We are anonymous, we are legion

PMO’s no to smart cards, insists on Aadhaar

praskrishna — 2016-04-20T02:19:18Z

The government has decided to stop issuing new smart cards to beneficiaries of government schemes as Aadhaar is now backed by a law.

The article by Somesh Jha was published in the Hindu on April 10, 2016. Sunil Abraham was quoted.

The Prime Minister’s Office (PMO) has issued strict instructions to the Information Technology Ministry to ensure that States and the Central governmentstop issuing smart cards for new programmes for beneficiaries, and to rely on the Aadhaar-based Direct Benefit Transfer platform instead.

The move will impact ministries such as Labour, Social Justice and Health, which are in the process or have already rolled out smart cards.

The government had said earlier that over 100 crore people, constituting 93 per cent of the adult population, had a unique identification (UID) number under the Aadhaar platform.

“The undersigned is directed to request the department to examine the need for state and central government departments to issue separate smart cards in the light of the near universal coverage of Aadhaar and the delivery of the most public welfare benefits through Aadhaar enabled platforms,” according to a directive issued by Gulzar N, Director, PMO, to Aruna Sharma, Secretary, Department of Electronics and Information Technology.

“The undersigned is also directed to request the department to prepare policy on the delivery of various public services using Aadhaar, Jan Dhan Yojana and existing platforms without the issuance of new smart cards.”

Last month, Union Minister for Social Justice and Empowerment Thaawar Chand Gehlot had announced that all differently abled persons would soon get a unique identity card to avail welfare schemes. .

State governments had also planned to use smart card technology for welfare schemes. For instance, Odisha was mulling smart cards for construction workers in the State.

The PMO sent a separate communiqué to Labour Secretary Shankar Aggarwal in the context of a proposal to issue 40 crore smart cards to informal sector workers, called the Unorganised Workers’ Identification Number (U-WIN). The UWIN cards were to be used by these workers to access benefits under schemes such as Rashtriya Swasthya Bima Yojana , Aam Aadmi Bima Yojana , Atal Pension Yojana, Pradhan Mantri Suraksha Bima Yojana and Jeevan Jyoti Bima Yojana.

The PMO rejected the proposal noting that Aadhaar would act as a “universal unique identifier for each citizen.”

“Adding a UWIN number would not only duplicate work, but also introduce further problems in linking up with other databases which have already been linked with Aadhaar,” said the missive reviewed by The Hindu.

However, experts are sceptical of the government’s move.

“Smart cards are always better than biometrics. If that was not the case, the global financial infrastructure today will be working on biometrics and not on smart cards,” said Sunil Abraham, executive director of The Centre for Internet and Society.

“Why are these banks working on smart cards? Smart cards work using cryptography, which is more fool-proof than biometrics. Biometrics allow for remote, covert and non-consensual identification,” Mr. Abraham said.

Smart card vendors, however, said the move may not impact their market. “The demand for smart cards is massive in all the other segments such as for use in debit and credit cards or driving licenses and vehicle registration numbers,” said Deven Mehta, managing director of the Mumbai-based Smart Card IT Solutions.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-april-10-2016-somesh-jha-pmo-no-to-smart-cards-insists-aadhaar

The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System

sumandro — 2016-04-19T13:18:42Z

Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.

Originally published in and cross-posted from The Wire.

Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education has completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot is indeed a learned one now.

The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.

The Aadhaar number has been recently offered as the ‘last chance’ for the ailing welfare system – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.

Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.

We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travel around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.

Secondly, authentication of welfare recipients by Aadhaar number neither make the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging ‘unrest at the ration shop’ across Rajasthan, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having or having Aadhaar number with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.

RTI activists at the Satark Nagrik Sangathan have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).

Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, may only take care of one form of corruption: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.

Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin but surely not end with internal data management procedures and responsibilities of the UIDAI.

On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and has allowed for sharing of all data except core biometrics (fingerprints and iris scan) with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.

On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transaction to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not at all by security agencies only.

When it becomes publicly acceptable that the money bill route was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’, one cannot not wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: welfare is the message, surveillance is the medium.

Acceptance and adoption of all medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with none or limited access to internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook own and control the medium, and makes money out of all content, including interactions, passing through it.

The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services do not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.

Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.

For more details visit https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system

Why is the UIDAI cracking down on individuals that hoard Aadhaar data?

praskrishna — 2016-04-17T16:16:26Z

Private firms' offer to print Aadhaar details on plastic card a breach of law.

The article by Alnoor Peermohamed was published by Business Standard on April 13, 2016. Sunil Abraham was quoted.

The billion-strong citizen identification system, Aadhaar, has given rise to businesses keen on illegal harnessing of this private data, say the authorities.

Outfits are offering services to print the Aadhaar details on plastic cards, something the Union information technology ministry warned against on Monday. These entities charge anywhere between Rs 50 and Rs 600, and are listed on e-commerce websites, apart from own online presence.

Under the Aadhaar law, collecting and storing of the data by private companies without the user’s consent is a crime. Monday’s warning from the ministry to e-commerce marketplaces such as Amazon, Flipkart and eBay to disallow merchants from collecting and printing such details was a result of this.

This newspaper could not find any listings of Aadhaar printing services on Flipkart but there was one on Amazon (taken down) and no less than five such listings on eBay.

PrintMyAadhaar is one of the more well organised outfits operating in this space. “Get your E-Aadhaar printed on a PVC card for easier handling,” reads their website. Users are prompted to fill their Aadhaar details on the website, pay Rs 50 and have the card sent to their houses. PrintMyAadhaar even offers discounts for bulk orders.

“Collecting such information or unauthorised printing of an Aadhaar card or aiding such persons in any manner may amount to a criminal offence, punishable with imprisonment under the Indian Penal Code and also Chapter VI of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016,” read the statement from the ministry.

Currently, Aadhaar stores a person’s name, date of birth, sex and address, apart from their biometric data.

While the biometric data isn’t available to these PDF printing shops, the rest of the information is, according to Srikanth Nadhamuni, chief executive officer of Khosla Labs and a former head of technology at the Unique Identification Authority of India. However, collecting this data poses no security risk to the Aadhaar infrastructure, he added.

“Allowing somebody to accumulate large amounts of data from Aadhaar users in general is not a good practice. We should ensure that the Aadhaar details of people remain private and it should only be up to the discretion of the end-user to share this,” said Nadhamuni.

Some security experts say Aadhaar does pose a security risk, as it makes available an individual's details in the public domain. Several institutions are treating Aadhaar just like any other proof of identity.

“Transactions that should have been conducted using biometric authentication are being conducted just by presentation of paper documents. What is happening most commonly is that people are giving a printout or photocopy of their Aadhaar acknowledgement as their proof of identity to get a SIM card. The risk here is that somebody can get a mobile number against your name,” said Sunil Abraham, executive director of the non-profit Centre for Internet and Society.

He says the other technical issue with Aadhaar is the lack of a smart card that stores a person’s information, as in a digital signature. Due to the lack of this, people don’t know what information to keep private and what to make public. Conventional security techniques would have had a person keeping their PIN private (as with a bank account). If this personal PIN would have been saved on a smart card, which users wouldn’t have had much to worry about.

“In the case of Aadhaar, the authentication factor and the identification factor are in the public domain, because many people might have your UID number and people release their biometric data everywhere. Due to this broken technological solution, we are now through policy putting band-aids, saying people should not disclose their UID number unnecessarily,” added Abraham.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-april-13-2016-why-is-uidai-cracking-down-on-individuals-that-hoard-aadhaar-data

Online Censorship on the Rise: Why I Prefer to Save Things Offline

nishant — 2016-06-05T03:26:50Z

As governments use their power to erase what they do not approve of from the web, cloud storage will not be enough.

The article was published in the Indian Express on April 17, 2016.

It took me some time to trust the cloud. Growing up with digital technologies that were neither resilient nor reliable — a floppy drive could go kaput without you having done anything, a CD once scratched could not be recovered, hard drives malfunctioned and it was a given that once every few months your PC would crash and need a re-install — I have always been paranoid about making backups and storing information. Once I kicked into my professional years, I developed a foolproof, albeit paranoid, system, where I backed up my machines to a common hard drive, made a mirror image of that hard drive, and for absolutely crucial documents, I would put them on to a separate DVD which would have the emergency documents. It was around 2006, when I discovered the cloud.

It began with Google’s unlimited email accounts where you could mail information to yourself and then it would stay there for a digital eternity. I noticed that the size of my digital storage began decreasing. I no longer download videos I find on the web. I don’t save information on a device and I have come to think of the web as one large cloud, relying on the fact that if something is online once, it will always be available to me.

However, over the last couple of months, I have started noticing something different in my usage patterns. These days, when I do come across interesting information, instead of merely indexing it, I find myself making an offline copy of that information. Tweets enter a Storify folder. YouTube videos get downloaded. I make PDF copies of blogs and take screenshots of digital medial updates. I have been wondering why I am suddenly so invested in archiving the web when, theoretically, it is always there.

When I voiced this to a group of young students, I was surprised to hear that I wasn’t alone. The web is becoming a space that is crowded with take-downs, deletions, removals, and retractions which leave no archival memory. The students quickly pointed out that these take-downs are not just personal redactions. In fact, what we personally choose to remove has very little chances of actually disappearing from the web. Instead, these are things that are removed by governments, private companies and intermediaries who are being largely held liable for the content of the information that they make available.

Turkey, recently, demanded that German authorities remove a satirical German video titled Erdowie, Erdowo, Erdogan mocking their President. In response, Germany reminded the Turkish diplomacy of that lovely little thing called freedom of speech, and in the meantime, Extra 3, the group that had released the video on YouTube, added English subtitles to the video. Just for perks. I hope you gave a brownie point to Germany, even as you scrambled to see the video.

On the home front, though, things are not as celebratory. The minister of state for information and broadcasting, Rajyavardhan Rathore, and the head of the BJP’s information and technology cell, Arvind Gupta, have called for action against journalist Raghav Chopra who tweeted a photoshopped image of PM Narendra Modi bending down to touch the feet of a man dressed in Saudi Arabia’s national dress, to make a political comment about the PM’s recent visit to SA.

The two politicos, who have not had much to say about the doctored videos that were used to convict innocent students in JNU or the photoshopping that the government’s Press Information Bureau had indulged in to give us that iconic image of the prime minister doing an aerial survey of #ChennaiFloods, have taken umbrage against an image because it seems (obviously) false, and are demanding its takedown.

My proclivity for saving things offline is perhaps fuelled by this web of partisan censorship and the atmosphere of precarious hostility that governments seem to be supporting. Increasingly, we have seen, in India and around the globe, a rush of political power that exercises its clout to remove information, images and stories that they do not approve of.

