We are anonymous, we are legion

When politics gets social

praskrishna — 2014-04-04T07:52:46Z

In the run-up to the general election, social media companies explain how the political campaigns this time are very different from what they were five years ago.

The article by Chanpreet Khurana was published in Livemint on March 11, 2014. Sunil Abraham is quoted.

“Okay, I didn’t gain anything. I lost,” Aam Aadmi Party (AAP)’s Arvind Kejriwal conceded disarmingly during a town hall meeting on Facebook last week. He was responding to a question from Candidates 2014 host Madhu Trehan on his much critiqued dharna (sit-in protest) during his 49-day chief ministership of Delhi.

Even as elections to 543 constituencies approach, political parties and politicians are putting their online campaigns in top gear. Sample some of the activity in just the last week. On Sunday, the Indian National Congress party asked voters to share their thoughts on what to include in the party’s Lok Sabha election manifesto—on Twitter. On 8 March, Narendra Modi, the Bharatiya Janata Party’s prime ministerial candidate, held the second session in his Chai Pe Charcha with NaMo series—this time on women’s empowerment. And All India Trinamool Congress chief Mamata Banerjee’s “Girls are our assets” post on Facebook was liked more than 22,000 times.

	Recognizing the high level of engagement around politics on social media, companies like Facebook and Google are driving initiatives on this theme in peak election season—polling starts on 7 April. The Facebook Talks Live’s Candidates 2014 series (also broadcast on NDTV), which in its first week featured Kejriwal, Banerjee, Rashtriya Janata Dal chief Lalu Prasad and the Samajwadi Party’s Akhilesh Yadav, is one example. There are many new services being launched online in the run-up to the Lok Sabha election.

Recognizing the high level of engagement around politics on social media, companies like Facebook and Google are driving initiatives on this theme in peak election season—polling starts on 7 April. The Facebook Talks Live’s Candidates 2014 series (also broadcast on NDTV), which in its first week featured Kejriwal, Banerjee, Rashtriya Janata Dal chief Lalu Prasad and the Samajwadi Party’s Akhilesh Yadav, is one example.

There are many new services being launched online in the run-up to the Lok Sabha election.

Know your candidate

On 20 April 2011, US President Barack Obama appeared on Facebook Talks Live, opening the floodgates for a new kind of engagement between political leaders and the electorate. Cut to almost three years later, and the Facebook-led “town hall” meeting has come to India. On 4 March, Candidates 2014 launched with Kejriwal taking questions on issues like women’s safety, reservation for the backward classes and the plight of contractual workers, and detailing his vision for the country. A video of the town hall is available on Facebook and YouTube and has been viewed at least 30,000 times. As part of the format of the town hall, the questions came in equal parts from the live audience, Trehan and from a pool of questions submitted on the Facebook India page.

To the agile leader then, social media can be more than just another pulpit to broadcast views and give a speech from. It’s something Sunil Abraham, executive director of The Centre for Internet And Society, a non-profit research organization, can’t stress enough. “Social media provides unmediated access; in that sense it is a tremendously effective tool,” says Bangalore-based Abraham in a phone interview. “The question is, are political parties agile enough to take advantage of it?”

For more details visit https://cis-india.org/news/livemint-march-11-2014-chanpreet-khurana-when-politics-gets-social

When Netas Network

praskrishna — 2013-06-19T06:19:00Z

In September 2009, a freshly re-elected Congress took exception to a light-hearted tweet by its newly inducted minister Shashi Tharoor, chastising him not only for causing offence but also for being too quick to air his views on social media.

This article by Rukmini Shrinivasan was published in the Times of India on April 27, 2013. Sunil Abraham is quoted.

So much can change in less than four years.

Rocked by allegations of corruption, and with anti-incumbency firmly setting in, the Congress is struggling to reconnect with voters, and is belatedly embracing social media. Tharoor has had the last laugh;his social media activity has earned him praise and is being emulated by others in his cabinet.

As political discussion spills over from the neighbourhood tea shop and coffee house to Facebook and Twitter, their potential impact on electoral politics is something that those in power and those hoping to get there are taking very, very seriously.

The BJP runs its social media operation out of its headquarters in Delhi. Most of the party's top leaders have an official Facebook page and a verified Twitter handle, while others, including octogenarian L K Advani, blog.

The Congress is late to the party;it does not have an official Twitter account and has such a halfhearted Facebook presence that it isn't immediately clear that it's official. But it seems to be waking up - young leaders including Deepender Hooda are now part of a social media strategy team, and the younger cabinet ministers are enthusiastic social media adopters.

Rural India Logs On

Despite representing a largely rural, relatively impoverished constituency, 48-year-old Biju Janata Dal MP Baijayant Panda is a Twitter natural. "Rural Indians are slowly beginning to get more active online and I am beginning to interact more often with my constituents there. In fact, particularly on Facebook, there are already a significant number of Odia users, from all around the world, but also those living in my constituency, " Panda says.

Simultaneously, social media entrepreneurs are responding to what they see as an area of huge growth. The Australian web-based citizen-politician interaction platform OurSay has just come to India (see interview on page 5). In the run-up to the elections, Twitter and Google are both reaching out to politicians and civil society organisations in the citizen engagement game and have pitched town-hall style interactions to several politicians, including union cabinet members and state governments.

Social media entrepreneur and analyst Mahesh Murthy believes that Indian social media users have discovered the wonders of political engagement online. "Only now are they figuring out that the real news doesn't seem to get out on traditional media - and more importantly, that their response on traditional media (at best, a letter to the editor) is puny in comparison to the impact they can have via social, " he says. Moreover, says Murthy, the impact is not online alone. "The Nirbhaya case, the Palghar case, the recent child rape case - all would have gone generally unnoticed a few years ago. Each of them, thanks to social media, became a cause to rally around. Add to this disclosures under RTI, NGOs becoming more transparent, online petitions and more - the staid and set political world of India is undergoing the first wave of massive, irreversible change. "

Such evangelism about the potentially transformational impact of social media was echoed in a recent study which claimed that Facebook users could swing elections in 150 constituencies in the next Lok Sabha election. Apart from being statistically flawed, the study also failed to look beyond the number of people on social media, to the kinds of conversations they are actually having.

A Broadcast Medium?

With some exceptions, the majority of politicians on Twitter and Facebook use it as yet another broadcast medium for purely one-way traffic, a rare few respond to the hundreds who leave comments on their Facebook and Twitter posts. So while Gujarat chief minister Narendra Modi might have asked the FICCI ladies to get in touch with him on social media, what he omitted to mention was that he never responds.

Most politicians and parties are not doing a good job of engaging with citizens through social media, agrees Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "Most of them are still outsourcing this function completely. This reminds me of the early days of email in large corporations and government offices when every email was printed before it was read by its recipient and the response dictated and recorded using shorthand before it was entered into the computer. This approach will not work with social media users. Personal involvement will be one way to improve results, " says Abraham.

Arvind Gupta, who sold off his analytics firm to run the BJP's IT cell from its Lutyens' Delhi headquarters, disagrees. "The volume of responses on Twitter or Facebook make it impossible for Sushmaji [Swaraj] or Modiji to respond to them all, but they often meet online supporters offline too, or highlight insightful comments on their blogs, " says Gupta.
Younger leaders tend to be better at online interaction. So while 89-year-old Karunanidhi of the DMK has a Twitter account but follows no one, the party's youngest MLA, TRB Rajaa, has five Facebook pages and a Twitter handle, and replies personally. "I get several hundred messages on Facebook in a day, but I try to respond to at least half, especially those who are raising grievances, " he says.

Some times, the proximity of a politician to the blaze of online outrage can force action. "When (IIPM director) Arindam Choudhary got a remote district court to ban a UGC web page, social media turmoil spurred first Shashi Tharoor and then [minister of state for information technology] Milind Deora and then the government into action - and the case was challenged and the ban was overturned, " says Murthy.

Influencing First-time Voters

But the big question remains - in a country where the internet is for a privileged few, is it too early to start talking of social media playing a role in electoral politics?

Sanjay Jha who runs the website Hamara-Congress. com and is a member of the party's social media strategy team, believes the impact will largely be on youngt voters. "It will have an impact on first time voters of urban India as also on voters who are unsure about their political leanings, " he says.

"Social media like mainstream media will influence its users. Internet users are still roughly around 10% of the population. However, they are elites and can influence wider offline discourse. Social media may have other benefits as it would help make the elections more transparent and free from manipulation, " says Abraham.

"One has to be careful - we don't know yet how many people on Facebook are registered to vote, and how many more will do so in time. We also need to understand better the ability of a youth on Facebook to influence his parents' and family's voting choices, " says Murthy.

In number terms, Murthy believes that social media will have some impact on 8-15 % of the electorate come 2014. "The 2014 elections will be a turning point. But I sense the 8% to 15% will more than double by 2019 elections - and that will be a moment when social media is far, far more important. The smarter parties and politicians will realise this and start making investments and efforts right away, " says Murthy.

