We are anonymous, we are legion

Is your facebook page your mini resume?

praskrishna — 2012-03-26T07:27:43Z

As privacy debates heat up across the world, Bangaloreans reveal the trend of employers asking job aspirants for their Facebook IDs and passwords has caught on here too. When Adil Pasha, 24, revealed at an advertising job interview that his main strength was creativity, his interviewers asked for his FB password to check his latest updates.

This was published in IBNLive on March 26, 2012 . Sunil Abraham is quoted in this.

They rejected him, as he was going through a break-up and had put up song lyrics as his status message. On the other hand, Sukanya Srinivasan, 19, got an internship chance at a leading IT firm solely based on her FB photo albums.

“A company recently rejected my application after looking at the number of people I’d blocked on my chat list. They thought I didn’t have good interpersonal skills. I might be a friendly, harmless flirt, but the company might think I could sexually harass women employees. If they see my photos at a party, they might think I’m an alcoholic,” said Kiran Giridhar (name changed), who has attended over 12 interviews in the last two months, where his social life mattered more.

Recently, Facebook chief privacy officer Erin Egan said they had seen a distressing increase in reports of employers seeking to gain access to people’s Facebook profiles or private information.

“The most alarming of these practices is the reported incidents of employers asking prospective or actual employees to reveal their passwords,” she wrote on the website’s privacy page. The controversy is now being fought on moral and ethical grounds.

"This is a privacy infringement but there is no provision in the law (IT Act-2008) that prohibits employers from asking for personal information. This is happening with the willingness of potential candidates. If a person finds it unacceptable, he/she shouldn’t share the password. Background checks are common as some companies deal with sensitive information. So it’s not illegal, but intrusive. I think some power relationships can be abused if they cross the social networking barrier — like a boss-employee and teacher-student relationship. Corporate policy should prevent such things," explained Sunil Abraham, executive director, Centre for Internet and Society.

For more details visit https://cis-india.org/news/facebook-page-mini-resume

Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally

praskrishna — 2017-02-27T01:56:28Z

Fears of Aadhar biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization

Pranesh Prakash and Sunil Abraham have been quoted in this article published by Outlook on February 24, 2017.

The biggest fear regarding misuse of Aadhar biometrics and security loopholes are becoming real.

Three firms are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, reported The Times of India.

The paper reported that the Unique Identification Authority of India (UIDAI) has lodged a criminal complaint with the cyber cell of Delhi Police, saying it is a clear violation of the law.

“The firms are Axis Bank, Suvidhaa Infoserve and eMudhra. They have been served a “notice for action“ under Aadhaar regulations”.

The firms have been accused of storing biometrics and using them illegally.

The fears of biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization. They are preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money.

The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

Outlook’s Senior Associate Editor Arindam Mukherjee had in a clairvoyant article for the magazine raised the fears of biometrics being manipulated.

In the article, critics of Aadhaar and Aadhaar-based services raised the issue of privacy and security of biometric and personal data.

Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as Aadhar-Enabled Payment Services encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable Aadhaar Enabled Payment System PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices.

And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned.

“Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

For more details visit https://cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally

Is This The Beginning Of The End For Facebook?

Admin — 2018-04-17T14:44:23Z

After two days of congressional hearings that collectively lasted over ten hours, there are many questions about Facebook, its policies and its future that experts are debating.

The article by Aayush Ailawadi was published in Bloomberg Quint on April 15, 2018. Pranesh Prakash was quoted.

Do Facebook’s privacy policies confuse more than they inform? Is the platform a near monopoly that may need to be broken? And how do you ensure that the vast wealth of data that Facebook has is not misused, particularly in elections?

BloombergQuint has collected views on some of these issues.

Privacy Policy Or Legalese?

Since the Cambrdge Analytica scandal came to light, Facebook has been receiving a lot of flak for its ambiguous and verbose privacy and data policy. Lawmakers quizzed founder Mark Zuckerberg about how an ordinary user was expected to decipher the terms of the user agreement, something even some of the lawmakers grilling him couldn’t comprehend.

Jitendra Waral of Bloomberg Intelligence says, “It’s so complicated that nobody reads it. Essentially the data sharing beyond the Facebook ecosystem came into question here. Is it just necessary to have data sharing for the service to work? Is it restricted to you sharing your content with your friends in your network or do the restrictions go beyond that? So basically they have a lot of work to do in terms of transparency, in terms how the data is used and shared.”

During the conversations, it also came to light that Facebook collects data even on those who don’t use the platform.

“In general we collect data on people who are not signed up for Facebook for security purposes," Zuckerberg said Wednesday in a hearing about the social network’s privacy practices in Washingtonbefore the House Energy and Commerce Committee.

While privacy experts and tech geeks have been crying foul for years about the data collection and storage practices adopted by tech behemoths like Facebook, this revelation by the Facebook founder was the first public acknowledgement of the fact.

Is Facebook A Monopoly?

It’s not just data concerns that were brought up at the hearings.

Sen. Lindsey Graham asked Zuckerberg if Facebook enjoys a monopoly on the type of service it provides to its users. He asked, “If I buy a Ford and it doesn’t work well and I don’t like it, I can buy a Chevy, if I’m upset with Facebook, what’s the equivalent product that I can go sign up for?”

Zuckerberg responded to say that there are other tech companies which operate in the same sphere as Facebook does. He offered statistics of how many Americans use different social apps nowadays, in support of his argument that Facebook does not enjoy a monopoly in the tech world.

Jeff Hauser, executive director of the Revolving Door Project at the non-partisan Center for Economic and Policy Research says, “ Zuckerberg's answer to who his competitor was kind of comically unsatisfying because there is no competition for Facebook and they do have monopoly power in the United States and in many other countries across the world. ”

So one idea is to take Facebook and break it into many other parts that it acquired through previous acquisitions. Instagram would be a powerful competitor to Facebook if it was independent of Facebook. WhatsApp would be a powerful competitor to Facebook if it was an independent competitor to Facebook.

Jeff Hauser, Center for Economic and Policy Research

Time To Regulate The Internet?

Another big moment during the testimony was when Zuckerberg conceded that it was only a matter of time before the internet would be regulated.

He said, “The internet is growing in importance around the world in people’s lives and I think that it is inevitable that there will need to be some regulation.”

Waral agrees that light touch regulation is the way to prevent a Cambridge Analytica like scandal from occurring again in the future. But, he believes that regulation will only raise costs for a company like Facebook. He explains, “What it does is raise compliance costs through out the ecosystem. So, the impact on Facebook from this is that the company is going to increase expenses due to compliance costs.”