Instinctively, I am reacting to the fact that intellectual questioning or cultural critique is being removed from the web at the behest of these vested powers, and that the cloud, light and airy as it sounds, is prone to some incredible acts of censorship and removal. I have found myself facing too many removal notices and take-down errors when trying to revisit bookmarked sites, that I am beginning to feel that the only way to keep my information safe might be to archive the whole web on a personal server.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-nishant-shah-april-17-2016-online-censorship-on-the-rise

Aadhaar Act and its Non-compliance with Data Protection Law in India

vanya — 2016-04-18T11:43:02Z

This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Download the file: PDF.

Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha . Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.

In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("IT Act ") and subsequent Rules, i.e. -The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("IT Rules"). Section 43A of the IT Act, 2000 holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.

Rule 3 of the IT Rules enlists personal information that would amount to Sensitive personal data or information of a person and includes the biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that, the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc. like the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A, could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.

In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.

1. Compensation and Penalty

Section 43A: Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.

Aadhaar Act : Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.

Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI.
Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository.
Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.

2. Privacy Policy

IT Rules: Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and Reasonable security practices and procedures.

Aadhaar Act: Though in practise the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.

Implications: Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.

3. Consent

IT Rules: Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.

Aadhaar Act: The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).

Implications: If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.

4. Collection Limitation

IT Rules: Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.

Aadhaar Act: Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.

5. Notice

IT Rules: Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:

The fact that information is being collected
The purpose for which the information is being collected
The intended recipients of the information
The name and address of the agency that is collecting the information
The name and address of the agency that will retain the information

Aadhaar Act: Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.

6. Retention Limitation

IT Rules: Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.

Aadhaar Act: The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.

7. Purpose Limitation

IT Rules: Rule 5(5) requires that information must be used for the purpose that it was collected for.

Aadhaar Act Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.

Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.

8. Right to Access and Correct

IT Rules : Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.

Aadhaar Act : The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.

9. Right to 'Opt Out' and Withdraw Consent

IT Rules: Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.

Aadhaar Act: The Aadhaar Act does not provide an opt- out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit then the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.

10. Grievance Officer

IT Rules: Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.

Aadhaar Act: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.

11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure

IT Rules: Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.

Aadhaar Act: Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.

12. Requirements for Transfer of Sensitive Personal Data

IT Rules : Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

Aadhaar Act : The Act is silent regarding transfer of personal data into another jurisdiction by the any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.

13. Security of Information

IT Rules: Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant up gradation of its process and computer resource.

Aadhaar Act: Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.

Implications of the Differences for Body Corporates in Aadhaar Ecosystem

An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other.

Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies collecting, handling, sharing the personal information and are governed by the Aadhaar Act, must adhere to section 43A and the IT Rules 2011. However, applicability of Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, having two separate legislations governing the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid unclarity in the applicability of data protection standards and would also address many privacy concerns associated to the scheme.

Appendix I

The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:

i. Opt-out clause: A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.

ii. Voluntary: To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.

iii. Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.

iv. Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.

v. Oversight Committee: The oversight committee , which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.

Sources:

Appendix II - Section 43A: Compensation for Failure to Protect Data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

For the purposes of this section:

"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
"sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.'.

The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities"

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india

FAQ on the Aadhaar Project and the Bill

Elonnai Hickok, Vanya Rakesh, and Vipul Kharbanda — 2016-04-13T14:06:43Z

This FAQ attempts to address the key questions regarding the Aadhaar/UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (henceforth, Bill). This is neither a comprehensive list of questions, nor does it contain fully developed answers. We will continue to add questions to this list, and edit/expand the answers, based on our ongoing research. We will be grateful to receive your comments, criticisms, evidences, edits, suggestions for new answers, and any other responses. These can either be shared as comments in the document hosted on Google Drive, or via tweets sent to the information policy team at @CIS_InfoPolicy.

To comment on and/or download the file, click here.

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq

Daunting task ahead for investigative agencies with WhatsApp's end-to-end encryption

praskrishna — 2016-04-09T09:45:12Z

Messaging service WhatsApp's decision to roll out end-to-end encryption for over 1 billion subscribers has been hailed as a positive step by users across the world, although things are set to get tougher for law enforcement and investigative agencies in India seeking to track terrorists.

The article by Neha Alawadhi was published in Economic Times on April 8, 2016. Sunil Abraham was quoted.

"It was anyway difficult to get any kind of data from WhatsApp and now it is going to be even more difficult," said a person familiar with the working of these agencies who did not wish to be identified.

Encryption scrambles data such as text messages, photos and documents and makes them unintelligible for unintended recipients. A service that is encrypted end-to-end cannot be monitored or intercepted. No one, except the people or group communicating with each other, can access the data. If telecom companies, Internet providers or even companies that run messaging services try to intercept the message, all they would get is garbled data.

While chats will not be accessible, associated information known as metadata will be available, such as when the conversations took place, the identities of senders and recipients, their locations, mobile numbers, profile photos and address books, which may be useful for security agencies.

"Definitely for law enforcement it means a big headache, but the metadata is there and with metadata, if you have a couple of other bits of information, you can piece it together," said Sunil Abraham, executive director at Bengaluru-based research organisation Centre for Internet and Society. "Agencies can get the metadata, but they won't get the payload unless they're able to compromise the device. And that intelligence agencies like NSA (National Security Agency of the US) have been able to do in the past."

While encryption offers privacy and security to users, it is the bane of law enforcement agencies globally, as exemplified most recently and notably by the Apple-FBI dispute in the US. The Federal Bureau of Investigation FBI asked Apple to weaken its encryption to access a dead terrorist's iPhone data and after the company refused, hacked into the device with help from a third party.

In India, it is difficult to bring US-based companies to the negotiating table. "We have had minimum cooperation from WhatsApp. All the data is controlled in the US and they rarely hand over the data that we request. We don't ask them for content. We only ask for metadata," said another person familiar with the process who declined to be identified.

While the Indian IT Act gives wide-ranging powers to the government to ask for access to encrypted information, very few requests for information, very few requests for information take the legal route. One reason is the long time that it takes to process such requests - on average, over three years - and the other, especially in the case of WhatsApp, is little or no cooperation, according to government officials.

WhatsApp, based in Mountain View, California, did not respond to an email request for comment. The messaging company was acquired by Facebook in 2014.

How security and investigative agencies in India use the data they access is also a grey area. "We do not have a privacy legislation here which will take care of the concerns that people have with respect to use of data. If the government needs to have access to communications, they also need to ensure there are adequate safeguards in place," said Prasanth Sugathan, counsel at Software Freedom Law Centre.

"In practice, end-to-end encryption will bring the end user and the device into focus, rather than WhatsApp or any particular messaging service. This should be a trigger for greater clarity on India's data protection policy," said Arun Mohan Sukumar, who heads the cyber security and internet governance initiative at think tank Observer Research Foundation.

In India, requests for information from companies such as WhatsApp and Google are handled by the Ministry of Home Affairs or the Indian Computer Emergency Response Team. Emails to both were unanswered at the time of going to print.

The Indian government was involved in a long-standing dispute with BlackBerry over access to encrypted data on its messenger and corporate email service. BlackBerry set up servers in Mumbai to comply with local regulations, but said it could not access encrypted data on its enterprise servers.

For more details visit https://cis-india.org/internet-governance/news/economic-times-april-8-2016-neha-alawadhi-daunting-task-ahead-for-investigative-agencies-with-whatsapp-end-to-end-encryption

India's biometric database crosses billion-member mark

praskrishna — 2016-04-07T02:54:08Z

India's biometric database notched up one billion members on Monday, as the government sought to allay concerns about privacy breaches in the world's biggest such scheme.

The news by AFP was published by Daily Mail, UK on April 4, 2016. Sunil Abraham gave inputs.

The database was set up seven years ago to streamline benefit payments to millions of poor people as well as to cut fraud and wastage. Under the scheme, called Aadhaar, almost 93 percent of India's adult population have now registered their fingerprints and iris signatures and been given a biometric ID, according to the government.

IT minister Ravi Shankar Prasad hailed it as "an instrument of good governance" at a ceremony in New Delhi marking the crossing of the one-billion member mark.

Prasad said the initiative, inherited from the previous left-leaning Congress government, had enabled millions to receive cash benefits directly rather than dealing with middlemen.

He said the government had saved 150 billion rupees ($2.27 billion) on its gas subsidy scheme alone -- by paying cash directly to biometric card holders instead of providing cylinders at subsidised rates.

He also said all adequate safeguards were in place to ensure the personal details of card holders could not be stolen or misused by authorities given access to the database.

"We have taken all measures to ensure privacy. The data will not be shared with anyone except in cases of national security," Prasad said.

His comments come after parliament passed legislation last month giving government agencies access to the database in the interests of national security.

It was passed using a loophole to circumvent the opposition in parliament, where the ruling Bharatiya Janata Party (BJP) lacks a majority in the upper house.

The way it was passed, as well as the legislation itself, raised concerns about government agencies accessing private citizens' details.

Internet experts have also raised fears about the safety of such a massive database, including hacking and theft of details.

"It was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, 'we are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!'," Sunil Abraham, executive director of the Centre for Internet and Society, wrote in India's Frontline news magazine.

For more details visit https://cis-india.org/internet-governance/news/daily-mail-april-4-2016-afp-india-biometric-database-crosses-billion-member-mark

The Panama Papers and the question of privacy

praskrishna — 2016-04-24T14:03:35Z

This statement was originally published on privacyinternational.org on 4 April 2016.

Read the entry by Claire Lauterbach published in Big News Network on April 6, 2016. Sunil Abraham was quoted.

We do agree with Ramon Fonseca about one thing: that "Each person has a right to privacy, whether they are a king or a beggar."

But that's where our commonality with co-founder of disgraced Panama law firm Mossack Fonseca ends.

Last year, a whistleblower leaked 11.5 million documents about the firm's business brokering offshore companies, details of which were published yesterday. Reportedly the largest leak in journalistic history, the cache reveals hidden assets by a dozen current and former world leaders, and scores of celebrities and tycoons, some of which are linked to high level corruption scandals.

This scandal isn't about privacy, though. If anything, it's about the need for transparency about how the powerful wield their power. We need transparency - and good solid investigation - to understand where and how our right to privacy is eroded.

Privacy and transparency are not opposites. They are two sides of the same coin. As privacy advocates, we use transparency capabilities to investigate surveillance. Meanwhile, privacy as a right requires transparency from the institutions that gather and use our data.

Privacy International, like other human rights groups, conducts investigations in the public interest. That allows us to understand, for example, how Colombia built a shadow surveillance system despite evidence of illegal interceptions, or how UK police appear to be collecting private communications data at protests, according to a Vice News investigation.

Many of the Panama Papers' revelations are in the public interest insofar as they concern the transformation of public assets - like taxpayers' money and state funds - into private gains, and allow the powerful to avoid scrutiny. Privacy and transparency are not opposites. They are two sides of the same coin.

