We are anonymous, we are legion

Come, be my guest

praskrishna — 2015-11-16T02:11:01Z

The success of art residencies in the city has a lot to do with its openness and artists' initiatives.

The article was published in the Hindu on November 14, 2015.

Can we deny even for a moment that a setting has inspired many a creative minds in their pursuits? A space which allows you to express, create and innovate is crucial to a thinking mind. Bengaluru's art residencies afford that freedom and setting to artists.

Players like 1 Shanthiroad, Jaaga, Taj Residency have rendered city’s art residency scene vibrant. Shortly, TAJ Residency in collaboration with the Centre for Internet and Society, Bengaluru is coming out with “Silicon Plateau”, a book observing intersection of the arts, technology and society. There would be observations emerging from the personal experiences and perspectives of a variety of contemporary artists, writers and researchers, national and international, who either live in or have spent a period of time in the city, or have just crossed paths with its communities. “The book will have original work by the participants of residency,” says artist Tara Kelton who founded TAJ Residency with Galleryske’s Sunitha Kumar Emmart in 2013. When contemporary artist Tara Kelton returned to Bengaluru from New York, Tara felt a gap between people of divergent streams needed to be bridged. “I felt artists were only talking to artists which is why we wanted to build something interdisciplinary. So, we invite economists, scientists, designers, architects, writers and artists to our residencies,” says Tara. As two day residents and three live-in residents create art at the space in Cooke Town for six weeks TAJ Residency works in the direction of furthering a dialogue and facilitating collaborative projects. Over the last two years, the space has hosted around 50 residents.

Art residency is not a new concept but a slightly improved version of art camps which have been happening forever. With exchange programme through fellowships and grants given by Indian and international institutes, entering the fold, art residencies became more common. In Bangalore, artist-led space, 1 Shanthiroad elevated the art residencies to another level.

One of the most seminal names in the world of art residencies, Khoj, an alternative space for art in Delhi, also collaborated with 1 Shanthiroad for three years with a view to have South Asian artists work with artists from Bengaluru or different parts of Southern India.

“With Khoj being in Delhi, artists from Pakistan, Bangladesh would travel to Delhi and go back. The collaboration allowed them to travel down south. It went on to have several ripple effects. Suresh went on to co-curate the first Colombo Biennale in 2012,” says Pooja Sood, Director, Khoj.

According to her, the presence of several art schools also has a role to play. With not much infrastructure to boast, the artists coming out of these places worked towards creating these opportunities to cater to themselves.

The absence of a buoyant market for art unlike Delhi and Mumbai, the art community of Bengaluru started to look beyond. “Bangalore, as such is not a gallery-driven city which is why the residency space often executes the various functions of a gallery. 1 Shanthi Road stands out from many because it is an artist-led initiative, which is why TAKE has often chosen to collaborate with 1 Shanthi Road...” says Bhavna Kakar who runs Gallery Latitude in Delhi and also TAKE on art, an art magazine.

In 1 Shanthiroad again, Bhavna found a perfect platform to organise ‘TAKE on Residencies’ seminar in collaboration with India Foundation for the arts. “The ethos of the residency reflects that of the city — as it is born of the specific culture and is located within it, so naturally it will reflect that aspect of the city. 1 ShanthiRoad aims is to function as an experimental laboratory, it is different in its approach in that it is more homely with its open soup kitchen, its endless addas and the warm paternal presence of Suresh Jayaram as a mentor. It also addresses issues that are often considered ‘out of syllabus’ and it consciously creates a neighbourhood of cultural ethics in the heart of the city,” observes Kakar.

Bar 1, was another force to reckon with once upon a time with regard to art residencies in Bangalore. It hosted more than 120 local, national and international artists. “The India India Residency in collaboration with IFA was special as it brought people from different disciplines together. Six participants - writers, poets, curators - lived together for three months and created works. The residency had artists not only from Bangalore but from small towns and cities in Karnataka. For an artist of Coorg, Bijapur, seeing so much of art meant a lot,” says artist Surekha, who along with Christoph Storz, Ayisha Abraham, Suresh and Smitha Cariappa, formed the core group of BAR 1. It hosted its last residency in 2012.

Suresh Jayaram of 1 ShanthiRoad on art residencies

“These art residencies have put Bangalore on the cultural map of India and also made it a global player. Some major players who have pushed the cause of residencies are Goethe Institut, Pro-Helvetia Swiss Arts Council, Asialink Arts Residency Foundation, Asia New Zealand Foundation. And we have a long-term relationship with them.”

Raising the bar

Bar 1 was another force to reckon with, once upon a time, with regard to art residencies in Bangalore. It hosted more than 120 local, national and international artists. “The India India Residency in collaboration with IFA was special as it brought people from different disciplines together. Six participants - writers, poets, curators - lived together for three months and created works. The residency had artists not only from Bangalore but from small towns and cities in Karnataka. For an artist of Coorg, Bijapur, seeing so much of art meant a lot. While several interesting projects emerged from these residencies like Swiss artist Rahel Hagnauer worked on an environmental project of felling of trees due to construction of flyovers. Haruko created an inflatable space ship and Shreyas Karle created ‘Demon heads of Bangalore’,” says artist Surekha, who along with Christoph Storz, Ayisha Abraham, Suresh and Smitha Cariappa, formed the core group of BAR 1. It hosted its last residency in 2012.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-november-14-2015-come-be-my-guest

A Dialogue on "Zero Rating" and Network Neutrality

praskrishna — 2015-11-08T04:21:26Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. The workshop on Zero Rating and Network Neutrality will be held on November 12, 2015 at IGF 2015. Pranesh Prakash will be speaking at this event.

This was published on the IGF website. Read here the details.

Overview:
The objective of this session is to provide the global Internet community, and policymakers in particular, with an informed and balanced dialogue on the complex Internet policy issue of “zero-rating.”

The purpose of the session is to help others, in their respective countries and locales, in their own analyses of Zero-Rating (ZR). The session will promote access to expert insight and multistakeholder community discussion. We encourage remote and in-person participation and aim for complete diversity across stakeholder groups and perspectives. As a main session, translation will be available in the official UN languages.

There are many different viewpoints on ZR, with some stakeholders being completely against the practice to others being fully supportive. In the open discussion leading up to this session, it has become apparent that some stakeholder approaches to ZR are more nuanced and varied than “for or against.” The session will consider the full spectrum of views.

In the case where ZR is advanced as a means to drive Internet access and narrow the digital divide, this session will also explore alternative approaches, such as the use of community networks.

Agenda:

The agenda is currently being developed between organizers and moderators. Based upon list discussion to date, the session will involve the following elements:

Introduction and Opening - After a brief introduction by the session organizers, the lead moderator will ask expert speakers to provide a brief description of how they view ZR.

Multistakeholder, expert dialogue - A moderated discussion on zero-rating amongst experts holding different positions and perspectives. The discussion will be based upon policy questions contributed from the community.

Community questions and discussion - Remote and in-person participants will be invited to pose questions to the experts, as well as to engage in guided discussion on topics raised.

Alternatives - Alternatives to zero-rating as a means to advance access, such as community networks, will be explained and illustrated.

Contributions from relevant IGF workshops - A handful of workshops at this year’s IGF will consider zero-rating. Organisers or participants from these workshops will be invited to contribute a readout to the session.

