We are anonymous, we are legion

The Technology behind Big Data

Geethanjali Jujjavarapu and Udbhav Tiwari — 2016-12-04T09:53:43Z

The authors undertakes a high-level literature review of the most commonly used technological tools and processes in the big data life cycle. The big data life cycle is a conceptual construct that can be used to study the various stages that typically occur in collecting, storing and analysing big data, along with the principles that can govern these processes.

Download the Paper (PDF, 277 kb)

Introduction

Defining big data is a disputed area in the field of computer science^{^[1]}, there is some consensus on a basic structure to its definition^{^[2]}. Big data is data that is collected in the form of datasets that has three main criteria: size, variety & velocity, all of which operate at an immense scale^{^[3]}. It is ‘big’ in size, often running into petabytes of information, has vast variety within its components, and is created, captured and analysed at an incredibly rapid velocity. All of this also makes big data difficult to handle using traditional technological tools and techniques.

This paper will attempt to perform a high-level literature review of the most commonly used technological tools and processes in the big data life cycle. The big data life cycle is a conceptual construct that can be used to study the various stages that typically occur in collecting, storing and analysing big data, along with the principles that can govern these processes. The big data life cycle consists of four components, which will also be the key structural points of the paper, namely: Data Acquisition, Data Awareness, Data Analytics & Data Governance.⁴ The paper will focus on the aspects that the author believes are relevant for analysing the technological impact of big data on both technology itself and society at large.

Scope: The scope of the paper is to study the technology used in big data using the "Life Cycle of Big Data" as model structure to categorise & study the vast range of technologies that are involved in big data. However, the paper will be limited to the study of technology related directly to the big data life cycle. It shall specifically exclude the use/utilisation of big data from its scope since big data is most often being fed into other, unrelated technologies for consumption leading to rather limitless possibilities.

Goal: Goal of the paper is twofold: a.) to use the available literature on the technological aspects of big data, to perform a brief overview of the technology in the field and b.) to frame the relevant research questions for studying the technology of big data and its possible impact on society.

Data Acquisition

Acquiring big data has two main sub components to it, the first being sensing the existence of the data’ itself and the second, the stage of collecting and storing this data. Both of these subcomponents are incredibly diverse fields, with lots of rapid change occurring in the technology utilised to carry out these tasks. The section will provide a brief overview of the subcomponents and then discuss the technology used to fulfil the tasks.

Data Sensing

Data does not exist in a vacuum and is always created as a part of a larger process, especially in the aspect of modern technology. Therefore, the source of the data itself plays a vital role in determining how it can be captured and analysed in the larger scheme of things. Entities constantly emit information into the environment that can be utilised for the purposes of big data, leading to two main kinds of data: data that is “born digital” or “born analogue.”^{^[4]}

Born Digital Data

Information that is “born digital,” is created, by a user or by a digital system, specifically for use by a computer or data‐processing system. This is a vast range of information and newer fields are being added to this category on a daily basis. It includes, as a short, indicative list: email and text messaging, any form of digital input, including keyboards, mouse interactions and touch screens, GPS location data, data from daily home appliances (Internet of Things), etc. All of this data can be tracked and tagged to users as well as be aggregated to form a larger picture, massively increasing the scope of what may constitute the ‘data’ in big data.

Some indicative uses of how such born digital data is catalogued by technological solutions on the user side, prior to being sent for collection/storage are:

a.) Cookies - There are small, often just text, files that are left on user devices by websites in order to that visit, task or action (for example, logging into an email account) with a subsequent event.^{^[5]} (for example, revisiting the website)

b.) Website Analytics^{^[6]} - Various services, such as Google Analytics, Piwik, etc., can use JavaScript and other web development languages to record a very detailed, intimate track of a user's actions on a website, including how long a user hovers above a link, the time spent on the website/application and in some cases, even the time spent specific aspects of the page.

c.) GPS^{^[7]} - With the almost pervasive usage of smartphones with basic location capabilities, GPS sensors on these devices are used to provide regular, minute driven updates to applications, operating systems and even third parties about the user's location. Modern variations such as A-GPS can be used to provide basic positioning information even without satellite coverage, vastly expanding the indoor capabilities of location collection.

All of these instances of sensing born digital data are common terms, used in daily parlance by billions of people from all over the world, which is a symbolic of just how deeply they have pervaded into our daily lifestyle. Apart from privacy & security concerns this in turn also leads to an exponential increase in the data available to collect for any interested party.

Sensor Data

Information is said to be “analogue” when it contains characteristics of the physical world, such as images, video, heartbeats, etc. Such information becomes electronic when processed by a “sensor,” a device that can record physical phenomena and convert it into digital information. Some examples to better illustrate information that is born analogue but collected via digital means are:

a.) Voice and/or video content on devices - Apart from phone calls and other forms communication, video and voice based interactions have started to regularly be captured to provide enhanced services. These include Google Now^{^[8]}, Cortana^{^[9]} and other digital assistants as well as voice guided navigation systems in cars, etc.

b.) Personal health data such as heartbeats, blood pressure, respiration, velocity, etc. - This personal, potentially very powerful information is collected by dedicated sensors on devices such as Fitbit^{^[10]}, Mi Band^{^[11]}, etc. as well as by increasingly sophisticated smartphone applications such as Google Fit that can do so without any special device.

c.) Camera on Home Appliances - Cameras and sensors on devices such as video game consoles (Kinect^{^[12]} being a relevant example) can record detailed human interactions, which can be mined for vast amounts of information apart from carrying out the basic interactions with the devices itself.

While not as vast a category as born digital data, the increasingly lower costs of technology and ubiquitous usage of digital, networked devices is leading to information that was traditionally analogue in nature to be captured for use at a rapidly increasing rate.

Data Collection & Storage

Traditional data was normally processed using the Extract, Transform, Load (ETL) methodology, which was used to collect the data from outside sources, modify the data to fit needs, and then upload the data into the data storage system for future use.^{^[13]} Technology such as spreadsheets, RDBMS databases, Structured Query Languages (SQL), etc. were all initially used to carry out these tasks, more often than not manually. ^{^[14]}

However, for big data, the methodology traditionally followed is both inefficient and insufficient to meet the demands of modern use. Therefore, the Magnetic, Agile, Deep (MAD) process is used to collect and store data^{^[15]}^{^[16]}. The needs and benefits of such a system are: attracting all the data sources regardless of their quality (magnetic), logical and physical contents of storage systems adapting to the rapid data evolution in big data (agile) and complex algorithmic statistical analysis required of big data on a very short notice^{^[17]}. (deep)

The technology used to perform data storage using the MAD process requires vast amount of processing power, which is very difficult to create in a single, physical space/unit for nonstate or research entities, who cannot afford supercomputers. Therefore, most solutions used in big data rely on two major components to store data: distributed systems and Massive Parallel Processing^{^[18]} (MPP) that run on non-relational (in-memory) database systems. Database performance and reliability is traditionally gauged using pure performance metrics (FLOPS per second, etc.) as well as the Atomicity, consistency, isolation, durability (ACID) criteria.^{^[19]} The most commonly used database systems for big data applications are given below. The specific operational qualities and performance of each of these databases is beyond the scope of this review but the common criteria that makes them well suited for big data storage have been delineated below.

Non-relational databases

Databases traditionally used to be structured entities that operated solely on the ability to correlate information stored in them using explicitly defined relationships. Even prior to the advent of big data, this outlook was turning out to be a limiting factor in how large amounts of stored information could be leveraged, this led to the evolution of non relational database systems. Before going into them in detail, a basic primer on their data transfer protocols will be helpful in understanding their operation.

A protocol is a model that structures instructions in a particular manner so that it can be reproduced from one system to another^{^[20]}^{^[21]}. The protocols which govern technology in the case of big data have gone through many stages of evolution, starting off with simple HTML based systems^{^[22]}, which then evolved to XML driven SOAP systems^{^[23]}, which led to JavaScript Object Notation, or JSON^{^[24]}, the currently used form for in most big database systems. JSON is an open format used to transfer data objects, using human-readable text and is the basis for most of the commonly used non-relational database management systems. Examples of Non-relational databases also known as NoSQL databases, include MongoDB^{^[25]}, Couchbase^{^[26]}, etc. They were developed for both managing as well as storing unstructured data. They aim for scaling, flexibility, and simplified development. Such databases rather focus on the high-performance scalable data storage, and allow tasks to be written in the application layer instead of databases specific languages, allowing for greater interoperability.^{^[27]}

In-Memory Databases

In order to overcome performance limitation of traditional database systems, some modern databases now use in-memory databases. These systems manage the data in the RAM memory of the server, thus eliminating storage disk input/output. This allows for almost realtime responses from the database, in comparisons to minutes or hours required on traditional database systems. This improvement in the performance is so massive that, entirely new applications are being developed for using IMDB systems.^{^[28]} These IMDB systems are also being used for advanced analytics on big data, especially to increase the access speed to data and increase the scoring rate of analytic models for analysis.^{^[29]} Examples of IMDB include VoltDB^{^[30]}, NuoDB^{^[31]}, SolidDB^{^[32]} and Apache Spark^{^[33]}.

Hybrid Systems

These are the two major systems used to store data prior to it being processed or analysed in a big data application. However, the divide between data storage and data management is a slim one and most database systems also contain various unique attributes that cater them to specific kinds of analysis. (as can be seen from the IMDB example above) One example of a very commonly used Hybrid system that deals with storage as well as awareness of the data is Apache Hadoop³³, which is detailed below.

Apache Hadoop

Hadoop consists of two main components: the HDFS for the big data storage, and MapReduce for big data analytics, each of which will be detailed in their respective section.

The HDFS^{^[34]}^{^[35]} storage function in Hadoop provides a reliable distributed file system, stored across multiple systems for processing & redundancy reasons. The file system is optimized for large files, as single files are split into blocks and spread across systems known as cluster nodes.^{^[36]} Additionally, the data is protected among the nodes by a replication mechanism, which ensures availability even if any node fails. Further, there are two types of nodes: Data Nodes and Name Nodes.^{^[37]} Data is stored in the form of file blocks across the multiple Data Nodes while the Name Node acts as an intermediary between the client and the Data Node, where it directs the requesting client to the particular Data Node which contains the requested data.

This operating structure for storing data also has various variations within Hadoop such as HBase for key/value pair type queries (a NoSQL based system), Hive for relational type queries, etc. Hadoop’s redundancy, speed, ability to run on commodity hardware, industry support and rapid pace of development have led to it being almost co-equivalently associated with big data.^{^[38]}

Data Awareness

Data Awareness, in the context of big data, is the task of creating a scheme of relationships within a set of data, to allow different users of the data to determine a fluid yet valid context and utilise it for their desired tasks.^{^[39]} It is a relatively new field, in which most of the work is currently being done on semantic structures to allow data to gain context in an interoperable format, in contrast to the current system where data is given context using unique, model specific constructs.^{^[40]} (such as XML Schemes, etc.)

Some of the original work on this field was carried out in the form of utilising the Resource Description Framework (RDF), which was built primarily to allow describing of data in a portable manner, especially being agnostic towards platforms and systems for Semantic Web at the W3C. SPARQL is the language used to implement RDF based designs but both largely remain underutilised in both the public domain as well as big data. Authors such as Kurt

Cagle^{^[41]} and Bob DuCharme^{^[42]} predict its explosion in the next couple of years. Companies have also started realising the value of interoperable context, with Oracle Spatial^{^[43]} and IBM’s DB2^{^[44]} already including RDF and SPARQL support in the past 3 years.

While underutilised, the rapid developments taking place in the field will make the impact that data awareness may have on big data as big as Hadoop and maybe even SQL. Some aspects of it are already beginning to be used in Artificial Intelligence, Natural Language Processing, etc. with tremendous scope for development.^{^[45]}

Data Processing & Analytics

Data Processing largely has three primary goals: a. determines if the data collected is internally consistent; b. make the data meaningful to other systems or users using either metaphors or analogy they can understand; and (what many consider most importantly) provide predictions about future events and behaviours based upon past data and trends.^{^[46]}

Being a very vast field with rapidly changing technologies governing its operation, this section will largely concentrate on the most commonly used technologies in data analytics.

Data analytics requires four primary conditions to be met in order to carry out effective processing: fast, data loading, fast query processing, efficient utilisation of storage and adaptivity to dynamic workload patterns. The analytical model most commonly associated with meeting this criteria and with big data in general is MapReduce, detailed below. There are other, more niche models and algorithms (such as Project Voldemort^{^[47]} used by LinkedIn), which are used in big data but they are beyond the scope of the review, and more information about them can be read at article linked in the previous citation. (Reference architecture and classification of technologies, products and services for big data system)

MapReduce

MapReduce is a generic parallel programming concept, derived from the “Map” and “Reduce” of functional programming languages, which makes it particularly suited for big data operations. It is at the core of Hadoop^{^[48]}, and performs the data processing and analytics functions in other big data systems as well.^{^[49]} The fundamental premise of MapReduce is scaling out rather than scaling up, i.e., (adding more numerical resources, rather than increasing the power of a single system)^{^[50]}

MapReduce operates by breaking a task down into steps and executing the steps in parallel, across many systems. This comes with two advantages, a reduction in the time needed to finish the task and also a decrease in the amount of resources one has to expend to perform the task, in both power and energy. This model makes it ideally suited for the large data sets and quick response times required of big data operations generally.

The first step of a MapReduce job is to correlate the input values to a set of keys/value pairs as output. The “Map” function then partitions the processing tasks into smaller tasks, and assigns them to the appropriate key/value pairs.^{^[51]} This allows unstructured data, such as plain text, to be mapped to a structured key/value pair. As an example, the key could be the punctuation in a sentence and the value of the pair could be the number of occurrences of the punctuation overall. This output of the Map function is then passed on “Reduce” function.^{^[52]} Reduce then collects and combines this output, using identical key/value pairs, to provide the final result of the task.^{^[53]} These steps are carried using the Job Tracker & Task Tracker in Hadoop but different systems have different methodologies to carry out similar tasks.