Gupta strongly believes that a segment of the population that is politically engaged online but will not come to dharnas nevertheless votes, and should not be dismissed. "You often see people who make "I voted today" their Facebook status, " he says. Moreover, citizens politically engaged online are influencing each other and changing minds, he says.

Party Time

Many in politics also believe that besides the voter - who makes his or her decision based on a complex matrix of reasons - social media plays an important role in helping the leadership of parties connect with and energise their cadre and supporters.

"At the very least, social media will bring interested volunteers and party-workers closer to public representatives by making direct interaction possible. Certain candidates, even independent and otherwise lesser fancied ones, will have a shot at mobilising supporters at rallies, even though they have far fewer traditional resources to do so, " says Panda.
Rajaa agrees. "Not just voters, many motivated cadre also use social media to keep in touch with our youth wing and with the second-rung leadership, " he says.

With additional reporting by Kim Arora.

For more details visit https://cis-india.org/news/times-of-india-crest-edition-april-27-2013-rukmini-shrinivasan-when-netas-network

When laugh lines turn worry lines

K.V. Aditya Bharadwaj — 2019-03-20T16:06:46Z

Trolls instil fear in cartoonists’ minds.

The article by K.V. Aditya Bharadwaj was published in Hindu on March 15, 2019. Sunil Abraham was quoted.

The election season, with all its colour and drama, had been a festival for political cartooning. But no longer so. Cartoonists, especially those using social media platforms to publish their works, say they are under siege by a polarised electorate.

Several cartoonists have reported instances of their work being taken down from social media platforms and their accounts blocked after they were flagged by users for “offensive content, abuse and nudity”. They allege that while they have been experiencing a “tough time” with right-wing trolls over cartoons critical of the BJP, the situation has become worse in the run-up to the Lok Sabha election.

P. Mahmud, a senior political cartoonist from Karnataka, has been locked out of his Facebook account for a week. His cartoon on March 8 portraying demonetisation and GST as an air strike on the economy went viral on social media, but it was later pulled down after it was allegedly flagged for offensive content. Shorty after, his account was locked. “This is an attack on my freedom of expression, robbing me of a platform,” Mr. Mahmud said. Another work of his, critical of Masood Azhar, founder of the terrorist organisation Jaish-e-Mohammed, was reported for hurting religious sentiments as he had called it Jaish rather than by its full name. A user reported it as an attempt at “obfuscating the religion of terror”.

“I can take criticism. But this campaign against my work seems organised and connected to my religion as well,” Mr. Mahmud said.

Another senior cartoonist from the State, Satish Acharya, had to lodge a complaint with the Udupi police recently when a right-wing troll threatened to “teach him a lesson in public”.

“I have had my Facebook account blocked thrice over the past five years. Each time it was mass reported over cartoons critical of the Modi Sarkar [government]. It’s part of a deliberate strategy to ensure that critical perspective doesn’t find currency online,” he said.

Senior cartoonists Tanmay Tyagi from Delhi and Mumbai-based Manjul have had similar experiences. Mr. Tyagi’s social media handles have been suspended over six times since 2014. Last year, his personal computer was shacked and 20 years of work deleted.

Cartoonists are worried about this concerted effort to muzzle them. Manjul expressed sorrow over the lack of space for nuance, wit, sarcasm, irony and satire — tools that a cartoonist relies on to get their message across.

“You are branded and pigeon-holed in a world that seems to operate on a ‘you are either with us or with them’ narrative. In a polarised society readers look for a confirmation bias in the cartoons,” he said.

A steady stream of abusive comments is a daily reality for cartoonists. “These trolls seek to enter your mind and create fear so that the next time a cartoonist sits at his table to sketch, he will rethink what he draws. It’s aimed at self-censorship,” Mr. Acharya said. He believes that traditional media houses are also developing cold feet.

Sunil Abraham, executive director, Centre for Internet and Society, a Bengaluru-based research organisation, termed it a “private censorship regime” that was also opaque.

“At most of the social media platforms the function is done partly by machine and partly in person. No company has invested heavily on human resources to review content being reported, making most of the process automated. Once you know what patterns the machine is looking for, you can game the machine and provide such patterns. It is an attack on freedom of expression,” he said.

Last year, Facebook made a detailed document on its internal community standard policy public explaining the nature of the content it takes down. An email questionnaire to the company on its redressal system especially when posts are being falsely flagged for nudity went unanswered.

But is trolling a new phenomenon or restricted to just right-wing supporters? Manjul said the first time he faced this kind of censorship was in 2013 when Twitter took down one of his cartoons critical of the Congress.

His recent cartoon on Triple Talaq received much flak and a Muslim organisation called up the editor of the publication threatening to kill him.

“My cartoon of Lord Ganesha taking a taxi during the Surat Plague got me a barrage of hate mail in 1994. It’s an old disease, but the wound is now in the open and it is rotting. Right-wing trolls are more organised, tech savvy and nasty in their use of language,” he said.

For more details visit https://cis-india.org/internet-governance/news/hindu-kv-aditya-bharadwaj-march-15-2019-when-laugh-lines-turn-worry-lines

When Data Means Privacy, What Traces Are You Leaving Behind?

Noopur Raval — 2011-11-24T09:24:03Z

How do you know yourself to be different from others? What defines the daily life that you live and the knowledge you produce in the span of this life? Is all that information yours or are you a mere stakeholder on behalf of the State whose subject you are? What does privacy really mean? In a society that is increasingly relying on information to identify people, collecting and archiving ‘personal’ details of your lives, your name, age, passport details, ration card number, call records etc, how private is your tweet, status update, text message or simply, your restaurant bill?

The CIC (central information commission) that arbitrates decisions on RTI appeals in case of conflict of interest provides interesting notions of what the State thinks is privacy. Ironically, the cornerstones of RTI that is privacy and its invasion are yet to be defined in the context of the judiciary. Then, how does the CIC decide what is private enough and what can be revealed to anyone? Of course, it relies on the discretion of its judges who attempt to draw from a range of sources that include the principles of natural justice drawn from western jurisprudence to quotes by Gandhi and Aristotle to the UK Data Protection Act, 1998 and US Torts that define invasion of privacy. To begin with, let us examine who constitutes the private sphere. As ruled in case of Mr. Ajeet Kumar Khanna vs Punjab & Sind Bank on 29 July, 2008 and Mr. G. Atchaiah vs State Bank of India on 22 August, 2008, the appellant can seek information only for himself/herself. Anyone outside the self, commonly believed as the personal connection, sons, daughters, parents or even spouse is not allowed information of a relative. One needs a distinct power of attorney for right to information. The contradiction is that one does not need to state the purpose for asking information, thereby making unnecessary any connection with the person you want information about.

CIC has been increasingly relying on the UK Data Protection Act, 1998 to make a correlation between data and privacy. Hence, to map privacy and its invasion, the RTI act depends on the UK Data Protection Act that classifies the following as sensitive personal data:

We have no equivalent of UK's Data Protection Act, 1998, Sec 2 of which, titled Sensitive Personal Data, reads as follows: In this Act "sensitive personal data" means personal data consisting of information as to:

The racial or ethnic origin of the data subject
His political opinions
His religious beliefs or other beliefs of a similar nature
Whether he is a member of a Trade Union
His physical or mental health or condition
His sexual life
The commission or alleged commission by him of any offence
Any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

While this blanket reference to sensitive personal data does not account for nuances in the Indian context, it also does not capture the essence of public-private interaction. It is mostly at the intersection of the public domain and the individual that the demarcation occurs. While personal family photographs lying in my attic may constitute a beautiful memory that can be proudly displayed on my walls, it is when one acknowledges the dual nature of any information source, the potential of these photographs to contribute to larger politicized information narratives, that their access and usage comes to define the real crux of the privacy debate.

The US Restatement of the Law, Second, Torts, defines the Intrusion to Privacy more generally in the following manner: “One, who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Of course, we don’t know whether a father paying for bills and wanting access to his daughter’s cell phone records can be seen as highly offensive to a reasonable person in the Indian context. In the context of the recent Padmanabhswamy Templetreasure trove found in Kerala, since under the Ancient Monuments and Archaeological Sites and Remains Act 1958, such sites qualify as sites of ‘national importance’ and imply a certain larger public interest, would one be able to access such 'nationally personal data' pertaining to a temple (public space) owned by a family trust registered with the government (publicly private), containing a national treasure lying locked on geographical territory (public) that is rightly shared by all citizens?