Policy Questions:

Based upon submissions from the community, below are examples of the policy questions that will be addressed during the session:

Please describe ZR as you see it in 90 seconds.
Under what circumstances are there benefits of ZR? What are the benefits? Under what circumstances are there detriments from ZR? What are the detriments?
Is all zero-rating bad? Or are there business models of ZR that are good? Should the bad models be regulated? should the good models be regulated? How?
Is ZR an anti-competitive business practice, or does ZR enhance competition?
Does a focus on Zero-Rated Internet access in developing countries divert government attention and investment away from other efforts to enhance access?
In those countries which have banned zero rating, what has been the impact?
Does ZR limit or skew end-user behavior? If so, how? Is this effect different from that of other free offerings over the Internet?
1. What are your thoughts,, for example, the following hypothetical: Imagine that Developer says to Consumer, "Send me your Internet bill at the end of the month. If you are being charged $Y/MB, and you consume Z MB of our service, we will send you a check for $Y*Z or simply reduce your bill with us by that amount.
How should regulators / governments address the potential tension between expanding Internet connectivity and the desire for “pure net neutrality?”

Host Country Chair: Mr. Nivaldo Cleto, Owner at Classico Consultoria, Advisor to the Brazilian Internet Steering Committee of Brazil (CGI.br) and Board member of the Board of Trade of Sao Paulo (JUCESP), as a Representative of the Union.

Moderators:

The role of the moderators is to keep the discussion focused, self-referencing, fluid, friendly, and on time.

Lead/expert moderator: Robert Pepper, VP, Global Technology Policy, Cisco
Remote moderator: Ginger Paque, Director, Internet Governance Programmes, Diplo
Floor and Readout moderator: Carolina Rossini, VP, International Policy, Public Knowledge
Floor and Readout moderator: Vladimir Radunovic, Director, E-diplomacy and Cybersecurity Programmes, Diplo

Expert speakers: (confirmed as of 29 October 2015)

Jochai Ben-Avie, Senior Global Policy Manager, Mozilla, USA
Eduardo Bertoni, Professor, Universidad de Palermo, Argentina
Igor Vilas Boas de Freitas, Commissioner, ANATEL, Brazil
Dušan Caf, Chairman, Electronic Communications Council, Republic of Slovenia
Silvia Elaluf-Calderwood, Research Fellow, London School of Economics, UK/Peru
Belinda Exelby, Director, Institutional Relations, GSMA, UK
Bob Frankston, Computer Scientist, USA
Helani Galpaya, CEO, LIRNEasia, Sri Lanka
Anka Kovacs, Director, Internet Democracy Project, India
Kevin Martin, VP, Mobile and Global Access Policy, Facebook, USA
Pranesh Prakash, Policy Director, Center for Internet and Society, India
Steve Song, Founder, Village Telco, South Africa/Canada
Dhanaraj Thakur, Research Manager, Alliance for Affordable Internet, USA/West Indies
Christopher Yoo, Professor of Law, Communication, and Computer & Information Science, University of Pennsylvania, USA

Plan for online interaction:

This session will include a remote panelist who will be prepared to speak from a remote hub.

Both in situ and remote interventions are being carefully coordinated to maximise a diversity of views in the available time.

This session will treat online participants on equal footing with in situ attendees, and will monitor remote attendees specifically to ensure that their requests to ask questions will be noted. Participant interventions in the session will consist of questions, at two structured points in the session. Floor moderators will collect the questions, and will consult with the panel remote moderator to ensure that remote questions are considered, as the moderators select for stakeholder balance and remote representation. Remote participant questions will be read into the session in English or Spanish by the remote moderator, to avoid 'transaction cost' (time and possible connection difficulties).

‘Feeder’ workshops and/or connections with other sessions:

We have identified the following workshops and other sessions as relevant. Each shall provide a 1-2 minute readout or preview from their session.

Workshop No. 156: Zero-rating and neutrality policies in developing countries
Workshop No. 79: Zero-rating, Open Internet, and Freedom of Expression
Workshop No. 21: SIDS Roundtable: “Free Internet” - Bane or Boon?
Dynamic Coalition Session: Dynamic Coalition on Net Neutrality
Access/PROTESTE event on Zero-Rating

Desired results/output:

As explained above, our desired result is to provide the global Internet community with a well-rounded and insightful dialogue on the Internet policy issue of zero-rating. The discussion is an output in and of itself, from which policymakers around the world should benefit. In accordance with the IGF reporting requirement, a rapporteur shall produce a neutral report of the session, which will not draw conclusions on the topic, but rather will summarise the main points discussed.

For more details visit https://cis-india.org/internet-governance/news/a-dialogue-on-zero-rating-and-network-neutrality

Transnational Due Process: A Case Study in MS Cooperation

praskrishna — 2015-11-08T03:27:02Z

nternet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. Internet & Jurisdiction Project is organizing a workshop on Transnational Due Process on November 13, 2015. Sunil Abraham is a panelist.

Multi-stakeholder cooperation is necessary to develop and implement operational solutions to Internet Governance challenges. One such challenge is the tension between the cross-border nature of the Internet and diverse national jurisdictions. As a result, direct requests are increasingly addressed by public authorities and courts in one country to Internet platforms and DNS operators in other jurisdictions for domain seizures, content takedowns and user identification.

Since 2012, the Internet & Jurisdiction Project facilitates a multi-stakeholder dialogue process on this issue. More than 80 entities have collaboratively produced a draft transnational due process framework. Here, the concept of multi-stakeholder cooperation is therefore relevant both as method (the dialogue process) and as outcome (the collaborative framework).

The roundtable will gather participants in the I&J Project from different stakeholder groups to describe:

the method employed to develop this framework, challenges encountered and solutions found
the potential distribution of roles among the respective stakeholders in the operation of the diverse framework components

The expected benefit is to share concrete experiences around innovative approaches for multi-stakeholder cooperation such as issue-based networks, inter-sessional work methods and transnational policy standards.

This session will also present the proposed framework to the IGF community to solicit feedback, reach out to new actors and discuss the way forward. The roundtable will be prepared in 2015 by two dedicated meetings in Germany and Brazil, as well as by a number of other sessions with stakeholders around the world organized by the Internet & Jurisdiction Project.

Click to read the details on IGF website.

For more details visit https://cis-india.org/internet-governance/news/transnational-due-process-a-case-study-in-ms-cooperation

Cases on the right to be forgotten, what have we learned?

praskrishna — 2015-11-08T02:24:22Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. Jyoti Panday is attending the workshop on "Cases on the right to be forgotten, what have we learned?" to be held on November 11, 2015 at IGF 2015.

Click to read the full details on the IGF website.

Since the EU Court of Justice ruled to uphold and codify the Right to Be Forgotten, Free expression activists fear that the decision will open the door to corporate and government censorship. However and apart from the European case, how much do we know from the rest of the world? It is part of a cross-workshop collaboration with Workshop 31 that look at the procedural and legal implications of such rulings.

In a conversational format, the roundtable seek to understand arguments, scope, discussions and current situation of the Right to be Forgotten outside the EU and around the world in rulings and legislations (enacted and proposed).

The round table will start with kick off presentations (3 minutes) of cases by local activists, such as

Mexican data authority IFAI fine to Google
Colombian Court case against El Tiempo and ultimately Google
Chilean bill intended to modify the Data Protection Act
Legislation in Nicaragua codifying the ‘right to be forgotten’
Japan's court case against Google
South Korean analysis process to adopt the ‘right to be forgotten’

After those presentations, participants will be divided into groups to be facilitated by the speakers. These groups will discuss and note problems, challenges and enabling environments on the cases in order to draw some “lessons learned”. The full group will reconvene on the roundtable format to detect particularities of the debate beyond EU and will present, discuss and define 10 lessons that can be drawn from these experiences to protect freedom of expression in these debates.

