laws, but in competition, and regulators at the government level should demand Facebook use open standards for its messaging platforms.

Prakash explained that standards like SMTP and IMAP, which are used for facilitating email exchanges, allow for interoperability between services run by different organizations. They also let users choose the client apps they prefer for accessing their inboxes.

Facebook’s messaging services, meanwhile, run on closed standards and don’t play nice with platforms created by third parties.

This results in people becoming trapped in Facebook’s ecosystem: even if you’re opposed to using the company’s products, you can’t realistically ditch them all because your friends and family are all using its platforms.

In case you’re worried about open-source protocols not being up to the task of serving massive networks like the ones Facebook operates, consider the fact that WhatsApp runs on FunXMPP, a customized version of the open XMPP set of standards that anyone can use for their own projects.

If Facebook is doing the difficult legwork of unifying the underlying technical infrastructure of its three apps, Prakash argues, it’d do well to make its new protocol public and open-source. That way, anyone should be able to use the company’s services to reach people just the same as when they choose to use a service created by a separate entity.

Prakash said that the only way diminishing Facebook’s power in this regard is to open up access to its network of users. In doing so, it will see people stick with the company’s services because they like using them, not because they can’t stay in touch with their contacts.

Questions surrounding Facebook’s monopolistic domination of the messaging space will inevitably crop up when the company implements Zuckerberg’s plan, and this sounds like a healthy way to tackle those issues.

Naturally, that seems like it’d hurt Facebook’s bottom line – but it’s important to start thinking about realistic measures to comply with antitrust law – or risk being booted from countries that don’t appreciate the way the company does business.

For more details visit https://cis-india.org/internet-governance/news/the-next-web-abhimanyu-ghoshal-january-30-2019-open-standards-can-disrupt-facebooks-messaging-monopoly

CIS Submission to UN High Level Panel on Digital Co-operation

Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok — 2019-02-19T01:41:35Z

The High-level Panel on Digital Cooperation was convened by the UN Secretary-General to advance proposals to strengthen cooperation in the digital space among Governments, the private sector, civil society, international organizations, academia, the technical community and other relevant stakeholders. The Panel issued a call for input that called for responses to various questions. CIS responded to the call for inputs.

Download the submission here

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-un-high-level-panel-on-digital-co-operation

Submitted Your Biometrics for Aadhaar? Here’s How You Can Lock/Unlock That Data

Admin — 2019-02-02T02:09:56Z

Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?

The blog post by Vidya Raja was published in the Better India on January 24, 2019. Pranesh Prakash was quoted.

Imagine someone hacking into your Netflix account – all you have to do is change the password. However, if there is a security breach with respect to your biometric details, there is no reversing it. So think carefully about how and where you submit your details. While the Supreme Court has said that it is no longer mandatory to link Aadhaar with your bank accounts or your telecom service provider, it does not lessen the importance of Aadhaar.

Pranesh Prakash, Policy Director, The Centre for Internet & Society, in a report published in The Mint, says, “Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner’s finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.” Over the last year, there has been so much chatter about the Aadhaar number and how one can protect one’s information.

Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?

In this article, we explain how you can do that.

Locking biometrics online:

Visit UIDAI’s online portal to lock or unlock your biometrics
Once there, you will need to click on ‘My Aadhaar’ and under the Aadhaar Services tab, click on Lock/Unlock Biometrics
You will then be redirected to a new page and prompted to enter the 12-digit Aadhaar number and the security code
Once the details have been entered, click on ‘Send OTP’
You will receive an OTP on your registered mobile number
Enter this and click on the Login button
This feature will allow you to lock your biometrics
Enter the 4-digit security code mentioned on the screen and click on the ‘Enable’ button
Your biometrics will be locked, and you will have to unlock it in case you want to access it again

Unlocking biometrics online:

To unlock your biometrics, click on the ‘Login’ button
Enter your Aadhaar number and the security code in the designated spaces
Now click on ‘Send OTP’
An OTP will be sent to your registered mobile number
Enter it in the space provided and click on ‘Login’
In case you want to temporarily unlock the biometrics, enter the security code and click on the unlock button
Your biometrics will be unlocked for 10 minutes
The locking date and time is mentioned on the screen after which biometrics will be automatically locked
When you do not want to lock your biometrics, you can disable the lock permanently.