Here’s how the CIC defined the personal and the extent of personal in the context of state as illustrated in Mr. Kanhiya Lal vs MCD, GNCT, Delhi on 13 June, 2011.To qualify for this exemption the information must satisfy the following criteria:

It must be personal information

Words in a law should normally be given the meanings given in common language. In common language we would ascribe the adjective 'personal' to an attribute which applies to an individual and not to an institution or a corporate. From this it flows that 'personal' cannot be related to Institutions, organizations or corporate. (Hence, we could state that section 8 (1) (j) cannot be applied when the information concerns institutions, organizations or corporate). The phrase 'disclosure of which has no relationship to any public activity or interest' means that the information must have some relationship to a public activity. Various public authorities in performing their functions routinely ask for 'personal' information from Citizens, and this is clearly a public activity. When a person applies for a job, or gives information about himself to a public authority as an employee, or asks for a permission, licence or authorisation, all these are public activities. The information sought in this case by the appellant has certainly been obtained in the pursuit of a public activity. We can also look at this from another aspect. The State has no right to invade the privacy of an individual. There are some extraordinary situations where the State may be allowed to invade on the privacy of a Citizen. In those circumstances special provisos of the law apply, always with certain safeguards. Therefore it can be argued that where the State routinely obtains information from Citizens, this information is in relationship to a public activity and will not be an intrusion on privacy.

In that case, does data at several layers demand for us to relook privacy from the subject positions we acquire at different levels and hence, the larger private collectives that we partake of?

For more details visit https://cis-india.org/internet-governance/blog/privacy/when-data-is-privacy

When #GOIBlocks, twitterati fly off their ‘handles’

praskrishna — 2012-08-26T05:56:19Z

Ever since the news broke mid-week that some genuine Twitter accounts and six spoof accounts were blocked, the social networking platform has been in a tizzy.

Published in the Hindustan Times on August 26, 2012. Pranesh Prakash is quoted.

Hashtags like #GOIblocks and variations on the same theme began “trending” and the twitterati, functioning like a virtual democracy, have been bombarding the world in real time with posts about the issue. 16 accounts of the 15 million twitter users in India, among them those of a few journalists, spoof accounts like @PM0India, a right-wing parody of @PMOIndia, the official twitter account of the Prime Minister’s office, and a few anonymous accounts like Barbarian Indian (@barbarindian) and Dosabandit (@dosabandit) were blocked.

While Narendra Modi turned his twitter display picture black in solidarity with the idea of freedom of speech (and was promptly termed a hypocrite with many like @JagPaws, who has 641 followers, tweeting, “Whoa!! Is he supporting Jihadi sites?”), Pankaj Pachauri, (49,827 followers) Communications Adviser to the Prime Minister’s office, has put up twitter rules and the National Security Advisor Shivshankar Menon’s ominously pro-surveillance keynote address at the release of the IDSA report on “India’s Cyber Security Challenge”.

Many like Nitin Pai @acorn, with 16,988 followers, founder of Takshashila Institute, a public policy think tank, tweeted that “under extraordinary circumstances, the govt must do whatever it can under the constitution to prevent loss of life” and added that targeted and temporary blocks of sites, facebook pages and twitter handles that spewed hate were acceptable. Others like film maker Harini Calamur (@calamur) (11,277 followers) who says she is against censorship tweeted that “Blocking internet handles & sites is silly” and “the Govt’s job is to uphold the constitution & protect our fundamental rights. Not make value judgements.” Much of the debate has led to a genuine exchange, sometimes making comrades of people from opposing camps. Kanchan Gupta, a journalist known for his pro-Hindutva views, whose twitter handle @KanchanGupta (26,424 followers) was among those blocked, accepted on TV that scores of “people from all communities” many of whom “disagreed violently” with him had extended their support on twitter.

Others like writer Shivam Vij (@Dilidurast), who has 3,296 followers, whom Hindutvawadis has often branded ‘pseudo sickular’, surprised baiters by speaking against the ban.

Many were strident in their criticism of the arbitrary nature of the blocks and tweeted that it was indicative of authoritarianism. “Internet blocks in India have been increasing in frequency&intensity. I wouldn't put this down to knee-jerk/foolishness.There is *intent*,” tweeted Nikhil Pahwa (@nixxin), founder and editor of @medianama. Others like business journalist Samidha Sharma @samidhas worried that the government’s frequent attacks on freedom of expression shows that it is “following china in all the wrong things”.

While Pranesh Prakash (@pranesh_prakash) of the Centre for Internet and Society tweeted, “They've blocked sites from all parts of the spectrum: Muslim right-wing, Hindu right-wing, neutral news sites, etc. No politics”, many others saw the move as a “self-serving” one. “Dear GoI: why not be honest enough to say that this web censorship has NOTHING to do with security+ all to do with your own arrogance” tweeted Sunny Singh (@sunnysingh_nw3).

For more details visit https://cis-india.org/news/www-hindustan-times-aug-26-2012-when-goi-blocks-twitterati-fly-off-their-handles

WhatsApps with fireworks, apps with diyas: Why Diwali needs to go beyond digital

nishant — 2015-11-23T13:27:37Z

The idea of a 'digital' Diwali reduces our social relationships to a ledger of give and take. The last fortnight, I have been bombarded with advertisements selling the idea of a “Digital Diwali”. We have become so used to the idea that everything that is digital is modern, better and more efficient.

The article was published in the Indian Express on November 22, 2015.

I have WhatsApp messages with exploding fireworks, singing greeting cards that chant mystic sounding messages, an app that turns my smartphone into a flickering diya, another app that remotely controls the imitation LED candles on my windows, an invitation to Skype in for a puja at a friend’s house 3,000 km away, and the surfeit of last minute shopping deals, each one offering a dhamaka of discounts.

However, to me, the digitality of Diwali is beyond the surface level of seductive screens and one-click shopping, or messages of love and apps of light. Think of Diwali as sharing the fundamental logic that governs the digital — the logic of counting. As we explode with joy this festive season, we count our blessings, our loved ones, the gifts and presents that we exchange. If we are on the new Fitbit trend, we count the calories we consume and burn as we make our way through parties where it is important to see and be seen, compare and contrast, connect with all the people who could be thought of as friends, followers, connectors, or connections.

While there is no denying that there is a sociality that the festival brings in, there is also a cruel algebra of counting that comes along with it. It is no surprise that as we celebrate the victory of good over evil and right over wrong, we also simultaneously bow our heads to the goddess of wealth in this season.

Look beyond the glossy surface of Diwali festivities, and you realise that it is exactly like the digital. Digital is about counting. It is right there in the name — digits refers to numbers. Or digits refer to fingers — these counting appendages which we can manipulate and flex in order to achieve desired results. At the core of digital systems is the logic of counting, and counting, as anybody will tell us, is not a benign process. What gets counted, gets accounted for, thus producing a ledger of give and take which often becomes the measure of our social relationships.

I remember, as a child, my mother meticulously making a note of every gift or envelope filled with money that ever came our way from the relatives, so that there would be precise and exact reciprocation. I am certain that there is now an app which can keep a track of these exchanges. I am not suggesting that these occasions of gifting are merely mercenary, but they are embodiments of finely calibrated values and worth of relationships defined by proximity, intimacy, hierarchy and distance. The digital produces and works on a similar algorithm, which is often as inscrutable and opaque as the unspoken codes of the Diwali ledger.

There is something else that happens with counting. The only things that can have value are things that have value. I don’t know which ledger counts the coming together of my very distributed family for an evening of chatting, talking, sharing lives and laughter. I don’t know how anybody would reciprocate that one late night when a cousin came to our home and spent hours with my younger brother making a rangoli to surprise the rest of us. I have no idea how they will ever reciprocate gifts that one of the younger kids made at school for all the members of the family.

Diwali is about the things, but like the digital system, these are things that cannot be counted. And within the digital system, things that cannot be counted are things that get discounted. They become unimportant. They become noise, or rubbish. Our social networks are counting systems that might notice the low frequency of my connections with my extended family but they cannot quantify the joy I hear in the voice of my grandmother when I call her from a different time-zone to catch up with her. Digital systems can only deal with things with value and not their worth.

I do want to remind myself that there is more to this occasion than merely counting. And for once, I want to go beyond the digital, where my memories of the past and the expectations of the future are not shaped by the digital systems of counting and quantifying. Instead, I want Diwali to be analogue. I shall still be mediating my collectivity with the promises of connectivity, but I want to think of this moment as beyond the logics and logistics of counting that codify our social transactions and take such a central location in our personal functioning. This Diwali, I am rooting for a post-digital Diwali, that accounts for all those things that cannot be counted, but are sometimes the only things that really count.

For more details visit https://cis-india.org/internet-governance/blog/the-indian-express-nishant-shah-november-22-2015-whatsapps-with-fireworks-apps-with-diyas-why-diwali-needs-to-go-beyond-digital

WhatsApp spy attack and after

Theres Sudeep — 2019-12-15T05:06:27Z

Bengaluru experts analyse the Pegasus snooping scandal, and provide advice on what you can do about the gaping holes in your mobile phone security.

The article by Theres Sudeep was published in Deccan Herald on November 6, 2019. Aayush Rathi was quoted.

Last week ended with a sensational piece of news: WhatsApp said spyware Pegasus was being used to hack into the phones of activists and journalists in India.