For more details visit https://cis-india.org/internet-governance/news/cases-on-the-right-to-be-forgotten-what-have-we-learned

The Benefits and Challenges of the “Free Flow” of Data

praskrishna — 2015-11-08T02:09:40Z

The Internet was designed so that global data flows would be dictated by efficiency, rather than centralized control or oversight. This engineering principle has provided businesses and consumers with access to the best available technology, information, and services, wherever those resources may be located around the world. It has benefitted virtually all industry sectors, from manufacturing to financial services, education, health care, and beyond. The “free flow” of data is what has allowed the Internet flourish into what it is today.

Yet governments, corporations, and non-state actors around the world are increasingly employing a variety of technical, legal, and administrative tools to restrict data flows, limiting routing and data storage to particular jurisdictions and restricting the kinds of content and data types that are permitted online. Some of these restrictions have been put in place for legitimate purposes, designed to further privacy protections, network security, and fair commerce, and have been justified within the bounds of international law and norms. Others, however, are less defensible, and are intended to unfairly support preferred commercial interests or to quell domestic political dissent.

This panel will discuss the many benefits and challenges of the free flow of data. It will foster a discussion of the ways in which stakeholders can address the underlying reasons for data flow restrictions (such as the need for law enforcement access to data or the desire to nurture local ICT industry development, etc.) without subverting the Internet’s core potential for innovation, economic growth, and public welfare.

Name, stakeholder group, and organizational affiliation of workshop proposal co-organizer(s)
Carolina Rossini
Civil Society
Public Knowledge

Has the proposer, or any of the co-organizers, organized an IGF workshop before?

no

Subject matter #tags that describe the workshop

#innovation #barriers #policy #cross-boarder flow #privacy

Description of the plan to facilitate discussion amongst speakers, audience members and remote participants

Each panelist will be given approximately 3 minutes for opening remarks, followed by a moderated discussion, and then audience question and answer. Remote participants will be given the opportunity to ask questions over an online forum, such as Webx and Twitter.

Names and affiliations (stakeholder group, organization) of the participants in the proposed workshop

Name Carolina Rossini Stakeholder group: Civil Society Organization: Public Knowledge Describe why this speaker has been selected: She is a world-renowned expert on Internet policy and law, a Brazilian national. Have you contacted the speaker? Yes Name Vint Cerf Stakeholder group: Private Sector/Technical Community Organization: Google Describe why this speaker has been selected: He has been involved in Internet issues for many years and currently serving in influential vice president and “chief evangelist” role at Google. Have you contacted the speaker? Yes Name Lawrence Strickling Stakeholder group: Government Organization: U.S. Department of Commerce, NTIA Describe why this speaker has been selected: He is the head of one of the United States government’s principal Internet policy agencies. Have you contacted the speaker? Yes Name Richard Leaning Stakeholder group: Government Organization: European Cyber Crime Centre (EC3), Europol Describe why this speaker has been selected: He understands the needs of the law enforcement community from a European perspective, a British national. Have you contacted the speaker? Yes Name Marietje Schaake Stakeholder group: Government Organization: European Parliament Describe why this speaker has been selected: She is a prominent privacy advocate within the European Parliament, a Netherlands national. Have you contacted the speaker? Yes Name Nasser Kettani Stakeholder group: Private Sector Organization: Microsoft Describe why this speaker has been selected: He helps build and design data centers for Microsoft in Africa, a Moroccan national. Have you contacted the speaker? Yes Name Sunil Abraham Stakeholder group: Civil Society Organization: Centre for Internet and Society, India Describe why this speaker has been selected: He is the executive director of one of India’s most influential Internet policy think tanks and advocacy groups. Have you contacted the speaker? No, but know him well. Name Zahra Rose Stakeholder group: Civil Society Organization: Developing Countries' Centre for Cyber Crime Law Describe why this speaker has been selected: A lawyer, she understands the needs of the law enforcement community from a civil society perspective in Pakistan. Have you contacted the speaker? No
Name of in-person Moderator(s) Jonah Force Hill
Name of Remote Moderator(s) Winter Casey, U.S. Department of Commerce, NTIA
Name of Rapporteur(s) Seth Bouvier, U.S. Department of State
Description of the proposer's plans for remote participation We intend to utilize the IGF’s WebX system to include remote participants in the question and answer portion of the panel. The remote participants will be afforded equal/proportional representation in the discussion. The remote moderator will facilitate the Q&A with the moderator. We’ll need a screen in the room to display the remote comments.

For more info visit IGF website.

For more details visit https://cis-india.org/internet-governance/news/the-benefits-and-challenges-of-the-201cfree-flow201d-of-data

Open Forum - DINL, Digital Infrastructure Association

praskrishna — 2015-11-07T14:45:58Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. Digital Infrastructure Netherlands Foundation is organizing this workshop at IGF on Tuesday, November 10, 2015. Jyoti Panday will be speaking at this workshop.

In this open forum we wish to discuss the increase in government engagement with “the internet” to protect their citizens against crime and abuse and to protect economic interests and critical infrastructures. The fact that the traditional benign neglect of states towards the internet is increasingly replaced with political interest has positive and negative effects. We are particularly concerned with those state interventions – often for reasons of national security or economic interest - that impact on the technical and logical ‘core’ of the internet ecosystem – such as interventions in the DNS - and in the impact on organizations and businesses that are traditionally thought of as ‘technical’ and whose roles are in danger of being politicized, such as ISPs, CERTs and hard- and software developers. There is a growing need to separate out the legitimate interests of states from political overreach into the technical and logical core of the internet. A cooperative or constructive approach towards interaction, founded in firm principles, may strengthen the balance and lead to a sustainable protection of Internet values. In this open forum we will present ideas about an agenda for the international protection of ‘the public core of the internet’ and seek to collect and discuss ideas for the formulation of norms and principles and for the identification of practical steps towards that goal. More specifically we aim to discuss: A definition of a public core of the internet: this would comprise the core protocols and infrastructure of the internet which all governments should consider as a global public good, governed by the Internet community and protected from direct activities and involvement by any government Definitions of proper interfaces: outlining norms and mutual expectations that should govern the relations between governments and various central actors in the technical and economic internet ecosystem, such as ISPs, CERTs and hard- and software developers when it comes to fighting cybercrime, retrieve information, mandate takedowns, request information and more.

Speakers
In this IGF open forum DINL wants to explore these ideas and discuss them with thought leaders from other countries. Speakers include:

Bastiaan Goslings (AMS-IX, NL)
Jyoti Panday (CIS, India)
Marilia Maciel (FGV, Brasil)
Dennis Broeders (NL Scientific Council for Government Policy) and will be chaired by Michiel Steltman (DINL), but aims to broaden the debate on this issue with those present.

More information on IGF website here.

For more details visit https://cis-india.org/internet-governance/news/open-forum-dinl-digital-infrastructure-association

Empowering the next billion by improving accessibility

praskrishna — 2015-11-07T14:04:57Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. On Friday, November 13, 2015, Dynamic Coalition on Accessibility and Disability and Global Initiative for Inclusive ICTs (G3ICT) is organizing this workshop. Sunil Abraham is a panelist. Pranesh Prakash will be taking part in the discussions.

While considerable attention is given to the availability of the communication infrastructure to expand usage of the Internet, little attention has been given to the accessibility barriers which prevent over one billion potential users to benefit from the Internet, including for essential services. Those barriers affect persons living with a variety of sensorial or physical disabilities as well as illiterate individuals who may benefit from the same solutions designed for persons with disabilities.

This session will examine the technological and programmatic solutions available today for an effective removal of such barriers, potentially bringing a considerable number of new users to the Internet. Examples in Education, Emergency services, Assistive Technologies for work and independent living in a variety of economic and geographic environments will be covered. The session will also provide a detailed benchmark and statistical overview of the progress made by countries around the world in implementing those solutions. A general discussion with government, industry and persons with disabilities representatives will ensue.

