We are anonymous, we are legion

Open Forum - DINL, Digital Infrastructure Association

praskrishna — 2015-11-07T14:45:58Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. Digital Infrastructure Netherlands Foundation is organizing this workshop at IGF on Tuesday, November 10, 2015. Jyoti Panday will be speaking at this workshop.

In this open forum we wish to discuss the increase in government engagement with “the internet” to protect their citizens against crime and abuse and to protect economic interests and critical infrastructures. The fact that the traditional benign neglect of states towards the internet is increasingly replaced with political interest has positive and negative effects. We are particularly concerned with those state interventions – often for reasons of national security or economic interest - that impact on the technical and logical ‘core’ of the internet ecosystem – such as interventions in the DNS - and in the impact on organizations and businesses that are traditionally thought of as ‘technical’ and whose roles are in danger of being politicized, such as ISPs, CERTs and hard- and software developers. There is a growing need to separate out the legitimate interests of states from political overreach into the technical and logical core of the internet. A cooperative or constructive approach towards interaction, founded in firm principles, may strengthen the balance and lead to a sustainable protection of Internet values. In this open forum we will present ideas about an agenda for the international protection of ‘the public core of the internet’ and seek to collect and discuss ideas for the formulation of norms and principles and for the identification of practical steps towards that goal. More specifically we aim to discuss: A definition of a public core of the internet: this would comprise the core protocols and infrastructure of the internet which all governments should consider as a global public good, governed by the Internet community and protected from direct activities and involvement by any government Definitions of proper interfaces: outlining norms and mutual expectations that should govern the relations between governments and various central actors in the technical and economic internet ecosystem, such as ISPs, CERTs and hard- and software developers when it comes to fighting cybercrime, retrieve information, mandate takedowns, request information and more.

Speakers
In this IGF open forum DINL wants to explore these ideas and discuss them with thought leaders from other countries. Speakers include:

Bastiaan Goslings (AMS-IX, NL)
Jyoti Panday (CIS, India)
Marilia Maciel (FGV, Brasil)
Dennis Broeders (NL Scientific Council for Government Policy) and will be chaired by Michiel Steltman (DINL), but aims to broaden the debate on this issue with those present.

More information on IGF website here.

For more details visit https://cis-india.org/internet-governance/news/open-forum-dinl-digital-infrastructure-association

Empowering the next billion by improving accessibility

praskrishna — 2015-11-07T14:04:57Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. On Friday, November 13, 2015, Dynamic Coalition on Accessibility and Disability and Global Initiative for Inclusive ICTs (G3ICT) is organizing this workshop. Sunil Abraham is a panelist. Pranesh Prakash will be taking part in the discussions.

While considerable attention is given to the availability of the communication infrastructure to expand usage of the Internet, little attention has been given to the accessibility barriers which prevent over one billion potential users to benefit from the Internet, including for essential services. Those barriers affect persons living with a variety of sensorial or physical disabilities as well as illiterate individuals who may benefit from the same solutions designed for persons with disabilities.

This session will examine the technological and programmatic solutions available today for an effective removal of such barriers, potentially bringing a considerable number of new users to the Internet. Examples in Education, Emergency services, Assistive Technologies for work and independent living in a variety of economic and geographic environments will be covered. The session will also provide a detailed benchmark and statistical overview of the progress made by countries around the world in implementing those solutions. A general discussion with government, industry and persons with disabilities representatives will ensue.

Read more on the IGF website here. List of attendees here.

For more details visit https://cis-india.org/internet-governance/news/empowering-the-next-billion-by-improving-accessibility

Big Data in the Global South International Workshop

praskrishna — 2015-11-06T02:04:49Z

Institute for Technology and Society of Rio de Janeiro welcomes you to an international workshop on Big Data at Hotel Windsor Florida, Rua Ferreira Viana, Flamengo, Rio de Janeiro, Brazil on November 16 and 17, 2015. Open Society Foundations and British Embassy Brasilia are sponsors for the event. The Centre for Internet & Society (CIS) is a research partner. Sunil Abraham, Pranesh Prakash and Vipul Kharbanda will be speaking at this event.

The event will bring together key representatives from government, civil society, the business sector and academia from Brazil, India, United Kingdom and several other countries. This is a closed multistakeholder round-table to discuss and map international examples of Big Data uses and regulation, both by private and public sectors, in order to develop practical strategies to promote adoption of harmonized rules by different actors. The event will also map existing initiatives involving the use of Big Data and present the results of a joint research initiative conducted by ITS and CIS in this field.

Resources

For more details visit https://cis-india.org/internet-governance/events/big-data-in-the-global-south-international-workshop

Breaking Down ICANN Accountability: What It Is and What the Internet Community Wants

ramya — 2015-11-05T15:29:26Z

At the recent ICANN conference held in Dublin (ICANN54), one issue that was rehashed and extensively deliberated was ICANN's accountability and means to enhance the same. In light of the impending IANA stewardship transition from the NTIA to the internet's multi-stakeholder community, accountability of ICANN to the internet community becomes that much more important. In this blog post, some aspects of the various proposals to enhance ICANN's accountability have been deconstructed and explained.

The Internet Corporation for Assigned Names and Numbers, known as ICANN, is a private not-for-profit organization, registered in California. Among other functions, it is tasked with carrying out the IANA function[1], pursuant to a contract between the US Government (through the National Telecommunications and Information Administration – NTIA) and itself. Which means, as of now, there exists legal oversight by the USG over ICANN with regard to the discharge of these IANA functions.[2]

However, in 2014, the NTIA, decided to completely handover stewardship of the IANA functions to the internet’s ‘global multistakeholder community’. But the USG put down certain conditions before this transition could be effected, one of which was to ensure that there exists proper accountability within the ICANN.[3]

The reason for this, was that the internet community feared a shift of ICANN to a FIFA-esque organization with no one to keep it in check, post the IANA transition if these accountability concerns weren’t addressed.[4]

And thus, to answer these concerns, the Cross Community Working Group (CCWG-Accountability) has come up with reports that propose certain changes to the structure and functioning of ICANN.

In light of the discussions that took place at ICANN54 in Dublin, this blog post is directed towards summarizing some of these proposals - those pertaining to the Independent Review Process or IRP (explained below) as well the various accountability models that are the subject of extensive debate both on and off the internet.

Building Blocks Identified by the CCWG-Accountability

The CCWG-Accountability put down four “building blocks”, as they call it, on which all their work is based. One of these is what is known as the Independent Review Process (or IRP). This is a mechanism by which internal complaints, either by individuals or by SOs/ACs[5], are addressed. However, the current version of the IRP is criticized for being an inefficient mechanism of dispute resolution.[6]

And thus the CCWG-Accountability proposed a variety of amendments to the same.

Another building block that the CCWG-Accountability identified is the need for an “empowered internet community”, which means more engagement between the ICANN Board and the internet community, as well as increased oversight by the community over the Board. As of now, the USG acts as the oversight-entity. Post the IANA transition however, the community feels they should step in and have an increased say with regard to decisions taken by the ICANN Board.

