We are anonymous, we are legion

ভারতে পাঁচশোরও বেশি স্টেশনে ফ্রি ওয়াই-ফাই চালু হবে

praskrishna — 2015-10-02T14:19:34Z

"তবে ভারতে সেন্টার ফর ইন্টারনেট অ্যান্ড সোসাইটির গবেষণা-প্রধান সুমন্দ্র চট্টোপাধ্যায় মনে করেন এই পদক্ষেপগুলো মসৃণভাবে রূপায়ণ করাটাই হবে প্রধান চ্যালেঞ্জ।

তাঁর কথায়, ‘সিলিকন ভ্যালির এই নৈশভোজটা দারুণ ব্যাপার সন্দেহ নেই। কিন্তু যেটা তত দারুণ নয় তা হল এই যে নতুন পার্টনারশিপ হতে চলেছে তার গভর্ন্যান্স কীভাবে হবে, কোন আইনি নথি মেনে হবে তা একেবারেই পরিষ্কার নয়।’ মি চট্টোপাধ্যায় বলছেন সম্প্রতি ভারতে এনক্রিপশন পলিসি নিয়ে যে বিতর্ক হল তাতে এটা পরিষ্কার হয়ে গেছে যে এ দেশে যাবতীয় যা কমিউনিকেশন হবে সরকার কোনও না কোনওভাবে তা তাদের নাগালে রাখতে ইচ্ছুক! ফলে এই সব কর্মসূচী বাস্তবায়নের পর্যায়ে আসতে গেলেই মব কোম্পানি জানতে চাইবে এনক্রিপশন বা ট্রান্সপারেন্সির প্রশ্নে ভারতের অবস্থান কী। তখন সরকার কী করে সেটাই দেখার!’ বলছেন সুমন্দ্র চট্টোপাধ্যায়।"

This was published in BBC on September 28, 2015. Sumandro Chattapadhyay is quoted.

For more details visit https://cis-india.org/internet-governance/news/9ad9be9b09a49c7-9aa9be98199a9b69b0993-9ac9c79b69bf-9b89cd99f9c79b69a89c7-9ab9cd9b09bf-9939af9bc9be987-9ab9be987-99a9be9b29c1-9b99ac9c7

‘By weakening our security, govt is putting us at risk of espionage’

praskrishna — 2015-10-02T03:09:46Z

After the BlackBerry encryption and IT Act fiascos of recent years, the government last week sent yet another cyber policy howler, the Draft National Encryption Policy, only to withdraw it in the face of severe protests. S. Raghotham and Mayukh Mukherjee spoke with Pranesh Prakash, policy director, Centre for Internet & Society, on the government’s continued misadventures with data privacy and encryption.

This interview of Pranesh Prakash was published in Asian Age on September 27, 2015.

First we had Section 66A in the Information Technology Act. Now we have these attempts at breaking encryption and invading privacy. Your comment.
The Draft National Encryption Policy (DNEP) was not only an invasion of privacy and a restriction on anonymous speech, but was, most importantly, a direct assault on national security. It was quite clearly drafted by people who did not understand encryption, who think that encryption is something that only a handful of people do, without realising that encryption is baked into most of our technologies.

It is clear that the government’s cyber-law division needs people who are better versed in both the law (including constitutional rights) as well as technical aspects of IT. It’s not just Section 66A, but a host of other provisions in the IT Act which display a similar cluelessness. For instance, gaining unauthorised access to a protected system for purposes of defamation is, as per Indian law, sufficient to commit the offence of “cyber terrorism”.

How does this compare with the previous government’s attempts to gain access to BlackBerry communications?
L’affaire BlackBerry concluded with the government realising that while they could get BlackBerry to locate a network operations centre in India, they still couldn’t decrypt everything since BlackBerry Enterprise Service allowed enterprises to control the encryption. However, the government seems to have drawn the wrong lesson from that, and wants to prevent end-users from using encryption the way they have already managed with telecom companies and Internet service providers, who are not allowed to deploy bulk encryption which saves their customers’ data from being intercepted by attackers.

The government seems to be saying, if the US National Security Agency (NSA) doesn’t get you, we will. How are we to respond to this?
If you’re using Gmail, Yahoo Mail, Hotmail, etc., you already have opportunistic traffic-level encryption for email. Ironically, no @deity.gov.in or @nic.in address has even this basic level of encryption. This is the shocking state of affairs even many years after National Informatics Centre (NIC) publicly acknowledged that multiple email accounts that they host were hacked into. National security is a collective form of security — we can’t increase national security by making individuals less secure. We can’t, for instance, improve national security by telling people not to use locks on their houses. That will only decrease security, not increase it. And we are in a situation where our government conducts all their email communications using the online equivalent of postcards, rather than using sealed envelopes. The Central government urgently needs to appoint a group of security experts who work with NIC to shore up our defensive security.

A slide on an NSA programme called BOUNDLESSINFO-RMANT showed that in the month of February 2013, the NSA has collected 12.5 billion data records relating to phone calls from India, far more than what they had collected from China. The fact that our government mandates weak telecom security (by restricting bulk encryption) might account for this. By weakening our security, the government is putting us at greater risk of espionage and at the hands of hackers.

What are some of the ramifications for businesses and individuals if the government were to have keys to all encrypted information as it seeks?
The government, in the DNEP, did not even seek key escrow (which is what the debate was about in the 1990s in the US’ “crypto war”). Here the government more or less sought to tell companies and individuals that they have to keep plain text, making storage-level encryption pointless. This means that all your company’s information — emails, passwords and financial records — would be vulnerable to compromise by hackers. It is like telling a company that it is allowed to own a government-approved safe for storing important documents, but it has to keep a copy of all the important documents outside the safe.

Is the encryption policy fiasco some junior bureaucrat’s ignorance of what he was proposing or is it part of the government’s continued efforts to somehow gain control over information flows?
The government intended to gain greater access to everyday transactions. This would violate citizens’ privacy, which the government has been arguing is not a fundamental right. They went about it in a manner that is absurd in its consequences. The policy would have required you to record every mobile phone call and Skype call, to keep a plain text version of communications, which would harm national security. While I don’t believe the government would intentionally weaken national security, as they would have had this draft policy been carried forward, one cannot say that the government wouldn’t do so wantonly, much in the same way that they haven’t even employed basic security in their email systems.

