We are anonymous, we are legion

Or-bits.com — A Talk by Marialaura Ghidini

praskrishna — 2013-04-16T14:34:36Z

On Friday, April 19, 2013, at the Centre for Internet and Society, Marialaura Ghidini will give a talk about the creation and activities of or-bits.com, a web-based curatorial platform that she founded in 2009.

Or-bits.com is devoted to supporting and developing practices, critical dialogues and audience engagement around artistic production, display and distribution online. Through presenting online group exhibitions and critical writing on its blog, the development of offsite gallery projects, print publishing and workshops, or-bits.com aims to instigate an exploration of the phenomena related to the spread and simplification of web-based technology across disciplines. It aims to propagate a model of artistic work that uses and reflects on the web as a language and a medium of production, display and distribution of contemporary art, both online and offline.

Marialaura's talk will then open up to present some issues related to curatorial/artistic work online and its relationship with offline activities of production, display and distribution in order to trigger further discussion in the form of a Q&A session.

Marialaura Ghidni

Marialaura Ghidini is a curator, writer and researcher based in the UK. She is founder director of or-bits.com and an AHRC-funded PhD researcher with CRUMB at the University of Sunderland, where she explores the field of online curation with a specific interest in the theory and practice of artists and curators operating through web-based platforms and in-between online and offline dimensions.

She has been in India since January as an International Research Fellow at SARAI/CSDS in Delhi and now as a curatorial resident with T.A.J. Residency & SKE Projects in Bangalore.

Also see http://marialaura-ghidini.hotglue.me

For more details visit https://cis-india.org/internet-governance/events/a-talk-by-marialaura-ghidni

Opposition questions govt move to make Aadhaar must

praskrishna — 2017-04-12T14:19:20Z

Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity.

The article by Komal Gupta was published in Livemint on April 11, 2017. Pranesh Prakash was quoted.

The Rajya Sabha on Monday witnessed a lively debate on Aadhaar, with the opposition questioning the government’s move to make the 12-digit unique identification number mandatory for a host of welfare benefits.

Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity.

“My major concern is implementation, how Aadhaar is being used to exclude people to avail benefits of the schemes which have been designed for them…If you need to apply to avail benefits, it’s as good as mandatory,” said Ramesh.

The former cabinet minister argued that over 25% of the population will stand excluded.

“The Rs50,000 crore savings due to Aadhaar linkage as given by the government is highly questionable,” he said, adding that according to Comptroller and Auditor General (CAG) reports, 92% of the savings on domestic gas subsidies is not on account of Aadhaar implementation or direct benefit transfer. “Instead, it is because of the fall in international oil prices,” Ramesh argued.

Trinamool Congress member Derek O’Brien said that for manual labourers, biometric identification does not always match and that can deprive them of welfare.

He gave the example of Andhra Pradesh, where almost half the 85,000 ration card holders in 2014 were unable to get subsidized foodgrains due to faulty point of sale machines and biometrics not matching.

K.T.S Tulsi, member of Parliament and senior Supreme Court advocate, said, “Not in my whole career have I come across a greater mutilation of a statutory provision than what has taken place in the case of Aadhaar.” He said Section 29 of the Aadhaar Act doesn’t permit data stored with the Unique Identification Authority of India (UIDAI) to be shared with anyone but a provision was later made for voluntary agreement to allow the sharing of data.

IT and law minister Ravi Shankar Prasad said, “No religion, income, medical history, ethnicity or education is asked in Aadhaar. Even email ID and phone number is optional.”

“The right of privacy of individuals must be respected. The privacy of the data cannot be breached by us except in the case of national security,” Prasad added.

He claimed that the government has been blacklisting operators that share data from the Aadhaar system. It has blacklisted 34,000 operators, and has taken action against 1,000 of them.

Prasad also said that UIDAI will be accountable to the Parliament.

Expressing concern on mandating the use of Aadhaar for different services, Pranesh Prakash, Policy director of the Centre for Internet and Society, said, “As an enabler, people would want to have Aadhaar. But when it is made mandatory, it becomes more of a disenabler instead of an enabler.”

“With the move towards a digital economy, setting up of a data protection authority as recommended by the Shah committee is important along with mass surveillance and greater accountability from the government,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-april-12-2017-komal-gupta-opposition-questions-govt-move-to-make-aadhaar-must

OPINION | Data is New Oil and Human Mind the New Battlefield. India Must Wake Up Now

Admin — 2017-11-26T03:28:55Z

In information warfare, the battlespace is the human mind. This is where the privacy of an individual intersects with national security. Fighting this battle will require a new paradigm in thought and action.

The article by Lt. General (Retd.) D. S. Hooda was published by News18.com on November 11, 2017

A few days ago, the Army Headquarters took out a public advisory warning about a “deliberate misinformation campaign being launched by vested interests some of which is being initiated from countries bordering our nation.” This is an acknowledgment of the use of social media for what is today considered the most dominant form of warfare — ‘information warfare’. It has been extensively used by our adversaries in Jammu and Kashmir to show the government and security forces in poor light.

Deception, propaganda and misinformation have always been a part of warfare but what is different today is that the tools of information warfare have acquired a new dimension. An integration of massive amounts of data with Artificial Intelligence (AI) has given a significant weapon in the hands of information warriors.

