We are anonymous, we are legion

India Seeks to Limit Use of Maps and Satellite Images

praskrishna — 2016-05-28T12:38:45Z

Indians are discussing a plan to ban use of maps or satellite images of the country without approval from the government.

The plan’s critics have launched an online campaign called “Save The Map.” They say the proposed ban could affect many new businesses and services that use technology. The Geospatial Information Regulation Bill would require anyone who wants to use, publish or own maps or geospatial data to seek official permission. A special security committee would consider such requests. Indian officials say the proposed law would help protect military bases from enemies and terrorists. They deny it would cause problems for businesses.

But Internet experts say the law would affect anyone who uses mobile phones, laptop computers and online companies, such as ride services. They also fear that the ban would affect computer software programs and Apple or Google Map products. The Center for Internet and Society (CIS) in Bangalore also has criticized the bill. It says the measure would return India to where it was more than 30 years ago -- when businesses were forced to get licenses from government officials before they could begin to operate. Pranesh Prakash works at the center.

“What it does (is) it puts in place a license raj for all use of mapping technologies. That just does not make sense. No other country in the world has this regressive mapping law.” Technology experts from Bangalore launched the “Save The Map” campaign. It is calling on Indians to demand that the government change the planned law. The campaign is hoping to copy a successful campaign called “Save The Internet,” which pressured the government to ensure equal access to the Internet.

Indian officials have sought to calm critics, saying the bill is not final. The government has asked people to give ideas on how it should be changed by June 4. Officials note the country is dealing with an increasing number of security issues, including an attack at an air base in northern India earlier this year. Terrorists based in Pakistan were said to have carried out the attack. Junior Home Minister Kiren Rijiju told a newspaper that the law is needed because India must have ways to “secure its boundary and territory.”

But Prakash notes that the measure would not stop terrorists from using geospatial data from sources outside India. “They need satellite imagery and they need maps, period. Now this law doesn’t actually prevent such maps from being created, it doesn’t actually prevent satellite images of India being captured. What it does is prevent Indians from doing so. So it actually won’t prevent foreign-based terrorists -- especially state-backed terrorists -- from attacking India.” Internet and policy experts say the government would not be able to stop others from creating maps or satellite images of sensitive locations in the country.

I’m Anne Ball.

Anjana Pasricha reported this story from New Delhi for VOANews.com. Christopher Jones-Cruise adapted it for Learning English. George Grow was the editor. Read the original published by Voice of America on May 27, 2016

For more details visit https://cis-india.org/internet-governance/news/voice-of-america-may-27-2016-india-seeks-to-limit-use-of-maps-and-satellite-images

Comments on Draft Electronic Health Records Standards

Amber Sinha — 2016-12-15T08:45:07Z

The Centre for Internet & Society submitted its comments on the Draft Electronic Health Records Standards to the Ministry of Health and Family Welfare.

To,
Ministry of Health and Family Welfare,
Room 307 D,
Nirman Bhavan,
New Delhi 110108

Subject: Comments on the Electronic Health Record (EHR) Standards of India

The Electronic Health Record (EHR) Standards (hereinafter “EHR Standards”) were publicly circulated on March 18, 2016 seeking comments and views from stakeholders and the general public. Having reviewed the EHR Standards and referred to other robust standards dealing with the same subject matter, we wish to submit the following comments on the EHR Standards.

Standards and Interoperability

The EHR Standards state that the "primary aim of interoperability standards is to ensure syntactic (structural) and semantic (inherent meaning) interoperability of data amongst systems at all times" [1]. It is mentioned that set of standards outlined in this document represents an incremental approach to adopting standards and that they need to be flexible and modifiable to adapt to the demographic and resource diversity in India.

Comments:

The EHR Standards make a reference to syntactic and semantic interoperability without really defining these terms or stipulating clear steps for how they may be achieved. It is suggested that these terms are clearly defined. Syntactic interoperability can be defined as ensuring the preservation of the clinical purpose of the data during transmission among healthcare systems. Similarly, semantic interoperability can defined as enabling multiple systems to interpret the information that has been exchanged in a similar way through pre-defined shared meaning of concepts [2].
Inadequate human resource capacity remains a critical challenge to the adoption of e-health standards. The WHO and ITU eHealth Strategy Toolkit [3] recommends the development of effective health ICT workforce, capable of designing, building, operating and supporting e-health services. This workforce could participate in standards development, as well as the localization of international standards to fit a country's specific need. The EHR Standards should also include mechanisms and solutions to address these issues.

Ownership of Data

The physical or electronic records, which are generated by the healthcare provider are held in trust by them on behalf of the patient [4]. It is stated that the contained data which is sensitive personal data or personal information of the patient as per the Information Technology Act, 2000 is owned by the patients, however the medium for storage or transmission of such data is owned by the healthcare provider.

Comments:

Currently, the EHR Standards state that the contained data which are the sensitive personal data of the patient is owned by the patient. While medical records and history is included within the scope of sensitive personal data under the Information Technology Act, 2000, the definition of "Personal Health Information" under the EHR Standards is more expansive. Therefore, it is recommended that all Personal Health Information is deemed to be owned by the patient.
Currently, the EHR Standards do not clearly specify the bodies and individuals who would be subject to the requirements under this document. A definition similar to that of "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) could be used [5].

Privileges of Patient

Currently, the privileges of the patient include the rights to inspect and view their medical records. Further, the patient can request a healthcare organization that stores/maintains their medical records, to withhold specific information that they do not want disclosed to other

organizations or individuals. Also, patients can demand information from a healthcare provider on the details of disclosures performed on the patient's medical records [6].

Comments:

Currently, the EHR Standards only refer to "medical records" as being available for inspection and review of the patients. This should be expanded to also include information about enrollment, payment, claims adjudication, case or medical management record systems maintained by or for a health plan; or Other records that are used, to make decisions about individuals by healthcare providers or other bodies [7].
The EHR standards do not currently stipulate that the upon request by a patient, healthcare providers must exercise timeliness in providing the information to them. A time-limit such 30 calendar days should be clearly stated within which the healthcare provider must process the request.
The right of patients to request information from a healthcare provider on the details of disclosures should include within its scope the rights to receive the date of the disclosure; the name and address of the entity or person who received the information; a brief description of the medical information disclosed; and; a brief summary of the purpose of the disclosure [8].
A right to seek amendment of the one's medical records should also be provided to patients in cases where the information is incomplete.

Patient Identifying Information

Under the Standards, Personal identifiers include the following: Name, Address (all geographic subdivisions smaller than street address, and PIN code) All elements (except years) of dates related to an individual (including date of birth, date of death, etc.), Telephone, cell (mobile) phone and/or Fax numbers, Email address, Bank Account and/or Credit Card Number, Medical record number, Health plan beneficiary number, Certificate/license number, Any vehicle or other any other device identifier or serial numbers, PAN number, Passport number, AADHAAR card, Voter ID card, Fingerprints/Biometrics, Voice recordings that are non-clinical in nature, Photographic images and that possibly can individually identify the person, Any other unique identifying number, characteristic, or code [9].

Comments:

The above mentioned list is not adequate and exhaustive such as the definition and scope of Protected Health Information under the HIPAA [10]. The following identifiers must be included within the scope of Patient Identifying Information: Device identifiers and serial numbers, Web Universal Resource Locators (URLs), Internet Protocol (IP) address numbers.

Disclosure of Protected/Sensitive Information

The EHR Standards state that disclosure of protected/sensitive information for use in treatment, payments and other healthcare operations must be only done after obtaining a general consent of the patient. On the other hand, disclosures for for non-routine and most non-health care purposes must be done only after obtaining the specific consent of the patient. Only for certain specified national priority activities, such as notifiable/communicable diseases, it is stated that "the health information may be disclosed to appropriate authority as mandated by law without the patient's prior authorization."

Comments:

The terms "specific consent" and "general consent" need to be clearly defined.
In cases of disclosures for for non-routine and most non-health care purposes, a written authorisation should be mandatory. It should be clearly specified that a healthcare provider may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization.
There is confusion due to the use of numerous terms such as "health information", "protected health information", "sensitive personal data", "personal information" and "protected/sensitive information" in the EHR Standards for the same purpose. Some of these above terms are defined while the others are not. In order to remove the ambiguity caused due to this, it is recommended that the term "protected health information" is used throughout the document.
All bodies dealing with medical data should be required to abide by the principle of "data minimisation" in use and disclosure. They must take reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
For internal uses, healthcare providers and other entities must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.

Amber Sinha,
Centre for Internet and Society,
No. 194, 2nd 'C' Cross,
Domlur, 2nd Stage,
Bengaluru, 560071

[1] Page 7 of the EHR Standards.

[2] Funmi Adebesin, Rosemary Foster, Paula Kotze, Darelle van Greunen, "A review of interoperability standards in e-Health and imperatives for their adoption in Africa", Research Article - SACJ No. 50, July 2013; L. E. Whitman and H. Panetto. "The missing link: Culture and language barriers to interoperability", Annual Reviews in Control, vol. 30, no. 2, 2006.

[3] WHO and ITU. "National eHealth Strategy Toolkit", available at http://goo.gl/uxMvE.

[4] Page 19 of the EHR Standards.

[5] Covered Entity includes a healthcare provider ( Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies), a health plan (Insurance companies, HMOs, Company Health Plans, Government programs that pay for health care) and Healthcare Clearinghouse.

[6] Page 20 of the EHR Standards.

[7] Individuals' Right under HIPAA to Access their Health Information 45 CFR § 164.524, available at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/ .

[8] Patient Rights Under HIPAA Accounting of Disclosures of Health Information, available at http://uthscsa.edu/hipaa/patientrights/accountingofdisclosures.pdf.

