We are anonymous, we are legion

ISO/IEC/ JTC 1/SC 27 Working Groups Meeting, Jaipur

vanya — 2015-12-21T02:38:46Z

I attended this event held from October 26 to 30, 2015 in Jaipur.

The Bureau of Indian Standards (BIS) in collaboration with Data Security Council of India (DSCI) hosted the global standards’ meeting – ISO/IEC/ JTC 1/SC 27 Working Groups Meeting in Jaipur, Rajasthan at Hotel Marriott from 26th to 30th of October, 2015, followed by a half day conference on Friday, 30th October on the importance of Standards in the domain. The event witnessed experts from across the globe deliberating on forging international standards on Privacy, Security and Risk management in IoT, Cloud Computing and many other contemporary technologies, along with updating existing standards. Under SC 27, 5 working groups parallely held the meetings on varied Projects and Study periods respectively. The 5 Working Groups are as follows:

WG1: Information Security Management Systems;
WG 2 :Cryptography and Security Mechanisms;
WG 3 : Security Evaluation, Testing and Specification;
WG 4 : Security Controls and Services; and
WG 5 :Identity Management and Privacy technologies; competence of security management

This key set of Working Groups (WG)met in India for the first time. Professionals discussed and debated development of standards under each working group to develop international standards to address issues regarding security, identity management and privacy.

CIS had the opportunity to attend meetings under Working Group 5. This group further had parallel meetings on several topics namely:

Privacy enhancing data de-identification techniques ISO/IEC NWIP 20889 : Data de-identification techniques are important when it comes to PII to enable the exploitation of the benefits of data processing while maintaining compliance with regulatory requirements and the relevant ISO/IEC 29100 privacy principles. The selection, design, use and assessment of these techniques need to be performed appropriately in order to effectively address the risks of re-identification in a given context. There is thus a need to classify known de-identification techniques using standardized terminology, and to describe their characteristics, including the underlying technologies, the applicability of each technique to reducing the risk of re-identification, and the usability of the de-identified data. This is the main goal of this International Standard. Meetings were conducted to resolve comments sent by organisations across the world, review draft documents and agree on next steps.
A study period on Privacy Engineering framework : This session deliberated upon contributions, terms of reference and discuss the scope for the emerging field of privacy engineering framework. The session also reviewed important terms to be included in the standard and identify possible improvements to existing privacy impact assessment and management standards. It was identified that the goal of this standard is to integrate privacy into systems as part of the systems engineering process. Another concern raised was that the framework must be consistent with Privacy framework under ISO 29100 and HL7 Privacy and security standards.
A study period on user friendly online privacy notice and consent: The basic purpose of this New Work Item Proposal is to assess the viability of producing a guideline for PII Controllers on providing easy to understand notices and consent procedures to PII Principals within WG5. At the Meeting, a brief overview of the contributions received was given,along with assessment of liaison to ISO/IEC JTC 1/SC 35 and other entities. This International Standard gives guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from PII principals online and is applicable to all situations where a PII controller or any other entity processing PII informs PII principals in any online context.
Some of the other sessions under Working Group 5 were on Privacy Impact Assessment ISO/IEC 29134, Standardization in the area of Biometrics and Biometric information protection, Code of Practise for the protection of personally identifiable information, Study period on User friendly online privacy notice and consent, etc.

ISO/IEC/JTC 1/ SC27 is a joint technical committee of the international standards bodies – ISO and IEC on Information Technology security techniques which conducts regular meetings across the world. JTC 1 has over 2600 published standards developed under the broad umbrella of the committee and its 20 subcommittees. Draft International Standards adopted by the joint technical committees are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote in favour of the same. In India, the Bureau of Indian Standards (BIS) is the National Standards Body. Standards are formulated keeping in view national priorities, industrial development, technical needs, export promotion, health, safety etc. and are harmonized with ISO/IEC standards (wherever they exist) to the extent possible, in order to facilitate adoption of ISO/IEC standards by all segments of industry and business.BIS has been actively participating in the Technical Committee work of ISO/IEC and is currently a Participating member in 417 and 74 Technical Committees/ Subcommittees and Observer member in 248 and 79 Technical Committees/Subcommittees of ISO and IEC respectively. BIS holds Secretarial responsibilities of 2 Technical Committees and 6 Subcommittees of ISO.

The last meeting was held in the month of May, 2015 in Malaysia, followed by this meeting in October, 2015 Jaipur. 51 countries play an active role as the ‘Participating Members, India being one, while a few countries as observing members. As a part of these sessions, the participating countries also have rights to vote in all official ballots related to standards. The representatives of the country work on the preparation and development of the International Standards and provide feedback to their national organizations.

There was an additional study group meeting on IoT to discuss comments on the previous drafts, suggest changes , review responses and identify standard gaps in SC 27.

On October 30, 2015 BIS-DSCI hosted a half day International conference on 30 October, 2015 on Cyber Security and Privacy Standards, comprising of keynotes and panel discussions, bringing together national and international experts to share experience and exchange views on cyber security techniques and protection of data and privacy in international standards, and their growing importance in their society. The conference looked at various themes like the Role of standards in smart cities, Responding to the Challenges of Investigating Cyber Crimes through Standards, etc. It was emphasised that due to an increasing digital world, there is a universal agreement for the need of cyber security as the infrastructure is globally connected, the cyber threats are also distributed as they are not restricted by the geographical boundaries. Hence, the need for technical and policy solutions, along with standards was highlighted for future protection of the digital world which is now deeply embedded in life, businesses and the government. Standards will help in setting crucial infrastructure for in data security and build associated infrastructure on these lines.

The importance of standards was highlighted in context of smart cities wherein the need for standards was discussed by experts. Harmonization of regulations with standards must be looked at, by primarily creating standards which could be referred to by the regulators. Broadly, the challenges faced by smart cities are data security, privacy and digital resilience of the infrastructure. It was suggested that in the beginning, these areas must be looked at for development of standards in smart cities. Also, the ISO/IEC has a Working Group and a Strategic Group focussing on Smart Cities. The risks of digitisation, network, identity management, etc. must be looked at to create the standards.

The next meeting has been scheduled for April 2016 in Tampa (USA).

This meeting was a good opportunity to interact with experts from various parts of the World and understand the working of ISO Meetings which are held twice/thrice every year. The Centre for Internet and Society will be continuing work and becoming involved in the standard setting process at the future Working group meetings.

For more details visit https://cis-india.org/internet-governance/blog/iso-iec-jtc-1-sc-27-working-groups-meeting-jaipur

ISO/IEC JTC1/SC 27 Meetings

praskrishna — 2017-04-27T16:38:46Z

Udbhav Tiwari represented the Centre for Internet & Society in a series of meetings held at University of Waikato and Novotel in Hamilton, New Zealand between April 18 and 25, 2017.

The participation was by the virtue of our institutional membership in Information Systems Security Sectional Committee (LITD 17) at the Bureau of Indian Standards.

The first 5 days of the meetings (18 to 23 April, 2017) were the working group meetings, where Udbhav participated in Working Group 1 - Information security management systems and Working Group 5 - Identity management and privacy technologies. Udbhav's participation in WG1 was largely exploratory, where I made some connections and tagged projects for us to comment on prior to the next set of meetings. These projects were Cyber Security, Cyber Insurance, Government Use of the ISO 27001 Standards, International Framework for Cyber Security and the Standing Document on Regulatory Use of 27001.