The cost of saving data has been plummeting, with the cost being halved about every 15 months. Now more and more data about individuals is being saved, both by corporations and governments. In his book, Data and Goliath, Bruce Schneier writes that worldwide, Google has the capacity to store 15 exabytes of data. To put it in context, one exabyte is 500 billion pages of text. Bruce also quotes the case of Max Schrems, an Austrian law student, who in 2011 demanded all his personal data from Facebook. After a two year legal battle, Facebook gave him a CD with 1200 pages of PDF. This is how much Facebook knows about you, and it does not forget because it is all saved.

All this big data would be useless unless it can be utilised for decision making and this is where advances in AI have provided the breakthrough. Smart machines mine the data and detect trends, patterns, habits, ideology and desires. These personal characteristics of individuals are being used by corporations to send targeted advertisements to influence commercial decisions.

The same technique is used in information warfare. On November 1, the US House Intelligence Committee released Facebook advertisements bought by Russian operatives to influence the 2016 elections. Washington Post wrote, “The ads made visceral appeals to voters concerned about illegal immigration...African American political activism, rising prominence of Muslims” among other issues. Senator Angus King said, “The strategy is to take a crack in our society and turn it into a chasm.”

Data is the new oil and that is exactly how it is being traded and sold. In the absence of any legal provisions, companies and ‘data brokers’ are sharing and selling personal data. Can this personal data find its way to a hostile government? Last month, the US Army brought out that their troops in the Baltic had reported instances of cell phone hacking. However, more worrisome was the fact the hackers knew personal details of the soldiers. Direct threats against family members of the military can have a negative psychological impact during conflict.

India has its share of political, social and ethnic differences, just as in many societies. In recent times these differences have been magnified as nationalism has taken centre stage. It is difficult to imagine why these fault lines will not be exploited by inimical forces as India enters the election mode in 2018. Looking at examples from the US and French elections, Brexit and the cyber battle during the Catalonia referendum, I think we have no option but to be prepared.

The preparation for this war (and I do not use this word lightly) lies in three spheres — concepts, practices and structures.

Conceptually, our current shortcoming is that we are viewing this issue through a technical prism rather than the broader spectrum of information warfare. CERT and NTRO can technically protect our critical infrastructure but they do not have an equal understanding of the human dimension, which is more strategic than scientific. The Americans, world leaders in information technology, have not been able to prevent a perceived subversion of their democratic process.

Our practices need to improve. The security of personal data is a major concern. The Supreme Court has declared privacy as a fundamental right, but there are no privacy laws to back it up. Even data stored in India is not safe as the owners of our data are the giant technology companies, mostly based in the US and not under our legal control. In September 2017, it was reported that Google has quietly stopped challenging most search warrants from US judges in which the data requested is stored on overseas servers.

A May 2017, report by the Centre for Internet and Society estimated that 135 million Aadhaar numbers could have been leaked from official portals. This was not due to a security breach but due to poor privacy practices.

Our continued reliance on foreign hardware and software is extremely worrisome. There was clear evidence that Cisco systems had been back-doored by the American National Security Agency but the Indian military continues to procure hardware from Cisco. There is a similar story with Chinese equipment in our telecommunication and power sectors. An attempt to introduce an Indian operating system to replace Windows in the Army has been mired in controversy.

In case of a targeted cyber attack on India, there is little we can do except issue advisories. The solutions will have to come from foreign manufactures or developers whose equipment we are using. There is an urgent need to give a fillip to developing indigenous solutions for our critical infrastructure.

And finally, structures. An organisation to execute information warfare would have to be led by the Ministry of Defence, because the threat is mainly from external players. It would be a combination of military planners, specialists from the field of intelligence, government agencies, media and cyber warfare experts. Such an organisation does not currently exist, though the raising of the Cyber Command could fill this gap.

In information warfare, the battlespace is the human mind. This is where the privacy of an individual intersects with national security. Fighting this battle will require a new paradigm in thought and action.

(The author is former Northern Commander, Indian Army, under whose leadership India carried out surgical strikes against Pakistan in 2016. Views are personal.)

For more details visit https://cis-india.org/internet-governance/news/news-18-lt-general-retd-ds-hooda-data-is-new-oil-and-human-mind-the-new-battlefield-india-must-wake-up-now

Open Workshop on 'Digital Empire(s): Perspectives from Asia and Africa

Admin — 2019-11-13T14:36:03Z

Monish will be a part of a collaborative network which is organising an open workshop on 'Digital Empire(s): Perspectives from Asia and Africa', on December 4, 2019 at Centre de Sciences Humaines (CSH) Delhi.

Click to view the agenda.

For more details visit https://cis-india.org/internet-governance/news/open-workshop-on-digital-empire-s-perspectives-from-asia-and-africa

Open Street Maps help tackle disasters: Experts

Admin — 2018-11-28T01:58:11Z

Speakers showed how participatory maps were used to bring to light lapses in delivery of civic services.

The article was published by Deccan Chronicle on November 21, 2018.