[9] Page 21 of the EHR Standards.

[10] See: http://cphs.berkeley.edu/hipaa/hipaa18.html.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-draft-electronic-health-records-standards

Understanding Aadhaar and its New Challenges, May 26-27, 2016

sumandro — 2016-05-26T10:29:43Z

A workshop on “Understanding Aadhaar and its New Challenges” is being organised by the Centre for Studies in Science Policy, Jawaharlal Nehru University, and the Centre for Internet and Society, during May 26-27. It is also supported by the Centre for Communication Governance at NLU Delhi, Free Software Movement of India, Knowledge Commons, PEACE, and Center for Advancement of Public Understanding of Science & Technology. This is a legal and technical workshop to be attended by various key researchers and practitioners to discuss the current status of the implementation of the project, in the context of the passing of the Act and the various ongoing cases.

Workshop Programme

First Day, May 26

9:00-9:30	Registration
9:30-10:00	Prof. Dinesh Abrol - Welcome Self-introduction and expectations of participants Dr. Usha Ramanathan - Overview of the Workshop
10:00-11:00	Current Status of Aadhaar Dr. Usha Ramanathan, Legal Researcher, New Delhi - What the 2016 Law Says, and How it Came into Being S. Prasanna, Advocate, New Delhi - Status and Force of Supreme Court Orders on Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:30	Direct Benefits Transfers Prof. Reetika Khera, Indian Institute of Technology, Delhi - Welfare Needs Aadhaar like a Fish Needs a Bicycle Prof. Ram Kumar, Tata Institute of Social Sciences, Mumbai - Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion Ashok Rao, Delhi Science Forum - Cash Transfers Study Discussion
13:30-14:30	Lunch
14:30-16:00	Aadhaar: Science, Technology, and Security Prof. Subashis Banerjee, Deptt of Computer Science & Engineering, IIT, Delhi - Privacy and Security Issues Related to the Aadhaar Act Pukhraj Singh, former National Cyber Security Manager, Aadhaar, New Delhi - Aadhaar: Security and Surveillance Dimensions Discussion
16:00-16:30	Tea Break
16:30-17:30	Aadhaar - International Dimensions Prof. Chinmayi Arun, Center for Communication Governance, National Law University, Delhi - Biometrics and Mandatory IDs in other parts of the world Dr. Gopal Krishna, Citizens Forum for Civil Liberties - International Dimensions of Aadhaar Discussion
17:30-18:00	High Tea
18:00-19:00	Video Presentations

Second Day, May 27

9:30-11:00	Privacy, Surveillance, and Ethical Dimensions of Aadhaar Prabir Purkayastha, Free Software Movement of India, New Delhi - Surveillance Capitalism and the Commodification of Personal Data Arjun Jayakumar, SFLC - Surveillance Projects Amalgamated Col Mathew Thomas, Bengaluru - The Deceit of Aadhaar Discussion
11:00-11:30	Tea Break
11:30-10:30	Aadhaar: Broad Issues - I Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - How to prevent linked data in the context of Aadhaar Dr. Anupam Saraph, Pune - Aadhaar and Moneylaundering Discussion
13:00-13:30	Video Presentations
13:30-14:30	Lunch
14:30-15:30	Aadhaar: Broad Issues - II Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - Financial lnclusion Nikhil Dey, MKSS, Rajasthan (TBC) - Field witness: Technology on the Ground Prof. Himanshu, Centre for Economic Studies & Planning, JNU - UID Process and Financial Inclusion Discussion
15:30-16:00	Conclusion

For more details visit https://cis-india.org/internet-governance/events/understanding-aadhaar-and-its-new-challenges-may-26-27-2016

Women's Safety? There is an App for That

rohini — 2017-01-10T02:48:34Z

“After locking ourselves in a room for more than 6 days, this is what we came out [sic] with. Join us in helping make WOMEN feel SAFE,” read a gloating press release about a smartphone app for women to notify their near ones that they were in distress. It was one among many such PRs frequently landing in my mailbox after the rape and murder of a young student on board a private bus in Delhi in 2012.

The article by Rohini Lakshané was published in Gender IT.org on May 19, 2016. This was also mirrored by Feminism in India on January 9, 2017.

The incident had spurred protests across the country and made international headlines. Along with all this came a slew of new “women’s safety” apps. Existing ones, many of which had fizzled out, were conveniently relaunched. My own experience of user-testing such apps in India back then was that they were unreliable at best and dangerously counterproductive at worst. Some of them were endorsed by governments and celebrities and ended up being glorified despite their flaws, their technical and systemic handicaps never acknowledged at all.

There are myriad mobile phone apps meant to be deployed for personal safety, but their basic functioning is more or less the same: the user activates the app (by pressing a button, shaking the device or similar cue), which sends a distress message containing the users’ location to pre-defined contacts. Some apps include additional artefacts such as a short audio or video recording of the situation. Some others augment this mechanism by alerting the police and other agencies best placed to respond to the emergency. For example, the Companion app for students living on campus notifies the university along with police. The SOS buttons in taxi-hailing apps such as Uber enable the user’s contacts to follow the cab’s GPS trail and notify them and the cab company’s “incident response team” of emergencies. Apps such as Kitestring would treat the lack of the user’s response within a time-window as the trigger for a distress message. All their technical wizardry perhaps makes it easy to lose sight of the fact that technology is not a saviour but a tool or an enabler, that technology alone cannot be the panacea of a problem that is deeply complex and, in reality, rooted in society and governance.

The Indian government announced last month that every phone sold in the country from January 2017 should be equipped with a panic button that sends distress flares to the police and a trusted set of contacts. Nearly half the phones sold in India cost USD 100 or less. Prices are kept so low by sacrificing features and the quality of the hardware; there are a lot of phones with substandard GPS modules, poor touchscreens, slow processors, bad cameras, tiny memory, and dismal battery life. They run on different versions of different operating systems, some of them outdated. All of these factors would determine if someone is able to use the app at all and how quickly they and their phone would be able to respond to an emergency. Additionally, mobile phone signals become thin or shaky in areas with a high number of users and buildings located cheek-by-jowl. Even when the mobile hardware is good and the mobile signal usable, GPS accuracy can be spotty and constant location tracking would hog battery. These issues would affect the efficacy of any app. Besides, there is too much uncertainty for an app developer to factor in. (Two years ago, I learnt about an app called Pukar, then operational in collaboration with police departments in four cities in India. Pukar solved the problem of potential inaccuracy of the GPS location by getting the user’s contacts to tell the police where the person in distress might be.) Designing a one-size-fits-all safety app is almost impossible. The app that rings a loud alarm when triggered may save someone’s life or spoil the chances of someone who is trying to get help while hiding. Different people may be vulnerable to different kinds of distress situations and an app can at best be optimised for some target user groups.

An app that does not work in tandem with existing machinery for law enforcement and public safety is a bad idea.

In the end, the “technical” problems may actually be problems of economic disparity. Making it mandatory for people to own phones equipped with certain hardware or requiring them to upgrade to more reliable devices would drive the phones out of the financial reach of many. Indian manufacturers have expressed concerns that the proposed panic button would raise costs for them as well the end buyers. Popularising a downloadable app and informing its target users how to install and work it correctly needs a marketing blitzkrieg, which is something only the state or well-funded developers can afford. The New Delhi police department runs a dedicated control room for reports arriving from its safety app, Himmat (the word for courage in many Indian languages). It’s an expensive affair.

An app that does not work in tandem with existing machinery for law enforcement and public safety is a bad idea. It puts the onus of “keeping women safe” on members of their social circles or on intermediaries and private parties such as cab companies, while absolving law enforcement agencies of their failing to provide security. It opens doors to victim blaming in case someone is unable to use the app at the right time in the right way, or if the app fails.

On the contrary, an app that does loop in the police raises concerns about surveillance and protection of data available to the police, which is especially problematic in places such as India where there is no law for privacy or data protection. Alwar, one of the cities where Pukar was implemented, is super-populated with a large geographical area and a high crime rate. Police departments in such places tend to be overworked and understaffed. Without significant policing reforms, it is questionable whether they will be able to respond in time. A sting operation done by two media outlets on 30 senior officials of the New Delhi police department in 2012 showed the cops blaming victims of sexual violence with gay abandon. “If girls don't stay within their boundaries, if they don't wear appropriate clothes, then naturally there is attraction. This attraction makes men aggressive, prompting them to just do it [sexual assault]," reads one of their nuggets. “It's never easy for the victim [to complain to the police]. Everyone is scared of humiliation. Everyone's wary of media and society. In reality, the ones who complain are only those who have turned rape into a business," goes another. An app that lets known people monitor someone’s location also poses the risk of abuse, coercion and surveillance by intimate partners or members of the family.

Unfortunately, there is no app for reforming a morass in law enforcement or dismantling patriarchy.

For more details visit https://cis-india.org/internet-governance/blog/gender-it-rohini-lakshane-may-19-2016-womens-safety-there-is-an-app-for-that

Draft Law Would Prohibit Showing ‘Disputed Areas’ on Maps of India

subha — 2016-05-15T13:05:41Z

Maps that label geographic areas of conflict as “disputed” territories in India could put one behind bars for seven years with 1B Indian Rupees (US$15M) penalty if a recently proposed bill becomes law.

The article was published in Global Voices on May 11, 2016.

The controversial bill, also known as Geospatial Information Regulation Bill 2016 would make it illegal to “depict, disseminate, publish or distribute any wrong or false topographic information of India including international boundaries through internet platforms or online services or in any electronic or physical form.”