The software is the brainchild of the NSO Group, an Israeli company. WhatsApp has detected 1,400 instances of Pegasus being used in the latest wave of attacks between April 29 and May 10. WhatsApp has identified 100-plus cases targeting human rights defenders and journalists. About two dozen of these attacks were in India.

Among those whose security was reportedly compromised is Congress leader Priyanka Gandhi.The first question is who ordered this snooping. NSO claims they sell their technology only to government agencies for lawful investigation into crime and terrorism. Speculation is rife that there is government involvement in the snooping.

Vinay Srinivas, lawyer with Alternative Law Forum, Bengaluru, says,“The targets of the attack seem to be those who had critical things to say about the current government.”Referring to a tweet by journalist Arvind Gunasekar, Srinivas says there is clear proof that the government knew of the breach and its severity.The tweet includes a screenshot of a report from the CERT-IN (Indian Computer Emergency Response Team) website dated May 17.

It shows severity rating as “High”.WhatsApp says the vulnerability has now been patched and urged users to update the app. But a level of paranoia around smartphones and privacy has been created. Apar Gupta, executive director of the Internet Freedom Foundation, based in Delhi works towards internet freedom and privacy, says Pegasus,specially, is too expensive (it can cost up to eight million dollars a year to licence) to be used on ordinary citizens.

But not all spyware is expensive. “Multiple kinds are now commercially available and easy to procure. These can be used by an estranged lover or even a professional rival to find information about you,” he says. Jija Hari Singh, retired DGP and Karnataka’s first woman IPS officer, says Pegasus is one of the smaller players, and spyware akin to it has been around for three decades. “Monsters bigger than Pegasus are still snooping on us,” she says.

NOTHING TO HIDE?

Many people fall back on the narrative of ‘I have nothing to hide, so I’m not worried’.Aayush Rathi, Programme Officer at the Centre for Internet and Society, says that this is a flawed premise: “It is like saying free speech is not important for you because you have nothing useful to say.”Gupta breaks down this rationale: “If a person has ‘nothing to hide’ then they should just unlock their phone and hand it over to any person who asks for it. But the minute such a demand is made they would feel uncomfortable.”This discomfort, he says, doesn’t come because they are doing something illegal but because they fear social judgement.“There is a level of intimacy in their conversations that they’d rather not share with anyone else,” he says.Many people believe only illegal activity leads to surveillance, but that is not the case.“Even the most inconsequential actions are being logged on digital devices, and much of this information can be monetised,” he says.The most tangible risks are financial fraud and identity theft, and spyware is also commonly used for corporate espionage.

UPDATE SECURITY

So what must one do if one’s phone is spied on? In the case of Pegasus, Rathi says, “You would have received a communication from WhatsApp if you were targeted. Irrespective, you should update the application immediately as the latest update fixes the vulnerability.”Srinivas says legally the recourse available is the fundamental right to privacy. “Since the government doesn’t have any regulation in place to deal with this, the National Human Rights Commission will have to take it up,” he says.

Gupta advises precautions against preventable hacks. He advises a reading of online guides on surveillance self-defence, especially those by Electronic Frontier Foundation.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-november-6-2019-theres-sudeep-whatsapp-spy-attack-and-after

WhatsApp ruling: Experts seek privacy law

praskrishna — 2016-09-27T02:35:06Z

On August 25, Whatsapp updated its policy to share user content with social network; the decision opened new monetisation models for the messaging app.

The article by Apurva Venkat and Moulishree Srivastava quoted Sunil Abraham. It was published in the Business Standard on September 24, 2016.

The recent Delhi High Court ruling that messaging app Whatsapp cannot share user data highlights the need for legislation on privacy, according to experts.

On August 25, Whatsapp, a platform with 70 million users in India that was acquired by Facebook in 2014, updated its policy to share user content with the social network. The decision opened new monetisation models for the messaging app.

In response to a PIL, the court ordered WhatsApp to delete data of users who chose to opt out of its policy changes before September 25. It also orderedWhatsApp not to share data collected before September 25 with Facebook for users who had not opted out.

"The decision makes a strong statement on privacy," said Sunil Abraham, executive director of the Centre for Internet Society. According to him, a user trusts a platform and provides access to his data. As another firm acquires the platform, it gains access to the data.

"Facebook owns Whatsapp. It has to look at ways of monetising it," said Nikhil Pahwa, co-founder of SavetheInternet.in.

"With so much digital data being generated, there is a need for a privacy law in the country," said Pahwa.

"Facebook's consent interface is confusing. It can make a person who wants to opt out let the company access his data," said Abraham, adding a law would take care of such intricacies. The government is working on a privacy bill.

Saroj Kumar Jha, partner, SRGR Law Offices, said there were few judgments on privacy in India based on constitutional rights.

"While the Information Technology Act enables courts to pass judgments on global companies on privacy, enforcing the orders is difficult," he said.

"What is required is a privacy law that can protect user data and uphold the individual's right to privacy," he added.

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-24-apurva-venkat-and-moulishree-srivastava-whasapp-ruling-experts-seek-privacy-law

WhatsApp races against time to fix fake news mess ahead of 2019 general elections

Admin — 2018-07-25T15:27:20Z

On Friday, when WhatsApp announced that it would pilot a ‘five media-based forwards limit’ in India, the government came up with an unequivocal reminder.

The article by Venkat Ananth was published in Economic Times on July 24, 2018. Sunil Abraham was quoted.

“When rumours and fake news get propagated by mischief mongers, the medium used for such propagation cannot evade responsibility and accountability. If they remain mute spectators, they are liable to be treated as abettors and thereafter face consequent legal action,” noted a ministry of electronics and information technology (MeitY) statement.

The statement also said there was a need for bringing in traceability and accountability, “when a provocative/inflammatory message is detected and a request is made by law enforcement agencies.”

Significantly, MeitY took aim at WhatsApp’s core end-to-end encryptionbased product feature and its oft-quoted and reiterated commitment to privacy. It was specific, going beyond the usual “do more” requests.

The stand also poses an interesting dilemma for the messenger service. How can it act while protecting its privacy commitment?

“It is practical ly impossible for WhatsApp to regulate content in the peer-to-peer encrypted environment it is set up in,” says Rahul Matthan, partner, Trilegal. “An encrypted platform is what we want. The government is trying to maintain a strict and difficult balance. The government tends to err on the side of violating civil liberties over offering privacy to innocent users. The WhatsApp case is going in that direction.”

No Longer Low-Key

In India, its largest market, WhatsApp has benefitted from quietly operating in the shadows of its more popular parent, Facebook, growing to a currently active user base of 200 million.

However, in the last six months, while it continues to be perceived as an asset by politicos for outreach and propaganda, WhatsApp is now increasingly being tapped by the bad guys to disseminate deliberate misinformation, rumour mongering and fake news. And not the Donald Trump kind either.

It is leading to loss of lives on the ground, through lynchings, kidnappings and related crimes.

WhatsApp spokesperson Carl Woog says, “The recent acts of violence in India have been heartbreaking and reinforce the need for government, civil society and technology companies to work together to keep people safe.”

“By focusing on solutions to fake news inside our smartphones, we are ignoring a tougher problem that requires several complementary solutions,” says Apar Gupta, a Delhi-based lawyer and cofounder of the Internet Freedom Foundation.

“Let us not forget that a platform is not responsible for policing.”

But the general public and government perception — and, to some extent, concern — remains that WhatsApp has been slow to react to these situations.

To Police or Not to Police

Interestingly, the government and ruling party realise WhatsApp could be pivotal to their fortunes in the next electoral cycle — in the run-up to Elections
2019.

“The government is coming under increased pressure to act on these lynchings, which is why it is taking a shootthe-messenger kind of an approach,” says Matthan. “An unsophisticated government would have advocated a blanket ban on the source. But here, the government, it appears, wants to regulate tech by having access to your device, through an app, in the case of the (telecom regulator) Trai DND app to battle spam.”

This is also why WhatsApp has intensified its outreach efforts. Over the past 10 days, a team of its US and India-based executives have been meeting key stakeholders in Delhi and Mumbai, including the Election Commission, political parties, the Reserve Bank of India, banks and civil society, as ET reported last week.

The team includes public policy manager Ben Supple, senior director, customer operations, Komal Lahiri and WhatsApp India communication manager Pragya Misra Mehrishi. They are now expected to meet key government officials from MeitY from Monday, sources say.

“The intense outreach efforts is essentially linked to WhatsApp wanting to protect its payments play in India,” says a Delhi-based public policy professional, who did not want to be named as he is not authorised to speak to the media.

“It (WhatsApp) is really worried about Google’s efforts with Tez and the gap that will only widen if the government delays grant of permission.”

WhatsApp is stressing some key points while reinforcing the steps it is taking to counter challenges. One, the best practices of using the platform. Two, the need to work together to prevent abuse of WhatsApp, and three, most importantly, to educate people about the best ways of using the platform. WhatsApp was primarily designed for private, oneon-one messaging or group chats among acquaintances, not for mass broadcast, which parties resort to during elections.