Do you perceive a higher level of desire in the current government to control information flows?
The Indian government’s pursuance of harmful technology policies is nothing new. However, I hope that as a tech-savvy person heading an ostensibly tech-savvy government, Prime Minister Narendra Modi steps in and halts these deleterious policies. One disappointment of the last year has been the lack of progress on the Privacy Act, which seems to have been shelved for the time being. I believe the government’s motivations are genuine and grounded in the public interest. However, as in any constitutional democracy, the citizenry ought to be engaged in both defining the public interest as well as in debating how we best protect and uphold it within the norms laid down in our Constitution, which includes guarantees of fundamental rights which are inviolable except in limited circumstances.

For most of these policy problems, the best way forward is to ensure that the government follow a system of issuing green papers — essentially non-papers meant to stimulate public discussion — before it issues white papers which contain statements of policy intent, based on which it finally formulates policies or laws. Currently, interaction between policymakers and civil society is far too infrequent. The government needs to inject far more subject-matter expertise into policymaking.

For more details visit https://cis-india.org/internet-governance/news/asian-age-september-27-2015-s-raghotham-and-mayukh-mukherjee-by-weakening-our-security-govt-is-putting-us-at-risk-of-espionage

Some Key Words Are Missing

praskrishna — 2015-09-27T14:22:44Z

Google manipulating search results? The Competition Commission is on its case.

The article by Arindam Mukherjee was published in Outlook on September 21, 2015. Nehaa Chaudhari was quoted.

G’s Global Woes

Google’s problems aren’t restricted to India. It is facing similar cases around the world.

Europe: The search giant has been accused of using its dominant position on the web to dominate the market for online product searches. There’s another probe on possible abuse of dominant position with Android.

Brazil: Is being investigated for favouring its own services over others on the internet

Hong Kong & Argentina: Facing issues about collecting user data

Spain: Had to shut down Google News over copyright issues.

Germany: Its Google Street View navigation service got into problems over privacy issues

Mexico: The local regulator has brought up issues similar to those in Europe

There is an uneasy calm at Google’s India offices these days. Spokespersons are giving measured statements, watched over by an army of lawyers who are busy looking at the finer points. A case against Google’s advertising and search practices with the Competition Commission of India (CCI) has the potential to derail the search giant’s operations in India. Why, a nervous Google has even sought to make hearings in this case in-camera to totally shut out the media.

There is a lot at stake. An investigation report of the CCI has found Google squarely guilty of abusing its dominant position to manipulate search results on the internet and online advertising results to its own advantage and to those of companies paying for it. Google was found to “have abused its dominant position in the relevant markets of online general web search service in India and online search advertising in India in violation of the Competition Act 2002”.

Indeed, the report (which has been reviewed by Outlook) is blunt on many of the issues: “Google is found to be indulging in practices of search bias and by doing so it causes harm to its competitors as well as users.... Google steers users to its own products and services and produces biased results. This structure offers abundant opportunities for leveraging and has also raised issues of conflict of interest.” It says that through such practices Google was adversely affecting the competitive landscape in the markets for online general web search, search advertising as well as adjacent markets like travel, maps, social networking and e-commerce.

The whole brouhaha started with complaints from two parties—Chennai-based matchmaking portal Bharatmatrimony.com and Jaipur-based consumer rights organisation CUTS International—in 2012. “People who are subscribing to Google’s Adwords and are paying Google or are buying keywords are getting preference in their search results. Many of the search results on Google are either ads or sponsored links and not genuine search results. Google is pushing ads as news items which normal users would be unable to distinguish,” says Sharad Bhansali, managing partner, APJ SLG Law Offices which is representing CUTS.

CUTS also complained that Google was promoting its own products through search. Says Udai Singh Mehta, CUTS director, “Preference was being given by Google to its products and subsidiaries in search.” This, being a dominant player in search and online advertising, amounts to abusing its position. According to market estimates, Google enjoys a 93 per cent share of the search market and gets about 85 per cent of the revenues of online advertising. Says Nikhil Pahwa, editor-in-chief of Medianama: “In search cases, Google is clearly the dominant player in the market. So when they start integrating content into search, there is a problem and it becomes an issue.”

In the course of the investigation, the CCI D-G also sought opinion from about 30 companies—most of them gave similar feedback about Google’s practices. The list includes Flipkart, mapmyindia.com, makemytrip.com, Microsoft and Nokia Maps.

Google will now have to appear before the full CCI bench on September 17 for a hearing based on the D-G report. After this, the CCI will take a final call on the issue. Of course, Google can seek an extension of this hearing. According to company insiders, they have not sought an extension yet. Google will have the right to appeal any order the CCI comes out with. The first appeal would be at the court of a competition appellate tribunal headed by a retired SC judge. The final appeal can happen only with the Supreme Court.

As expected, Google denies any wrongdoing and says the abuse of dominant position will need to be proved. Manas Chaudhuri, lawyer with Khaitan & Co which deals with competition cases, told Outlook, “The report says that Google is dominant, which is correct. If it is dominant, there is nothing wrong under the Competition Act. The issue is whether or not it has abused its dominance. The ‘abuse’ is a rule-of-reason argument and as such the CCI will have to assess quite a few international best practices theories eg, ‘objective justification’, ‘analysing the statutory mandate of meeting the competition in the relevant market’, ‘consumer harm’ and ‘counterfactuals’.”

In response to queries, a Google spokesperson said, “We’re currently reviewing the report from the CCI’s ongoing investigation. We continue to work closely with the CCI and remain confident that we comply fully with India’s competition laws. Regulators and courts around the world, including in the US, Germany, Taiwan, Egypt and Brazil, have looked into and found no concerns on many of the issues raised in this report.” Actually, Google is facing a similar case in the EU, while similar issues have been raised in Brazil, Hong Kong, Argentina and Mexico.

Sure, at first blush, the report appears tilted against Google. What may go in its favour is the CCI’s dismal record in treating such cases. Though it is the final investigation report, experts say it is not sacrosanct: the CCI bench might not agree with it. In the last six years, over 20 such investigation reports have been dismissed by the CCI after the final hearing. And Google will try its best to bring forth the fact that it has been exonerated in similar cases in the US, Germany and Taiwan.