In WG5, Udbhav was appointed as Co-Rapporteur in the Study Period on Smart Cities, which will go on for another 6 months. The plenary of SC 27 was held on April 24 and 25, 2017. The final resolutions from the Working Groups plenary can be accessed below:

WG1 Recommendations and Resolutions

WG5 Resolutions

For more details visit https://cis-india.org/internet-governance/news/iso-iec-jtc1-sc-27-meetings

ISO/IEC JTC 1 SC 27 Working Group Meetings - A Summary

vanya — 2016-12-16T23:53:19Z

The Centre for Internet & Society attended the ISO/IEC JTC 1 SC 27 Working Group Meetings from 22 to 27 October 2016 in Abu Dhabi at Abu Dhabi National Exhibition Centre.

Being a member of Working Group 5: Information technology - Security techniques – Identity management and privacy technologies, we attended the following meetings:

WD 29184 Guidelines for online privacy notices and consent- As technological advancement and wider availability of communication infrastructures has enabled collection and analysis of information regarding an individuals' activities, along with people becoming aware about privacy implications of the same, this standard aims to provides a framework for organizations to provide clear and easily under information to consumers about how the organization will process their PII.
SP PII Protection Considerations for Smartphone App providers - Being a 1-year long project proposed during the ISO/IEC SC 27 JTC 1 Working Group Meetings in Jaipur in the year 2015. This group aims to build off a privacy framework for mobile applications to guide app developers on the lines of ISO/IEC 29100 international standard (which defines a broad privacy framework for information technologies) in light of excessive data collection by apps in absence of consent or justification, lack of comprehensive policies, Non transparent practices, Lack of adequate choice and consent, to ensure protection of rights of the individuals, etc. and will work towards ensuring a harmonized and standardized privacy structure for mobile application data policies and practices.
WD 20889 Privacy enhancing data de-identification techniques- Given the importance of Data de-identification techniques when it comes to PII to enable the exploitation of the benefits of data processing while maintaining compliance with regulatory requirements and the relevant ISO/IEC 29100 privacy principles, the selection, design, use and assessment of these techniques needs to be performed appropriately in order to effectively address the risks of re-identification in a given context.
SP Privacy in Smart Cities- Being a 1-year long project proposed during the ISO/IEC SC 27 JTC 1 Working Group Meetings in Jaipur this group saw contributions from Japan, India, PRIPARE in EU, to name a few. The scope for the group was proposed to produce a framework in light of data ownership, communication channels, privacy risk and impact assessment in smart cities, data lifecycle privacy governance for smart cities, and Develop use cases and contexts for Privacy Controls w.r.t the data lifecycle in Smart Cities, along with detailed documentation of Privacy Controls for Smart Cities aligned to the primary controls and associated sub controls.

For more details visit https://cis-india.org/internet-governance/blog/iso-iec-jtc-1-sc-27-working-group-meetings-a-summary

ISIS and Recruitment using Social Media – Roundtable Report

Vidushi Marda, Aditya Tejus, Megha Nambiar and Japreet Grewal — 2016-12-16T02:19:16Z

The Centre for Internet and Society in collaboration with the Takshashila Institution held a roundtable discussion on “ISIS and Recruitment using Social Media” on 1 September 2016 from 5.00 p.m. to 7.30 p.m. at TERI in Bengaluru.

The objective of this roundtable was to explore the recruitment process and methods followed by ISIS on social media platforms like Facebook and Twitter and to understand the difficulties faced by law enforcement agencies and platforms in countering the problem while understanding existing counter measures, with a focus on the Indian experience.

Reviewing Existing Literature

To provide context to the discussion, a few key pieces of existing literature on online extremism were highlighted. Discussing Charlie Winter’s “Documenting the Virtual Caliphate”, a participant outlined the multiple stages of the radicalisation process that begins with a person being exposed to general ISIS releases, entering an online filter bubble of like minded people, initial contact, followed by persuasion by the contact person to isolate the potential recruit from his/her family and friends. This culminates with the assignment of an ISIS task to such person. The takeaway from the paper, was the colossal scale of information and events put out by ISIS on the social media. It was pointed out that contrary to popular belief, ISIS publishes content under six broad themes: mercy, belonging, brutality, victimhood, war and utopia, least of which falls under the category of brutality which in fact garners the most attention worldwide. It was further elaborated that ISIS employs positive imagery in the form of nature and landscapes, and appeals to the civilian life within its borders. This strategy is that of prioritising quantity, quality, adaptability and differentiation while producing media. This strategy of producing media that is precise, adaptable and effective, according to the author, must be emulated by Governments in their counter measures, although there is no universal counter narrative that is effective. This effort, he stressed cannot be exclusively state-driven.

JM Berger’s “Making Countering Violent Extremism Work” was also discussed. Here, a slightly different model of radicalisation has been identified with potential recruits going through 4 stages: the first being that of Curiosity where there is exposure to violent extremist ideology, the second stage is Consideration where the potential recruit evaluates the ideology, the third being Identification where the individual begins to self identify with extremist ideology, and the last being that of Self-Critique which is revisited periodically. According to Berger, law enforcement need only be involved in the third stage identified in this taxonomy, through situational awareness programs and investigations. This paper stated that counter-messaging policies need not mimic the ISIS pattern of slick messaging. A data-driven study had found that suspending and suppressing the reach of violent extremist accounts and individuals on online platform was effective in reducing the reach of these ideologies, though not universally so. It also found that generic counter strategies used in the US was more efficient than targeted strategies followed in Europe.

Lack of Co-ordination, Fragmentation between the States and Centre

Speaking of the Indian scenario in particular, another participant brought to light the lack of co-ordination and consensus between the State and Central Governments and law enforcement agencies with respect to countering violent extremism with leads to a breakage in the chain of action. Another participant added that the underestimation of the problem at the state level coupled with the theoretical and abstract nature of work done at the Centre is another pitfall. While the fragmentation of agencies was stated to be ineffective, bringing them under the purview of a single agency was also proposed as an ineffective measure. It was instead suggested that a neutral policy body, and not an implementing body, should coordinate the efforts of the multiple groups involved.

Unreliable Intelligence Infrastructure

It was pointed out that countries are presently underequipped due to the lack of intelligence infrastructure and technical expertise. This was primarily because agencies in India tend to use off-the shelf hardware and software produced by foreign companies, and such heavy dependence on unreliable parts will necessarily be detrimental to building reliable security infrastructure. Emphasis was laid on the significance of collaboration and open-source intelligence in countering online radicalisation. An appeal was made to inculcate a higher IT proficiency, indigenous production of resources, funding, collaboration, integration of lower level agencies and more research to be produced in this regard.

Proactive Counter Narratives

The importance of proactive counter-narratives to extremist content was stressed on, with the possibility of generating inputs from government agencies and private bodies backing the government being discussed. Another solution identified was the creation and internal circulation of a clear strategy to counter the ISIS narrative and the public dissemination of research on online radicalization in the Indian context.