As part of empowering the community, the CCWG-Accountability identified five core areas in which the community needs to possess some kind of powers or rights. These areas are – review and rejection of the ICANN budget, strategic plans and operating plans; review, rejection and/or approval of standard bylaws as well fundamental bylaws; review and rejection of Board decisions pertaining to IANA functions; appointment and removal of individual directors on the Board; and recall of the entire Board itself. And it is with regard to what kind of powers and rights are to be vested with the community that a variety of accountability models have been proposed, both by the CCWG-Accountability as well as the ICANN Board. However, of all these models, discussion is now primarily centered on three of them – the Sole Member Model (SMM), the Sole Designator Model (SDM) and the Multistakeholder Empowerment Model (MEM).

What is the IRP?

The Independent Review Process or IRP is the dispute resolution mechanism, by which complaints and/or oppositions by individuals with regard to Board resolutions are addressed. Article 4 of the ICANN bylaws lay down the specifics of the IRP. As of now, a standing panel of six to nine arbitrators is constituted, from which a panel is selected for hearing every complaint. However, the primary criticism of the current version of the IRP is the restricted scope of issues that the panel passes decisions on.[7]

The bylaws explicitly state that the panel needs to focus on a set on procedural questions while hearing a complaint – such as whether the Board acted in good faith or exercised due diligence in passing the disputed resolution.

Changes Proposed by the Internet Community to Enhance the IRP

To tackle this and other concerns with the existing version of the IRP, the CCWG-Accountability proposed a slew of changes in the second draft proposal that they released in August this year. What they proposed is to make the IRP arbitral panel hear complaints and decide the matter on both procedural (as they do now) and substantive grounds. In addition, they also propose a broadening of who all have locus to initiate an IRP, to include individuals, groups and other entities. Further, they also propose a more precedent-based method of dispute resolution, wherein a panel refers to and uses decisions passed by past panels in arriving at a decision.

At the 19^th October “Enhancing ICANN-Accountability Engagement Session” that took place in Dublin as part of ICANN54, the mechanism to initiate an IRP was explained by Thomas Rickert, CCWG Co-Chair.[8]

Briefly, the modified process is as follows -

An objection may be raised by any individual, even a non-member.
This individual needs to find an SO or an AC that shares the objection.
A “pre-call” or remote meeting between all the SOs and ACs is scheduled, to see if objection receives prescribed threshold of approval from the community.
If this threshold is met, dialogue is undertaken with the Board, to see if the objection is sustained by the Board.
If this dialogue also fails, then IRP can be initiated.

The question of which “enforcement model” empowers the community arises post the initiation of this IRP, and in the event that the community receives an unfavourable decision through the IRP or that the ICANN Board refuses to implement the IRP decision. Thus, all the “enforcement models” retain the IRP as the primary method of internal dispute resolution.

The direction that the CCWG-Accountability has taken with regard to enhancement of the IRP is heartening. And these proposals have received large support from the community. What is to be seen now is whether these proposals will be fully implemented by the Board or not, in addition to all the other proposals made by the CCWG.

Enforcement – An Overview of the Different Models

In addition to trying to enhance the existing dispute resolution mechanism, the CCWG-Accountability also came up with a variety of “enforcement models”, by which the internet community would be vested with certain powers. And in response to the models proposed by the CCWG-Accountability, the ICANN Board came up with a counter proposal, called the MEM.

Below is a tabular representation of what kinds of powers are vested with the community under the SMM, the SDM and the MEM.

Power	SMM	SDM	MEM
Reject/Review Budget, Strategies and OPs. + Review/Reject Board decisions with regard to IANA functions.	Sole Member has the reserved power to reject the budget up to 2 times. Member also has standing to enforce bylaw restrictions on the budget, etc.	Sole Designator can only trigger Board consultations if opposition to budget, etc exists. Further, bylaws specify how many times such a consultation can be triggered. Designator only possesses standing to enforce this consultation.	Community can reject Budget up to two times. Board is required by bylaws to reconsider budget post such rejection, by consulting with the community. If still no change is made, then community can initiate process to recall the Board.
Reject/Review amendments to Standard bylaws and Fundamental bylaws	Sole Member has right to veto these changes. Further, member also standing to enforce this right under the relevant Californian law.	Sole Designator can also veto these changes. However, ambiguity regarding standing of designator to enforce this right.	No veto power granted to any SO or AC. Each SO and AC evaluate if they want to voice the said objection. If certain threshold of agreement reached, then as per the bylaws, the Board cannot go ahead with the amendment.
Appointment and Removal of individual ICANN directors	Sole Member can appoint and remove individual directors based on direction from the applicable Nominating Committee.	Sole Member can appoint and remove individual directors based on direction from the applicable Nominating Committee.	The SOs/ACs cannot appoint individual directors. But they can initiate process for their removal. However, directors can only be removed for breach of or on the basis of certain clauses in a “pre-service letter” that they sign.
Recall of ICANN Board	Sole Member has the power to recall Board. Further, it has standing to enforce this right in Californian courts.	Sole Designator also has the power to recall the Board. However, ambiguity regarding standing to enforce this right.	Community is not vested with power to recall the Board. However, if simultaneous trigger of pre-service letters occurs, in some scenarios, only then can something similar to a recall of the Board occur.

A Critique of these Models

SMM:

The Sole Member Model (or SMM) was discussed and adopted in the second draft proposal, released in August 2015. This model is in fact the simplest and most feasible variant of all the other membership-based models, and has received substantial support from the internet community. The SMM proposes only one amendment to the ICANN bylaws - a move from having no members to one member, while ICANN itself retains its character as a non-profit mutual-benefit corporation under Californian laws.

This “sole member” will be the community as a whole, represented by the various SOs and ACs. The SOs and ACs require no separate legal personhood to be a part of this “sole member”, but can directly participate. This participation is to be effected by a voting system, explained in the second draft, which allocates the maximum number of votes each SO and AC can cast. This ensures that each SO/AC doesn’t have to cast a unanimous vote, but each differing opinion within an SO/AC is given equal weight.

SDM:

A slightly modified and watered down version of the SMM, proposed by the CCWG-Accountability as an alternative to the same, is the “Sole Designator Model” or the SDM. Such a model requires an amendment to the ICANN bylaws, by which certain SOs/ACs are assigned “designator” status. By virtue of this status, they may then exercise certain rights - the right to recall the Board in certain scenarios and the right to veto budgets and strategic plans.

However, there is some uncertainty in Californian law regarding who can be a designator - an individual or an entity as well. So whether unincorporated associations, such as the SOs and ACs, can be a “designator” as per the law is a question that doesn’t have a clear answer yet.

Where most discussion with respect to the SDM has occurred has been in the area of the designator being vested with the power to “spill” or remove all the members of the ICANN Board. The designator is vested with this power as a sort of last-resort mechanism for the community’s voice to be heard. However, an interesting point raised in one of the Accountability sessions at ICANN54 was the almost negligible probability of this course of action ever being taken, i.e. the Board being “spilled”. So while in theory this model seems to vest the community with massive power, in reality, because the right to “spill” the Board may never be invoked, the SDM is actually a weak enforceability model.

Other Variants of the Designator Model:

The CCWG-Accountability, in both its first and second report, discussed variants of the designator model as well. A generic SO/AC Designator model was discussed in the first draft. The Enhanced SO/AC Designator model, discussed in the second draft, also functions along similar lines. However, only those SOs and ACs that wanted to be made designators apply to become so, as opposed to the requirement of a mandatory designator under the SDM model.

