We are anonymous, we are legion

An 'app'ening world

praskrishna — 2016-10-05T00:24:19Z

A ‘forward’ has been doing the rounds on WhatsApp about the privacy concerns relating to that instant messaging app; it’s asking for permission to share user data with Facebook.

The article by Chetana Divya Vasudev was published in Deccan Herald on October 4, 2016. Rohini was quoted.

In the WhatsApp notification, asking users to agree to the terms and conditions again, the option to share these user details to help improve ads on Facebook is already selected. Those who are uncomfortable parting with this information have to uncheck it before clicking on the ‘I agree’ button.

“Agreeing to this would mean Facebook can see who you’re chatting with and what you’re talking about,” says tech expert Chinmayi S K. “So if you’re talking about cat adoption, the ads displayed on the side could be relevant to that.”

When it comes to other smartphone apps, she cites Zomato as an example. “It has been asking for user history — previous orders and other such details — to make recommendations,” she says. “This comes with the app update. Tinder, too, is asking for your location using wifi, which is more accurate than the GPRS location.”
It’s alright to agree to these permissions, she says, so long as you’re aware of what you’re signing up for and how that data is going to be used.

If you have qualms about agreeing to this, there are usually alternatives you can find, adds Rohini Lakshane, program officer, Centre for Internet and Society. “If not, it’s usually a trade-off: you have to see how much you want the app,” she points out.

There are, however, other apps that might be duplicates asking for access to your device or files, cautions Chinmayi.

“If a cooking app, a simple one that gives you recipes, asks for your call logs or other files, for example,” she says.

A discerning user, interjects Rohini, will check for permission to access files or functions that are not strictly necessary for the features the app supports. “I don’t want to name anything but some e-commerce and travel apps ask to access your browsing history and the other apps or networks you’re connect to. It could be to serve you contextual ads or content, like Zomato, or to sell it to someone. You never know,” she says. However, some devices or versions of the Android OS let you control what permissions you enable, she informs.

Aeronautical engineer Pavan Raj P V says he takes care not to compromise on his safety, whenever possible. “But there are a few apps that I have on my phone no matter what — Facebook, WhatsApp, LinkedIn, Instagram. Most of them auto-update and require no extra permissions.”

However, he has noticed that LinkedIn asks for access to Gmail contacts that you could accidentally accept “if you’re logging in mechanically”.

Varsha C V, communications specialist at Karnataka State Highways Improvement Project, says, “Last month, my husband asked me to download a Google app for free calls that required all sorts of permissions, such as access to your phone logs. When Skype offers the same features without asking for all this, why should anyone use this app?”

She believes privacy in India is not taken as seriously as it should be. “You should keep in mind that if you’re giving them access to your contacts, you’re also compromising on others’ privacy,” she points out.

Lokanand, a sound engineer, admits to not paying attention to what he’s giving apps access to. “I’m no expert but if you ask me, you download apps because they are useful. So I don’t really bother about what I’m saying yes to.”

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-chetana-divya-vasudev-october-4-2016-an-appening-world

Eye on Mumbai

praskrishna — 2016-10-02T10:22:20Z

The feeds will be beamed to a video wall that stretches 21 feet across at the police’s command and control room.

The article by Tariq Engineer was published in Mumbai Mirror today. Sunil Abraham was quoted.

When seven bombs exploded on local trains between Khar and Borivali killing 209 people and injuring 714 in 2006, the Maharashtra police looked for CCTV footage but couldn’t find any because no cameras existed at railway stations back then.

When terrorists landed near Machimar colony in Cuffe Parade in 2008 and proceeded to slaughter hundreds of people in the city, CCTV footage was found only at the Taj and Trident hotels, Chhatrapati Shivaji Terminus and near the Times of India building. Places like Cama Hospital, Nariman House and Leopold Café were simply off the grid.

When Mumbai journalist J Dey was gunned down in Powai in 2011, the police obtained CCTV footage from a shopping centre nearby but it was so blurry, it was useless.

In each of these situations, a fully functioning high-definition CCTV system could have altered the outcome or aided the investigation in critical ways. That glaring gap in Mumbai’s security has now been filled by the Mumbai City Surveillance Project, which officially goes live today.

Over the last 20 months, a total of 4697 cameras have been installed at 1510 locations around Mumbai city. In addition to these, another 146 will survey the Bandra Kurla Complex. The tender for the project was issued in 2015 and won by a consortium led by construction major Larsen & Toubro with MTNL, CMS Computers and Infinova, which supplied the cameras, as partners.

The project is actually an outcome of the 26/11 attacks, having been recommended by the Ram Pradhan Committee, which was appointed to evaluate the city administration’s responses to the terror strike. According to Additional Chief Secretary (Home) KP Bakshi these cameras will ensure roughly 80 per cent of Mumbsi will be watched 24 hours a day, seven days a week. The city’s inhabitants will now have to be on their best behaviour.

“It was the police’s call to decide what they want to observe,” Bakshi said. “Do they want to look at the traffic or at a place where people gamble or do a lot of drinking?” The policeman in charge of selection of spots for installation of cameras was former additional commissioner of police Vasant Dhoble. Calling him a “game-changer”, one of the project managers said it was thanks to Dhoble that all the locations were surveyed in just twoand-a-half months. Dhoble was also instrumental in ensuring that the cameras were installed at the appropriate angles.

While the initial estimate was for 6,000 cameras, it was eventually determined that 4,697 were sufficient at this stage. The cameras have been placed on poles similar to street lights — 2290 of them — some with multiple cameras. “Let’s say there is a pole at Haji Ali Juice Center,” Bakshi said. “It may have three cameras — one looking towards Heera Panna, the other looking towards Mahalaxmi, the third looking towards Worli.”

The vast majority of the cameras — roughly 4200 — will be fixed and stare unblinkingly in one direction. The other 500 will be PTZ, or pan/tilt/zoom cameras, so those watching can scan an area or take a closer look at something that seems suspicious. All of the cameras can see in high definition, with visibility ranging from 50m to 120m. Some of them also have thermal imaging and night vision.