Fonseca called journalism around the leaked files an "international campaign against privacy".

But what Fonseca is really doing is advocating a status quo of 'privacy for the kings, and transparency for the beggars'. Or rather, privacy for the business moguls, politicians, corporations and government agencies, and transparency for the citizens, consumers, activists and journalists.

For the public, our financial systems are now surveiled by design. Our transactions are labelled as suspicious and sent for mining by intelligence agencies. We need IDs to open accounts, and our records are profiled by credit agencies who facilitate key decisions about us and our families. Secretive institutions collate this information to decide whether or not we are terrorists. While a certain degree of this is necessary for public order, what's clear is that we are watched while the 'kings' are able to circumvent many of these measures and escape scrutiny. We should never make the mistake of conflating the right to privacy for the individual with the desire to hide shadowy, ethically dubious, borderline-or-actual illegal activity for the immensely wealthy and powerful.

The real issues around privacy include: the spreading of draconian laws, from the UK, to Pakistan, to Kenya, that sanction warrantless surveillance and online monitoring, with insufficient protection for the public. It's the intrusive biometric registration of some of the most desperate people, like refugees from Dadaab to Calais, desperate for food and medical care. It's the instrumentalisation of consumer data to draw conclusions about us, with or without our consent. It's also the parallel trend of rolling back Freedom of Information laws (see: UK and United States). And, as the Panama Papers show, it is allowing transfers of public funds for private gain to be obscured.

That is the real "campaign against privacy" - not public interest journalism.

As our friend and partner Sunil Abraham, Executive Director of the Centre for Internet and Society in India states succinctly, the right to privacy should "be inversely proportionate to power and almost conversely the requirement of transparency to be directly proportionate to power."

For more details visit https://cis-india.org/internet-governance/news/big-news-network-april-6-2016-claire-lauterbach-panama-papers-and-question-of-privacy

Surveillance Project

sunil — 2016-04-05T15:21:27Z

The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.

The article will be published in Frontline, April 15, 2016 print edition.

Zero. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.

In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.

Zero. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.

Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.

Zero. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.

Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”

Near zero. We now move biometrics as the identification factor. The rate of potential duplicates or “False Positive Identification Rate” which according to the UIDAI is only 0.057 per cent. Which according to them will result in only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in Economic & Political Weekly by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.

This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.

Near zero. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.

But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.

Why does not the UIDAI first assign UID numbers to all politicians and bureaucrats? Then using digital signatures why do not we ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.

Instantiation technology

One. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.

Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”

Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.

One. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?

Competing providers

Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. Just like the government established a regulatory framework for digital certificates in the Information Technology Act allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest database of biometric and transaction records securely for perpetuity.

To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”

For more details visit https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project

A Large Byte of Your Life

nishant — 2016-06-05T03:35:34Z

With the digital, memory becomes equated with storage. We commit to storage to free ourselves from remembering.

The article was published in Indian Express on April 3, 2016.

This is the story of a broken Kindle. A friend sent a message to a WhatsApp group that I belong to that she is mourning the loss of her second-generation Kindle, that she bought in 2012, and since then had been her regular companion. It is not the story of hardware malfunction or a device just giving up. Instead, it is a story of how quickly we forget the old technologies which were once new. The friend, on her Easter holiday, was visiting her sister, who has a six-year-old daughter.

This young one, a true digital native, living her life surrounded by smart screens, tablets, phones, and laptops, instinctively loves all digital devices and plays with them. In her wanderings through her aunt’s things, she came across the old Kindle — unsmart, without a touch interface, studded with keys, not connected to any WiFi, and rendered in greyscale. It was an unfamiliar device. But with all the assurance of somebody who can deal with digital devices, she took it in her hands to play with it.

Much to her dismay, none of the regular modes of operation worked. The old Kindle did not have a touch screen operated lock. It wasn’t responding to scroll, swipe and pinch. It had no voice command functions. As she continued to cajole it to come to life, it only stared at her, a lock on the digital interface, refusing to budge to the learned demands and commands of the new user. After about 20 minutes of trying to wake the Kindle up, she became frustrated with it and banged it harshly on the table, where it cracked, the screen blanked out and that was the end of the story.

Or rather, it is the beginning of one. As my friend registered the loss of her clunky, clumsy, heavy, non-intuitive Kindle, and messages of grief poured in, with the condolence that the new ones are so much better and the assurances that at least all her books are safe on the Amazon cloud, I see in this tale, the quest of newness that the digital always has to offer.

If it has missed your attention, the digital is always new. Our phones get discarded every few seasons, even as phone companies release new models every few months. Our operating systems are constantly sending us notifications that they need to be updated. Our apps operate in stealth mode, continuingly adding updates where bugs are fixed and features are added. Most of us wouldn’t know what to do if we were faced with a computer that doesn’t “heal”, “backup” or “restore” itself. If our lives were to be transferred back to dumb phones, or if we had to deal with devices that do not strive to learn and read us, it might lead to some severe anxiety.

The newness that the digital offers is also found in our socially mediated lives. Our digital memories are short-lived — relationships rise and fall in the span of days as location-based dating apps offer an infinite range of options to choose your customised partner; celebrities are made and unmade overnight as clicks lead to viral growth and then disappear to be replaced by the next new thing; communities find droves of subscribers, only to become a den of lurkers where nothing happens; must-have apps find themselves discarded as trends shift and new must-haves crop up overnight. Breathless, bountiful and boundless, the digital keeps us constantly running, just to be in the same place, always the same and yet, always new.

We would be hard pressed to remember that magical moment when we first discovered a digital object. For millennials, the digital is such a natural part of their native learning environments that they do not even register the first encounter or the subsequent shifts as they navigate across the connected world. Increasingly, we tune ourselves to the temporality and the acceleration of the digital, tailoring our memories to what is important, what is now, and what is immediately of use, excluding everything else and dropping it into digital storage, assured in our godlike capacities to archive everything.

This affordance of short digital memories is enabled partly by the fact that we are subject to information overload, but partly also to the fact that our machines can now remember, more accurately and more robustly than the paltry human, prone to error and forgetfulness. With the digital, memory becomes equated with storage, and the more we commit to storage, the more we free ourselves from the task of remembering.

The broken Kindle is a testimony not only to the ways in which we discard old devices but also our older forms of individual and collective memory — quickly doing away with information that is not of the now, that is not urgent, and that does not have immediate use value. My friend’s Kindle got replaced in two days. All her books were re-loaded and she was set to go. However, as she told me in a chat, she is not going to throw away her old broken Kindle. Because she wants to remember it — remember the joy of reading her favourite books on it. She is scared that if she throws it away, she might forget.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-april-3-2016-nishant-shah-a-large-byte-of-your-life

Mapping MAG: A study in Institutional Isomorphism

jyoti — 2017-03-03T00:59:48Z

The paper is an update to a shorter piece of MAG analysis that had been conducted in July 2015. At that time our analysis was limited by the MAG membership data that was made available by the Secretariat. Subsequently we wrote to the Secretariat and this paper is based on the data shared by them including for the years for which membership details were previously not available.

This paper that delves into the history of the formation of the Multi-Stakeholder Advisory Group (MAG) and the Internet Governance Forum (IGF) including the lessons from the past that should be applied in strengthening its present structure. The paper covers three broad areas:

History of the formation of the MAG, its role within the IGF structure, influences that have impinged on its scope of work, manner in which its evolution has deviated from conceptualization
Analysis of MAG membership (2006-2015): Trends in the selection and rotation of the MAG membership
Recommendations to reform MAG/IGF

Jyoti Panday^[1]

The recent renewal of the Internet Governance Forum^[2] (IGF) mandate at the World Summit on the Information Society (WSIS)+10 High-Level Meeting^[3] was something of a missed opportunity. The discussions unerringly focused on the periphery of the problem - the renewal of the mandate, leaving aside questions of vital importance such as strengthening and improving the structures and processes associated with the IGF. The creation of the IGF as a forum for governments and other stakeholders to discuss policy and governance issues related to Internet was a watershed moment in the history of the Internet.

In the first decade of its existence the IGF has proven to be a valuable platform for policy debates, a space that fosters cooperation by allowing stakeholders to self-organise to address common areas of concern. But the IGF rests at being a platform for multistakeholder dialogue and is yet to realise its potential as per its mandate to “find solutions to the issues arising from the use and misuse of the Internet” as well as “identify emerging issues […] and, where appropriate, make recommendations”.^[4]

From the information available in the public domain, it is evident that the IGF is not crafting solutions and recommendations or setting the agenda on emerging issues. Even if unintended, this raises the disturbing possibility that alternative processes and forums are filling the vacuum created by the unrealised IGF mandate and helming policy development and agenda setting on Internet use and access worldwide. This sits uneasily with the fact that currently there is no global arrangement that serves or could be developed as an institutional home for global internet governance issues.

Moreover, the economic importance of the internet as well as its impact on national security, human rights and global politics has created a wide range of actors who seek to exert their influence over its governance. Given the lack of a global centralized body with authority to enforce norms and standards across political and functional boundaries, control of internet is an important challenge for both developed and emerging economies. As the infrastructure over which the internet runs is governed by nation states and their laws, national governments continue to seek to exert their influence on global issues.

Divergence of approaches to regulation and differences in capacity to engage in processes, has led to fragmentation of approaches to common challenges.^[5] Importantly, not all governments are democratic and may exert restrictions on content and access that conflict with the open and global nature of the internet. Alongside national governments, transnational private corporations play a critical role in security and stability of the internet. Much like the state, they too raise the niggling question of how to guard against the guardians.

Corporations control of sensitive information, their institutional identity, secrecy of operations: all are essential to their functioning but could also erode the practice of democratic governance, and the rights and liberties of users online. Additionally, as issues of human rights, access and local content have become interlinked with public policy issues civil society and academia have become relevant to traditionally closed policy spaces. Considering the variety of stakeholders and their competing interests, concerns about ensuring stability and security of the Internet have led the international community to pursue a range of governance initiatives.

Implementing a Multistakeholder Approach

At the broadest level debates about the appropriate way forward has evolved as a contestation between the choice of two models. On the one hand is the state-centric ‘multilateral’ model of participation, and on the other a ‘multistakeholder’ approach that aims for bottom up participation by all affected stakeholders. The multistakeholder approach sees resonance across several quarters^[6] including a high level endorsement from the Indian government last year.^[7] An innovative concept, a multistakeholder approach fits well within the wider debate about rethinking governance in a globalized world.

Proponents of the multistakeholder approach see it as a democratic process that allows for a variety of views to be included in decision making.^[8] Nevertheless, the intertwining of the Internet and society pitches actors and interests at opposing ends. While a multistakeholder approach broadens the scope for participation, it also raises serious issues of representation and accountability. Since multistakeholder processes fall outside the traditional paradigm of governance, establishing legitimacy of processes and structures becomes all the more important.