The Big Election(s) Year

During his testimony, Zuckerberg did acknowledge that a lot needs to be done to ensure data does not get misused, particularly in elections. Concerns about misuse of user data have emerged in countries like the U.S., but also in India.

Last month, the Union Minister for Law and Information Technology, Ravi Shankar Prasad warned Zuckerberg that if there was any data theft of Indian users due to Facebook’s data collection practices, he would stop at nothing short of summoning the Facebook founder to India.

While Pranesh Prakash, policy director at the Centre For Internet and Society, doesn’t believe the government would actually summon Zuckerberg to India, he says, “One new concern that's valid across the world, where there are limitations put on freedom of expression during times of campaigning and elections, how do they translate online? There is no typical answer to this.”

Most of the speech regulations apply to candidates and apply to media platforms, which are largely mass media platforms. Now, social media platforms where individuals express themselves might not be regulated the same way or currently at least aren’t regulated the same way.

Pranesh Prakash, Policy Director, Centre For Internet and Society

Pranesh thinks it is time to re-look at the existing election laws which might not prove to be as useful now as they were some time ago.

Hauser thinks Facebook should help users discern between fakes news and a legitimate source of news.

In the 2016 elections cycle, for fake news, a lot of bots and trolls liked them and they started appearing in the lot of users’ feeds. So the algorithm of Facebook encouraged manipulation. Facebook needs to address these concerns. I don’t think we can trust Facebook if it doesn’t make hard decisions about its algorithms. Right now, Facebook needs to say this is what the algorithm does.

Jeff Hauser, Center for Economic and Policy Research

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-aayush-ailawadi-april-15-2018-is-this-the-beginning-of-the-end-for-facebook

Is there a case for penalizing fake news?

Admin — 2018-03-07T14:23:05Z

Facebook and Twitter have been under increasing scrutiny for allowing targeted political ads from Russia-backed entities to manipulate voters and influence elections.

The article by Nilesh Christopher was published by ET Tech on March 7, 2018. Sunil Abraham was quoted.

In May 2017, rumours of child-lifters on the prowl circulated on WhatsApp led to the lynching of seven men in Jharkhand.

The same month, the administrator of a WhatsApp group was arrested and later released on bail after a member of the group posted a “morphed” photograph of Prime Minister Narendra Modi wearing a garland of shoes.

A month earlier, following the assembly election in Uttar Pradesh, a district magistrate and a police official issued a joint order warning that WhatsApp group administrators could be slapped with criminal charges if factually incorrect or rumours were circulated in the group. Officials in Bihar followed suit, issuing similar orders against circulation of hoaxes.

These are just a few instance of ‘fake news’ on digital platforms that India had to deal with in 2017. Between June 2016 and May last year, more than 20 criminal complaints involving online content were filed, and many people were detained for content circulated on WhatsApp or published on Facebook, as per research organisation Freedom House.

As the consequences of bogus news become more pervasive, stoking resentment and violence, many South Asian countries such as Philippines, Indonesia, and Vietnam have sought to treat the manipulation of content as a criminal offence.

“It is not penalising, but defining ‘fake news’ which is a challenge,” said Max Smeets, Cybersecurity fellow at Stanford University. “We currently lack a common definition of fake news. Is it about fake personas, spam, data theft, seeding stories in the press or creating fake stories? We have to be clear by what we mean if we want to penalise fake news (or more generally tackle it).”

Criminalising dissemination is difficult mainly because people who disseminate the information are not necessarily aware that they are involved in this practice.

The inherent ambiguity has led certain governments to frame stringent laws to deal with the menace. Philippines President Rodrigo Duterte signed stricter laws authorising punitive action resulting in a jail term of up to six months and heavy fines of up to an equivalent of Rs 2.5 lakh for publishers of fake news. But Duterte’s version of the law applies to anyone who expresses a contrarian view of the government or “causes damage to the state”. The government has set up a special task force in the national police to look into fake news, but experts say it amounts to a witch-hunt in the guise of a clampdown on fake news.

The proliferation of ‘fake news’ through misinformation and hyper-partisan content came to the fore in the run-up to the 2016 Presidential election in the United States. Facebook and Twitter have been under increasing scrutiny for allowing targeted political ads from Russia-backed entities to manipulate voters and influence elections.

Since then, “manipulation and disinformation tactics played an important role in elections in at least 17 other countries over the past year, damaging citizens’ ability to choose their leaders based on factual news and authentic debate,” as per Freedom on the Net 2017 report.

In one of the most high-profile crackdowns on the fake news in 2017, Indonesian police incarcerated administrators of organised crime ring Saracen, which peddled racist and sectarian fake news against political parties. “Indonesia had to start fighting ‘organised fake news’ organisations such as Saracen who were launching targeted fake news campaigns on behalf of political parties during the periods leading up to major elections,” said Spandana Singh, Millennial public policy fellow at New America.

With more than 800,000 followers on Facebook, the admins made millions through advertising revenue by creating memes and fake posts on their page. As a result, on January 3, Indonesia launched a separate cybersecurity task force to bring purveyors of fake news to task.

“Criminalising fake news is counterproductive,” said Sunil Abraham, executive director of the Centre for Internet and Society. “The trouble with criminalisation is the person circulating the news is ‘fooled’ and is unaware of the crime they are committing. It is very similar to copyright infringement at a non-commercial stage. Many just don’t know,” Abraham said.

“Fake news cannot be battled by the government alone. Often it is the parties in power who are involved in many fake news cases,” he said.

How do we fix this?

Of the 3.4 billion people with access to the internet, 42% live in countries where governments employ armies of “opinion shapers” to spread government views and counter government critics on social media, as per the Freedom on the Net 2017 report.

In the West, corporations are typically the ones that are expected to take up the mantle to tackle fake news. “But government censorship and corporate censorship are not the appropriate ways forward, as this impinges on freedom of speech,” Abraham said.

This raises the question as to who should fix the problem. For starters, in the European Union (EU), Germany has passed a law called the Network Enforcement Act or NetzDG advocating a crackdown on “punishable false reports”. Enforced in October 2017, the hate speech law mandates that companies remove hate speech within a certain time period, and this was created with the intention of also curbing fake news.

Policy experts say the only way forward is more collaboration among various stakeholders. In India, there are organisations such as SM Hoax Slayer and Altnews working to combat disinformation, but “stronger digital literacy, education, and transparency is the way to fight it”, Singh said. “Since there is a business model which has been established for fake news, more people may also try to join the illegal disinformation industry if it continues to prove profitable,” he said.

While existing laws are fragmented, Abraham offered a different policy view of the problem at hand. “The only way to combat bad speech is with good speech. Instead of criminalising, you can mandate public service announcements in on social media channels,” he said.