According to those involved in the project, the cameras have been built to withstand the rigours of Mumbai’s weather — specifically the heat and rain. Larsen & Toubro and CMS Computers are responsible for the maintenance of the system. Once the system is fully operational, the target is to have 99% of the cameras live at all times barring accidents. The responsibility for this lies with the service providers.

A smart system

The software that runs the cameras includes a Picture Intelligence Unit (PIU) that will conduct facial recognition analysis. If there is an image of a wanted person in the database, the program will scan the footage for matches and send a signal if it finds any. It will also send an alert if it notices a suspicious object, say one that has been left unattended for a pre-specified amount of time, so the cops can check it out. Tracking police vehicles — like you can follow the path of an Uber or Ola — is yet another feature, so if there is trouble, the nearest vehicle can be dispatched.

By Bakshi’s reckoning, if it is a small crime, then the police should be on the scene in five to ten minutes. If it is something like a bomb blast, then a Quick Response Team will be deployed, which will take a little longer – say 10 to 15 minutes.

Who will be watching you?

The feeds from these cameras will be fed to a video wall that stretches 21 feet across in a control room that has been set up in the Commissioner of Police Headquarters at Crawford Market. The footage will be monitored by about 20 observers who have been specially trained for the job.

However, a project manager said, watching the wall for more than eight minutes “would make anyone mad” because it is so chaotic. Therefore, each observer has his own workstation with three computer screens where he can only watch the feeds he has been assigned.

Entry to the control room is also strictly monitored. It requires five fingerprint access just to get in the room and a thumb print to turn individual workstations on. Mobile phones and personal effects are banned and the computers have no USB ports, so data can’t be copied.

In addition, there are viewing screens in each of the additional commissioner’s zonal offices and in all 23 police stations and roughly 200 observers will eventually be required to operate them. A project manager said he hoped to have a 60-40 or 50-50 split between male and female observers. The observers are monitored by the police, who will decide what actions to take depending on what alerts are generated.

The manpower is being provided by CMS Computers, with applicants having their resumes verified by the police. Observers will spend anywhere from four to six weeks in training before they get on the job, one of the project managers said.

Keeping the data secure

The images from the standard cameras will be stored for 90 days, while those taken with PTZ cameras will be stored for 30 days. “If you store for longer periods, it involves more cost,” Bakshi said. “We feel that if something has to be reported to us, it will be reported within 90 days.”

MTNL has set up a data centre in Worli and a disaster recovery centre in Belapur. If something goes wrong in Worli, there will still be connectivity via Belapur. Both centres have been “tied-up” to make the data as safe as possible. At the test lab at Larsen & Toubro’s project headquarters in Mallet Bunder, they even have a rodent detection device that broadcasts an ultrasonic frequency to drive away rats and stop them from chewing up the wires.

False starts

The project took some time to get off the ground because getting the details worked out was a painstaking elaborate process, former Maharashtra chief secretary ( home) Amitabh Rajan, told Mumbai Mirror. The committee wanted to make sure everything was transparent and that there were no allegations against the project. Control and security were also zealously guarded. “No compromise on security, not even cost,” Rajan said. “Like titration in chemistry, we eventually got the right concentration.”

There was also a battle between a lobby that wanted the system to be set up using dedicated fibre optic cables, and a lobby of technology providers that wanted to use wireless technology. The cops backed cables, which are not only safer but make it easy to add additional bandwidth, whereas wireless networks have limited bandwidth. It was a battle the cops would eventually win but at the cost of time.

The tender process didn’t go smoothly either. Larsen and Toubro were actually the winners of the fourth tender the Maharashtra government put forward. The first tender had to be cancelled because the winning consortium had not properly disclosed its ownership structure — one of the companies turned out to be controlled by a subsidiary of Reliance Industries. The second was cancelled when the vendor’s bank guarantee cheque of Rs 2 crore bounced and the owner disappeared. He was eventually found and arrested two years later.

The third tender received no bidders because it did not offer up-front payment for capital expenditure, according to then IT secretary Rajesh Aggarwal, who was part of the committee. It was finally on the fourth occasion, when the committee decided to offer a certain percentage of the project cost at the start and the rest over the remaining five years as maintenance fees, that a deal could be sealed.

Coordination headache

The next hurdle was coordinating the work between all the different organisations that populate Mumbai. The final total was around 35 or 40 bodies, including the Municipal Corporation of Greater Mumbai (MCGM), BEST and Reliance Power, the police, MMRDA, the Government of India and the High Court. “To explain to everyone that it is a security project and please don’t go by normal rules, you have to give concessions for all these things, all this co-ordination was a big job,” Bakshi said.

It led to delays, which is why the project had to take the extraordinary step of getting permission from the MCGM to dig up roads during the monsoon to lay the fibre-optic cables. It was the only way the project could make its deadline.

“If we had done it like a normal project, it would have taken five years,” an engineer said.

A question of privacy

Two experts in privacy issues that Mirror spoke to said that such a system is in the public interest, but safeguards must be built to prevent abuse. “If the data falls into the wrong hands, it can create havoc,” said Pavan Duggal, an expert in the field of cyber law. “Large scale surveillance of the public should not be the norm, it should be the exemption to the norm.” he said. “It can create unease and lessen the enjoyment of living in a democratic society.”

According to Sunil Abraham, director of the Centre for Internet and Society, the biggest problem is that India does not have an “omnibus privacy law”.

Instead, it has about 50 different laws across sectors and therefore privacy regulations are not consistent, which has created a legal thicket. “110 countries have passed privacy laws to European Union standards. India is really far behind,” he said.

He also listed a number of principles that he hoped the project would abide by, such as the principles of notice (CCTV cameras should be advertised as such), of openness (details of the system should be made public), security (“if you don’t have security, you can’t ensure privacy”) and of access (“we should have a right to get the footage of ourselves”). He also warned against the footage being shared between different security agencies without due process.

Additional Chief Secretary (Home) Bakshi said most of these principles were part of the system. There would be boards demarcating the CCTV cameras, the system would be publicly launched, it was being made as secure as possible and footage could be handed over depending on the circumstances. “If it is your own, then no problem,” Bakshi said. “If it is someone else’s then there are privacy issues. Is it because of criminal intent or you want to track your girlfriend’s other boyfriend to see if he is following her? These are issues. If you want yours, on merit we can give. No issue.”