Policies of Social Media Platforms

The conversation moved towards understanding policies of social media. One participant shed light on a popular platform’s strategies against extremism, wherein it was pointed out that the site’s tolerance policy extends not only to directly extremist content but also content created by people who support violent extremism .The involvement of the platform with several countries and platforms in order to create anti-extremist messaging and its intention to expand these initiatives was in furtherance of its philosophy to prevent any celebration of violence. The participant further explained that research shows that anti-extremist content that made use of humour and a lighter tone was more effective than media which relied on gravitas.

Having identified the existing literature and current challenges, the roundtable concluded with suggestions for further areas of research:

Understanding the use of encrypted messaging services like Whatsapp and Telegram for extremism, and an analysis of these platforms in the Indian context. A deeper understanding of these services is essential to gauge the dimensions of the problem and identify counter measures.
A lexical analysis of Indian social media accounts to identify ISIS supporters and group them into meta-communities, similar to research done by the RAND Corporation
Collation of ISIS media packages was also flagged off as an important measure in order to have a dossier to present to the government. This would help policymakers gain context around the issue, and also help them understand the scale of the problem.

For more details visit https://cis-india.org/internet-governance/blog/isis-and-recruitment-using-social-media-2013-roundtable-report

Is your personal information under lock and key?

Admin — 2018-01-16T16:54:33Z

Customers, be more careful about how you log in and log off!

The article by Sravanthi Challapalli was published by Hindu Businessline on January 16, 2018.

We’re coming off a year that was highlighted by several data breaches around the world. In India, the Aadhaar debate continues to make headlines, with allegations about its data theft and Big Brother potential for surveillance. And for quite a while now, the marketing world has been suffused with mention of artificial intelligence, chatbots, big data, data-driven analytics, and other such buzzwords. The ultimate, stated aim is to make life simpler for the citizen/customer. But how secure is our data, which we put out there both voluntarily and by mandate, and what can we do to protect it?

Laziness will hurt

A study by security services provider Gemalto found that retailers (76 per cent), banks (74 per cent) and social media sites (71 per cent) operating in India have a lot of work to do on this front. Consumers would leave if their personal information suffered a breach, it said. Even as the majority of customers said businesses don’t treat their data with due respect, they did not take enough precautions themselves, it observed. Fifty-one per cent of the study’s respondents used the same password across several online accounts and many did not use even available solutions such as two-factor authentication to protect social media accounts, making them susceptible to data breaches. They also believed the onus of protecting data lay on the business.

Caveats of little help

The Government has set up a committee of experts headed by Justice BN Srikrishna to look into the issue, invite comments and propose a draft law. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” As of now, there is no law that exclusively deals with data protection though there are some provisions in the Information Technology Act of 2011.

So, caveat emptor? “Caveat emptor has meaning only when the customer has enough knowledge to protect himself,” says Sunil Abraham, Executive Director of the Bangalore-based Centre for Internet and Society. Using the sausage factory analogy (no one knew what went into the products and how clean they were), he says few know how big data is used. Regulation can help in this regard. He expects India to have data protection rules in place in a couple of years.
The Government has set up a committee of experts headed by Justice BN Srikrishna to look into the issue, invite comments and propose a draft law. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” As of now, there is no law that exclusively deals with data protection though there are some provisions in the Information Technology Act of 2011.

Efficiency all round

ICICI Prudential Life Insurance Executive Director Puneet Nanda says digital data storage has catalysed efficiency on several fronts. “Technology helps us swiftly identify the nominee and facilitates faster payouts as compared to the times when the information was stored physically. It has improved turnaround times and enabled delivery of superior service leading to higher customer satisfaction. Corporations can provide customers instant gratification. Today, we can issue a policy in minutes. Proliferation of technology has enabled corporations to identify customer needs and make offers best suited to their requirements.”

CIS will offer comments to the Srikrishna Committee. Abraham says such laws in other countries define what personal information is, establish the office of the regulator, have powers to receive and investigate complaints and ensure marketers fall in line. Regulators have punitive powers as well. In 2014, telecom major Verizon had to pay $7.4 million in the US to settle a Federal Communications Commission complaint about advertising to customers without letting them know they had an opt-out option. The privacy conditions one routinely “agrees” to online does not give the data controller a free ticket to do what they want with the information, he says.

Not much one can do

Abraham says there is very little the customer can do, other than “acts of civil disobedience, tell lies, fill out false information” when there’s little protection. Rana Gupta, Vice President – APAC, Identity and Data Protection, Gemalto, says one is not left with many choices in an increasingly digital world, not to mention the social pressure. Imagine asking for time off from work to withdraw some cash from your bank because you are suspicious of ATMs? “Users have to rely on organisations doing the right thing,” he says. Regulation making data encryption and second-factor authentication mandatory will help. Customers have begun to ask how data is being secured, and whether it is encrypted. Addressing such concerns would help businesses such as e-commerce and banks, which are increasingly dependent on an online presence.

Even though they’re painful to remember and key in, long passwords that include a capital letter, a special character and a number are deterrents to misuse, as are one-time passwords and messages that alert/ confirm users logging in to an account or transacting a deal. Rohan Bhargava, Co-founder of cashback and coupons site CashKaro.com, says businesses have to design the best methods to thwart the worst intentions. “Companies are vulnerable when they take short cuts at basic processes.”

Bhargava says his company prefers to build most of the technical products it needs, itself, rather than resort to third-party builders/providers. Marketers, he says, experiment with a lot of untested products and the scripts they use can be the root of the problem.

Checks and balances at every stage, running security reviews whenever something changes, effectively managing the life cycle of the encryption keys and limiting access to customer data are vital. The responsibility for securing data lies with both customer and marketer but the latter’s is the larger responsibility as it is they who implement and have the infrastructure that the user does not, says Gemalto’s Gupta.

For more details visit https://cis-india.org/internet-governance/news/hindu-businessline-january-16-2018-sravanthi-challapalli-is-your-personal-information-under-lock-and-key

Is your facebook page your mini resume?

praskrishna — 2012-03-26T07:27:43Z

As privacy debates heat up across the world, Bangaloreans reveal the trend of employers asking job aspirants for their Facebook IDs and passwords has caught on here too. When Adil Pasha, 24, revealed at an advertising job interview that his main strength was creativity, his interviewers asked for his FB password to check his latest updates.

This was published in IBNLive on March 26, 2012 . Sunil Abraham is quoted in this.

They rejected him, as he was going through a break-up and had put up song lyrics as his status message. On the other hand, Sukanya Srinivasan, 19, got an internship chance at a leading IT firm solely based on her FB photo albums.

“A company recently rejected my application after looking at the number of people I’d blocked on my chat list. They thought I didn’t have good interpersonal skills. I might be a friendly, harmless flirt, but the company might think I could sexually harass women employees. If they see my photos at a party, they might think I’m an alcoholic,” said Kiran Giridhar (name changed), who has attended over 12 interviews in the last two months, where his social life mattered more.

Recently, Facebook chief privacy officer Erin Egan said they had seen a distressing increase in reports of employers seeking to gain access to people’s Facebook profiles or private information.

“The most alarming of these practices is the reported incidents of employers asking prospective or actual employees to reveal their passwords,” she wrote on the website’s privacy page. The controversy is now being fought on moral and ethical grounds.