After the second draft released by the CCWG-Accountability and the counter-proposal released by the ICANN Board (see below for the ICANN Board’s proposal), discussion was mostly directed towards the SMM and the MEM. However, the discussion with regard to the designator model has recently been revived by members of the ALAC at ICANN54 in Dublin, who unanimously issued a statement supporting the SDM.^{^[9]} And following this, many more in the community have expressed their support towards adopting the designator model.[10]

MEM:

The Multi-stakeholder Enforcement Model or MEM was the ICANN Board’s counter-model to all the models put forth by the CCWG-Accountability, specifically the SMM. However, there is no clarity with regard to the specifics of this model. In fact, the vagueness surrounding the model is one of the biggest criticisms of the model itself.

The CCWG-Accountability accounts for possible consequences of implementation every model by a mechanism known as “stress-tests”. The Board’s proposal, on the other hand, rejects the SMM due to its “unintended consequences”, but does not provide any clarity on what these consequences are or what in fact the problems with the SMM itself are.[11]

In addition, many are opposed to the Board proposal in general because it wasn’t created by the community, and therefore not reflective of the community’s views, as opposed to the SMM.[12]

Instead, the Board’s solution is to propose a counter-model that doesn’t in fact fix the existing problems of accountability.

What is known of the MEM though, gathered primarily from an FAQ published on the ICANN community forum, is this: The community, through the various SOs and ACs, can challenge any action of the Board that is CONTRADICTORY TO THE FUNDAMENTAL BYLAWS only, through a binding arbitration. The arbitration panel will be decided by the Board and the arbitration itself will be financed by ICANN. Further, this process will not replace the existing Independent Review Process or IRP, but will run parallely.

Even this small snippet of the MEM is filled with problems. Concerns of neutrality with regard to the arbitral panel and challenge of the award itself have been raised.[13]

Further, the MEM seems to be in direct opposition to the ‘gold standard’ multi-stakeholder model of ICANN. Essentially, there is no increased accountability of the ICANN under the MEM, thus eliciting severe opposition from the community.

What is interesting to note about all these models, is that they are all premised on ICANN continuing to remain within the jurisdiction of the United States. And even more surprising is that hardly anyone questions this premise. However, at ICANN54 this issue received a small amount of traction, enough for the setting up of an ad-hoc committee to address these jurisdictional concerns. But even this isn’t enough traction. The only option now though is to wait and see what this ad-hoc committee, as well as the CCWG-Accountability through its third draft proposal to be released later this year, comes up with.

[1]. The IANA functions or the technical functions are the name, number and protocol functions with regard to the administration of the Domain Name System or the DNS.

[2]. http://www.theguardian.com/technology/2015/sep/21/icann-internet-us-government

[3]. http://www.theregister.co.uk/2015/10/19/congress_tells_icann_quit_escaping_accountability/?page=1

[4]. http://www.theguardian.com/technology/2015/sep/21/icann-internet-us-government

[5]. SOs are Supporting Organizations and ACs are Advisory Committees. They form part of ICANN’s operational structure.

[6]. Leon Sanchez (ALAC member from the Latin American and Caribbean Region) speaking at the Enhancing ICANN Accountability Engagement Session !, ICANN54, Dublin (see page 5) https://meetings.icann.org/en/dublin54/schedule/mon-enhancing-accountability/transcript-enhancing-accountability-19oct15-en

[7]. Leon Sanchez (ALAC member from the Latin American and Caribbean Region) speaking at the Enhancing ICANN Accountability Engagement Session !, ICANN54, Dublin (see page 5) https://meetings.icann.org/en/dublin54/schedule/mon-enhancing-accountability/transcript-enhancing-accountability-19oct15-en

[8]. Thomas Rickert (GNSO-appointed CCWG co-chair) speaking at the Enhancing ICANN Accountability Engagement Session !, ICANN54, Dublin (see page 15,16) https://meetings.icann.org/en/dublin54/schedule/mon-enhancing-accountability/transcript-enhancing-accountability-19oct15-en

[9]. http://www.brandregistrygroup.org/alac-throws-spanner-in-icann-accountability-discussions

[10]. http://www.theregister.co.uk/2015/10/22/internet_community_icann_accountability/

[11]. http://www.theregister.co.uk/2015/09/07/icann_accountability_latest/

[12]. http://www.circleid.com/posts/20150923_empire_strikes_back_icann_accountability_at_the_inflection_point/

[13]. http://www.internetgovernance.org/2015/09/06/icann-accountability-a-three-hour-call-trashes-a-year-of-work/

For more details visit https://cis-india.org/internet-governance/blog/breaking-down-icann-accountability-what-it-is-and-what-the-internet-community-wants

Leveraging Mobile Network Big Data for Development Policy: Opportunities & Challenges

praskrishna — 2015-12-16T01:31:11Z

Amber Sinha participated in this event held at IRDC, New Delhi on November 2, 2015. The event was organized by LIRNEasia.

As part of the International Development Research Centre (IDRC) distinguished lecture series, Sriganesh Lokanathan, Team Leader- Big Data Research at LIRNEasia gave a talk in Delhi (Ramalingaswami Conference Hall, International Development Research Centre, 208 Jor Bagh, New Delhi 110003) on Monday, 2nd November 2015. Sriganesh spoke on the topic of “Leveraging mobile network big data for developmental policy: opportunities & challenges.”

Program:

11.00 a.m.: Welcome and introductions: Dr. Anindya Chatterjee, Asia Regional Director, IDRC

11.05 a.m.: Talk by Mr Sriganesh Lokanathan, Team Leader, Big Data Research, LIRNEasia, Sri Lanka

11.40 a.m.: Discussions and Q & A

12.15 p.m.: Closing remarks: Phet Sayo, Senior Program Officer, IDRC

See the programme details published by LIRNEasia.

For more details visit https://cis-india.org/internet-governance/news/leveraging-mobile-network-big-data-for-development-policy-opportunities-challenges

ISO/IEC/ JTC 1/SC 27 Working Groups Meeting, Jaipur

vanya — 2015-12-21T02:38:46Z

I attended this event held from October 26 to 30, 2015 in Jaipur.

The Bureau of Indian Standards (BIS) in collaboration with Data Security Council of India (DSCI) hosted the global standards’ meeting – ISO/IEC/ JTC 1/SC 27 Working Groups Meeting in Jaipur, Rajasthan at Hotel Marriott from 26th to 30th of October, 2015, followed by a half day conference on Friday, 30th October on the importance of Standards in the domain. The event witnessed experts from across the globe deliberating on forging international standards on Privacy, Security and Risk management in IoT, Cloud Computing and many other contemporary technologies, along with updating existing standards. Under SC 27, 5 working groups parallely held the meetings on varied Projects and Study periods respectively. The 5 Working Groups are as follows:

WG1: Information Security Management Systems;
WG 2 :Cryptography and Security Mechanisms;
WG 3 : Security Evaluation, Testing and Specification;
WG 4 : Security Controls and Services; and
WG 5 :Identity Management and Privacy technologies; competence of security management

This key set of Working Groups (WG)met in India for the first time. Professionals discussed and debated development of standards under each working group to develop international standards to address issues regarding security, identity management and privacy.