But with the D-G’s final investigation report giving a clear verdict against Google’s practices, it might not be so easy for the search giant to come out cleanly from this one. Says Nehaa Chaudhari, lawyer with the Centre for Internet and Society (cis), “Given that India is not the only jurisdiction where Google is using its secret algorithm to promote its own products, there is enough for the CCI to proceed on against it.” What will also help is the testimony of several companies who have said that they have suffered because of Google’s web practices.

The entire world is watching India. Clearly, if the CCI upholds the D-G report and pronounces Google guilty, it could seriously affect the search giant’s growth in India, one of the fastest growing internet markets for Google with over 300 million internet users and an even faster growing Android landscape (where also it is a dominant player). With the final EU verdict on the case yet to come out, will India set a new example for the world to follow?

For more details visit https://cis-india.org/internet-governance/news/outlook-september-21-2015-arindam-mukherjee-some-key-words-are-missing

Faking a stand

praskrishna — 2015-09-27T12:41:51Z

A 'Like' here, a forward there, new-age India's patriotism is confined to social media

The article by Shweta T. Nanda was published in the Week on September 20, 2015. Pranesh Prakash was quoted.

On the eve of Independence Day, Pune-based homemaker Archana Chaurasia, 36, was engaged in an animated conversation with friends when a WhatsApp message notification broke the rhythm of their chat. The content of the forwarded text pushed her into a deep thought for a few seconds. Brimming with pride, she forwarded it to five others on her contact list before returning to the chitchat.

The message read:
The property left behind by Dr A.P.J. Abdul Kalam:
He owned 6 pants (2 DRDO uniforms), 4 shirts (2 DRDO uniforms), 3 suits (1 western, 2 Indian), 2500 books, 1 flat (which he has donated), 1 Padmashri, 1 Padmabhushan, 1 Bharat Ratna, 16 doctorates, 1 website, 1 twitter account, 1 email id. He didn't have any TV, AC, car, jewellery, shares, land or bank balance.

He had even donated the last 8 years' pension towards the development of his village. He was a real patriot and true Indian... India will forever be grateful to you, sir… Is there any politician compared to him? Make sure all your friends and dear ones read this before 15th August.

“Such forwards evoke patriotism. While most of us aren’t able to do much for the nation, the least one can do is forward such interesting messages and share your love for the country,” explains Chaurasia.

Taken in by a sense of national pride, netizens are not thinking twice before forwarding messages. What we overlook though is how such innocent forwards are propelling a sense of false patriotism, especially among the youth. Often, the content of such messages is erroneous. For instance, DRDO doesn’t have a uniform!

Similarly, you might have thought that when the Empire State Building in New York was lit up in tricolour for Independence Day, it was a US government initiative. But in reality, some Indian Americans had raised money, booked it in advance and adorned it with saffron, white and green lights. The building can be booked in advance by anyone like a swish hall in a five-star hotel.

The messages could be provocative in the garb of ‘faux patriotism’—a recent video clip showing Indian Army firing at its Pakistani counterpart was, in fact, a footage of a three-year-old artillery exercise. Likewise, forwarded messages claiming Brahmos Missiles have been deployed on the Indo-Pak border and UNESCO has judged Jana Gana Mana as the world’s best national anthem were also incorrect.

“The desire to proclaim the greatness of your own political identity, which can often be linked to a religion, is a large part of what fuels the forwarding phenomenon, apart from the innate desire to share new-found knowledge,” says Pranesh Prakash, policy director at The Centre for Internet and Society, Bengaluru. That is why, forwarded messages that celebrate the achievements of historical figures and reassert that Indians have always been great go viral, he explains. “As you trust the person who is sending it, you don’t think about its accuracy. In fact, you don’t tend to question the authenticity of anything that reinforces a view that you already hold,” he says.

Faiz Ullah, assistant professor of media and cultural studies at Tata Institute of Social Sciences, Mumbai, however, looks at it as the signal of a changing society, one that is witnessing the rise of a show-off culture, symbolism and individualism.

“The idea of patriotism is being trivialised,” he says. “It happens when you let the market decide your action. You are known for what you consume than what you give up. And the focus is more on forwarding patriotic messages or marketers announcing freedom sales than doing something substantial for the nation.”

E-forwards are a powerful tool in mobilising people, says Gaurav Singh, owner of Poltubaaz, an election management firm and political consultancy. The Delhi-based company also offers bulk e-texting services across social media and communication platforms.

While there is no study on the exact market size and open rate of such forwards across platforms, in case of emails, says Singh, out of 100 such messages, at least 30 are opened by users. Data analytics also allows one to zero in on the areas of interest of users and forward them relevant content accordingly.

“Some people create such messages just for fun, some do it to serve a commercial purpose, and some others aim to gain political mileage out of it,” says Singh. “For instance, supporters of political parties or those who swear by a certain kind of ideology create and circulate such messages to evoke a particular kind of mass sentiment.” Agrees Rakshit Tandon, a consultant with Internet and Mobile Association of India: “These networks play a key role in peddling strong ideologies.”

Congress spokesman Randeep Singh Surjewala says many such messages are the work of BJP supporters, who want to alter the country’s cultural landscape to reap long-term political dividends. “Their dirty tricks department is using vitriolic measures and false propaganda to influence people,” he says.

But Vinod Bansal, a spokesman of Vishva Hindu Parishad and Bajrang Dal, says these organisations don't believe in false propaganda but in doing national service. “Anyway, if such forwarded messages are factually correct and evoke patriotism, there is nothing wrong with them,” he says. For instance, if a video of terrorist Yakub Memon’s hanging is being popularised, you can’t call it Hinduisation; instead it is nationalism, he adds.

Another entrepreneur who owns a political campaign management firm that provided consultancy services to a national party in the 2014 general elections, however, reveals that party supporters, particularly of the youth wing, work round-the-clock to circulate e-forwards targeting a particular vote bank, aiming at both long-term and immediate political benefits. “We cater to such requests, and make sure that the content is not in-your-face but subtle yet effective.”