The multistakeholder concept is only beginning to be critically studied or evaluated. There have been growing concerns, particularly, from emerging economies^[9] of a lack of representation in policy development bodies and that issues affecting marginalised communities being overlooked in policy development process. From this view, the multistakeholder model has created ‘transnational and semi privatized’ structures and ‘transnational elites’.^[10] Such critics define emerging and existing platforms derived from the multistakeholder concept as ‘an embryonic form of transnational democracy’ that are occupied by elite actors.^[11]

Elite actors may include the state, private and civil society organisations, technical and academic communities and intergovernmental institutions. In the context thus sketched out, the key question that the WSIS+10 Review should have addressed is whether the IGF provides the space for the development of institutions and solutions that are capable of responding to the challenges of applying the multistakeholder concept to internet governance. The existing body of work on the role of the IGF has yet to identify, let alone come to terms with, this problem.

Applying critical perspectives examining essential structures and processes associated with the IGF becomes even more relevant given its recently renewed mandate. However, already the forum’s first planning meeting scheduled to take place in Geneva this week is already mired in controversy^[12] after a new Chair was named by the UN Secretary General.

The decision for appointing a new Chair was made without any form of public process, or any indication on the selection criteria. Moreover, the "multistakeholder advisory group" (MAG), which decides the content and substance of the forum, membership was also renewed recently. Problematically most of the nominations put forth by different constituent groups to represent them were rejected and individuals were appointed through a parallel top-down and secretive UN process. Of the 55 MAG members, 21 are new but only eight were officially selected by their respective groups.^[13]

This paper focuses on the role of the MAG structure and functioning and highlights issues and challenges in its working so as to pave the way for strategic thinking on its improvement. A tentative beginning towards identifying what the levers for change can be made by sifting through the eddies of history to uncover how the MAG has evolved and become politicised.

The paper makes two separate, but interrelated claims: first, it argues that as the de-facto bureau essential to the functioning of the IGF, there is an urgent need to introduce transparency and accountability in the selection procedure of the MAG members. Striking an optimum balance between expertise and legitimacy in the MAG composition is essential to ensure that workshops and sessions are not dominated by certain groups or interests and that the IGF remains an open, well-functioning circuit of information and robust debate.

Second, it argues for immediate evaluation of MAG’s operations given the calls for the production of tangible outcomes. There has been on-going discussion within the broader community about the role of the IGF with divisions between those who prefer a narrow interpretation of its mandate, while others who want to broaden its scope to provide policy recommendations and solutions.^[14]

The interpretation of the IGF mandate and whether the IGF should make recommendations has been a sticking point and is closely linked to the question of IGF’s legitimacy and relevance. Be that as it may, the intersessional work, best practices forum and dynamic coalitions over the last ten years have led to the creation of a vast repository of information that should feed into the pursuit of policy options and identification of best practices.

The true test of the multistakeholder model is not only to bring together wide range of views but to also ensure that accumulated knowledge is applied to address common problems. Implementing a multistakeholder approach and developing solutions necessitates enhanced coordination amongst stakeholder groups and in the context of the IGF, is contingent on the strength and stability of the MAG to be able to facilitate such cooperation.

The paper is organised in three parts: in the first section I delve into the history of the formation of the MAG. To understand the MAG’s role within the IGF structure it is essential to revisit the influences that shaped its conceptualisation and subsequent evolution over the decade. A critical historical perspective provides the context of the multiple considerations that have impinged on MAG’s scope of work, of the manner in which MAG’s evolution has deviated from intentions, and the lessons from the past that should be applied in strengthening its present structure.

The second section analyses trends in the selection and rotation of the MAG membership and traces out the elite elements in the composition of the MAG. The analysis reveals two distinct stages in the evolution of the MAG membership which has remained significantly homogeneous across stakeholder representation. The final section of the paper focuses on a set of recommendations to ensure that the MAG is strengthened, becomes sustainable and provides the impetus for IGF reform in the future.

Origins of the IGF

The WSIS process was divided in two phases, the Geneva phase focused on principles of internet governance. The outcome documents of the first phase included a Declaration of Principles and a Plan of Action being adopted by 175 countries. Throughout the process, developing countries such as China, Brazil and Pakistan opposed the prevailing regime that allowed US dominance and control of ‘critical infrastructure’. As the first phase of the WSIS could not resolve these differences the Working Group on Internet Governance (WGIG) was set up by the UN Secretary General to deliberate and report on the issues.

The establishment of the WGIG is an important development in the WSIS process not only because of the recommendations it developed to feed into the second phase of the negotiations, but also because of the procedural legitimacy the WGIG established through its working. The WGIG embodied the multistakeholder principle in its membership and open consultation processes. WGIG members were selected and appointed in their personal capacity through an open and consultative process. As a result the membership demonstrated diversity in the geography, stakeholder groups represented and gender demographics.

The consultations were open, transparent and allowed for a diverse range of views in the form of oral and written submissions from the public to feed into the policy process. At its final meeting the WGIG membership divided into smaller working groups to focus on specific issues, and reassembled at the plenary to review, discuss and consolidate sections which were then approved in a public forum. As the WGIG background paper notes “The WGIG agreed that transparency was another key ingredient to ensure ownership of the process among all stakeholders.”^[15]

The WGIG final report^[16] identified a vacuum within the context of existing structures and called for the establishment of a forum linked to the UN. The forum was to be modelled on the best practices and open format of the WGIG consultative processes allowing for the participation of diverse stakeholders to engage on an equal footing. It was in this context that the IGF was first conceptualised as a space for global multistakeholder ‘dialogue’ which would interface with intergovernmental bodies and other institutions on matters relevant to Internet governance.

The forum was conceived as a body that would connect different stakeholders involved in the management of the internet, as well as contribute to capacity-building for governance for developing countries drawing on local sources of knowledge and expertise. Importantly, the forum was to promote and assess on an ongoing basis the embodiment of WSIS principles in Internet governance processes and make recommendations’ and ‘proposals for action’ addressing emerging and existing issues not being dealt with elsewhere. However, as things turned out the exercises of power between states and institutional arrangements ultimately led to the development of a subtly altered version of the original IGF mandate.

Aftermath of the WGIG Report

The WGIG report garnered much attention and was welcomed by most stakeholders with the exception of the US government which along with private sector representatives such as Coordinating Committee of Business Interlocutors (CCBI) disagreed with the recommendations.^[17] Pre-empting the publication of the report, the National Telecommunications and Information Administration (NTIA) issued a statement in June 2005 affirming its resolve to “maintain its historic role in authorizing changes or modifications to the authoritative root zone file.”^[18]

The statement reiterated US government’s intention to fight for the preservation of the status quo, effectively ruling out the four alternative models for internet governance put forward in the WGIG report. The statement even referenced the WGIG report stating, “Dialogue related to Internet governance should continue in relevant multiple fora. Given the breadth of topics potentially encompassed under the rubric of Internet governance there is no one venue to appropriately address the subject in its entirety.”^[19]

The final report was presented to PrepCom 3 of the second phase in July 2005 and the subsequent negotiations were by far, the most significant in the context of the role and structure that the IGF would take in the future. US stance on its role with regard to the root zone garnered pushback from both civil society and other governments including Russia, Brazil, Iran and China. However the most significant reaction to US stance came from the European Union issuing a statement after the commencement of PrepCom 3 in September.

EU’s position recognised that adjustments were needed in institutional arrangements for internet governance and called for a new model for international cooperation which would include “the development and application of globally applicable public policy principles.”^[20] the US had not preempted this “shocking and profound change” and now isolated in its position on international governance of the internet, and it sent forth a strongly worded letter^[21] invoking its long-standing relationship and urging the EU to reconsider its stance.

The pressure worked since the US was in a strong position to stymie the achievement of a resolution from WSIS process. Moreover, introducing reforms to the internet naming and numbering arrangements was not possible without US cooperation. The letter resulted in EU going back on its aggressive stance and with it, the push for the establishment of global policy oversight over the domain names and numbers lost its momentum.

The letter significantly impacted the WSIS negotiations and shaped the role of the IGF. By creating a deadlock and by applying pressure US was able to negotiate a favourable outcomes for itself. The last minute negotiations led to the status quo continuing and in exchange the US provided an undertaking that it would not interfere with other countries’ ccTLDs. The weakened mandate meant that even though creation of the IGF under the WSIS process moved forward the direction changed from its conceptualisation and origins from the WGIG report.

Institutionalizing the IGF

In 2006, the UN Secretary General appointed Markus Kummer to assist with the establishment of the IGF. The newly formed IGF Secretariat initiated an open consultation to be held in Geneva in and issued an open call to stakeholders seeking written submissions as inputs into the consultation.^[22] Notably neither the US government nor the EU sent in a response to the consultation and submissions made by other stakeholders were largely a repetition of the views expressed at WSIS.

The division on the mandate of IGF was evident in this very first consultation. Private sector representatives such as the CCBI and ICC-Basis, government representatives from OECD countries like Canada and the technical community represented by likes of Nominet and ISOC^[23] opposed the development of the IGF as platform for policy development. On the other hand, civil society representatives such as APC called for the IGF to produce specific recommendations on issues where there is sufficient consensus.^[24]

With reference to the MAG structure, again there was division on whether the “effective and cost-efficient bureau” referred to in the Tunis Agenda should have a narrow mandate limited to setting the agenda for plenary meetings or if it should have a more substantial role. Civil society stakeholders envisioned assigning the bureau a more substantial role and notably the Internet Governance Project (IGP) discussion paper released in advance of the February 2006 Geneva consultations.^[25]

The paper offered design criteria for the Forum including specific organizational structures and processes proposing “a small, quasi-representational decision making structure” for the IGF Bureau.^[26] The paper recommended formation of twelve member bureau with five representatives from governments (from each UN geographic region) and two each from private sector civil society academic and technical communities. The bureau would set the agenda for the plenary meeting not arbitrarily through private discussions, but driven by working group proposals and it would also have the power to approve or reject applications for forming working groups.

The proposed structure in the IGP paper had it been implemented would have developed the bureau along the lines of the IETF where the working groups would develop recommendations which would feed into the deliberation process. However, there was a clear divide on the proposed structure with many stakeholders opposing the establishment of sub-groups or committees under the IGF.^[27]

Following the written submissions the first open consultations on the establishment of the IGF were held in Geneva on 16 and 17 February 2006, and were chaired by Nitin Desai.^[28] The consultation was well attended with more than 300 participants including 40 representatives from governments and the proceedings were webcast. Further, the two-day consultation was structured as a moderated roundtable event at which most interventions were read from prepared statements, many of which were also tabled as documents and later made available from the IGF Web site. This ofcourse meant that there was a repetition of the views expressed in response to the questionnaire or the WGIG report and as a consequence, there was little opportunity for consensus-building.