Data Governance

Data Governance is the act of managing raw big data as well as the processed information that arises from big data in order to meet legal, regulatory and business imposed requirements. While there is no standardized format for data governance, there have been increasing call with various sectors (especially healthcare) to create such a format to ensure reliable, secure and consistent big data utilisation across the board. The following tactics and techniques have been utilised or suggested for data governance, with varying degrees of success:

Zero-knowledge systems: This technological proposal maintains secrecy with respect to the low-level data while allowing encrypted data to be examined for certain higherlevel abstractions.^{^[54]} For the system to be zero-knowledge, the client’s system will have to encrypt the data and send it to the storage provider. Due to this, the provider stores the data in the encrypted format and cannot decipher the same unless he/she is in possession of the key which will decrypt the data into plaintext. This allows the individual to store his data with a storage provider while also maintaining anonymity of the details contained in such information. However, these are currently just beginning to be used in simple situations. As of now, they are not expandable to unstructured and complex cases and have to be developed marginally before they can be used for research and data mining purposes.
Homomorphic encryption: Homomorphic encryption is a privacy preserving technique which performs searches and other computations over data that is encrypted while also protecting the individual’s privacy.^{^[55]} This technique has however been considered to be impractical and is deemed to be an unlikely policy alternative for near future purposes in the context of preserving privacy in the age of big data.^{^[56]}
Multi-party computation: In this technique, computation is done on encrypted distributed data stores.^{^[57]} This mechanism is closely related to homomorphic encryption where individual data is kept private using encryption algorithms called “collusion-robust” while the same is used to calculate statistics.^{^[58]} The parties involved are aware of some private data and each of them use a protocol which produces results based on the information they are aware of and the information they are not aware of, without revealing the data they are not already aware of.^{^[59]} Multi-party computations thus help in generating useful data for statistical and research purposes without compromising the privacy of the individuals.

Differential Privacy: Although this technological development is related to encryption, it follows a different technique. Differential privacy aims at maximizing the precision of computations and database queries while reducing the identifiability of the data owners who have records in the database, usually through obfuscation of query results.^{^[60]} This is widely applied today in the existence of big data in order to ensure preservation of privacy while trying to reap the benefits of large scale data collection.^{^[61]}
Searchable encryption: Through this mechanism, the data subject can make certain data searchable while minimizing exposure and maximizing privacy.^{^[62]} The data owner can make his information available through search engines by providing the data in an encrypted format but by adding tags consisting of certain keywords which can be deciphered by the search engine. This encrypted data shows up in the search results when searched with these particular keywords but can only be read when the person is in possession of the key which is required for decrypting the information.

This technique of encryption provides maximum security to the individual’s data and preserves privacy to the greatest possible extent.

K-anonymity: The property of k-anonymity is being applied in the present day in order to preserve privacy and avoid re-identification.^{^[63]} A certain data set is said to possess the property of k-anonymity if individual specific data can be released and used for various purposes without re-identification. The analysis of the data should be carried out without attributing the data to the individual to whom it belongs and should give scientific guarantees for the same.
Identity Management Systems: These systems enable the individuals to establish and safeguard their identities, explain those identities with the help of attributes, follow the activity of their identities and also delete their identities if they wish to.^{^[64]} It uses cryptographic schemes and protocols to make anonymous or pseudonymous the identities and credentials of the individuals before analysing the data.
Privacy Preserving Data Publishing: This is a method in which the analysts are provided with the individual’s personal information with the ability to decipher particular information from the database while preventing the inference of certain other information which might lead to a breach of privacy.^{^[65]} Data which is essential for the analysis will be provided for processing while sensitive data will not be disclosed. This tool primarily focuses on microdata.
Privacy Preserving Data Mining: This mechanism uses perturbation methods and randomization along with cryptography in order to permit data mining on a filtered version of the data which does not contain any form of sensitive information. PPDM focuses on data mining results unlike PPDP.^{^[66]}

Conclusion

Studying the technology surrounding big data has led to two major observations: the rapid pace of development in the industry and the stark lack of industry standards or government regulations directed towards big data technologies. These observations have been the primary motivating factor for framing further research in the field. Understanding how to deal with big data technologically, rather than just the potential regulation of possible harms after the technological processes have been performed might be critical for the human rights dialogue as these processes become even more extensive, opaque and technologically complicated.

[1] EMC: Data Science and Big Data Analytics. In: EMC Education Services, pp. 1–508 (2012)

[2] Bakshi, K.: Considerations for Big Data: Architecture and Approaches. In: Proceedings of the IEEE Aerospace Conference, pp. 1–7 (2012)

[3] Adams, M.N.: Perspectives on Data Mining. International Journal of Market Research 52(1), 11–19 (2010) ⁴ Elgendy, N.: Big Data Analytics in Support of the Decision Making Process. MSc Thesis, German University in Cairo, p. 164 (2013)

[4] Big Data and Privacy: A Technological Perspective - President’s Council of Advisors on Science and

Technology (May 2014)

[5] Chen, Hsinchun, Roger HL Chiang, and Veda C. Storey. "Business Intelligence and Analytics: From Big Data to Big Impact." MIS quarterly 36.4 (2012): 1165-1188.

[6] Chandramouli, Badrish, Jonathan Goldstein, and Songyun Duan. "Temporal analytics on big data for web advertising." 2012 IEEE 28th international conference on data engineering. IEEE, 2012.

[7] Laurila, Juha K., et al. "The mobile data challenge: Big data for mobile computing research." Pervasive Computing. No. EPFL-CONF-192489. 2012.

[8] Lazer, David, et al. "The parable of Google flu: traps in big data analysis." Science 343.6176 (2014): 12031205.

[9] ibid

[10] Banaee, Hadi, Mobyen Uddin Ahmed, and Amy Loutfi. "Data mining for wearable sensors in health monitoring systems: a review of recent trends and challenges." Sensors 13.12 (2013): 17472-17500.

[11] ibid

[12] Chung, Eric S., John D. Davis, and Jaewon Lee. "Linqits: Big data on little clients." ACM SIGARCH Computer Architecture News. Vol. 41. No. 3. ACM, 2013.

[13] Kornelson, Kevin Paul, et al. "Method and system for developing extract transform load systems for data warehouses." U.S. Patent No. 7,139,779. 21 Nov. 2006.

[14] Henry, Scott, et al. "Engineering trade study: extract, transform, load tools for data migration." 2005 IEEE Design Symposium, Systems and Information Engineering. IEEE, 2005.

[15] Cohen, Jeffrey, et al. "MAD skills: new analysis practices for big data." Proceedings of the VLDB Endowment

[16] .2 (2009): 1481-1492.

[17] Elgendy, Nada, and Ahmed Elragal. "Big data analytics: a literature review paper." Industrial Conference on Data Mining. Springer International Publishing, 2014.

[18] Wu, Xindong, et al. "Data mining with big data." IEEE transactions on knowledge and data engineering 26.1 (2014): 97-107.

[19] Supra Note 17

[20] Hu, Han, et al. "Toward scalable systems for big data analytics: A technology tutorial." IEEE Access 2 (2014):

[21] -687.

[22] Kurt Cagle, Understanding the Big Data Lifecycle - LinkedIn Pulse (2015)

[23] Coyle, Frank P. XML, Web services, and the data revolution. Addison-Wesley Longman Publishing Co., Inc., 2002.

[24] Pautasso, Cesare, Olaf Zimmermann, and Frank Leymann. "Restful web services vs. big'web services: making the right architectural decision." Proceedings of the 17th international conference on World Wide Web. ACM, 2008.

[25] Banker, Kyle. MongoDB in action. Manning Publications Co., 2011

[26] McCreary, Dan, and Ann Kelly. "Making sense of NoSQL." Shelter Island: Manning (2014): 19-20.

[27] ibid

[28] Zhang, Hao, et al. "In-memory big data management and processing: A survey." IEEE Transactions on Knowledge and Data Engineering 27.7 (2015): 1920-1948.

[29] ibid

[30] ibid

[31] Supra Note 20

[32] Ballard, Chuck, et al. IBM solidDB: Delivering Data with Extreme Speed. IBM Redbooks, 2011.

[33] Shanahan, James G., and Laing Dai. "Large scale distributed data science using apache spark." Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, 2015. ³³ Shvachko, Konstantin, et al. "The hadoop distributed file system." 2010 IEEE 26th symposium on mass storage systems and technologies (MSST). IEEE, 2010.

[34] Borthakur, Dhruba. "The hadoop distributed file system: Architecture and design." Hadoop Project Website

[35] .2007 (2007): 21.

[36] ibid

[37] ibid

[38] Zikopoulos, Paul, and Chris Eaton. Understanding big data: Analytics for enterprise class hadoop and streaming data. McGraw-Hill Osborne Media, 2011.

[39] Bizer, Christian, et al. "The meaningful use of big data: four perspectives--four challenges." ACM SIGMOD Record 40.4 (2012): 56-60.

[40] Kaisler, Stephen, et al. "Big data: issues and challenges moving forward." System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013.

[41] Supra Note 21

[42] DuCharme, Bob. "What Do RDF and SPARQL bring to Big Data Projects?." Big Data 1.1 (2013): 38-41.

[43] Zhong, Yunqin, et al. "Towards parallel spatial query processing for big spatial data." Parallel and

Distributed Processing Symposium Workshops & PhD Forum (IPDPSW), 2012 IEEE 26th International. IEEE, 2012.

[44] Ma, Li, et al. "Effective and efficient semantic web data management over DB2." Proceedings of the 2008 ACM SIGMOD international conference on Management of data. ACM, 2008.

[45] Lohr, Steve. "The age of big data." New York Times 11 (2012).

[46] Pääkkönen, Pekka, and Daniel Pakkala. "Reference architecture and classification of technologies, products and services for big data systems." Big Data Research 2.4 (2015): 166-186.

[47] Sumbaly, Roshan, et al. "Serving large-scale batch computed data with project voldemort." Proceedings of the 10th USENIX conference on File and Storage Technologies. USENIX Association, 2012.

[48] Bar-Sinai, Michael. "Big Data Technology Literature Review." arXiv preprint arXiv:1506.08978 (2015).

[49] ibid

[50] Condie, Tyson, et al. "MapReduce Online." Nsdi. Vol. 10. No. 4. 2010.

[51] Supra Note 47

[52] Dean, Jeffrey, and Sanjay Ghemawat. "MapReduce: a flexible data processing tool." Communications of the ACM 53.1 (2010): 72-77.

[53] ibid

[54] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[55] Tene, Omer, and Jules Polonetsky. "Big data for all: Privacy and user control in the age of analytics." Nw. J. Tech. & Intell. Prop. 11 (2012): xxvii.

[56] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[57] Privacy by design in big data, ENISA

[58] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[59] Id

[60] Id

[61] Tene, Omer, and Jules Polonetsky. "Privacy in the age of big data: a time for big decisions." Stanford Law Review Online 64 (2012): 63.

[62] Lane, Julia, et al., eds. Privacy, big data, and the public good: Frameworks for engagement. Cambridge University Press, 2014.

[63] Crawford, Kate, and Jason Schultz. "Big data and due process: Toward a framework to redress predictive privacy harms." BCL Rev. 55 (2014): 93.

[64] http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[65] Seda Gurses and George Danezis, A critical review of 10 years of privacy technology, August 12th 2010, http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[66] Id

For more details visit https://cis-india.org/internet-governance/blog/technology-behind-big-data

Comments to the BIS on Smart Cities Indicators

Elonnai Hickok, Rohini Lakshané and Udbhav Tiwari — 2016-12-11T07:56:16Z

The Bureau of Indian Standards released the Smart Cities - Indicator on 30 September 2016. The Centre for Internet & Society (CIS) presented its views.

View the PDF

Name of the Commentator/ Organisation: The Centre for Internet and Society, India^[1]

PRELIMINARY

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Smart Cities - Indicators (dated 30 September 2016), released by the Bureau of Indian Standards (“BIS”).
CIS is thankful for the opportunity to put forth its views.
This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.

ABOUT CIS

CIS is a non-profit organisation^{^[2]} that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.
CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

III. Comments

Clause/ Para/ Table/ Figure No. commented	Comments/Modified Wordings	Justification of Proposed Change
General Comment	The indicators could generally utilize more of smart data, from both analog and digital sources, to better reflect the performance of various	Using technology to gather information rather than limiting its scope to existing mostly non-digital sources of data. There is a lot of potential information,

	indicators.	already collected, that simply goes unused or underutilized. Principled use of such information to make informed decisions on key aspects of urban development will lead to ‘truly’ smart cities. Further, the indicators should include actionable aspects and include avenues to leverage research to better their performance. Moreover, indicators that allow for audits for rights and transparency should be focused on as core indicators.
General Comment	Indicators are limited in scope to basic sustainability.	The indicators in their current form restrict themselves to sustainability, focused on basic sustenance, which seems to limit the scope of the Smart Cities project. Having a core set of indicators that is more relevant to India but also have an optional, more ambitious set of indicators for cities to become truly advanced and for the standard to be more dynamic. Encourage them by leveraging technology in a sustainable, human welfare and development-oriented approach, which the indicators can inculcate. Further, policy pivots being driven by these indicators could be given to make the decision making in smart cities more transparent and accountable.
Economy	Granularity of information pertaining to macro-level economic indicators	All the indicators in the Economic section pertain to macro-level standards/ indicators. Their limitation is that they provide very little information about the diversity of the economy of a city, the factors responsible for positive or negative effects and offer no real way to encourage microeconomic changes that can lead to the improvement of the economic condition of a city, aided by modern technology. Example indicators could be: average GDP of districts within a city, and total number of operating businesses and merchants in sub-localities in the city. All of this data can also be used to drive micro policies to enable localized development.