But is there a way to curb such erroneous e-forwards? Although it is possible to zero in on the point of origin of such messages on social media, it also means invading users’ privacy, says Rakesh Sharma, Supreme Court lawyer and founder of social networking platform Sabakuch.com. “Until someone objects to the content of the forwarded message [finding it defaming or explicit], we can’t do anything about it.”

Tandon, who is also an adviser to Uttar Pradesh Police’s cyber complaint redressal cell, says that unless cyber users learn “netiquettes” and take to “internet hygiene”, this menace will not stop. “Users have a responsibility, too,” he says. “Unless you know the authenticity of forwarded messages, don’t circulate them. Also, educate others.”

For more details visit https://cis-india.org/internet-governance/news/the-week-september-20-2015-shweta-t-nanda-faking-a-stand

Asian Regional Consultation on the WSIS+10 Review

praskrishna — 2015-09-27T11:33:33Z

The Asian Regional Consultation on the WSIS+10 Review was held in Pattaya, Thailand from September 3 to 5, 2015. The event was organized by The Internet Democracy Project, Bytes for All, APNIC, the Association for Progressive Communications, ISOC, Global Partners Digital and ICT Watch. Jyoti Panday participated in the meeting.

The Asian Regional Consultation on the WSIS+10 Review brought together experts from different backgrounds and from around the Asian region who were concerned about issues concerning ICTs, sustainable development, human rights and Internet governance, to ask: what are the issues that our governments need to squarely address in the process of the review?

The meeting was conceived as a highly interactive working meeting that was geared towards producing a joint submission to the next input round on the Review outcome document.

Agenda of the meeting can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/asian-regional-consultation-on-the-wsis-10-review

Hiding behind rules on naming sites it banned, govt reveals fears

praskrishna — 2015-09-27T10:59:56Z

With the union government's ban on 857 porn sites in July creating brouhaha across the country, there had been a concern over the voice of the youth being stifled and censorship making a comeback.

The article by Harjeet Inder Singh Sahi was published in the Hindustan Times on September 3, 2015.

Even though there was a partial rollback of the ban, the government still seems intent on being obtrusive with information and deny access to it, especially about the internet and the way it intends to govern it.

This has been illustrated by the union government's department of telecommunications refusing to provide information on websites it has banned to a petition under the Right to Information (RTI) Act.

The reply

"The group coordinator, cyber law division, department of electronics and information technology, has been authorised as designated officer and issues instructions for blocking/unblocking of websites/URLs. The clause 16 of Information Technology Procedure and Safeguards for blocking access of information by Public, Rules 2009, says strict confidentiality shall be maintained regarding all requests and complaints received and actions taken thereof," says the reply to the RTI application filed by this correspondent on August 3.

The reply to the petition - filed at www.rtionline.gov.in with registration number DOTEL/R/2015/61348 - was received on August 27.

Background to the case

In July this year, the department of electronics and information technology had banned 857 pornographic websites listed in the petition of Indore-based advocate Kamlesh Vaswani in the supreme court. The websites were banned by citing 'morality' and 'decency' enshrined in Article 19 (2) of the Constitution of India and under provisions of the Information Technology Act, 2000. A few days later, the government did a flip-flop and revoked the ban partially.

The Centre for Internet and Society (CIS) had subsequently released the list online. Now, the government has refused to provide information on websites banned in the country.

Department tangle

The department of electronics and IT decided on the ban, but it was the department of telecom which served the order to the internet companies because it is the supervising authority for them. The RTI can be filed with the department of telecom as it issues guidelines for and notices to internet service providers. The same application could also have been filed with the department of electronics and information technology. This department might have replied to the application or forwarded it to the telecom department.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-september-3-2015-harjeet-inder-singh-sahi-hiding-behind-rules-on-naming-sites-it-banned-govt-reveals-fears

Government may tieup with global police, Interpol to fight child pornography

praskrishna — 2015-09-27T10:25:44Z

International partnerships, including with the global police network Interpol, could be the basis for India's strategy to counter child pornography after the government's move to ban websites peddling smut backfired last month.

The article by Surabhi Agarwal was published in the Economic Times on September 3, 2015. Sunil Abraham was quoted.

The new approach by the ministry of communications and information technology mirrors the system adopted by developed countries, government officials said, representing a targetted attack on child pornography instead of the recent fiasco when the authorities backtracked in the face of protests after banning 857 websites.

Once it comes on board as a partner, the International Criminal Police Organization will alert India about production, distribution or broadcast of child pornographic content regularly. India will also have access to an Interpol database known as the 'worst of ' list of domains with content containing child sexual abuse.

"The country is not divided on the issue of child pornography and the government has made a policy statement that it will deal with the problem firmly. So that will be guiding the entire action," a senior government official said. The person said that the government is still studying the model and a call will be taken soon.

A partnership with the UK-based Internet Watch Foundation, which maintains a database on child pornography and collaborates with the British government, is also being considered.

Interpol manages a database which uses sophisticated image comparison software to make connections between victims and places. The foundation also maintains a similar database which is constantly updated. It sends alerts to members twice each day.

"That's the global best practice," said Sunil Abraham, executive director of Bangalore based advocacy group Centre for Internet and Society. "There is no reason for us to reinvent anything; we should just adopt the best practice with some improvements." For a long time, the government and Internet service providers have been passing the buck to each other on this issue, arguing that they don't have the wherewithal to create a database on such content and block it. "This is because as per the Indian laws, anyone who looks at such content even with the motive of blocking it is committing a punishable offense," said Abraham. In August the government said it was banning 857 pornographic websites, only to backtrack amidst widespread criticism and a rap from the Supreme Court. Almost all the websites have been unblocked now with the exception of a few which allegedly contain child pornographic content.

During the hearing in the Supreme Court, the Internet Service Providers Association of India (ISPAI) said that it is impossible for an ISP to block pornographic sites without orders from the court or department of telecom and that the task of identifying such websites should not be the domain of internet service providers. A decision on the issue will work in the government's favour since the next hearing in the matter is slated for October. "Once the country has access to some list which is authentic and verified, regular action can be taken," a government official said.