If approved, it could put large corporations like Google (with its Google map), free and open source projects like Wikipedia and Open Street Map, and several other organizations in trouble for showing areas of conflict as disputed. Pakistan-Occupied Kashmir (PoK) and Arunachal Pradesh near the China border are two well-known examples of such areas.

The Indian government ruled by Bharatiya Janata Party (BJP) under the leadership of Prime Minister Narendra Modi has been quite critical of the depiction of the PoK and China border in Arunachal Pradesh.

If passed in the parliament as law, it could prevent Indians and foreigners, government employees and people traveling in ships and aircrafts that are registered in India, to acquire geospatial imagery or data. To acquire such data, one needs to obtain permissions from the security vetting authority.

In recent years, the Indian government has targeted numerous foreign publications including Al Jazeera for showing distorted maps of India that excluded parts of the state of Jammu and Kashmir and even another state Arunachal Pradesh. While the bill does not explicitly mention these efforts, it seems to fall in line with these previous attempts to control the free flow of geospatial information.

A news article about the proposed bill published on the portal MediaNama explains how the potential law could affect map portals like Open Street Map and Google Maps, taxi, e-commerce and public safety sites and many other services that allow marking and sharing coordinates. “Most digital photographs contain location meta-data, and by sharing your photos online, you’re adding to a repository of data related to man-made phenomenon,” suggests the same article. Open data advocates also have published list of 25 different services, seven major news portals, and 14 nonprofits that would be affected if the bill is approved.

The Open Data community of India also has come up with a campaign “SaveTheMap” to draft a request to the government to not pass the bill. The draft request states:

Request for comments / suggestions on draft “The Geospatial Information Regulation Bill, 2016” To regulate the acquisition, dissemination, publication and distribution of geospatial information of India which is likely to affect the security, sovereignty and integrity of India, a draft “The Geospatial Information Regulation Bill, 2016” has been prepared. Copy of the draft “The Geospatial Information Regulation Bill, 2016” is attached herewith for comments/suggestions. The comments/suggestions on the draft Bill may be forwarded to the Joint Secretary (Internal Security-I), Ministry of Home Affairs, North Block, New Delhi at email id: jsis@nic.in within 30 days.

There has been a lot of discussion with hashtag #GeoSpatialBill and humorous comments on social media:

Many have already started tweeting with the hashtag #savethemap:

Twitter user Prasanto Roy explained the implications of geospatial bill for various companies including Google, Uber and Open street maps:

Here's what other experts have to say:

Arup. R writes in Geospatial World:

This Act needs to be dropped. In its attempt to cover all bases it has been made so broadband and all encompassing that it may actually impede the progress of work on Geospatial systems and therefore on key Government programmes and projects. The Act does not take into account the fact that with the advent of the Cloud, Data as a Service, Software as a Service and Platform as a Service there is no need for ‘persons’ to possess data. They can just access data, do their work and retain only the final results. This Act does not, in fact cannot, even begin to comprehend the paradigm shift in geospatial technologies which makes it a non-starter.

India does need a Geospatial Information Act, but it has to be an enabling and encouraging Act that makes for faster and better implementation of programmes, not a regressive and punitive Act as the proposed one.

Devdutta Tengshe writes about the overreaching ambit of Geospatial bill on Medium:

Worst of all, it (the bill) is trying to implement Security by Obscurity, which is expecting the country to become secure by hiding information from its citizens. This is dangerous, because the real mischief creators, be they terrorists, Foreign government agencies, or domestic criminals, will most likely have access to kind of data from foreign sources, and will not even think about getting permits and licenses from these Indian Authorities.

Cyber law expert Pavan Duggal told The Wire:

The draft legislation has the intrinsic problem that it has been given extra-territorial applicability in terms of jurisdiction. It is applicable to any person anywhere in the world. We have historically seen that such jurisdiction does not work well in practical terms. What if global players do not want to take your licence or subject themselves to your jurisdiction?

Duggal further spoke about how the law could impact the growth of e-commerce and m-commerce in India.

Under this law, Google Maps will be illegal without a licence, which means that all mobile or e-commerce applications working on Google Maps will also become illegal. The licence will also only be applicable to the concerned person. So if I am a taxi aggregator like Ola or Uber, I will have to get a separate licence over and above what Google Map has.

Indian Express calls the Geospatial bill a death note for Cartography:

The draft Geospatial Information Regulation Bill of 2016 is so perfectly ridiculous that one can only hope that it falls off the map before it can be tabled in the House. Publishers the world over have learned, to their bewildered amusement, that India censors maps of itself. Now, to strike fear into their anti-national gizzards, the government has invoked an official map censor, a babu-led organisation whose prior permission will be required to publish geospatial information, which is newspeak for maps. Failure to correctly depict the borders of India could attract a fine of up to Rs 100 crore, before the poor offending bozo is dragged away to the cooler for seven years. With this draft, the government has embarked on a journey without maps, which must rapidly become directionless.

Not the first time around?

Meanwhile, this clearly isn't the first time that services such as Google Maps have come under the federal scanner in India. In 2014, India's prime investigation agency Central Bureau of Investigation (CBI) had launched a probe into Google Maps’ irregularities in Mapathon 2013 and had accused the company of running the competition without procuring proper governmental permissions. But the agency had called off the case citing lack of ‘adequate evidence to corroborate the allegations’.

For more details visit https://cis-india.org/a2k/blogs/draft-law-would-prohibit-showing-2018disputed-areas2019-on-maps-of-india

MHRD IPR Chair Series: Information Received from Delhi University

nehaa — 2016-05-15T12:18:40Z

This post provides a factual description about the operation of Ministry of Human Resource Development IPR Chair’s Intellectual Property Education, Research and Public Outreach (IPERPO) scheme in Delhi University.

The author has analysed all the data received through which, the author seeks to trace the presence of unjustified underutilisation of funds by the aforementioned university as provided by the MHRD during the period of 2013-2014. To collect the information for the given study, an RTI application was filed to Delhi University on 09/02/2015 by the Centre for Internet and Society. The reply to RTI application was received on 25/02/2015.

These are the documents received by CIS from Delhi University:

For the response to the RTI application click here

Hereinafter, in order to receive any information about Delhi School of Economics, Delhi University’s RTI reply, kindly refer to the above mentioned links. Following are the queries mentioned in the RTI application along with their replies.

Reports on the implementation of the IPERPO scheme of the Ministry of Human Resource Development and the implementation of the MHRD IPR Chair funded under the scheme at the Delhi School of Economics.
Reply: The University submitted that there are no reports on the implementation of the IPERPO scheme or the MHRD IPR Chair funded under the same. Additionally, the implementation of the scheme commended at Delhi University w.e.f 20th Feb., 2014. Dr. Rekha Chaturvedi joined as the IPR Chair (Technical) on the same date.
Documents on the release of grants to the MHRD IPR Chairs under the IPERPO scheme at the Delhi University, Delhi School of Economics for the year 2013-14.
Reply: The University submitted that there has been no release of grants by the Human Resource and Development Ministry under the IPERPO Scheme.
Documents relating to receipts of utilization certificates and audited expenditure statements and matters related to all financial sanctions with regard to funds granted to the MHRD IPR Chair established under the IPERPO Scheme for the year 2013-14 at the Delhi University, Delhi School of Economics.
Reply: The University replied that as there has been no release of grants under the IPERPO scheme, the question of utilization certificates and audited expenditure or any other matter related to financial sanctions with regard to the funds does not arise.
Documents regarding all matters related to finance and budget related to the MHRD IPR Chair under the IPERPO scheme 2013-14 established at Delhi University, Delhi School of Economics.
Reply: The University did not submit any documents in this regard and asserted that the information sought is not specific.

Comparative Analysis between University Response and the guidelines of MHRD Scheme Document
The Scheme Document of MHRD (http://copyright.gov.in/Documents/scheme.pdf) is a comprehensive document which consists of guidelines regarding Intellectual Property Education, Research and Public Outreach. It talks about a list of objectives, purposes, conditions and eligibility criteria for a University to ensure in order to implement IPERPO in a truest sense. This document provides the procedural as well as qualifying conditions for an Institute to ensure or fulfil before applying for the MHRD grant. Some of these conditions include maintenance of utilization certificates, audit reports, expenditure statements and event information which would be open to access on demand by MDHR or Comptroller and Auditor General of India.

A. Objectives
The University has not provided any documents detailing any activities undertaken to further the objectives of the IPERPO scheme.

B. Eligibility
Delhi School of Economics, Delhi University is recognized by the University Grants Commission. Therefore, it fulfils the eligibility criteria mentioned in the scheme document.

Financial Analysis

The University has not provided any documents on this subject.

For more details visit https://cis-india.org/a2k/blogs/mhrd-ipr-chair-series-information-received-from-delhi-university

Why The New Government Policy Mandating Panic Buttons On Phones Isn’t Going To Protect Women

praskrishna — 2016-05-15T09:45:36Z

Recently, the Union Minister for Communications and Information Technology Mr Ravi Shankar Prasad tweeted about new rules mandating a panic button in every cell phone sold in the country from January 2017. To keep ladies safe, of course.

The story by Madhura Kadaba was published in the Ladies Finger on May 14, 2016. Rohini Lakshané was quoted.

According to a statement released by the Telecommunications Ministry, the panic button will be activated by pressing a designated button on a smartphone or by holding down both ‘5’ and ‘9’ keys on a basic phone. Pressing the panic button is expected to alert police and designated friends or relatives, similar to apps launched previously by police departments like Himmat.

It followed remarks from the Union Minister for Women and Child Development, Ms Maneka Gandhi, in the Lok Sabha in December 2015. “Every cell phone will have an in-built panic button. Now, all new cell phones will be made with panic buttons. But in case of all old cell phones, you can go to the person who owns the company or the dealer and they will adjust it for you. If a woman is in trouble, she can just press the button on the cell phone and she will immediately get help.”