Another concern Abraham raised is unique to India and the Aadhaar card, which uses biometric data as passwords, not identification. Since the CCTV cameras are high resolution, it raises the risk of someone recreating your iris or finger prints from a captured image and then “somebody could empty your Aadhaarlinked bank accounts,” Abraham said.

This is not as far-fetched as it sounds. Abraham pointed out that in 2014 a member of the Chaos Collective Club, the largest association of hackers in Europe, recreated the finger print of a German minister from a photograph they took of her hand.

“Other risks are smaller, a revealing photograph or someone trying to blackmail you,” Abraham said.

Not just for crime

The camera feed has other applications too, beginning with traffic management. An automatic number plate recognition system will be installed as well. If you look around the corner, don’t see a cop and jump a light, you could still get in trouble. “6000 [sic] police in the sky are watching you and you will get a challan sitting at home,” Aggarwal said. Other uses include tracking of encroachments by the Municipal Corporation of Greater Mumbai which will have an additional viewing centre. Also garbage disposal and other civic issues such as water logging and a subject dear to Mumbai citizens — potholes. “Somebody complains that this road has a pothole, immediately you can zoom in and see that yes, there is a pothole on this road,” Bakshi said.

There is also a provision to allow a further 103 locations to plug-in and play. For example, if the Taj Mahal Hotel wants the police to survey the hotel for a period of time, the hotel’s CCTV system can be hooked up to the main control room within 48 hours. The same goes for the airport or the railway stations.

Effect of CCTV surveillance

Worldwide the academic literature on CCTV surveillance suggests its effectiveness, especially on crime prevention, is uncertain or limited. “Post crime it really, really helps,” Aggarwal said, “but for prevention, we have to wait and watch. If it reduces sexual harassment for example, then that is priceless. Time will tell how people try to beat the system and how the system tries to catch up.”

Joint Commissioner of Police, Law and Order, Deven Bharti said he was already seeing an improvement in traffic management and in prevention and detection of crimes thanks to the 3000-plus cameras that were live when Mirror spoke to him two days ago, though he said he could not provide details. “The system is working to our satisfaction,” Bharti said.

Bakshi said the effects of the system should start showing roughly a month after the project is fully operational. “In Pune, results started being seen within a month. Once all 4700 [cameras] are live, you will start seeing the results on traffic violations, street crimes, and at general discipline level. [First] Let the people know they are under surveillance, that they are completely covered in Mumbai by CCTV.”

The total cost of the project is Rs 1008 crore. Out of this, about Rs 400 crore has already been spent. The balance will be paid out in regular installments until October 2021. At that point the Maharashtra government and Mumbai police will take complete control of the project. “We presume that in five years’ time, we will have enough trained people to run it ourselves,” Bakshi said.

For more details visit https://cis-india.org/internet-governance/news/mumbai-mirror-tariq-engineer-october-2-2016-eye-on-mumbai

WhatsApp ruling: Experts seek privacy law

praskrishna — 2016-09-27T02:35:06Z

On August 25, Whatsapp updated its policy to share user content with social network; the decision opened new monetisation models for the messaging app.

The article by Apurva Venkat and Moulishree Srivastava quoted Sunil Abraham. It was published in the Business Standard on September 24, 2016.

The recent Delhi High Court ruling that messaging app Whatsapp cannot share user data highlights the need for legislation on privacy, according to experts.

On August 25, Whatsapp, a platform with 70 million users in India that was acquired by Facebook in 2014, updated its policy to share user content with the social network. The decision opened new monetisation models for the messaging app.

In response to a PIL, the court ordered WhatsApp to delete data of users who chose to opt out of its policy changes before September 25. It also orderedWhatsApp not to share data collected before September 25 with Facebook for users who had not opted out.

"The decision makes a strong statement on privacy," said Sunil Abraham, executive director of the Centre for Internet Society. According to him, a user trusts a platform and provides access to his data. As another firm acquires the platform, it gains access to the data.

"Facebook owns Whatsapp. It has to look at ways of monetising it," said Nikhil Pahwa, co-founder of SavetheInternet.in.

"With so much digital data being generated, there is a need for a privacy law in the country," said Pahwa.

"Facebook's consent interface is confusing. It can make a person who wants to opt out let the company access his data," said Abraham, adding a law would take care of such intricacies. The government is working on a privacy bill.

Saroj Kumar Jha, partner, SRGR Law Offices, said there were few judgments on privacy in India based on constitutional rights.

"While the Information Technology Act enables courts to pass judgments on global companies on privacy, enforcing the orders is difficult," he said.

"What is required is a privacy law that can protect user data and uphold the individual's right to privacy," he added.

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-24-apurva-venkat-and-moulishree-srivastava-whasapp-ruling-experts-seek-privacy-law

Right to Food Campaign, Ranchi Convention, 2016

sumandro — 2019-03-16T04:40:52Z

The Right to Food Campaign held its 2016 Convention in Ranchi during September 23-25, 2016. While three years have elapsed since the passage of the National Food Security Act, despite improvements in the Public Distribution System (PDS), large implementation gaps remain. This is what the Convention focused on, and gathered researchers and campaigners from across the country to share experiences and case studies on effectiveness and exclusions from the PDS. Sumandro Chattapadhyay took part in a session of the Convention to discuss how UID-linked welfare delivery is being rolled out across key programmes like provision of pension and rationed distribution of essential commodities, and their impact on people's right to welfare services.

Right to Food Campaign: Website.

Right to Food Campaign: Cash Transfers and UID: Our Main Demands.

Ranchi Convention, 2016: Programme.

For more details visit https://cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016

When the war’s on WhatsApp

praskrishna — 2016-09-25T16:36:01Z

Slick, jingoistic videos are whipping up pro-war rhetoric on social media after the Uri terror attack.

The article by Manju V was published in the Times of India on September 25, 2016. Nishant Shah was quoted.