Maps come in handy when you have lost your way, but they can also be great tools during natural disasters, like the recent, unprecedented floods in Kerala. During the disaster, 2,200 mapping volunteers from around the world added 4,00,000 data points to the Open Street Map, helping the government reach relief fast to the affected, said Manoj Karingamadathil.

On Tuesday, over 300 mappers from 12 countries got together in the city to discuss and present innovative solutions to mobilise, sustain and grow more inclusive open mapping communities. The event, hosted at the Indian Institute of Management-Bangalore, deliberated on how mapping is being used for disaster management in Asia, the role of local languages in tagging places, methods to sustain the community and others.

Speakers showed how participatory maps were used to bring to light lapses in delivery of civic services. The maps, used both in rural and urban areas, brought out issues at the neighbourhood, city, state and national levels.

For instance, Anindita Nayak explored safety in public spaces in Bengaluru by mapping lack of streetlights. Ankit Bhargava presented how Open Street Maps led to a participatory design process to create a very detailed and informative public map of Cubbon Park. Jaisen Nedumpala, a panchayat officer from Koorachundu in Kerala, used open source tools and community participation to fix land record boundaries for the village. Harry Mahardhika Machmud shared his experience on how citizen-led surveys in Indonesian cities helped the government prepare disaster response maps.

Dr Anita Patil-Deshmukh, the first keynote speaker, said that official maps did not account for the majority of under-served communities in Mumbai. These people felt empowered through community-based mapping and it helped them engage better with stakeholders for effective delivery of services.

Other speakers supported Dr Patil-Deshmukh's call to create more capacity within grassroots communities. Airin Akter stressed on the importance of maps in local languages for effective dissemination of public information in Bangladesh.

Pradip Khatiwada spoke about the need to create innovative training and internship programmes, digital activism, and demonstrated how maps have been used successfully in Nepal. Siddharth Hande, the closing keynote speaker, affirmed the need to empower communities through data-driven initiatives in his engagement with cyclical waste management economies.

Jointly organised by the Centre for Public Policy and the Centre for Software and IT Management (CSITM) of IIMB, Open Street Map (OSM) India, and Centre for Internet and Society, the inauguration of the event itself added meaning to the purpose as Prof. Abhoy K. Ojha, Dean of Academic Programmes at IIMB, contributed to the OSM project by adding the name of the building where the conference was hosted.

For more details visit https://cis-india.org/internet-governance/news/deccan-chronicle-november-21-2018-open-street-maps-help-tackle-disaster-experts

Open standards can disrupt Facebook’s messaging monopoly

Admin — 2019-02-02T01:59:37Z

Facebook made the news last week when The New York Times’ Mike Isaac reported that CEO Mark Zuckerberg intended to integrate the company’s three messaging platforms: WhatsApp, Messenger, and Instagram.

The blog post by Abhimanyu Ghoshal was published in The Next Web on January 30, 2019. Pranesh Prakash was quoted.

We don’t have all the details of exactly how this will work. The plan is still in its early stages, and there are plenty of moving parts – legal and technical – to take care of. What’s clear is this: with more than 2.6 billion users between the platforms, this is set to impact a lot of people if it goes through – and potentially many hundreds of millions more in the following years.

While the specifics of the move are yet to be revealed, a move like this could help Facebook create more detailed profiles of its users. Even if the company encrypts communications end-to-end as it seemed to imply in its responses to NYT, it could still leverage communications metadata to target ads more accurately than you might think.

Here’s an example: without looking at your messages (because they’re encrypted), Facebook could gather data on who you chat with most often and for how long, later correlating that with the recipients’ interests from Instagram. It could then show you ads for gifts that contact may like, right around the time their birthday comes up.

Integrating these platforms could also bolster Facebook’s efforts to keep users tied into its ecosystem. That’s problematic, when you consider the larger your network of contacts is on the company’s services, the harder it is for you to leave them and use an alternative you’re more comfortable with.

Is there a way out? Pranesh Prakash – a Fellow at the Center for Internet and Society, as well as a Fellow at the New America think tank – believes that the answer lies not in breaking up Facebook over privacy laws, but in competition, and regulators at the government level should demand Facebook use open standards for its messaging platforms.

Prakash explained that standards like SMTP and IMAP, which are used for facilitating email exchanges, allow for interoperability between services run by different organizations. They also let users choose the client apps they prefer for accessing their inboxes.

Facebook’s messaging services, meanwhile, run on closed standards and don’t play nice with platforms created by third parties.

This results in people becoming trapped in Facebook’s ecosystem: even if you’re opposed to using the company’s products, you can’t realistically ditch them all because your friends and family are all using its platforms.

In case you’re worried about open-source protocols not being up to the task of serving massive networks like the ones Facebook operates, consider the fact that WhatsApp runs on FunXMPP, a customized version of the open XMPP set of standards that anyone can use for their own projects.

If Facebook is doing the difficult legwork of unifying the underlying technical infrastructure of its three apps, Prakash argues, it’d do well to make its new protocol public and open-source. That way, anyone should be able to use the company’s services to reach people just the same as when they choose to use a service created by a separate entity.

Prakash said that the only way diminishing Facebook’s power in this regard is to open up access to its network of users. In doing so, it will see people stick with the company’s services because they like using them, not because they can’t stay in touch with their contacts.