CIS had the opportunity to attend meetings under Working Group 5. This group further had parallel meetings on several topics namely:

Privacy enhancing data de-identification techniques ISO/IEC NWIP 20889 : Data de-identification techniques are important when it comes to PII to enable the exploitation of the benefits of data processing while maintaining compliance with regulatory requirements and the relevant ISO/IEC 29100 privacy principles. The selection, design, use and assessment of these techniques need to be performed appropriately in order to effectively address the risks of re-identification in a given context. There is thus a need to classify known de-identification techniques using standardized terminology, and to describe their characteristics, including the underlying technologies, the applicability of each technique to reducing the risk of re-identification, and the usability of the de-identified data. This is the main goal of this International Standard. Meetings were conducted to resolve comments sent by organisations across the world, review draft documents and agree on next steps.
A study period on Privacy Engineering framework : This session deliberated upon contributions, terms of reference and discuss the scope for the emerging field of privacy engineering framework. The session also reviewed important terms to be included in the standard and identify possible improvements to existing privacy impact assessment and management standards. It was identified that the goal of this standard is to integrate privacy into systems as part of the systems engineering process. Another concern raised was that the framework must be consistent with Privacy framework under ISO 29100 and HL7 Privacy and security standards.
A study period on user friendly online privacy notice and consent: The basic purpose of this New Work Item Proposal is to assess the viability of producing a guideline for PII Controllers on providing easy to understand notices and consent procedures to PII Principals within WG5. At the Meeting, a brief overview of the contributions received was given,along with assessment of liaison to ISO/IEC JTC 1/SC 35 and other entities. This International Standard gives guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from PII principals online and is applicable to all situations where a PII controller or any other entity processing PII informs PII principals in any online context.
Some of the other sessions under Working Group 5 were on Privacy Impact Assessment ISO/IEC 29134, Standardization in the area of Biometrics and Biometric information protection, Code of Practise for the protection of personally identifiable information, Study period on User friendly online privacy notice and consent, etc.

ISO/IEC/JTC 1/ SC27 is a joint technical committee of the international standards bodies – ISO and IEC on Information Technology security techniques which conducts regular meetings across the world. JTC 1 has over 2600 published standards developed under the broad umbrella of the committee and its 20 subcommittees. Draft International Standards adopted by the joint technical committees are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote in favour of the same. In India, the Bureau of Indian Standards (BIS) is the National Standards Body. Standards are formulated keeping in view national priorities, industrial development, technical needs, export promotion, health, safety etc. and are harmonized with ISO/IEC standards (wherever they exist) to the extent possible, in order to facilitate adoption of ISO/IEC standards by all segments of industry and business.BIS has been actively participating in the Technical Committee work of ISO/IEC and is currently a Participating member in 417 and 74 Technical Committees/ Subcommittees and Observer member in 248 and 79 Technical Committees/Subcommittees of ISO and IEC respectively. BIS holds Secretarial responsibilities of 2 Technical Committees and 6 Subcommittees of ISO.

The last meeting was held in the month of May, 2015 in Malaysia, followed by this meeting in October, 2015 Jaipur. 51 countries play an active role as the ‘Participating Members, India being one, while a few countries as observing members. As a part of these sessions, the participating countries also have rights to vote in all official ballots related to standards. The representatives of the country work on the preparation and development of the International Standards and provide feedback to their national organizations.

There was an additional study group meeting on IoT to discuss comments on the previous drafts, suggest changes , review responses and identify standard gaps in SC 27.

On October 30, 2015 BIS-DSCI hosted a half day International conference on 30 October, 2015 on Cyber Security and Privacy Standards, comprising of keynotes and panel discussions, bringing together national and international experts to share experience and exchange views on cyber security techniques and protection of data and privacy in international standards, and their growing importance in their society. The conference looked at various themes like the Role of standards in smart cities, Responding to the Challenges of Investigating Cyber Crimes through Standards, etc. It was emphasised that due to an increasing digital world, there is a universal agreement for the need of cyber security as the infrastructure is globally connected, the cyber threats are also distributed as they are not restricted by the geographical boundaries. Hence, the need for technical and policy solutions, along with standards was highlighted for future protection of the digital world which is now deeply embedded in life, businesses and the government. Standards will help in setting crucial infrastructure for in data security and build associated infrastructure on these lines.

The importance of standards was highlighted in context of smart cities wherein the need for standards was discussed by experts. Harmonization of regulations with standards must be looked at, by primarily creating standards which could be referred to by the regulators. Broadly, the challenges faced by smart cities are data security, privacy and digital resilience of the infrastructure. It was suggested that in the beginning, these areas must be looked at for development of standards in smart cities. Also, the ISO/IEC has a Working Group and a Strategic Group focussing on Smart Cities. The risks of digitisation, network, identity management, etc. must be looked at to create the standards.

The next meeting has been scheduled for April 2016 in Tampa (USA).

This meeting was a good opportunity to interact with experts from various parts of the World and understand the working of ISO Meetings which are held twice/thrice every year. The Centre for Internet and Society will be continuing work and becoming involved in the standard setting process at the future Working group meetings.

For more details visit https://cis-india.org/internet-governance/blog/iso-iec-jtc-1-sc-27-working-groups-meeting-jaipur

Porn. Panic. Ban: A Conversation on Sexual Expression, Pornography, Sexual Exploitation, Consent

praskrishna — 2015-11-29T07:36:58Z

Point of View and the Internet Democracy Project organized a conference to hold and facilitate an informed conversation on sexual expression, pornography, sexual exploitation and consent. Rohini Lakshané was a speaker. Tanveer Hasan also attended this conference held in New Delhi from October 28 to 30, 2015.

The conference was a first attempt to have an in-depth civil society conversation - among activists, lawyers, researchers working on either gender, sexuality or internet rights, or at their intersections. For more information on the event visit the Internet & Democracy website. Rohini presented her research on online amateur pornography and consent.

For more details visit https://cis-india.org/internet-governance/news/porn-panic-ban-a-conversation-on-sexual-expression-pornography-sexual-exploitation-consent

How India Regulates Encryption

Pranesh Prakash & Japreet Grewal — 2016-07-23T13:24:58Z

Governments across the globe have been arguing for the need to regulate the use of encryption for law enforcement and national security purposes. Various means of regulation such as backdoors, weak encryption standards and key escrows have been widely employed which has left the information of online users vulnerable not only to uncontrolled access by governments but also to cyber-criminals. The Indian regulatory space has not been untouched by this practice and constitutes laws and policies to control encryption. The regulatory requirements in relation to the use of encryption are fragmented across legislations such as the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) and several sector-specific regulations. The regulatory framework is designed to either limit encryption or gain access to the means of decryption or decrypted information.

Limiting encryption

The IT Act does not prescribe the level or type of encryption to be used by online users. Under Section 84A, it grants the Government the authority to prescribe modes and methods of encryption. The Government has not issued any rules in exercise of these powers so far but had released a draft encryption policy on September 21, 2015. Under the draft policy, only those encryption algorithms and key sizes were permitted to be used as were to be notified by the Government. The draft policy was withdrawn due to widespread criticism of various requirements under the policy of which retention of unencrypted user information for 90 days and mandatory registration of all encryption products offered in the country were noteworthy.