WhatsApp says it is working on a warfooting to tackle the problems. It has introduced product changes to counter user behaviour. There’s more control, where a group ‘admin’ can restrict users who can send messages to the group, modify a group icon or edit description, a feature for which it has taken a leaf out of rival Telegram’s book. To counter fake news, it added a ‘forwarded’ label. And now, limited the forwarding to five in India, and 20 in the rest of the markets, a significant reduction from 250 prior to that.

While the impact of these product tweaks is yet to be seen at an individual user level, the larger concern for WhatsApp today is the potential misuse of its platform to manipulate elections, a very real possibility next year.

Tipping Point

The company’s noticeable change of tack comes after it noticed certain trends during the recent Karnataka elections, during which one of its executives spent a week in Bengaluru.

One of the political parties, which a person aware of the developments in WhatsApp declined to name, was using “dozens of accounts to create thousands of groups,” as part of its campaign.

The party, the source says, was adding random numbers (approximately 100) to the group during creation. By random numbers, he meant people who did not know each other, something WhatsApp can identify using the metadata it collects when a user gives it access to its phone book. WhatsApp deems this behaviour ‘organised spamming.’

“These were real people not necessarily known to each other,” says the person quoted above. “A specific account would be added to that group to be made the admin.”

Mostly, this admin was the number used to create these multiple groups or, in WhatsApp terms, the account that was not behaving the way private or group communication happens.

Also, the users would be a mix of fake accounts, which is a major red flag for WhatsApp. “The group starts with some bulk added users and then the real ones get bulk-added,” says the source. WhatsApp deems this practice a violation of its terms of service.

Company sources add that WhatsApp was able to detect these trends and proactively banned these users before they were able to add people. “In some cases, our systems didn’t catch this in time, but we were able to proactively prevent users from receiving such spam. That detection is now internalised and if someone tries to replicate that behaviour anywhere in the world, we will be able to detect them,” says another person familiar with developments at WhatsApp.

According to several media reports, the BJP and the Congress too created over 30,000 groups for campaigning and organising efforts. To counter organised political spamming, WhatsApp has now begun using machine learning tools. WhatsApp can trace the last few messages in a group and block it entirely from the platform. At the detection level, WhatsApp checks for familiarity. “Do the persons know each other, or have they interacted before?” through metadata it possesses through phone numbers.

The second person quoted in the story says the company now focuses its detection “upstream,” that is, catching the user at the registration stage. “When you register on WhatsApp and immediately create a group, questions asked are, ‘Does this behaviour look like what a regular user does? Or does it look like users who have misused it in the past?’” he says.

WhatsApp, sources tell ET, is also using machine learning to detect sequential numbers that could be used to create these groups. “If they go and buy a phone number, they go to one carrier and its mostly sequential. If we notice 100 numbers with the same prefix have signed up, nearly 80 get automatically banned. What we do is feed these sequences, permutations and combinations to detect good/bad users,” the person quoted above says. “It learns millions of these combination signals on behaviour and help us make a decision.”

Civil Society as a Key Layer

WhatsApp also sees an enabling role for civil society, especially for digital literacy. Its team has currently met seven non-governmental organisations, including digital literacy groups and others involved in the area of financial inclusion. This is part of its public policy efforts while also solidifying its payments play.

“The level of responsibility for a platform is to not consciously cause — and, in fact, to take active measures to prevent — social harm,” says Gupta of IFF. “It has to be done without injury to end-to-end encryption, which offers safety and privacy to users.

Many products and product strategies can be adopted — from increasing media diversity on the platform to promoting auditing features that rely on partnerships with fact-checking organisations. We must demand accountability but resist the rhetorical attraction of technophobia.”

As ET has reported, WhatsApp will adapt a fact-checking model, Verificado 2018, deployed during the recent Mexican presidential elections. Verificado proactively debunked fake news and misinformation on the platform. “The rumours were found to be very similar to India.

Verificado was specifically focused on misinformation from candidates,” says the first person quoted in the story. “Plus, it helped effectively tackle misinformation during an earthquake in Mexico.”

For WhatsApp, one of the key learnings from the Mexico elections was that it could look at the spam reports and categorise them as politics-related. The company, unsurprisingly, saw an increase in political spam in the buildup to election day.

“They realised Verificado assists users to get help within the app. But it also aids news organisations, political parties, the government and users,” adds the person. The company is undertaking a similar exercise in Brazil, where 24 media outlets have come together under the Comprova initiative to fact-check viral content and rumours on WhatsApp.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society believes WhatsApp can further tweak its product to enable real-time checks. “They can enable a ‘fact check this’ button for users to upload content to a fact-checking database. If the content has already been fact-checked, the score can be displayed immediately. Alternatively, the fact-checking service can return the score at a later date,” he explains.

For more details visit https://cis-india.org/internet-governance/news/economic-times-venkat-ananth-july-24-2018-whatsapp-races-against-time-to-fix-fake-news-mess-ahead-of-2019-general-elections

What’s up with WhatsApp?

Aayush Rathi and Sunil Abraham — 2018-04-23T16:45:51Z

In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing?

The article by Aayush Rathi and Sunil Abraham was published in Asia Times on April 20, 2018.

Back in April 2016, when WhatsApp Inc announced it was rolling out end-to-end encryption (E2EE) for its billion-plus strong user base as a default setting, the messaging behemoth signaled to its users it was at the forefront of providing technological solutions to protect privacy.

Emphasized in the security white paper explaining the implementation of the technology is the encryption of both forms of communication – one-to-one and group and also of all types of messages shared within such communications – text as well as media.

Simply put, all communication taking place over WhatsApp would be decipherable only to the sender and recipient – it would be virtual gibberish even to WhatsApp.

This announcement came in the backdrop of Apple locking horns with the FBI after being asked to provide a backdoor to unlock the San Bernardino mass shooter’s iPhone. This further reinforced WhatsApp Inc’s stand on the ensuing debate between the interplay of privacy and security in the digital age.

Kudos to WhatsApp, for there is growing discussion around how encryption and anonymity is central to enabling secure online communication which in turn is integral to essential human rights such as those of freedom of opinion and expression.

WhatsApp may have taken encryption to the masses, but here we outline why WhatsApp’s provisioning of privacy and security measures needs a more granular analysis – is the company doing what it claims to be doing? Security issues with WhatsApp’s messaging protocol certainly are not new.

Man-in-the-middle attacks

A study published by a group of German researchers from Ruhr University highlighted issues with WhatsApp’s implementation of its E2EE protocol to group communications. Another paper points out how WhatsApp’s session establishment strategy itself could be problematic and potentially be targeted for what are called man-in-the-middle (MITM) attacks.

An MITM attack takes the form of a malicious actor, as the term suggests, placing itself between the communicating parties to eavesdrop or impersonate. The Electronic Frontier Foundation also highlighted other security vulnerabilities, or trade-offs, depending upon ideological inclinations, with respect to WhatsApp allowing for storage of unencrypted backups, issues with WhatsApp’s web client and also with its approach to cryptographic key change notifications.

Much has been written questioning WhatsApp’s shifting approach to ensuring privacy too. Quoting straight from WhatsApp’s Privacy Policy: “We joined the Facebook family of companies in 2014. As part of the Facebook family of companies, WhatsApp receives information from, and shares information with, this family of companies.” Speaking of Facebook …

Culling out larger issues with WhatsApp’s privacy policies is not the intention here. What we specifically seek to explore is right at the nexus of WhatsApp’s security and privacy provisioning clashing with its marketing strategy: the storage of data on WhatsApp’s servers, or ‘blobs,’ as they are referred to in the technical paper. Facebook’s rather. In WhatsApp’s words: “Once your messages (including your chats, photos, videos, voice messages, files and share location information) are delivered, they are deleted from our servers. Your messages are stored on your own device.”

In fact, this non-storage of data on their ‘blobs’ is emphasizes at several other points on the official website. Let us call this the deletion-upon-delivery model.

A simple experiment

While drawing up a rigorous proof of concept, made near-impossible thanks to WhatsApp being a closed source messaging protocol, a simple experiment is enough to raise some very pertinent questions about WhatsApp’s outlined deletion-upon-delivery model. It should, however, be mentioned that the Signal Protocol developed by Open Whisper Systems and pivotal in WhatsApp’s rolling out of E2EE is open source. Here is how the experiment proceeds:

Rick sends Morty an attachment.

Morty then switches off the data on her mobile device.

Rick downloads the attachment, an image.

Subsequently, Rick deletes the image from his mobile device’s internal storage.

Rick then logs into a WhatsApp’s web client on his browser. (Prior to this experiment, both Rick and Morty had logged out from all instances of the web client)

Upon a fresh log-in to the web client and opening the chat with Morty, the option to download the image is available to Rick.