Once again there was conflict on whether the IGF should be conceptualised as annual ‘event’ that would provide space for policy dialogue or a ‘process’ of engaging with policy issues which would culminate in an annual event. The CCBI reiterated that “[t]he Tunis Agenda is clear that the IGF does not have decision-making or policy-making authority,” and the NRO emphasised that the “IGF must be a multi-stakeholder forum without decision-making attributions.”^[29]

William Drake argued for the IGF “as a process, not as a series of one-off meetings, but as a process that would promote collective dialogue, learning, and mutual understanding on an ongoing basis.”^[30] Government representatives were split for example see El Salvador statement “that the Internet Governance Forum will come up with recommendations built on consensus on specific issues,” and Brazil even characterised the first meeting as “an excellent opportunity to initiate negotiations on a framework treaty to deal with international Internet public policy issues.”^[31]

Although a broad consensus was declared on need for a lightweight multi-stakeholder bureau there was no consensus on its size, composition and the mandate of this bureau. Nitin Desai held the issue for further written input and the subsequent consultation received twelve submissions with most respondents recommended a body of ten and twenty five members. The notable exceptions were submissions from the Group of 77 and China that sought a combined total of forty members half of which would be governmental representatives.

The discussions during the February consultations and the input received from the written submissions paved the way for what eventually became the MAG. The IGF Secretariat announced the formation of a bureau with forty members and while not expressly stated, half of these would be governmental representatives. It has been speculated that the large membership decision was a result of political wrangling among governments, especially the G77 governments insisting on large group that would accommodate all the political and regional differences among its members.^[32]

IGF Secretariat - Set to Fail?

The unwieldy size of the MAG meant that it would have to rely on the newly constituted Secretariat for organization, agenda-setting, and results. This structure empowered the Secretariat while limiting the scope of the MAG, a group that was already divided in its interests and agenda. However, the Secretariat was restrained in its services to stakeholders as it had limited resources since it was not funded by the United Nations and relied upon voluntary donations to a trust fund.^[33]

Early donors included the Swiss Agency for Development and Cooperation (SWADC), ICANN and Nominet.^[34] Due to disjointed sources of funding, the Secretariat was vulnerable to the influence of its donors. For example, the decision to to base the Secretariat in Geneva was to meet the condition set by SWADC contribution. Distressingly, of the 20 non-governmental positions in the MAG, most were directly associated with the ICANN regime.

The over-representation of ICANN representatives in MAG selection was problematic since the IGF was conceptualised to address the lack of acceptance of ICANN’s legitimacy in the WSIS process. The lack of independent funding led to a deficit of accountability demonstrated in instances where it was possible for one of the MAG members to quietly insinuate that private sector support for the IGF and its Secretariat would be withdrawn if reforms unacceptable to that stakeholder group went ahead.^[35]

As might perhaps be expected from a Secretariat with such limited resources, its services to stakeholders were confined to maintaining a rudimentary website and responding to queries and requests. The transparency of the Secretariat’s activities was also very limited, most clearly exemplified by the process by which the Advisory Group was appointed.

Constituting the MAG

Following the announcement of the establishment of the MAG, a call for membership to the advisory group was made in March 2006. From the beginning the nomination process was riddled with lack of transparency and the nominations received from stakeholders were not acknowledged by the IGF Secretariat, nor was the selection criteria of made available. The legitimacy of the exercise was also marred by a top-down approach where first that nominees heard of the outcomes was the Secretariat's announcement of selected nominees. Lack of transparency and accountability resulted in the selection and appointment procedure being driven by patronage and lobbying.

The political wrangling was evident in the composition of the first MAG which was expanded to accommodate six regional coordinators personally appointed by Chair Nitin Desai to the Special Advisory Group (SAG). Of the twenty non-governmental positions, most were associated with the naming and numbering regime including sitting and former Board members and ICANN staff.^[36] Participation from civil society was limited as the composition did not recognise^[37] technical community as a distinct group, including it along with academic community and as part of civil society.

The political struggles at play was visible in the appointment of Michael D. Gallagher, the former head of the US Commerce Department's NTIA. This appointment was all the more relevant since it was Gallagher who had had only a few months back stated that the US government owns the DNS root and has no intention of giving it up. His presence signalled that the US government took the forum seriously enough to ensure its interests were voiced and received attention on the MAG.

Beyond issues of representation the working of the MAG suffered from a serious lack of transparency as meetings of the Advisory Group were closed, and no reports or minutes were released. The Advisory Group met in May and September in Geneva before the inaugural IGF meeting in Athens. Coordination between members for the preparations for Athens was done utilising a closed mailing list that was not publicly archived. Consequently, the detail of the operations of the Advisory Group ahead of the first IGF meeting were known only to its members.

Whatever little has been reported suggests that the Advisory Group possessed little formal authority, operating like a forum where members expressed views and debated issues without the object of taking formal decisions. Decisions were settled upon by rough consensus as declared by the Chair, and on all matters where there was no agreement the issues were summarised by the Chair in a report to the UN Secretary-General. The Secretary-General would take the report summary in consideration however retained the ultimate authority to make a formal decision.^[38]

The UN’s clear deciding role was not so obvious in the early years of the MAG’s existence because of the relatively novel nature of the IGF. Moreover Nitin Desai Chair, MAG and Markus Kummer, IGF Secretariat were appointed by the UN Secretary General and were on good terms with the then-Secretary General Kofi Annan and working together they acted as de facto selectors of the members of the MAG. Most of the MAG’s core membership in the first five years of its existence was made up of leaders from across the different stakeholder groups and self-selection within those groups was encouraged to lend broader stability.

Over the last decade, changes in institutional arrangements led the IGF to be moved as a ‘project’ under the UNDESA umbrella, where it is not a core mission, but simply one of many conferences that it handles across the world every year. The core personnel that shepherded the MAG and the IGF from its early days retired allowing for the creation a new core membership. The new group of leaders in the MAG membership have emerged partly as the result of selection and rotation process instituted by the UNDESA in appointing a ‘program committee’.

The history presented above is to help understand how the MAG was established under the UN umbrella and to highlight the key developments that shaped its scope and working. Importantly the weakened IGF mandate created divergences on the scope of the MAG to function as a ‘program committee’ limited to selecting proposals and planning the IGF or as an ‘advisory committee’ with a more substantial role in developing the forum as an innovative governance mechanism. In its conception the IGF was a novel idea and by empowering MAG and introducing transparency in the selection procedures of members and their workings could have perhaps led to a more democratic and accountable IGF. However, the possibility of this was stemmed early on.

The opacity in the appointment processes meant that patronage and lobbying became key to being selected as a member of the MAG. It established the worrying trend of ensuring diversity and representation taking precedent over the necessity of ensuring that representatives were appointed through a bottom-up multistakeholder process. Further, distributing the composition to ensure geographic representation severely limited participation of technical, academic and civil society. In the next section, I focus on the rotation of members of the MAG over the last ten years to identify and highlight trends that have emerged in its composition.

Analysis of MAG Composition (2006 - 2015)

This primary data for the analysis of the MAG membership has been collected from the membership list from 2010-2015 available on the I website. The membership list for 2005, 2006, 2007 and 2008 have been provided by the UN IGF Secretariat during the course of this research. To the best of my knowledge, this data is yet to be made publicly available and may be accessed here.^[39] The Secretariat notes that the MAG membership did not change in 2008 and 2009 and the confirmation is the only account of the list of members for both years, as the records were poorly maintained and are therefore unavailable in the public domain.

It is also worth noting that to the best of my knowledge, no data has been made available by the IGF Secretariat regarding the nomination process and the criteria on which a particular member has been re-elected to the MAG. The stakeholder groups identified for this analysis include government, civil society, industry, technical community and academia. Any overlap between two or more of these groups or movements of individuals between stakeholder groups and affiliations has been taken into account.

Over the decade of its existence, the MAG has had 196 unique members from various stakeholder groups. As per the Terms of Reference^[40] (ToR) of the MAG, it is the prerogative of the UN Secretary General to select MAG members. There also exists a policy of rotating one-third members of MAG every year for diversity and taking new viewpoints in consideration. Diversity within the UN is an ingrained process where every group is expected to be evenly balanced in geographic and gender representation. However, ensuring a diverse membership often comes at the cost of legitimate expertise. Further it may often lead to top-down decision making where individuals are appointed based on their characteristics rather than qualifications.

The complexity of the selection process is further compounded by the fact that the IGF Secretariat provides an initial set of recommendations identifying which members should be appointed to the MAG, but the selection and appointment is undertaken by UNDESA civil servants based in New York. Notably, while the IGF Secretariat staff is familiar with and interacts with stakeholder representatives at internet governance meetings and forums that are regularly held in Geneva, the New York UN based officials do not share such relationships with constituent groups.

Consequently, they end up selecting members who meet all their diversity requirements and have put themselves forward through the standard UN open nomination process. The practice of ensuring that UN diversity criteria is met, creates tension within the MAG membership as representatives nominated by different stakeholder and who have more legitimacy within their respective constituencies are not appointed to the MAG.

The stress on maintaining diversity is evident in the MAG membership’s gradual expansion from an initial group of 46 members in 2006 to include a total of 56 members as of 2015. However the increase in membership has not impacted representation of the technical, academic and civil society constituencies with only 56 members having been appointed from the three groups over the last decade.

This is problematic considering that at the time of its constitution of the MAG the composition did not recognise^[41] technical community as a distinct group, including it along with academic community as part of civil society. Consequently the three stakeholder groups have been represented collectively in the MAG and yet account for only 24.77% of the total membership compared to the government’s share of 39.3% and industry’s share of 35.7% respectively. At the regional level too membership across the three groups has ranged between 20-25% of the total membership.

The technical community is the least represented constituency accounting for only 5% of the total membership with only 10 members having been appointed over ten years. Of the 10, 6 were appointed from the WEOG region and there were no representatives appointed from the GRULAC region. Representatives from academia accounted for only 6% of the total membership with 13 representatives from the group having been appointed on the MAG. The technical community representation too was low from the US with only two members being appointed to the MAG and with each serving for a period of three years.

Civil society accounted for only 17% of the total membership with a total of 33 members and representation from the constituency was abysmally low across all regions. Civil society representation from the US included a total of five members, of which one served for one year, three served for two years each and only one representative continued for more than three years. Notably, there have been no academics from the US which is surprising given that most of the scholarship on internet governance is dominated by US scholars.

Industry was second largest represented group with a total of 64 members appointed to the MAG of which a whopping 30 members were appointed from the WEOG region. Representation was the highest across WEOG countries with 39.47% of the total membership and the group accounted for 32.4% and 32.5% of the total members from Africa and Asia Pacific respectively. Across Eastern European and GRULAC countries industry representation was very low accounting for merely 11.53% and 18.18% of the total membership respectively. Industry representative from the US Included two members serving one year each, five members who served two years each, two members who continued for three years each, one member was appointed for five years, one member who completed the maximum MAG term of eight years.