"This is a privacy infringement but there is no provision in the law (IT Act-2008) that prohibits employers from asking for personal information. This is happening with the willingness of potential candidates. If a person finds it unacceptable, he/she shouldn’t share the password. Background checks are common as some companies deal with sensitive information. So it’s not illegal, but intrusive. I think some power relationships can be abused if they cross the social networking barrier — like a boss-employee and teacher-student relationship. Corporate policy should prevent such things," explained Sunil Abraham, executive director, Centre for Internet and Society.

For more details visit https://cis-india.org/news/facebook-page-mini-resume

Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally

praskrishna — 2017-02-27T01:56:28Z

Fears of Aadhar biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization

Pranesh Prakash and Sunil Abraham have been quoted in this article published by Outlook on February 24, 2017.

The biggest fear regarding misuse of Aadhar biometrics and security loopholes are becoming real.

Three firms are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, reported The Times of India.

The paper reported that the Unique Identification Authority of India (UIDAI) has lodged a criminal complaint with the cyber cell of Delhi Police, saying it is a clear violation of the law.

“The firms are Axis Bank, Suvidhaa Infoserve and eMudhra. They have been served a “notice for action“ under Aadhaar regulations”.

The firms have been accused of storing biometrics and using them illegally.

The fears of biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization. They are preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money.

The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

Outlook’s Senior Associate Editor Arindam Mukherjee had in a clairvoyant article for the magazine raised the fears of biometrics being manipulated.

In the article, critics of Aadhaar and Aadhaar-based services raised the issue of privacy and security of biometric and personal data.

Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as Aadhar-Enabled Payment Services encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable Aadhaar Enabled Payment System PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices.

And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned.

“Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

For more details visit https://cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally

Is This The Beginning Of The End For Facebook?

Admin — 2018-04-17T14:44:23Z

After two days of congressional hearings that collectively lasted over ten hours, there are many questions about Facebook, its policies and its future that experts are debating.

The article by Aayush Ailawadi was published in Bloomberg Quint on April 15, 2018. Pranesh Prakash was quoted.

Do Facebook’s privacy policies confuse more than they inform? Is the platform a near monopoly that may need to be broken? And how do you ensure that the vast wealth of data that Facebook has is not misused, particularly in elections?

BloombergQuint has collected views on some of these issues.

Privacy Policy Or Legalese?

Since the Cambrdge Analytica scandal came to light, Facebook has been receiving a lot of flak for its ambiguous and verbose privacy and data policy. Lawmakers quizzed founder Mark Zuckerberg about how an ordinary user was expected to decipher the terms of the user agreement, something even some of the lawmakers grilling him couldn’t comprehend.

Jitendra Waral of Bloomberg Intelligence says, “It’s so complicated that nobody reads it. Essentially the data sharing beyond the Facebook ecosystem came into question here. Is it just necessary to have data sharing for the service to work? Is it restricted to you sharing your content with your friends in your network or do the restrictions go beyond that? So basically they have a lot of work to do in terms of transparency, in terms how the data is used and shared.”

During the conversations, it also came to light that Facebook collects data even on those who don’t use the platform.

“In general we collect data on people who are not signed up for Facebook for security purposes," Zuckerberg said Wednesday in a hearing about the social network’s privacy practices in Washingtonbefore the House Energy and Commerce Committee.

While privacy experts and tech geeks have been crying foul for years about the data collection and storage practices adopted by tech behemoths like Facebook, this revelation by the Facebook founder was the first public acknowledgement of the fact.

Is Facebook A Monopoly?

It’s not just data concerns that were brought up at the hearings.

Sen. Lindsey Graham asked Zuckerberg if Facebook enjoys a monopoly on the type of service it provides to its users. He asked, “If I buy a Ford and it doesn’t work well and I don’t like it, I can buy a Chevy, if I’m upset with Facebook, what’s the equivalent product that I can go sign up for?”

Zuckerberg responded to say that there are other tech companies which operate in the same sphere as Facebook does. He offered statistics of how many Americans use different social apps nowadays, in support of his argument that Facebook does not enjoy a monopoly in the tech world.

Jeff Hauser, executive director of the Revolving Door Project at the non-partisan Center for Economic and Policy Research says, “ Zuckerberg's answer to who his competitor was kind of comically unsatisfying because there is no competition for Facebook and they do have monopoly power in the United States and in many other countries across the world. ”

So one idea is to take Facebook and break it into many other parts that it acquired through previous acquisitions. Instagram would be a powerful competitor to Facebook if it was independent of Facebook. WhatsApp would be a powerful competitor to Facebook if it was an independent competitor to Facebook.

Jeff Hauser, Center for Economic and Policy Research

Time To Regulate The Internet?

Another big moment during the testimony was when Zuckerberg conceded that it was only a matter of time before the internet would be regulated.

He said, “The internet is growing in importance around the world in people’s lives and I think that it is inevitable that there will need to be some regulation.”

Waral agrees that light touch regulation is the way to prevent a Cambridge Analytica like scandal from occurring again in the future. But, he believes that regulation will only raise costs for a company like Facebook. He explains, “What it does is raise compliance costs through out the ecosystem. So, the impact on Facebook from this is that the company is going to increase expenses due to compliance costs.”

The Big Election(s) Year

During his testimony, Zuckerberg did acknowledge that a lot needs to be done to ensure data does not get misused, particularly in elections. Concerns about misuse of user data have emerged in countries like the U.S., but also in India.

Last month, the Union Minister for Law and Information Technology, Ravi Shankar Prasad warned Zuckerberg that if there was any data theft of Indian users due to Facebook’s data collection practices, he would stop at nothing short of summoning the Facebook founder to India.

While Pranesh Prakash, policy director at the Centre For Internet and Society, doesn’t believe the government would actually summon Zuckerberg to India, he says, “One new concern that's valid across the world, where there are limitations put on freedom of expression during times of campaigning and elections, how do they translate online? There is no typical answer to this.”

Most of the speech regulations apply to candidates and apply to media platforms, which are largely mass media platforms. Now, social media platforms where individuals express themselves might not be regulated the same way or currently at least aren’t regulated the same way.

Pranesh Prakash, Policy Director, Centre For Internet and Society

Pranesh thinks it is time to re-look at the existing election laws which might not prove to be as useful now as they were some time ago.

Hauser thinks Facebook should help users discern between fakes news and a legitimate source of news.

In the 2016 elections cycle, for fake news, a lot of bots and trolls liked them and they started appearing in the lot of users’ feeds. So the algorithm of Facebook encouraged manipulation. Facebook needs to address these concerns. I don’t think we can trust Facebook if it doesn’t make hard decisions about its algorithms. Right now, Facebook needs to say this is what the algorithm does.

Jeff Hauser, Center for Economic and Policy Research

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-aayush-ailawadi-april-15-2018-is-this-the-beginning-of-the-end-for-facebook

Is there a case for penalizing fake news?

Admin — 2018-03-07T14:23:05Z

Facebook and Twitter have been under increasing scrutiny for allowing targeted political ads from Russia-backed entities to manipulate voters and influence elections.

The article by Nilesh Christopher was published by ET Tech on March 7, 2018. Sunil Abraham was quoted.