Two days later, reacting to concerns that the mandate could increase mobile phone costs, Mr Ravi Shankar Prasad said, “Manufacturers… have given their support. My expectation is that they will render their support in social justice and women security.”

After a point, it almost becomes a farce — the government’s continuous search for grand, one-stop solutions to dealing with sexual violence. We had the vast coffers of the Nirbhaya fund, which went nowhere. It had tech solutions coming out of its 1000-crore ears. It included plans for setting up control rooms in 114 cities within 9 months back in 2014 and surveillance cameras in all public transport vehicles including autos! Who was going to be watching the feed of these cameras, if ever by some vast change in the face of humanity such a thing happened, you may wonder? Or as journalist Revati Laul wrote, “Given that police stations across the country are short staffed, given how many of them cannot even afford paper to file a first information report (FIR) or fuel for the police personnel’s motorbike, just how will the appearance of these control rooms change that? How will switchboards help if police stations in even big cities like Varanasi have too few vehicles to cater to the existing load of emergencies they have to deal with?” But hush, don’t interrupt when Daddy is talking.

Recently, we published an investigation into the one-stop centres promised by the Nirbhaya fund. These centres are supposed to provide services like assistance in lodging FIRs, medical assistance for medical examinations, and therapy. On paper, Delhi is supposed to have 6. Good luck locating them because they don’t exist. Most of the staff of the hospitals where the centers were to be located were clueless about the program.

But perhaps we should forget the tiresome past and move to the shiny button-filled future. We asked Rohini Lakshane, a technology expert and Program Officer at the Centre for Internet and Society what she thought of panic buttons. Recently she reviewed a bunch of personal safety apps geared toward women and was very unimpressed. About the government’s new plan, she said, “GPS accuracy in India can sometimes be patchy and not very accurate, and continuous location tracking drains the battery, something that could be problematic for people with phones that do not have good GPS hardware or a long battery life.” Lakshane added, “The app would also enable tracking by family members, which can increase the chance of intimate partner abuse and violence. There have been instances in which apps that provide real-time location or periodic updates of the location of a person to a contact have enabled abuse by intimate partners or by members of the family.” In short, you are unlikely to get the help you need in case of stranger danger and continue to face whatever oppression you maybe facing from your ‘loved ones’.

Which brings us to the biggest problem with panic buttons, the idea that what Indian women should live in fear of scary strangers outside the house.

The story by Madhura Kadaba was published in The Ladies Finger on May 14, 2016. Rohini Lakshane was quoted. The story by Madhura Kadaba was published in the Ladies Finger on May 14, 2016. Rohini Lakshane was quoted.

In fact, carefully conducted research shows over and over again that Indian women are most likely to face violence from their families, within their homes. The Mumbai programme RAHAT’s report shows that 91 percent of the accused in reported cases of rape were by known persons. Add on the fact if you have even a fleeting acquaintance with a man who attacks you the police are additionally reluctant to do anything.

Not that the police like to file complaints if you have been raped by a stranger. That way they are quite equal opportunity about ignoring complaints.

Perhaps we should have a panic button in our phones after all. A daily reminder that you should fear rape, in case for a moment you had decided to stop worrying. A daily reminder that if you do get raped you must remember to press a button that goes nowhere. A great metaphor for how we deal with victims of sexual violence in India.

For more details visit https://cis-india.org/internet-governance/news/why-the-new-government-policy-mandating-panic-buttons-on-phones-isn2019t-going-to-protect-women

Geospatial Info Regulation Bill will hurt start-ups, small firms

praskrishna — 2016-05-13T15:46:13Z

The Geospatial Information Regulation Bill, 2016, whose draft outlaws the acquisition of geospatial information without the government’s permission, is expected to impact smaller companies rather more than the large ones.

The article by Varun Aggarwal was published in Hindu BusinessLine on May 10, 2016. Sumandro Chattapadhyay was quoted.

Experts said that the law is being created to keep large corporates in check, but if implemented in its current form, its biggest impact would be on start-ups and smaller firms that use or create geospatial data.

“While companies such as Uber and Google can survive by getting all their maps vetted by the government, smaller companies will be impacted. This will act as a big entry barrier in favour of the dominant players such as Google and Microsoft,” said Sumandro Chattapadhyay, research director at Centre for Internet and Society.

“Smaller companies have no means to know what kind of geospatial information they can store and what they cannot. Moreover, if a start-up requires three months to get approvals for your data before you can use it, it’ll be as good as dead,” Chattapadhyay said.

Google declined to comment on the draft Bill.

U-turn by Centre

Sanjay Kumar, president of the Association of Geospatial Industries, recalled that Prime Minister Narendra Modi had in a speech in September last highlighted the importance of geospatial data in everyday life of the common man. “But now, the government seems to be taking a U-turn,” he said.

The Association has hundreds of members, including Google, offering various geospatial services.

“The PM’s campaigns on skill development, digital India and enhancement of the transport sector are heavily dependent on geospatial data. There are several private sector companies that provide services for these projects. If this Bill is passed as drafted, all this development process will be stalled,” said Kumar.

For more details visit https://cis-india.org/internet-governance/news/hindu-businessline-may-10-2016-varun-aggarwal-geospatial-info-regulation-bill-will-hurt-start-ups-small-firms

Identity of the Aadhaar Act: Supreme Court and the Money Bill Question

Vanya Rakesh and Sumandro Chattapadhyay — 2016-05-09T11:52:44Z

A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view. It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation. Vanya Rakesh and Sumandro Chattapadhyay wrote this article on The Wire.

Published by and cross-posted from The Wire.

The Aadhaar Act 2016, passed in the Lok Sabha on March 16, 2016, faced opposition ever since it was tabled in parliament. In particular, the move to introduce it as a money bill has been vehemently challenged on grounds of this being an attempt to bypass the Rajya Sabha completely. A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view.

It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation.

The money bill question

M.R. Madhavan has argued that the Aadhaar Act contains matters other than “only” those incidental to expenditure from the consolidated fund, as it establishes a biometrics-based unique identification number for beneficiaries of government services and benefits, but also allows the number to be used for other purposes beyond service delivery. While Pratap Bhanu Mehta calls this a subversion of “the spirit of the constitution”, P.D.T. Achary, former secretary general of the Lok Sabha, expressed concern about the attempts to pass off financial bills like Aadhaar as money bills as a means to circumvent and erode the supervisory role of the Rajya Sabha. Arvind Datar has further emphasised that when the primary purpose of a bill is not governed by Article 110(1), then certifying it as a money bill is an unconstitutional act.

Article 110(1) of the Constitution identifies a bill as a money bill if it contains “only” provisions dealing with the following matters, or those incidental to them:

imposition and regulation of any tax,
financial obligations undertaken by Indian Government,
payment into or withdrawal from the Consolidated Fund of India (CFI) or Contingent Fund of India,
appropriation of money and expenditure charged on the CFI or receipt, and
custody, issue or audit of money into CFI or public account of India.

However, the link of the Act with the Consolidated Fund of India is rather tenuous, since it depends on the Union or state governments declaring a certain subsidy to be available upon verification of the Aadhaar number. The objectives and validity of the Act would not actually change if the Aadhaar number no longer was directly connected to the delivery of services. The use of the word “if” in section 7 explicitly leaves scope for a situation where the government does not declare an Aadhaar verification as necessary for accessing a subsidy. In such a scenario, the Act will still be valid but without any formal connection with any charges on the Consolidated Fund of India.

A case of procedural irregularity?

The constitution of India borrows the idea of providing the speaker with the authority to certify a bill as money bill from British law, but operationalises it differently. In the UK, though the speaker’s certificate on a money bill is conclusive for all purposes under section 3 of the Parliament Act 1911, the speaker is required to consult two senior members, usually one from either side of the house, appointed by the committee from amongst those senior MPs who chair general committees. In India, the speaker makes the decision on her own.

Although article 110 (3) of the Indian constitution states that the decision of the speaker of the Lok Sabha shall be final in case a question arises regarding whether a bill is a money bill or not, this does not restrict the Supreme Court from entertaining and hearing a petition contesting the speaker’s decision. As the Aadhaar Act was introduced in the Lok Sabha as a money bill even though it does not meet the necessary criteria for such a classification, this treatment of the bill may be considered as an instance of procedural irregularity.

There is ample jurisprudence on what happens when the Supreme Court’s power of judicial review comes up against Article 122 – which states that the validity of any proceeding in the parliament can (only) be called into question on the grounds of procedural irregularities. In the crucial judgment of Raja Ram Pal vs Hon’ble Speaker, Lok Sabha and Others (2007), the court evaluated the scope of judicial review and observed that although parliament is supreme, unlike Britain, proceedings which are found to suffer from substantive illegality or unconstitutionality, cannot be held protected from judicial scrutiny by article 122, as opposed to mere irregularity. Deciding upon the scope for judicial intervention in respect of exercise of power by the speaker, in Kihoto Hollohan vs Zachillhu and Ors. (1992), the Supreme Court held that though the speaker of the house holds a pivotal position in a parliamentary democracy, the decision of the speaker (while adjudicating on disputed disqualification) is subject to judicial review that may look into the correctness of the decision.