It is also interesting to note that the industry membership base expanded steadily, spiking in 2012 with a total of 40 representatives from the industry on the MAG. When assessed against the trend of the core leadership trickling out in 2012, the sudden increase in industry representation may point to attempts at capture from the stakeholder group in 2012. Industry representation from US in the MAG was by far the most consistent over the years and had the most evenly distributed appointment terms for members within a group.

Government has been the most dominant group within the MAG averaging a consistent 40% of the total membership over the last 10 years. At a regional level representation on the MAG was highest from Eastern Europe with more than 61% of its total membership comprising of individuals from the government constituency. GRULAC countries appointments to the MAG also demonstrate a preference for government representation with almost 58% of the total members appointed from within this group. The share of government representation in the total membership from Asia Pacific was 47.5% and 32.43% across Africa.

Another general policy followed in the selection procedure is that members are appointed for a period of one year, which is automatically extendable for two more years consecutively depending on their engagement in MAG activities. Members serving for one year term is inevitable due to the rotation policy, as new members replace existing members and often it may be the case of filling slots to ensure stakeholder group, geographic and gender diversity. Due to the limited resources made available for coordination between MAG members, one year appointments may not allow sufficient time for integrating new members into the procedures and workings of UN institutions.

Over the last decade 24.36% of the total appointed MAG members have been limited to serving a term of one year. Of the total 55 one year appointments 26 individuals served their first term in 2015 alone. This includes all nine representatives of civil society and it could be argued that for a stakeholder group with only 11% of the total membership share, such a rehaul weakens the ability of members to develop linkages severely limiting their ability to exert influence on decision making within the MAG.

Interestingly, the analysis reveals that one year term was a trend in the early years of the MAG where a core group took on the leadership role and continued guiding activities for newcomers including negotiating often conflicting agendas. The pattern of one year appointments was hardly visible from 2008-2012 but picked up again in 2013 and has continued ever since. The trend is perhaps indicative of the movement in the core MAG leadership as many of the original members retired or moved on to other engagements from 2010.

Importantly, the MAG ToR note that in case there is a lack of candidates fitting the desired area or under exceptional circumstances a member may continue beyond three years. However in the formative years the MAG this exception was the norm with most members continuing for more than three years. An analysis of the membership reveals that between 2006-2012 an elite core emerges which guided and was responsible for shaping the MAG and the IGF in its present day format. No doubt some of these members were exceptional talents and difficult to replace, however the lack of transparency in the nomination system makes it difficult to determine the basis on which these people continued beyond the stipulated one year term.

The analysis also suggests a shift in the leadership core over the last three years and points that a new leadership group is emerging which is distinguishable in that most members have served on the MAG for three or four years. Members serving for one, two or three years makes up more than 75% of the total membership and 111 individual members have served more than 2 years on the MAG. This could be the result of the depletion in membership of those familiar with internal workings and power structures within the UN, and the selection and rotation criteria and procedures that have weakened the original composition over the last decade.

Rotating membership might be necessary to prevent capture from any particular constituency or group, on the other hand more than half of the total members have spent less than three years on the MAG which makes the composition a shifting structure that limits long term engagement. Regular rotation of members can also lead to power struggles as continuing members exercise their influence to ensure that more members from within their constituency groups are appointed. Only seven individuals have completed the maximum term of eight years on the MAG while 23 individuals have completed five years or more on the MAG.

Finally, in terms of gender diversity, the ratio of male to female members is approximately 13:7 in the total membership with the approximate value in percentage being 65% and 35% respectively. Female representatives from WEOG countries dominate with a total of 29 women having been appointed from the region. Participation of women was the lowest across Asia Pacific and Eastern Europe with only nine and five representatives having been appointed respectively. There was a better balance of gender ratios across countries from Africa and GRULAC with 12 and 14 females having been appointed from the region.

Further analysis and visualisations derived from the MAG composition and identifying trends in appointment of individual members are available on the CIS website. The visualizations include MAG membership distribution across region^[42] and stakeholder groups^[43], evolution of stakeholder groups over the years^[44], stakeholder group distribution across countries^[45] and the timeline of total number of years served by individual members^[46]. The valuation also include a comparison of stakeholder group representatives appointed across India and the USA.^[47]

Recommendations: Reforming MAG & the IGF

Between April 4-6, 2016 the MAG convened in Geneva towards the IGF’s first planning meeting for the year^[48]. The meeting marks the beginning of MAG’s work in planning and delivering the forum, the first in its recently renewed and now extended mandate. This report is a much needed documentation of its working and processes and has been undertaken as an attempt to scrutinize if the MAG is truly a multi-stakeholder institution or if it is has evolved as a closed group of elite members cloaked in a multi-stakeholder name.

There is very little literature on the evolution of, or critiquing the MAG structure partly due to it being a relatively new structure and partly due its workings being shrouded in secrecy. The above analysis has been conducted with the aim of trying to understand MAG’s functioning of the selection of its membership. The paper explores the history of the formation of IGF and the MAG to identify the geo-political influences that have contributed to the MAG’s evolution and role in shaping the IGF over the last decade.

In this section I apply the theory of institutional isomorphism developed by DiMaggio and Powell in their seminal paper^[49] on organizational theory and social change. The paper posits that as organisations emerge as a field, a paradox arises where rational actors make their organizations increasingly similar as they try to change them. A focus on institutional isomorphism can add a much needed perspective on the political struggle for organizational power and survival that is missing from much of discourse and literature around the IGF and the MAG.

A consideration of isomorphic processes also leads to a bifocal view of power and its application in modern politics. I believe that there is much to be gained by attending to similarity as well as to variation between organisations within the same field and, in particular, to change in the degree of homogeneity or variation over time. In this paper I have attempted to study the incremental change in the IGF mandate as well as in the selection of the MAG members.

Applying the theoretical framework proposed by DiMaggio and Powell I identify possible areas of concern and offer recommendations for improvement of the IGF and reform of the MAG. I detail these recommendations through the impact of resource centralization and dependency, goal ambiguity, professionalization and structuration on isomorphic change. There is variability in the extent to and rate at which organizations in a field change to become more like their peers. Some organizations respond to external pressures quickly; others change only after a long period of resistance.

DiMaggio and Powell hypothesize that the greater the extent to which an organizational field is dependent upon a single (or several similar) source of support for vital resources, the higher the level of isomorphism. Their organisational theory also posits that the greater the extent to which the organizations in a field transact with agencies of the state, the greater the extent of isomorphism in the field as a whole. As my analysis reveals both hypotheses hold true for the IGF which is currently defined as a ‘project’ of the UNDESA. Since the IGF and the MAG are dependent on the UN for their existence, it is not surprising that both structures emulate the UN principles for diversity and governmental representation.

It is also worth noting that UN projects are normally not permanent and require regular renewal of mandate, reallocation of resources and budgets. When budget cuts take place as was the case during the global economic crisis, project funding is jeopardized as was the case when the IGF was left without an executive coordinator or a secretariat due to UN budget cuts.

This led to constituent groups coming together to directly fund the IGF secretariat through a special IGF Trust Fund created under an an agreement with the United Nations and to be administered by the UNDESA.^[50] The fund was drawn up to expire on 31 December 2015 and efforts to renew contribution to the fund for 2016 is being opposed and questions on the legality of the arrangement are being raised.^[51]

It is widely rumoured that the third party opposing the contribution is UNDESA itself. Securing guaranteed, stable and predictable funding for the IGF, including through a broadened donor base, is essential for the forum’s long term stability and ability to realize its underutilized potential. There have been several suggestions from the community in this regard including IT for Change’s suggestion that part of domain names tax collected by ICANN should to be dedicated to IGF funding through statutory/ constitutional arrangements. Centralisation of resources may lead to power structures being created and therefore any attempts at IGF and MAG reform in the future must consider the choice between incorporating the IGF as a permanent body with institutional funding under the UN and the implications of that on the forum’s structure.

There are four other hypotheses in DiMaggio and Powell’s framework that may be helpful in identifying levers for improvement of the IGF and the MAG. The first states that, the greater the extent to which goals are ambiguous within afield, the greater the rate of isomorphic change. As my analysis suggests, there is an urgent need to address the decade long debate on the MAG’s scope as a programme committee limited to planning an annual forum.

The question is linked to the broader need to clarify if the IGF will continue to evolve as an annual policy-dialogue forum or if it can take on a more substantive role that includes offering recommendations and assisting with development of policy on critical issues related to internet governance. Even the MAG is divided in its interpretation of its roles and responsibilities. A resurgence of the IGF necessitates that the global community reassess the need of the forum not only on the mandate assigned to it at the time of its conceptualisation but also in light of the newer and more complex challenges that have emerged over the decade.

The second hypothesis holds that the greater the extent of professionalization in a field greater the amount of institutional isomorphic change. DiMaggio and Powell measure professionalization by the universality of credential requirements, the robustness of training programs, or the vitality of professional associations. As the MAG composition analysis reveals the structure has evolved in a manner that gives preference to participation from the government and industry over participation from civil society, technical and academic communities.

Since the effect of institutional isomorphism is homogenization, the best indicator of isomorphic change is a decrease in variation and diversity, which could be measured by lower standard deviations of the values of selected indicators in a set of organizations. Such professionalization is evident in the functioning of the MAG that has taken on bureaucratic structure akin to other UN bodies where governmental approval weighs down an otherwise light-weight structure. Further the high level of industry representation creates distrust amongst other stakeholders and may be a reason the forum lacks legitimacy as a mechanism for governance as it could be perceived as being susceptible to capture.

The third hypothesis states that fewer the number of visible alternative organizational models in a field, the faster the rate of isomorphism in that field. The IGF occupies a special place in the UN pantheon of semi-autonomous groups and is often held up as a shining example of the ‘multistakeholder model’, where all groups have an equal say in decisions. Currently, there is no global definition of the multistakeholder model which at best remains a consensus framework for legitimizing Internet institutions.

It is worth noting that the system of sovereignty where authority is imposed is at odds with the earned authority within Internet institutions. Given the various interpretations of the approach, if multistakeholderism is to survive as a concept then it needs to be understood as a legitimizing principle that is strictly at odds with state sovereignty-based conceptions of legitimacy.^[52] Under a true multistakeholder system, states can have roles in Internet governance but they cannot unilaterally declare authority, or collectively assert it without the consent of the rest of the Internet.