In May 2017, rumours of child-lifters on the prowl circulated on WhatsApp led to the lynching of seven men in Jharkhand.

The same month, the administrator of a WhatsApp group was arrested and later released on bail after a member of the group posted a “morphed” photograph of Prime Minister Narendra Modi wearing a garland of shoes.

A month earlier, following the assembly election in Uttar Pradesh, a district magistrate and a police official issued a joint order warning that WhatsApp group administrators could be slapped with criminal charges if factually incorrect or rumours were circulated in the group. Officials in Bihar followed suit, issuing similar orders against circulation of hoaxes.

These are just a few instance of ‘fake news’ on digital platforms that India had to deal with in 2017. Between June 2016 and May last year, more than 20 criminal complaints involving online content were filed, and many people were detained for content circulated on WhatsApp or published on Facebook, as per research organisation Freedom House.

As the consequences of bogus news become more pervasive, stoking resentment and violence, many South Asian countries such as Philippines, Indonesia, and Vietnam have sought to treat the manipulation of content as a criminal offence.

“It is not penalising, but defining ‘fake news’ which is a challenge,” said Max Smeets, Cybersecurity fellow at Stanford University. “We currently lack a common definition of fake news. Is it about fake personas, spam, data theft, seeding stories in the press or creating fake stories? We have to be clear by what we mean if we want to penalise fake news (or more generally tackle it).”

Criminalising dissemination is difficult mainly because people who disseminate the information are not necessarily aware that they are involved in this practice.

The inherent ambiguity has led certain governments to frame stringent laws to deal with the menace. Philippines President Rodrigo Duterte signed stricter laws authorising punitive action resulting in a jail term of up to six months and heavy fines of up to an equivalent of Rs 2.5 lakh for publishers of fake news. But Duterte’s version of the law applies to anyone who expresses a contrarian view of the government or “causes damage to the state”. The government has set up a special task force in the national police to look into fake news, but experts say it amounts to a witch-hunt in the guise of a clampdown on fake news.

The proliferation of ‘fake news’ through misinformation and hyper-partisan content came to the fore in the run-up to the 2016 Presidential election in the United States. Facebook and Twitter have been under increasing scrutiny for allowing targeted political ads from Russia-backed entities to manipulate voters and influence elections.

Since then, “manipulation and disinformation tactics played an important role in elections in at least 17 other countries over the past year, damaging citizens’ ability to choose their leaders based on factual news and authentic debate,” as per Freedom on the Net 2017 report.

In one of the most high-profile crackdowns on the fake news in 2017, Indonesian police incarcerated administrators of organised crime ring Saracen, which peddled racist and sectarian fake news against political parties. “Indonesia had to start fighting ‘organised fake news’ organisations such as Saracen who were launching targeted fake news campaigns on behalf of political parties during the periods leading up to major elections,” said Spandana Singh, Millennial public policy fellow at New America.

With more than 800,000 followers on Facebook, the admins made millions through advertising revenue by creating memes and fake posts on their page. As a result, on January 3, Indonesia launched a separate cybersecurity task force to bring purveyors of fake news to task.

“Criminalising fake news is counterproductive,” said Sunil Abraham, executive director of the Centre for Internet and Society. “The trouble with criminalisation is the person circulating the news is ‘fooled’ and is unaware of the crime they are committing. It is very similar to copyright infringement at a non-commercial stage. Many just don’t know,” Abraham said.

“Fake news cannot be battled by the government alone. Often it is the parties in power who are involved in many fake news cases,” he said.

How do we fix this?

Of the 3.4 billion people with access to the internet, 42% live in countries where governments employ armies of “opinion shapers” to spread government views and counter government critics on social media, as per the Freedom on the Net 2017 report.

In the West, corporations are typically the ones that are expected to take up the mantle to tackle fake news. “But government censorship and corporate censorship are not the appropriate ways forward, as this impinges on freedom of speech,” Abraham said.

This raises the question as to who should fix the problem. For starters, in the European Union (EU), Germany has passed a law called the Network Enforcement Act or NetzDG advocating a crackdown on “punishable false reports”. Enforced in October 2017, the hate speech law mandates that companies remove hate speech within a certain time period, and this was created with the intention of also curbing fake news.

Policy experts say the only way forward is more collaboration among various stakeholders. In India, there are organisations such as SM Hoax Slayer and Altnews working to combat disinformation, but “stronger digital literacy, education, and transparency is the way to fight it”, Singh said. “Since there is a business model which has been established for fake news, more people may also try to join the illegal disinformation industry if it continues to prove profitable,” he said.

While existing laws are fragmented, Abraham offered a different policy view of the problem at hand. “The only way to combat bad speech is with good speech. Instead of criminalising, you can mandate public service announcements in on social media channels,” he said.

That is, if someone is using fake news to spark a riot, under the circumstances of an emergency, the government should be allowed to push actual facts around the area even in private WhatsApp groups. “A message similar to a ‘must carry’ obligation in broadcast regulation can come in,” Abraham said.

For instance, Catalan is a minority language in Spain but all Spanish language broadcasters must carry some amount of news in Catalan, Abraham said, adding this could be one way of dealing with if not eradicating fake news.

So far, the only solution to prevent rumour mongering in “sensitive” areas in India has been blocking social media sites and suspending internet services. There have been nearly 40 information communication technology (ICT) shutdowns ordered by local authorities, some lasting several months in Jammu and Kashmir, as per the Freedom on the Net 2017 report.

“Platforms like Facebook, WhatsApp, Twitter and the like are different from each other. This makes it difficult to set common standards for all organizations and to compare them fairly,” Smeets said.

“It is especially difficult for highly compartmentalised platforms like WhatsApp to deal with fake news, compared to a more public forum like Facebook,” he said.

For more details visit https://cis-india.org/internet-governance/news/et-tech-nilesh-christopher-march-7-2018-is-there-a-case-for-penalizing-fake-news

Is the viral #10YearChallenge just another sneaky way for tech firms to gather users’ personal data?

Admin — 2019-02-02T13:57:40Z

Is it merely an exercise in nostalgia? Or is it providing fodder for facial recognition algorithms on ageing?

The blog post by Devarsi Ghosh was published in Scroll.in on January 18, 2019. Pranesh Prakash was quoted.

“I like to look back at old memories and smile,” said the 25-year-old Kolkata resident Smitakshi Chowdhury. That’s what prompted her to upload a decade-old photo of herself alongside a recent one on Facebook last week without much thought. Chowdhury is among tens of thousands of people who have participated in the “ten year challenge” that has gone viral in recent days as social media users nostalgically display “then” and “now” images of themselves to the world.

Among the prominent Indian personalities who showed how they’d changed over the decade were movie stars Sonam Kapoor, Diana Penty and Shruti Haasan.

But is there a darker design to this initiative to get social media users to sportlingly show what a difference a decade can make? On January 15, an article in Wired suggested that the fad could be an ingenious ploy to gather data on a person’s age or how people age over time. The article by technology writer Kate O’Neill noted that data obtained in this way could be put to a variety of purposes, some benign such as targeted advertising, and some not so harmless.

“Age progression could someday factor into insurance assessment and health care,” O’Neill writes. “For example, if you seem to be ageing faster than your cohorts, perhaps you’re not a very good insurance risk. You may pay more or be denied coverage.”