Several past decisions of the Supreme Court discuss how the tests of legality and constitutionality help decide whether parliamentary proceedings are immune from judicial review or not. In Ramdas Athawale vs Union of India (2010), the case of Keshav Singh vs Speaker, Legislative Assembly (1964) was referred to, in which the judges had unequivocally upheld the judiciary’s power to scrutinise the actions of the speaker and the houses. It was observed that if the parliamentary procedure is illegal and unconstitutional, it would be open to scrutiny in a court of law and could be a ground for interference by courts under Article 32, though the immunity from judicial interference under this article is confined to matters of irregularity of procedure. These observations were reiterated in Mohd. Saeed Siddiqui vs State of Uttar Pradesh (2014) and Yogendra Kumar Jaiswal vs State of Bihar (2016).

Thus, the decision of the Lok Sabha speaker to pass and certify a bill as a money bill is definitely not immune from judicial review. Additionally, the Supreme Court has the power to issue directions, orders or writs for enforcement of rights under Article 32 of the constitution, therefore, allowing the judiciary to decide upon the manner of introducing the Aadhaar Act in parliament.

National implications demand public deliberation

As the provisions of the Aadhaar Act have far reaching implications for the fundamental and constitutional rights of Indian citizens, the Supreme Court should look into the matter of its identification and treatment as a money bill and whether such decisions lead to the thwarting of legislative and procedural justice.

The Supreme Court may also take this opportunity to reflect on the very decision making process for classification of bills in general. As Smarika Kumar argues, experience with the Aadhaar Act reveals a structural concern regarding this classification process, which may have substantial implications in terms of undermining public and parliamentary deliberative processes. This “trend,” as Arvind Datar notes, of limiting legislative discussions and decisions of national importance within the space of the Lok Sabha must be swiftly curtailed.

Apart from deciding upon the legality of the nature of the bill, it is vital that the apex court ask the government to categorically respond to the concerns red-flagged by the Standing Committee on Finance, which had taken great exception to the continued collection of data and issuance of Aadhaar numbers in its report, and to the recommendations passed in the Rajya Sabha recently. Further, the repeated violation of the Supreme Court’s interim orders – that the Aadhaar number cannot be made mandatory for availing benefits and services – in contexts ranging from marriages to the guaranteed work programme should also be addressed and responses sought from the Union government.

Evidently, the substantial implications of the Aadhaar Act for national security and fundamental rights of citizens, primarily privacy and data security, make it imperative to conduct a duly balanced public deliberation process, both within and outside the houses of parliament, before enacting such a legislation.

For more details visit https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question

Why India’s attempt to police digital maps and satellite images is a ‘dumb’ idea

praskrishna — 2016-05-08T13:05:48Z

Are we back to the license raj?

The story was published by the News Minute on May 6, 2016. Pranesh Prakash gave inputs.

In a move which is receiving widespread criticism from technology and policy experts, the Indian government has proposed the Geospatial Information Regulation Bill that seeks to regulate the use of ‘geospatial information’ of India. Any violation of the proposed act could attract a penalty of up to 7 years in prison and Rs. 1 crore in fines, and the extreme punishments proposed have also been criticised.

So what is Geospatial information?

Geospatial Information has been defined in the act as

any imagery or data acquired through space or aerial platforms such as satellites, aircrafts, airships, balloons, unmanned aerial - vehicles or graphical or digital data depicting natural or man-made physical features, phenomenon or boundaries of the earth or any information including surveys, charts, maps and terrestrial photos.

To put it simply, any imagery of anything on earth (in India) recorded using machines in the sky will be under the purview of the law.

The law forbids any ‘incorrect representation' of the Indian map. For instance, not showing Pakistan Occupied Kashmir as a part of India will now be illegal and attract a fine and jail-term.

Here’s what the draft bill says,

"No person shall depict, disseminate, publish or distribute any wrong or false topographic information of India, including international boundaries through Internet platforms or online services or in any electronic or physical form."

And further states,

"Whoever acquires any geospatial information of India in contravention of the law shall be punished with a fine ranging from Rs 1 crore to Rs 100 crore and/or imprisonment for a period up to seven years."

And it doesn’t end here.

In what is reminiscent of India’s license raj era, the law also mandates that any person or institution acquiring or disseminating any geospatial imagery will have to first seek permission and license from a government authority. So Google Maps, Wikipedia, OpenStreetMap and others can operate in India only with a specific license from the Indian government.

The government authority will also run “sensitivity checks” on the imagery to protect India’s security and sovereignty.

Technology and policy experts are openly gunning for the bill and are holding no punches back.

“This proposed bill is as dumb as the draft encryption bill of last year which would have made WhatsApp illegal. It is unenforceable and will only serve to make India look like a backward, despotic country,” says Kiran Jonalgadda, founder of HasGeek and a social technologist.

Pranesh Prakash, Director of the Centre for Internet and Society, is of the view that this bill goes against the philosophy of Digital India and is regressive in nature. “It bears semblance to the conditions that prevailed in the License Raj. The bill is a clear over-reaction to legitimate security concerns. The government ought to encourage open mapping and should have limited the security restrictions to a set of officially declared security installations across India,” he says.

While the government's motive may be in the best interest of maintaining national security in order to prevent the misuse of sensitive data, such stringent measures may hinder the operations of navigation services and other applications that rely on geospatial information, and it will be the smaller players who will be affected the most. “Every map maker has to create different maps for different countries and hope they're not shown in the wrong country. Google Maps can afford to do this. OpenStreetMap and Wikipedia cannot. They will effectively become illegal,” adds Jonalgadda.

These stringent rules are not entirely unexpected and the government has cracked down on institutions in the past for ‘wrong’ geographical depiction of India.

The government had taken harsh rebuke against Twitter earlier this year for showing parts of Jammu and Kashmir in Pakistan and China. In another such instance, Al Jazeera was banned from broadcasting by the Information and Broadcasting Ministry because of repeatedly using a wrong map of India and was accused of cartographic aggression. The RSS too carried an inaccurate map of India (without some parts of Jammu and Kashmir) in its mouthpiece, Organiser and later apologised for its inadvertent error.

Nikhil Pahwa of Medianama has an exhaustive explanation and critique of the bill, and tells you how you and your businesses will be affected if the law is enacted. Read his piece here.

Here are his final comments from his piece, and they are pretty scathing.

This looks like a policy made for policing Google maps that has ended up throwing out the baby with the bathwater.

The people involved in drafting this have absolutely no clue about how users and businesses use geospatial data to make users lives easier, and how integral it is to every day life. Data is changing and increasing every single minute, and it is impossible to police it.

Collection and dissemination of realtime data and its utility is what makes location information useful and special. This kills realtime information.

It looks at location information from the myopic viewpoint of businesses and platforms, and ignores crowdsourced information, and indeed, independent crowdsourced maps.

A separate policy regarding just security establishments and their removal from mapping information, as well as the depiction of national boundaries of India was all that is needed.

It’s hypocritical of a government that promised “maximum governance, miminum governance” to try and enforce a License-raj.

Interestingly, even as the government wishes to impose punitive measures on erring private bodies, government organisations will not be regulated by the Geospatial Information Regulation Bill.

For more details visit https://cis-india.org/internet-governance/news/the-newsminute-may-6-2016-why-indias-attempt-to-polic-digital-maps-and-satellite-images-is-a-dumb-idea

Facebook: A Platform with Little Less Sharing of Personal Information

nishant — 2016-06-05T02:38:22Z

As Facebook becomes less personal, what happens to digital friendship?

The article was published in the Indian Express on May 8, 2016.

Facebook is worried. Even though usage is growing, something strange is happening on the social network. For the first time since it started its journey as a website to rate datable people on college campuses, to becoming the global reference point that defined friendship in the connected age, people are sharing less personal information on Facebook. For a social media network that positions itself largely as a space where our everyday, banal doings become newsworthy articulations, this is surprising news. But it is true. On Facebook, the traffic is high, but most of it is now sharing of external information. People are sharing links to news, to listicles, to videos, to blogs entries, to pictures and to information that they find interesting, but they are writing less and less about what it is that they are doing and feeling.

Ironically, this coincides with the latest change in Facebook’s “response” options, where the ubiquitous “Like” button can now expand to other emojis where you can also be appropriately angry, sad, surprised, or happy about the shared content. Even as Facebook is trying to get its users to qualify how they feel and give emotional value to their likes, people seem to be sharing even less of their private lives on Facebook.

One of the key ways of understanding this drop in people sharing their personal information is through the concept of “context collapse”. It has been a concern since the first instances of disembodied digital communication. In our everyday life, we make sense of information based on the different contexts that surround us. The person who authors the information, the setting within which that information reaches us, the emotional state that we are in when encountering the information, our sense of where we are when processing it, and the preparedness we have for receiving this information are all crucial parameters by which we make sense of the meaning of the information and also our response to it.

In the case of Facebook, the context within which information and transactions have made sense is “friendship”. The site’s USP was that you could bring in a variety of information, but you were always sharing it with friends. You could have a large audience, but this audience is formed of people you know, people you trust, people you add to your friend groups — there is a sense of intimacy, privacy, and casualness that marks the flow of information. You are able to talk, in an equal breath, about what you had for breakfast, your crush on a celebrity, your random acts of charity, and your strong political rant, one after the other, without requiring to think about what you are posting and how others will receive it.

However, Facebook is not really a friendship platform. It is a company interested in selling our interactions and data to advertisers who can target us with content and information based on the patterns of our behaviour. To serve its advertisers better, Facebook started privileging “verified” information trying to ensure news and content producers higher attention and more eyeballs. This was further strengthened by their continued integration with third party vendors, who could push and pull information into the social world of Facebook, and is seen as one of the biggest reasons for this drop. Any newsfeed in the last few months has had equal amounts of professional and amateur content, leading to a context collapse, where you no longer feel like your Facebook feed is a private and intimate conversation with friends.