Education	Include data at city-level and indicators for higher education.	The indicators measured in the Education section only look at city level information about schools, ignoring district and even school level information already recorded and present in the system. Teacher and student attendance rates, level of basic infrastructure present in schools, presence of toilets for both genders, provisions for meals, etc. are some of the parameters that can be included in the indicator list. Further, the list completely excludes college education (both degree and diploma level) as a relevant indicator, nor does it include indicators for the average education of the population of the city, both of which can be easily measured using census data.

		Further, data that allows for a holistic decision making process - poverty levels, distance to schools, transportation levels, access to higher learning, etc. can also be used as supporting indicators. These could come from studies already done that call out the factors.
5. Education 5.1, 5.2, 5.3, 5.5	Include gender-specific indicators for students completing primary education, secondary education, and higher education, and enrolled in education institutions. Change the term “survival rate” to “retention rate”.	Indicators for the “survival rate” (may be better represented as retention rate) of students who identify as female or transgender in schools and universities, and enrollment of school-aged and college-aged girls, women and transgender students would help work towards an inclusive smart city.
Energy	Better utilisation of data from digital electricity meters.	The advent of digital meters allows for home/business level capturing of energy usage. This information can be leveraged to better target energy leaks, theft, repair work, pricing and even renewable energy incentives.
Finance	Indicators for digital and cashless payment and transaction systems.	The strong push by the government towards digital payments could also be reflected on the list of indicators, such as the “number of establishments accepting (and not accepting) digital payment systems” being a supporting indicator. Similar standards can be extended to include microfinance (number of avenues available for lending, successful payback of loans, et cetera.)

Governance	Recommended inclusion of indicators pertaining to the Right to Information Act, 2005	The number of requests made under the Right to Information Act, 2005, and the time taken by the responding office to reply to them (in terms of the number of days) by the government offices in the city as a relevant factor to gauge transparency and accountability of the governance structures. The same can also be extended to map the parliamentary performance of the elected officials from the city at the state and national level, especially for the interests of the city. Parliamentary performance here would mean attendance records, number of question raised, resources spent on constituency development, et cetera.
10. Governance 10.2, 10.3, 10.6	Indicators for the number of women and transgenders elected to public office in the city, employed in the government workforce in the city in reserved positions. Indicators for women and transgendered voters registered as a percentage of the voting-age population.	In the interest of inclusive smart cities, this indicator would help fathom if positions reserved for women and transgenders are filled out and the possible reasons, if any, for some of them going vacant.The number of women and transgender voters would help track the participation of women and transgendered voters in democracy. Further, inclusion of indicators that check voter fraud, political participation levels and technologies that enable secure voter participation and involvement would also be beneficial.
Health	“Cost of basic health services” and number of healthcare facilities as a supporting indicator.	The cost, quality and access of public primary healthcare services, which can be easily measured using digital systems, should also be included in the overall scheme as a supporting indicator.

Recreation	“Utilisation of public spaces” as a supporting indicator.	Information about the utilisation of public spaces, such as parks and grounds. can be included as a supporting indicator. Relevant information could footfalls per month or year, number of public events held at these locations, et cetera. Most of this information is already present via figures for ticket sales while the rest could be collected using digital attendance systems. Other supporting indicators could include green space per resident, play area/park space per child, quality of the public space - (lack of garbage, sewage, etc).
Safety	“Overall crime reporting statistics”as a core indicator.	The overall incidence rates of various crimes reported, crimes solved, and data regarding investigations (such as mapping of the crime to a map, number of FIR's filed, not filed, outcomes of investigations, etc.) should all be included as core indicators to better gauge the safety record of the city.
Safety 13.3	Include “crimes carried out using technology or the Internet, as per the Criminal Procedure Code and Information Technology Act, 2008 (Amended)”.	This indicator will expand the scope of crimes against women to include acts of crime carried out using the Internet as well.
Safety 13.4	Include “Response time of the police department from the initial call in instances of crimes against women”	This would include crimes against women as defined in 13.3. This indicator gives more granular information about safety in general and women’s safety in particular, and of the perception of certain kinds of crimes not being serious enough for the police to respond to.

Shelter	Expansion of indicators to include per capita living space, basic amenities within the houses.	The scope of shelter should be expanded to include per capita living space in housing units as well as availability of basic home amenities to provide a more wholesome view of the living situation in a city. Some basic amenities that could be included are electricity uptime, water distribution (in liters/ per household), number of residents in the household, kind of house roofing, etc.
Telecommunication and Innovation	Inclusion of indicators on mobile phone usage, mobile network connectivity and computer literacy.	There are no indicators for mobile phone usage and computer literacy, both of which are essential for the healthy functioning of any city. Indicators to gauge this could include number of mobile phone users, number of (active) mobile connections, number of computer literate people, etc. Similar indicators should also be included for cellphone network coverage, public WiFi connectivity and digital public service provisions as well. Indicators for the same could be number of neighbourhoods/ localities/ suburbs covered by 2G/3G/4G/ 5G out of the total number in city, total number of Public WiFi spots per unit area, etc.
Transportation	Inclusion of indicators for efficiency, sustainability and planning of city-level transportation.	The current set of indicators do not include indicators to measure the efficiency, fuel consumption, sustainability and reach of public transport, especially in the outskirts or suburban areas. These can be included as supporting indicators: the number of GPS-connected public transport vehicles to the total number, number of vehicles equipped with panic buttons, quantum of vehicles in the city using renewable energy sources as fuel, automation of toll booths, automation of points where traffic offences can be logged (e.g illegal honking) or overspeeding.

Urban Planning	Digital information, such as geospatial data, remote sensing and digital mapping can be used to provide better and more sustainable core indicators.	Geo-spatial information (from surveys and satellites) can be utilised to provide macro-level data that can then be utilised to factor city expansions, illegal structures, suburban development, etc. Digital mapping and remote sensing capabilities can be leveraged to provide this information and the utilisation of such information in city development can be made a supporting indicator.
Sewerage and Sanitation	Indicators governing community hygiene and sanitation.	Information about covered toilets per capita of the population, sewage treatment plants, etc. are either absent or too vaguely detailed in the current set of indicators, despite the push from the government towards the Swachh Bharat programme. They should be included as Core Indicators to encourage sanitation at a citizen level.
Water Supply	Indicators for digital measurement of water consumption per capita and at the city-level.	Digital water meters are starting to become pervasive and can provide detailed information about water consumption at a household level that was previously unavailable in city planning. A supporting indicator at a minimum can be included to further bolster information aware governance in the field.

[1] This submission is authored, in alphabetical order, by Elonnai Hickok (elonnai@cis-india.org), Rohini Lakshané (rohini@cis-india.org) and Udbhav Tiwari (udbhav@cis-india.org) on behalf of the Centre for Internet and Society, India.

[2] See The Centre for Internet and Society,available at http://cisindia.org for details of the organization, and our work.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-bis-on-smart-cities-indicators

Navigating the 'Reconsideration' Quagmire (A Personal Journey of Acute Confusion)

Padmini Baruah and Geetha Hariharan — 2016-11-30T13:48:41Z

An earlier analysis of ICANN’s Documentary Information Disclosure Policy already brought to light our concerns about the lack of transparency in ICANN’s internal mechanisms. Carrying my research forward, I sought to arrive at an understanding of the mechanisms used to appeal a denial of DIDP requests. In this post, I aim to provide a brief account of my experiences with the Reconsideration Request process that ICANN provides for as a tool for appeal.

Backdrop: What is the Reconsideration Request Process?

The Reconsideration Request process has been laid down in Article IV, Section 2 of the

ICANN Bylaws. Some of the key aspects of this provision have been outlined below^{^[1]},

ICANN is obligated to institute a process by which a person materially affected by ICANN action/inaction can request review or reconsideration.

To file this request, one must have been adversely affected by actions of the staff or the board that contradict ICANN’s policies, or actions of the Board taken up without the Board considering material information, or actions of the Board taken up by relying on false information.
A separate Board Governance Committee was created with the specific mandate of reviewing Reconsideration requests, and conducting all the tasks related to the same.
The Reconsideration Request must be made within 15 days of:
- FOR CHALLENGES TO BOARD ACTION: the date on which information about the challenged Board action is first published in a resolution, unless the posting of the resolution is not accompanied by a rationale, in which case the request must be submitted within 15 days from the initial posting of the rationale;
- FOR CHALLENGES TO STAFF ACTION: the date on which the party submitting the request became aware of, or reasonably should have become aware of, the challenged staff action, and
- FOR CHALLENGES TO BOARD OR STAFF INACTION: the date on which the affected person reasonably concluded, or reasonably should have concluded, that action would not be taken in a timely manner

.The Board Governance Committee is given the power to summarily dismiss a reconsideration request if:
- the requestor fails to meet the requirements for bringing a Reconsideration Request;
- it is frivolous, querulous or vexatious; or
- the requestor had notice and opportunity to, but did not, participate in the public comment period relating to the contested action, if applicable

If not summarily dismissed, the Board Governance Committee proceeds to review and reconsider.
A requester may ask for an opportunity to be heard, and the decision of the Board Governance Committee in this regard is final.

The basis of the Board Governance Committee’s action is public written record information submitted by the requester, by third parties, and so on.
The Board Governance Committee is to take a decision on the matter and make a final determination or recommendation to the Board within 30 days of the receipt of the Reconsideration request, unless it is impractical to do so, and it is accountable to the Board to make an explanation of the circumstances that caused the delay.
The determination is to be made public and posted on the ICANN website.

ICANN has provided a neat infographic to explain this process in a simple fashion, and I am reproducing it here:

(Image taken from https://www.icann.org/resources/pages/accountability/reconsiderationen)

Our Tryst with the Reconsideration Process

The Grievance
Our engagement with the Reconsideration process began with the rejection of two of our requests (made on September 1, 2015) under ICANN’s Documentary Information Disclosure Policy. The requests sought information about the registry and registrar compliance audit process that ICANN maintains, and asked for various documents pertaining to the same^{^[2]}:

Copies of the registry/registrar contractual compliance audit reports for all the audits carried out as well as external audit reports from the last year (20142015).
A generic template of the notice served by ICANN before conducting such an audit.
A list of the registrars/registries to whom such notices were served in the last year.
An account of the expenditure incurred by ICANN in carrying out the audit process.
A list of the registrars/registries that did not respond to the notice within a reasonable period of time.
Reports of the site visits conducted by ICANN to ascertain compliance.
Documents which identify the registries/registrars who had committed material discrepancies in the terms of the contract.
Documents pertaining to the actions taken in the event that there was found to be some form of contractual noncompliance.
A copy of the registrar selfassessment form which is to be submitted to ICANN.

ICANN integrated both the requests and addressed them via one response on 1 October, 2015 (which can be found here). In their response, ICANN inundated us with already available links on their website explaining the compliance audit process, and the processes ancillary to it, as well as the broad goals of the programme none of which was sought for by us in our request. ICANN then went on to provide us with information on their ThreeYear Audit programme, and gave us access to some of the documents that we had sought, such as the preaudit notification template, list of registries/registrars that received an audit notification, the expenditure incurred to some extent, and so on .

Individual contracted party reports were denied to us on the basis of their grounds for nondisclosure. Further, and more disturbingly, ICANN refused to provide us with the names of the contracted parties who had been found under the audit process to have committed discrepancies. Therefore, a large part of our understanding of the way in which the compliance audit process works remains unfinished.

What we did

Dissatisfied with this response, I went on to file a Reconsideration request (number 1522) as per their standard format on November 2, 2015. (The request filed can be accessed here).As grounds for reconsideration, I stated that “As a part of my research I was tracking the ICANN compliance audit process, and therefore required access to audit reports in cases where discrepancies where formally found in their actions. This is in the public interest and therefore requires to be disclosed...While providing us with an array of detailed links explaining the compliance audit process, the ICANN staff has not been able to satisfy our actual requests with respect to gaining an understanding of how the compliance audits help in regulating actions of the registrars, and how they are effective in preventing breaches and discrepancies.” Therefore, I requested them to make the records in question publicly available “We request ICANN to make the records in question, namely the audit reports for individual contracted parties that reflect discrepancies in contractual compliance, which have been formally recognised as a part of your enforcement process. We further request access to all documents that relate to the expenditure incurred by ICANN in the process, as we believe financial transparency is absolutely integral to the values that ICANN stands by.”

The Board Governance Committee’s response³

The determination of the Board Governance Committee was that our claims did not merit reconsideration, as I was unable to identify any “misapplication of policy or procedure by the ICANN Staff”, and my only issue was with the substance of the DIDP Response itself, and substantial disagreements with a DIDP response are not proper bases for reconsideration

(emphasis supplied).

The response of the Board Governance Committee was educative of the ways in which they determine Reconsideration Requests. Analysing the DIDP process, it held that ICANN was well within its powers to deny information under its defined Conditions for NonDisclosure, and denial of substantive information did not amount to a procedural violation. Therefore, since the staff adhered to established procedure under the DIDP, there was no basis for our grievance, and our request was dismissed..

Furthermore, as a postscript, it is interesting to note that the Board Governance Committee delayed its response time by over a month, by its own admission “In terms of the timing of the BGC’s recommendation, it notes that Section 2.16 of Article IV of the Bylaws provides that the BGC shall make a final determination or recommendation with respect to a reconsideration request within thirty days, unless impractical. To satisfy the thirtyday deadline, the BGC would have to have acted by 2 December 2015. However, due to the timing of the BGC’s meetings in November and December, the first practical opportunity for the BGC to consider Request 1522 was 13 January 2016.”⁴

Whither do I wander now?