Read more on the IGF website here. List of attendees here.

For more details visit https://cis-india.org/internet-governance/news/empowering-the-next-billion-by-improving-accessibility

Big Data in the Global South International Workshop

praskrishna — 2015-11-06T02:04:49Z

Institute for Technology and Society of Rio de Janeiro welcomes you to an international workshop on Big Data at Hotel Windsor Florida, Rua Ferreira Viana, Flamengo, Rio de Janeiro, Brazil on November 16 and 17, 2015. Open Society Foundations and British Embassy Brasilia are sponsors for the event. The Centre for Internet & Society (CIS) is a research partner. Sunil Abraham, Pranesh Prakash and Vipul Kharbanda will be speaking at this event.

The event will bring together key representatives from government, civil society, the business sector and academia from Brazil, India, United Kingdom and several other countries. This is a closed multistakeholder round-table to discuss and map international examples of Big Data uses and regulation, both by private and public sectors, in order to develop practical strategies to promote adoption of harmonized rules by different actors. The event will also map existing initiatives involving the use of Big Data and present the results of a joint research initiative conducted by ITS and CIS in this field.

Resources

For more details visit https://cis-india.org/internet-governance/events/big-data-in-the-global-south-international-workshop

Breaking Down ICANN Accountability: What It Is and What the Internet Community Wants

ramya — 2015-11-05T15:29:26Z

At the recent ICANN conference held in Dublin (ICANN54), one issue that was rehashed and extensively deliberated was ICANN's accountability and means to enhance the same. In light of the impending IANA stewardship transition from the NTIA to the internet's multi-stakeholder community, accountability of ICANN to the internet community becomes that much more important. In this blog post, some aspects of the various proposals to enhance ICANN's accountability have been deconstructed and explained.

The Internet Corporation for Assigned Names and Numbers, known as ICANN, is a private not-for-profit organization, registered in California. Among other functions, it is tasked with carrying out the IANA function[1], pursuant to a contract between the US Government (through the National Telecommunications and Information Administration – NTIA) and itself. Which means, as of now, there exists legal oversight by the USG over ICANN with regard to the discharge of these IANA functions.[2]

However, in 2014, the NTIA, decided to completely handover stewardship of the IANA functions to the internet’s ‘global multistakeholder community’. But the USG put down certain conditions before this transition could be effected, one of which was to ensure that there exists proper accountability within the ICANN.[3]

The reason for this, was that the internet community feared a shift of ICANN to a FIFA-esque organization with no one to keep it in check, post the IANA transition if these accountability concerns weren’t addressed.[4]

And thus, to answer these concerns, the Cross Community Working Group (CCWG-Accountability) has come up with reports that propose certain changes to the structure and functioning of ICANN.

In light of the discussions that took place at ICANN54 in Dublin, this blog post is directed towards summarizing some of these proposals - those pertaining to the Independent Review Process or IRP (explained below) as well the various accountability models that are the subject of extensive debate both on and off the internet.

Building Blocks Identified by the CCWG-Accountability

The CCWG-Accountability put down four “building blocks”, as they call it, on which all their work is based. One of these is what is known as the Independent Review Process (or IRP). This is a mechanism by which internal complaints, either by individuals or by SOs/ACs[5], are addressed. However, the current version of the IRP is criticized for being an inefficient mechanism of dispute resolution.[6]

And thus the CCWG-Accountability proposed a variety of amendments to the same.

Another building block that the CCWG-Accountability identified is the need for an “empowered internet community”, which means more engagement between the ICANN Board and the internet community, as well as increased oversight by the community over the Board. As of now, the USG acts as the oversight-entity. Post the IANA transition however, the community feels they should step in and have an increased say with regard to decisions taken by the ICANN Board.

As part of empowering the community, the CCWG-Accountability identified five core areas in which the community needs to possess some kind of powers or rights. These areas are – review and rejection of the ICANN budget, strategic plans and operating plans; review, rejection and/or approval of standard bylaws as well fundamental bylaws; review and rejection of Board decisions pertaining to IANA functions; appointment and removal of individual directors on the Board; and recall of the entire Board itself. And it is with regard to what kind of powers and rights are to be vested with the community that a variety of accountability models have been proposed, both by the CCWG-Accountability as well as the ICANN Board. However, of all these models, discussion is now primarily centered on three of them – the Sole Member Model (SMM), the Sole Designator Model (SDM) and the Multistakeholder Empowerment Model (MEM).

What is the IRP?

The Independent Review Process or IRP is the dispute resolution mechanism, by which complaints and/or oppositions by individuals with regard to Board resolutions are addressed. Article 4 of the ICANN bylaws lay down the specifics of the IRP. As of now, a standing panel of six to nine arbitrators is constituted, from which a panel is selected for hearing every complaint. However, the primary criticism of the current version of the IRP is the restricted scope of issues that the panel passes decisions on.[7]

The bylaws explicitly state that the panel needs to focus on a set on procedural questions while hearing a complaint – such as whether the Board acted in good faith or exercised due diligence in passing the disputed resolution.

Changes Proposed by the Internet Community to Enhance the IRP

To tackle this and other concerns with the existing version of the IRP, the CCWG-Accountability proposed a slew of changes in the second draft proposal that they released in August this year. What they proposed is to make the IRP arbitral panel hear complaints and decide the matter on both procedural (as they do now) and substantive grounds. In addition, they also propose a broadening of who all have locus to initiate an IRP, to include individuals, groups and other entities. Further, they also propose a more precedent-based method of dispute resolution, wherein a panel refers to and uses decisions passed by past panels in arriving at a decision.

At the 19^th October “Enhancing ICANN-Accountability Engagement Session” that took place in Dublin as part of ICANN54, the mechanism to initiate an IRP was explained by Thomas Rickert, CCWG Co-Chair.[8]

Briefly, the modified process is as follows -

An objection may be raised by any individual, even a non-member.
This individual needs to find an SO or an AC that shares the objection.
A “pre-call” or remote meeting between all the SOs and ACs is scheduled, to see if objection receives prescribed threshold of approval from the community.
If this threshold is met, dialogue is undertaken with the Board, to see if the objection is sustained by the Board.
If this dialogue also fails, then IRP can be initiated.

The question of which “enforcement model” empowers the community arises post the initiation of this IRP, and in the event that the community receives an unfavourable decision through the IRP or that the ICANN Board refuses to implement the IRP decision. Thus, all the “enforcement models” retain the IRP as the primary method of internal dispute resolution.

The direction that the CCWG-Accountability has taken with regard to enhancement of the IRP is heartening. And these proposals have received large support from the community. What is to be seen now is whether these proposals will be fully implemented by the Board or not, in addition to all the other proposals made by the CCWG.

Enforcement – An Overview of the Different Models

In addition to trying to enhance the existing dispute resolution mechanism, the CCWG-Accountability also came up with a variety of “enforcement models”, by which the internet community would be vested with certain powers. And in response to the models proposed by the CCWG-Accountability, the ICANN Board came up with a counter proposal, called the MEM.

Below is a tabular representation of what kinds of powers are vested with the community under the SMM, the SDM and the MEM.