Unfortunately as the MAG membership reveals the composition is dominated by governmental representatives who seek to enforce territorial authority over issues of global significance. Further, while alternative approaches to its application exist within the ecosystem they are context specific and have evolved within unique environments.^[53] As critics note emerging and existing platforms derived from the multistakeholder concept create ‘an embryonic form of transnational democracy’. Therefore it is important to recognise that the IGF is a physical manifestation of a much larger ideal, one where individuals and organizations have the ability to help shape the Internet and the information society to which it is intrinsically connected. This points to the need to study and develop alternative models to multistakeholder governance while continuing to strengthen existing practices and platforms.

As such, the IGF and its related local, national and regional initiatives represent a critical channel for expression especially for countries where such conversation is not pursued adequately and keeps discussions of the internet in the public space as opposed to building from regional/national initiatives. However, interaction between the global IGF and national IGFs is yet to be established. The MAG can play a critical role in developing and establishing mechanism to improve the national IGFs coordination with regional and national initiatives. A strengthened IGF could better serve national initiatives by providing formal backing and support to develop as platforms for engaging with long standing and emerging issues and identifying possible ways to address them.

DiMaggio and Powell’s final hypothesis holds that the greater the extent of structuration of a field, the greater the degree of isomorphism. As calls for creating structures to govern cyberspace pick up pace and given the extension of the IGF mandate its structure and working are in need of a rehaul. More research and analysis is needed to understand if there is a preferred approach for multistakeholder participation and engagement is emerging within both the IGF and MAG.

For example, if a portion or category of stakeholder group, countries and regions are not engaging in common dialogue, does the MAG have the mandate to promote and encourage participation? Has a process been established for ensuring a right balance when engaging different stakeholders and if yes, how is such a process initiated and promoted? The data shared by the IGF Secretariat confirmed that there were no records of the nomination procedure, that the membership list was missing for a year and that there was confusion in some cases who the nominees were are actually representing.

This opens up glaring questions on the legitimacy of the MAG such as on what criteria were MAG members selected and rotated? Was this evaluation undertaken by objective criteria or were representative handpicked by the UN? Moreover, it is important to asses of selection took place following an open call for nominations; or if members were handpicked by UN. Such analysis will help determine if there is scope within the current selection procedure to reach out to the wider multistakeholder community or if all MAG activities and discussions are restricted to its constituent membership. Clarifying the role of the IGF in the internet governance and policy space is inextricably linked to reforms in the MAG structure and processes and the questions raised above need urgent attention.

While these issues have been well known and documented for a number of years, yet there has been no progress on resolving them. Currently there is no website or document that lists the activities conducted by MAG in furtherance of ToR, nor does it produce annual report or maintain a publicly archived mailing list. Important recommendations for strengthening the IGF were made by the UN CSTD working group on IGF improvements.

The group took two years to produce its report identifying problems and offering recommendations that were to be implemented by end of 2015 and yet many of the problems identified within it have yet to be addressed. Worryingly, an internal MAG proposal to set up a working group to dig into the delays is being bogged down with discussions over scope and membership and a similar effort six months ago was also shot down.^[54]

The ineffectiveness of the MAG to institute reform have led to calls for a new oversight body with established bylaws as the MAG in its present form does not seem up to the task. Further the opaque decision making process and lack of clarity on the scope of the MAG means that each time it undertakes efforts for improvements these are thwarted as being outside of its mandate. There remains a lot of work to be done in strengthening the MAG structure as the group that undertakes the day-to-day work of the IGF and the many issues that plague the role and function of the IGF. A tentative beginning can be made by introducing transparency and accountability in MAG member selection.

^[1] This paper has been authored as part of a series on internet governance and has been made possible through a grant from the MacArthur Foundation.

^[2] The Internet Governance Forum See: http://www.intgovforum.org/cms/

^[3] World Summit on the Information Society (WSIS)+10 High-Level Meeting See: https://publicadministration.un.org/wsis10/

^[4]The mandate and terms of reference of the IGF are set out in paragraphs 72 to 80 of the Tunis Agenda for the Information Society (the Tunis Agenda). See: http://www.itu.int/net/wsis/docs2/tunis/off/6rev1.html

^[5] Samantha Bradshaw, Laura DeNardis, Fen Osler Hampson, Eric Jardine and Mark Raymond ‘The Emergence of Contention in Global Internet Governance’, the Centre for International Governance Innovation and Chatham House, 2015 See: https://www.cigionline.org/sites/default/files/no17.pdf

^[6] Mikael Wigell, ‘Multi-Stakeholder Cooperation in Global Governance’, The Finnish Institute of International Affairs. June 2008, See: https://www.ciaonet.org/attachments/6827/uploads

^[7] Arun Mohan Sukumar, India’s New ‘Multistakeholder’ Line Could Be a Game Changer in Global Cyberpolitics,The Wire, 22 June 2015 See:http://thewire.in/2015/06/22/indias-new-multistakeholder-line-could-be-a-gamechanger-in-global-cyberpolitics-4585/

^[8] Background Note on Sub-Theme Principles of Multistakeholder/Enhanced Cooperation, IGF Bali 2013 See: https://www.intgovforum.org/cmsold/2013/2013%20Press%20Releases%20and%20Articles/Principles%20of%20Multistakeholder-Enhanced%20Cooperation%20-%20Background%20Note%20on%20Sub%20Theme%20-%20IGF%202013-1.pdf

^[9] Statement by Mr. Santosh Jha, Director General, Ministry of External Affairs, at the First Session of the Review by the UN General Assembly on the implementation of the outcomes of the World Summit on Information Society in New York on July 1, 2015 See: https://www.pminewyork.org/adminpart/uploadpdf/74416WSIS%20stmnt%20on%20July%201,%202015.pdf

^[10] Jean-Marie Chenou, Is Internet governance a democratic process ? Multistakeholderism and transnational elites, IEPI – CRII Université de Lausanne, ECPR General Conference 2011,Section 35 Panel 4 See: http://ecpr.eu/filestore/paperproposal/1526f449-d7a7-4bed-b09a-31957971ef6b.pdf

^[11] Ibid. 9

^[12] Kieren McCarthy, ‘Critics hit out at 'black box' UN internet body’, The Register 31 March 2016 See: http://www.theregister.co.uk/2016/03/31/black_box_un_internet_body/?page=3

^[13] Ibid.

^[14] Malcolm Jeremy, ‘Multistakeholder governance and the Internet Governance Forum, Terminus Press 2008

^[15] Background Report of the Working Group on Internet Governance June 2005 See: https://www.itu.int/net/wsis/wgig/docs/wgig-background-report.pdf

^[16] Report of the Working Group on Internet Governance, Château de Bossey June 2005 http://www.wgig.org/docs/WGIGREPORT.pdf

^[17] Compilation of Comments received on the Report of the WGIG, PrepCom-3 (Geneva, 19-30 September 2005) See: http://www.itu.int/net/wsis/documents/doc_multi.asp?lang=en&id=1818%7C2008

^[18] U.S. Principles on the Internet's Domain Name and Addressing System June 30, 2005 See: https://www.ntia.doc.gov/other-publication/2005/us-principles-internets-domain-name-and-addressing-system

^[19] Ibid. 16.

^[20] Tom Wright, ‘EU Tries to Unblock Internet Impasse’, International Herald Tribune

Published: September 30, 2005 See: http://www.nytimes.com/iht/2005/09/30/business/IHT-30net.html

^[21] Kieren McCarthy, Read the letter that won the internet governance battle’, The Register, 2 Dec 2005 See: http://www.theregister.co.uk/2005/12/02/rice_eu_letter/

^[22] United Nations Press Release, 2 March, 2006 Preparations begin for Internet Governance Forum,

http://www.un.org/press/en/2006/sgsm10366.doc.htm

^[23] The Internet Society’s contribution on the formation of the Internet Governance Forum, February 2006 See: http://www.internetsociety.org/sites/default/files/pdf/ISOC_IGF_CONTRIBUTION.pdf

^[24] APC, Questionnaire on the Convening the Internet Governance Forum (IGF) See:http://igf.wgig.org/contributions/apc-questionnaire.pdf

^[25] Milton Mueller, John Mathiason, Building an Internet Governance Forum, 2 Febryary 2006, See: http://www.internetgovernance.org/wordpress/wp-content/uploads/igp-forum.pdf

^[26] Ibid.

^[27] Supra note 11.

^[28] Supra note 20.

^[29] Consultations on the convening of the Internet Governance Forum, Transcript of Morning Session 16 February 2006. See: http://unpan1.un.org/intradoc/groups/public/documents/igf/unpan038960.pdf

^[30] Ibid.

^[31] Ibid.

^[32]Milton Mueller, ICANN Watch, ‘The Forum MAG: Who Are These People?’ May 2006 See: http://www.icannwatch.org/article.pl?sid=06/05/18/226205&mode=thread

^[33] IGF Funding, See: https://intgovforum.org/cmsold/funding

^[34] Supra note 12.

^[35] Ibid.

^[36] ICANN’s infiltration of the MAG was evident in the composition of the first advisory group which included Alejandro Pisanty and Veni Markovski who were sitting ICANN Board members, one staff member (Theresa Swineheart), two former ICANN Board members (Nii Quaynor and Masanobu Katoh); two representatives of ccTLD operators (Chris Disspain and Emily Taylor); two representatives of the Regional Internet Address Registries (RIRs) (Raul Echeberria and Adiel Akplogan). Even the "civil society" representatives appointed were all associated with either ICANN's At Large Advisory Committee or its Noncommercial Users Constituency (or both) Adam Peake of Glocom, Robin Gross of IP Justice, Jeanette Hofmann of WZ Berlin, and Erick Iriarte of Alfa-Redi.