Questions surrounding Facebook’s monopolistic domination of the messaging space will inevitably crop up when the company implements Zuckerberg’s plan, and this sounds like a healthy way to tackle those issues.

Naturally, that seems like it’d hurt Facebook’s bottom line – but it’s important to start thinking about realistic measures to comply with antitrust law – or risk being booted from countries that don’t appreciate the way the company does business.

For more details visit https://cis-india.org/internet-governance/news/the-next-web-abhimanyu-ghoshal-january-30-2019-open-standards-can-disrupt-facebooks-messaging-monopoly

Open sesame

praskrishna — 2015-09-25T01:31:49Z

The government’s email is shockingly vulnerable.

The article was published in the Hindu on September 22, 2015. CIS research on private email accounts is mentioned.

As the Centre moves towards smart cities and a Digital India, some critics have cited the country’s increased vulnerability to cyber attacks. To be sure, cyber threat groups could disrupt our infrastructure by taking control of many systems. Such attacks could be quite damaging. Yes, they are rare today, but are much more likely to arise in conjunction with traditional armed conflicts. Cyber criminal groups target Indian organisations on a daily basis.

Almost two years ago, the IT minister’s office triggered national outrage when it used a public email service for official communication. There was much hand-wringing about security practices in a ministry responsible for setting the technology direction (secure email policy) for the country. Then in December 2013, the Centre for Internet and Society revealed that up to 90 per cent of Indian government officials used private email accounts for professional purposes.

A big deal

Between then and now, we’ve read about a new email policy and revelations of several cyber attacks on government officials. And FireEye revealed a decade-long cyber espionage operation by a group we call ‘APT30’, which is likely to be sponsored by China. How did they break in? By sending targeted ‘spear-phish’ emails with malware attached.

Email doesn’t sound like a big deal. Most of us have been using it for over a decade, and think we know how to use it right. But when you’re in a position of authority with access to sensitive information, you shouldn’t leave it to chance.

Today, state-sponsored attackers craft these spear-phishing emails after considerable research. APT30 carefully researched their targets and crafted mails which would appear extremely relevant, with interesting content. The moment a victim would open an attachment, an exploit would secretly install a backdoor. Through that backdoor, groups can compromise the employee’s entire network and extricate sensitive data. Groups bent on destruction can deploy malware to destroy the data. They could also take control of systems managing infrastructure or industrial processes and create havoc.

Spear-phishing has an open rate of 70 per cent, while regular mass emails had an open rate of just 3 per cent. Email is the front- door for today’s threat groups. That’s why governments around the world are improving the security of their email systems to fend off these spear-phishing threats.

Public concerns

When government employees use webmail for official business, they trade away their security for convenience. The emails they receive are no longer screened by cyber security solutions, which detect advanced targeted email attacks before they reach the inbox. In addition, because people typically retrieve their webmail in a browser, attackers have a larger attack surface to exploit when carrying out their attacks. For example, attackers can coax victims to click on a link to a website, which delivers an exploit via Adobe Flash.

Webmail opens the door to threats that would otherwise have been intercepted. When our government employees use webmail for official business, they leave the front door wide open to threats. One of the best steps we can take towards improving our government’s cyber security defences is abandoning public email services.

The writer is a software architect at the cyber security firm FireEye

For more details visit https://cis-india.org/internet-governance/news/the-hindu-september-22-2015-atul-kabra-open-sesame

Open Secrets

nishant — 2013-11-30T08:21:21Z

We need to think of privacy in different ways — not only as something that happens between people, but between you and corporations.

Dr. Nishant Shah's article was originally published in the Indian Express on October 27.

If you are a part of any social networking site, then you know that privacy is something to be concerned about. We put out an incredible amount of personal data on our social networks. Pictures with family and friends, intimate details about our ongoing drama with the people around us, medical histories, and our spur-of-the-moment thoughts of what inspires, peeves or aggravates us. In all this, the more savvy use filters and group settings which give them some semblance of control about who has access to this information and what can be done with it.

But it is now a given that in the world of the worldwide web, privacy is more or less a thing of the past. Data transmits. Information flows. What you share with one person immediately gets shared with thousands. Even though you might make your stuff accessible to a handful of people, the social networks work through a "friend-of-a-friend effect", where others in your networks use, like, share and spread your information around so that there is an almost unimaginable audience to the private drama of our lives. Which is why there is a need for a growing conversation about what being private in the world of big data means.

Privacy is about having control over the data and some ownership about who can use it and for what purpose. Interface designs and filters that allow limited access help this process. The legal structures are catching up with regulations that control what individuals, entities, governments and corporations can do with the data we provide. However, most people think of privacy as a private matter. Just look at last month's conversations around Facebook's new privacy policies, which no longer allow you to hide. If you are on Facebook, people can find you using all kinds of parameters — meta data — other than just your name. They might find you through hobbies, pages you like, schools you have studied in, etc. This can be scary because it means that based on particular activities, people can profile and follow you. Especially for people in precarious communities — the young adults, queer people who might not be ready to be out of the closet, women who already face increased misogyny and hostility online. This means they are officially entering a stalkers' paradise.