To me, this entire process reflected the absurdity of the Reconsideration request structure as an appeal mechanism under the Documentary Information Disclosure Policy. As our experience indicated, there does not seem to be any way out if there is an issue with the substance of ICANN’s response. ICANN, commendably, is particular about following procedure with respect to the DIDP. However, what is the way forward for a party aggrieved by the flaws in the existing policy? As I had analysed earlier, the grounds for ICANN to not disclose information are vast, and used to deny a large chunk of the information requests that they receive. How is the hapless requester to file a meaningful appeal against the outcome of a bad policy, if the only ground for appeal is noncompliance with the procedure of said bad policy? This is a serious challenge to transparency as there is no other way for a requester to acquire information that ICANN may choose to withold under one of its myriad clauses. It cannot be denied that a good information disclosure law ought to balance the free disclosure of information with the holding back of information that truly needs to be kept private.^{^[3]}^{^[4]} However, it is this writer’s firm opinion that even instances where information is witheld, there has to be a stronger explanation for the same, and moreover, an appeals process that does not take into account substantive issues which might adversely affect the appellant falls short of the desirable levels of transparency. Global standards dictate that grounds for appeal need to be broad, so that all failures to apply the information disclosure law/policy may be remedied.⁶ Various laws across the world relating to information disclosure often have the following as grounds for appeal: an inability to lodge a request, failure to respond to a request within the set time frame, a refusal to disclose information, in whole or in part, excessive fees and not providing information in the form sought, as well as a catchall clause for other failures.⁷

Furthermore, independent oversight is the heart of a proper appeal mechanism in such situations^{^[5]}; the power to decide the appeal must not rest with those who also have the discretion to disclose the information, as is clearly the case with ICANN, where the Board Governance Committee is constituted and appointed by the ICANN Board itself [one of the bodies against whom a grievance may be raised].

Suggestions

We believe ICANN, in keeping with its global, multistakeholder, accountable spirit, should adopt these standards as well, especially now that the transition looms around the corner. Only then will the standards of open, transparent and accountable governance of the Internet upheld by ICANN itself as the ideal be truly, meaningfully realised. Accordingly, the following standards ought to be met with:

Establishment of an independent appeals authority for information disclosure cases
Broader grounds for appeal of DIDP requests
Inclusion of disagreement with the substantive content of a DIDP response as a ground for appeal.
Provision of proper reasoning for any justification of the witholding of information that is necessary in the public interest.

[1] Article IV, Section 2, ICANN Bylaws, 2014 available at https://www.icann.org/resources/pages/governance/bylawsen/#IV

[2] Copies of the request can be found here and here.

[3] Katherine Chekouras, Balancing National Security with a Community's RighttoKnow: Maintaining

Public Access to Environmental Information Through EPCRA 's NonPreemption Clause, 34 B.C. Envtl. Aff. L. Rev 107, (2007).

[4] Toby Mendel, Freedom of Information: A Comparative Legal Study 151 (2nd edn, 2008).

Id, at 152

³4 Available here. https://www.icann.org/en/system/files/files/reconsideration1522cisfinaldetermination13jan16en.pdf

[5] Mendel, supra note 6.

For more details visit https://cis-india.org/internet-governance/blog/navigating-reconsideration-quagmire-a-personal-journey-of-acute-confusion

Demonetisation Survey Limits the Range of Feedback that can be Provided by the User

tiwari — 2016-11-24T14:50:08Z

The government has faced increasingly targeted attacks by the Opposition and the public on the merits of the demonetisation move carried out a fortnight ago. In an attempt to placate this ire and to create a feedback loop that directly engages with the public, the government has decided to conduct a mass survey to gauge public perception. The survey is hosted on the Narendra Modi mobile application that can be found on the Android and iOS app stores. This article will attempt to analyse the mobile application by looking at the design principles followed in the survey and the scope given to survey takers to express their true opinion of the demonetisation move.

The article was published by First Post on November 24, 2016.

At the time of writing, 90 percent of respondents expressed the feeling that the government's move was 'brilliant/nice'. However, one must look into the merits of the survey and its limitations to understand the true value and nature of the results of the survey.

The first step required in order to take the survey, is downloading the application itself, which forces the user to automatically grant access to Contacts, Phone and Storage functions of their phone. While there are ostensible reasons for these permissions, (sharing the data from within the application, storing downloaded information, etc.) unless the user is running Android 6.0 or above, the user doesn’t have a choice in giving these permissions. This leaves the application with the potential to collect the entire phone book of the user as as well as access any files stored on the user’s device. This is independent of the survey and provides a large scope for massive data collection from any user just choosing to install the application in the first place. It is easily possible to create a version of the application that carries out a vast majority of its current functions without these permissions and the government (along with the application developer) should endeavour to do so at the earliest. In the alternative, they should have a clear and distinct privacy policy that informs users of the data collection and its possible use.

The second major step required to take the survey is the long and tedious registration process, which requires all sorts of details with massive privacy implications. This includes the name, email ID, phone number, residency details, profession and interests, all of which are compulsory fields. Why all of these details are necessary to take a supposedly simple survey and what possible use this information can be put to by the government is both unclear and problematic. It is also possible to register using Google, Facebook, Twitter and other social networking sites where there is a varying standard of equally private and unnecessary information that is being collected by the application from these websites. There are no privacy notices or consent forms that govern this information collection nor is their any indication of how this information will be put to use beyond the scope of the survey. The generic, standard form privacy policy (less than 10 lines long) on the Narendra Modi website is hidden at the bottom of the application download page (not in the application itself) and leaves a lot to be desired to safeguard user interest.

Once the registration is complete, the user is presented with the survey, which has a total of 10 questions of 3 broad categories. 6 of these questions have multiple choice answers, 3 of them have a sliding rating meter and 1 question has general comments/suggestion page. The article will now look at these categories and analyze the design of the questions, the extent of the choice they give to the users and finally if the survey has a coercive or limiting effect on the feedback that can be given by the user via the application regarding the demonetisation move.

Choice limiting multiple choice questions.

The first category of questions, the multiple choice questions (MCQ), have varying degree of choices that the user can select from. However, regardless of the extent of the choices, their exact nature is severely limiting and makes it almost impossible to express a truly negative opinion of the survey. This is done in two ways, first the explicit restriction of choices and second the more subtle negative colouring of responses by cleverly phrasing questions. An example of the explicit restriction of choices can be seen in Question No 7. “Demonetisation will bring real estate, higher education, healthcare in common man’s reach” which has three options, “Completely Agree, Partially Agree and Can’t Say.” There is no option to disagree with the paradigm set by the question and neither is there an option for the user to further explain or elucidate upon the answer, if he/she choose Can’t Say as an option. This also means that there will be no answers that will have “No” as an answer to the fairly open ended question, which can have a myriad of responses. The same can be said for Question No. 6 regarding the demonetisation move’s effectiveness in curbing illegal activities to which, once again, “No” is not an answer, with “Don’t Know” being the best a user disagreeing can do with the survey question.

The second, more subtle aspect of the MCQ questions are questions that serve as bait to demand a positive answer, which can be used to later bolster the survey's results in a positive light. For example, Question No. 1 reads “Do you think Black Money exists in India” and Question No. 2 reads “Do you think the evil of Corruption & Black Money needs to be fought and eliminated?” both of which have simple “Yes” and “No” as the only two possible responses. These rhetorical questions, which demand a positive answer, provide almost no aspect for the user to subtly or explicitly disagree with motivating factor behind the demonetisation move. The placement of these questions and the lack of choice in responses that can be given to them leaves huge potential to tilt the survey results in the favour of the government’s move. For example, you can’t simultaneously agree that black money is a problem and think the demonetisation move is a bad idea, simply because you can’t express that view in a single question within the survey.

Positive bias driven multiple choice question.

The other two categories of questions do not suffer from the overt problems of encouraging positive bias that the MCQ questions do but leave a fair bit to be desired in their outlook towards individuals who disagree with the move. In the sliding rating meter questions, there are strong visual cues that hint that disagreeing with the demonetisation move is a negative, undesirable idea. They do so by using a large, danger red frown as the icon for Question No. 5 that asks for the survey takers opinion on the ban on old 500 and 1000 rupee notes. The same goes for Question No. 3 that deals with the general moves of the government to tackle black money. This makes any opinion or answer that disagrees with the validity of the move an answer that is portrayed in a negative light. Similarly, the general comments/suggestion section in Question No. 10 is the only place for anyone to express a negative or non-concurring opinion, which there is no way to measure statistically in the overall survey results and will mostly likely not be counted in the final survey results.

Visual cues.

All of the above points clearly show that the design of both the Narendra Modi mobile application and its survey have huge potential for coercing a biased viewpoint upon any survey taker and ensure that it is almost possible to express a stark, negative opinion against the demonetisation move via the survey. This can and should be remedied by the government to allow for a more open, conducive and critical discourse to take place regarding the move among the public. It is only when such opinion is allowed to exist in the first place, that the government can understand, engage and respond to the various valid critiques of the move. The chilling effect that would take place in the current form of the survey would be counterproductive to the original intent behind its creation, which was to create a direct constructive feedback loop between the public and the government.

For more details visit https://cis-india.org/internet-governance/blog/first-post-udbhav-tiwari-november-24-2016-demonetisation-survey-limits-the-range-of-feedback-that-can-be-provided-by-the-user

Caught in a filter bubble

praskrishna — 2016-11-24T01:45:35Z

The country seems to be polarised over demonetisation and its after-effects. And more likely than not, you’ve had plenty of news stories to read that corroborate what you believe, regardless of whether you think the scrapping of the Rs 500 and Rs 1,000 notes was an ingenious plan or not, especially if you get most of your news on social media.

The article by Chetana Divya Vasudev was published by Deccan Herald on November 22, 2016. Rohini Lakshané was quoted.

However, does the news you’re consuming give you a clear picture of everything going on around you or is it merely helping you live in your own bubble? This has become a hot topic of discussions post the US Presidential elections, with Facebook also coming under fire for it.

Social media sites in particular and the internet in general have been serving people stories that put forth points of view they largely agree with. “This is a phenomenon called the social media filter bubble,” says Rohini Lakshane, programme officer, Centre for Internet and Society. This means that because most people in your network think like you, what you read mostly concurs with your opinions, reinforces your bias, reducing your chances of coming across opposing viewpoints, she explains. “It’s all-pervasive, Twitter also tailors your feeds and the ‘while you were away’ section, unless you uncheck it in your settings,” she says. Using incognito mode for Google searches and clearing cookies are a couple of other steps you could take to check this filter bubble, she adds.

“As someone into policy research, I can’t let my personal prejudices affect what I read or understand,” she offers. “So I also ensure I constantly interact with people from different walks of life.” Keeping an open mind to multiple perspectives could help people remain more informed, she suggests.

Entrepreneur Devashish Mamgain says he makes a conscious effort to search for stories he knows he wouldn’t agree with. “I do this because I’m already up to date with what I like or support, and I think it’s important to know the other side as well,” he says. He doesn’t rely on social media for his news but knows many who do and thinks it limits their knowledge.

Savitha A Isaac, a content writer, says she unsubscribes to newsfeeds on Facebook she doesn’t want to read. “I get annoyed when it shows up what’s trending — videos and memes that are going viral. I feel most of this is US-centric; almost like it’s telling us we have to care about what’s happening there. My husband and I have noticed that Google keeps tabs on what you’re searching for and comes up with suggestions,” she says. This is also true of Facebook.

“I usually read a lot of investigative and feminist stories from certain sites. And when such links pop up as suggestions on your wall — or is reflected in the adds you see — it feels really nice. But it also feels wrong,” she says. “It’s creepy, almost as if someone’s stalking you.”

Uroosa Ayman Fathima, her colleague, believes most content on social media is not accurate. “I only click on a link if it’s that of a news website I trust to be at least 80 per cent accurate,” she says. And she verifies what catches her interest with news in the print media, a more credible source, she believes.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-november-22-2016-chetana-divya-vasudev-caught-in-a-filter-bubble

The thrill of saving India from cybercrime

praskrishna — 2016-11-21T02:42:48Z

Geeks seize the chance to help the government, defence forces and banks draw up fences against tech crimes.

The article by Peerzada Abrar was published in the Hindu on November 20, 2016.

Saket Modi loves long flights. The 26-year-old hacker likes to do most of his reasoning while criss-crossing the world. It was on one such flight from the United States to India that the co-founder of cybersecurity start-up Lucideus Tech read about India's largest data security breaches. While surfing the in-flight Internet he came to know that the security of about 3.2 million debit cards had been compromised.

“I was not surprised but I started thinking about how it would have happened. What was the ‘exploit’ used, how long was it there,” said Mr. Modi. Soon after reaching New Delhi, he received multiple requests from several banks and organisations to protect them from the hacking incident, which is just one of the thousands of cybercrimes that the country is facing.

In India, there has been a surge of approximately 350 per cent of cybercrime cases registered under the Information Technology (IT) Act, 2000 from the year of 2011 to 2014, according to a joint study by The Associated Chambers of Commerce and Industry of India and consulting firm PricewaterhouseCoopers. The Indian Computer Emergency Response Team (CERT-In) has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents in 2015, noted the Assocham-PwC joint study.

Ethical hackers

Mr. Modi is among a new breed of ethical hackers-turned-entrepreneurs who are betting big on this opportunity. An ethical hacker is a computer expert who hacks into a computer network on the behalf of its owner in order to test or evaluate its security, rather than with malicious or criminal intent.

“You cannot live in a world where you think that you can't be hacked. It doesn’t matter who you are,” said Mr. Modi who cofounded Lucideus four years ago. The company clocked revenues of Rs.4 crore in the last fiscal. This compares with the Rs.2.5 lakh revenues in the first year. The New Delhi-based firm now counts Reserve Bank of India, Ministry of Defence and Standard Chartered among its top clients.