That is, if someone is using fake news to spark a riot, under the circumstances of an emergency, the government should be allowed to push actual facts around the area even in private WhatsApp groups. “A message similar to a ‘must carry’ obligation in broadcast regulation can come in,” Abraham said.

For instance, Catalan is a minority language in Spain but all Spanish language broadcasters must carry some amount of news in Catalan, Abraham said, adding this could be one way of dealing with if not eradicating fake news.

So far, the only solution to prevent rumour mongering in “sensitive” areas in India has been blocking social media sites and suspending internet services. There have been nearly 40 information communication technology (ICT) shutdowns ordered by local authorities, some lasting several months in Jammu and Kashmir, as per the Freedom on the Net 2017 report.

“Platforms like Facebook, WhatsApp, Twitter and the like are different from each other. This makes it difficult to set common standards for all organizations and to compare them fairly,” Smeets said.

“It is especially difficult for highly compartmentalised platforms like WhatsApp to deal with fake news, compared to a more public forum like Facebook,” he said.

For more details visit https://cis-india.org/internet-governance/news/et-tech-nilesh-christopher-march-7-2018-is-there-a-case-for-penalizing-fake-news

Is the viral #10YearChallenge just another sneaky way for tech firms to gather users’ personal data?

Admin — 2019-02-02T13:57:40Z

Is it merely an exercise in nostalgia? Or is it providing fodder for facial recognition algorithms on ageing?

The blog post by Devarsi Ghosh was published in Scroll.in on January 18, 2019. Pranesh Prakash was quoted.

“I like to look back at old memories and smile,” said the 25-year-old Kolkata resident Smitakshi Chowdhury. That’s what prompted her to upload a decade-old photo of herself alongside a recent one on Facebook last week without much thought. Chowdhury is among tens of thousands of people who have participated in the “ten year challenge” that has gone viral in recent days as social media users nostalgically display “then” and “now” images of themselves to the world.

Among the prominent Indian personalities who showed how they’d changed over the decade were movie stars Sonam Kapoor, Diana Penty and Shruti Haasan.

But is there a darker design to this initiative to get social media users to sportlingly show what a difference a decade can make? On January 15, an article in Wired suggested that the fad could be an ingenious ploy to gather data on a person’s age or how people age over time. The article by technology writer Kate O’Neill noted that data obtained in this way could be put to a variety of purposes, some benign such as targeted advertising, and some not so harmless.

“Age progression could someday factor into insurance assessment and health care,” O’Neill writes. “For example, if you seem to be ageing faster than your cohorts, perhaps you’re not a very good insurance risk. You may pay more or be denied coverage.”

This hypothesis set off a frenzy, as social media users issued warnings against participating in the challenge. But others noted that Facebook already has photographs of many long-time users from 10 years ago or more. It was also pointed out that the metadata of images posted online contains information about the date on which the photo was taken, where it was shot and the unique identification number of the photo device – even though most people don’t realise this. With so much information already out there, there isn’t much the 10-Year Challenge could add.

“Facebook has spookily sophisticated face-recognition technology, as anyone who’s seen Facebook’s automatic tagging software at work will tell you,” wrote Max Read in New York Magazine.

The debate has revolved around not only what tech companies know about social media users but how they share this information. For instance, Facebook’s facial tagging system identifies people in images to third parties, making it susceptible to misuse. In fact, Facebook had been storing data obtained through facial recognition software since 2011, without notifying or obtaining consent from its users. It was only in February 2018 that it gave users the chance to opt out of the system.

Facebook, on its part, in an official statement, said that it was not involved with the 10-Year Challenge.

Possibilities of misuse

While personal information uploaded online could potentially be misused in several ways, that does not mean just about any doomsday scenario is feasible, said Pranesh Prakash of the Centre for Internet and Society.

“Insurance companies always try to gather as much information as they can about a person to weed out bad risks but governments regulate these companies on the matter of what they can or cannot use,” he said.

For example, in 2018, the Delhi High Court ruled that insurance companies could not deny coverage to a person based on their genetic history, he noted. However, the contradictory ruling also said that if a disorder was established after genetic testing, the insurance company could deny coverage or demand higher premiums.

Prakash suggested a more dire situation. “Suppose the data produced from the 10-Year Challenge is used to improve the quality of deepfakes and that is put into making pornography about you against your will?” he said. “That business, unlike insurance, is unregulated.”

On the other hand, the prospect of a person’s rate of ageing being calculated by algorithms could also be beneficial. “If a medical AI [artificial intelligence] company figures out your health looking at the data based on your face and detects early skin cancer, would anyone be complaining about this?” asked Shashank Bijapur, co-founder of SpotDraft, a Gurgaon-based company that creates and manages legal contracts using artificial intelligence.

He noted that while it is impractical to expect businesses to ignore the opportunity to use such data to their advantage, social media users should make informed decisions while signing up on platforms. “Every such app online has a privacy policy which is made available to whoever is using it right at the beginning,” Bijapur said.

For more details visit https://cis-india.org/internet-governance/news/scroll-in-january-18-2019-devarsi-ghosh-is-the-viral-10yearchallenge-just-another-sneaky-way-for-tech-firms-to-gather-users-personal-data

Is the new ‘interception’ order old wine in a new bottle?

Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare — 2018-12-29T16:02:00Z

The government could always authorise intelligence agencies to intercept and monitor communications, but the lack of clarity is problematic.

An opinion piece co-authored by Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare was published in Newslaundry.com on December 27, 2018.

On December 20, 2018, through an order issued by the Ministry of Home Affairs (MHA), 10 security agencies—including the Intelligence Bureau, the Central Bureau of Investigation, the Enforcement Directorate and the National Investigation Agency—were listed as the intelligence agencies in India with the power to intercept, monitor and decrypt "any information" generated, transmitted, received, or stored in any computer under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

On December 21, the Press Information Bureau published a press release providing clarifications to the previous day’s order. It said the notification served to merely reaffirm the existing powers delegated to the 10 agencies and that no new powers were conferred on them. Additionally, the release also stated that “adequate safeguards” in the IT Act and in the Telegraph Act to regulate these agencies’ powers.

Presumably, these safeguards refer to the Review Committee constituted to review orders of interception and the prior approval needed by the Competent Authority—in this case, the secretary in the Ministry of Home Affairs in the case of the Central government and the secretary in charge of the Home Department in the case of the State government.

As noted in the press release, the government has always had the power to authorise intelligence agencies to submit requests to carry out the interception, decryption, and monitoring of communications, under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

When considering the implications of this notification, it is important to look at it in the larger framework of India’s surveillance regime, which is made up of a set of provisions found across multiple laws and operating licenses with differing standards and surveillance capabilities.