While those concerns need to be addressed, there is something that seems to be missing from the debate. Almost all of these privacy alarms are about what people can do to people. That we need to protect ourselves from people, when we are in public — digital or otherwise. We are reminded that the world is filled with predators, crackers and scamsters, who can prey on our personal data and create physical, emotional, social and financial havoc. But this is the world we already know. We live in a universe filled with perils and we have learned and coped with the fact that we navigate through dangerous spaces, times and people all the time. The digital is no different than the physical when it comes to the possible perils that we live in, though digital might facilitate some kinds of behaviour and make data-stalking easier.

What is different with the individualised, just-for-you crafted world of the social web is that there are things which are not human, which are interacting with you in unprecedented ways. Make a list of the top five people you interact with on Facebook. And you will be wrong. Because the thing that you interact with the most on Facebook, is Facebook. Look at the amount of chatter it creates — How are you feeling today?; Your friend has updated their status; Somebody liked your comment… the list goes on. In fact, much as we would like to imagine a world that revolves around us, we know that there are a very few people who have the energy and resources to keep track of everything we do. However, no matter how boring your status message or how pedestrian your activity, deep down in a server somewhere, an artificial algorithm is keeping track of everything that you do. Facebook is always listening, and watching, and creating a profile of you. People might forget, skip, miss or move on, but Facebook will listen, and remember long after you have forgotten.

If this is indeed the case, we need to think of privacy in different ways — not only as something that happens between people, but between people and other entities like corporations. The next time there is a change in the policy that makes us more accessible to others, we should pay attention. But what we need to be more concerned about are the private corporations, data miners and information gatherers, who make themselves invisible and collect our personal data as we get into the habit of talking to platforms, gadgets and technologies.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-october-27-2013-nishant-shah-open-secrets

Open Letter to Prevent the Installation of RFID tags in Vehicles

maria — 2013-07-12T10:59:31Z

The Centre for Internet and Society (CIS) has sent this open letter to the Society of Indian Automobile Manufacturers (SIAM) to urge them not to intall RFID tags in vehicles in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

This letter is with regards to the installation of Radio Frequency Identification Tags (RFID) in vehicles in India.

On behalf of the Centre for Internet and Society, we urge you to prevent the installation of RFID tags in vehicles in India, as the legality, necessity and utility of RFID tags have not been adequately proven. Such technologies raise major ethical concerns, since India lacks privacy legislation which could safeguard individuals' data.

The proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India. However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.

The installation of RFID tags in vehicles is not only currently illegal, but it also raises majors privacy concerns. RFID tags yield locational information, and thus reveal information as to an individual’s whereabouts. This could lead to a serious invasion of the right to privacy, which is at the core of personal liberty, and constitutionally protected in India. Moreover, the installation of RFID tags in vehicles is not in compliance with the privacy principles of the Report of the Group of Experts on Privacy, as, among other things, the architecture of RFID tags does not allow for consent to be taken from individuals for the collection, use, disclosure, and storage of information generated by the technology.[1]

The Centre for Internet and Society recently drafted the Privacy (Protection) Bill 2013 – a citizen's version of a possible privacy legislation for India.[2]The Bill defines and establishes the right to privacy and regulates the interception of communications and surveillance, and would include the regulation of technologies like RFID tags. As this Bill has not been enacted into law and India lacks a privacy legislation which could safeguard individuals' data, we strongly urge you to not require the mandatory installation of RFID tags in vehicles, as this could potentially violate individuals' right to privacy and other human rights.

As the proposed rule 138A, which mandates the installation of RFID tags in vehicles, is currently illegal and India lacks privacy legislation which would regulate the collection, use, sharing of, disclosure and retention of data, we strongly urge you to ensure that RFID tags are not installed in vehicles in India and to play a decisive role in protecting individuals' right to privacy and other human rights.

Thank you for your time and for considering our request.

Sincerely,

Centre for Internet and Society (CIS)

[1]. Report of the Group of Experts on Privacy: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[2].Draft Privacy (Protection) Bill 2013: http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf

For more details visit https://cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles

Open Letter to Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee

elonnai — 2013-10-23T05:00:02Z

An open letter was sent to the Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee on the proposed EU Regulation. The letter was apart of an initiative that Privacy International and a number of other NGO's are undertaking.

Dear Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee,

On behalf of The Centre for Internet and Society, Bangalore, India, we are writing to express our support of the European Commission’s proposed General Data Protection Regulation (COM (2012) 11).

The legal framework established under the 1995 Data Protection Directive (95/46/EC) in Europe has positively influenced many existing privacy regimes worldwide, serving as a model legal framework in jurisdictions that are in the process of developing privacy regimes, including India. The positive impact of the Data Protection Directive shows the potential of the Regulation to become a global model for the protection of personal data. The Regulation seeks to address new scenarios that have arisen in the context of rapidly changing technologies and practices, increasing its potential for positively influencing privacy rights for individuals globally.

India is currently in the process of considering the enactment of privacy legislation, in part with the aim of ensuring adequate safeguards to enable and enhance information flows into India from countries around the world, including Europe. At the same time, India is seeking Data Secure Status from the EU, on the basis of its current regime.