Mr. Modi, who is also a pianist, discovered his skills for hacking into secure computer systems while preparing for his board exams. He hacked into his school computer and stole the chemistry question paper, after realising that he would not be able to clear the test conducted by his school. However, a guilty conscience compelled him to confess to his teacher who permitted him to still take the test. The incident transformed him to use his skills to protect and not misuse them. This year, Lucideus was hired by National Payments Corporation of India (NPCI) along with other information security specialists to protect its most ambitious project, the Unified Payment Interface (UPI) platform, from cyber attacks. UPI aims to bring digital banking to 1.2 billion people in the country. Lucideus has a team of 70 people mostly fresh college graduates who do hacking with authorisation.

“The reason behind choosing Lucideus was their young, energetic and knowledgeable team," said Bhavesh Lakhani, chief technology officer of DSP BlackRock, one of the premier asset management companies. Mr. Lakhani said that India is currently the epicentre of financial and technological advancements which make it a probable target of cyber-attacks.

Hacking lifeline

Indeed, a new breed of cyber criminals has emerged, whose main aim is not just financial gains but also cause disruption and chaos to businesses in particular and the nation at large, according to the Assocham-PwC study. Attackers can gain control of vital systems such as nuclear plants, railways, transportation and hospitals. This can subsequently lead to dire consequences such as power failures, water pollution or floods, disruption of transportation systems and loss of life, noted the study.

“The hacker doesn’t care whether he is attacking an Indian or a U.S. company. It is bread and butter for him and he wants to eat it wherever he gets it from,” said Trishneet Arora, a 22-year-old ethical hacker. In an office tucked away in Mohali, a commercial hub lying adjacent to the city of Chandigarh in Punjab, Mr.Arora fights these cyberattacks on a daily basis to protect his clients. His start-up TAC Security provides an emergency service to customers who have been hacked or are anticipating a cyberattack. It alerted a hospital in the U.S. after detecting vulnerabilities in their computer network.

Mr.Arora said that the hackers could have easily shut down the intensive care unit which was connected to it and remotely killed the patients. TAC said the data server of a bank in the UAE containing critical information got hacked recently. The bank also lost access to the server. TAC said that it not only helped the organisation to get back access to the server but also traced the hacker’s identity.

A school drop out, Mr.Arora founded TAC three years ago. But he initially found it tough to convince enterprises about his special skills. “I was a backbencher in the classroom and not good in studies, but I loved playing video games and hacking,” he said. He conducted workshops on hacking and provided his expertise to law enforcement agencies such as the Central Bureau of Investigation and various State police departments. His firm now provides its services to customers such as Reliance Industries, dairy brand Amul and tractor manufacturer Sonalika.

“We were surprised by their expertise,” said R.S. Sodhi, managing director of Amul. “We wanted to be sure that the company’s vital IT infrastructure is in the right hands – the big question was, ‘Who can that be?’ In TAC, we found that team.”

TAC expects to cross revenues of $5 million (Rs.33 crore) and employ about 100 ethical hackers by next year.

Budget woes

Security watchers such as Sunil Abraham, executive director of Bengaluru-based think tank Centre for Internet and Society said that India’s cybersecurity budget is woefully inadequate when compared to the spending by other countries. In 2014-15, the government doubled its cybersecurity budget by earmarking Rs.116 crore. “We require a budget of $1 billion per annum or every two years to build the cybersecurity infrastructure. The current cyber security policy has no such budget,” said Mr. Abraham.

According to Data Security Council of India (DSCI), India's cybersecurity market is expected to grow nine-fold to $35 billion by 2025, from about $4 billion. This would mainly be driven by an ecosystem to promote the growth of indigenous security product and services start-up companies.

The Cyber Security Task Force (CSTF) set up by DSCI and industry body Nasscom expects to create a trained base of one million certified and skilled cybersecurity professionals. It also aims to build more than 100 successful security product companies from India. Investors who normally focus on e-commerce ventures or public markets are now taking note of this opportunity and are betting on such ventures. Amit Choudhary, director, MotilalOswal Private Equity and an investor in Lucideus, said he saw tremendous opportunity in the cybersecurity market as hackers are shifting their focus from developed countries to emerging countries like India.

“There is a huge opportunity. The recent security breaches of a few Indian banks are an example,” said Vijay Kedia an ace stock picker and an investor in TAC Security. He said that organisations are still unaware of the widespread damage that can be caused by hackers. “The next war will be a ‘cyberwar’,” he said.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime

Free Net advocates flay Trai's public Wi-Fi paper

praskrishna — 2016-11-20T03:21:41Z

Stakeholders vouching for a cheap and open Internet have flagged concerns over privacy and regulatory hurdles.

The article by Anita Babu was published in the Business Standard on November 20, 2016. Pranesh Prakash was quoted.

With the Telecom Regulatory Authority of India releasing its consultation paper on public Wi-Fi this week, stakeholders vouching for a cheap and open Internet have flagged concerns over privacy and regulatory hurdles.

The Internet Freedom Foundation has pointed out that the proposed regulations might lead to invasion of privacy and interfere with the freedom of hotspot providers to operate freely.

“While we welcome Trai’s vision that increasing the number of public Wi-Fi hotspots could be the way to bringing the majority of Indians online, the proposals turn out to be regressive and poorly thought out,” said Aravind Ravi Sulekha, co-founder of the Internet Freedom Foundation.

The regulator in its consultation paper issued earlier this week proposed hotspot providers would have to register with the government and users could access hotspots only after paying using a service tied to their Aadhaar number. It wants to utilise Aadhaar, electronic-Know Your Customer (e-KYC) and the Unified Payment Interface (UPI) to build a standard authentication mechanism for access to public Wi-Fi in India. While the aim of Trai is to increase the number of Wi-Fi hotspots in India, proponents of free Internet fear these proposed rules might have a contrary effect.

Hotspot providers will have to incur costs on account of hardware installations for one-time password verification in addition to the costs of sending out the passwords. This might discourage entrepreneurs.

“This system of verification makes it harder for entrepreneurs to set up hotspots and for people to access them. It is impossible for broadband to proliferate in any significant way if Trai insists on applying ineffective and cumbersome regulations on those who wish to set up their own hotspots,” Internet Freedom Foundation said in its comments to Trai’s consultation paper.

The proposals have excluded individuals who do not have an Aadhaar account from accessing public Wi-Fi. “This not only brings concerns of costs and exclusion but also privacy, given the constitutionality of the Aadhaar project, and its government-mandated use, is pending adjudication in the Supreme Court,” the foundation pointed out.

The proposals also come at the cost of anonymity. The foundation, cofounded by the crusaders of last year’s SaveTheInternet campaign, trashed the argument that imposing eKYC norms would help in countering terrorism and other crimes. “This prohibition on anonymous communication is a violation of Indians’ freedom of expression… making a call at a PCO, sending a telegram and posting a letter have always been possible without showing ID — even though criminals and terrorists occasionally abused these services… KYC measures are ineffective in preventing crime and terrorism, as tools like VPNs, TOR, and proxies can easily mask the identity of an Internet user,” it stated.

“The solution proposed by Trai is a classic example of centralism and over-regulation. It turns out that Trai is unclear about the problem to be solved,” said Pranesh Prakash, policy director at the Centre for Internet and Society. He added that the new proposals had also failed to address the limitations on foreigners or tourists in India.

Current regulations prevent foreigners without a local mobile number from accessing public Wi-Fi connections. While Trai had identified the problem, it failed to come up with a plausible solution.

For more details visit https://cis-india.org/internet-governance/news/business-standard-november-20-2016-anita-babu-free-net-advocates-flay-trais-public-wifi-paper

CERT-In's Proactive Mandate - A Report on the Indian Computer Emergency Response Team’s Proactive Mandate in the Indian Cyber Security Ecosystem

tiwari — 2016-11-19T04:14:51Z

CERT-IN’s proactive mandate is defined in the IT Act, 2000 as well as in the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Function and Duties ) Rules, 2013 (CERT-In Rules, 2013) both of which postdate the existence of the organisation itself, which has been operational since 2004.

Regarding the proactive mandate, the IT Act and CERT-In Rules include the following areas where CERT-In is required to carry out proactive measures in the interests of cyber security:

Forecast and alert cyber security incidents (IT Act, 2000) & Predict and prevent cyber security incidents (CERT-In Rules, 2013)
Issue guidelines, advisories and vulnerability notes etc. relating to information security practices, procedures, prevention, response and reporting (IT Act, 2000)
Information Security Assurance (CERT-In Rules, 2013)

This article will track and analyse the CERT-In’s operations in each of these areas over the past twelve years, by analysing the information available on CERT-In’s website as well as other media in the public domain.

The analysis will be carried out using a mixed methodology. The basic quantitative analysis of the information available on the CERT-In’ website will be carried out in the form of simple comparatives of updates, bulletins and other forms of publicly available interaction and critical information dispersal on CERT-In’s website. The qualitative sections, on the other hand, will contain a comparative analysis of the content present in the technical documents of the CERT-In with the equivalent documentation (where present) of similar bodies in the USA and EU. Each section will then illustrate normative suggestions as to how CERT-In’s performance of that respective obligation can be improved to better serve its cyber security mandate.

Read the full article

The image is published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document.

For more details visit https://cis-india.org/internet-governance/blog/cert-ins-proactive-mandate-a-report-on-indian-computer-emergency-response-teams-proactive-mandate-in-indian-cyber-security-ecosystem

How The U.K. Got A Better Deal From Facebook Than India Did

praskrishna — 2016-11-18T01:56:49Z

The U.K.’s Information Commissioner’s Office (ICO) and India’s Karmanya Sareen shared a similar concern – how messenger application WhatsApp’s decision to share user data with parent Facebook is a violation of the promise of privacy.

The blog post by Payaswini Upadhyay was published in Bloomberg Quint on November 17, 2016. Sunil Abraham was quoted.

Last week, Facebook agreed to address the concerns of the ICO; in India, it didn’t have to.

WhatsApp: New Privacy Policy

In August 2016, WhatsApp issued a revised privacy policy that allowed it to share user information with parent company Facebook. Any user who didn’t want her information to be shared with Facebook had a 30-day period to opt out of the policy. Opting out meant that a user’s account information would not be shared with Facebook to improve ads and product experiences. But, there was a caveat.

The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.
WhatsApp Support Team statement on its website

Facebook’s Commitment To ICO

The ICO decided to delve deeper into what Facebook intended to do with the WhatsApp user data. Elizabeth Denham, Information Commissioner, ICO stated in her blog that users haven’t been given enough information about what Facebook plans to do with the information, and WhatsApp hasn’t got valid consent from users to share the information.

I also believe users should be given ongoing control over how their information is used, not just a 30-day window.
Elizabeth Denham, Information Commissioner, ICO

Denham further elaborated ICO’s stand - that it’s important users have control over their personal information, even if services don’t charge them a fee.

We’ve set out the law clearly to Facebook, and we’re pleased that they’ve agreed to pause using data from U.K. WhatsApp users for advertisements or product improvement purposes.
Elizabeth Denham, Information Commissioner, ICO

The ICO has now asked Facebook and WhatsApp to sign an undertaking committing to better explaining to users how their data will be used, and to giving users ongoing control over that information. Additionally, the ICO also wants WhatsApp to give users an unambiguous choice before Facebook starts using that information and for them to be given the opportunity to change that decision at any point in the future. Facebook and WhatsApp are yet to agree to this, Denham stated.

If Facebook starts using the data without valid consent, it may face enforcement action from my office.
Elizabeth Denham, Information Commissioner, ICO

In the U.K., protections in the European Data Protection Directive have been incorporated into local law via the Data Protection Act 1998. The ICO is both the privacy regulator and the transparency (right to information) regulator, Sunil Abraham, executive director at the Centre for Internet and Society pointed out. The regulator can issue enforcement notices and also fine errant actors in the market place, he said.

This is a regulator with expertise, experience and teeth. Come May 25, 2018, the General Data Protection Regulation will come into force and this will give more comprehensive powers to the regulator to investigate and remedy cases like this. The regulator will take each principle from the Directive or Regulation and examine Facebook’s actions comprehensively before deciding on a response.
Sunil Abraham, Executive Director, Centre for Internet and Society

For example, if the regulator determines that the principle of choice and consent has not been complied with, it can force Facebook to reverse its decisions and provide greater transparency and clearer choices, Abraham added.

Karmanya Sareen’s Grievance

Back home in India, just two months ago, Karmanya Sareen, a WhatsApp user, argued before the Delhi High Court against the company’s new privacy policy. The argument was that WhatsApp’s August 2016 notice to its users about the proposed change in the privacy policy violated the fundamental rights of users under Article 21 of the Constitution. Article 21 promises protection of life and personal liberty.

Proposed change in the privacy policy of WhatsApp would result in altering/changing the most valuable, basic and essential feature of WhatsApp i.e. the complete protection provided to the privacy of details and data of its users.
Karmanya Sareen vs Union of India

The Delhi High Court struck down the Article 21 argument saying that the Supreme Court was still deliberating over including right to privacy as a fundamental right. It also pointed to WhatsApp’s 2012 Privacy Policy that allowed the company to transfer user information in case of an acquisition or merger with a third party. The 2012 policy also allowed WhatsApp to change the terms periodically.

Consequently, the Delhi High Court held that it is not open to the users now to contend that WhatsApp should be compelled to continue the same terms of service. However, the court gave WhatsApp two directions to protect users.

WhatsApp to delete from its servers and not share with Facebook or its group companies any information belonging to users who delete their account.

Users who continue to be on WhatsApp, their existing information up to September 25, 2016 cannot be shared with Facebook or any of its group companies.

Did The Delhi High Court Go Easy On Facebook And WhatsApp?

Apar Gupta, an advocate specializing in information technology, points out that the directions given by the Delhi High Court to WhatsApp did not contemplate any additional protection to a user than what was already provided by WhatsApp.

The Delhi Court essentially reproduced WhatsApp’s privacy policy. It did not compel or provide any additional safeguard.
Apar Gupta, Lawyer

Apar attributes this to the absence of a regulatory framework.