The Internet Service Providers License Agreement (ISP License), entered between the Department of Telecommunication (DoT) and an Internet Service Provider (ISP) to provide internet services (i.e. internet access and internet telephony services), permits the use of encryption up to 40 bit key length in the symmetric algorithms or its equivalent in others.[1] The restriction applies not only to the ISPs but also to individuals, groups and organisations that use encryption. In the event an individual, group or organisation decides to deploy encryption that is higher than 40 bits, prior permission from the DoT must be obtained and the decryption key must be deposited with the DoT. There are, however no parameters laid down for use of the decryption key by the Government. Several issues arise in relation enforcement of these license conditions.

While this requirement is applicable to all individuals, groups and organisations using encryption it is difficult to enforce it as the ISP License only binds DoT and the ISP and cannot be enforced against third parties.
Further, a 40 bit symmetric key length is considered to be an extremely weak standard[2] and is inadequate for protection of data stored or communicated online. Various sector-specific regulations that are already in place in India prescribe encryption of more than 40 bits.

The Reserve Bank of India has issued guidelines for Internet banking^{^[3]} where it prescribes 128-bit as the minimum level of encryption and acknowledges that constant advances in computer hardware and cryptanalysis may induce use of larger key lengths. The Securities and Exchange Board of India also prescribes[4] a 64-bit/128-bit encryption for standard network security and use of secured socket layer security preferably with 128-bit encryption, for securities trading over a mobile phone or a wireless application platform. Further, under Rule 19 (2) of the Information Technology (Certifying Authorities) Rules, 2000 (CA Rules), the Government has prescribed security guidelines for management and implementation of information technology security of the certifying authorities. Under these guidelines, the Government has suggested the use of suitable security software or even encryption software to protect sensitive information and devices that are used to transmit or store sensitive information such as routers, switches, network devices and computers (also called information assets). The guidelines acknowledge the need to use internationally proven encryption techniques to encrypt stored passwords such as PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard or PKCS#7 Cryptographic Message Syntax Standard as mentioned under Rule 6 of the CA Rules. These encryption algorithms are very strong and secure as compared to a 40 bit encryption key standard.
The ISP License also contains a clause which provides that use of any hardware or software that may render the network security vulnerable would be considered a violation of the license conditions.[5] Network security may be compromised by using a weak security measure such as the 40 bit encryption or its equivalent prescribed by the DoT but the liability will be imputed to the ISP. As a result, an ISP which is merely complying with the license conditions by employing not more than a 40 bit encryption may be liable for what appears to be contradictory license conditions.
It is noteworthy that the restriction on the key size under the ISP License has not been imported to the Unified Service License Agreement (UL Agreement) that has been formulated by the DoT. The UL Agreement does not prescribe a specific level of encryption to be used for provision of services. Clause 37.5 of the UL Agreement however makes it clear that use of encryption will be governed by the provisions of the IT Act. As noted earlier, the Government has not specified any limit to level and type of encryption under the IT Act however it had released a draft encryption policy that has been suspended due to widespread criticism of its mandate.

The Telecom Licenses (ISP License, UL Agreement, and Unified Access Service License) prohibit the use of bulk encryption by the service providers but they continue to remain responsible for maintaining privacy of communication and preventing unauthorized interception.

Gaining access to means of decryption or decrypted information

Besides restrictions on the level of encryption, the ISP License and the UL Agreement make it mandatory for the service providers including ISPs to provide to the DoT all details of the technology that is employed for operations and furnish all documentary details like concerned literature, drawings, installation materials and tools and testing instruments relating to the system intended to be used for operations as and when required by the DoT.[6] While these license conditions do not expressly lay down that access to means of decryption must be given to the government the language is sufficiently broad to include gaining such access as well. Further, ISPs are required to take prior approval of the DoT for installation of any equipment or execution of any project in areas which are sensitive from security point of view. The ISPs are in fact subject to and further required to facilitate continuous monitoring by the DoT. These obligations ensure that the Government has complete access to and control over the infrastructure for providing internet services which includes any installation or equipment required for the purpose of encryption and decryption.

The Government has also been granted the power to gain access to means of decryption or simply, decrypted information under Section 69 of the IT Act and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

A decryption order usually entails a direction to a decryption key holder to disclose a decryption key, allow access to or facilitate conversion of encrypted information and must contain reasons for such direction. In fact, Rule 8 of the Decryption Rules makes it mandatory for the authority to consider other alternatives to acquire the necessary information before issuing a decryption order.
The Secretary in the Ministry of Home Affairs or the Secretary in charge of the Home Department in a state or union territory is authorised to issue an order of decryption in the interest of sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states or public order or preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence. It is useful to note that this provision was amended in 2009 to expand the grounds on which a direction for decryption can be passed. Post 2009, the Government can issue a decryption order for investigation of any offence. In the absence of any specific process laid down for collection of digital evidence do we follow the procedure under the criminal law or is it necessary that we draw a distinction between the investigation process in the digital and the physical environment and see if adequate safeguards exist to check the abuse of investigatory powers of the police herein.
The orders for decryption must be examined by a review committee constituted under Rule 419A of the Indian Telegraph Rules, 1951 to ensure compliance with the provisions under the IT Act. The review committee is required to convene atleast once in two months for this purpose. However, we have been informed in a response by the Department of Electronics and Information Technology to an RTI dated April 21, 2015 filed by our organisation that since the constitution of the review committee has met only once in January 2013.

Conclusion

While studying a regulatory framework for encryption it is necessary that we identify the lens through which encryption is looked at i.e. whether encryption is considered as a means of information security or a threat to national security. As noted earlier, the encryption mandates for banking systems and certifying authorities in India are contradictory to those under the telecom licenses and the Decryption Rules. Would it help to analyse whether the prevailing scepticism of the Government is well founded against the need to have strong encryption? It would be useful to survey the statistics of cyber incidents where strong encryption was employed as well as look at instances that reflect on whether strong encryption has made it difficult for law enforcement agencies to prevent or resolve crimes. It would also help to record cyber incidents that have resulted from vulnerabilities such as backdoors or key escrows deliberately introduced by law. These statistics would certainly clear the air about the role of encryption in securing cyberspace and facilitate appropriate regulation.

[1] Clause 2.2 (vii) of the ISP License

[2] Schneier, Bruce (1996). Applied Cryptography (Second ed.). John Wiley & Sons

[3] Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds- Implementation of recommendations, 2011

[4] Report on Internet Based Trading by the SEBI Committee on Internet based Trading and Services, 2000; It is useful to note that subsequently SEBI had acknowledged that the level of encryption would be governed by DoT policy in a SEBI circular no CIR/MRD/DP/25/2010 dated August 27, 2010 on Securities Trading using Wireless Technology

[5] Clause 34.25 of the ISP License

[6] Clauses 22 and 23 of Part IV of the ISP License

For more details visit https://cis-india.org/internet-governance/blog/how-india-regulates-encryption

Net advocacy body probing linkages between telcos and Facebook’s auto-play video option

praskrishna — 2015-10-29T00:53:55Z

Centre for Internet and Society (CIS), India’s leading internet advocacy body, which has often been critical of Facebook’s Internet.org — now called Free Basics — initiative, has said that it is looking into the possibility of Facebook helping telecom companies through its auto-play video option.

The article by Prabhu Mallikarjunan was published in the Financial Express on October 28, 2015. Sunil Abraham gave inputs.