Power	SMM	SDM	MEM
Reject/Review Budget, Strategies and OPs. + Review/Reject Board decisions with regard to IANA functions.	Sole Member has the reserved power to reject the budget up to 2 times. Member also has standing to enforce bylaw restrictions on the budget, etc.	Sole Designator can only trigger Board consultations if opposition to budget, etc exists. Further, bylaws specify how many times such a consultation can be triggered. Designator only possesses standing to enforce this consultation.	Community can reject Budget up to two times. Board is required by bylaws to reconsider budget post such rejection, by consulting with the community. If still no change is made, then community can initiate process to recall the Board.
Reject/Review amendments to Standard bylaws and Fundamental bylaws	Sole Member has right to veto these changes. Further, member also standing to enforce this right under the relevant Californian law.	Sole Designator can also veto these changes. However, ambiguity regarding standing of designator to enforce this right.	No veto power granted to any SO or AC. Each SO and AC evaluate if they want to voice the said objection. If certain threshold of agreement reached, then as per the bylaws, the Board cannot go ahead with the amendment.
Appointment and Removal of individual ICANN directors	Sole Member can appoint and remove individual directors based on direction from the applicable Nominating Committee.	Sole Member can appoint and remove individual directors based on direction from the applicable Nominating Committee.	The SOs/ACs cannot appoint individual directors. But they can initiate process for their removal. However, directors can only be removed for breach of or on the basis of certain clauses in a “pre-service letter” that they sign.
Recall of ICANN Board	Sole Member has the power to recall Board. Further, it has standing to enforce this right in Californian courts.	Sole Designator also has the power to recall the Board. However, ambiguity regarding standing to enforce this right.	Community is not vested with power to recall the Board. However, if simultaneous trigger of pre-service letters occurs, in some scenarios, only then can something similar to a recall of the Board occur.

A Critique of these Models

SMM:

The Sole Member Model (or SMM) was discussed and adopted in the second draft proposal, released in August 2015. This model is in fact the simplest and most feasible variant of all the other membership-based models, and has received substantial support from the internet community. The SMM proposes only one amendment to the ICANN bylaws - a move from having no members to one member, while ICANN itself retains its character as a non-profit mutual-benefit corporation under Californian laws.

This “sole member” will be the community as a whole, represented by the various SOs and ACs. The SOs and ACs require no separate legal personhood to be a part of this “sole member”, but can directly participate. This participation is to be effected by a voting system, explained in the second draft, which allocates the maximum number of votes each SO and AC can cast. This ensures that each SO/AC doesn’t have to cast a unanimous vote, but each differing opinion within an SO/AC is given equal weight.

SDM:

A slightly modified and watered down version of the SMM, proposed by the CCWG-Accountability as an alternative to the same, is the “Sole Designator Model” or the SDM. Such a model requires an amendment to the ICANN bylaws, by which certain SOs/ACs are assigned “designator” status. By virtue of this status, they may then exercise certain rights - the right to recall the Board in certain scenarios and the right to veto budgets and strategic plans.

However, there is some uncertainty in Californian law regarding who can be a designator - an individual or an entity as well. So whether unincorporated associations, such as the SOs and ACs, can be a “designator” as per the law is a question that doesn’t have a clear answer yet.

Where most discussion with respect to the SDM has occurred has been in the area of the designator being vested with the power to “spill” or remove all the members of the ICANN Board. The designator is vested with this power as a sort of last-resort mechanism for the community’s voice to be heard. However, an interesting point raised in one of the Accountability sessions at ICANN54 was the almost negligible probability of this course of action ever being taken, i.e. the Board being “spilled”. So while in theory this model seems to vest the community with massive power, in reality, because the right to “spill” the Board may never be invoked, the SDM is actually a weak enforceability model.

Other Variants of the Designator Model:

The CCWG-Accountability, in both its first and second report, discussed variants of the designator model as well. A generic SO/AC Designator model was discussed in the first draft. The Enhanced SO/AC Designator model, discussed in the second draft, also functions along similar lines. However, only those SOs and ACs that wanted to be made designators apply to become so, as opposed to the requirement of a mandatory designator under the SDM model.

After the second draft released by the CCWG-Accountability and the counter-proposal released by the ICANN Board (see below for the ICANN Board’s proposal), discussion was mostly directed towards the SMM and the MEM. However, the discussion with regard to the designator model has recently been revived by members of the ALAC at ICANN54 in Dublin, who unanimously issued a statement supporting the SDM.^{^[9]} And following this, many more in the community have expressed their support towards adopting the designator model.[10]

MEM:

The Multi-stakeholder Enforcement Model or MEM was the ICANN Board’s counter-model to all the models put forth by the CCWG-Accountability, specifically the SMM. However, there is no clarity with regard to the specifics of this model. In fact, the vagueness surrounding the model is one of the biggest criticisms of the model itself.

The CCWG-Accountability accounts for possible consequences of implementation every model by a mechanism known as “stress-tests”. The Board’s proposal, on the other hand, rejects the SMM due to its “unintended consequences”, but does not provide any clarity on what these consequences are or what in fact the problems with the SMM itself are.[11]

In addition, many are opposed to the Board proposal in general because it wasn’t created by the community, and therefore not reflective of the community’s views, as opposed to the SMM.[12]

Instead, the Board’s solution is to propose a counter-model that doesn’t in fact fix the existing problems of accountability.

What is known of the MEM though, gathered primarily from an FAQ published on the ICANN community forum, is this: The community, through the various SOs and ACs, can challenge any action of the Board that is CONTRADICTORY TO THE FUNDAMENTAL BYLAWS only, through a binding arbitration. The arbitration panel will be decided by the Board and the arbitration itself will be financed by ICANN. Further, this process will not replace the existing Independent Review Process or IRP, but will run parallely.

Even this small snippet of the MEM is filled with problems. Concerns of neutrality with regard to the arbitral panel and challenge of the award itself have been raised.[13]

Further, the MEM seems to be in direct opposition to the ‘gold standard’ multi-stakeholder model of ICANN. Essentially, there is no increased accountability of the ICANN under the MEM, thus eliciting severe opposition from the community.

What is interesting to note about all these models, is that they are all premised on ICANN continuing to remain within the jurisdiction of the United States. And even more surprising is that hardly anyone questions this premise. However, at ICANN54 this issue received a small amount of traction, enough for the setting up of an ad-hoc committee to address these jurisdictional concerns. But even this isn’t enough traction. The only option now though is to wait and see what this ad-hoc committee, as well as the CCWG-Accountability through its third draft proposal to be released later this year, comes up with.

[1]. The IANA functions or the technical functions are the name, number and protocol functions with regard to the administration of the Domain Name System or the DNS.

[2]. http://www.theguardian.com/technology/2015/sep/21/icann-internet-us-government

[3]. http://www.theregister.co.uk/2015/10/19/congress_tells_icann_quit_escaping_accountability/?page=1

[4]. http://www.theguardian.com/technology/2015/sep/21/icann-internet-us-government

[5]. SOs are Supporting Organizations and ACs are Advisory Committees. They form part of ICANN’s operational structure.