The experiment concludes with bewilderment at WhatsApp’s claim of deletion-upon-delivery as outlined earlier. The only place from which Morty could have downloaded the image would be from Facebook’s ‘blobs.’ The attachment could not have been retrieved from Morty’s mobile device as it had no way of sending data and neither from Rick’s mobile device as it no longer existed in the device’s storage.

As per the Privacy Policy, the data is stored on the ‘blobs’ for a period of 30 days after transmission of a message only when it can’t be delivered to the recipient. Upon delivery, the deletion-upon-delivery model is supposed to kick in.

Another straightforward experiment that leads to a similar conclusion is seeing the difference in time taken for a large attachment to be forwarded as opposed to when the same large attachment is uploaded. Forwarding is palpably quicker than uploading afresh: non-storage of attachments on the ‘blob’ would entail that the same amount should be taken for both.

The plot thickens. WhatsApp’s Privacy Policy goes on to state: “To improve performance and deliver media messages more efficiently, such as when many people are sharing a popular photo or video, we may retain that content on our servers for a longer period of time.” The technical paper offers no help in understanding how WhatsApp systems assess frequently shared encrypted media messages without decrypting it at its end.

A possible explanation could be the usage of metadata by WhatsApp, which it discloses in its Privacy Policy while simultaneously being sufficiently vague about the specifics of it. That WhatsApp may be capable of reading encrypted communication through the inclusion of a backdoor bodes well for law enforcement, but not so much for unsuspecting users.

The weakest link in the chain

Concerns about backdoors in WhatsApp’s product have led the French government to start developing their own encrypted messaging service. This will be built using Matrix – an open protocol designed for real-time communication. Indeed, the Privacy Policy lays out that the company “may collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary to respond pursuant to applicable law or regulations, to legal process, or to government requests.”

The Signal Protocol is the undisputed gold standard of E2EE implementations. It is the integration with the surrounding functionality that WhatsApp offers which leads to vulnerabilities. After all, a chain is only as strong as its weakest link. Assuming that the attachments stored on the ‘blobs’ are in encrypted form, indecipherable to all but the intended recipients, this does not pose a privacy risk for the users from a technological point of view.

However, it is easy lose sight of the fact that the Privacy Policy is a legally binding document and it specifically states that messages are not stored on the ‘blobs’ as a matter of routine. As a side note, WhatsApp’s Privacy Policy and Terms of Service are refreshing in their readability and lack of legalese.

As we were putting the final touches to this piece, news from WABetaInfo, a well-reputed source of information on WhatsApp features, has broken that newer updates of WhatsApp for Android are permitting users to re-download media deleted up to three months back. WhatsApp cannot possibly achieve this without storing the media in the ‘blobs,’ or in other words, in violation of its Privacy Policy.

As the aphorism goes: “When the service is free, you are the product.”

For more details visit https://cis-india.org/internet-governance/blog/asia-times-april-20-2018-aayush-rathi-sunil-abraham-what-s-up-with-whatsapp

What’s In a Name? — DNS Singularity of ICANN and The Gold Rush

sharath — 2013-03-31T05:35:33Z

March 2013 being the 28th birthday of the first ever registered Internet domain as well as the exigent launch of the Trademark Clearing House disguised as a milestone in rights protection by the Internet Corporation for Assigned Names and Numbers (ICANN) for it’s new gTLD program, Sharath Chandra Ram, dissects the transitory role of ICANN from being a technical outfit to the Boardroom Big Brother of Internet Governance.

Click to read more about the Trademark Clearing House.

As a non-profit organization, established in agreement with the US Department of Commerce in 1998, the current arrangement of ICANN has come under serious questions in recent years, with the United Nations wanting the ITU to oversee Internet Governance while Europe seeking more public participation in the decision making process that currently comprises a majority of private stakeholders as ICANN board members with vested interests. In this post we shall look at a few instances that give room for thought about the regulatory powers and methods adopted by ICANN as well as reparatory measures taken to reaffirm it’s image as an able governing body amidst disputes over trademarks and fair competition that might actually call for a wider and objective inclusion in future. An outline of functional and structural arrangements of ICANN maybe found at the CIS Knowledge Repository page.

The Business Model

Earlier this month, (March 15, 2013) was the 28^th birthday of symbolics.com, the first ever domain name registered in 1985 through the formal ICANN process. (nordu.net being the first domain name created by the registry on January 1, 1985 for the first root server, nic.nordu.net) Symbolics, that spun-off the MIT AI Lab and specialized in building workstations running LISP finally sold the domain for an undisclosed amount to XY.com, an Internet investment firm that has been proudly boasting about their acquired relic for over three years now. The golden days of fancy one word domain name resale at exorbitant prices are over, as Google’s page ranking crawler now really looks at unique content and backlinks. Nevertheless, those with the same archaic view of a real estate agent still believe that a good domain name does have a high ROI and have managed to find naïve takers who will offer ridiculous amounts. One of many such examples is the plain looking www.business.com that was bought initially for $1,50,000 and changed hands twice from $7.5 million to an absurd $345 million of R.H. Donnelley Inc., that soon filed for bankruptcy!

The top level domain market however, is consistently lucrative. A TLD registry on an average receives $5 - $7 per domain registered under it. So the .COM registry run by VeriSign which, as of 2013 has over a 100 million registered domains, receives a revenue of $500 to $700 million per year of which a fraction is paid to ICANN periodically on a per-registration or per-renewal basis. Competing registrars and registries across TLDs, their revenue generation practices as well as the application process for new TLDs gradually began to be regulated by ICANN in mysterious ways, as we will see in the following legal case studies.

VeriSign vs. ICANN

VeriSign began to operate the .COM and .NET TLD after taking over Network Solutions Inc. and entering into a contractual agreement with ICANN in 2001. Let’s take a look at some methods used by VeriSign to garner internet traffic and registrant revenue, that were clamped down by the ICANN, which resulted in a lawsuit by plaintiff VeriSign claiming prevention of fair competition and revenue by impeding innovation.

Clamping of Site Finder & WLS: In September 2003, VeriSign introduced a Wild Card DNS Service called Site Finder for all .com and .net domains. This meant that any user trying to access a non-existent domain name no longer received the 404 Error but were instead redirected to the VeriSign website with adverts and links to affiliate registrars. Often a result of a misspelled domain, in ICANN’s view, the redirection by VeriSign amounted to typo squatting internet users as within a month VeriSign’s traffic rose dramatically moving it to the top 20 most visited websites on the web. As seen below in this archived image of Alexa’s 2003 traffic statistic (Courtesy: cyber.law.harvard.edu).

Shortly, in October 2003, ICANN issued a suspension ultimatum pointing Site Finder in violation of the 2001 .Com agreement. This was not the first time ICANN clamped down on VeriSign’s ‘profiteering’ methods. In 2001, ICANN prevented VeriSign’s WLS (Wait Listing Service) that allowed a registrant (through selected participating affiliate registrars of VeriSign) to apply to register an already registered domain in the event that the registration is deleted – a nifty scheme considering the fact that about 25000 domains are deleted everyday!

Remarks and Submissions

The long drawn case of VeriSign Vs. ICANN ended on a reconciliatory note, with ICANN bringing the Site Finder service to a halt at the cost of VeriSign walking away happier with a free 5 year extension on the .COM domain (2007 extended to 2012).

While the ingenious Site Finder service did pose a huge problem to spam filters, both the WLS and yet another service that VeriSign launched to allow registration of non-English language SLDs were also met with a cringe by ICANN.

However looking closer, one may realize that the act of ICANN permitting a DNS root redirect service such as Site Finder for all TLD operators (with an acceptable template that also carried information about the 404 error besides other marketing options) meant the first step towards paving the way towards a plausible scenario of multiple competing DNS roots across TLDs being able to interact with each other — a system often argued by network theorists to be the most efficient and competitive model that would reduce the disjoint between the demand and supply of TLDs in a decentralized infrastructure, and that definitely was not in the best interest of ICANN’s monopolistic plan. Hence, this could be seen as a move by ICANN to nip the Site Finder bud while still young.

Finally, as brought to public notice in more than one instance (name.Space Vs. ICANN, IOD Vs. ICANN), the vested interests of ICANN board members has come under glaring light. Can the ICANN leadership consisting of members from the very same domain name business industry be able to objectively deal with competing registry services and legal issues? Conspicuous targets have been chairperson Steve Crocker who owns a consulting firm Shinkuro, whose subtle investor is infact AFILIAS INC which runs the .INFO and .MOBI TLDs, provides backend services to numerous TLDs (.ORG, .ASIA, .AERO (aviation)), has applied for a further 31 new TLDs and has it’s CTO Ram Mohan on the Board of Directors of ICANN. Also ICANN Vice Chariman, Bruce Tonkin is Senior Executive at Australia’s largest domain name provider Melbourne IT, and Peter Thrush former chairman of the ICANN Board of Directors is Executive Chairman of Top Level Domain Holdings,Inc which filed 92 gTLD applications in 2012.