Using mAadhaar to lock/unlock biometrics:

mAadhaar is the official mobile application developed by the Unique Identification Authority of India (UIDAI). Presently, it is available on the Android platform.

Once the mAadhaar app has been downloaded, the user must use their Aadhaar card registered mobile number to login.
You will then be sent an OTP that you are required to enter for authentication. Do remember to change your password once registered.
On the top right side, tap on ‘Biometric lock’, and enter your password to lock the biometrics. Once locked, it will show a small lock icon next to your profile.
To unlock, tap on the same icon followed by your password. The information will unlock for 10 minutes. After that, it will be locked again.
Once you lock this information, it ensures that even the Aadhaar holder will not be able to use their biometric data (iris scan and fingerprints) for authentication, until unlocked.
If you try to use this information without unlocking, it will show you an error code 330.

Remember to lock and unlock your biometrics through a trusted channel. The fact that there is no fee involved in either exercise will make this easier. Also, even with the biometric locked, you can continue to use the OTP-based authentication process for transactions, where you will receive the OTP on your registered mobile number and e-mail address.

(Edited by Shruti Singhal)

For more details visit https://cis-india.org/internet-governance/news/the-better-india-vidya-raja-january-24-2019-aadhaar-biometric-privacy-safety-online-india

India should reconsider its proposed regulation of online content

gurshabad — 2019-01-24T16:59:07Z

The lack of technical considerations in the proposal is also apparent since implementing the proposal is infeasible for certain intermediaries. End-to-end encrypted messaging services cannot “identify” unlawful content since they cannot decrypt it. Presumably, the government’s intention is not to disallow end-to-end encryption so that intermediaries can monitor content.

The article was published in the Hindustan Times on January 24, 2019. The author would like to thank Akriti Bopanna and Aayush Rathi for their feedback.

Flowing from the Information Technology (IT) Act, India’s current intermediary liability regime roughly adheres to the “safe harbour” principle, i.e. intermediaries (online platforms and service providers) are not liable for the content they host or transmit if they act as mere conduits in the network, don’t abet illegal activity, and comply with requests from authorised government bodies and the judiciary. This paradigm allows intermediaries that primarily transmit user-generated content to provide their services without constant paranoia, and can be partly credited for the proliferation of online content. The law and IT minister shared the intent to change the rules this July when discussing concerns of online platforms being used “to spread incorrect facts projected as news and designed to instigate people to commit crime”.

On December 24, the government published and invited comments to the draft intermediary liability rules. The draft rules significantly expand “due diligence” intermediaries must observe to qualify as safe harbours: they mandate enabling “tracing” of the originator of information, taking down content in response to government and court orders within 24 hours, and responding to information requests and assisting investigations within 72 hours. Most problematically, the draft rules go much further than the stated intentions: draft Rule 3(9) mandates intermediaries to deploy automated tools for “proactively identifying and removing [...] unlawful information or content”.

The first glaring problem is that “unlawful information or content” is not defined. A conservative reading of the draft rules will presume that the phrase means restrictions on free speech permissible under Article 19(2) of the Constitution, including that relate to national integrity, “defamation” and “incitement to an offence”.

Ambiguity aside, is mandating intermediaries to monitor for “unlawful content” a valid requirement under “due diligence”? To qualify as a safe harbour, if an intermediary must monitor for all unlawful content, then is it substantively different from an intermediary that has active control over its content and not a safe harbour? Clearly, the requirement of monitoring for all “unlawful content” is so onerous that it is contrary to the philosophy of safe harbours envisioned by the law.