The lack of substantive safeguard and enforcement framework in India led to the Delhi High Court upholding WhatsApp’s new privacy policy.
Apar Gupta, Lawyer

Abraham added that the court did not examine the privacy policy from the perspective of data protection principles as would have been the case in EU or any other jurisdictions with a proper data protection law.

The court too admitted this in its order that there existed a regulatory vacuum in India and asked TRAI to look into the matter. Facebook did not respond to BloombergQuint’s query on whether it would implement its U.K. commitments in India as well.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-november-17-2016-payaswini-upadhyay-how-the-uk-got-a-better-deal-from-facebook-than-india-did

Conference on the Digitalization of the Indian Legal System

Leilah Elmokadem — 2016-11-16T15:34:36Z

On Legal Services Day, November 9, 2016, LegalDesk.com collaborated with iSPIRT to host a conference on the “Digitalization of the Indian Legal System”. The event invited prominent speakers to present their organizations’ work and to participate in a panel discussion followed by a Q&A period for the audience.

The co-founder of DAKSH Society of India, Kishore Mandyam, opened the event with a thought-provoking presentation on the efficiency levels of the current legal system and the kinds of progress that can be brought about by technological reforms. Members of LegalDesk.com then presented their ideas and then introduced their newest white paper on Legal Digitalization, providing a brief overview of the study and summarizing the most relevant sections. The panel discussion then proceeded, moderated by Sanjay Khan Nagra, a policy expert at iSPIRT Foundation. He facilitated an insightful and conducive discussion around the advantages, disadvantages, risks and incentives of digitalizing the Indian legal system. On the discussion panel was Kishore Mandyam from DAKSH Society and Prabhuling K Navadgi, the Additional Solicitor General of India.

The objectives to the conference, as per its website, were to: (1) examine the current legal framework and the possibility of amendments in laws to facilitate digitalization of the system, (2) asses the potential of India Stack in digitalizing the legal system, (3) to identify statutes which require amendment, (4) identify the hurdles and roadblocks in the path towards digital reform of the legal ecosystem, and (5) suggest amendments to the act and potential areas of improvement. With those objectives in mind, this blog post intends to provide a brief overview of the main narratives shared in the conference and to identify some of the loopholes and unanswered questions that I was left with by the end.

Improved efficiency is the dominant narrative used to advocate for the digitalization of the Indian legal system. According to LegalDesk.com, the current Indian legal system relies mostly on paperwork, resulting in thousands of courts and over a million advocates accumulating lackhs of ongoing cases and an enormous pile of pending cases, mostly due to insufficient information. It is stated that the traditional methods of legal documentation, paperwork and court work must change through awareness, technology and pursuance by the government, as it needs to be implemented throughout the country. The key idea here is that digital transactions are faster and simplify the process of storing information. The ultimate desired outcome here, then, is increased efficiency and transparency.

One must question, however, if this narrative may be overly generous with the credit it gives to technology. IT systems, like many other manmade structures, are always bound to glitch and crash. It would be useful, then, to question whether the legal system is a department that can afford the complications that inevitably accompany a digital transformation. If portals or servers fail at critical times (i.e. when a person needs to confirm their trial date, submit a document before a deadline, or any other pressing procedures), the consequences may in fact outweigh the convenience brought about by overall digitalization. This is not to imply that the legal system cannot or should not undergo a digital transformation. Rather, it is to pose the question of whether the government will dedicate sufficient funds and expertise towards developing a resilient and reliable IT system for the courts. The conference was strongly centered on the concept that technology is always the way forward. This is a positive idea but one must pay special attention to the complications that may arise with the digitalization of a system that must function in a particularly time-sensitive manner – and to ensure that these complications can be managed efficiently and effectively should they arise. This then, requires more than a mere push for digitalization. Introducing new technological platforms is a positive step towards digitalization. However, there is a need for a detailed, government-authorized plan on how the judicial system will efficiently and smoothly undergo this digital transformation in a sustainable and resilient manner.

A presenter from LegalDesk.com mentioned Estonia’s model of complete digital governance as an example of successful digitalization: “If a small country like Estonia can do it, why can’t we?” While it is useful to draw examples and lessons from other countries, it is also crucial to recognize the contextual differences between countries. The presenter’s point was that Estonia is small in both size and population and has just recently gained independence in 1991—and has nonetheless been able to undergo technological reform and completely digitalize governance systems. India’s case is extremely different as one can logically argue that digital inclusion is more difficult to accomplish for large, spatially dispersed populations. Furthermore, the socioeconomic disparities in India, particularly in income and literacy, contribute to an immense digital divide that Estonia did not, to any comparable extent, face in order to digitalize governance over 1.3 million individuals. This is not to suggest that India cannot become a world leader in digital governance, or become comparable to Estonia. Rather, this is to highlight the importance of recognizing historical, political and sociocultural differences between countries when comparing governance models and digitalization processes. There is a need to indigenize digital reform strategies and platforms in India to cater to its unique context and vast diversity. This can be done by focusing on issues such as the language of digital governance, ensuring sufficient distribution of access to public digital platforms, and prioritizing the inclusion of all socioeconomic classes. I would argue that digitalization could come at a greater cost than benefit if it perpetuates the exclusion of the underprivileged members of society, especially from a system as critical as the judiciary. These topics were alarmingly overlooked in the conference.

The topic of privacy was also quite overlooked in the conference. As a step towards digital transformation, LegalDesk.com presented the new eNotary technology, which would be implemented by utilizing a combination of Adhaar based authentication, eSign, digilocker systems such as India Stack and video/audio recorded interviews. With the eNotary system, attestation, authentication and verification of legal instruments can be done remotely. This is expected to make paperwork easier, faster and more secure, as individuals would log into digital platforms using their Adhaar numbers to perform their judiciary procedures. A member of the audience asked about privacy concerns associated with digitalizing the legal records or property ownership information of individuals. Kishore Mandyam, from DAKSH, answered confidently with a statement that privacy is not a pressing issue here. He asserted that privacy concerns are a western construct that we have adopted in urban parts of India but that is not a concern for the majority of locals. It is clear, however, from examples such as the United States’ predictive policing practices, that accumulating data regarding the legal affiliations of individuals can result in discriminatory practices if this data does not remain strictly confidential to protect the privacy rights of citizens. This is not to mention the other forms of discrimination that can arise from the accumulation of such data, such as the targeting of certain demographics by corporate marketing and credit scoring practices that rely on trends in big data. To keep citizens’ legal records and affairs out of these databases, a digital legal system must be securely encrypted and protected by rigid privacy policies. India may have a varying context that leads to different privacy concerns with regards to a digital legal system. In any case, special attention must be given to privacy and security rights of individuals as their Adhaar numbers become attached to all their online personal data, including their legal records and judicial affairs.

For more details visit https://cis-india.org/internet-governance/blog/conference-on-the-digitalization-of-the-indian-legal-system

'Delink ICANN from US jurisdiction'

praskrishna — 2016-11-15T14:16:36Z

Eight Indian civil society organisations involved with internet governance have called for complete delinking of ICANN from US jurisdiction, saying an important global public infrastructure being subject to a single country’s control is unacceptable.

The article was published by Deccan Herald on November 12.

The Internet Corporation for Assigned Names and Numbers (ICANN) is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable.

The demand from Bengaluru-based Centre for Internet and Society and IT for Change as well as Delhi-based Software Freedom Law Centre among others came against the backdrop of ICANN’s meeting in Hyderabad that ended on Wednesday.

The other organisations involved in the campaign are Free Software Movement of India (Hyderabad), Society for Knowledge Commons, Digital Empowerment Foundation, Delhi Science Forum and Third World Network (all in New Delhi).

“Urgent steps (should) be taken to transit ICANN from its current US jurisdiction. Only then can ICANN become a truly global organisation . We would like to make it clear that our objection is not directed particularly against the US, we are simply against an important global public infrastructure being subject to a single country’s jurisdiction,” a joint statement said.

Though the US has given up its role of signing entries to the Internet’s root zone file, which represents the addressing system for the global Internet, the groups said, the organisation that manages ICANN continues to be under US jurisdiction and hence subject to its courts, legislature and executive agencies.

“Keeping such an important global public infrastructure under US jurisdiction is expected to become a very problematic means of extending US laws and policies across the world,” the statement said.

Explaining the issue, it said country domain names like .br and .ph remain subject to US jurisdiction.

“Iran’s .ir was recently sought to be seized by some US private parties because of alleged Iranian support to terrorism. Although the plea was turned down, another court in another case may decide otherwise. Other countries cannot feel comfortable to have at the core of the Internet’s addressing system an organisation that can be dictated by one government,” the statement said.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-november-12-2016-delink-icann-from-us-jurisdiction

Google, Facebook will not place ads on sites distributing fake news

praskrishna — 2016-11-15T13:59:40Z

Google plans to update its AdSense program policies to prevent placement of its ads on sites distributing fake news.

The article by John Riberio originally published by IDG News Service was mirrored on CIO on November 14, 2016. Pranesh Prakash was quoted.

Facebook also said Monday it had updated the policy for its Audience Network, which places ads on websites and mobile apps, to explicitly clarify that it applies to fake news.

“In accordance with the Audience Network Policy, we do not integrate or display ads in apps or sites containing content that is illegal, misleading or deceptive, which includes fake news,” Facebook said in a statement. The company said its team will continue to closely vet all prospective publishers and monitor existing ones to ensure compliance.

False news stories have become a sore point after the U.S. presidential elections with critics blaming internet companies like Twitter and Facebook for having had an influence on the outcome of the elections as a result of the fake content.

The controversy also reflects concerns about the growing power of social networks to influence people and events, as well as help people to communicate and organize. Facebook promotes democracy by letting candidates communicate directly with people, Facebook CEO Mark Zuckerberg said recently in an interview.

Google had its own embarrassing moments on Sunday with a false story that claimed that President-elect Donald Trump had won the popular vote in the U.S. presidential elections figuring atop some Google search results. Trump’s Democratic rival Hillary Clinton is leading in the popular vote.

“We've been working on an update to our publisher policies and will start prohibiting Google ads from being placed on misrepresentative content, just as we disallow misrepresentation in our ads policies,” Google said Monday in a statement. “Moving forward, we will restrict ad serving on pages that misrepresent, misstate, or conceal information about the publisher, the publisher's content, or the primary purpose of the web property.”

Google evidently expects that the threat of a cut in revenue from ads will dissuade sites from publishing fake content.

Zuckerberg has described as “crazy” the criticism that fake news on Facebook's news feed had influenced the vote in favor of Trump. “Of all the content on Facebook, more than 99% of what people see is authentic. Only a very small amount is fake news and hoaxes,” Zuckerberg said in a post over the weekend. The hoaxes are not limited to one partisan view, or even to politics, he added.

Identifying the "truth" is complicated, as while some hoaxes can be clearly identified, a greater amount of content, including from mainstream sources, often gets the basic idea right but some details wrong or omitted, or expresses a view that some people will disagree with and flag as incorrect even when it is factual, Zuckerberg wrote.

There are concerns that the monitoring of sites for fake news and the penalties could give internet companies more power. "We have to be wary of Facebook and Google being allowed to decide what's 'fake' and what's 'true' news. That only increases their power," said Pranesh Prakash, policy director at the Centre for Internet & Society in Bangalore.

For more details visit https://cis-india.org/internet-governance/news/cio-november-14-2016-john-riberio-google-facebook-will-not-place-ads-on-sites-distributing-fake-news

Big Data in India: Benefits, Harms, and Human Rights - Workshop Report

Vidushi Marda, Akash Deep Singh and Geethanjali Jujjavarapu — 2016-11-18T12:58:19Z

The Centre for Internet and Society held a one-day workshop on “Big Data in India: Benefits, Harms and Human Rights” at India Habitat Centre, New Delhi on the 1st of October, 2016. This report is a compilation of the the issues discussed, ideas exchanged and challenges recognized during the workshop. The objective of the workshop was to discuss aspects of big data technologies in terms of harms, opportunities and human rights. The discussion was designed around an extensive study of current and potential future uses of big data for governance in India, that CIS has undertaken over the last year with support from the MacArthur Foundation.

Contents

Big Data: Definitions and Global South Perspectives

Aadhaar as Big Data

Seeding

Aadhaar and Data Security

Aadhaar’s Relational Arrangement with Big Data Scheme

The Myths surrounding Aadhaar

IndiaStack and FinTech Apps

Problems with UID

Big Data: Definitions and Global South Perspectives

“Big Data” has been defined by multiple scholars till date. The first consideration at the workshop was to discuss various definitions of big data, and also to understand what could be considered Big Data in terms of governance, especially in the absence of academic consensus. One of the most basic ways to define it, as given by the National Institute of Standards and Technology, USA, is to take it to be the data that is beyond the computational capacity of current systems. This definition has been accepted by the UIDAI of India. Another participant pointed out that Big Data is not only indicative of size, but rather the nature of data which is unstructured, and continuously flowing. The Gartner definition of Big Data relies on the three Vs i.e. Volume (size), Velocity (infinite number of ways in which data is being continuously collected) and Variety (the number of ways in which data can be collected in rows and columns).

The presentation also looked at ways in which Big Data is different from traditional data. It was pointed out that it can accommodate diverse unstructured datasets, and it is ‘relational’ i.e. it needs the presence of common field(s) across datasets which allows these fields to be conjoined. For e.g., the UID in India is being linked to many different datasets, and they don’t constitute Big Data separately, but do so together. An increasingly popular definition is to define data as “Big Data” based on what can be achieved through it. It has been described by authors as the ability to harness new kinds of insight which can inform decision making. It was pointed out that CIS does not subscribe to any particular definition, and is still in the process of coming up with a comprehensive definition of Big Data.