It packs a meaner punch than any 140-character tweet. In 140 jingoistic seconds, the cleverly packaged YouTube film veers from Mohammed Rafi to Chandra Shekhar Azad drumming up pro-war rhetoric to avenge the Pathankot attack. Set to the tone of chirping crickets on a moonlit night somewhere along the western border that India shares with its neighbour, the short film has two armymen in fatigues deliberate over the absolute need to respond with a counter attack. It ends in a staccato military drumbeat with a voiceover quoting Azad: "If yet your blood does not rage, then it is water that flows in your veins."

Posted about 10 days after the Pathankot attack in January, the video was resurrected last week after the country woke up to the Uri attack that killed 18 Indian soldiers in the deadliest assault on security forces in Kashmir in over two decades. Even as photographs of a grenade smoke-filled valley, tricolour-draped coffins, grieving sons, daughters and widows made the rounds in media outlets scores of Indians marched onto social media, some armed with incendiary prose and other with slick videos that expressed more anger than anguish.

In another video doing the rounds, a jawan, or someone in uniform, sings a poem warning Pakistan. His mates join in the refrain: "Kashmir toh hoga, lekin Pakistan nahi hoga."

These videos of jawans threatening to decimate Pakistan were shared by thousands. WhatsApp profile pictures and statuses were changed, Facebook posts got longer and vitriolic, Twitter #UriAttack exploded with expletives as the enough-is-enough sentiment peaked. It heralded the beginning of an era where the dynamics of Indo-Pakistan relations will play out not just in the diplomatic corridors of Delhi and Islamabad, the valley of Kashmir or the barracks of security forces; but also on the mobile phones, tablets and laptops of millions of Indians.

When contacted for a comment, the makers of the war-mongering 'Pathankot Tolerance' video didn't endorse war outright. "My individual opinion is that war is not a solution," said producer Santosh Singh, who heads the Mumbai-based V Seven Pictures. "Before we resort to war, we have to solve our internal problems. How can we let infiltration take place so blatantly?" he asked. Why then does the video not talk about this? Singh said that when one hears about such attacks, the instant reaction is to retaliate. "The video is based on that sentiment."

An electronics engineer, Singh also owns an IT recruitment firm. His film production company, which he runs along with his friend Vivek Joshi, made the Mauka Mauka World Cup video that went viral and also produces short films and videos for clients. "We have no political affiliations, in fact we turned down a couple of political parties who approached us," says Singh, adding that his company has made 30-35 films in less than two years. "Of these, about 10 are on issues close to our heart, like those on Afzal Guru and the Pathankot attack. We upload them on YouTube, they are aired without ads. We don't earn money from them," he adds.

Ugly gets outlet

Nitin Pai, director of Takshashila Institution, an independent centre for research and education in public policy, says that social media and some television studios have enabled people to express their subconscious fears and desires. "It is not just today that the people of India have been angry with Pakistan for fomenting terrorism in our country. But it is only now that they have ways to express this anger; unfortunately, social media dynamics amplify this anger in a grotesque, distorted manner, allowing the ugly and less-sensible views to rise to the top of the public discourse," said Pai.

Tracing the many origins of this phenomenon, psychiatrist Harish Shetty says that in an angst-ridden, globalized world, we need a whipping boy. "With the Uri attacks, the entire nation had a common enemy. In expressing collective anger, there's catharsis." The current outpouring is not just over the deaths of soldiers; such an incident also opens up older wounds, he says. "For a long time, Indians have found their leaders to be helpless. It's like a family that is attacked again and again by a neighbour, but the father does nothing about it. There has been a lack of strong response from 'papa figures' across time, which has led to a sense of anger and rage. After the Uri attacks, the collective self-esteem of the country took a beating, and people felt a need to assert themselves on social media. At such times strong action is viewed as legitimate, valid and free of guilt," he adds.

Amplifying angst

If social media brought together protesters in Tunisia and Egypt during the Arab spring, in democratic India it has turned into a platform for expressing mass disenchantment with the government, especially in the wake of such attacks.

Social media plays several roles in times of crises, says Nishant Shah, professor of digital media and co-founder of the Centre for Internet & Society, Bengaluru. One, it amplifies what is already being said in friend circles and living-room conversations in front of the telly, but spreads it to a larger audience. "The second role it plays is distribution: social media allows people to inherit other people's opinions, thus exposing them to new ways of thinking but also find corroborators for their own viewpoints," he says. The third is catalysis — social media also has the capacity to generate new information. "The format creates new kinds of truths. Things that can be caught in Snapchat videos, or visuals which can be remixed, all become a part of this zeitgeist," Shah says.

Virtual wars

But in India at least, social media is no indicator of considered public opinion, points out Pai. Shah adds: "What we are seeing is a filter bubble of a privileged set of people who are engaging in this debate."

Then again, what's said on social media needn't be endorsed in real life. Vivek Joshi, who wrote and directed the Pathankot video, says nobody in the world would want a war. "But when it comes to the lives of our soldiers, an answer has to be given. If the government had taken any visible action, then there would have been no need to put out a video like this," Joshi adds. And therein probably comes the new-age heuristic of venting out on social media.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-september-25-2016-manju-vi-when-the-war-is-on-whatsapp

LITD 17 Committee, Bureau of Indian Standards Meeting

praskrishna — 2016-10-07T01:38:00Z

Vanya Rakesh attended the LITD-17 committee meeting (committee on Information Systems Security and Biometrics) organised by the Bureau of Indian Standards on 23 September 2016 in Bengaluru.

The agenda for the meeting included presentation of the draft data privacy standard for India which was proposed before the BIS and its members. Elonnai Hickok and Vanya are a part of the drafting committee for the same. The draft standard was accepted by BIS and would now be circulated for further comments. Click here to read the Agenda.

For more details visit https://cis-india.org/internet-governance/news/litd-17-committee-bureau-of-indian-standards-meeting

Young Scholars' Programme, CPRSouth 2016

praskrishna — 2016-09-23T01:03:13Z

Rohini Lakshané took part in the Young Scholars' Programme organized by Communication Policy Research South from September 6 to 7, 2016 in Zanzibar.