As per initial discussions, the dominant point of view is for ISPAI to be the point of contact between the government and international organisations. It will be tasked with vetting the list and receiving blocking orders from the telecom department so that further action can be taken.

For more details visit https://cis-india.org/internet-governance/news/economic-times-september-3-2015-surabhi-agarwal-govt-tie-up-with-global-police-interpol-to-fight-child-pornography

Does this click with you?

praskrishna — 2015-09-27T10:07:00Z

While the web caters to customers who purchase basic lifestyle products, the app is ideal to make impulsive shopping decisions.

The article by Parshathy J. Nath was published in the Hindu on September 1, 2015. Sunil Abraham was quoted.

Netizens were caught by surprise when online retail giant Flipkart announced that they were going the app-only way. Some grumbled and a few rejoiced. There were debates on its pros and cons. However, a few days ago, Flipkart revoked the decision because it wanted to assess the impact of this move on sales in big-ticket categories. But the debate continues.

Bangalore-based techie Diljeet Kaur feels the app makes shopping a lot easier. “I shop on the app for everything — from mobile chargers, laptop, mobile covers and kitchen appliances to books and even water bottles. In case I am not happy, I click on the return option. They call up immediately, pick up the item within 48 hours and refund the amount to my account. What more can one ask for?”

Rachna Binani, who owns a toy store in Madurai, also says shopping has become faster with the app. “A mobile phone is with you for 18 hours a day. But, you can’t lug a laptop around everywhere you go.” Prasannan B., an HR General Manager in Madurai, agrees. “A year ago, I would not have chosen a mobile app over a website, because it was not as advanced. But, now things have changed.”

But, some prefer the website to the app. Like Paulami Guha Biswas, an avid online book shopper from Hyderabad, who says, “Browsing becomes difficult when you are shopping through an app. On a website, you can open multiple tabs and compare prices and discount rates in peace. The screen is also bigger.”

While the web caters to customers who purchase basic lifestyle products, the app is ideal to make impulsive shopping decisions. Says Jaishree S. Santhosh, CEO of a Coimbatore-based educational institution, “I prefer to do random window shopping through a website and stick to apps when it comes to my regular Flipkart and Amazon shopping. Because when I use apps, I need to log in and share my personal information. I would prefer to do that only with two or three sites and not every virtual shopping platform.”

However, apps are redefining our shopping culture and experience. With efficient data-tracking systems, these apps record the customer’s buys. “The app keeps throwing images of products that interest you, based on your purchase history. This can be a little creepy at times,” says Jaishree. “It seems like it can read your mind. I do not like it getting too personal with me. Moreover, it tempts me to buy things that I otherwise would not have thought of buying.”

The personalised shopping experience can be both a boon and bane. According to Sunil Abraham, Executive Director of the Centre for Internet and Society, a Bangalore-based research organisation, “It is a terrible development from the perspective of the online user’s rights. Apps violate user privacy. Moreover, they waste your phone’s memory, storage and battery.”

Even though mobiles and apps are popular among the youth, young entrepreneurs from the online world are still hesitant to venture into the app domain. Nilisha Bhimani, a 28-year-old online entrepreneur who runs www.stayfabulous.com, says she cannot even imagine making her portal app-only. “Mine is a fashion portal. And with fashion shopping, one would want to open multiple windows and compare products. It is difficult to do this on our phones.”

However, Nilisha thinks that it is a good move from Flipkart to have sparked off this debate. “It sounds like a well-thought-out strategy. More so, since surveys point out that there are increasingly more people doing mobile transactions.”

According to an article published in Business Insider on August 24, a study conducted by Internet & Mobile Association of India and KPMG found out that India is projected to have 236 million mobile Internet users by 2016. Flipkart’s move could be a response to the large influx of smart phones into the Indian mobile market, feels Ashish Jhalani, founder of eTailing India, an e-commerce knowledge platform and advisory. “We will be the second-largest smartphone market in the world soon, but that does not mean we are ready for an app-only strategy. Our consumer base is still getting used to shopping online and to ask them to use only one interface to shop is a little premature. I believe, in the long term, this strategy will work, but there is still some time for that.”

And, how will elders in the society, who also constitute a large section of online customers, cope with change? Suchi Dalmia, a business woman from Coimbatore, says that even though her mother shops online, she is still not comfortable with it. “And on top of it, if we open up an app-only shopping system, it is going to hit her hard. A retail giant like Flipkart stands the risk of losing a big chunk of their clientele with this move.”

(With inputs from Soma Basu, Shilpa Sebastian R. and Nikhil Varma)

For more details visit https://cis-india.org/internet-governance/news/the-hindu-september-1-2015-parshathy-nath-does-this-click-with-you

Ahead of hosting Modi, Facebook rebrands internet.org as Free Basics

praskrishna — 2015-10-18T14:21:52Z

Hinting at what could be vital points of discussion when Prime Minister Narendra Modi visits Facebook founder Mark Zuckerberg on Sunday, the social media giant has rebranded its internet access enabling platform Internet.org as Free Basics.

The article was published by Business Standard on September 26, 2015. Pranesh Prakash was quoted.

This was announced by Chris Daniels, vice-president of Internet.org, at a press meet in Menlo Park on Friday. Zuckerberg confirmed the same and wrote on his Facebook wall.

Facebook has opened up its Free Basics platform, which means any app developer can now include their services on it. “This gives people the power to choose what apps they want to use.” Zuckerberg in his post also said the company has improved the security and privacy of Internet.org, which will support HTTPS web services as well. “Connectivity isn't an end in itself. It’s what people do with it that matters. We hope the improvements we've made help even more people get connected — so that our whole global community can benefit together,” Zuckerberg said in his post, in which he quoted the example of a soybean farmer from Maharashtra, Asif Mujhawar, who uses parenting app BabyCenter for free through Internet.org.

This is a significant move by Facebook, considering the backlash it had from various quarters in India following debates on net neutrality. Internet.org is an open platform by Facebook across 19 developing countries, including India, to enable easy access of selected apps and app-based services to people at zero cost. In India, it had partnered with Reliance Communications to offer free access to about 30 websites.

“One of the concerns was calling the service ‘Internet.org’, despite it representing only a tiny sliver of the Internet,” said Pranesh Prakash, policy director at the centre for Internet and Society, a nonprofit entity to promote safe internet access in the country.