It is clear that the EU framework for data protection has a major influence on the current and emerging privacy regime in India. India is only one country of many that are in the beginning stages of developing a comprehensive privacy regime. Thus, we ask that you keep in mind how the Regulation will impact the rights of individual in countries outside of Europe, particularly in countries that are in the process of developing privacy regimes.

We ask that you take into consideration the four following points that we believe need to be addressed in the Regulation to help ensure adequate protection of the rights of individuals in the European Union and around the world.

Strengthen the principle of purpose limitation: The Regulation should incorporate a strong purpose limitation principle that strictly limits present and future uses of personal data to the purposes for which it was originally collected. Currently, Article 6(4) allows for the further processing of data when the processing is “not compatible with the one for which the personal data have been collected”. Though the provision establishes legal requirements, one of which must be before information can be used for a further purpose, this is has proven insufficient in the existing Directive. The current provision in the Regulation dilutes the principle of purpose limitation as well as weakening an individual’s ability to make informed decisions about their personal data.
Define principles for interpretation of broad terms: The Regulation should create principles for interpreting broad terms such as “legitimate interest” and “public interest”. These vague terms are used throughout the Regulation, and create the potential for loopholes or abuse. Because these terms can be interpreted in many different ways, it is important to create a set of principles to guide their interpretation by data protection authorities and courts to avoid inconsistent application and enforcement of the Regulation.
Clarify the scope of the Regulation: The Regulation should clearly describe the jurisdictional scope and reach of its provisions. Currently Article 3(1) states that the Regulation will apply to the processing of data “in the context of the activities of an establishment of a controller or a processor in the Union”. The flow of information on the online environment coupled with trends such as cloud computing, outsourcing, and cross border business creates a scenario where defining what constitutes “context of the activities of an establishment”, is difficult and could lead to situations where personal data is not protected, as the collection, use, or storage of it does not necessarily fall within the “context of the activities”.
Address access by foreign alliance bodies: In light of growing demands by law enforcement for access, use, and transfer of personal information for investigative purposes across jurisdictions– the Regulation should define the circumstances in which personal data protected by its provisions can be accessed and used by foreign intelligence bodies, and the procedure by which to do so. The Regulation should address challenges such as access by foreign intelligence bodies to data stored on the cloud and data that has passed through/is stored on foreign networks/servers.

For more details visit https://cis-india.org/internet-governance/blog/open-letter-members-european-parliament-civil-liberties-justice-home-affairs-committee

Open letter to Kolaveri Di makers: How Dare You!

nishant — 2012-05-23T07:02:03Z

When it comes to piracy, you are sure to have an opinion. You might either make a virtue out of it, talking about cultural commons and collaborative conditions of production. Or you might vilify it as the social fault-line that is destroying the very pillars of commerce and cultural negotiations.

This article by Nishant Shah was published in First Post on May 22, 2012.

No matter which part of the fault-line you fall under, this is the time for all good (and otherwise ambiguously identified) people to come to the aid of the party. This is an open call for anybody who has been on the interwebz, to share and distribute one particular object whose rights protector have recently taken your right to access countless platforms which are a part of your everyday life online.

If you haven’t yet grasped it, I am referring to the recent events where, following a John Doe order from the High Court of Chennai, all kinds of file sharing platforms are suddenly being blocked by Internet Service Providers (ISPs) across India.

The film producers of ‘3’, the movie whose claim to fame has been the spectacular viral success of the Kolaveri Di song, have moved the courts to issue a blanket order that has suddenly made it impossible for Indian netizens to access file sharing, user-generated-content hosting websites which allowed for digital cultural texts – from print to music to movies to presentations – to be shared and disseminated freely online.

The producers and those who support them, are glorying in this legal battle where they have identified nodes in our networks, through which their copyright information was potentially being pirated. They are hoping that by ensuring this lack of digital mobility for their film, they will be able to entice audiences to come into the theatres and spend their money ‘legitimately’ on the film.

They are revelling in the fact that hundreds of thousands of users have been thwarted in their attempts at copyright infringement. What they haven’t realised is that they have justified their box-office greed by infringing on your and my rights to perform everyday activities online.

I am sure there is going to be a smart-aleck riding a moral high horse, who will applaud this move and point out to me about the rights of the producers to protect their content. There are many who support this high-censorship which not only betrays the power of the Music And Film Industry Association (MAFIA, to friends) to curb us of our rights, but also the completely depraved technology apparatus of the State which seems to have no understanding of how the internet actually works.

However, i want to shift the focus from the rights of these victimised producers and right-holders to the right of the individual who is actually the structural unit of cyberspaces. And I want to suggest to you that these right-holders, who incidentally, have such global value only because the Kolaveri Di song put them on the global meme map, have now infringed upon my right to access my content which I had put out to share.

There are open content videos on Vimeo that we have produced through years of research and a huge amount of financial investment, which are now no longer available to people who want to view them.

There are powerpoint presentations and publications on file sharing sites, seeded through torrents, which are now impossible to access for people in India. A large amount of our personal research and lectures, which we have shared for educational purposes, are now not even available for us to download.

And we are not alone in this. Hundreds of thousands of individuals, who have shared openly licensed material, have now lost the ability to access that information because one private company wanted to make sure it made its profits.