Further, discussion touched upon the approach to Big Data in the Global South. It was pointed out that most discussions about Big Data in the Global South are about the kind of value that it can have, the ways in which it can change our society. The Global North, on the other hand, has moved on to discussing the ethics and privacy issues associated with Big Data.

After this, the presentation focussed on case studies surrounding key Central Government initiatives and projects like Aadhaar, Predictive Policing, and Financial Technology (FinTech).

Aadhaar as Big Data

In presenting CIS’ case study on Aadhaar, it was pointed out that initially, Aadhaar, with its enrollment dataset was by itself being seen as Big Data. However, upon careful consideration in light of definitions discussed above, it can be seen as something that enables Big Data. The different e-governance projects within Digital India, along with Aadhaar, constitute Big Data. The case study discussed the Big Data implications of Aadhaar, and in particular looked at a ‘cradle to grave’ identity mapping through various e-government projects and the datafication of various transaction generated data.

Seeding

Any digital identity like Aadhaar typically has three features: 1. Identification i.e. a number or card used to identify yourself; 2. Authentication, which is based on your number or card and any other digital attributes that you might have; 3. Authorisation: As bearers of the digital identity, we can authorise the service providers to take some steps on our behalf. The case study discussed ‘seeding’ which enables the Big Data aspects of Digital India. In the process of seeding, different government databases can be seeded with the UID number using a platform called Ginger. Due to this, other databases can be connected to UIDAI, and through it, data from other databases can be queried by using your Aadhaar identity itself. This is an example of relationality, where fractured data is being brought together. At the moment, it is not clear whether this access by UIDAI means that an actual physical copy of such data from various sources will be transferred to UIDAI’s servers or if they will just access it through internet, but the data remains on the host government agency’s server. An example of even private parties becoming a part of this infrastructure was raised by a participant when it was pointed out that Reliance Jio is now asking for fingerprints. This can then be connected to the relational infrastructure being created by UIDAI. The discussion then focused on how such a structure will function, where it was mentioned that as of now, it cannot be said with certainty that UIDAI will be the agency managing this relational infrastructure in the long run, even though it is the one building it.

Aadhaar and Data Security

This case study also dealt with the sheer lack of data protection legislation in India except for S.43A of the IT Act. The section does not provide adequate protection as the constitutionality of the rules and regulations under S.43A is ambivalent. More importantly, it only refers to private bodies. Hence, any seeding which is being done by the government is outside the scope of data protection legislation. Thus, at the moment, no legal framework covers the processes and the structures being used for datasets. Due to the inapplicability of S.43A to public bodies, questions were raised as to the existence of a comprehensive data protection policy for government institutions. Participants answered the question in the negative. They pointed out that if any government department starts collecting data, they develop their own privacy policy. There are no set guidelines for such policies and they do not address concerns related to consent, data minimisation and purpose limitation at all. Questions were also raised about the access and control over Big Data with government institutions. A tentative answer from a participant was that such data will remain under the control of the domain specific government ministry or department, for e.g. MNREGA data with the Ministry of Rural Development, because the focus is not on data centralisation but rather on data linking. As long as such fractured data is linked and there is an agency that is responsible to link them, this data can be brought together. Such data is primarily for government agencies. But the government is opening up certain aspects of the data present with it for public consumption for research and entrepreneurial purposes.The UIDAI provides you access to your own data after paying a minimal fee. The procedure for such access is still developing.

Aadhaar’s Relational Arrangement with Big Data Scheme

The various Digital India schemes brought in by the government were elucidated during the workshop. It was pointed out that these schemes extend to myriad aspects of a citizen’s daily life and cover all the essential public services like health, education etc. This makes Aadhaar imperative even though the Supreme Court has observed that it is not mandatory for every citizen to have a unique identity number. The benefits of such identity mapping and the ecosystem being generated by it was also enumerated during the discourse. But the complete absence of any data ethics or data confidentiality principles make us unaware of the costs at which these benefits are being conferred on us. Apart from surveillance concerns, the knowledge gap being created between the citizens and the government was also flagged. Three main benefits touted to be provided by Aadhaar were then analysed. The first is the efficient delivery of services. This appears to be an overblown claim as the Aadhaar specific digitisation and automation does not affect the way in which employment will be provided to citizens through MNREGA or how wage payment delays will be overcome. These are administrative problems that Aadhaar and associated technologies cannot solve. The second is convenience to the citizens. The fallacies in this assertion were also brought out and identified. Before the Aadhaar scheme was rolled in, ration cards were issued based on certain exclusion and inclusion criteria.. The exclusion and inclusion criteria remain the same while another hurdle in the form of Aadhaar has been created. As India is still lacking in supporting infrastructure such as electricity, server connectivity among other things, Aadhaar is acting as a barrier rather than making it convenient for citizens to enroll in such schemes.The third benefit is fraud management. Here, a participant pointed out that this benefit was due to digitisation in the form of GPS chips in food delivery trucks and electronic payment and not the relational nature of Aadhaar. Aadhaar is only concerned with the linking up or relational part. About deduplication, it was pointed out how various government agencies have tackled it quite successfully by using technology different from biometrics which is unreliable at the best of times.

The Myths surrounding Aadhaar

The discussion also reflected on the fact that Aadhaar is often considered to be a panacea that subsumes all kinds of technologies to tackle leakages. However, this does not take into account the fact that leakages happen in many ways. A system should have been built to tackle those specific kinds of leakages, but the focus is solely on Aadhaar as the cure for all. Notably, participants who have been a part of the government pointed out how this myth is misleading and should instead be seen as the first step towards a more digitally enhanced country which is combining different technologies through one medium.

IndiaStack and FinTech Apps

What is India Stack?

The focus then shifted to another extremely important Big Data project, India Stack, being conceptualised and developed by a team of private developers called iStack, for the NPCI. It builds on the UID project, Jan Dhan Yojana and mobile services trinity to propagate and develop a cashless, presence-less, paperless and granular consent layer based on UID infrastructure to digitise India.

A participant pointed out that the idea of India Stack is to use UID as a platform and keep stacking things on it, such that more and more applications are developed. This in turn will help us to move from being a ‘data poor’ country to a ‘data rich’ one. The economic benefits of this data though as evidenced from the TAGUP report - a report about the creation of National Information Utilities to manage the data that is present with the government - is for the corporations and not the common man. The TAGUP report openly talks about privatisation of data.

Problems with India Stack

The granular consent layer of India Stack hasn’t been developed yet but they have proposed to base it on MIT Media Lab’s OpenPDS system. The idea being that, on the basis of the choices made by the concerned person, access to a person’s personal information may be granted to an agency like a bank. What is more revolutionary is that India Stack might even revoke this access if the concerned person expresses a wish to do so or the surrounding circumstances signal to India Stack that it will be prudent to do so. It should be pointed out that the the technology required for OpenPDS is extremely complex and is not available in India. Moreover, it’s not clear how this system would work. Apart from this, even the paperless layer has its faults and has been criticised by many since its inception, because an actual government signed and stamped paper has been the basis of a claim.. In the paperless system, you are provided a Digilocker in which all your papers are stored electronically, on the basis of your UID number. However, it was brought to light that this doesn’t take into account those who either do not want a Digilocker or UID number or cases where they do not have access to their digital records. How in such cases will people make claims?

A Digital Post-Dated Cheque: It’s Ramifications

A key change that FinTech apps and the surrounding ecosystem want to make is to create a digital post-dated cheque so as to allow individuals to get loans from their mobiles especially in remote areas. This will potentially cut out the need to construct new banks, thus reducing the capital expenditure , while at the same time allowing the credit services to grow. The direct transfer of money between UID numbers without the involvement of banks is a step to further help this ecosystem grow. Once an individual consents to such a system, however, automatic transfer of money from one’s bank accounts will be affected, regardless of the reason for payment. This is different from auto debt deductions done by banks presently, as in the present system banks have other forms of collateral as well. The automatic deduction now is only affected if these other forms are defaulted upon. There is no knowledge as to whether this consent will be reversible or irreversible. As Jan Dhan Yojana accounts are zero balance accounts, the account holder will be bled dry. The implication of schemes such as “Loan in under 8 minutes” were also discussed. The advantage of such schemes is that transaction costs are reduced.The financial institution can thus grant loans for the minimum amount without any additional enquiries. It was pointed out that this new system is based on living on future income much like the US housing bubble crash. Interestingly, in Public Distribution Systems, biometrics are insisted upon even though it disrupts the system. This can be seen as a part of the larger infrastructure to ensure that digital post-dated cheques become a success.

The Role of FinTech Apps

FinTech ‘apps’ are being presented with the aim of propagating financial inclusion. The Technology Advisory Group for Unique Projects report stated that as managing such information sources is a big task, just like electricity utilities, a National Information Utilities (NIU) should be set up for data sources. These NIUs as per the report will follow a fee based model where they will be charging for their services for government schemes. The report identified two key NIUs namely the National Payments Corporation of India (NPCI) and the Goods and Services Tax Network (GSTN). The key usage that FinTech applications will serve is credit scoring. The traditional credit scoring data sources only comprised a thin file of records for an individual, but the data that FinTech apps collect - a person’s UID number, mobile number. and bank account number all linked up, allow for a far more comprehensive credit rating. Government departments are willing to share this data with FinTech apps as they are getting analysis in return. Thus, by using UID and the varied data sources that have been linked together by UID, a ‘thick file’ is now being created by FinTech apps. Banking apps have not yet gone down the route of FinTech apps to utilise Big Data for credit scoring purposes.

The two main problems with such apps is that there is no uniform way of credit scoring. This distorts the rate at which a person has to pay interest. The consent layer adds another layer of complication as refusal to share mobile data with a FinTech app may lead to the app declaring one to be a risky investment thus, subjecting that individual to a higher rate of interest .

Regulation of FinTech Apps and the UID Infrastructure

India Stack and the applications that are being built on it, generate a lot of transaction metadata that is very intimate in nature. The privacy aspects of the UID legislation doesn't cover such data. The granular consent layer which has been touted to cover this still has to come into existence. Also, Big Data is based on sharing and linking of data. Here, privacy concerns and Big Data objectives clash. Big Data by its very nature challenges privacy principles like data minimisation and purpose limitation.The need for regulation to cover the various new apps and infrastructure which are being developed was pointed out.

Problems with UID

It has been observed that any problem present with Aadhaar is usually labelled as a teething problem, it’s claimed that it will be solved in the next 10 years. But, this begs the question - why is the system online right now?

Aadhaar is essentially a new data condition and a new exclusion or inclusion criteria. Data exclusion modalities as observed in Rajasthan after the introduction of biometric Point of Service (POS) machines at ration shops was found to be 45% of the population availing PDS services. This number also includes those who were excluded from the database by being included in the wrong dataset. There is no information present to tell us how many actual duplicates and how many genuine ration card holders were weeded out/excluded by POS.

It was also mentioned that any attempt to question Aadhaar is considered to be an attempt to go back to the manual system and this binary thinking needs to change. Big Data has the potential to benefit people, as has been evidenced by the scholarship and pension portals. However, Big Data’s problems arise in systems like PDS, where there is centralised exclusion at the level of the cloud. Moreover, the quantity problem present in the PDS and MNREGA systems persists. There is still the possibility of getting lesser grains and salary even with analysis of biometrics, hence proving that there are better technologies to tackle these problems. Presently, the accountability mechanisms are being weakened as the poor don’t know where to go to for redressal. Moreover, the mechanisms to check whether the people excluded are duplicates or not is not there. At the time of UID enrollment, out of 90 crores, 9 crore were rejected. There was no feedback or follow-up mechanism to figure out why are people being rejected. It was just assumed that they might have been duplicates.

Another problem is the rolling out of software without checking for inefficiencies or problems at a beta testing phase. The control of developers over this software, is so massive that it can be changed so easily without any accountability.. The decision making components of the software are all proprietary like in the the de-duplication algorithm being used by the UIDAI. Thus, this leads to a loss of accountability because the system itself is in flux, none of it is present in public domain and there are no means to analyse it in a transparent fashion..

These schemes are also being pushed through due to database politics. On a field study of NPR of citizens, another Big Data scheme, it was found that you are assumed to be an alien if you did not have the documents to prove that you are a citizen. Hence, unless you fulfill certain conditions of a database, you are excluded and are not eligible for the benefits that being on the database afford you.

Why is the private sector pushing for UIDAI and the surrounding ecosystem?

Financial institutions stand to gain from encouraging the UID as it encourages the credit culture and reduces transaction costs.. Another advantage for the private sector is perhaps the more obvious one, that is allows for efficient marketing of products and services..

The above mentioned fears and challenges were actually observed on the ground and the same was shown through the medium of a case study in West Bengal on the smart meters being installed there by the state electricity utility. While the data coming in from these smart meters is being used to ensure that a more efficient system is developed,it is also being used as a surrogate for income mapping on the basis of electricity bills being paid. This helps companies profile neighbourhoods. The technical officer who first receives that data has complete control over it and he can easily misuse the data. This case study again shows that instruments like Aadhaar and India Stack are limited in their application and aren’t the panacea that they are portrayed to be.

A participant pointed out that in the light of the above discussions, the aim appears to be to get all kinds of data, through any source, and once you have gotten the UID, you link all of this data to the UID number, and then use it in all the corporate schemes that are being started. Most of the problems associated with Big Data are being described as teething problems. The India Stack and FinTech scheme is coming in when we already know about the problems being faced by UID. The same problems will be faced by India Stack as well.

Can you opt out of the Aadhaar system and the surrounding ecosystem?

The discussion then turned towards whether there can be voluntary opting out from Aadhaar. It was pointed out that the government has stated that you cannot opt out of Aadhaar. Further, the privacy principles in the UIDAI bill are ambiguously worded where individuals only have recourse for basic things like correction of your personal information. The enforcement mechanism present in the UIDAI Act is also severely deficient. There is no notification procedure if a data breach occurs. . The appellate body ‘Cyber Appellate Tribunal’ has not been set up in three years.