This hypothesis set off a frenzy, as social media users issued warnings against participating in the challenge. But others noted that Facebook already has photographs of many long-time users from 10 years ago or more. It was also pointed out that the metadata of images posted online contains information about the date on which the photo was taken, where it was shot and the unique identification number of the photo device – even though most people don’t realise this. With so much information already out there, there isn’t much the 10-Year Challenge could add.

“Facebook has spookily sophisticated face-recognition technology, as anyone who’s seen Facebook’s automatic tagging software at work will tell you,” wrote Max Read in New York Magazine.

The debate has revolved around not only what tech companies know about social media users but how they share this information. For instance, Facebook’s facial tagging system identifies people in images to third parties, making it susceptible to misuse. In fact, Facebook had been storing data obtained through facial recognition software since 2011, without notifying or obtaining consent from its users. It was only in February 2018 that it gave users the chance to opt out of the system.

Facebook, on its part, in an official statement, said that it was not involved with the 10-Year Challenge.

Possibilities of misuse

While personal information uploaded online could potentially be misused in several ways, that does not mean just about any doomsday scenario is feasible, said Pranesh Prakash of the Centre for Internet and Society.

“Insurance companies always try to gather as much information as they can about a person to weed out bad risks but governments regulate these companies on the matter of what they can or cannot use,” he said.

For example, in 2018, the Delhi High Court ruled that insurance companies could not deny coverage to a person based on their genetic history, he noted. However, the contradictory ruling also said that if a disorder was established after genetic testing, the insurance company could deny coverage or demand higher premiums.

Prakash suggested a more dire situation. “Suppose the data produced from the 10-Year Challenge is used to improve the quality of deepfakes and that is put into making pornography about you against your will?” he said. “That business, unlike insurance, is unregulated.”

On the other hand, the prospect of a person’s rate of ageing being calculated by algorithms could also be beneficial. “If a medical AI [artificial intelligence] company figures out your health looking at the data based on your face and detects early skin cancer, would anyone be complaining about this?” asked Shashank Bijapur, co-founder of SpotDraft, a Gurgaon-based company that creates and manages legal contracts using artificial intelligence.

He noted that while it is impractical to expect businesses to ignore the opportunity to use such data to their advantage, social media users should make informed decisions while signing up on platforms. “Every such app online has a privacy policy which is made available to whoever is using it right at the beginning,” Bijapur said.

For more details visit https://cis-india.org/internet-governance/news/scroll-in-january-18-2019-devarsi-ghosh-is-the-viral-10yearchallenge-just-another-sneaky-way-for-tech-firms-to-gather-users-personal-data

Is the new ‘interception’ order old wine in a new bottle?

Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare — 2018-12-29T16:02:00Z

The government could always authorise intelligence agencies to intercept and monitor communications, but the lack of clarity is problematic.

An opinion piece co-authored by Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare was published in Newslaundry.com on December 27, 2018.

On December 20, 2018, through an order issued by the Ministry of Home Affairs (MHA), 10 security agencies—including the Intelligence Bureau, the Central Bureau of Investigation, the Enforcement Directorate and the National Investigation Agency—were listed as the intelligence agencies in India with the power to intercept, monitor and decrypt "any information" generated, transmitted, received, or stored in any computer under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

On December 21, the Press Information Bureau published a press release providing clarifications to the previous day’s order. It said the notification served to merely reaffirm the existing powers delegated to the 10 agencies and that no new powers were conferred on them. Additionally, the release also stated that “adequate safeguards” in the IT Act and in the Telegraph Act to regulate these agencies’ powers.

Presumably, these safeguards refer to the Review Committee constituted to review orders of interception and the prior approval needed by the Competent Authority—in this case, the secretary in the Ministry of Home Affairs in the case of the Central government and the secretary in charge of the Home Department in the case of the State government.

As noted in the press release, the government has always had the power to authorise intelligence agencies to submit requests to carry out the interception, decryption, and monitoring of communications, under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

When considering the implications of this notification, it is important to look at it in the larger framework of India’s surveillance regime, which is made up of a set of provisions found across multiple laws and operating licenses with differing standards and surveillance capabilities.

- Section 5(2) of the Indian Telegraph Act, 1885 allows the government (or an empowered authority) to intercept or detain transmitted information on the grounds of a public emergency, or in the interest of public safety if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. This is supplemented by Rule 419A of the Indian Telegraph Rules, 1951, which gives further directions for the interception of these messages.

- Condition 42 of the Unified Licence for Access Services, mandates that every telecom service provider must facilitate the application of the Indian Telegraph Act. Condition 42.2 specifically mandates that the license holders must comply with Section 5 of the same Act.

- Section 69(1) of the Information Technology Act and associated Rules allows for the interception, monitoring, and decryption of information stored or transmitted through any computer resource if it is found to be necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

- Section 69B of the Information Technology Act and associated Rules empowers the Centre to authorise any agency of the government to monitor and collect traffic data “to enhance cyber security, and for identification, analysis, and prevention of intrusion, or spread of computer contaminant in the country”.

- Section 92 of the CrPc allows for a Magistrate or Court to order access to call record details.

Notably, a key difference between the IT Act and the Telegraph Act in the context of interception is that the Telegraph Act permits interception for preventing incitement to the commission of an offence on the condition of public emergency or in the interest of public safety while the IT Act permits interception, monitoring, and decryption of any cognizable offence relating to above or for investigation of any offence. Technically, this difference in surveillance capabilities and grounds for interception could mean that different intelligence agencies would be authorized to carry out respective surveillance capabilities under each statute. Though the Telegraph Act and the associated Rule 419A do not contain an equivalent to Rule 4—nine Central Government agencies and one State Government agency have previously been authorized under the Act. The Central Government agencies authorised under the Telegraph Act are the same as the ones mentioned in the December 20 notification with the following differences:

- Under the Telegraph Act, the Research and Analysis Wing (RAW) has the authority to intercept. However, the 2018 notification more specifically empowers the Cabinet Secretariat of RAW to issue requests for interception under the IT Act.

- Under the Telegraph Act, the Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area, has the authority to intercept. However, the 2018 notification specifically authorises the Commissioner of Police, New Delhi with the power to issue requests for interception.

That said, the IT (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 under 69B of the IT Act contain a provision similar to Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 - allowing the government to authorize agencies that can monitor and collect traffic data. In 2016, the Central Government authorised the Indian Computer Emergency Response Team to monitor and collect traffic data, or information generated, transmitted, received, or stored in any computer resource. This was an exercise of the power conferred upon the Central Government by Section 69B(1) of the IT Act. However, this notification does not reference Rule 4 of the IT Rules, thus it is unclear if a similar notification has been issued under Rule 4.

While it is accurate that the order does not confer new powers, areas of concern that existed with India’s surveillance regime continue to remain including the question of whether 69(1) and 69B and associated Rules are constitutionally valid, the lack of transparency by the government and the prohibition of transparency by service providers, heavy handed penalties on service providers for non-compliance, and a lack of legal backing and oversight mechanisms for intelligence agencies. Some of these could be addressed if the draft Data Protection Bill 2018 is enacted and the Puttaswamy Judgement fully implemented.