[6]. Leon Sanchez (ALAC member from the Latin American and Caribbean Region) speaking at the Enhancing ICANN Accountability Engagement Session !, ICANN54, Dublin (see page 5) https://meetings.icann.org/en/dublin54/schedule/mon-enhancing-accountability/transcript-enhancing-accountability-19oct15-en

[7]. Leon Sanchez (ALAC member from the Latin American and Caribbean Region) speaking at the Enhancing ICANN Accountability Engagement Session !, ICANN54, Dublin (see page 5) https://meetings.icann.org/en/dublin54/schedule/mon-enhancing-accountability/transcript-enhancing-accountability-19oct15-en

[8]. Thomas Rickert (GNSO-appointed CCWG co-chair) speaking at the Enhancing ICANN Accountability Engagement Session !, ICANN54, Dublin (see page 15,16) https://meetings.icann.org/en/dublin54/schedule/mon-enhancing-accountability/transcript-enhancing-accountability-19oct15-en

[9]. http://www.brandregistrygroup.org/alac-throws-spanner-in-icann-accountability-discussions

[10]. http://www.theregister.co.uk/2015/10/22/internet_community_icann_accountability/

[11]. http://www.theregister.co.uk/2015/09/07/icann_accountability_latest/

[12]. http://www.circleid.com/posts/20150923_empire_strikes_back_icann_accountability_at_the_inflection_point/

[13]. http://www.internetgovernance.org/2015/09/06/icann-accountability-a-three-hour-call-trashes-a-year-of-work/

For more details visit https://cis-india.org/internet-governance/blog/breaking-down-icann-accountability-what-it-is-and-what-the-internet-community-wants

Leveraging Mobile Network Big Data for Development Policy: Opportunities & Challenges

praskrishna — 2015-12-16T01:31:11Z

Amber Sinha participated in this event held at IRDC, New Delhi on November 2, 2015. The event was organized by LIRNEasia.

As part of the International Development Research Centre (IDRC) distinguished lecture series, Sriganesh Lokanathan, Team Leader- Big Data Research at LIRNEasia gave a talk in Delhi (Ramalingaswami Conference Hall, International Development Research Centre, 208 Jor Bagh, New Delhi 110003) on Monday, 2nd November 2015. Sriganesh spoke on the topic of “Leveraging mobile network big data for developmental policy: opportunities & challenges.”

Program:

11.00 a.m.: Welcome and introductions: Dr. Anindya Chatterjee, Asia Regional Director, IDRC

11.05 a.m.: Talk by Mr Sriganesh Lokanathan, Team Leader, Big Data Research, LIRNEasia, Sri Lanka

11.40 a.m.: Discussions and Q & A

12.15 p.m.: Closing remarks: Phet Sayo, Senior Program Officer, IDRC

See the programme details published by LIRNEasia.

For more details visit https://cis-india.org/internet-governance/news/leveraging-mobile-network-big-data-for-development-policy-opportunities-challenges

ISO/IEC/ JTC 1/SC 27 Working Groups Meeting, Jaipur

vanya — 2015-12-21T02:38:46Z

I attended this event held from October 26 to 30, 2015 in Jaipur.

The Bureau of Indian Standards (BIS) in collaboration with Data Security Council of India (DSCI) hosted the global standards’ meeting – ISO/IEC/ JTC 1/SC 27 Working Groups Meeting in Jaipur, Rajasthan at Hotel Marriott from 26th to 30th of October, 2015, followed by a half day conference on Friday, 30th October on the importance of Standards in the domain. The event witnessed experts from across the globe deliberating on forging international standards on Privacy, Security and Risk management in IoT, Cloud Computing and many other contemporary technologies, along with updating existing standards. Under SC 27, 5 working groups parallely held the meetings on varied Projects and Study periods respectively. The 5 Working Groups are as follows:

WG1: Information Security Management Systems;
WG 2 :Cryptography and Security Mechanisms;
WG 3 : Security Evaluation, Testing and Specification;
WG 4 : Security Controls and Services; and
WG 5 :Identity Management and Privacy technologies; competence of security management

This key set of Working Groups (WG)met in India for the first time. Professionals discussed and debated development of standards under each working group to develop international standards to address issues regarding security, identity management and privacy.

CIS had the opportunity to attend meetings under Working Group 5. This group further had parallel meetings on several topics namely:

Privacy enhancing data de-identification techniques ISO/IEC NWIP 20889 : Data de-identification techniques are important when it comes to PII to enable the exploitation of the benefits of data processing while maintaining compliance with regulatory requirements and the relevant ISO/IEC 29100 privacy principles. The selection, design, use and assessment of these techniques need to be performed appropriately in order to effectively address the risks of re-identification in a given context. There is thus a need to classify known de-identification techniques using standardized terminology, and to describe their characteristics, including the underlying technologies, the applicability of each technique to reducing the risk of re-identification, and the usability of the de-identified data. This is the main goal of this International Standard. Meetings were conducted to resolve comments sent by organisations across the world, review draft documents and agree on next steps.
A study period on Privacy Engineering framework : This session deliberated upon contributions, terms of reference and discuss the scope for the emerging field of privacy engineering framework. The session also reviewed important terms to be included in the standard and identify possible improvements to existing privacy impact assessment and management standards. It was identified that the goal of this standard is to integrate privacy into systems as part of the systems engineering process. Another concern raised was that the framework must be consistent with Privacy framework under ISO 29100 and HL7 Privacy and security standards.
A study period on user friendly online privacy notice and consent: The basic purpose of this New Work Item Proposal is to assess the viability of producing a guideline for PII Controllers on providing easy to understand notices and consent procedures to PII Principals within WG5. At the Meeting, a brief overview of the contributions received was given,along with assessment of liaison to ISO/IEC JTC 1/SC 35 and other entities. This International Standard gives guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from PII principals online and is applicable to all situations where a PII controller or any other entity processing PII informs PII principals in any online context.
Some of the other sessions under Working Group 5 were on Privacy Impact Assessment ISO/IEC 29134, Standardization in the area of Biometrics and Biometric information protection, Code of Practise for the protection of personally identifiable information, Study period on User friendly online privacy notice and consent, etc.

ISO/IEC/JTC 1/ SC27 is a joint technical committee of the international standards bodies – ISO and IEC on Information Technology security techniques which conducts regular meetings across the world. JTC 1 has over 2600 published standards developed under the broad umbrella of the committee and its 20 subcommittees. Draft International Standards adopted by the joint technical committees are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote in favour of the same. In India, the Bureau of Indian Standards (BIS) is the National Standards Body. Standards are formulated keeping in view national priorities, industrial development, technical needs, export promotion, health, safety etc. and are harmonized with ISO/IEC standards (wherever they exist) to the extent possible, in order to facilitate adoption of ISO/IEC standards by all segments of industry and business.BIS has been actively participating in the Technical Committee work of ISO/IEC and is currently a Participating member in 417 and 74 Technical Committees/ Subcommittees and Observer member in 248 and 79 Technical Committees/Subcommittees of ISO and IEC respectively. BIS holds Secretarial responsibilities of 2 Technical Committees and 6 Subcommittees of ISO.

The last meeting was held in the month of May, 2015 in Malaysia, followed by this meeting in October, 2015 Jaipur. 51 countries play an active role as the ‘Participating Members, India being one, while a few countries as observing members. As a part of these sessions, the participating countries also have rights to vote in all official ballots related to standards. The representatives of the country work on the preparation and development of the International Standards and provide feedback to their national organizations.

There was an additional study group meeting on IoT to discuss comments on the previous drafts, suggest changes , review responses and identify standard gaps in SC 27.

On October 30, 2015 BIS-DSCI hosted a half day International conference on 30 October, 2015 on Cyber Security and Privacy Standards, comprising of keynotes and panel discussions, bringing together national and international experts to share experience and exchange views on cyber security techniques and protection of data and privacy in international standards, and their growing importance in their society. The conference looked at various themes like the Role of standards in smart cities, Responding to the Challenges of Investigating Cyber Crimes through Standards, etc. It was emphasised that due to an increasing digital world, there is a universal agreement for the need of cyber security as the infrastructure is globally connected, the cyber threats are also distributed as they are not restricted by the geographical boundaries. Hence, the need for technical and policy solutions, along with standards was highlighted for future protection of the digital world which is now deeply embedded in life, businesses and the government. Standards will help in setting crucial infrastructure for in data security and build associated infrastructure on these lines.