Similarly, Facebook’s expansive integration of its products —WhatsApp chats, Instagram updates, and Tumblr posts all can collapse into one — produced a confusing space where the personal information that you were once happy to share with your friends, is suddenly being shared along with news and information. Also, digital behaviour works on mirroring, and we often shape our updates to match what we see on our timelines. If we more and more see external content rather than personal statuses, we also start sharing more third party news and links, thus producing a domino effect of everybody shying away from extremely personal or intimate moments.

Facebook, for the millennials, has been the context within which friendship got structured. Its own transitions have now collapsed that context, leading people to think of it as a content aggregator. It is going to be interesting to see what happens to our digital friendships and networks if Facebook is no longer the space where they are housed.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-nishant-shah-may-8-2016-facebook-a-platform-with-little-less-sharing-of-personal-information

Privacy Issues with DRM

Jalaj Pandey — 2016-05-03T02:41:15Z

This post has been written by Jalaj Pandey interning at CIS. It elaborates upon the various privacy issues with the Digital Rights Management. The author talks about the various ways in which content producers use DRM as a tool to infringe the privacy of the end users.

Nehaa Chaudhari provided inputs and also edited the blog post. Click to download the File.

The ubiquity of internet in today's world has made content and information sharing an easy task. A certain media file can be shared and made public with hardly any technical obstacles. Issues like hacking, unauthorized copying and publication, unlicensed usage have become concerns for content producers, who have employed Digital Rights Management (hereafter DRM) measures to address some of them.

Several instances of the online privacy intrusion by the content producers have been recorded. In such a scenario the balancing the rights of the content producers and the end users becomes an important one. It is imperative to find a common ground to safeguard the interests of both the parties involved. In the recent past DRM has been receiving a lot of flak because of the privacy issues contented by the users.

In the most rudimentary form privacy can be explained as any information about an individual which he/she does not want to be made public. It is important to mention that this information is seen from the perspective of an ordinary reasonable person. The UN Declaration of Human Rights, 1948, defines privacy as a fundamental right of every human. The functioning of the DRM is based on restricting the usage or distribution of the content. Since this restriction is only possible after there is a formal identification of the end user, the content producers end up collecting information about the users. For example: a DRM for a music file might work in a manner where it can only be accessed by one computer from which the user accesses and registers for the first time. DRMs initially identify the IP addresses of the system and make the file functioning on only that IP address. In this way the producer ends up collecting information about the end user. Different DRM models take different ways to collect information of their user. While collecting IP addresses in one of them the other way is tracking the user information via download, browsing activities, subscription service, etc. The usage log of the users is generated and becomes a valuable asset to assess and predict the preferences of the users

Two contentions of privacy have been raised on the privacy issues of DRM -

a) What is the accountability of this process and

b) Whether it puts the content producers in a position where they can control the users.

The information collected is under the control of content producers, who mostly store this information in the form database. BEUC (European Consumer Organization) claimed that the DRM systems technologically enable content providers to monitor private consumption of content, create reports of consumption, and profile users.

The information is at the disposal of the content producers. An assessment of DRM applications under Canadian Privacy showed that the firms did not even recognise privacy issues of the customers as a priority. In fact the firms failed to provide the information that was stored in their databases. This gives an idea about the lack of transparency that exists in collecting the information about users. The question whether users are aware of what information is being collected and to what extent they are being tracked online remains unanswered. The CEN/ISSS (European Committee for Standardization/ Information Society Standardisation System) pointed out that DRMs have a large potential to transmit, generate personal information about users. It has also been characterized by unprecedented levels of monitoring by various content producers.

Further the principled level argumentation to this is on lines of collection of information without any authentication from the user herself/himself. It is essential that if any information is collected or saved by the producers it should only be after taking consent of the user. Surveillance and compelled disclosure of information about intellectual consumption threaten rights to personal integrity.

DRMs take away the anonymity of the consumption. Since the producers can practically monitor the content usage of the user, this has led to wide scale of price discrimination. This means that producers would monitor and assess the preferences of the user and subsequently raise the prices of that particular class of products. In the report of FIPR (Foundation of Information Policy and Research) it was found that Microsoft had been trying to implement their DRM systems in their products using a similar approach to gain a monopoly position as in their strategy of browser implementation.

The Sony BMG copy protection rootkit scandal in 2005 brought much criticism to DRM. It was found out that Sony BMG had introduced illegal and harmful copy protection measure in its CDs. The rootkit element of the software is used to hide virtually all traces of the copy protection software's presence on a PC, so that an ordinary computer user would have no way to find it. Further more than just the DRM part of it the software also made the user's system open to a number of malwares and created vulnerabilities in the system. Sony was eventually made to compensate consumer costs, etc on the same. However the question of whether the database in the hands of companies can be used in arbitrary manner was intensely discussed after this.

It is essential that an effective framework is brought into effect which caters to privacy interests of the users. Privacy is the basic human right and it is the onus of the State to protect and safeguard this right. It is essential that the State does not compromise and support mechanisms which promote the welfare of the content producers over the users. The balance of users and producers becomes all the more important in a developing country like ours. The lack the awareness and the knowledge coupled with increasing usage of internet can lead to the exploitation of many. It is essential that the States see through these problems and collectively find an all encompassing solution to it.

K. G. Coffman and A. M. Odlyzko, Growth of the Internet, AT&T Labs - Research, July 6, 2001, available at, ( www.dtc.umn.edu/~odlyzko//doc/oft.internet.growth.pdf) (hereinafter Growth).

The Daily Source, The Growing Impact of the Internet, April 4, 2016, available at (https://www.dailysource.org/about/impact).

Corryne Mcsherry, Adobe Spyware Reveals (Again) The Price Of DRM: Your Privacy And Security, Electronic Frontier Foundation, October 17, 2014, available at,

(https://www.eff.org/deeplinks/2014/10/adobe-spyware-reveals-again-price-drm-your-privacy-and-security).

Digital Rights Management: A failure in the developed world, a danger to the developing world, Electronic Frontier Foundation, March 23, 2005, available at,

(https://www.eff.org/wp/digital-rights-management-failure-developed-world-danger-developing-world).

R. Subramanya and Byung k. Yi, Digital Rights Management, available at, ( https://www.academia.edu/8054608/Digital_Rights_Management) (hereinafter Digital Rights Management).

Global internet liberty campaign, privacy and human rights, An International Survey of Privacy Laws and Practice, available at, (http://gilc.org/privacy/survey/intro.html).

Ann Cavoukian, Privacy and Digital Rights Management (DRM): An Oxymoron, Information and Privacy Commissioner Ontario, available at, ( https://www.ipc.on.ca/images/Resources/up-1drm.pdf ) (hereinafter Oxymoron)

Varian, H.R. (1985) 'Price discrimination and social welfare', American Economic Review, Vol. 75, available at, (http://www.economics-ejournal.org/economics/journalarticles/2007-1/references/Varian1985).

Privacy and Digital Rights Management,A position paper for the W3C workshop on Digital Rights Management, January 2001, available at, ( www.w3.org/2000/12/drm-ws/pp/hp-poorvi.html).

Growth supra note, 1.

Digital Rights Management supra note, 5.

Thierry Rayna, Privacy or piracy, why choose? Two solutions to the issues of digital rights management and the protection of personal information, Intellectual Property Management, Vol. X, No. Y, available at,

(www.inderscienceonline.com/doi/abs/10.1504/IJIPM.2008.021138).

Oxymoron supra note, 7.

BEUC, Consumentenbond, and CLCV at DRM Working Group 1 (2002), available at, (https://privacy.org.nz/assets/Files/4558510.pdf).

Natali Helberger and Kristo´f Ker´enyi and Bettina Krings, Digital Rights Management and Consumer Acceptability: A Multi-Disciplinary Discussion of Consumer Concerns and Expectations, available at (citeseerx.ist.psu.edu/showciting?cid=733532).

Knud Bohle, Indicare, Research into unfriendly DRM : A Review, December, 2004,available at, (citeseerx.ist.psu.edu/showciting?cid=733532) (hereinafter Indicare).

European Committee for Standardization/Information Society Standardisation System (CEN/ISSS) DRM Report, 2003.

Indicare supra note, 16.

News Release, "Forrester Technographics Finds Online Consumers Fearful of Privacy Violations" (October 27, 1999 available at, (www.forrester.com/ER/Press/Release/0,1769,177,FF.html).

Julia E. Cohen, Georgetown Law Faculty Publications, DRM and Privacy, January 2010, available at,

(https://www.academia.edu/2164013/DRM_and_Privacy).

Moe, W. and Fader, P. (2004) 'Dynamic conversion behavior at e-commerce sites', Management Science, Vol. 50, available at,

(https://www.researchgate.net/publication/227447618_Dynamic_Conversion_Behavior_at_E-Commerce_Sites).

Privacy or piracy supra note, 21.

Sismeiro, C. and Bucklin, R. (2004) 'Modeling purchase behavior at an e-commerce web site: a task completion approach', Journal of Marketing Research, available at, (citeseerx.ist.psu.edu/showciting?cid=906878).

Ross Anderson, Foundation of Information Policy and Research Consultation Response to DRM (2004), available at, (www. fipr.org/APIG_DRM_submission.pdf).

Otto Helweg, Sony, Rootkits and Digital Rights Management Gone Too Far, Oct, Oct. 31, 2014, available at (https://blogs.technet.microsoft.com/markrussinovich/2005/10/31).

Sony BMG Litigation Info, Electronic Frontier Foundation, available at, (https://www.eff.org/cases/sony-bmg-litigation-info).

For more details visit https://cis-india.org/internet-governance/blog/privacy-issues-with-drm

April 2016 Newsletter

sunil — 2016-05-10T06:26:09Z

Welcome to the CIS newsletter for April 2016. The key issues we worked on this month included the Aadhaar Act 2016, Standard Essential Patents, cyber security of smart grids, and involvement of international agencies in the smart cities project in India.