CCTNS: Big Data and its Predictive Uses

What is Predictive Policing?

The next big Big Data case study was on the Crime and Criminal Tracking Network & Systems (CCTNS). Originally it was supposed to be a digitisation and interconnection scheme where police records would be digitised and police stations across the length and breadth of the country would be interconnected. But, in the last few years some police departments of states like Chandigarh, Delhi and Jharkhand have mooted the idea of moving on to predictive policing techniques. It envisages the use of existing statistical and actuarial techniques along with many other tropes of data to do so. It works in four ways: 1. By predicting the place and time where crimes might occur; 2. To predict potential future offenders; 3. To create profiles of past crimes in order to predict future crimes; 4. Predicting groups of individuals who are likely to be victims of future crimes.

How is Predictive Policing done?

To achieve this, the following process is followed: 1. Data collection from various sources which includes structured data like FIRs and unstructured data like call detail records, neighbourhood data, crime seasonal patterns etc. 2. Analysis by using theories like the near repeat theory, regression models on the basis of risk factors etc. 3. Intervention

Flaws in Predictive Policing and questions of bias

An obvious weak point in the system is that if the initial data going into the system is wrong or biased, the analysis will also be wrong. Efforts are being made to detect such biases. An important way to do so will be by building data collection practices into the system that protect its accuracy. The historical data being entered into the system is carrying on the prejudices inherited from the British Raj and biases based on religion, caste, socio-economic background etc.

One participant brought about the issue of data digitization in police stations, and the impact of this haphazard, unreliable data on a Big Data system. This coupled with paucity of data is bound to lead to arbitrary results. An effective example was that of black neighbourhoods in the USA. These are considered problematic and thus they are policed more, leading to a higher crime rate as they are arrested for doing things that white people in an affluent neighbourhood get away with. This in turn further perpetuates the crime rate and it becomes a self-fulfilling prophecy. In India, such a phenomenon might easily develop in the case of migrants, de-notified tribes, Muslims etc. A counter-view on bias and discrimination was offered here. One participant pointed out that problems with haphazard or poor quality of data is not a colossal issue as private companies are willing to fill this void and are actually doing so in exchange for access to this raw data. It was also pointed out how bias by itself is being used as an all encompassing term. There are multiplicities of biases and while analysing the data, care should be taken to keep it in mind that one person’s bias and analysis might and usually does differ from another. Even after a computer has analysed the data, the data still falls into human hands for implementation.

The issue of such databases being used to target particular communities on the basis of religion, race, caste, ethnicity among other parameters was raised. Questions about control and analysis of data were also discussed, i.e. whether it will be top-down with data analysis being done in state capitals or will this analysis be done at village and thana levels as well too. It was discussed as topointed out how this could play a major role in the success and possible persecutory treatment of citizens, as the policemen at both these levels will have different perceptions of what the data is saying. . It was further pointed out, that at the moment, there’s no clarity on the mode of implementation of Big Data policing systems. Police in the USA have been seen to rely on Big Data so much that they have been seen to become ‘data myopic’. For those who are on the bad side of Big Data, in the Indian context, laws like preventive detention can be heavily misused.There’s a very high chance that predictive policing due to the inherent biases in the system and the prejudices and inefficiency of the legal system will further suppress the already targeted sections of the society. A counterpoint was raised and it was suggested that contrary to our fears, CCTNS might lead to changes in our understanding and help us to overcome longstanding biases.

Open Knowledge Architecture as a solution to Big Data biases?

The conference then mulled over the use of ‘Open Knowledge’ architecture to see whether it can provide the solution to rid Big Data of its biases and inaccuracies if enough eyes are there. It was pointed out that Open Knowledge itself can’t provide foolproof protection against these biases as the people who make up the eyes themselves are predominantly male belonging to the affluent sections of the society and they themselves suffer from these biases.

Who exactly is Big Data supposed to serve?

The discussion also looked at questions such as who is this data for? Janata Information System (JIS), is a concept developed by MKSS where the data collected and generated by the government is taken to be for the common citizens. For e.g. MNREGA data should be used to serve the purposes of the labourers. The raw data as is available at the moment, usually cannot be used by the common man as it is so vast and full of information that is not useful for them at all. It was pointed out that while using Big Data for policy planning purposes, the actual string of information that turned out to be needed was very little but the task of unravelling this data for civil society purposes is humongous. By presenting the data in the right manner, the individual can be empowered. The importance of data presentation was also flagged. It was agreed upon that the content of the data should be for the labourer and not a MNC, as the MNC has the capability to utilise the raw data on it’s own regardless.

Concerns about Big Data usage

Participants pointed out that privacy concerns are usually brushed under the table due to a belief that the law is sufficient or that the privacy battle has already been lost.
In the absence of knowledge of domain and context, Big Data analysis is quite limited. Big Data’s accuracy and potential to solve problems needs to be factually backed.
The narrative of Big Data often rests on the assumption that descriptive statistics take over inferential statistics, thus eliminating the need for domain specific knowledge. It is claimed that the data is so big that it will describe everything that we need to know.
Big Data is creating a shift from a deductive model of scientific rigour to an inductive one. In response to this, a participant offered the idea that troves of good data allow us to make informed questions on the basis of which the deductive model will be formed. A hybrid approach combining both deductive and inductive might serve us best.
The need to collect the right data in the correct format, in the right place was also expressed.

Potential Research Questions & Participants’ Areas of Research

Following this discussion, participants brainstormed to come up with potential areas of research and research questions. They have been captured below:

Big Data, Aadhaar and India Stack:

Has Aadhaar been able to tackle illegal ways of claiming services or are local negotiations and other methods still prevalent?
Is the consent layer of India Stack being developed in a way that provides an opportunity to the UID user to give informed consent? The OpenPDS and its counterpart in the EU i.e. the My Data Structure were designed for countries with strong privacy laws. Importantly, they were meant for information shared on social media and not for an individual’s health or credit history. India is using it in a completely different sphere without strong data protection laws. What were the granular consent layer structures present in the West designed for and what were they supposed to protect?
The question of ownership of data needs to be studied especially in context of a globalised world where MNCs are collecting copious amounts of data of Indian citizens. What is the interaction of private parties in this regard?

Big Data and Predictive Policing:

How are inequalities being created through the Big Data systems? Lessons should be taken from the Western experience with the advent of predictive policing and other big data techniques - they tend to lead to perpetuation of the current biases which are already ingrained in the system.
It was also pointed out how while studying these topics and anything related to technology generally, we become aware of a divide that is present between the computational sciences and social sciences. This divide needs to be erased if Big Data or any kind of data is to be used efficiently. There should be a cross-pollination between different groups of academics. An example of this can be seen to be the ‘computational social sciences departments’ that have been coming up in the last 3-4 years.
Why are so many interim promises made by Big Data failing? A study of this phenomenon needs to be done from a social science perspective. This will allow one to look at it from a different angle.

Studying Big Data:

What is the historical context of the terms of reference being used for Big Data? The current Big Data debate in India is based on parameters set by the West. For better understanding of Big Data, it was suggested that P.C. Mahalanobis’ experience while conducting the Indian census, (which was the Big Data of that time) can be looked at to get a historical perspective on Big Data. This comparison might allow us to discover questions that are important in the Indian context. It was also suggested that rather than using ‘Big Data’ as a catchphrase to describe these new technological innovations, we need to be more discerning.
What are the ideological aspects that must be considered while studying Big Data? What does the dialectical promise of technology mean? It was contended that every time there is a shift in technology, the zeitgeist of that period is extremely excited and there are claims that it will solve everything. There’s a need to study this dialectical promise and the social promise surrounding it.
Apart from the legitimate fears that Big Data might lead to exclusion, what are the possibilities in which it improve inclusion too?
The diminishing barrier between the public and private self, which is a tangent to the larger public-private debate was mentioned.
How does one distinguish between technology failure and process failure while studying Big Data?

Big Data: A Friend?

In the concluding session, the fact that the Big Data moment cannot be wished away was acknowledged. The use of analytics and predictive modelling by the private sector is now commonplace and India has made a move towards a database state through UID and Digital India. The need for a nuanced debate, that does away with the false equivalence of being either a Big Data enthusiast or a luddite is crucial.

A participant offered two approaches to solving a Big Data problem. The first was the Big Data due process framework which states that if a decision has been taken that impacts the rights of a citizen, it needs to be cross examined. The efficacy and practicality of such an approach is still not clear. The second, slightly paternalistic in nature, was the approach where Big Data problems would be solved at the data science level itself. This is much like the affirmative algorithmic approach which says that if in a particular dataset, the data for the minority community is not available then it should be artificially introduced in the dataset. It was also suggested that carefully calibrated free market competition can be used to regulate Big Data. For e.g. a private personal wallet company that charges higher, but does not share your data at all can be an example of such competition.

Another important observation was the need to understand Big Data in a Global South context and account for unique challenges that arise. While the convenience of Big Data is promising, its actual manifestation depends on externalities like connectivity, accurate and adequate data etc that must be studied in the Global South.

While the promises of Big Data are encouraging, it is also important to examine its impacts and its interaction with people's rights. Regulatory solutions to mitigate the harms of big data while also reaping its benefits need to evolve.

For more details visit https://cis-india.org/internet-governance/big-data-in-india-benefits-harms-and-human-rights-a-report

Privacy after Big Data: Compilation of Early Research

Saumyaa Naidu — 2016-11-12T01:37:03Z

Download the Compilation (PDF)

Privacy after Big Data

Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.

These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.

These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.

Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.

Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.

In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.

Elonnai Hickok
Director - Internet Governance

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research

How Workstream 2 Plans to Improve ICANN's Transparency

Asvatha Babu — 2016-11-11T10:05:04Z

The Centre for Internet and Society has worked extensively on ICANN’s transparency policies. We are perhaps the single largest users of the Documentary Information Disclosure Policy. Our goal in doing so is not to be a thorn in ICANN’s side, but to try and ensure that ICANN, the organisation, as well as the ICANN community have access to the data required to carry out the task of regulating the global domain name system.

The transparency subgroup of ICANN’s Workstream 2 dialogue attempts to see how they could effectively improve the transparency and accountability of the organization. The main document under scrutiny at the moment is the draft Transparency Report published a few days before the 57th ICANN meeting in Hyderabad.

The report begins with an acknowledgement of the value of taking tips from the Right to Information policies of other institutions and governments. My colleague Padmini Baruah had earlier written a blog post comparing the exclusion policy of ICANN’s DIDP and the Indian Government’s RTI where she found that “the net cast by the DIDP exclusions policy is more vast than even than that of a democratic state’s transparency law.”[1] The WS2 report not only discusses the DIDP process, but also discusses ICANN’s proactive disclosures (with regard to lobbying etc) and whistleblower policies. This article focuses solely on the first.

As our earlier blog posts have mentioned, CIS sent in 28 DIDP requests over the last two years. Our experience with DIDP has been less than satisfactory and we are pleased that DIDP reform was an important part of the discussions of this subgroup. The report proposes some concrete structural changes to the DIDP process but skirts around some of the more controversial ones.

The recommendation to make the process of submitting requests clearer is a good one. There are currently no instructions on the follow-up process or what ICANN requires of the requestors. The report also recommends capping any extension to the original 30-day limit to an additional 30 days. While this is good, we further recommend that ICANN stay in touch with the requestor in order to help them to the best of its ability. The correspondence should ideally not be limited to a notification that they require an extension. Any clarifications on the part of the requestor must be resolved by ICANN. We commend the report for pointing out that the status quo – where there is no outside limit for extension of time beyond the mandated 30 days – is problematic as it allows the ICANN staff to give lesser priority to responding to DIDP requests. We strongly suggest that extensions of time on responding to DIDP requests be restricted to a maximum of 7 days after the passing of the 30-day period, after which liability should be strictly imposed on ICANN in the form of an individual fine, analogous to India’s RTI policy.[2]

One of the major areas of focus for this report and for our earlier analysis was the problematic nature of the exclusions to the DIDP. I had written that the conditions were "numerous, vaguely worded and contain among them a broad range of information that should legitimately be in the public domain.”[3] This is echoed by the report which calls for a deletion of two clauses that we found most used in denying our requests for information.

The report also calls into question the subjective nature of the last condition which states that ICANN can deny information if they find requests “not reasonable, excessive or overly burdensome, not feasible, abusive or vexatious or made by a vexatious or querulous individual.” As seen from our blog posts, we are of the firm belief that such a subjective condition has no place in a robust information disclosure policy. Requiring the Ombudsman’s consent to invoke it is a good first step. In addition to that, we strongly encourage that objective guidelines which specify when a requestor is considered “vexatious” be drawn up and made public.

The most disappointing aspect of this report is that it does not delve into details about having an independent party dedicated to reviewing the DIDP process to address grievances. We believe that this must not be left to the Ombudsman who cannot devote all their time to this process. We are of the opinion that an independent party would also be able to more effectively oversee the tracking and periodic review of the DIDP mechanism.

In conclusion, we believe that this report is a good start but does not comprehensively answer all of our issues with the DIDP process as it is. We look forward to more engagement with the Transparency subgroup to close all loopholes within the DIDP process.

[1] Padmini Baruah, Peering behind the veil of ICANN’s DIDP, (September 21, 2015), available at http://cis-india.org/internet-governance/blog/peering-behind-the-veil-of-icann2019s-didp (Last visited on November 9, 2016).

[2] Section 20(1), Right to Information Act, 2005.

[3] Asvatha Babu, If the DIDP Did Its Job, (November 3, 2016), available at http://cis-india.org/internet-governance/blog/if-the-didp-did-its-job (Last Visited on November 9, 2016).

For more details visit https://cis-india.org/internet-governance/blog/how-workstream-2-plans-to-improve-icanns-transparency