- Section 5(2) of the Indian Telegraph Act, 1885 allows the government (or an empowered authority) to intercept or detain transmitted information on the grounds of a public emergency, or in the interest of public safety if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. This is supplemented by Rule 419A of the Indian Telegraph Rules, 1951, which gives further directions for the interception of these messages.

- Condition 42 of the Unified Licence for Access Services, mandates that every telecom service provider must facilitate the application of the Indian Telegraph Act. Condition 42.2 specifically mandates that the license holders must comply with Section 5 of the same Act.

- Section 69(1) of the Information Technology Act and associated Rules allows for the interception, monitoring, and decryption of information stored or transmitted through any computer resource if it is found to be necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

- Section 69B of the Information Technology Act and associated Rules empowers the Centre to authorise any agency of the government to monitor and collect traffic data “to enhance cyber security, and for identification, analysis, and prevention of intrusion, or spread of computer contaminant in the country”.

- Section 92 of the CrPc allows for a Magistrate or Court to order access to call record details.

Notably, a key difference between the IT Act and the Telegraph Act in the context of interception is that the Telegraph Act permits interception for preventing incitement to the commission of an offence on the condition of public emergency or in the interest of public safety while the IT Act permits interception, monitoring, and decryption of any cognizable offence relating to above or for investigation of any offence. Technically, this difference in surveillance capabilities and grounds for interception could mean that different intelligence agencies would be authorized to carry out respective surveillance capabilities under each statute. Though the Telegraph Act and the associated Rule 419A do not contain an equivalent to Rule 4—nine Central Government agencies and one State Government agency have previously been authorized under the Act. The Central Government agencies authorised under the Telegraph Act are the same as the ones mentioned in the December 20 notification with the following differences:

- Under the Telegraph Act, the Research and Analysis Wing (RAW) has the authority to intercept. However, the 2018 notification more specifically empowers the Cabinet Secretariat of RAW to issue requests for interception under the IT Act.

- Under the Telegraph Act, the Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area, has the authority to intercept. However, the 2018 notification specifically authorises the Commissioner of Police, New Delhi with the power to issue requests for interception.

That said, the IT (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 under 69B of the IT Act contain a provision similar to Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 - allowing the government to authorize agencies that can monitor and collect traffic data. In 2016, the Central Government authorised the Indian Computer Emergency Response Team to monitor and collect traffic data, or information generated, transmitted, received, or stored in any computer resource. This was an exercise of the power conferred upon the Central Government by Section 69B(1) of the IT Act. However, this notification does not reference Rule 4 of the IT Rules, thus it is unclear if a similar notification has been issued under Rule 4.

While it is accurate that the order does not confer new powers, areas of concern that existed with India’s surveillance regime continue to remain including the question of whether 69(1) and 69B and associated Rules are constitutionally valid, the lack of transparency by the government and the prohibition of transparency by service providers, heavy handed penalties on service providers for non-compliance, and a lack of legal backing and oversight mechanisms for intelligence agencies. Some of these could be addressed if the draft Data Protection Bill 2018 is enacted and the Puttaswamy Judgement fully implemented.

Conclusion

The MHA’s order and the press release thereafter have served to publicise and provide needed clarity with respect to the powers vested in which intelligence agencies in India under section 69(1) of the IT Act. This was previously unclear and could have posed a challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under section 69(1) .

The publishing of the list has subsequently served to raise questions and create a debate about key issues concerning privacy, surveillance and state overreach. On December 24, the order was challenged by advocate ML Sharma on the grounds of it being illegal, unconstitutional and contrary to public interest. Sharma in his contention also stated the need for the order to be tested on the basis of the right to privacy established by the Supreme Court in Puttaswamy which laid out the test of necessity, legality, and proportionality. According to this test, any law that encroaches upon the privacy of the individual will have to be justified in the context of the right to life under Article 21.

But there are also other questions that exist. India has multiple laws enabling its surveillance regime and though this notification clarifies which intelligence agencies can intercept under the IT Act, it is still seemingly unclear which intelligence agencies can monitor and collect traffic data under the 69B Rules. It is also unclear what this order means for past interceptions that have taken place by agencies on this list or agencies outside of this list under section 69(1) and associated Rules of the IT Act. Will these past interceptions possess the same evidentiary value as interceptions made by the authorised agencies in the order?

For more details visit https://cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle

Is the govt caught in the 'censorship' web?

praskrishna — 2012-09-04T06:54:25Z

NDTV aired a one-hour debate on censorship in "We the People" episode hosted by Barkha Dutt on August 26, 2012. Pranesh Prakash participated in the discussions as a speaker.

Pranesh Prakash responded to Barkha Dutt's question on what does a government do in a time of social unrest:

"I think in a time of social unrest there is leeway provided in laws for the government to take action. The law existing and the law allowing for it is a very different matter from the government actually making use of it. There are as shown in the United Kingdom, much better ways of combating situations of riots. As we have seen in India for instance, there are people who provoke riots from podiums yet don't get arrested and as we have seen in the UK, there are people who take part in riots and have been punished a great deal."

Video

See the full debate on NDTV

For more details visit https://cis-india.org/news/www-ndtv-com-we-the-people-aug-26-2012-is-the-govt-caught-in-the-censorship-web

Is the govt bid to regulate content on the Internet a good thing?

praskrishna — 2011-12-08T07:12:24Z

The recent move by Union Minister Kapil Sibal to engage leading Internet platform providers like Google, Facebook, etc in regulating content has seen netizens react in different manners. The question of freedom of expression vis-a-vis objectionable content has come to the fore. Pranesh Prakash who deals with such issues on a regular basis at the Centre for Internet and Society was answering questions (more like comments) live on CNN-IBN's chat feature on December 7, 2011.

Q: OK... then how about this... People report abuse against a page...and after some hits that report will go to the governmental organization, and they will decide on what action to take... this may include hiring of some IT services company to do that and gives more employment to people too. Anyways thanks for replying to my questions.

Asked by: Tilak Kamath

A: How about just approaching courts, who are in a far better position to judge what is legal and what is illegal under Indian law than any IT services company or government organization.

Q: Suppose a group of rabble rousers does indeed use a forum and become violent, (the group being identifiable) would the state have the right to ask the forum to be discontinued?