^[37] United Nations Press Release, Secretary General establishes Advisory Group to assist him in convening Internet Governance Forum, 17 May 2006 See: http://www.un.org/press/en/2006/sga1006.doc.htm

^[38] Jeremy Malcolm, Multi-Stakeholder Public Policy Governance and its Application to the Internet Governance Forum See: https://www.malcolm.id.au/thesis/x31762.html

^[39] MAG Spreadsheet CIS Website https://docs.google.com/spreadsheets/d/1uZzfBz9ihj1M0QSvlnORE0nRD62TCRxhA5d1E_RKfhc/edit#gid=1912343648

^[40] Terms of Reference for the Internet Governance Forum (IGF) Multistakeholder Advisory Group (MAG) Individual Member Responsibilities and Group Procedures See: http://www.intgovforum.org/cms/175-igf-2015/2041-mag-terms-of-reference

^[41] United Nations Press Release, Secretary General establishes Advisory Group to assist him in convening Internet Governance Forum, 17 May 2006 See: http://www.un.org/press/en/2006/sga1006.doc.htm

^[42] IGF MAG Membership Analysis, 2006-2015 http://cis-india.github.io/charts/2016.04_MAG-analysis/CIS_MAG-Analysis-2016_Treemap.html

^[43] IGF MAG Membership - Stakeholder Types and Regions - 2006-2015 See: http://cis-india.github.io/charts/2016.04_MAG-analysis/CIS_MAG-Analysis-2016_StakeholderTypes-Regions.html

^[44] IGF MAG Membership - Stakeholder Types across Years - 2006-2015 See: http://cis-india.github.io/charts/2016.04_MAG-analysis/CIS_MAG-Analysis-2016_StakeholderTypes-Years.html

^[45] IGF MAG Membership - Stakeholder Types and Countries - 2006-2015 See: http://cis-india.github.io/charts/2016.04_MAG-analysis/CIS_MAG-Analysis-2016_StakeholderTypes-Country.html

^[46] IGF MAG Membership Timeline, 2006-2015 See: http://cis-india.github.io/charts/2016.04_MAG-analysis/CIS_MAG-Analysis-2016_Member-Timeline.html

^[47] MAG Membership - India and USA - 2006-2015

See: http://cis-india.github.io/charts/2016.04_MAG-analysis/CIS_MAG-Analysis-2016_StakeholderTypes-India-USA.html

^[48] MAG Meetings in 2016

http://www.intgovforum.org/cms/open-consultations-and-mag-meeting

^[49] Paul J. DiMaggio and Walter W. Powell, ‘The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields’, Yale University, American Sociological Review 1983, Vol. 48 (April: 147-160)

^[50] United Nations Funds-In-Trust Project Document Project number: GLO/11/X01 Project title: Internet Governance Forum Country/area: Global Start date: 1 April 2011 End date: 31 December 2015 Executing agency: UNDESA Funding: Multi-donor – extrabudgetary Budget: Long-term project framework – budget “A” See: http://www.intgovforum.org/cms/2013/TrustFund/Project%20document%20IGF.pdf

^[51] Kieren McCarthy, Critics hit out at 'black box' UN internet body, The Register 31 March 2016 See: http://www.theregister.co.uk/2016/03/31/black_box_un_internet_body/?page=2

^[52] Eli Dourado, Too Many Stakeholders Spoil the Soup, Foreign Policy, 15 May 2013 See:http://foreignpolicy.com/2013/05/15/too-many-stakeholders-spoil-the-soup/

^[53] IANA Transition, NetMundial are some of the other examples of multi-stakeholder engagement.

^[54] Ibid.

For more details visit https://cis-india.org/internet-governance/blog/mapping-mag-a-study-in-institutional-isomorphism

RightsCon Silicon Valley 2016

praskrishna — 2016-04-06T15:10:21Z

RightsCon is the world’s leading event convened around the issues of the internet and human rights. The annual conference convenes business leaders, visionaries, technologists, legal experts, civil society members, activists, and government representatives from across the globe on issues at the intersection of tech and human rights. The event was organized by RightsCon.

Program

This year, we had three days ofprogrammingplus a day of satellite events (Day Zero satellite events + three full days of main programming), tackling some of today’s most challenging business and policy issues: freedom of expression, online harassment and countering violent extremism, privacy and digital security, encryption, network discrimination and connectivity, human rights, trade and business, transparency reporting, digital inclusion, internet governance, and much more. Click here to see our program schedule.

With 250+ sessions and over 1,000 registered participants, RightsCon 2016 provided unparalleled opportunities to engage with leading speakers and organizations, both in sessions and through private meetings and discussions. It was also home to an array of parties, movie screenings, and social events throughout the week to help participants meet others in the space.

Elonnai Hickok participated in the following panels and meetings at RightsCon held at Mission Bay Conference Center in San Francisco, California from March 30 to April 1, 2016:

1. Beyond CSR: Promoting Strong Human Rights Performance - Centre for Law and Democracy
2. Ranking ICT Companies on Digital Rights; A How to Guide - Ranking Digital Rights
3. Who is an Intermediary? Harmonizing Definitions? - CIS
4. Manila Principles: One Year Later - CIS and EFF
5. Cross Border Data Requests - American University Washington College of Law, University of Kentucky College of Law.
6. Closed door meeting for Ranking Digital Rights
7. GNI meeting on Mutual Legal Assistance

More info on the RightsCon website

For more details visit https://cis-india.org/internet-governance/news/rightscon-silicon-valley-2016

Will Aadhaar Act Address India’s Dire Need For a Privacy Law?

nehaa — 2016-04-05T16:01:06Z

The article was published by Quint on March 31, 2016.

The passage of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (will hereby be referred to as “the Act”) has led to flak for the government from privacy advocates, academia and civil society, to name a few.

To my mind, the opposition deserves its fair share of criticism (lacking so far), for its absolute failure to engage with and act as a check on the government in the passage of the Act, and the events leading up to it.

The government’s introduction of the Act as a ‘money bill’ under Article 110 of the Constitution of India (“this/the Article”) is a mockery of the constitutional process. It renders redundant, the role of the Rajya Sabha as a check on the functioning of the Lower House.

Article 110 limits a ‘money bill’ only to six specific instances: covering tax, the government’s financial obligations and, receipts and payments to and from the Consolidated Fund of India, and, connected matters.

The Act lies well outside the confines of the Article; the government’s action may attract the attention of the courts.

Political One-Upmanship


Finance Minister Arun Jaitley (left) listens to Reserve Bank of India (RBI) Governor Raghuram Rajan. (Photo: Reuters)

In the past, the Supreme Court (“the Court”) has stepped into the domain of the Parliament or the Executive when there was a complete and utter disregard for India’s constitutional scheme. In recent constitutional history, this is perhaps most noticeable in the anti-defection cases, (beginning with Kihoto Hollohan in 1992); and, in the SR Bommai case in 1994, on the imposition of the President’s rule in states.

In hindsight, although India has benefited from the Court’s action in the Bommai and Hollohan cases, it is unlikely that the passage of the Aadhaar Act as a ‘money bill’, reprehensible as it is, meets the threshold required for the Court’s intervention in Parliamentary procedure.

Besides, the manner of its passage, the Act warrants

Censure for its process
Its (in)compatibility with fundamental rights
The failure to incorporate the suggestions of the Yashwant Sinha-led Standing Committee to UPA’s NIDAI Bill
The possibility of surveillance that it presents
The lack of measures to protect personal information
Its inadequate privacy safeguards
The questions around the realisation of its stated purpose.

Instead, a part of the Aadhaar debate has involved political one-upmanship between the Congress and the BJP, pitting the former’s NIDAI Bill against the latter’s Aadhaar Act.

While an academic comparison between the two is welcome, its use as a tool for political supremacy would be laughable, were it not deeply problematic, given the many serious concerns highlighted above.

Better Than UPA Bill?


The Act may have more privacy safeguards than the earlier UPA Bill. (Photo: iStockphoto)

And while the Act may have more privacy safeguards than the earlier UPA Bill, critics have argued that they not up to the international standard, and instead, that they are plagued by opacity.

Additionally, despite claims that the Act is a significant improvement over the UPA Bill, it fails to address concerns, including around the centralised storage of information, that were raised by civil society members and others.

Perhaps most problematically, however, the Act takes away an individual’s control of her own information. Subsidies, government benefits and services are linked to the mandatory possession of an Aadhar number (Section 7 of the Act), effectively negating the ‘freedom’ of voluntary enrollment (Section 3 of the Act). This directly contradicts the recommendations of the Justice AP Shah Committee, before whom the Unique Identification Authority of India had earlier stated that enrollment in Aadhaar was voluntary.

To make matters worse, the individual does not have the authority to correct, modify or alter her information; this lies, instead, with the UIDAI alone (Section 31 of the Act). And the sharing of such personal information does not require a court order in all cases.


Kanhaiya Kumar speaking in JNU on 3 March 2016. (Photo: PTI)

It may be authorised by Executive authorities under the vague, ill-understood concept of ‘national security’, (Section 33(2) of the Act) which the Act does not define. We would do well to learn the dangers of leaving ‘national security’ open to interpretation, in the aftermath of the recent events at JNU.

These recent events around Aadhaar have only underscored the dire urgency for comprehensive privacy legislation in India and, the need to overhaul our data protection laws to meet our constitutional commitments along with international standards.

Meanwhile, constitutional challenges to the Aadhaar scheme are currently pending in the Supreme Court. The Court’s verdict may well decide the future of the Aadhaar Act, with the stage already set for a constitutional challenge to the legislation. The BJP’s victory in this case may be short-lived.

For more details visit https://cis-india.org/internet-governance/blog/the-quint-march-31-2016-nehaa-chaudhari-will-aadhaar-act-address-indias-dire-need-for-a-privacy-law

Woman Alleges Harassment at Major International Conference

praskrishna — 2016-03-30T17:06:10Z

A prospective lawyer's name tag was flipped, and she was asked rude questions by a CEO at a conference, where, ironically enough, she was invited to devise sexual harassment policies.

The article by Kavita Patil was published in Bangalore Mirror on March 30, 2016.

Padmini Baruah, 22, a National Law School of India University (NLSIU) student representing Centre for Internet and Society (CIS), at the ICANN55 (Internet Corporation for Assigned Names and Numbers) held at Marrakech, alleged that she was sexually harassed by Khaled Fattal, the chairman and CEO of The Multilingual Internet Group.

On March 2, Baruah had reached out to the conference ombudsman and expressed her concerns about the lack of a specific sexual harassment policy. She was directed to the ICANN55's Standards of Behavior, who invited her for a discussion at the conference in Marrakech.

About three hours before her meeting with the ombudsman on March 6, she had a shock. "I was, unfortunately, subjected to sexual harassment in the nature of verbal remarks and infringement of my personal space by the perpetrator in question, a man I eventually came to know was called Khaled Fattal," she recalled. "Fattal approached me, pulled at my name tag, examined it and dropped it. A little later, he lifted my name tag and flipped it back and forth asking me, "Where are you from?"

He then leaned in, lecherously looked at me and asked, "Do you know how to make a cheese sandwich?" I was taken aback and responded angrily saying, "Yes, that is why I came here, to make you cheese sandwiches." He went on to throw another lecherous look my way and said, "Well, I love veg sandwiches."

Sunil Abraham, executive director of the CIS, said, "ICANN doesn't have a special cell where complaints can be raised but they have an ombudsman. The ombudsman is investigating the case and is in touch with both Baruah and also the perpetrator." He said after she raised the sexual harassment complaint, he received many mails from women who had faced harassment at the event but never made an attempt to raise their voice. "Through CIS we have issued a public statement of support for Baruah and we are waiting for the result of the investigation," he said.

Fattal and the ombudsman were not available for comment despite repeated attempts made by BM to get a response. Baruah, meanwhile, was informed by the ombudsman that her's was the first harassment case reported in the history of ICANN.

For more details visit https://cis-india.org/internet-governance/news/bangalore-mirror-march-30-2016-kavita-patil-woman-alleges-harassment-at-major-international-conference