By mandating automated detection and removal of unlawful content, the proposed rules shift the burden of appraising legality of content from the state to private entities. The rule may run afoul of the Supreme Court’s reasoning in Shreya Singhal v Union of India wherein it read down a similar provision because, among other reasons, it required an intermediary to “apply [...] its own mind to whether information should or should not be blocked”. “Actual knowledge” of illegal content, since then, has held to accrue to the intermediary only when it receives a court or government order.

Given the inconsistencies with legal precedence, the rules may not stand judicial scrutiny if notified in their current form.

The lack of technical considerations in the proposal is also apparent since implementing the proposal is infeasible for certain intermediaries. End-to-end encrypted messaging services cannot “identify” unlawful content since they cannot decrypt it. Internet service providers also qualify as safe harbours: how will they identify unlawful content when it passes encrypted through their network? Presumably, the government’s intention is not to disallow end-to-end encryption so that intermediaries can monitor content.

Intermediaries that can implement the rules, like social media platforms, will leave the task to algorithms that perform even specific tasks poorly. Just recently, Tumblr flagged its own examples of permitted nudity as pornography, and Youtube slapped a video of randomly-generated white noise with five copyright-infringement notices. Identifying more contextual expression, such as defamation or incitement to offences, is a much more complex problem. In the lack of accurate judgement, platforms will be happy to avoid liability by taking content down without verifying whether it violated law. Rule 3(9) also makes no distinction between large and small intermediaries, and has no requirement for an appeal system available to users whose content is taken down. Thus, the proposed rules set up an incentive structure entirely deleterious to the exercise of the right to freedom of expression. Given the wide amplitude and ambiguity of India’s restrictions on free speech, online platforms will end up removing swathes of content to avoid liability if the draft rules are notified.

The use of draconian laws to quell dissent plays a recurring role in the history of the Indian state. The draft rules follow India’s proclivity to join the ignominious company of authoritarian nations when it comes to disrespecting protections for freedom of expression. To add insult to injury, the draft rules are abstruse, ignore legal precedence, and betray a poor technological understanding. The government should reconsider the proposed regulation and the stance which inspired it, both of which are unsuited for a democratic republic.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-gurshabad-grover-january-24-2019-india-should-reconsider-its-proposed-regulation-of-online-content

New movies lose out due to piracy

Admin — 2019-02-02T02:24:42Z

Piracy continues to be a huge concern among filmmakers but it can also be a marketing strategy for small-budget films.

The article by Surupasree Sarmmah was published in Deccan Herald on January 23, 2019. Akriti Bopanna was quoted.

Despite a slew of measures taken by filmmakers, pirated versions of recently released films like ‘Uri: The Surgical Strike’, ‘Viswasam’, ‘KGF’ and ‘Why Cheat India’ were leaked online on websites like TamilRockers. Piracy has been a huge concern for all movie industries in India, national and regional, but experts say that not much can be done when a film is leaked online.

Neville J Kattakayam, author of the book ‘The All Seeing Digital Eyes: A Guide To Privacy, Security and Literacy’, says, “The maximum one can do is to control the servers in a particular jurisdiction. But there are servers in unlikely places — like somewhere out in the sea. These places don’t fall under any jurisdiction, national or international. It becomes impossible to control the servers then.”

Talking about the process of piracy, he explains that once a content is leaked, it mirages into different servers across to the world; not just online but offline too. “There are mirror sites having the same content that are immediately born. Accessibility wise, it’s all out there; there is nothing that one can completely restrict,” he says.

Neville feels that it is largely in the hands of the producers to restrict access to their material until the movie is released. With people usually preferring good quality prints, theatrical replicas are not favoured much, he told Metrolife.

“From what I have heard, the piracy usually happens when the copy is being sent to the censor board. Some intermediate source, who really wants to kill a movie, leaks it from there. That is the real challenge,” says Neville.