Asked by: Zeus

A: Of course (if what you meant is 'the right to ask the forum to remove the violence-inciting content'). Indeed, this is how ultra-left wing and ultra-right wing publications that advocate violence (which is an imminent threat) are proscribed in India. And the same laws already apply for online fora. But just as you wouldn't ban a newspaper like DNA for carrying an offensive article (such as the anti-Muslim screed written by Subramanian Swamy a few months back), and just as the postal service wouldn't be discontinued for carrying Maoist letters, a forum shouldn't be banned for offensive content. There is no need for a new 'self-regulation code', since the 'report abuse' links found on many of these sites are exactly that: self-regulation.

Q: Article 19(2) of our constitution places arbitrary and subjective restrictions on free speech - public order, decency, morality are all subjective, according to the whims and fancies of those who are in control. Aren't you concerned this is going down the exact path (ignoring that this is impractical to begin with)?

Asked by: Karunakaran

A: No, because there is a rich jurisprudence laid down by the Supreme Court of what is and what isn't a "reasonable restriction". While I do believe that our Constitution does go beyond what the International Covenant on Civil and Political Rights (to which India is a signatory) allows for, Article 19(2)'s interpretation by the Supreme Court and the High Courts have been very progressive for the most part.

Q: The government has a mandate to govern and keep the society in harmony and take care of law & order... If no check on the expressions of netizens the chances of a spark generating debate can escalate to violence given the extremism we see today. The media in print as well as electronic we know & see does it's CENSORING, calling it as editing and publishing only what it likes and wants.This style is for all including CNN-IBN.The difference is in media, the EDITOR gets responsible in case of offensive or blashphemous material gets published. Social network the responsibility seems missing. Freedom always needs to be enjoyed with discipline. How do you the minority indisciplined netizens, who are there and no denying on that ?

Asked by: sundar1950in

A: I believe that killing speech is not the right way to prevent violence. Indeed, a newspaper editor in the Maldives recently noted that they have had less violence committed against the newspaper office ever since they allowed for online comments. Speech often allows people to vent out violence instead of acting it out. Violence should be curbed by reining in those who're committing it, and those who're inciting it on the ground. At any rate, the laws that apply to inciting violence in print apply to the Web also, and no new rules need to be drafted.

Q: Thanks for the information on the report abuse button. but can't we have a Governmental agency regulating websites like FB or Google... they can't say no, cos India is a Huge market for such companies.. and why don't we find many ultra offensive posts about the U.S. or other countries, as we find for Indians..

Asked by: Tilak Kamath

A: That would be a very bad idea. Governments don't have a regulatory agency to dictate what letters post-offices shouldn't carry, nor what articles newspapers shouldn't publish. They should definitely not have a regulatory agency dictate what status updates Facebook or Google+ should and shouldn't carry. You don't find ultra-offensive posts about the U.S. because you aren't looking around. They're *everywhere*, even more so than those that bad-mouth India. Yet, such offensive speech is the price we have to pay (gladly, I should add) for democracy and the freedom of speech.

Q: The idea to ban any post on something that would lead to communal strike is fine however, I feel this is not the intention. The intention is clearly political and due to the Anna movement becoming popular thanks to the posts on the internet as also certain remarks on the Gandhi family in particular and Congress leaders specifically has led to this decision. Kapil Sibal is a smart alec and he knows that this can be used against any adverse comments against them.

Asked by: Arun

A: I am less suspicious of Mr. Sibal. I believe, especially after speaking with some senior lawyer friends of his, that he genuinely believes what he is doing to be required and legal and constitutional, and not for the appeasement of one or two Congress leaders. That, however, does not make his suggested solution correct. Multiple High Courts' decisions have held otherwise, and the Supreme Court's decision in Ajay Goswami v. Union of India also provides them support.

Q: One best possible thing is to advertise the Report Abuse button on the Internet, don't you think so? again there should be proper authentication to do so to avoid miscreants blocking some good pages unnecessarily.

Asked by: Tilak Kamath

A: I believe that the "Report Abuse" option available on most large social media and social network websites is useful, but it is also potentially dangerous since it allows a private party (such as Facebook or Google), rather than a court, to dictate what content is and isn't acceptable, to the possible detriment of larger society.

Q: Good evening sir, my question is that it is legal to pre-screen the private data of users by sites and to interfere between their privacy.

Asked by: Shrey Goswami

A: Whether this proposal by Shri Sibal necessarily involves an invasion of privacy is an open question, since the details of the proposal as as yet not fully sketched out. On Google Plus and Facebook, one can restrictedly share information. Will such restricted sharing also have to be pre-screened, or only information that is going to be available to all members of the public? The proposal still consists only of press articles and a press conference held by the Minister. Even assuming it only require pre-screening of information that is going to be publicly accessible, it imposes too high a burden on intermediaries, and is impractical. And, as you might be aware, only very limited pre-censorship is allowed in India, and such a general requirement of pre-censorship does not seem to be constitutional, in my opinion.

Q: Yes, we were browsing FB yesterday and some content in there, could not be opened in front of my children. So Content is not always good, and there must be some kind of screening. Again, the current trend in India, to think that whatever the government does is not at all a good one. Governing must be left to government and not to news channels/civil society, etc. This looks dangerous, and sad no one is realising this.

Asked by: Narayanan S

A: Perhaps I should allow former Supreme Court Justice Hidyatullah's words speak for themselves: "Our standards must be so framed that we are not reduced to a level where the protection of the least capable and the most depraved amongst us determines what the morally healthy cannot view or read." - Justice Hidyatullah in K.A. Abbas v. Union of India. In the Janhit Manch case, the Bombay High Court held: "By the present petition what the petition seeks is that this court which is a protector of free speech to the citizens of this country, should interfere and direct the respondents to make a coordinated and sustained effort to close down the websites as aforestated. Once Parliament in its wisdom has enacted a law and has provided for the punishment for breach of that law any citizen of this country including the Petitioner who is aggrieved against any action on the part of any other person which may amount to an offence has a right to approach the appropriate forum and lodge a complaint upon which the action can be taken if an offence is disclosed. Court in such matters, the guardians of the freedom of speech, and more so a constitutional court should not embark on an exercise to direct State Authorities to monitor websites. If such an exercise is done, then a party aggrieved, depending on the sensibilities of persons whose view may differ on what is morally degrading or prurient will be sitting in judgment, even before the aggrieved person can lead his evidence and a competent court decides the issue. The Legislature having enacted the law a person aggrieved may file a complaint."

Q: Kapil Sibal has not been able to give conviction to objectionable content as social unrest can't take place through web and it needs well oiled machinery and as far as using offensive language against politicians is concerned it won't be curtailed through web and it will require better self regulation among politicians rather than being irresponsible

Asked by: Rij

A: I agree completely.

Q: Do you feel that Government (Congress in particular ) is trying to impose restrictions on social media to stifle the peoples anger against the Government and its leaders due to various scams and corruption?