The importance of standards was highlighted in context of smart cities wherein the need for standards was discussed by experts. Harmonization of regulations with standards must be looked at, by primarily creating standards which could be referred to by the regulators. Broadly, the challenges faced by smart cities are data security, privacy and digital resilience of the infrastructure. It was suggested that in the beginning, these areas must be looked at for development of standards in smart cities. Also, the ISO/IEC has a Working Group and a Strategic Group focussing on Smart Cities. The risks of digitisation, network, identity management, etc. must be looked at to create the standards.

The next meeting has been scheduled for April 2016 in Tampa (USA).

This meeting was a good opportunity to interact with experts from various parts of the World and understand the working of ISO Meetings which are held twice/thrice every year. The Centre for Internet and Society will be continuing work and becoming involved in the standard setting process at the future Working group meetings.

For more details visit https://cis-india.org/internet-governance/blog/iso-iec-jtc-1-sc-27-working-groups-meeting-jaipur

Porn. Panic. Ban: A Conversation on Sexual Expression, Pornography, Sexual Exploitation, Consent

praskrishna — 2015-11-29T07:36:58Z

Point of View and the Internet Democracy Project organized a conference to hold and facilitate an informed conversation on sexual expression, pornography, sexual exploitation and consent. Rohini Lakshané was a speaker. Tanveer Hasan also attended this conference held in New Delhi from October 28 to 30, 2015.

The conference was a first attempt to have an in-depth civil society conversation - among activists, lawyers, researchers working on either gender, sexuality or internet rights, or at their intersections. For more information on the event visit the Internet & Democracy website. Rohini presented her research on online amateur pornography and consent.

For more details visit https://cis-india.org/internet-governance/news/porn-panic-ban-a-conversation-on-sexual-expression-pornography-sexual-exploitation-consent

How India Regulates Encryption

Pranesh Prakash & Japreet Grewal — 2016-07-23T13:24:58Z

Governments across the globe have been arguing for the need to regulate the use of encryption for law enforcement and national security purposes. Various means of regulation such as backdoors, weak encryption standards and key escrows have been widely employed which has left the information of online users vulnerable not only to uncontrolled access by governments but also to cyber-criminals. The Indian regulatory space has not been untouched by this practice and constitutes laws and policies to control encryption. The regulatory requirements in relation to the use of encryption are fragmented across legislations such as the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) and several sector-specific regulations. The regulatory framework is designed to either limit encryption or gain access to the means of decryption or decrypted information.

Limiting encryption

The IT Act does not prescribe the level or type of encryption to be used by online users. Under Section 84A, it grants the Government the authority to prescribe modes and methods of encryption. The Government has not issued any rules in exercise of these powers so far but had released a draft encryption policy on September 21, 2015. Under the draft policy, only those encryption algorithms and key sizes were permitted to be used as were to be notified by the Government. The draft policy was withdrawn due to widespread criticism of various requirements under the policy of which retention of unencrypted user information for 90 days and mandatory registration of all encryption products offered in the country were noteworthy.

The Internet Service Providers License Agreement (ISP License), entered between the Department of Telecommunication (DoT) and an Internet Service Provider (ISP) to provide internet services (i.e. internet access and internet telephony services), permits the use of encryption up to 40 bit key length in the symmetric algorithms or its equivalent in others.[1] The restriction applies not only to the ISPs but also to individuals, groups and organisations that use encryption. In the event an individual, group or organisation decides to deploy encryption that is higher than 40 bits, prior permission from the DoT must be obtained and the decryption key must be deposited with the DoT. There are, however no parameters laid down for use of the decryption key by the Government. Several issues arise in relation enforcement of these license conditions.

While this requirement is applicable to all individuals, groups and organisations using encryption it is difficult to enforce it as the ISP License only binds DoT and the ISP and cannot be enforced against third parties.
Further, a 40 bit symmetric key length is considered to be an extremely weak standard[2] and is inadequate for protection of data stored or communicated online. Various sector-specific regulations that are already in place in India prescribe encryption of more than 40 bits.

The Reserve Bank of India has issued guidelines for Internet banking^{^[3]} where it prescribes 128-bit as the minimum level of encryption and acknowledges that constant advances in computer hardware and cryptanalysis may induce use of larger key lengths. The Securities and Exchange Board of India also prescribes[4] a 64-bit/128-bit encryption for standard network security and use of secured socket layer security preferably with 128-bit encryption, for securities trading over a mobile phone or a wireless application platform. Further, under Rule 19 (2) of the Information Technology (Certifying Authorities) Rules, 2000 (CA Rules), the Government has prescribed security guidelines for management and implementation of information technology security of the certifying authorities. Under these guidelines, the Government has suggested the use of suitable security software or even encryption software to protect sensitive information and devices that are used to transmit or store sensitive information such as routers, switches, network devices and computers (also called information assets). The guidelines acknowledge the need to use internationally proven encryption techniques to encrypt stored passwords such as PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard or PKCS#7 Cryptographic Message Syntax Standard as mentioned under Rule 6 of the CA Rules. These encryption algorithms are very strong and secure as compared to a 40 bit encryption key standard.
The ISP License also contains a clause which provides that use of any hardware or software that may render the network security vulnerable would be considered a violation of the license conditions.[5] Network security may be compromised by using a weak security measure such as the 40 bit encryption or its equivalent prescribed by the DoT but the liability will be imputed to the ISP. As a result, an ISP which is merely complying with the license conditions by employing not more than a 40 bit encryption may be liable for what appears to be contradictory license conditions.
It is noteworthy that the restriction on the key size under the ISP License has not been imported to the Unified Service License Agreement (UL Agreement) that has been formulated by the DoT. The UL Agreement does not prescribe a specific level of encryption to be used for provision of services. Clause 37.5 of the UL Agreement however makes it clear that use of encryption will be governed by the provisions of the IT Act. As noted earlier, the Government has not specified any limit to level and type of encryption under the IT Act however it had released a draft encryption policy that has been suspended due to widespread criticism of its mandate.

The Telecom Licenses (ISP License, UL Agreement, and Unified Access Service License) prohibit the use of bulk encryption by the service providers but they continue to remain responsible for maintaining privacy of communication and preventing unauthorized interception.

Gaining access to means of decryption or decrypted information

Besides restrictions on the level of encryption, the ISP License and the UL Agreement make it mandatory for the service providers including ISPs to provide to the DoT all details of the technology that is employed for operations and furnish all documentary details like concerned literature, drawings, installation materials and tools and testing instruments relating to the system intended to be used for operations as and when required by the DoT.[6] While these license conditions do not expressly lay down that access to means of decryption must be given to the government the language is sufficiently broad to include gaining such access as well. Further, ISPs are required to take prior approval of the DoT for installation of any equipment or execution of any project in areas which are sensitive from security point of view. The ISPs are in fact subject to and further required to facilitate continuous monitoring by the DoT. These obligations ensure that the Government has complete access to and control over the infrastructure for providing internet services which includes any installation or equipment required for the purpose of encryption and decryption.