In an interaction with FE on Tuesday, Sunil Abraham, executive director of The Centre for Internet and Society, said CIS will inititiate research on the notion that the new video option will result in 50% increase in data billing for the telecom companies. It will also look into whether this, in turn, will encourage the telecom companies to be on the Internet.org platform.

This initiative from CIS comes on the eve of Facebook founder Mark Zuckerberg’s visit to India on Wednesday, where he will address a gathering at IIT, Delhi. Facebook has been trying to hard sell the Free Basics concept at a time when the Indian government is looking to work closely with the internet major to push the Digital India initiative. “The company (Facebook) has done some good things, and also done some not so good things. The good thing is that, they have changed the name of the application and called it Free Basics. Also, they have re-enabled https and have published “the technical requirements document, through which they have eliminated the exclusivity arm both on the telco end and for OTT (Over the top) players,” Abraham said.

“How does FB gain from making the videos autoplay. It doesn’t gain. Why should the telcos be made happy? We are looking into this theory of whether auto-play video option will result in 50% increase in data billing for the telecom companies,” Abraham said.

For more details visit https://cis-india.org/internet-governance/news/financial-express-prabhu-mallikarjunan-october-28-2015-net-advocacy-body-probing-linkages-between-telcos-and-facebooks-auto-play-video-option

Connected Trouble

sunil — 2015-10-28T16:47:58Z

The internet of things phenomenon is based on a paradigm shift from thinking of the internet merely as a means to connect individuals, corporations and other institutions to an internet where all devices in (insulin pumps and pacemakers), on (wearable technology) and around (domestic appliances and vehicles) humans beings are connected.

The guest column was published in the Week, issue dated November 1, 2015.

Proponents of IoT are clear that the network effects, efficiency gains, and scientific and technological progress unlocked would be unprecedented, much like the internet itself.

Privacy and security are two sides of the same coin―you cannot have one without the other. The age of IoT is going to be less secure thanks to big data. Globally accepted privacy principles articulated in privacy and data protection laws across the world are in conflict with the big data ideology. As a consequence, the age of internet of things is going to be less stable, secure and resilient. Three privacy principles are violated by most IoT products and services.

Data minimisation

According to this privacy principle, the less the personal information about the data subject that is collected and stored by the data controller, the more the data subject's right to privacy is protected. But, big data by definition requires more volume, more variety and more velocity and IoT products usually collect a lot of data, thereby multiplying risk.

Purpose limitation

This privacy principle is a consequence of the data minimisation principle. If only the bare minimum of personal information is collected, then it can only be put to a limited number of uses. But, going beyond that would harm the data subject. IoT innovators and entrepreneurs are trying to rapidly increase features, efficiency gains and convenience. Therefore, they don't know what future purposes their technology will be put to tomorrow and, again by definition, resist the principle of purpose limitation.

Privacy by design

Data protection regulation required that products and services be secure and protect privacy by design and not as a superficial afterthought. IoT products are increasingly being built by startups that are disrupting markets and taking down large technology incumbents. The trouble, however, is that most of these startups do not have sufficient internal security expertise and in their tearing hurry to take products to the market, many IoT products may not be comprehensively tested or audited from a privacy perspective.

There are other cyber security principles and internet design principles that are disregarded by the IoT phenomenon, further compromising security and privacy of users.

Centralisation

Most of the network effects that IoT products contribute to require centralisation of data collected from users and their devices. For instance, if users of a wearable physical activity tracker would like to use gamification to keep each other motivated during exercise, the vendor of that device has to collect and store information about all its users. Since some users always wear them, they become highly granular stores of data that can also be used to inflict privacy harms.

Decentralisation was a key design principle when the internet was first built. The argument was that you can never take down a decentralised network by bombing any of the nodes. Unfortunately, because of the rise of internet monopolies like Google, the age of cloud computing, and the success of social media giants, the internet is increasingly becoming centralised and, therefore, is much more fragile than it used be. IoT is going to make this worse.

Complexity

The more complex a particular technology is, the more fragile and vulnerable it is. This is not necessarily true but is usually the case given that more complex technology needs more quality control, more testing and more fixes. IoT technology raises complexity exponentially because the devices that are being connected are complex themselves and were not originally engineered to be connected to the internet. The networks they constitute are nothing like the internet which till now consisted of clients, web servers, chat servers, file servers and database servers, usually quite removed from the physical world. Compromised IoT devices, on the other hand, could be used to inflict direct harm on life and property.

Death of the air gap

The things that will be connected to the internet were previously separated from the internet through the means of an air gap. This kept them secure but also less useful and usable. In other words, the very act of connecting devices that were previously unconnected will expose them to a range of attacks. Security and privacy related laws, standards, audits and enforcement measures are the best way to address these potential pitfalls. Governments, privacy commissioners and data protections authorities across the world need to act so that the privacy of people and the security of our information society are protected.

For more details visit https://cis-india.org/internet-governance/blog/the-week-november-1-2015-sunil-abraham-connected-trouble

Encryption and Anonymity: Rights and Risks

praskrishna — 2015-10-27T02:37:45Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. ARTICLE 19 and Privacy International are organizing a workshop on Encryption and Anonymity on November 12, 2015. Pranesh Prakash is a speaker.

This was published on the IGF website.

Encryption and anonymity are two key aspects of the right to privacy and free expression online. From real-name registration in Iran to the UK Prime Minister's calls for Internet backdoors to encrypted communications, however, the protection of encrypted and anonymous speech is increasingly under threat. Recognising these challenges, the UN Special Rapporteur on freedom of expression, David Kaye, presented a report to the Human Rights Council in June 2015 which highlighted the need for greater protection of encryption and anonymity.

Five months on from the Special Rapporteur’s report, the participants in this roundtable will discuss his recommendations and the latest challenges to the protection of anonymity and encryption. For example, how can law enforcement demands be met while ensuring that individuals still enjoy strong encryption and unfettered access to anonymity tools? What steps should governments, civil society, individuals and the private sector take to avoid the legal and technological fragmentation of a tool now vital to expression and communication? How can individuals protect themselves from mass surveillance in the digital age?

At the end of the session, the participants should have identified areas for future advocacy both at the international and domestic levels as well as areas for further research for the protection of anonymity and encryption on the Internet.

Agenda

Moderator welcomes speakers and audience.
Outline of key issues on encryption and anonymity, including summary of the UN Special Rapporteur's report.
Each speaker speaks for 5-7 mins, giving their perspective re the issues.
Questions from participants, including remote participation via Twitter.
Conclusion and steps for further action.

About IGF 2015

Internet Governance Forum (IGF) is a multistakeholder, democratic and transparent forum which facilitates discussions on public policy issues related to key elements of Internet governance. IGF provides enabling platform for discussions among all stakeholders in the Internet governance ecosystem, including all entities accredited by the World Summit on the Information Society (WSIS), as well as other institutions and individuals with proven expertise and experience in all matters related to Internet governance.

After consulting the wider Internet community and discussing the overarching theme of the 2015 IGF meeting, the Multistakeholder Advisory Group decided to retain the title “Evolution of Internet Governance: Empowering Sustainable Development”. This theme will be supported by eight sub-themes that will frame the discussions at the João Pessoa meeting.