CPRsouth 2016 Young Scholar Awards

Following highly successful joint Afro-Asian CPR conferences in Mauritius in 2012, and India in 2013, CPRafrica and CPRsouth formally merged under the banner of CPRsouth in 2014. Since then, CPRsouth has hosted conferences in the Cradle of Humankind in South Africa (2014), and at the Innovation Center for Big Data and Digital Convergence at Yuan Ze University, Taiwan (2015).

This year’s conference is co-hosted by COSTECH and TCRA in Zanzibar from 8-10 September. It will include sessions on cutting-edge developments in ICT policy and regulation in the South and discussion of the research-policy interface.

As part of the capacity building initiative, 30 Young Scholars from Africa and the Asia-Pacific region have been selected to participate in a tutorial programme. They will be taught by recognised scholars and practitioners from Africa and Asia, and will be attending the main conference thereafter. Congratulations to the Young Scholars of 2016. See the list here.

For more details visit https://cis-india.org/internet-governance/news/young-scholars-programme-cpr-south-2016

Internet Rights and Wrongs

pranesh — 2016-09-22T23:36:14Z

With a rise in PIL's for unwarranted censorship, do we need to step back and inspect if it's about time unreasonable trends are checked?

The article was published in India Today on September 1, 2016. The original piece can be read here.

Over the last few weeks, there have been a number of cases of egregious censorship of websites in India. Many people started seeing notices that (incorrectly) gave an impression that they may end up in jail if they visited certain websites. However, these notices weren't an isolated phenomenon, nor one that is new. Worryingly, the higher judiciary has been drawn into these questionable moves to block websites as well.

Since 2011, numerous torrent search engines and communities have been blocked by Indian internet service providers (ISPs). Torrent search engines provide the same functionality for torrents that Google provides for websites. Are copyright infringing materials indexed and made searchable by Google? Yes. Do we shut down Google for this reason? No. However, that is precisely what private entertainment companies have done over the past five years in India. Companies hired by the producers of Tamil movies Singham and 3 managed to get video-sharing websites like Vimeo, Dailymotion and numerous torrent search engines blocked even before the movies released, without showing even a single case of copyright infringement existed on any of them. During the FIFA World Cup, Sony even managed to get Google Docs blocked. In some cases, these entertainment companies have abused 'John Doe' orders (generic orders that allow copyright enforcement against unnamed persons) and have asked ISPs to block websites. The ISPs, instead of ignoring such requests as instances of private censorship, have also complied. In other cases (like Sony's FIFA World Cup case), courts have ordered ISPs to block hundreds of websites without any copyright infringement proven against them. High court judges haven't even developed a coherent theory on whether or how Indian law allows them to block websites for alleged copyright infringement. Still they have gone ahead and blocked.

In 2012, hackers got into Reliance Communications servers and released a list of websites blocked by them. The list contained multiple links that sought to connect Satish Seth-a group MD in Reliance ADA Group-to the 2G scam: a clear case of secretive private censorship by RCom. Further, visiting some of the YouTube links which pertained to Satish Seth showed that they had been removed by YouTube due to dubious copyright infringement complaints filed by Reliance BIG Entertainment. Did the department of telecom, whose licences forbid ISPs from engaging in private censorship, take any action against RCom? No. Earlier this year, Tata Sky filed a complaint against YouTube in the Delhi High Court, noting that there were videos on it that taught people how to tweak their set-top boxes to get around the technological locks that Tata Sky had placed. The Delhi HC ordered YouTube "not to host content that violates any law for the time being in force", presuming that the videos in question did in fact violate Indian law. They cite two sections: Section 65A of the Copyright Act and Section 66 of the Information Technology Act. The first explicitly allows a user to break technological locks of the kind that Tata Sky has placed for dozens of reasons (and allows a person to teach others how to engage in such breaking), whereas the second requires finding of "dishonesty" or "fraud" along with "damage to a computer system, etc", and an intention to violate the law-none of which were found. The court effectively blocked videos on YouTube without any finding of illegality, thus once again siding with censorial corporations.

In 2013, Indore-based lawyer Kamlesh Vaswani filed a PIL in the Supreme Court calling for the government to undertake proactive blocking of all online pornography. Normally, a PIL is only admittable under Article 32 of the Constitution, on the basis of a violation of a fundamental right (which are listed in Part III of our Constitution). Vaswani's petition-which I have had the misfortune of having read carefully-does not at any point complain that the state is violating a fundamental right by not blocking pornography. Yet the petition wants to curb the fundamental right to freedom of expression, since the government is by no means in a position to determine what constitutes illegal pornography and what doesn't.

The larger problem extends to the now-discredited censor board (headed by the notorious Pahlaj Nihalani), as also the self-censorship practised on TV by the private Indian Broadcasters Federation (which even bleeps out words and phrases like 'Jesus', 'period', 'breast cancer' and 'beef'). 'Swachh Bharat' should not mean sanitising all media to be unobjectionable to the person with the lowest outrage threshold. So who will file a PIL against excessive censorship?

For more details visit https://cis-india.org/internet-governance/blog/india-today-september-1-2016-pranesh-prakash-internet-rights-and-wrongs

The Future of Privacy in the Age of Big Data

praskrishna — 2016-09-22T23:24:16Z

A study tour on privacy and big data was organised by Friedrich Naumann Foundation for Freedom from September 3 to 10, 2016 in Berlin and Hamburg. Vanya Rakesh was one of the participants from South Asia who went for the tour.

List of Participants

Shahid Ahmad, Deputy Director, Digital Empowerment Foundation
Shahzad Ahmad, Country Director, Bytes for All
Shivam Satnani, Senior Analyst, Data Security Council of India
Vanya Rakesh, Senior Policy Officer, Centre for Internet & Society
Anja Kovacs, Director, Internet Democracy Project
Tshering Cigay Dorji, CEO, Thimphu Tech Park
Vrinda Bhandari, Lawyer and Journalist, Chambers of Trideep Pais (Anwaltskanzlei)
Tahsin Ifnoor Sayeed, Head of Business Intelligence, DNet

Click to see the Agenda

For more details visit https://cis-india.org/internet-governance/news/study-tour-on-future-of-privacy-in-age-of-big-data

Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No

praskrishna — 2016-09-22T00:57:02Z

From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.