The Government has also been granted the power to gain access to means of decryption or simply, decrypted information under Section 69 of the IT Act and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

A decryption order usually entails a direction to a decryption key holder to disclose a decryption key, allow access to or facilitate conversion of encrypted information and must contain reasons for such direction. In fact, Rule 8 of the Decryption Rules makes it mandatory for the authority to consider other alternatives to acquire the necessary information before issuing a decryption order.
The Secretary in the Ministry of Home Affairs or the Secretary in charge of the Home Department in a state or union territory is authorised to issue an order of decryption in the interest of sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states or public order or preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence. It is useful to note that this provision was amended in 2009 to expand the grounds on which a direction for decryption can be passed. Post 2009, the Government can issue a decryption order for investigation of any offence. In the absence of any specific process laid down for collection of digital evidence do we follow the procedure under the criminal law or is it necessary that we draw a distinction between the investigation process in the digital and the physical environment and see if adequate safeguards exist to check the abuse of investigatory powers of the police herein.
The orders for decryption must be examined by a review committee constituted under Rule 419A of the Indian Telegraph Rules, 1951 to ensure compliance with the provisions under the IT Act. The review committee is required to convene atleast once in two months for this purpose. However, we have been informed in a response by the Department of Electronics and Information Technology to an RTI dated April 21, 2015 filed by our organisation that since the constitution of the review committee has met only once in January 2013.

Conclusion

While studying a regulatory framework for encryption it is necessary that we identify the lens through which encryption is looked at i.e. whether encryption is considered as a means of information security or a threat to national security. As noted earlier, the encryption mandates for banking systems and certifying authorities in India are contradictory to those under the telecom licenses and the Decryption Rules. Would it help to analyse whether the prevailing scepticism of the Government is well founded against the need to have strong encryption? It would be useful to survey the statistics of cyber incidents where strong encryption was employed as well as look at instances that reflect on whether strong encryption has made it difficult for law enforcement agencies to prevent or resolve crimes. It would also help to record cyber incidents that have resulted from vulnerabilities such as backdoors or key escrows deliberately introduced by law. These statistics would certainly clear the air about the role of encryption in securing cyberspace and facilitate appropriate regulation.

[1] Clause 2.2 (vii) of the ISP License

[2] Schneier, Bruce (1996). Applied Cryptography (Second ed.). John Wiley & Sons

[3] Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds- Implementation of recommendations, 2011

[4] Report on Internet Based Trading by the SEBI Committee on Internet based Trading and Services, 2000; It is useful to note that subsequently SEBI had acknowledged that the level of encryption would be governed by DoT policy in a SEBI circular no CIR/MRD/DP/25/2010 dated August 27, 2010 on Securities Trading using Wireless Technology

[5] Clause 34.25 of the ISP License

[6] Clauses 22 and 23 of Part IV of the ISP License

For more details visit https://cis-india.org/internet-governance/blog/how-india-regulates-encryption

Net advocacy body probing linkages between telcos and Facebook’s auto-play video option

praskrishna — 2015-10-29T00:53:55Z

Centre for Internet and Society (CIS), India’s leading internet advocacy body, which has often been critical of Facebook’s Internet.org — now called Free Basics — initiative, has said that it is looking into the possibility of Facebook helping telecom companies through its auto-play video option.

The article by Prabhu Mallikarjunan was published in the Financial Express on October 28, 2015. Sunil Abraham gave inputs.

In an interaction with FE on Tuesday, Sunil Abraham, executive director of The Centre for Internet and Society, said CIS will inititiate research on the notion that the new video option will result in 50% increase in data billing for the telecom companies. It will also look into whether this, in turn, will encourage the telecom companies to be on the Internet.org platform.

This initiative from CIS comes on the eve of Facebook founder Mark Zuckerberg’s visit to India on Wednesday, where he will address a gathering at IIT, Delhi. Facebook has been trying to hard sell the Free Basics concept at a time when the Indian government is looking to work closely with the internet major to push the Digital India initiative. “The company (Facebook) has done some good things, and also done some not so good things. The good thing is that, they have changed the name of the application and called it Free Basics. Also, they have re-enabled https and have published “the technical requirements document, through which they have eliminated the exclusivity arm both on the telco end and for OTT (Over the top) players,” Abraham said.

“How does FB gain from making the videos autoplay. It doesn’t gain. Why should the telcos be made happy? We are looking into this theory of whether auto-play video option will result in 50% increase in data billing for the telecom companies,” Abraham said.

For more details visit https://cis-india.org/internet-governance/news/financial-express-prabhu-mallikarjunan-october-28-2015-net-advocacy-body-probing-linkages-between-telcos-and-facebooks-auto-play-video-option

Connected Trouble

sunil — 2015-10-28T16:47:58Z

The internet of things phenomenon is based on a paradigm shift from thinking of the internet merely as a means to connect individuals, corporations and other institutions to an internet where all devices in (insulin pumps and pacemakers), on (wearable technology) and around (domestic appliances and vehicles) humans beings are connected.

The guest column was published in the Week, issue dated November 1, 2015.

Proponents of IoT are clear that the network effects, efficiency gains, and scientific and technological progress unlocked would be unprecedented, much like the internet itself.

Privacy and security are two sides of the same coin―you cannot have one without the other. The age of IoT is going to be less secure thanks to big data. Globally accepted privacy principles articulated in privacy and data protection laws across the world are in conflict with the big data ideology. As a consequence, the age of internet of things is going to be less stable, secure and resilient. Three privacy principles are violated by most IoT products and services.

Data minimisation

According to this privacy principle, the less the personal information about the data subject that is collected and stored by the data controller, the more the data subject's right to privacy is protected. But, big data by definition requires more volume, more variety and more velocity and IoT products usually collect a lot of data, thereby multiplying risk.

Purpose limitation

This privacy principle is a consequence of the data minimisation principle. If only the bare minimum of personal information is collected, then it can only be put to a limited number of uses. But, going beyond that would harm the data subject. IoT innovators and entrepreneurs are trying to rapidly increase features, efficiency gains and convenience. Therefore, they don't know what future purposes their technology will be put to tomorrow and, again by definition, resist the principle of purpose limitation.

Privacy by design

Data protection regulation required that products and services be secure and protect privacy by design and not as a superficial afterthought. IoT products are increasingly being built by startups that are disrupting markets and taking down large technology incumbents. The trouble, however, is that most of these startups do not have sufficient internal security expertise and in their tearing hurry to take products to the market, many IoT products may not be comprehensively tested or audited from a privacy perspective.

There are other cyber security principles and internet design principles that are disregarded by the IoT phenomenon, further compromising security and privacy of users.

Centralisation

Most of the network effects that IoT products contribute to require centralisation of data collected from users and their devices. For instance, if users of a wearable physical activity tracker would like to use gamification to keep each other motivated during exercise, the vendor of that device has to collect and store information about all its users. Since some users always wear them, they become highly granular stores of data that can also be used to inflict privacy harms.

Decentralisation was a key design principle when the internet was first built. The argument was that you can never take down a decentralised network by bombing any of the nodes. Unfortunately, because of the rise of internet monopolies like Google, the age of cloud computing, and the success of social media giants, the internet is increasingly becoming centralised and, therefore, is much more fragile than it used be. IoT is going to make this worse.

Complexity

The more complex a particular technology is, the more fragile and vulnerable it is. This is not necessarily true but is usually the case given that more complex technology needs more quality control, more testing and more fixes. IoT technology raises complexity exponentially because the devices that are being connected are complex themselves and were not originally engineered to be connected to the internet. The networks they constitute are nothing like the internet which till now consisted of clients, web servers, chat servers, file servers and database servers, usually quite removed from the physical world. Compromised IoT devices, on the other hand, could be used to inflict direct harm on life and property.

Death of the air gap

The things that will be connected to the internet were previously separated from the internet through the means of an air gap. This kept them secure but also less useful and usable. In other words, the very act of connecting devices that were previously unconnected will expose them to a range of attacks. Security and privacy related laws, standards, audits and enforcement measures are the best way to address these potential pitfalls. Governments, privacy commissioners and data protections authorities across the world need to act so that the privacy of people and the security of our information society are protected.

For more details visit https://cis-india.org/internet-governance/blog/the-week-november-1-2015-sunil-abraham-connected-trouble