Early last year, thanks to the fund raising efforts of a friend of CIS - Suhail Kazi, we received Rs. 1.9 lakhs as donations from 19 individuals. In January this year, we set up an online giving feature on our website which would ease the donation process, but we haven’t got a single donation so far! This could be because many of you may be under a false impression that CIS is very wealthy and does not need more support. Unfortunately, this is no longer true. Today, we are unable to find a single donor who is interested in our Accessibility, Telecom, or RAW programmes. In other words, we need your support. Would you to consider making a small donation to CIS? Click here to donate.

Previous issues of the newsletters can be accessed here: http://cis-india.org/about/newsletters.

Highlights
CIS prepared an FAQ on the Aadhaar / UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. Further, two infographics were produced to highlight on the questions of "Can the Aadhaar Act 2016 be Classified as a Money Bill?" and "Can the Matters Dealt with in the Aadhaar Act be the Objects of a Money Bill?". NVDA team prepared a report on the progress of the project for the month of April 2016. CIS submitted its comments to the Department of Industrial Policy and Promotion's Discussion Paper on Standard Essential Patents and their Availability on FRAND Terms. CIS has offered its assistance on other matters aimed at developing a suitable policy framework for SEPs and FRAND in India, and, working towards the sustained innovation, manufacture and availability of mobile technologies in India. A summary of the comments can be accessed here. Responses to the Discussion Paper is available here. Rohini Lakshané's paper titled Patents and Mobile Devices in India: An Empirical Survey has been accepted for publication by the Vanderbilt Journal of Transnational Law. Kiran A.B. in a blog post has documented the availability and openness of data sets in India that are relevant for monitoring the targets under the SDGs. Low-cost Aakash tablet and its previous iterations in India have gone through several phases of technological changes and ideological experiments wrote Sumandro Chattapadhyay and Jahnavi Phalkey in an article published in the Economic and Political Weekly.

-----------------------------------
CIS in the News
-----------------------------------

CIS gave inputs to the following media coverage:

India's biometric database crosses billion-member mark (AFP and Daily Mail, UK; April 4, 2016).
The Panama Papers and the question of privacy (Big News Network; April 6, 2016). This was originally published by Privacyinternational.org.
Daunting task ahead for investigative agencies with WhatsApp's end-to-end encryption (Neha Alawadhi; Economic Times; April 8, 2016).
PMO’s no to smart cards, insists on Aadhaar (Somesh Jha; Hindu; April 10, 2016).
2014 showed the power of Twitter, now every Indian politician wants a handle (T.V. Jayan, Smitha Verma,Sonia Sarkar and V. Kumara Swamy; Telegraph; April 10, 2016).
Why is the UIDAI cracking down on individuals that hoard Aadhaar data? (Alnoor Peermohamed; Business Standard; April 13, 2016).
You will need a license to create a WhatsApp group in Kashmir (Governance Now; April 19, 2016).
Will Facebook, Twitter relocate servers to India? (Taru Bhatia; Governance Now; April 23, 2016).
Government keeps experts out of cyber security discussions (Amrita Madhukalya; DNA; April 23, 2016).
CCTV plays Sherlock (Raj Shekhar, Arun Dev, V Narayan & A Selvaraj with inputs from Sindhu Kannan and Somreet Bhattacharya; The Times of India; April 24, 2016).

CIS members wrote the following pieces:

Sunil Abraham wrote an article in the July 15 edition of Frontline arguing that the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.
Amber Sinha wrote an article in The Wire arguing that the Aaddhaar Act is not a money bill, and the Supreme Court may very well question the decision by the Lok Sabha speaker to classify it as such.
Sumandro Chattapadhyay also wrote on The Wire arguing that "the last chance for a welfare state doesn’t rest in the Aadhaar system."
Subhashish Panigrahi's article on the 8 challenges that Indian language Wikipedias have to overcome was published by Global Voices. The article had earlier been published in the Wire.
Elonnai Hickok and Vanya Rakesh co-authored an article on Cyber Security of Smart Grids in India that was published by Dataquest.
Shyam Ponappa in his monthly column published in the Business Standard tell us that it's time the government accepts that current policies are not enough to bring about Digital India.

-------------------------------------
Accessibility & Inclusion
-------------------------------------
India has an estimated 70 million persons with disabilities who don't have access to read printed materials due to some form of physical, sensory, cognitive or other disability. As part of our endeavour to make available accessible content for persons with disabilities, we are developing a text-to-speech software in 15 languages with support from the Hans Foundation. The progress made so far in the project can be accessed here.

►NVDA and eSpeak

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Pervasive Technologies

Comments

Comments on Department of Industrial Policy and Promotion Discussion Paper on Standard Essential Patents and their Availability on Frand Terms (Anubha Sinha, Nehaa Chaudhari and Rohini Lakshané; April 23, 2016).
Responses to the DIPP's Discussion Paper on SEPs and their Availability on FRAND Terms (Anubha Sinha, Nehaa Chaudhari and Rohini Lakshané; April 23, 2016).
Summary of CIS Comments to DIPP’s Discussion Paper on SEPs and their availability on FRAND terms (Anubha Sinha; April 26, 2016).

Blog Entries

Global Congress 2015 - A Collection of Resources (Pervasive Technologies Team; April 1, 2016).
Compilation of Mobile Phone Patent Litigation Cases in India (Rohini Lakshané; updated on April 15, 2016).
Joining the Dots in India's Big-Ticket Mobile Phone Patent Litigation (Rohini Lakshané; updated on April 29, 2016).
MHRD IPR Chair Series: Information Received from Tezpur University (Karan Tripathi; April 26, 2016).
National IPR Policy Series : Sectoral Innovation Councils on Intellectual Property Rights – RTI Requests + DIPP Responses (Nehaa Chaudhari and Saahil Dama; April 30, 2016). Nisha S. Kumar assisted in compilation of the document.

Participation in Events

Fifth Annual IP Teaching Workshop (Organised by the Centre for Innovation, Intellectual Property and Competition at National Law University Delhi in association with National Academy of Law Teaching, NLU-D; Delhi; March 31 and April 1, 2016). Nehaa Chaudhari was a speaker.
First Round-table on Innovation, IP and Competition (Organized by the Centre for Innovation, Intellectual Property & Competition (CIIPC) at the National Law University, Delhi; India Habitat Centre; New Delhi; April 1-2, 2016). Nehaa Chaudhari and Anubha Sinha attended the round-table.
Brainstorming Workshop on PG Programme on Media Studies for UGC E-Pathshala Programme (Organized by Jamia Milla Islamia; New Delhi; April 5, 2016).
Sensitization Seminar on IPR for Electronics & ICT Sectors (Organized by Andhra Pradesh Technology Development & Promotion Centre (APTDC) of Confederation of Indian Industry (CII), in association with Department of Electronics and Information Technology (DeitY); Vishakhapatnam; April 21, 2016).

►Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Work Plan

CIS - A2K Work Plan: July 2016 - June 2017 (CIS-A2K Team; April 2, 2016): We have revised the work plan template taking into account the changed proposal plan sent out by WMF and in light of the feedback that we have received from FDC assessment during last proposal application. The FDC feedback is taken into account at the level of design, RoI and ensuring quality for all our activities.

Article

Eight Challenges Indian-Language Wikipedias Need to Overcome (Subhashish Panigrahi; Global Voices; April 21, 2016). A version of this post was previously published on The Wire.

Media Coverage

Odia gets more space in e-world (Anwesha Ambaly; The Telegraph; April 7, 2016).
Exercise to Correct articles in Tulu Wikipedia begins (Raviprasad Kamila; The Hindu; April 28, 2016).

Event Organized

Tulu Wikipedia Editathon to Improve Quality of Articles in Tulu Wikipedia (Shri Ramakrishna PU College; Mangaluru; April 26 - 30, 2016).

-----------------------------------
Openness
-----------------------------------

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Monitoring Sustainable Development Goals in India: Availability and Openness of Data (Part II) (Kiran A.B.; April 12, 2016).

-----------------------------------
Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Cyber Security

Cyber Security of Smart Grids in India (Elonnai Hickok and Vanya Rakesh; April 25, 2016).

►Big Data

Blog Entry

RTI regarding Smart Cities Mission in India (Paul Thottan; April 21, 2016).

►Privacy

Blog Entries

FAQ on the Aadhaar Project and the Bill (Elonnai Hickok, Vanya Rakesh, and Vipul Kharbanda; April 13, 2016).
Aadhaar Act and its Non-compliance with Data Protection Law in India (Vanya Rakesh; April 14, 2016).
Can the Matters Dealt with in the Aadhaar Act be the Objects of a Money Bill? (Pooja Saxena; April 24, 2016).

Articles

Will Aadhaar Act Address India’s Dire Need For a Privacy Law? (Nehaa Chaudhari; Quint; March 31, 2016).
The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System (Sumandro Chattapadhyay; April 19, 2016).
The Aadhaar Act is Not a Money Bill (Amber Sinha; April 25, 2016).

Participation in Events

RightsCon Silicon Valley 2016 (Organized by RightsCon; March 31 and April 1, 2016). Elonnai Hickok attended the event.
Panel Discussion on UID/ Aadhar act 2016 and its impact on Social, Security (Organized by Students Christian Movement of India at SCM House; Bangalore; April 25, 2016). Sunil Abraham was a panelist.
The Centre for the Study of Law and Governance (CSLG), Jawaharlal Nehru University (JNU), organised a roundtable discussion on Tuesday, April 26, to discuss the Aadhaar project and Act. Along with Prasanna S, Apar Gupta, and Dr. Chirashree Dasgupta, Sumandro Chattapadhyay was one of the discussants.
Aadhaar by Numbers (Organized by National Institute of Public Finance and Policy; New Delhi; April 29, 2016). Sunil Abraham was a speaker.