The article by Sushil Kambampati was published in the Wire on September 21, 2016. Pranesh Prakash was quoted.

In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.

However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On May 17, the cyber-security firm Symantec stated in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.

A week later, another cyber-security firm, Kaspersky Lab, announced that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities.

Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators reveal the attack, the target of the attack discloses the breach, or because the leaked data shows up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations received tepid coverage in India. A few news organisations published the same wire story that basically rewrote information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause.

Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.

This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government goes on high alert, resources are mobilised and the public is warned. The government then tries to identify the threat and stop it from doing any harm. Citizens demand that in the future the government take proactive steps to catch infiltrators and prevent any future threats.

Weak government response

One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was used to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm of these breaches cannot be understated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange.

All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values.

Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, disrupt control systems of electrical grids or nuclear facilities and gain access to everything the government knows about its citizens, including personal details, financial information and identity information. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent attempt to heist $800 million from the central bank of Bangladesh.

A report on risks facing India, published in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have  a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.”

In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.

In the Suckfly case, it took a right-to-information query from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.

The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s Computer Emergency Response Team (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.

CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact email address bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is registered in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative.

The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification issued on June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an RTI query to get a statement from the RBI, and there it responded that it had no information on the matter.

The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack.

SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too much time for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.

What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.

Right or wrong?

The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec.

On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach.

If Symantec’s is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India is one of the world’s ten largest economies and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and to let the public know which organisations may be compromised.

According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”

Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know.

What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first revealed by security reporter Michael Krebs. Target was criticised for not coming forth itself and faced several lawsuits. In the US, most states and jurisdictions have laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must report a breach within 24 hours and other organisations have 72 hours.

India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added.

According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.

Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has grown rapidly in India, a study in 2014 by YourStory and Kalaari Capital found that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase.

When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.

As the KPMG report states, cyber attacks are only going to become more common. Despite multiple warnings, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.

For more details visit https://cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks

Workshop on Big Data in India: Benefits, Harms, and Human Rights (Delhi, October 01)

vanya — 2016-09-28T05:53:55Z

CIS welcomes you to participate in the workshop we are organising on Saturday, October 01 at India Habitat Centre, Delhi, to discuss benefits, harms, and human rights implications of big data technologies, and explore potential research questions. A quick RSVP will be much appreciated.

Workshop invitation: Download (PDF)

Workshop agenda: Download (PDF)

In the last few years, there has been an emergence of the discourse of big data viewing it as an instrument not just for ensuring efficient, targeted and personalised services in the private sector, but also for development, social and policy research, and formalising and monetising various sections of the economy. This possibility is premised upon the idea that there is great knowledge that resides in both traditional and new forms of data made possible by our digital selves, and that we may now have the capability to tap into that knowledge for insights across diverse sectors like healthcare, finance, e-governance, education, law enforcement and disaster management, to name but a few. Alongside, various commentators have also pointed to the new problems and risks that big data could create for privacy of individuals through greater profiling, for free speech and economic choice by strengthening monopolistic tendencies, and for socio-economic inequalities by making existing disparities more acute and facilitating algorithmic bias and exclusion.

From a regulatory perspective, big data technologies pose fundamental challenges to the national data regulatory frameworks that have existed since many years. The nature of collection and utilisation of big data, which is often not driven by immediate purpose of the collected data, conflict with the principles of data minimisation and collection limitation that have been integral to data protection laws globally. This compels us to revisit existing theories of data governance. Additionally, use of big data in public decision-making highlights the question of how algorithmic control and governance must be regulated. This raises concerns around taking determining a balanced position that recognises the importance of big data, including for development actions, and ensures unhindered innovation with simultaneous focus on greater transparency and anonymisation to protect individual privacy, and various big data risks faced by population groups. In order to answer these questions, we need to begin with identifying the different harms and benefits of big data that could arise through its use across sectors and disciplines, especially in the context of human rights.

This workshop is designed around an extensive study of current and potential future uses of big data for governance in India that CIS has undertaken over the last year. The study focused on key central government projects and initiatives like the UID project, the Digital India programme, the Smart Cities Challenge, etc.

We will initiate the workshop with a detailed presentation of our findings and key concerns, which will then shape the discussion agenda of the workshop. We look forward to discuss aspects of big data technologies through the entry points of harms, opportunities, and human rights.

The final session of the workshop will focus on identifying key research questions on the topic, and exploring potential alliances of scholars and organisations that can drive such research activities.

We look forward to making this a forum for knowledge exchange for our friends and colleagues attending the discussion and discuss the opportunity to for potential collaboration.

RSVP: Please send an email to Ajoy Kumar at <ajoy@cis-india.org>.

Organisers: Amber Sinha <amber@cis-india.org> and Sumandro Chattapadhyay <sumandro@cis-india.org>.

For more details visit https://cis-india.org/internet-governance/events/big-data-in-india-benefits-harms-and-human-rights-oct-01-2016

Glaring Errors in UIDAI's Rebuttal

pranesh — 2016-09-18T03:22:32Z

This response note by Pranesh Prakash questions Unique Identification Authority of India’s reply to Hans Verghese Mathews' article titled “Flaws in the UIDAI Process” (EPW, March 12, 2016), which found “serious mathematical errors” in the article.

The article was published in Economic & Political Weekly Vol. 51, Issue No. 36, September 3, 2016.

While I am not a statistician, I have followed the technical debate between Hans Verghese Mathews and the UIDAI closely, and see a number of glaring errors in the latter’s so-called rebuttal in EPW (March 12, 2016).

The UIDAI alleges Mathews to have ignored the evidence that the Receiver Operating Characteristic (ROC) "flattens" with more factors. However, Mathews cannot be accused of ignorance if the flattening of the ROC is not relevant to his argument. To explain this in simple terms, the ROC curve is used to choose the appropriate "threshold distance" which determines false positives and false negatives, and belongs to a stage which precedes the estimation of the false positive identification rates (FPIR).