He said by removing the Internet word, Facebook is now talking of its own larger internet affordability project and allowing app developers to build apps and host it on the Free Basic platform. “This gives people the power to choose what apps they want to use,” Prakash said.

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-26-2015-ahead-of-hosting-modi-facebook-rebrands-internet-dot-org-as-free-basics

Hits and Misses With the Draft Encryption Policy

sunil — 2015-09-26T16:46:53Z

Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.

The article was published in the Wire on September 26, 2015.

This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.

However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.

Plain-text storage requirement

First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions are based on dynamically generated keys and users are not even aware that their interaction with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.

Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.

Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.

Regulatory design

Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.

This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.

Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. “Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”

The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.

And the good news is…

On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.

Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.

The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.

Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. The basis of all encryptions standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy

Open Governance and Privacy in a Post-Snowden World : Webinar

vanya — 2015-10-04T11:09:12Z

On 10th September 2015, the OGP Support Unit, the Open Government Guide, and the World Bank held a webinar on “Open Governance and Privacy in a Post-Snowden World” presented by Carly Nyst, Independent consultant and former Legal Director of Privacy International and Javier Ruiz, Policy Director of Open Rights Group. This is a summary of the key issues that were discussed by the speakers and the participants.

See Open Governance and Privacy in a Post-Snowden World

Summary

The webinar discussed how Government surveillance has become an important and key issue in the 21^st century, thanks to Edward Snowden. The main concern raised was with respect to what a democracy should look like in the present day. Should the states’ use of technology enable state surveillance or an open government? Typically, there is a balance that must be achieved between the privacy of an individual and the security of the state – particularly as the former is primarily about social rights and collective interest of citizens.

At the international level, the right to privacy has been recognized as a basic human right and an enabler of other individual freedoms. This right encapsulates protection of personal data where citizens have the authority to choose whether to share or reveal their personal data or not. Due to technological advancement that has enabled collection, storage and sharing of personal data, the right to privacy and data protection frameworks have become of utmost importance and relevance with regard to open government efforts. Therefore, it is important for Governments to be transparent in handling sensitive data that they collect and use.

Many countries have also introduced laws to balance the right to privacy and right to information. The role of the private sector and NGOs involved in enabling an open and transparent government must also be duly addressed at a national level.

Key Questions:

Why should the government release information?

There are multiple reasons for doing so including:

For the purposes of research and public policy (which relates to healthcare, social issues, economics, national statistics, census, etc.)

Transparency and accountability (politicians, registers, public expenses, subsidies, fraud, court records, education)

Public participation and public services (budgets, anti-corruption, engagement, and e-governance).

However, all these have certain risks and privacy implications:

Risk of identification of individual: Any individual whose information is released has the risk of identification, followed by issues like identity theft, discrimination, stigmatization or repression. Normally, the solution for this would be anonymization of the data; however, this is not an absolute solution. Privacy laws can generally cope with such risks, but with pseudonymous data it becomes difficult in preventing identification.
Profiling of social categories which can lead to discrimination: In such a situation, policies and other legislations regulating the use of data and providing remedy for violations can help.
Exploitation and unfair/unethical use of information: When understanding the potential exploitation of information it is useful to consider who is going to benefit from the release of information. For example, in UK, with respect to release of Health Data, the main concern is that people and companies will benefit commercially from the information released, despite of the result potentially being improved drugs and treatment.

What are the Solutions?

The webinar also discussed potential solutions to the questions and challenges posed. For example, when commitments of Open Government Data Partnership are considered, privacy legislations must also be proposed. Further, key stakeholders must make commitments to take pro-active measures to reduce informational asymmetries between the state and citizens. To reduce the risks, measures must be taken to publish what information the State has or what the Government knows about the citizens. For example, in UK, within the civil society network, it is being duly considered in the national plan that the government will publicize how it will share data and have a centralized view on the process of information handling and usage of the data.

The Open Government Guide provides for Illustrative Commitments like enactment of data protection legislation, establishing programmes for awareness and assessment of their impact, giving citizens control of their personal information and the right to redress when that information is misused, etc.

Surveillance

The issue of surveillance and the role of privacy in an open government context was also discussed. The need for creating a balance between the legitimate interest of national security and the privacy of individuals was emphasized. With the rise of digital technologies, many governmental measures pertaining to surveillance intervene in individual privacy. There are many forms of surveillance and this has serious privacy implications, especially in developing countries. For example:

Communications surveillance
Visual surveillance
Travel surveillance

This raises the question: When is surveillance legitimate and when must it be allowed?

The International Principles on the Application of Human Rights to Communications Surveillance acts as a soft law and tries to set out what a good surveillance system looks like by ensuring that governments are in compliance with international human rights law.

In essence surveillance does not violate privacy, however, there must be a clear and foreseeable legal framework laying circumstances when the government has the power to collect data and when individuals might be able to foresee when they might be under surveillance.

Also, a competent judicial authority must be established to oversee surveillance and keep a check on executive power by placing restrictions on privacy invasions. The actions of the government must be proportionate and the benefits must not outweigh harm caused by surveillance.

Role of openness in a “mass surveillance” state

Surveillance measures that are being undertaken by governments are increasingly secretive. The European court of Human Rights has held that Secret surveillance may undermine democracy under the cloak of protecting it. Hence, open government and openness will work towards protecting privacy and not undermining it.

To balance the measure of government surveillance with privacy, there is a need to publish laws regulating such powers; publish transparency reports about surveillance, interception and access to communications data; reform legislations relating to surveillance by state agencies to ensure it complies with human rights and establish safeguards to ensure that new technologies used for surveillance and interception respect the right to privacy.

Conclusion

The conclusion one can draw is that Privacy concerns have gained importance in today’s data driven world. The main question that needs to be answered is whether Government’s should adopt surveillance measures or adopt an Open Government?

Considering equal importance of national security and privacy of individuals, it is required that a balance must be crafted between the two. This could be possibly done by enacting foreseeable and clear laws outlining scope of surveillance by the Government on one hand, and informing citizens about such measures on the other. Establishment of a competent judicial authority to keep a check on Government actions is also suggested to work out the delicate balance between surveillance and privacy.