-----------------------------------
Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Article

Breakthroughs Needed For Digital India (Shyam Ponappa; Business Standard; April 6, 2016 and Organizing India BlogSpot; April 7, 2016).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Article

Buying into the Aakash Dream - A Tablet’s Tale of Mass Education (Sumandro Chattapadhyay and Jahnavi Phalkey; Economic & Political Weekly; April 23, 2016).

Announcement

Call for Proposal: Big Data for Development – Initial Field Studies (Sumandro Chattapadhyay; April 29, 2016).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/april-2016-newsletter

Panel Discussion on UID/ Aadhar act 2016 and its impact on Social, Security

praskrishna — 2016-04-28T17:02:59Z

Sunil Abraham was a speaker at this event organized by Students Christian Movement of India at SCM House in Bangalore on April 25, 2016. Mathew Thomas and Usha Ramanathan also gave talks.

With the passage of the Aadhaar act 2016 is UID / Aadhar mandatory now? How do we understand the issue of Social Security in the context of the new law? What does it mean for those who need to access their senior citizen pension, rations, school and college scholarships, etc.

How does one understand the money bill route for introducing the bill in Parliament? What are implications of this for the validity of the law?

What will happen to the court cases challenging the UID now?

Where are we now on the thorny issues of surveillance, tracking, profiling, biometrics, private and foreign companies and subsidy? What does the law say?

This discussion will revisit the debates around the UID and examine the implications of the new law.

For more details visit https://cis-india.org/internet-governance/news/panel-discussion-on-uid-aadhar-act-2016-and-its-impact-on-social-security

Cyber Security of Smart Grids in India

Elonnai Hickok and Vanya Rakesh — 2016-04-28T15:34:17Z

An integral component of the ambitious flagship programme of the Indian Government- Digital India, which paves way for a digital data avalanche in the country, is a well-designed digital infrastructure ensuring high connectivity and integration of services, the potential areas being smart cities, smart homes, smart energy and smart grids, to list a few. Likewise, the 100 Smart Cities Mission envisions changing the face of urbanization in India, to manage the exponential growth of population in the cities by creating smart cities with ICT driven solutions, along with big data analytics. Smart grid technologies are key for both these schemes.

The article by Elonnai Hickok and Vanya Rakesh was published by Dataquest on April 25, 2016

Smart grid is a promising power delivery infrastructure integrated with communication and information technologies which enables monitoring, prediction and management of energy usages. Establishment of smart grids becomes highly important for the Indian economy, as the present grid losses are one of the highest in the world at upto 50% and costing India upto 1.5% of its GDP. India operates one of the largest synchronous grids in the world – covering an area of over 3 million sq km, 260 GW capacity and over 200 million customers with the estimated demand of India increasing 4 times by the year 2032.

In the year 2013, the Ministry of Power (MoP), in consultation with India Smart Grid Forum and India Smart Grid Task Force released a smart grid vision and roadmap for India, a key policy document aligned to MoP’s overarching objectives of “Access, Availability and Affordability of Power for All”. It lays plans for a framework to address cyber security concerns in smart grids as well. To achieve goals envisaged in the roadmap, the Government of India established the National Smart Grid Mission in the year 2015 for planning, monitoring and implementation of policies and programs related to Smart Grid activities.

A number of smart grid projects have been introduced, and are currently underway. KEPCO in Kerala has established smart meter/intelligent power transmission and distribution equipment system in the year 2011 and the smart grid operations focus on peak reduction, load standardization, reduction in power transmission/distribution loss, response to new/renewable energy and reduction in black-out time. Gujarat was introduced to India’s first modernized electrical grid in the year 2014, to study consumer behaviour of electricity usage and propose a tariff structure based on usage and load on the power utility by installing new meters embedded with SIM card to monitor the data. The Bangalore Electricity Supply Company Ltd. (BESCOM) project in Bangalore envisaged the Smart Grid Pilot Project for integration of renewable and distributed energy resources into the grid, which is vital to meet growing electricity demands of the country, curb power losses, and enhance accessibility to quality power.

Cybersecurity challenges

At the same time, the introduction of a smart grid brings with it certain security risks and concerns, particularly to a nation’s cyber security. Increased interconnection and integration may render the grids vulnerable to cyber threats, putting stored data and computers at great risk.With sufficient cyber security measures, policies and framework in place, a Smart Grid can be made more efficient, reliable and secure as failure to address these problems will hinder the modernization of the existing power system. Smart Grids, comprising of numerous communication, intelligent, monitoring and electrical elements employed in power grid, have a greater exposure to cyber-attacks that can potentially disrupt power supply in a city.

Cyber security and data privacy are some of the key challenges for smart grids in India, as establishment of digital electricity infrastructure entails the challenge of communication security and data management. Digital network and systems are highly prone to malicious attacks from hackers which can lead to misutilisation of consumers’ data, making cyber security the key issue to be addressed. Vulnerabilities allow an attacker to break a system, corrupt user privacy, acquire unauthorized access to control the software, and modify load conditions to destabilize the grid. Hackers or attackers, who compromise a smart meter can immediately alter their energy costs or change generated energy meter readings to monetize it by help of remote PCs. Also, inserting false information could mislead the electric utility into making incorrect decisions about the local usage and capacity.

Initiatives in India

As cybersecurity is critical for Digital India and the Smart City Concept note highlights a smart grid to be resilient to cyber attacks, a National Cyber Coordination Centre is being established by the Indian Government. Also, National Cyber Safety and Security Standards has been started with a vision to safeguard the nation from the current threats in the cyberspace, undertaking research to understand the nature of cyber threats and Cyber Crimes by facilitating a common platform where experts shall provide an effective solution for the complex and alarming problems in the society towards cyber security domain. Innovative strategies and compliance procedures are being developed to curb the increasing complexity of the Global Cyber Threats faced by countries at large.

The National Cyber Security Policy 2013 was released with an umbrella framework for providing guidance for actions related to security of cyberspace, by the Department of Electronics and Information Technology (DeitY). The Working Group on Information Technology established under the Planning Commission has also published a 12 year plan on IT development in India with a road map for cyber security, stating six key priority and focus areas for cyber security including:Enabling Legal Framework ; Security Policy, Compliance and Assurance; Security R&D; Security Incident – Early Warning and Response ; Security awareness, skill development and training, and Collaboration.

In case of Bangalore, to ensure smooth implementation of BESCOM’s vision, the company realised the need to put a cyber-security system in place to protect the smart grid installations in Bangalore city. To ensure security, BESCOM has come out with a separate IT security policy and dedicated trained IT cadre to safeguard its data and servers, becoming one of the few Discoms in India to take such measures for safeguarding the servers and data network from cyber crimes and threats.

Way forward

An electric system like Smart grids has enormous and far-reaching economic and social benefits. However, increased interconnection and integration tends to introduce cyber-vulnerabilities into the grid. With the evolution of cyber threats/attacks over time, it can be said that there are a lot of challenges for implementing cyber security in Indian smart grid. Considering importance of secure smart grid networks for flagship projects in India, the existing regulatory framework does not seem to adequately take into consideration the cyber security implications.

In light of this, the government must aim to develop and adopt high level cybersecurity policy to withstand cyber-attacks. Also, India must focus on skills development in this domain and have a capable workforce to achieve the targets set by Indian Government. The country must look up to develop an overall intelligence framework that brings together industry, governments and individuals with specific capabilities for this purpose.

The National Cyber Security Policy 2013, protecting public and private infrastructure from cyber attacks, along with all kinds of information, such as personal information of web users, banking and financial information,etc. is yet to be implemented by the Government properly. In the Indian Power sector, the cyber security regulations or mandates are absent in the National Electricity Policy (NEP) as well as the Electricity Act 2003 and its amendment in 2007, with no reference to cyber security concerns. These key legislations must be amended to take into account the growing challenges due to increased use of ICT in the power sector.

As the concept of smart grids is still evolving in India, professional intervention from various domains has pushed for adoption and development of standard process and products. Many international standard setting organisations like IEC, IEEE, NIST, CENELEC are engaged in standardization activities of Smart Grids and in India, the Bureau of Indian Standards (BIS) has been rolling out several varieties of standards targeting various technologies. Therefore, BIS must develop standards taking into account the security challenges in the cyberspace as well.

Apart from policy and regulatory measure, the system on which the smart grids are built and networked must be made architecturally strong and secure.One of the areas where due attention is required is making the Supervisory Control and Data Acquisition (SCADA) secure, a system that operates with coded signals to provide control of remote equipment and is entirely based on computer systems and network. Numerous systems also employ the Public Key Infrastructure (PKI) to secure the Smart Grids and address the security challenges by enabling identification, verification, validation and authentication of connected meters for network access. This can be leveraged for securing data integrity, revenue streams and service continuity. The key vulnerable areas prone to cyber attacks on information transmission are network information, data integrity and privacy of information. The information transmission networks must be well-designed as the network unavailability may result in the loss of real-time monitoring of critical smart grid infrastructures and power system disasters.

Addressing these fast growing challenges and cyber security needs of the country by adopting suitable regulatory, policy and architectural steps would help achieve the objectives of Digital India and Smart Cities enabling “Access, Availability and Affordability for All”.

For more details visit https://cis-india.org/internet-governance/blog/dataquest-april-25-2016-vanya-rakesh-and-elonnai-hickok-cyber-security-of-smart-grids-in-india