Asked by: Santosh

A: No. I am taking Mr. Sibal's words at face value, that what they are trying to prevent is hate speech, inciting speech. Still, the means of doing so are undemocratic, ignorant of how the Internet functions, and liable to have very harmful consequences on our polity.

Q: Are our laws going to be like those in gulf countries with respect to censorship? In the name of communal messages, is there a motive to censor something else?

Asked by: Gaurav

A: It doesn't matter what the 'ulterior motive' is, and I'm not sure there is one. The touchstone should should be that of our Constitution and Article 19(1)(a), which guarantees freedom of speech and expression with the Article 19(2) laying down the reasons for which reasonable restrictions can be laid down. And in many ways our laws are worse than those in Saudi Arabia. There at least when a website is blocked or content removed the public is notified when they try and access the content. In India, there is no such notification.

Q: Is this being done as the politicians on the whole and congressmen in particular are not upon notwithstanding how true the comment is. Is it particular so when they are charry if any adverse comment is made on the Gandhis. All these politicians who have opted for public life need to be open for adverse comments as they are in the public limelight and or it is their privilege.

Asked by: Arun

A: The examples being cited by Kapil Sibal are of harming religious sentiments and inciting hatred. Be that as it may, even if the content deserves to be removed—and I can't comment until I see the content he finds offensive—doing so by mandating pre-censorship by intermediaries with liability fixed on them otherwise is a wrong way of going about it.

* The chat is over. Read the original published in IBN Live Chat here

For more details visit https://cis-india.org/news/ibn-live-chat-with-pranesh

Is Privacy Obsolete?

Admin — 2018-06-23T05:01:21Z

Pranesh Prakash was a panelist at this event organized by TERI in Bangalore on June 22, 2018.

For more details visit https://cis-india.org/internet-governance/news/is-privacy-obsolete

Is India's government becoming Big Brother?

praskrishna — 2013-06-05T09:39:53Z

India's new Central Monitoring System will give officials unprecedented access to calls, texts, and online activity.

The blog post by Talia Ralph and Jason Overdorf was published in Global Post on May 9, 2013. Pranesh Prakash is quoted.

The government has quietly started putting into place its new Central Monitoring System, a project that will give it access to its citizens' telephone calls, texts, and online activities.

The system, in development since 2009, will enable state agencies to monitor all digital interactions, the Times of India reported.

Work on CMS has been kept quiet for the past few years, although the newspaper reported that several government agencies ordered specialized equipment and systems for monitoring telecommunications.

India's government has steadily been increasing its access to telecommunications since the 2008 Mumbai bombings to help track militants and illegal activities.

The country — one of the world's fastest-growing internet markets — enacted its information technology law in 2000, and amended it twice, in 2008 and again in 2011.

As PCWorld described the new system,

The CMS will have central and regional databases to help central and state-level enforcement agencies intercept and monitor communications, the government said. It will also have direct electronic provisioning of target numbers by government agencies without any intervention from telecom service providers, it added. It will also feature analysis of call data records and data mining of these records to identify call details, location details, and other information of the target numbers.

Internet freedom activists and privacy experts worry the project offers far too much access to citizens' communications. They say official agencies allegedly misused and leaked tapped phone conversations, while the government has sought to quash dissent and silence critics on the internet under the guise of preventing hate speech.

"In the absence of a strong privacy law that promotes transparency about surveillance and thus allows us to judge the utility of the surveillance, this kind of development is very worrisome," Pranesh Prakash, the director of policy at the Center for Internet and Society, told the Times of India.

"Further, this has been done with neither public nor parliamentary dialog, making the government unaccountable to its citizens," he added.

The government last year blocked mobile phones and shut down social media sites ostensibly to prevent communal riots, but in the process blocked some 16 Twitter handles known to be critical of the government.

Critics of the CMS movement wrote a blog post arguing that the Indian government wants to use the law to censor "hate speeches and government criticism."

"We know the government today hates public criticizing it," the group Stop ICMS wrote on their blog. "The recent arrests of people for tweeting or posting on Facebook has proved that. Govt. does not like criticism that can be seen by everyone on the Internet."

The CMS program is in place in a "preliminary state" right now, with the full version expected to be in place by August 2014.

For more details visit https://cis-india.org/news/global-post-talia-ralph-jason-overdorf-may-9-2013-is-indias-govt-becoming-big-brother

Is India the next frontier for Facebook?

praskrishna — 2014-11-05T00:43:00Z

Pushing to bring hundreds of millions of Indians into the online world, Facebook founder Mark Zuckerberg on Thursday called for expanding his pet project to provide free mobile Internet for developing countries into India.

The article by Rama Lakshmi was published in Washington Post on October 9, 2014. Sunil Abraham was one of the signatories.

Zuckerberg, 30, the billionaire founder of the Facebook empire, arrives in India at a time when Facebook is losing its luster among American teens, but India’s vast market has yet to be fully tapped. A democratic country with a growing economy like India’s, with 1.2 billion people, two-thirds of whom are under the age of 35, is a market the company cannot afford to ignore.

India has the third-largest population of Internet users in the world at 205 million now, ranking after the United States and China. Yet the majority of its rural poor don’t have Internet access, and less than a tenth of its people, about 100 million, are on Facebook.

“Connectivity can’t be restricted to just the rich and powerful,” Zuckerberg said at a conference on connectivity in New Delhi. Rather, he said, it’s a basic “human right.”

Zuckerberg hopes to use his Internet.org connectivity initiative, which he started with a handful of other tech companies in 2013, to expand Indians’ online footprint and promote Facebook. He said the program will set aside $1 million to help develop local language apps for farmers, women and students in developing countries, including India.

In the past year, Zuckerberg said, Internet.org helped nearly 3 million people around the world gain access to the Internet and Facebook by working with cellphone operators in Indonesia, the Philippines, Paraguay, Tanzania and Zambia. In those countries, cellphone users signed up for data plans that included free but limited access to health and job information, Wikipedia, Google — and, of course, Facebook.

About 4.4 billion people in the world have no access to the Internet, and “the offline population is . . . disproportionately rural, low income, elderly, illiterate, and female,” said a report by McKinsey and Facebook. Countries such as Egypt, India and Indonesia face the greatest challenges with respect to incentives and infrastructure, the report said.

“It took 10 years for India to touch 100 million Internet users, but it grew to 200 million in just the last two years,” said Subho Roy, president of the Internet and Mobile Association of India. There are 930 million cellphone users in India today. “Cellphones have acted as the primary driver pushing Internet usage in the last two years,” Roy said.

Researchers note that new users’ first experience on the Internet is often on Facebook.