However, Mathews has used the FPIR estimates provided by the UIDAI (based on evidence from the enrolment of 84 million persons), and calculated how the FPIR changes when extrapolated for a population of 1.2 billion persons. In other words, he did not need to look at the ROC curve as that factor is not relevant to his argument, since he has used UIDAI data (which has presumably been estimated on the basis of all 12 factors : 10 fingerprints and 2 irises).

Further, UIDAI asks why Mathews has assumed a linear curve for his extrapolation. Mathews has done no such thing. In fact, in their paper "Role of Biometric Technology in Aadhaar Enrollment," the UIDAI states: "FPIR rate grows linearly with the database size" (nd, 19). Thus, this is an assumption formerly made by them (without providing rationale for it to be a linear curve as opposed to anything else). Mathews mathematically derives bounds for the FPIR in his paper, that is, the range within which the FPIR lies. One gets a linear curve only if they use the upper bound and not on the usage of anything else. So while Mathews does, as he explains, provide the results of the calculation based on the upper bound for the sake of simplicity, he nowhere asserts nor assumes a linear curve.

If, as the UIDAI claims, one cannot perform such an extrapolation and needs to depend on “empirical evidence” instead, the question arises as to how the UIDAI decided to scale up the programme to 1.3 billion people given the error rates. One could also ask if the machines being used to capture biometrics are good enough for the enlargement. Surely they would have performed some extrapolations to decide this.

In their paper they note that "although it [FPIR] is expected to grow as the database size increases, it is not expected to exceed manageable values even at full enrolment of 120 crores" (UIDAI nd, 13). They do not illustrate the extent to which the FPIR is expected to grow—neither in their initial paper, nor in their rebuttal to Mathews—whereas Mathews provides a method of estimating the increase of FPIR. Even if UIDAI is correct in its appraisal of FPIR and that it will not exceed "manageable values," they need to either exemplify their calculations or release the latest data. They have done neither, and that is quite unfortunate.

References

UIDAI (nd): “Role of Biometric Technology in Aadhaar Enrollment,” Unique Identification Authority of India, Government of India, New Delhi, viewed on 18 August 2016, https://uidai.gov.in/images/FrontPageUpdates/role_of_biometric_technology

Related Links

Flaws in the UIDAI Process http://www.epw.in/journal/2016/9/special-articles/flaws-uidai-process.html
Erring on Aadhaar http://www.epw.in/journal/2016/11/discussion/erring-aadhaar.html
Request for Specifics http://www.epw.in/journal/2016/36/documents/request-specifics-rebuttal-u...
Glaring Errors in UIDAI's Rebuttal http://www.epw.in/journal/2016/36/documents/glaring-errors-uidais-rebutt...
Overlooking the UIDAI Process http://www.epw.in/journal/2016/36/documents/response-hans-verghese-mathe...

For more details visit https://cis-india.org/internet-governance/blog/glaring-errors-in-uidai-rebuttal-epw

India's Aadhaar mandate for smartphone makers may rile global firms

praskrishna — 2016-09-15T02:25:31Z

They are unlikely to oblige to request to make changes in their operating system and devices to ensure Aadhaar authentication is done securely on smartphones.

The article by Alnoor Peermohammed was published in the Business Standard on September 14, 2016. Sunil Abraham was quoted.

India is asking global smartphone makers such asApple and Google to adopt locally designed standards on their devices or operating systems that would allow use of biometric scanners for Aadhaarauthentication, a move that could face resistance from global firms.

Apple, the world’s largest smartphone maker runs its own iOS closed ecosystem and mandates apps built by developers to be certified by the company. Its closest rival Google, which owns the Android operating software that runs on nine out of ten smartphones in India, has directives for device makers to comply with. Firms such as Samsung, Lenovo and Micromax build smartphones on the Android OS that are sold in India.

Most global companies are unlikely to oblige India’s request that would require to make changes in their operating system and devices to ensure Aadhaarauthentication is done securely on smartphones, say analysts.

“There is no clarity so far. As of now, it is impossible that they (global smartphone makers) would oblige for a hardware safe zone baked on the sensors,” says Sunil Abraham, executive director at Centre for Internet and Society, a Bengaluru-based researcher that works on emerging technologies. “Because the biometrics contain sensitive personal information, they (UIDAI) don’t want anybody — vmobile manufacturer, OS vendor, telco or ISP — to intercept it”.

India is hoping that global firms would accept the country’s plea considering that most of India’s population use a mobile phone as their only computing device and need them to authenticate on Aadhaar for using government and banking services.

“Right now we’re in consultation with all these device manufacturers as well as the operating system vendors,” said Ajay Bhushan Pandey, Director General of the Unique Identification Authority of India (UIDAI) in a phone interview. “Basically we’re trying to evolve our system wherein a manufacturer or the devices where those operating systems are being used will have a facility where Aadhaar authentication can be made possible in a secure manner.”

India has over 105 crore people or 98% of adult population with Aadhaar. Most government and private organisations use Aadhaar authentication to issue services or products such as opening a bank account, getting a ration card or buying a mobile connection.

Reliance plans to reduce paperwork and issue connections in less than an hour usingAadhaar and try to get its 100 million target market sooner.

Over a fifth of India’s one billion users own smartphones and as the country sees better mobile internet access, more people are expected to upgrade to smartphones and use apps to access their banks to transfer funds, do online shopping and access government services.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohammed-september-14-2016-indias-aadhaar-mandate-for-smartphone-makers-may-rile-global-firms

SpaceX Explosion Slows Facebook & Israeli Efforts To Control Online Content

praskrishna — 2016-09-14T11:24:47Z

In their ‘space race’ to expand internet access to remote, impoverished areas of the world, Facebook and Google are actually vying for control o fthe online experiences of millions of people.

The article by Kit O' Connell published by Mint Press News on September 13, 2016 has quoted Pranesh Prakash.

When a rocket operated by space startup SpaceX burned up on the launch pad, it was a setback to the prospects of commercial space travel, as well as efforts by Facebook to control the online experiences of millions of rural internet users.

Facebook’s project, Internet.org, is described by founder Mark Zuckerberg in charitable terms, but critics have accused it of spreading “techno-colonialism.”