Conclusion

The MHA’s order and the press release thereafter have served to publicise and provide needed clarity with respect to the powers vested in which intelligence agencies in India under section 69(1) of the IT Act. This was previously unclear and could have posed a challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under section 69(1) .

The publishing of the list has subsequently served to raise questions and create a debate about key issues concerning privacy, surveillance and state overreach. On December 24, the order was challenged by advocate ML Sharma on the grounds of it being illegal, unconstitutional and contrary to public interest. Sharma in his contention also stated the need for the order to be tested on the basis of the right to privacy established by the Supreme Court in Puttaswamy which laid out the test of necessity, legality, and proportionality. According to this test, any law that encroaches upon the privacy of the individual will have to be justified in the context of the right to life under Article 21.

But there are also other questions that exist. India has multiple laws enabling its surveillance regime and though this notification clarifies which intelligence agencies can intercept under the IT Act, it is still seemingly unclear which intelligence agencies can monitor and collect traffic data under the 69B Rules. It is also unclear what this order means for past interceptions that have taken place by agencies on this list or agencies outside of this list under section 69(1) and associated Rules of the IT Act. Will these past interceptions possess the same evidentiary value as interceptions made by the authorised agencies in the order?

For more details visit https://cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle

Is the govt caught in the 'censorship' web?

praskrishna — 2012-09-04T06:54:25Z

NDTV aired a one-hour debate on censorship in "We the People" episode hosted by Barkha Dutt on August 26, 2012. Pranesh Prakash participated in the discussions as a speaker.

Pranesh Prakash responded to Barkha Dutt's question on what does a government do in a time of social unrest:

"I think in a time of social unrest there is leeway provided in laws for the government to take action. The law existing and the law allowing for it is a very different matter from the government actually making use of it. There are as shown in the United Kingdom, much better ways of combating situations of riots. As we have seen in India for instance, there are people who provoke riots from podiums yet don't get arrested and as we have seen in the UK, there are people who take part in riots and have been punished a great deal."

Video

See the full debate on NDTV

For more details visit https://cis-india.org/news/www-ndtv-com-we-the-people-aug-26-2012-is-the-govt-caught-in-the-censorship-web

Is the govt bid to regulate content on the Internet a good thing?

praskrishna — 2011-12-08T07:12:24Z

The recent move by Union Minister Kapil Sibal to engage leading Internet platform providers like Google, Facebook, etc in regulating content has seen netizens react in different manners. The question of freedom of expression vis-a-vis objectionable content has come to the fore. Pranesh Prakash who deals with such issues on a regular basis at the Centre for Internet and Society was answering questions (more like comments) live on CNN-IBN's chat feature on December 7, 2011.

Q: OK... then how about this... People report abuse against a page...and after some hits that report will go to the governmental organization, and they will decide on what action to take... this may include hiring of some IT services company to do that and gives more employment to people too. Anyways thanks for replying to my questions.

Asked by: Tilak Kamath

A: How about just approaching courts, who are in a far better position to judge what is legal and what is illegal under Indian law than any IT services company or government organization.

Q: Suppose a group of rabble rousers does indeed use a forum and become violent, (the group being identifiable) would the state have the right to ask the forum to be discontinued?

Asked by: Zeus

A: Of course (if what you meant is 'the right to ask the forum to remove the violence-inciting content'). Indeed, this is how ultra-left wing and ultra-right wing publications that advocate violence (which is an imminent threat) are proscribed in India. And the same laws already apply for online fora. But just as you wouldn't ban a newspaper like DNA for carrying an offensive article (such as the anti-Muslim screed written by Subramanian Swamy a few months back), and just as the postal service wouldn't be discontinued for carrying Maoist letters, a forum shouldn't be banned for offensive content. There is no need for a new 'self-regulation code', since the 'report abuse' links found on many of these sites are exactly that: self-regulation.

Q: Article 19(2) of our constitution places arbitrary and subjective restrictions on free speech - public order, decency, morality are all subjective, according to the whims and fancies of those who are in control. Aren't you concerned this is going down the exact path (ignoring that this is impractical to begin with)?

Asked by: Karunakaran

A: No, because there is a rich jurisprudence laid down by the Supreme Court of what is and what isn't a "reasonable restriction". While I do believe that our Constitution does go beyond what the International Covenant on Civil and Political Rights (to which India is a signatory) allows for, Article 19(2)'s interpretation by the Supreme Court and the High Courts have been very progressive for the most part.

Q: The government has a mandate to govern and keep the society in harmony and take care of law & order... If no check on the expressions of netizens the chances of a spark generating debate can escalate to violence given the extremism we see today. The media in print as well as electronic we know & see does it's CENSORING, calling it as editing and publishing only what it likes and wants.This style is for all including CNN-IBN.The difference is in media, the EDITOR gets responsible in case of offensive or blashphemous material gets published. Social network the responsibility seems missing. Freedom always needs to be enjoyed with discipline. How do you the minority indisciplined netizens, who are there and no denying on that ?

Asked by: sundar1950in

A: I believe that killing speech is not the right way to prevent violence. Indeed, a newspaper editor in the Maldives recently noted that they have had less violence committed against the newspaper office ever since they allowed for online comments. Speech often allows people to vent out violence instead of acting it out. Violence should be curbed by reining in those who're committing it, and those who're inciting it on the ground. At any rate, the laws that apply to inciting violence in print apply to the Web also, and no new rules need to be drafted.

Q: Thanks for the information on the report abuse button. but can't we have a Governmental agency regulating websites like FB or Google... they can't say no, cos India is a Huge market for such companies.. and why don't we find many ultra offensive posts about the U.S. or other countries, as we find for Indians..

Asked by: Tilak Kamath

A: That would be a very bad idea. Governments don't have a regulatory agency to dictate what letters post-offices shouldn't carry, nor what articles newspapers shouldn't publish. They should definitely not have a regulatory agency dictate what status updates Facebook or Google+ should and shouldn't carry. You don't find ultra-offensive posts about the U.S. because you aren't looking around. They're *everywhere*, even more so than those that bad-mouth India. Yet, such offensive speech is the price we have to pay (gladly, I should add) for democracy and the freedom of speech.

Q: The idea to ban any post on something that would lead to communal strike is fine however, I feel this is not the intention. The intention is clearly political and due to the Anna movement becoming popular thanks to the posts on the internet as also certain remarks on the Gandhi family in particular and Congress leaders specifically has led to this decision. Kapil Sibal is a smart alec and he knows that this can be used against any adverse comments against them.

Asked by: Arun

A: I am less suspicious of Mr. Sibal. I believe, especially after speaking with some senior lawyer friends of his, that he genuinely believes what he is doing to be required and legal and constitutional, and not for the appeasement of one or two Congress leaders. That, however, does not make his suggested solution correct. Multiple High Courts' decisions have held otherwise, and the Supreme Court's decision in Ajay Goswami v. Union of India also provides them support.

Q: One best possible thing is to advertise the Report Abuse button on the Internet, don't you think so? again there should be proper authentication to do so to avoid miscreants blocking some good pages unnecessarily.