For more details visit https://cis-india.org/internet-governance/news/encryption-and-anonymity-rights-and-risks

The Social Role of the Communications and the Strengthening of the Freedom of Expression Panel - "Cultural Diversity and Freedom of Expression"

praskrishna — 2015-10-27T01:48:04Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. The Ministry of Culture and the Ministry of Communications of Brazil is organizing a panel on Cultural Diversity and Freedom of Expression on November 9, 2015, from 6.30 p.m. to 8.30 p.m., in the Sala de Concerto Maestro Jose Siqueria, located in the city of Jao Pessoa, Brazil. Sunil Abraham will be a panelist.

The experience of Internet as a global network has generated paradoxes in relation to the nationally established values and those practiced by companies providers of applications. In general, the challenge lies in fundamental civil rights balance such as freedom of expression and the personality's rights.

Although the 2005 UNESCO Convention on the Protection and Promotion of the Diversity of Cultural Expressions enables the countries to adopt national policies directed to the protection of their cultural diversity, terms of use and codes of conduct are globally uniform and establish common rules to users around the world, which may affect cultural diversity.

In order to address these issues the Ministry of Culture and the Ministry of Communications, Brazil are organizing this event at IGF 2015.

About IGF 2015

For more details visit https://cis-india.org/internet-governance/news/the-social-role-of-the-communications-and-the-strengthening-of-the-freedom-of-expression-panel-cultural-diversity-and-freedom-of-expression

The rise and rise of slacktivism

praskrishna — 2015-10-25T14:49:58Z

Can we change the world with the click of a mouse? Or is it just another feel-good phenomenon? The writer explores the growing penchant for online petitions and desktop activism.

The article by Divya Gandhi was published in the Hindu on October 3, 2015. Pranesh Prakash was quoted.

“I am a female journalist and Kumudam’s history of objectifying and judging women sickens me,” writes reporter Kavitha Muralidharan in a no-holds-barred petition on change.org. Tamil magazine Kumudam, which last week published pictures of women in leggings describing them as “vulgar”, must apologise, she said. The apology didn’t come, but on last count the letter to Kumudam’s editor had galvanised over 20,000 signatures and, at least in part, the petition’s aim — to flag sexism in the media — had been met.

Online activism forums such as change.org, jhatkaa.org, avaaz.org or bitgiving.com have turned the Net into a vibrant space for debate, influencing public opinion and, to varying degrees, catalysing change.

Slacktivism — if we must call it that — has existed a while and cannot be dismissed, says Policy Director at the Centre for Internet and Society, Pranesh Prakash. “We can’t underestimate the power of the collective, the power of the word in influencing public opinion and policy.”

Take, for instance, the three-minute ‘Kodaikanal Won’t’ video promoted by Jhatkaa where artist Sofia Ashraf raps about Unilever’s flouting of environmental and safety norms at its thermometer unit in Kodaikanal. The video was watched over 3,00,000 times in its first 48 hours, and a parallel online petition, which asks the company to clean up its “toxic mess” got 91,054 signatures.

No, Unilever has not formally committed to ‘clean up its mess’ yet but what the campaign did was to create public pressure on the company to engage with the mainstream media, says Nityanand Jayaram, an environmental activist who has worked on the Kodaikanal case since 2001. “We had 14 years of invisible hard work behind us. That shroud of invisibility was removed with one social media campaign.”

“Most petitions I can think of have been accompanied by actions on the ground as well,” says Kavita Krishnan, Secretary, All India Progressive Women’s Association. “For instance, if an online petition that says arrest those threatening John Dayal gets 6,000 signatures in 48 hours, these are 6,000 people across the country. I cannot collect them on a Delhi street within 48 hours. It is not that these people would not join a demonstration if they could, but there is no real difference between their having attended a demonstration and their having signed that petition. There are other issues for which you need sustained action or quiet, behind-the-scenes work, but in terms of protests, I think online petitions are very effective.”

How do the views and shares and signatures turn into yardsticks to measure the success of a campaign? In the case of BitGiving, virality translates into crowdfunding. Among its success stories, it counts a campaign to help send India’s ice hockey team, which got no government support, to the Ice Hockey Championship Cup of Asia this year. The campaign came alive on social media, was highlighted in mainstream media, captured the interest of several high-profile funders, and managed to raise more money than the team needed for training, accommodation, airfare and equipment. Jhatkaa measures its campaigns by various criteria, says Deepa Gupta, Executive Director. “We track outcome, the number of people impacted… and we track media coverage.”

A quick scroll down some of these sites reflects the staggering range of subjects that has captured the urban imagination — from OROP to hyper-local issues (garbage in Bengaluru) or animal rights (the culling of stray dogs in Kerala). Just this past week on change.org, “#Khans4Kisaans” shouted out to Shah Rukh, Salman and Aamir to “help the farmers dying in Bollywood’s backyard”; another called for the declassification of Netaji-related files; and a third protested the ban on beef.

So are these forums then turning the apathetic urbanite into a political animal, someone who takes a stance? “Yes and no,” says Prakash. “It really is about how much people get involved in the issue. Often we have citizen groups that form around issues offline, and we have seen very real action on the ground, say, cleaning a lake or even getting a road repaired.”

Gupta says that Jhatkaa’s baseline assumption is not that Indians are apolitical, but that there aren’t enough meaningful ways for them to participate in our democracy outside of elections. “As individuals who aren’t issue experts, many citizens feel powerless when it comes to affecting change on the issues that they care most about.”

She was perplexed, she says, at how difficult it can be for citizens to meaningfully engage with government institutions or corporations in a way that they are heard. “I knew the only way to build a nation-wide constituency of citizens who could take collective action would be if we mobilised people with the help of modern communications and social media.”

Ghousiya Sultana, a PhD student, agrees. She has signed several online petitions and believes that she is, in some small way, making a difference. “I want to feel like I fought a good fight.” On the other hand, corporate executive Anant Kumar says he doesn’t believe in this trend. He is concerned about transparency, how his donation might be used or misused, and he does not see how a letter with a few thousand signatures can have much of a bearing on issues.

But, as Krishnan says, “An online petition doesn’t work like an on-off switch that resolves an issue immediately. It is about whether you successfully shamed them in public. It is about sparking a dialogue.”

With inputs from Zara Khan

For more details visit https://cis-india.org/internet-governance/news/hindu-october-3-2015-divya-gandhi-the-rise-and-rise-of-slacktivism

Do we need a Unified Post Transition IANA?

Pranesh Prakash, Padmini Baruah and Jyoti Panday — 2015-10-27T00:46:37Z

As we stand at the threshold of the IANA Transition, we at CIS find that there has been little discussion on the question of how the transition will manifest. The question we wanted to raise was whether there is any merit in dividing the three IANA functions – names, numbers and protocols – given that there is no real technical stability to be gained from a unified Post Transition IANA. The analysis of this idea has been detailed below.

The Internet Architecture Board, in a submission to the NTIA in 2011 claims that splitting the IANA functions would not be desirable.[1] The IAB notes, “There exists synergy and interdependencies between the functions, and having them performed by a single operator facilitates coordination among registries, even those that are not obviously related,” and also that that the IETF makes certain policy decisions relating to names and numbers as well, and so it is useful to have a single body. But they don’t say why having a single email address for all these correspondences, rather than 3 makes any difference: Surely, what’s important is cooperation and coordination. Just as IETF, ICANN, NRO being different entities doesn’t harm the Internet, splitting the IANA function relating to each entity won’t harm the Internet either. Instead will help stability by making each community responsible for the running of its own registers, rather than a single point of failure: ICANN and/or “PTI”.