The free basic services that Facebook has promoted in different countries help cellphone users “to experience the Internet, use some things, to understand why it would be valuable for them and get exposure to other services that they might over time want to pay for,” Zuckerberg said.

But many critics say that commerce is driving Zuckerberg’s push for connectivity rather than philanthropy. They say many new users may not pay for wider Web access and that can create entrenched monopolies for companies like Facebook and Google.

“You are allowing people to roam the walled garden of Internet for free. But if they don’t pay to use unlimited Web access, you are also creating monopolies and blocking competition in the Internet space,” said Sunil Abraham, executive director of the Center for Internet and Society in Bangalore. “But in India, we are so hungry for Internet access that we cannot afford to look a gift horse in the mouth. Until India builds physical Internet infrastructure, this will help us in the short term to get connected.”

Zuckerberg said cellphone operators are free to choose which services they want to include in the package: “There is no rule that says that Facebook or any other company has to be included in this. All we are saying is that this is a model that works to get more people on the Internet.”

And Facebook’s India push is not all about chasing numbers, Zuckerberg said.

“The sheer numbers are obviously a very important part of it,” he said. “If you can do it in a country like India, you are improving hundreds of millions, or maybe a billion, people’s lives, whereas doing it in almost any other country, you wouldn’t be able to have that impact.”

India’s new prime minister, Narendra Modi, a user of social media, has set an ambitious target of building a broadband highway connecting 250,000 village councils across the country in the next three years. Zuckerberg said he will meet Modi on Friday to “see how Facebook can help” in India’s new connectivity drive.

For more details visit https://cis-india.org/internet-governance/news/washington-post-october-9-2014-rama-lakshmi-is-india-the-next-frontier-for-facebook

Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No

praskrishna — 2016-09-22T00:57:02Z

From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.

The article by Sushil Kambampati was published in the Wire on September 21, 2016. Pranesh Prakash was quoted.

In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.

However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On May 17, the cyber-security firm Symantec stated in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.

A week later, another cyber-security firm, Kaspersky Lab, announced that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities.

Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators reveal the attack, the target of the attack discloses the breach, or because the leaked data shows up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations received tepid coverage in India. A few news organisations published the same wire story that basically rewrote information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause.

Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.

This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government goes on high alert, resources are mobilised and the public is warned. The government then tries to identify the threat and stop it from doing any harm. Citizens demand that in the future the government take proactive steps to catch infiltrators and prevent any future threats.

Weak government response

One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was used to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm of these breaches cannot be understated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange.

All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values.

Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, disrupt control systems of electrical grids or nuclear facilities and gain access to everything the government knows about its citizens, including personal details, financial information and identity information. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent attempt to heist $800 million from the central bank of Bangladesh.

A report on risks facing India, published in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have  a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.”

In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.

In the Suckfly case, it took a right-to-information query from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.

The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s Computer Emergency Response Team (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.

CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact email address bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is registered in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative.

The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification issued on June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an RTI query to get a statement from the RBI, and there it responded that it had no information on the matter.

The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack.

SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too much time for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.

What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.

Right or wrong?

The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec.

On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach.

If Symantec’s is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India is one of the world’s ten largest economies and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and to let the public know which organisations may be compromised.

According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”

Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know.

What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first revealed by security reporter Michael Krebs. Target was criticised for not coming forth itself and faced several lawsuits. In the US, most states and jurisdictions have laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must report a breach within 24 hours and other organisations have 72 hours.

India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added.

According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.

Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has grown rapidly in India, a study in 2014 by YourStory and Kalaari Capital found that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase.

When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.

As the KPMG report states, cyber attacks are only going to become more common. Despite multiple warnings, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.

For more details visit https://cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks

Is India Ignoring its own Internet Protections?

praskrishna — 2012-01-17T05:33:40Z

India’s information technology law of 2008 limits the liability of Internet companies for material posted on their Web sites by users, including anything government regulators deem objectionable. The firms are supposed to be notified of offensive content — by users or the authorities — and then remove it when legally warranted.

If that’s how the system is supposed to work, then why did the Indian government just sanction a criminal lawsuit against Google, Facebook and 19 other companies that all but ignores those protections in the information technology law?

That is one of the most puzzling elements of the legal drama over free speech on the Web that is unfolding in New Delhi.

The case against the companies, brought by Urdu weekly journalist Vinay Rai, accuses them of violating various provisions of India’s criminal code by allowing material that is mocking or offensive to religious and political figures to stay on their social networking sites. There are charges of inciting communal passions and disturbing public order – catchall stuff normally meant to give police tools to rein in hooligans.

The punishments for these criminal offenses can include several years of jail time and stiff fines. That these elements of the criminal code are now being used to target Internet companies is somewhat bizarre, especially when one considers the apparently careful lawyering that went into drafting protections for Internet companies a few years ago.

As Google and others fight the charges – today they are continuing an appeal in Delhi High Court to quash the case – they will likely make the case that the courts cannot ignore India’s I.T. law. “It isn’t a trivial defense – the court cannot dismiss it,” said Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, a civil liberties advocacy group. “The I.T. act provides immunity to (Internet companies) and that should be the default starting position.”

A spokesman for India’s telecom ministry did not immediately respond to a request for comment. We’ve described Mr. Rai’s rationale for filing the lawsuit in a separate post.

The crackdown on Web companies couldn’t come at a worse time for the emerging Internet sector in India, which many analysts believe has a potential to grow from about 100 million users to more than 300 million within a few years if nurtured. Facebook and Google representatives declined to comment on the case.

The protections for Internet firms are fairly clear in Section 79 of the 2008 law, known as India’s I.T. Act Amendments. An “intermediary,” or Internet firm, “shall not be liable for any third party information, data or communication link.” There are several caveats, of course – the company can’t initiate or solicit the harmful post and can’t coordinate with the offender. Under the rules that India put into place last April to implement the act, companies must remove material that is “grossly harmful, harassing, blasphemous, defamatory” as well as anything “ethnically objectionable, disparaging” or “otherwise unlawful in any manner.”

Internet companies and civil society advocates weren’t happy with those guidelines, finding them far too draconian and subjective. But at least the law required that the companies be notified of such content and be given a chance to remove it within 36 hours. (The punishments for not removing offensive content within 36 hours would depend on the underlying laws governing that content in India; in general, prison time and fines would both be possible.)

In the case of the Vinay Rai lawsuit, such procedures don’t appear to have been followed. Google has told the court it hasn’t seen the allegedly offensive material or been notified about it. Mr. Rai says he didn’t flag the content to Google or others, because he believed his duty as a citizen was to notify the government.