For more details visit https://cis-india.org/internet-governance/blog/open-governance-and-privacy-in-a-post-snowden-world-webinar

Govt presses 'undo' button on draft encryption policy

praskrishna — 2015-09-25T01:55:57Z

The decision came a day before PM embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla.

The article was published in Business Standard on September 23, 2015. Sunil Abraham gave inputs.

The government on Tuesday scrapped a draft national encryption policy that mandated firms and individuals to allow authorities access to all encrypted information on email, apps, websites and business servers.

The decision came a day before Prime MinisterNarendra Modi embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla. Activists and executives from technology firms had expressed outrage on the draft policy, saying the move would have taken India a step back in technology adoption.

At a meeting of the Union Cabinet on Tuesday, Modi was livid at the controversy generated by the draft policy and directed officials to withdraw it ahead of his US trip, sources said.

The draft had global ramifications, as Facebook,Twitter and messaging apps such as WhatsApp were named in it.

Ravi Shankar Prasad, Union minister for communications and information technology, distanced the government from the draft hosted on the IT department site, but admitted it gave “uncalled-for misgivings”. He directed officials to rework the draft but did not set a timeframe for seeking feedback from the public.

“Yesterday (Monday), it was brought to our notice that the draft had been put in the public domain for, seeking comment. I read the draft. I understand that the manner in which it was written could lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded. I personally feel some of the expressions used in the draft are giving rise to uncalled-for misgivings,” Prasad said. “Experts had framed the draft policy. It is not the government’s final view.”

According to the original draft, the encryption policy sought every message sent by a user, be it through services such as WhatsApp, an SMS or an email, be mandatorily stored in plain text format for 90 days and made available on demand to security agencies. Failure to do so, it added, would draw legal action.

This was because typically, all messaging apps and services such as WhatsApp, Viber, Line, Google Chat and Yahoo! Messenger have high levels of encryption, which security agencies find hard to crack and intercept.

Early on Tuesday, before Prasad announced the withdrawal of the draft policy, the government had issued an addendum to keep social media and web applications such as WhatsApp, Twitter and Facebook out of its purview.

In a three-point clarification, the Department of Electronics and Information Technology (DeitY) said some encryption products were exempt. “Mass-use encryption products, currently being used in web applications, social media sites and social media applications, such as WhatsApp, Facebook and Twitter…SSL/TLS encryption products being used in internet banking and payment gateways, as directed by the Reserve Bank of India”, and SSL/TLS encryption products being used for e-commerce and password based transactions,” it said.

“Ideally, the new policy should only focus on two objectives: It should mandate encryption standards within the government, military, law enforcement and intelligence agencies. It shouldn’t regulate the use of encryption by the private sector; the private sector should be allowed to use whatever it believes is appropriate, as long as it is considered a reasonable security measure by courts, under section 43A of the IT Act,” said Sunil Abraham, director,Centre for Internet and Society (CIS).

Prasad reiterated the government, under the leadership of Prime Minister Narendra Modi, had promoted social media activism. “The right of articulation and freedom we fully respect. But at the same time, we need to acknowledge that cyber space transaction is rising enormously for individuals, businesses, the government and companies,” he said.

Opposition parties slammed the Draft policy. Congress communications in-charge Randeep Surjewala said, “Subjugation of individual freedom, surveillance of the citizen and suppression of dissent have emerged as the DNA of the Narendra Modi-led BJP government. The draft policy on encryption, first circulated, then amended and now, withdrawn with a rider for re-issuing it, is a totalitarian, misconceived and a failed attempt of the Modi government to override all sense of individual freedom of speech and expression and encroach upon the right to privacy of communication…With 243.1 million internet users in India at the end of 2014 (173 million being mobile internet users), 112 million Facebook users, 80 million WhatsApp users, 22 million Twitter users and 950 million mobile connections, the intrusion of individual liberty is fraught with dangerous dimensions under the Modi government.”

Aam Aadmi Party spokesperson Raghav Chadha said, “Only a fascist government can bring such a policy. The draft policy was in violation of the right to personal liberty and the fundamental tenets of freedom of speech and expression…the draft policy was for snooping. It presupposes the 1.2 billion people of India are potential criminals. It reflects the inclination of the government and its intention to turn India into a totalitarian state.”

ABOUT THE NATIONAL ENCRYPTION POLICY

Five things the government draft policy wanted

Information security for individuals, businesses and government agencies
Development of indigenous encryption standards
Use of digital signatures to authenticate transactions
Legal interception and data retention
Service providers to register under appropriate government agency

Things that caused outrage

Regulation of private sector encryption
Storage of all encrypted communications for

90 days

Gaining backdoor into private communications of users

Amendment & withdrawal

Omission of mass encryption products such as those used by social networks
Withdrawal of draft policy following Ravi Shankar Prasad’s statement

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-23-2015-govt-presses-undo-button-on-draft-encryption-policy

Open sesame

praskrishna — 2015-09-25T01:31:49Z

The government’s email is shockingly vulnerable.

The article was published in the Hindu on September 22, 2015. CIS research on private email accounts is mentioned.

As the Centre moves towards smart cities and a Digital India, some critics have cited the country’s increased vulnerability to cyber attacks. To be sure, cyber threat groups could disrupt our infrastructure by taking control of many systems. Such attacks could be quite damaging. Yes, they are rare today, but are much more likely to arise in conjunction with traditional armed conflicts. Cyber criminal groups target Indian organisations on a daily basis.

Almost two years ago, the IT minister’s office triggered national outrage when it used a public email service for official communication. There was much hand-wringing about security practices in a ministry responsible for setting the technology direction (secure email policy) for the country. Then in December 2013, the Centre for Internet and Society revealed that up to 90 per cent of Indian government officials used private email accounts for professional purposes.

A big deal

Between then and now, we’ve read about a new email policy and revelations of several cyber attacks on government officials. And FireEye revealed a decade-long cyber espionage operation by a group we call ‘APT30’, which is likely to be sponsored by China. How did they break in? By sending targeted ‘spear-phish’ emails with malware attached.