Asked by: Tilak Kamath

A: I believe that the "Report Abuse" option available on most large social media and social network websites is useful, but it is also potentially dangerous since it allows a private party (such as Facebook or Google), rather than a court, to dictate what content is and isn't acceptable, to the possible detriment of larger society.

Q: Good evening sir, my question is that it is legal to pre-screen the private data of users by sites and to interfere between their privacy.

Asked by: Shrey Goswami

A: Whether this proposal by Shri Sibal necessarily involves an invasion of privacy is an open question, since the details of the proposal as as yet not fully sketched out. On Google Plus and Facebook, one can restrictedly share information. Will such restricted sharing also have to be pre-screened, or only information that is going to be available to all members of the public? The proposal still consists only of press articles and a press conference held by the Minister. Even assuming it only require pre-screening of information that is going to be publicly accessible, it imposes too high a burden on intermediaries, and is impractical. And, as you might be aware, only very limited pre-censorship is allowed in India, and such a general requirement of pre-censorship does not seem to be constitutional, in my opinion.

Q: Yes, we were browsing FB yesterday and some content in there, could not be opened in front of my children. So Content is not always good, and there must be some kind of screening. Again, the current trend in India, to think that whatever the government does is not at all a good one. Governing must be left to government and not to news channels/civil society, etc. This looks dangerous, and sad no one is realising this.

Asked by: Narayanan S

A: Perhaps I should allow former Supreme Court Justice Hidyatullah's words speak for themselves: "Our standards must be so framed that we are not reduced to a level where the protection of the least capable and the most depraved amongst us determines what the morally healthy cannot view or read." - Justice Hidyatullah in K.A. Abbas v. Union of India. In the Janhit Manch case, the Bombay High Court held: "By the present petition what the petition seeks is that this court which is a protector of free speech to the citizens of this country, should interfere and direct the respondents to make a coordinated and sustained effort to close down the websites as aforestated. Once Parliament in its wisdom has enacted a law and has provided for the punishment for breach of that law any citizen of this country including the Petitioner who is aggrieved against any action on the part of any other person which may amount to an offence has a right to approach the appropriate forum and lodge a complaint upon which the action can be taken if an offence is disclosed. Court in such matters, the guardians of the freedom of speech, and more so a constitutional court should not embark on an exercise to direct State Authorities to monitor websites. If such an exercise is done, then a party aggrieved, depending on the sensibilities of persons whose view may differ on what is morally degrading or prurient will be sitting in judgment, even before the aggrieved person can lead his evidence and a competent court decides the issue. The Legislature having enacted the law a person aggrieved may file a complaint."

Q: Kapil Sibal has not been able to give conviction to objectionable content as social unrest can't take place through web and it needs well oiled machinery and as far as using offensive language against politicians is concerned it won't be curtailed through web and it will require better self regulation among politicians rather than being irresponsible

Asked by: Rij

A: I agree completely.

Q: Do you feel that Government (Congress in particular ) is trying to impose restrictions on social media to stifle the peoples anger against the Government and its leaders due to various scams and corruption?

Asked by: Santosh

A: No. I am taking Mr. Sibal's words at face value, that what they are trying to prevent is hate speech, inciting speech. Still, the means of doing so are undemocratic, ignorant of how the Internet functions, and liable to have very harmful consequences on our polity.

Q: Are our laws going to be like those in gulf countries with respect to censorship? In the name of communal messages, is there a motive to censor something else?

Asked by: Gaurav

A: It doesn't matter what the 'ulterior motive' is, and I'm not sure there is one. The touchstone should should be that of our Constitution and Article 19(1)(a), which guarantees freedom of speech and expression with the Article 19(2) laying down the reasons for which reasonable restrictions can be laid down. And in many ways our laws are worse than those in Saudi Arabia. There at least when a website is blocked or content removed the public is notified when they try and access the content. In India, there is no such notification.

Q: Is this being done as the politicians on the whole and congressmen in particular are not upon notwithstanding how true the comment is. Is it particular so when they are charry if any adverse comment is made on the Gandhis. All these politicians who have opted for public life need to be open for adverse comments as they are in the public limelight and or it is their privilege.

Asked by: Arun

A: The examples being cited by Kapil Sibal are of harming religious sentiments and inciting hatred. Be that as it may, even if the content deserves to be removed—and I can't comment until I see the content he finds offensive—doing so by mandating pre-censorship by intermediaries with liability fixed on them otherwise is a wrong way of going about it.

* The chat is over. Read the original published in IBN Live Chat here

For more details visit https://cis-india.org/news/ibn-live-chat-with-pranesh

Is Privacy Obsolete?

Admin — 2018-06-23T05:01:21Z

Pranesh Prakash was a panelist at this event organized by TERI in Bangalore on June 22, 2018.

For more details visit https://cis-india.org/internet-governance/news/is-privacy-obsolete

Is India's government becoming Big Brother?

praskrishna — 2013-06-05T09:39:53Z

India's new Central Monitoring System will give officials unprecedented access to calls, texts, and online activity.

The blog post by Talia Ralph and Jason Overdorf was published in Global Post on May 9, 2013. Pranesh Prakash is quoted.

The government has quietly started putting into place its new Central Monitoring System, a project that will give it access to its citizens' telephone calls, texts, and online activities.

The system, in development since 2009, will enable state agencies to monitor all digital interactions, the Times of India reported.

Work on CMS has been kept quiet for the past few years, although the newspaper reported that several government agencies ordered specialized equipment and systems for monitoring telecommunications.

India's government has steadily been increasing its access to telecommunications since the 2008 Mumbai bombings to help track militants and illegal activities.

The country — one of the world's fastest-growing internet markets — enacted its information technology law in 2000, and amended it twice, in 2008 and again in 2011.

As PCWorld described the new system,

The CMS will have central and regional databases to help central and state-level enforcement agencies intercept and monitor communications, the government said. It will also have direct electronic provisioning of target numbers by government agencies without any intervention from telecom service providers, it added. It will also feature analysis of call data records and data mining of these records to identify call details, location details, and other information of the target numbers.

Internet freedom activists and privacy experts worry the project offers far too much access to citizens' communications. They say official agencies allegedly misused and leaked tapped phone conversations, while the government has sought to quash dissent and silence critics on the internet under the guise of preventing hate speech.

"In the absence of a strong privacy law that promotes transparency about surveillance and thus allows us to judge the utility of the surveillance, this kind of development is very worrisome," Pranesh Prakash, the director of policy at the Center for Internet and Society, told the Times of India.

"Further, this has been done with neither public nor parliamentary dialog, making the government unaccountable to its citizens," he added.

The government last year blocked mobile phones and shut down social media sites ostensibly to prevent communal riots, but in the process blocked some 16 Twitter handles known to be critical of the government.

Critics of the CMS movement wrote a blog post arguing that the Indian government wants to use the law to censor "hate speeches and government criticism."

"We know the government today hates public criticizing it," the group Stop ICMS wrote on their blog. "The recent arrests of people for tweeting or posting on Facebook has proved that. Govt. does not like criticism that can be seen by everyone on the Internet."

The CMS program is in place in a "preliminary state" right now, with the full version expected to be in place by August 2014.

For more details visit https://cis-india.org/news/global-post-talia-ralph-jason-overdorf-may-9-2013-is-indias-govt-becoming-big-brother