I am not going to write a manifesto for the digital world, but I do want to put it out there, this new cultural MAFIA, grant to me my rights which their actions have violated. For every site that they have included in their banned list, they have disrespected the open, collaborative licenses that enabled sharing of information whose value, usage and worth is more than their commercial pot boiler, which shall hopefully be forgotten before we realise it was released in the markets.

Their commercially driven arrogance has suddenly demanded that we pay a price for the shared information, and that price should be to those who hold rights over the movie.

And so I am writing this open call, for you to come and demand your right. If that movie producer has the right to protect his interests, you and I have the right to protect ours. I demand that for every site that I am not able to access, for public domain information that I am entitled to, they pay us a penalty.

For more details visit https://cis-india.org/internet-governance/open-letter-to-kolaveri-di

Open letter to Hillary Clinton on Internet Freedom

sunil — 2012-09-04T08:28:02Z

Last month I wrote an open letter to Hillary Clinton. It was based on a presentation I that I made during a panel discussion at a Google sponsored conference titled Internet at Liberty 2012 in Washington DC on May 24, 2012.

Sunil Abraham's article was published in Thinking Aloud on July 17, 2012

The question that my panel tried to grapple with was "In a world where nearly nine out of ten Internet users are not American, what is the responsibility of United States institutions in promoting internet freedom?" My co-panelists were Cynthia Wong who is with the Centre for Democracy and Technology, Mohamed El Dahshan a writer and journalist, Dunja Mijatovic the OSCE Representative on Freedom of the Media.

Internet freedom is a curious subject. It is a technology specific liberty - for a moment consider television freedom. The US has more Muslims than India has Christians. But Indian television in the average hotel comes in hundreds and there are at least 3 channels of Christian preaching. But US television in hotels is usually less than 50 channels with no channels of Islamic preaching. In fact even the reception of secular channels from the Islamic World like Al Jazeera is still difficult in America. Can we accuse the US of not having television freedom since their television features Christian evangelists but not Muslim evangelists? Should it be part of India's foreign policy to evangelize television freedom given that there is a large domestic industry with clear international potential?

In an ideal world - citizens will possess technology-neutral freedom to communication and expression. But nothing can be farther from the truth. Communication technologies are regulated using a plethora of policies and practices and very often these have a chilling effect on freedoms.

The following is my response to the technology-specific demands for deregulation from the US Government.

Text of the Open Letter[2]

Recognise Access to Knowledge (A2K) as pre-condition for freedom of expression: There is no difference between aggressive enforcement of imbalanced and obsolete intellectual property laws and censorship. The need of the moment is not more enforcement to protect obsolete business models against the everyday practices of ordinary netizens but rather the reform of intellectual property law (levies, broader exceptions and limitations, pools, statutory and compulsory licenses, prizes etc.) to keep pace with innovations in technology and the production of knowledge and culture.

Recognise privacy as pre-condition for security: The alleged tension between privacy and security is a false dichotomy. Blanket surveillance by design compromises security. Surveillance is like salt in cooking — essential in very small quantities but dangerous even if slightly in excess. Blanket surveillance technologies are only going make things easier for — and will only serve as targets for — current and future online villains.

Don't lose the moral high-ground: Remember, with great power comes great responsibility. Other countries are waiting to cherry pick from your worst practices. Also don't use trade agreements to selectively export components of US policy without the accompanying safeguards for civil liberties and rights. Citizens in oppressive and authoritarian states are depending on the US government, courts and civil society to protect their rights online. Don't undermine their capacity to shame their governments by holding up the US as the example of 'how to get things right'. They urgently need the US government to lead by example.

Recognise that freedom of expression has become a trade issue: This is unfortunate but this is true — thanks to the precedent set by the developed world when it came to asymmetric trade negotiations. Just as the US is interested in protecting the interests of its corporations in global markets — other governments are keen protect the interests of their own corporations. The optimal solution in this case is where all countries and corporations are equally unsatisfied. This will remain a continuing discussion.

Address developing country anxieties around critical internet infrastructure: Security by obscurity will no longer do — security by transparency through open standards, technologies and governance is the only way to fears and build a trust-worthy and secure Internet for all of us. For example, there is urgent need to develop standards for supply chain audits of information infrastructure. The US has dealt with the fear of back doors by banning the use of hardware and software from countries it does not trust. The developing world is not sure if there are back-doors in hardware and software manufactured by US corporations.

Time has comes to address this and other related anxieties.

Appreciate diversity in nomenclature: 'Freedom' and 'liberty' may be appropriate terms to use in the United States of America. But openness may be more in countries that are not yet full and robust liberal democracies. The Internet Governance Forum for example uses 'openness' instead of 'freedom'. Openness is also preferred because it includes 'freedom of expression', 'freedom of information' (also known as right to information, access to information or public and 'free knowledge' (free software, open standards, open content, open access, open data, open educational resources, etc.)

Don't be too instrumental in your interventions: Don't undermine the local credibility of like-minded civil society, think-tanks and research organisations by being too directive in your support. Managerialism will undermine reform of policies and practices in information societies and so does inappropriate/premature monitoring and evaluation (for example, looking for explicit attribution in terms of casual connections between your actions and outcomes). There is a need to support greater reflexivity in the global information society by developing institutional capacity in developing countries through unrestricted funding. True critical thinking is the foundation of both scientific progress and open societies. Go out of your way to find and support those who disagree with you. Protect the plural foundation of our networked society!