What was the point of passing the I.T. law if it’s being swept to the side?

The article by Amol Sharma was published in the Wall Street Journal on 16 January 2012

For more details visit https://cis-india.org/news/is-india-ignoring-its-own-internet-protections

Is freedom of expression under threat in the digital age?

praskrishna — 2013-02-03T10:50:52Z

This week Index held a high level panel debate in partnership with the Editors Guild of India and the India International Centre to discuss the question “Is freedom of expression under threat in the digital age?” Mahima Kaul reports

This post by Mahima Kaul was published in Index on Censorship on January 18, 2013.

Index on Censorship, in partnership with The Editors Guild of India, hosted a debate in New Delhi on Tuesday (15 January) asking, “Is freedom of expression under threat in the digital age?” Discussing the topic were Ajit Balakrishnan (founder and Chief Executive of rediff.com), Index on Censorship CEO Kirsty Hughes, Sunil Abraham (Executive Director of the centre for Internet and Society), and Professor Timothy Garton Ash, Director of the Free Speech Debate project.

Sunil Abraham questioned the idea of technology specific “internet freedom” that has been advocated by many not least the US Secretary of State Hillary Clinton. He said there was for instance much greater freedom and diversity on Indian TV than in the US. He also argued that that this freedom does not seem to extend to a right of access to knowledge, as demonstrated by the charges brought against open access activist and developer Aaron Swartz, who committed suicide earlier this month. Swartz was facing charges for allegedly downloading 4.8 million academic articles from subscription-only digital library JSTOR.

Abraham said one unintentional effect of censorship by governments is that it teaches citizens how to protect themselves online. Finally, he questioned the Indian government’s draconian laws and arbitrary actions in the digital realm, wondering whether this is the authorities’ way of warning future netizens about “acceptable online behaviour”, to condition the public not to criticise the government and to create a chilling effect.

Digital

Is freedom of expression under threat in the digital age?

18 Jan 2013

This week Index held a high level panel debate in partnership with the Editors Guild of India and the India International Centre to discuss the question “Is freedom of expression under threat in the digital age?” Mahima Kaul reports

Freedom of expression is always under threat and in need of defending, argued Timothy Garton Ash. However, he didn’t think the threat was particularly high today in the digital realm — rather the threats to privacy were what were particularly concerning online. With 76.8 per cent of India’s 1.2 billion population connected by mobile phone, there is an extraordinary opportunity for the prevalence of freedom of expression brought about by new technologies. But he said there are also a lot of challenges to free expression in India — and that “swing states” such as Brazil and India will be very important in determining where the global conversation goes on freedom of expression

Ajit Balakrishnan, founder of web portal Rediff.com, explained that many of the problems that have occurred in the digital realm in India have to do with poor drafting of legislation. He was particularly concerned about intermediary liability and explained why and how intermediaries roles needed protecting. He also explained that government officials have genuine problems with phrasing, and that when it comes to the application of these laws, understanding them and when they should be applied will take another 25 years. He added that the country is challenged by a legal system ill-equipped for coping with new technologies.

Kirsty Hughes said that freedom of expression is a universal right, meant to be applied across borders not just within countries. She said that while the digital domain allowed a big expansion in freedom of expression there were risks we are heading towards a more controlled net, a partially censored net, and a fragmented net (for instance with Iran attempting to build its own internet disconnected from the rest of the world). She said that some of the negative reactions by government to social media in India were seen to in the UK where there had been a trend towards criminalising supposedly offensive comment — although the new interim guidelines on social media prosecutions were a step in the right direction. Hughes emphasised three main concerns — state censorship, privatisation of censorship and the role of big companies, and mass surveillance. She pointed out that the British government had pushed for extensive surveillance with the Communications Data Bill, but this has now been shelved after a critical report from MPs.

Ramanjit Singh Chima, policy adviser for Google, said that the question is not about absolute freedom, but about what is appropriate and lawful. He emphasised that in the US, judges had strongly defended free expression online as they saw the digital world as a powerful space for free exprssion. He pointed out how effective social media tools, including Google’s own products, have become in helping during emergency situations like natural disasters and terrorist attacks. He also pointed out that the internet is not only about free expression but business as well. The internet contributes to 1.6 per cent of India’s GDP. Singh Chima said positive judgements by US and EU courts protect the users, adding that regulation for the net should be appropriate for its engineering.

For more details visit https://cis-india.org/news/index-on-censorship-mahima-kaul-january-18-2013-is-freedom-of-expression-under-threat-in-the-digital-age

Is freedom of expression under threat in digital age?

praskrishna — 2013-01-17T06:16:09Z

With social networking site Facebook boasting of 1 billion members globally and micro-blogging site Twitter claiming millions, opinion was divided on whether the freedom of expression was under threat in the digital age.

This article was originally published by Indo Asian News Service on January 16, 2013. It was also covered in Business Standard, Vancouver Desi, DNA, and Tech2. Sunil Abraham is quoted.

"Censorship of content should be the last resort as curbing a particular content online actually amplifies its spread over the internet," said Sunil Abraham from Centre for Internet and Society.

He was speaking at a panel discussion organised by London based Index on Censorship and the Editors Guild of India on the issue at the India International Centre Tuesday evening.

"The government has refused to amend Section 66(A) of the IT Act which is used to curb free speech on the net," said Guild chief TN Ninan who moderated the debate. "The law treats digital media differently than the print media," he said.

Director of Free Speech Debate, Oxford University, Timothy Garton Ash said, "There was no threat to the freedom of speech as internet was actually an opportunity for spreading freedom of expression."

India with the large number of net users could act as swing state between two extremes of China which is trying to control the net and the US which champions free speech, he said.

"The question is what are the legitimate limits of free speech rather than asking for unlimited speech," said Ash.

Ajit Balakrishnan, CEO and founder of online portal rediff.com, said "there was a sense of powerlessness among nation states as only local laws applied to any such violations."

He said the internet was not so democratic as it sounded as the actual numbers of users who posted content on Facebook were just 8-9 million while the rest just watched. The same was with Twitter with just 7-8 percent users actually posting messages.

Kirsty Hughes, CEO, Index on Censorship, said "freedom of speech was universal" while noting a "worrying trend that increasingly governments were moving to control the internet."

"The risks of such controls are that we could have a much more controlled, censored and fragmented internet," she said.

Ramanjit Singh Chima of Google India stressed on the need to have laws to protect internet freedom as such curbs affected livelihood of many users and contributed to local economies.

He said the internet allowed people to instantly collaborate and publish critical information during emergency situations.

For more details visit https://cis-india.org/news/ians-news-is-freedomexpression-under-threat-in-digital-age