Trademark Protection and Domain Names

Image Online Design (IOD) is a company that since 1996 has been providing Internet registry services using the trademark .WEB (trademark #3,177,334 including computer accessories) registered with the US Patents and Trademarks Office (USPTO).

It’s registry services however, were not through the primary DNS root server maintained by ICANN, but through an alternate DNS root that required prospective users to manually make changes in their browser settings in order to resolve .WEB domains registered through IOD. Despite not running the primary DNS root server for. WEB, by the year 2000 IOD had acquired about 20,000 registered .WEB customers.

The beacon of ‘hope’ arrived upon IOD in mid-2000 as ICANN (on advise of supporting organization GNSO) opened a call for proposals for registrations of new TLDs, with a non-refundable deposit of $50,000 for an application to be considered. By then the importance of the .WEB TLD for e-commerce was well known amongst ICANN board members with Louis Touton lobbying for his preferred applicant AFILIAS INC to be given the .WEB TLD, with others raising concerns about IOD’s preregistration of .WEB domains. One of the founding fathers of the internet, Vinton Cerf, the then Chairman of ICANN took a benevolent stance-- "I'm still interested in IOD," he repeated over Touton's objections. "They've worked with .WEB for some time. To assign that to someone else given that they're actually functioning makes me uneasy," he said, prompting board member Linda Wilson to chime in, "I agree with Vint." (http://goo.gl/d1v6X , http://goo.gl/eV9Jd).

Finally amidst all the contention, no one was offered the .WEB domain and ICANN announced that all applications not selected will remain pending and those who submitted will have the option of being re-considered when additional TLD selections are made in future. And the future being, 2012, when ICANN invited a new round of TLD applicants, this time with the non-refundable deposit of whopping $185,000 for a single application (1 TLD/application as opposed to the $50,000 in the year 2000 that allowed multiple TLD requests within the same application) to be considered. While 7 new applicants for the .WEB TLD registered their interest, IOD considered their application to be still pending and did not join the new pool that included AFILIAS INC. and GOOGLE.

The litigation of IOD Vs ICANN ended in Feb 2013, with IOD claiming weak causes of action under “Trademark Infringement” and “Breach of Contract” &“Fair Dealing” hinging on the fact that the initial $50,000 application was still pending and never was officially rejected by ICANN. Further, there was not enough room to make a valid trademark infringement, as there was no substantial room for consumer confusion in the .WEB case.

Remarks and Submissions

The IOD Vs. ICANN case not only increased concerns globally, over the uncertainty associated with the ICANN application process for generic TLDs along with questions regarding the objectivity of its board members, but at the same time has alerted ICANN to take the necessary big sister steps to ensure that it’s well in the game.

The fact of the matter is that the USPTO does not provide trademark protection services for the Top level Domain industry citing the reason that TLDs trademarks do not provide a distinct service mark that can identify or differentiate the service of an applicant from others, and further cannot be used to ascertain the source of an applicant’s services. This view is flawed, as by looking at a TLD, say BBC.com, an informed person can easily say that VeriSign INC manages the service of directing a user to a correct location on the .COM registry. With introduction of new gTLDs, perhaps BBC would shift it’s content to BBC.news, where the source may be an abstracted Registrar and the nature of service being quite evident. And to those registered trademarks, especially those that shall result in substantial brand confusion to the customer if infringed, granting a TLD like .ibm or .bbc may well be granted to the owner of the trademark who may then outsource registry services to a service provider. This shall invert the current model by relegating the role of a TLD registry holder to that of a contracted service provider.

So the question is, should have the US Department of Commerce, who contracted ICANN in the first place, mediated with USPTO to place the business of a registrar on par with other trades and businesses, and modify it’s trademark infringement policies? And more importantly, will ICANN view this as introducing yet another key stakeholder to the gTLD assignment process?

The answer to the latter is already clear as ICANN being in the top of it’s game decided to take matters into its own hands and on March 26, 2013) launched http://trademark-clearinghouse.com/ with a new set of guidelines for accepted trademarks and a mechanism that allows trademark holders to submit their application to a central repository.

Accepted trademark holders shall be given priority to register gTLDs during the ‘sunrise’ period. Deloitte Enterprise Risk Services have been assigned the responsibility of evaluating submitted trademarks while IBM shall maintain the actual database of trademarks by the later half of 2013.

The tip of the iceberg is well in scope of view. ICANN46 is currently being hosted in Beijing, at the China Internet Network Information Centre (CINIC) from April 7 to 11, 2013 while hopefully parallel discussions will happen on all other global forums to hopefully re-consider a future of multiple competing DNS root servers towards healthy competition that is decentralized.

Key References

http://www.icann.org/en/news/litigation
http://cyber.law.harvard.edu/tlds/
Lynn, S. [2001] “Discussion Draft: A Unique, Authoritative Root for the DNS” Internet Corporation for Assigned Names and Numbers, 28 May, 2001.
Internet Architecture Board [2000] “IAB Technical Comment on the Unique DNS Root.” RFC 2826, Internet Society, May 2000.

For more details visit https://cis-india.org/internet-governance/blog/dns-singularity-of-icann-and-the-gold-rush

What’s Hard To Digest About The Zomato Hacking

praskrishna — 2017-05-19T09:22:37Z

Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead. it’s Zomato, the popular Indian online food delivery and restaurant search service.

The blog post by Aayush Ailawadi was published by Bloomberg Quint on May 19, 2017. Pranesh Prakash was quoted.

The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in its blog that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.

Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. In an earlier post, it only recommended changing one’s password on other sites if you are “paranoid about security like us”. Later, that post mentioned that the passwords were “salted” and hence had an extra layer of security but it still “strongly advises” customers to change passwords.

In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information”

But, that wasn’t the only problem. The data was put up on the dark web for sale by the hacker, and the seller was apparently charging 0.5521 bitcoins, or $1001.45, for the data. According to the post, the passwords were stored by Zomato using MD5 encryption, which according to security experts is antiquated and unsuitable for password encryption.

Late on Thursday night, the story took an interesting turn when the company updated its blog post yet again. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that apparently the hacker had been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.

Usually, when hackers around the world attack with ransomware, they demand a massive amount of bitcoins as ransom. But, in this case the company claims that all the hacker wants is the assurance that the company will introduce a bug bounty program on Hackerone soon. In return, the hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.

But, while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that a lot more could have been done by the company in such a case.

Disclose To Confuse?

Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately request customers to change similar passwords on other websites.

What’s So Scary About The Zomato Hacking?

Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were encrypted with “MD5”, a hashing algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe was used by the company. But, the tech company didn’t respond to that specific question.

What’s worse is that Prakash adds that not only is this algorithm antiquated but it is also highly unsuitable for password encryption, as it can be cracked quickly.

Genuine Disclosures Vs False Promises

Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.

Where’s My Privacy And Security?

Concern #4: According to Prakash, it’s not just about privacy, but also one’s security that has been compromised in this instance. He says that the Zomato hack is like a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law where bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.

Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”

For more details visit https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking

What You Need To Worry About Before Linking Your Mobile Number With Aadhaar

Admin — 2017-11-26T05:55:49Z

As part of the directive issued by the Department of Telecommunications (DoT) dated March 23, 2017, major telecom service providers have issued a deadline of February 6, 2018, for linking mobile numbers with Aadhaar as part of the E-KYC verification.

The blog post by Roopa Raju and Shekhar Rai was published in Youth Ki Awaaz on November 8, 2017

The landmark case referenced by the DoT in the circular was the order issued by the Supreme Court on February 6, 2017, delivered by Justice JS Khehar (the erstwhile Chief Justice of India) in the case of Lokniti Foundation vs Union of India. The petitioner contended that terrorists, criminals and anti-social elements frequently used SIM cards to commit atrocious, organised and unorganised crimes across the country. The petition called for ensuring 100% verification on the identity of telecom service subscribers in public interest under Article 32 of the Constitution of India. The PIL added that unverified SIM cards pose a serious threat to the country’s security as they are routinely used in criminal and terrorist activities, thereby affecting a citizen’s right (as ensured under Article 21 of the Constitution). As per the CAG report tabled at the Parliament in 2014, the identities of 4.59 crore mobile users still remained unverified.

Article 21 of the Constitution of India, 1949, states that – “No person shall be deprived of his life or personal liberty except according to procedure established by law.” While there is a threat to the common public interest through increased acts of terrorism and atrocities due to unverified SIM cards, the safety of information provided and linked to Aadhaar are increasingly being questioned.

In a study dated May 1, 2017, published by the Centre for Internet and Society (CIS), a Bangalore-based organisation, it was observed that data of over 130 million Aadhaar card-holders were leaked from just four government portals dealing with the National Social Assistance programme, the National Rural Employment Guarantee Scheme, the Chandranna Bima Scheme and the Daily Online Payment Reports of NREGA.