Email doesn’t sound like a big deal. Most of us have been using it for over a decade, and think we know how to use it right. But when you’re in a position of authority with access to sensitive information, you shouldn’t leave it to chance.

Today, state-sponsored attackers craft these spear-phishing emails after considerable research. APT30 carefully researched their targets and crafted mails which would appear extremely relevant, with interesting content. The moment a victim would open an attachment, an exploit would secretly install a backdoor. Through that backdoor, groups can compromise the employee’s entire network and extricate sensitive data. Groups bent on destruction can deploy malware to destroy the data. They could also take control of systems managing infrastructure or industrial processes and create havoc.

Spear-phishing has an open rate of 70 per cent, while regular mass emails had an open rate of just 3 per cent. Email is the front- door for today’s threat groups. That’s why governments around the world are improving the security of their email systems to fend off these spear-phishing threats.

Public concerns

When government employees use webmail for official business, they trade away their security for convenience. The emails they receive are no longer screened by cyber security solutions, which detect advanced targeted email attacks before they reach the inbox. In addition, because people typically retrieve their webmail in a browser, attackers have a larger attack surface to exploit when carrying out their attacks. For example, attackers can coax victims to click on a link to a website, which delivers an exploit via Adobe Flash.

Webmail opens the door to threats that would otherwise have been intercepted. When our government employees use webmail for official business, they leave the front door wide open to threats. One of the best steps we can take towards improving our government’s cyber security defences is abandoning public email services.

The writer is a software architect at the cyber security firm FireEye

For more details visit https://cis-india.org/internet-governance/news/the-hindu-september-22-2015-atul-kabra-open-sesame

Encryption policy would have affected emails, operating systems, WiFi

praskrishna — 2015-09-25T01:23:10Z

Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security, said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society.

The article by Amrita Madhukalya was published in DNA on September 23, 2015.

The Draft National Policy on Encryption, withdrawn by the Department of Electronics and Information Technology (DeiTY) after it created a furore on privacy issues, would have had allowed the government access to any form of digital data that required encryption. Not limited to just WhatsApp or Viber data, it would have affected email services, WiFi, phone operating systems, etc.

"Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security," said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society.

The government, criticised heavily for the policy, withdrew it on Tuesday afternoon. It said that a new policy will be brought in its place.

Nikhil Pahwa of internet watchdog Medianama said that data about normal day-to-day activities would have to be stored if the policy was implemented. "The policy would have affected everyday business to consumer data.
This would mean that if a doctor or lawyer had your data digitised, they will be open to access, and would have to be kept for at least 90 days," said Pahwa.

However, he added that a robust encryption is needed. "It is believed that companies like Google, Facebook allow the NSA to access user data in the US, putting our personal security, and the national security largely, at risk," said Pahwa.

For more details visit https://cis-india.org/internet-governance/news/dna-september-23-2015-amrita-madhukalya-encryption-policy-would-have-affected-emails-operating-systems-wifi

Huge outcry forces India to backtrack on social media data proposal

praskrishna — 2015-10-01T01:31:55Z

Govt retracts move after strongly negative reaction to 90-day message-saving policy

The article was published by Today on September 24, 2015. Pranesh Prakash has been quoted.

Responding to a chorus of withering criticism, Indian officials have withdrawn a draft policy on encryption that would have required users of social media and messaging apps to save plain-text versions of their messages for 90 days so they could be shared with the police.

The proposal, which many condemned as both draconian and impractical, came as an embarrassment days before Prime Minister Narendra Modi travels to Silicon Valley to try to attract investment and promote India as an emerging market for digital technology.

Mr Modi is an avid user of social media and has mobilised large networks of online activists during his party’s campaigns.

The government issued a statement on Tuesday saying the draft proposing that users save messages for three months had been withdrawn, as officials hurried to distance themselves from the idea.

“I wish to make it clear that it is just a draft and not the view of the government,” said Mr Ravi Shankar Prasad, the Minister of Communications and Information Technology.

Internet policy activists discovered the draft on a government website late last week and began to lampoon it online as “absurd”. One offered the example of an iPhone, which automatically encrypts messages.

“They can’t intentionally want people to copy and paste every message a person gets on their iPhone on to another device,” said Mr Pranesh Prakash, a policy director at the Center for Internet and Society in Bangalore.

The draft, which was put forward by a committee of unidentified experts in the Department of Electronics and Information Technology, also overlooked the fact that most Indians use mobile phones with very little storage space, said Mr Nikhil Pahwa, the editor of MediaNama.com, which covers digital media issues in India.

“It is incomprehensible how they would have expected users to keep their messages in plain-text format,” he said. “And I don’t think that anyone can argue that keeping data in a plain-text format makes it secure.”

An official in the Communications Ministry, who spoke on the condition of anonymity because he was not authorised to talk to the media, said the expert committee had been convened to formulate a policy on the “phenomenal rise” in encrypted communication over the Internet.

He said the committee had intended to require social media platforms and messaging apps, such as WhatsApp and Viber, to save plain-text versions of messages and did not intend to impose that burden on individual users.

“It was interpreted by the netizens as ‘you and I’,” the official said. He added that interpretation was misleading.

But that version of the requirement would also be “outrageous,” Mr Prakash said. For example, WhatsApp uses “end-to-end” encryption and does not save communications between users or have access to plain text, he said.

Mr Prakash said that as officials revised the proposal, the government should reach out to “experts in cryptography and human rights”.

“This is a very crucial combination of three rights: the right to security, the right to freedom of expression, and the right to privacy,” he said.

On television, spokesmen for Mr Modi’s Bharatiya Janata Party (BJP) found themselves debating their counterparts from the opposition Indian National Congress Party, one of whom remarked that “tomorrow they will start demanding that you videograph what has been going on in your bedroom for the past 90 days.”

The BJP’s national spokeswoman, Shaina Nana Chudasama, responded with some exasperation. “I don’t know why we have to have this hue and cry,” she said.

“Our Prime Minister believes in absolute freedom on social media. There is no question of our trying to come down heavily on the freedom of the public at large.” THE NEW YORK TIMES

For more details visit https://cis-india.org/internet-governance/news/today-september-24-2015-huge-outcry-forces-india-backtrack-social-media-data-proposal