A number of commentators have supported this viewpoint in the past: Bill Manning of University of Southern California’s ISI (who has been involved in DNS operations since DNS started), Paul M. Kane (former Chairman of CENTR's Board of Directors), Jean-Jacques Subrenat (who is currently an ICG member), Association française pour le nommage Internet en coopération (AFNIC), the Internet Governance Project, InternetNZ, and the Coalition Against Domain Name Abuse (CADNA).

The Internet Governance Project stated: “IGP supports the comments of Internet NZ and Bill Manning regarding the feasibility and desirability of separating the distinct IANA functions. Structural separation is not only technically feasible, it has good governance and accountability implications. By decentralizing the functions we undermine the possibility of capture by governmental or private interests and make it more likely that policy implementations are based on consensus and cooperation.”[2]

Similarly, CADNA in its 2011 submission to NTIA notes that that in the current climate of technical innovation and the exponential expansion of the Internet community, specialisation of the IANA functions would result in them being better executed. The argument is also that delegation of the technical and administrative functions among other capable entities (such as the IETF and IAB for protocol parameters, or an international, neutral organization with understanding of address space protocols as opposed to RIRs) determined by the IETF is capable of managing this function would ensure accountability in Internet operation. Given that the IANA functions are mainly registry-maintenance function, they can to a large extent be automated. However, a single system of automation would not fit all three.

Instead of a single institution having three masters, it is better for the functions to be separated. Most importantly, if one of the current customers wishes to shift the contract to another IANA functions operator, even if it isn’t limited by contract, it is limited by the institutional design, since iana.org serves as a central repository. This limitation didn’t exist, for instance, when the IETF decided to enter into a new contract for the RFC Editor role. This transition presents the best opportunity to cleave the functions logically, and make each community responsible for the functioning of their own registers, with IETF, which is mostly funded by ISOC, taking on the responsibility of handing the residual registries, and a discussion about the .ARPA and .INT gTLDs.

From the above discussion, three main points emerge:

Splitting of the IANA functions allows for technical specialisation leading to greater efficiency of the IANA functions.
Splitting of the IANA functions allows for more direct accountability, and no concentration of power.
Splitting of the IANA functions allows for ease of shifting of the {names,number,protocol parameters} IANA functions operator without affecting the legal structure of any of the other IANA function operators.

[1]. IAB response to the IANA FNOI, July 28, 2011. See: https://www.iab.org/wp-content/IAB-uploads/2011/07/IANA-IAB-FNOI-2011.pdf

[2]. Internet Governance Project, Comments of the Internet Governance Project on the NTIA's "Request for Comments on the Internet Assigned Numbers Authority (IANA) Functions" (Docket # 110207099-1099-01) February 25, 2011 See: http://www.ntia.doc.gov/federal-register-notices/2011/request-comments-internet-assigned-numbers-authority-iana-functions

For more details visit https://cis-india.org/internet-governance/blog/do-we-need-a-unified-post-tranistion-iana

CIS Participation at ICANN 54

praskrishna — 2016-01-18T12:47:19Z

Centre for Internet and Society (CIS), India participated in the 54th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) held at the Convention Center in Dublin from 17 October 2015 to 22 October 2015. Pranesh Prakash, Jyoti Panday and Padmini Baruah attended the meeting.

CIS representation was possible at the meeting due to the generous support of MacArthur grant, NCUC ICANN Travel Grant and financial support from the National Internet Exchange of India (NIXI). The issue-wise detail of CIS engagement is set out below.

At the Public Forum, Jyoti Panday asked the ICANN Board to clarify its role and the role of the community in the development of the proposal with Verisign on its role as the Root Zone Maintainer. ICANN CEO confirmed what many feared, that there will be no community involvement on this proposal as ICANN's relationship with Verisign is an "implementation" detail. He added the assurance that post transition, on the decision of renewal of the contract and whether it will be awarded to Verisign, ICANN will seek inputs from the community. Jyoti's statement is replicated below:

"I want to ask the Board why when asked by the NTIA to develop a draft proposal for the with Verisign on its Root Zone Maintainer role, did you not pass on that mandate to the community, to the CWG which already exists, and ask the community to draft out the proposal with VeriSign? Will the ICANN Board seek public comments on the final proposal before it is approved? After all, ICANN cannot claim that it is an inverted pyramid where all decisions start from the community and flow up to the Board when on a crucial issue like this, the ICANN Board and staff have not taken the community in confidence nor invited its participation."

Padmini Baruah reiterated CIS message at the Public Forum on the lack of diversity observed through the transition and presented new data. Padmini's statement is replicated below:
Today, more than 50% of Internet users are in the Asia-Pacific region, and less than 10% are in North America. Yet, when one studies diversity within the ICANN community and in ICANN processes, one finds that diversity is sorely lacking, and it is dominated by people from the United States of America. Take the IANA transition, for instance. CIS studied participant data from ICANN, NRO, and IETF's lists related to the IANA transition. Of the substantive contributors, of which there were 98, we found:
* 1 in 4 (39 of 98) were from a single country: the United States of America.
* 4 in 5 (77 of 98) were from countries which are part of the WEOG grouping, which only has developed countries.
* None were from readily identifiable as being based in Eastern European and Russia, and only 5 of 98 from all of Latin American and the Caribbean.
* 4 in 5 (77 of 98) were male and 21 were female.
* 4 in 5 (76 of 98) were from industry or the technical community, and only 4 (or 1 in 25) were identifiable as primarily speaking on behalf of governments.
It would be a travesty of language to call this the "global multistakeholder community".
Further this problem is pervasive in the ICANN community:
* 66% (34 of 51) of the Business Constituency at ICANN, as per their own data, are from a single country: the United States of America.
* 3 in 5 registrars are from the United States of America (624 out of 1010, as of March 2014, according to ICANN's accredited registrars list), with only 0.6% being from the 54 countries in Africa (7 out of 1010).
* 45% of all the registries are from the United States of America! (307 out of 672 registries listed in ICANN’s registry directory in August 2015.)
Please take this as your top priority, since ICANN's legitimacy depends on being able to call itself globally representative.

CIS attended also raised a series of concerns at the following sessions:

Enhancing ICANN Accountability Open Engagement: CIS intervened with its stance on jurisdiction and their enforcement models, and our concerns about transparency.
GAC sessions
NCSG meeting
IANA Transition Stewardship Transition Engagement Session
CCWG Accountability Working Session
Illicit Internet Pharmacies
NCUC Meeting+engagement with Larry Strickling: Jyoti Panday asked about the dual role of Verisign as a Root zone maintainer and TLD operator. Padmini Baruah asked him about jurisdiction. He said the US Congress will not support a shift in ICANN's jurisdiction.
NCSG/gNSO (CIS work on DIDP got public mention)
Contractual Compliance Programme Update
CWG Stewardship working session
Role of Voluntary Practices in Combating Abuse and Illegal Activity
Joint meeting of the ICANN Board and NCSG

For more details visit https://cis-india.org/internet-governance/news/icann-54