Video

Sunil Abraham was a speaker along with Cynthia Wong, Mohamed El Dahshan and Dunja Mijatovic in Plenary IV Debate 3 at the Internet at Liberty 2012 event organised by Google on May 24, 2012.

View the video on YouTube

For more details visit https://cis-india.org/internet-governance/open-letter-to-hillary-clinton

Open Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation

elonnai — 2013-07-12T11:07:58Z

India shouldn't be granted the status of "data secure nation" by Europe until it enacts a suitable privacy legislation, points out the Centre for Internet and Society in this open letter.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

This letter is with regards to both the request from the Confederation of Indian Industry that the EU recognize India as a data secure nation made on April 29th 2013, [1] and the threat from India to stall negotiations on the Free Trade Agreement with the EU unless recognized as data secure nation made on May 9th 2013.[2]

On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.

The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will not have an incentive to enact a legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation. In 2011 the “Draft Privacy Bill 2011” was leaked.[3] In 2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt. [4] In 2013 the need for a stand alone privacy legislation was highlighted by the Law Minister.[5] The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013” - a citizen's version of a possible privacy legislation for India.[6] Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 - August 2013.[7] The purpose of the roundtables is to gain public feedback to the text of the “Privacy Protection Bill 2013”, and other possible frameworks for privacy in India. The discussions and recommendations from the meeting will be published into a compilation and presented at the Internet Governance meeting in October 2013.

The Center for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.

The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation of the 15th Lok Sabha.[8]

We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.

[1]. CII asks EU to accept India as 'Data Secure' nation: http://bit.ly/15Z77dH

[2]. India threatens to stall trade talks with EU: http://bit.ly/1716aF1

[3]. New privacy Bill: Data Protection Authority, jail term for offence: http://bit.ly/emqkkH

[4]. The Report of the Group of Experts on Privacy http://bit.ly/VqzKtr

[5]. Law Minister Seeks stand along privacy legislation, writes PM: http://bit.ly/16hewWs

[6]. The Privacy Protection Bill 2013 drafted by CIS: http://bit.ly/10eum5d

[7]. Privacy Roundtable: http://bit.ly/12HYoj5

[8]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: http://bit.ly/Z2FjX6

Note: CIS sent the letters to Data Protection Commissioners across Europe.

For more details visit https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation

Open House on Security Practices in FinTech

Admin — 2017-11-12T10:18:09Z

CIS in collaboration with Has Geek is organizing an Open House on security practices in FinTech.

The prevalence of fintech companies operating in India is growing with new actors entering the sector and traditional actors such as banks beginning to offer digital financial services. The push to digital payments has been particularly strong after the demonetization policy, the development and implementation of Aadhaar and India Stack. Services offered by Fintech firms can range from offering a loan or credit to a digital wallet and digital banking and payment services.

Presently, there is a regulatory gap for many of the fintech services and business models. The Reserve Bank of India has published consultation papers on Peer-to-Peer lending platforms as well as Account Aggregators, but comprehensive regulations, especially those surrounding minimum security practices, have yet to emerge – presenting a critical policy and research window. Furthermore, under Section 43A of the IT Act and its associated Rules, ‘body corporates’ are required to implement reasonably security procedures compliant with ISO27001 or a sectoral standard approved by the Central Government. However, currently such a sectoral standard is absent for the FinTech and Digital Payments space.

The growing prevalence of these fintech technologies and the criticality of security of the same to engender citizen trust, protect rights, and comprehensive national security posture demands debate and discussion.

On November 17th, the HasGeek in collaboration with the Centre for Internet and Society will be holding an Open House from 6pm - 8pm to discuss security practices in the fintech industry.

Pressing questions for discussion include: How secure are these services? What security standards are they adhering to? Who is holding them accountable for adherence to security standards? What can individuals do if there financial data is compromised?

Please join us for a robust discussion on these issues @HasGeek House, 2699, 19th Main Rd, HAL 2nd Stage, Indiranagar, 19th Main Rd, HAL 2nd Stage, Indiranagar, Bengaluru, Karnataka 560008 from 6PM - 8 PM on November 17th.

For more details visit https://cis-india.org/internet-governance/events/open-house-on-security-practices-in-fintech

Open house on information breaches

praskrishna — 2017-06-07T00:41:55Z

On May 26, 2017 at the Has Geek open house participants discussed the state of information security in India the legal and regulatory measures that companies must comply with, and consumers should be aware of. Udbhav Tiwari was a speaker at the event organized by Has Geek in Bengaluru.

Sandesh Anand–InfoSec professional at Cigital was the other speaker. Alok Prasanna Kumar, former Supreme Court advocate and Senior Resident Fellow at the Vidhi Centre for Legal policy, moderated the discussion. Udbhav spoke about Breach Notifications and the legal and regulatory positions behind it in India. His presentation from the event can be found here: https://goo.gl/51GDba

For more details visit https://cis-india.org/internet-governance/news/open-house-on-information-breaches