Hemanth M Rao, a director, says that when a movie is leaked online, the effort, time and money put in is at stake. “You feel robbed. Most people would want to go to the theatres to watch a film but with incidents of piracy on the rise, the life span of a movie is shortened,” he says.

However, he adds that the audience is beginning to understand the impact piracy has on the movie industry, especially at a time when there is intense competition between regional language industries.

He has a word of praise for the Kannada Film Industry, which he feels is safeguarding interests of the artistes.

“We have a close tie-up with the city police. We monitor where all a film is playing after its release. In case we come to know about any illegal activities, we intimate the police who act swiftly. This way, the access is cut down.”

“Another thing that upsets me is the habit of going live on Facebook while one is at the theatre. I don’t understand what pleasure people get out of it,” he says.

According to a new draft rule, being contemplated by the IT Ministry, host websites will be liable for any illegal content uploaded on their platform. Currently, a website is liable only for unlawful actions; like uploading copyrighted content without permission.

“The Government can block access to the original host of the pirated content if needed however the traction and virality these kinds of content get make it very difficult to contain their spread. It ends up being a blanket ban on sites such as torrent sites where all the content is not illegal yet the site is blocked as a whole,” says Akriti Bopanna, Policy Officer, Centre for Internet and Society.

The time taken for legal recourse doesn’t help either. Though filmmakers can approach the court for a ban on the website or server, the time taken for a legal remedy is way too long. By that time, the same link would have appeared in two or three other websites, says Akriti. “A leaked movie can be easily downloaded and sent to someone instantly.”

She feels that a more effective method than banning a website or a server would be to educate people.

“Not many know about copyright infringement, it is important to spread awareness from the grassroots level. Though we have messages on piracy shown at the start of every movie, these need to be more creative and fun so they will stay in the audience’s minds. Maybe the industry, as a whole, can do this as a community initiative,” she opines.

Small players don’t care much about piracy

Small-budget movies take piracy as a marketing strategy. They feel that once people watch the movie and write reviews, the film will get an overall boost — allowing them to sell more tickets in theatres.

However, major players spend crores on their movies and depend on ticket sales to get back the amount.

Difficult to claim copyright from different websites

Prominent production companies are targeting streaming websites who have uploaded their movies, citing copyright issues. However, floating websites like citytorrents and TamilRockers keep changing their domain name and it becomes impossible to counter them.

-Neville J Kattakayam

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-surupasree-sarmmah-january-23-2019-new-movies-lose-out-due-to-piracy

Response to GCSC on Request for Consultation: Norm Package Singapore

Arindrajit Basu, Gurshabad Grover and Elonnai Hickok — 2019-01-27T15:43:12Z

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms.

The Global Commission on the Stability of Cyberspace, a multi-stakeholder initiative comprised of eminent individuals across the globe that seeks to promote awareness and understanding among the various cyberspace communities working on issues related to international cyber security. CIS is honoured to have contributed research to this initiative previously and commends the GCSC for the work done so far.

The GCSC announced the release of its new Norm Package on Thursday November 8, 2018 that featured six norms that sought to promote the stability of cyberspace.This was done with the hope that they may be adopted by public and private actors in a bid to improve the international security architecture of cyberspace

The norms introduced by the GCSC focus on the following areas:

Norm to Avoid Tampering
Norm Against Commandeering of ICT Devices into Botnets
Norm for States to Create a Vulnerability Equities Process
Norm to Reduce and Mitigate Significant Vulnerabilities
Norm on Basic Cyber Hygiene as Foundational Defense
Norm Against Offensive Cyber Operations by Non-State Actors

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms. We sincerely hope that the Commission may find the feedback useful in their upcoming deliberations.

Read the full submission here

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation

Cyber Policy Centres Meeting in Sri Lanka

Admin — 2019-01-21T23:50:45Z

Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in this event organized by IDRC in Sri Lanka on January 11 - 14, 2019.

Download the agenda here

See the presentation here

For more details visit https://cis-india.org/internet-governance/news/cyber-policy-centres-meeting-in-sri-lanka