On October 25, 2017, the chief minister of West Bengal, Mamata Banerjee, also strongly opposed the government’s plan to link mobile numbers with Aadhaar cards. She said that it was a breach of privacy and that the ruling government was intruding upon the citizen’s right to personal freedom. However, the Supreme Court questioned the state government’s right to challenge the Centre and asked her to file a plea with the court in her individual capacity.

As per the data published by Telecom Regulatory Authority of India (TRAI) on September 14, 2017, India’s telecom subscriber base dipped by 1.3 lakh to 121.07 crore in July 2017. Moreover, only three operators – Reliance Jio, Bharti Airtel and the state-run BSNL – reported additions to their subscriber base.

Month	Telephone subscriber base (in million)	Growth rate
Mar-17	1194.58	–
Apr-17	1198.89	0.36%
May-17	1204.98	0.51%
Jun-17	1210.84	0.49%
Jul-17	1210.71	-0.01%

(Source: TRAI monthly subscription data)

The dip in the subscriber count for various telecom operators can be accredited to the phasing of registration of SIM cards through E-KYC for new mobile numbers. While there is a the possibility of addition of genuine subscribers in the following months, the direct subscriber acquisition cost (DSAC) has been significantly reduced owing to the overall reduction in subscriber addition (assuming exclusion of sunk cost).

Prior to the DoT directive, telecom service providers relied heavily on the documents provided by the subscribers for SIM registration. The two-fold impact of this was the delay in SIM activation, owing to the transfer of documents from the retailer to the distributor to the company and the possibility of documents not matching with the usage timeline of usage. Additionally, tracking the ever-changing retailers was difficult for the service providers – and with the subscriber documents being collected and stored at one location by the service providers, verification of dummy subscribers was difficult.

With the introduction of Aadhaar linkage for mobile numbers, subscribers are held accountable for its usage, thereby tagging responsibility for any acts arising as a result. Savings from the digitisation of documents and paper should also be considered.

However, an increased number of job losses is possible, owing to the ‘optimisation’ of the process by way of document verification, servicing costs and reliance on third parties (to name just a few). Increased compliance costs are also an issue of concern.

The key question that looms prominently with the approaching deadline is how secure public data will be, given that it may possibly be linked with bank account numbers and income tax returns. With retailers using fingerprints of the subscribers to validate Aadhaar numbers with the mobile numbers at the time of SIM registration, there is an increased risk of exposure to identity theft.

While the government is increasingly trying to bring in a seamless process to assimilate data for transparency in analysing consumer patterns, it is suggested that they also allocate funds for enhancing the cyber-security of the data consolidated from this directive. Furthermore, cyber security regulations can be strengthened to avoid data leakages to third party organisations. Severe penalties should also be implemented to ensure robust compliance to these measures.

For more details visit https://cis-india.org/internet-governance/news/youth-ki-awaaz-roopa-sudarshan-what-you-need-to-worry-about-before-linking-your-mobile-number-with-aadhaar

What the government's draft IT intermediary guidelines say

Admin — 2019-02-13T00:31:29Z

Intermediaries will have to hand over to government agencies any information within 72 hours. Intermediaries will have to use automated tools to trace the person posting unlawful content.

The article by Abhijit Ahaskar was published in Livemint on February 12, 2019. CIS research was quoted.

With voices for regulating tech companies getting stronger in the wake of growing incidence of fake news being circulated through social media platforms, the Ministry of Electronics and Information Technology (MEITY) of India has decided to re-examine the Information Technology (IT) Intermediary Guidelines, 2011, under the IT Act, 2000.

Setting the wheel in motion, the ministry proposed a draft called Information Technology Intermediaries Guidelines (Amendment), 2018, and released the recommendations on its website for public comments in December 2018. The first round of comments ended on 31 January, 2019 and was made public last week. The second round of comments and counter-comments will close on 14 February, 2019.

What the draft proposes

The term intermediary refers to all tech companies that are hosting user data or are providing users with a platform for communication. This brings all internet, social media, telecom companies in its ambit.

The draft amendment proposes that intermediaries will have to hand over to governmentagencies any information that might be related to cyber security, national security and related with the investigation, prosecution or prevention of an offence, within 72 hours.

They will have to take down or disable content considered defamatory or against national security under Article 19 (2) of the Constitution within 24 hours on being notified by the appropriate government or its agency in addition to using automated tools to identify, remove and trace the origin of such content. Intermediaries with over 55 lakh users will be required to have a permanent registered office with physical address and a senior official who would be available for coordination with law enforcement agencies.

Concerns over the draft guidelines

Microsoft notes that the problem MEITY is trying to address is of fake news. “Existing regulations provide enough powers to work with social media platforms. There may be a case to bring out additional guidelines for certain types of intermediaries like social media platforms. There may also be a case to strengthen other laws which make the punishment of fake news and misuse of social media stringent. The focus should be on the perpetrators of the crime rather than the intermediaries," it has said in response to the guidelines. Regarding deployment of tools to proactively identify and remove unlawful content, Microsoft cautions that intermediaries will have to monitor all content passing through their systems for this, which is a violation of their individual privacy and right to freedom of expression. It will also be technically impractical due to the high cost of deploying such tech.

According to Broadband India Forum, one of the grounds for the Supreme Court striking down Section 66A of the IT Act, 2000, in Shreya Singhal vs Union of India was the vagueness of the terms used in the provision, such as offensive, menacing and dangerous, which invaded the right of free speech. However, words with a similar level of vagueness, such as grossly harmful, harassing and hateful exist in the proposed draft.

The Centre for Internet and Society (CIS) pointed out that existing laws provide enough teeth to the Indian agencies to act. For instance, Section 505 of the IPC has provisions to penalise disinformation while Sections 290 and 153A of the IPC have provisions if the disinformation is being used to create communal strife. CIS has also flagged the scope of the term unlawful as it is not clearly defined, leaving room for broad interpretation. On the traceability clause, CIS draws attention to the lack of clarity on whether it applies on just social media platforms and messaging services or all intermediaries.

This can be a bit of problem for ISPs which may have no access to contents of an encrypted communication sent and received on its network.

Threat to privacy

The traceability clause, which requires intermediaries to use automated tools to trace the person posting unlawful content, came in for a lot of criticism. While the Ministry in an official tweet in January 2018 clarified that it only requires intermediaries to trace the origin of messages which lead to unlawful activities without breaking encryption, experts believe it isn’t possible without lowering encryption standards or building a backdoor to access encrypted communications.

Amnesty International slammed the clause, arguing, “While governments can legitimately use electronic surveillance to protect people from crime, forcing companies to weaken encryption will affect all users’ online privacy. Such measures would be inherently disproportionate, and therefore impermissible under international human rights law."

Wipro in its response rues such a traceability requirement could lead to breaking of encryption on apps such as WhatsApp and Signal, and this will be a major threat to the privacy rights of citizens as enshrined in the Puttaswamy judgment of the Supreme Court.

Undue burden on small companies

Commenting on the 72 hours timeline for furnishing user data, the Internet Freedom Foundation says that such short deadline for compliance can only be fulfilled by large social media platforms. This might make smaller companies over compliant to government demands for immunity resulting in a total disregard for user privacy.

Regarding taking down of unlawful content, technology policy researchers form National Institute of Public Finance & Policy (NIPFP) caution that overzealous implementation along with over reliance on technological tools for the detection of unlawful content would lead to the curtailment of online speech. They pointed out the instance where Facebook had removed posts documenting the ethnic cleansing of Rohingyas as it had classified Rohingya organisations as dangerous militant groups.

For more details visit https://cis-india.org/internet-governance/news/livemint-abhijit-ahaskar-february-12-2019-what-the-governments-draft-it-intermediary-guidelines-say

What the experts said on live chat

praskrishna — 2015-03-26T02:35:49Z

Three eminent panellists shared their views and answered questions from readers on the Supreme Court verdict striking down Section 66 A of the IT Act that allowed the arrest of people posting “offensive content” on the Internet, in a live chat hosted by The Hindu.

The article was published in the Hindu on March 25, 2015. Geetha Hariharan was one of the panelists.

Does this now mean anything goes on the Internet, asked one reader.

“No, the standard penal laws — against defamation, hate speech (S. 153A), religious incitement (S. 295A) — continue to apply,” said Gautam Bhatia, a practicing lawyer and author of forthcoming book “Offend, shock or disturb: Free Speech under the Constitution.” The argument that the Internet needed separate rules when it came to the content of speech was what was rejected by the Court, he said.

What was the rationale for the Court upholding Section 69 A, allowing the blocking of websites, asked another.

“One wishes that the court had paid as much attention to the blocking orders as they did to 66A,” said Lawrence Liang, lawyer and researcher at Alternative Law Forum working on free speech.

Geetha Hariharan, a Programme Officer at Centre for Internet and Society, focusing on Internet governance and freedom of expression, was the third expert on the panel.

Click here to read the full transcript of the chat

For more details visit https://cis-india.org/internet-governance/news/the-hindu-march-25-2015-what-the-experts-said-on-live-chat