The Sept. 1 fire in Cape Canaveral, Florida, destroyed a $200 million satellite owned by SpaceCom, an Israeli communications satellite firm, and co-leased by Facebook. The satellite, Amos-6, was built by Israel Aerospace Industries, a government-owned aviation and aerospace manufacturer.

Facebook’s partnership with SpaceCom is another sign of the corporation’s deepening ties with Israel. In June, Facebook appointed Jordana Cutler, a close advisor to Israeli Prime Minister Benjamin Netanyahu, as head of policy and communications at Facebook’s Israeli office.

Another setback for Facebook’s Internet.org

“Facebook was counting on [the satellite] to beam internet service to sub-Saharan Africa as part of its ambitious Internet.org project,” noted Will Oremus, Slate’s senior technology writer.

The Los Angeles Times reported that SpaceCom’s stock fell 9 percent on the Tel Aviv Stock Exchange after the explosion. Zuckerberg shared his dismay in a post on his facebook page, writing:

“As I’m here in Africa, I’m deeply disappointed to hear that SpaceX’s launch failure destroyed our satellite that would have provided connectivity to so many entrepreneurs and everyone else across the continent.”

Internet.org would help users get online in areas lacking conventional internet access, and the service, which works in partnership with local mobile phone companies, has launched, at least provisionally, in 48 countries in Africa, Asia, and Latin America. In addition to satellites, Internet.org plans to use cutting edge solar-powered drones to expand internet access in remote parts of the world.

The service is not without controversy, though. An offering called “Free Basics” would provide users who can’t afford full internet access with a curated selection of websites, tailored for use on low bandwidth devices such as older smartphones. Free Basics generated international protests after it was rolled out in India, and was eventually blocked by the Telecom Regulatory Authority of India in March 2015 for violating the principle of net neutrality.

In a May 12 analysis for The Guardian, Mumbai-based journalist Rahul Bhatia suggested the failure of Free Basics was also due to Zuckerberg’s dismissive attitude toward the Indian government and people.

An unnamed Facebook executive told Bhatia that Zuckerberg made the “mistake of thinking that a third-world country is a banana republic. So institutions, the public, the press — they can be bypassed.”

Colonialism or philanthropy?

Indian students gather for a protest against Facebook’s “Free Basics” in Hyderabad, India. A central element of Facebook’s Internet.org campaign was controversial even before it was shut down in a key market this month. Indian regulators banned one of the pillars of the campaign, a service known as Free Basics, because it provided access only to certain pre-approved services – including Facebook – rather than the full Internet.

Google and its parent company, Alphabet, also intend to spread internet to rural, underserved areas through the unique balloon-based Project Loon. Tech site Pocket-Lint reported in March 2015 that SpaceX hoped to offer internet service through its satellites, in what reporter Luke Edwards called an “internet space race.”

Pranesh Prakash, a representative of the Centre for Internet & Society, an NGO based in Bangalore, India, questioned the company’s motivation in a June 2015 interview with Al-Jazeera.

“They’re doing it out of their self-interest,” Prakash told Tarek Bazley, Al-Jazeera’s science and technology editor.

“They are not doing it because they are charities, because they believe in altruism etc. They’re doing it because having more people online benefits them.”

And Aral Balkan, a human rights activist, told Bazley, “I wouldn’t call it philanthropy I would call it colonialism.”

In an August 2013 post on his homepage, Balkan went into more detail about his “strong reservations about why Google and Facebook want to be the ones providing this service.”

Noting that both tech corporations profit primarily from collecting and selling information about their users, he continued:

“Google and Facebook want to give everyone access to the Internet because they need more raw materials. More data. Your data. So they can cultivate more Digital Serfs to sell to their customers.”

For more details visit https://cis-india.org/internet-governance/news/mint-pressnews-september-13-2016-kit-o-connell-spacex-explosion-slows-facebook-israeli-efforts-to-control-online-content

How does the government track all its legal cases?

praskrishna — 2016-09-14T10:17:07Z

The Legal Information Management and Briefing System , an integral part of the digital India initiative, aims to be a database of all the ongoing cases with the government.

The article by Shreeja Sen published by Livemint on September 13, 2016 has quoted Sunil Abraham.

More than one lakh cases currently exist on a law ministry platform curated in the last 13 months.The Legal Information Management and Briefing System (LIMBS), aimed to be a database of all the ongoing cases with the government as a party, is part of the government’s push towards digital India.

Law secretary Suresh Chandra said this is a big step under the Digital India project, intended to monitor and ultimately reduce spending on government litigation.

“The aim is to conduct cases properly. If our system works, along with the national litigation policy, we will be able to prevent 50% cases before they are even filed,” Chandra said.

According to the government, the project will help reduce delays in filing responses in cases , contempt notices because of such delays and consequent monetary penalties.

The website has also undergone the required security audit under the NIC (national informatics centre), to ensure the data is safe and protected. However, a database like this on the internet comes with its challenges.

“To ensure client confidentiality, communication should be bilateral between lawyer and client and should be encrypted and even watermarked. If this project allows access to documents by multiple stakeholders without encrypting it for the recipient, then if there is any leak, the documents cannot be traced back to the person who was responsible,” said Sunil Abraham, executive director at Centre for Internet and Society, a non-profit research organisation.

The LIMBS project began internally at the ministry of railway sometime in 2013, but was soon expanded as a single platform across ministries. In July 2015, it was hosted on the NIC server. The law ministry, by a gazette notification on 8 February, formally launched LIMBS to monitor cases filed against the Union government.

As of now, there is no special budget allocated for this project, which is being handled in house with a team of eight people – four developers on the technology side and four implementers for the case details. The development of the website is being handled by Ajay Gupta, deputy chief vigilance officer, northern railway. From the law ministry, Spriha Johari is the project director responsible for the website.

As of 12 September, the five ministries with the most uploads on the website were railways (69,469 cases), communications and information technology (7,830), finance (4452), environment (3,189) and defence (2,565).

Every day, nearly 400-500 cases are added to the portal. In all 58 ministries and their 202 departments have been brought under the LIMBS project.

For more details visit https://cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases