We are anonymous, we are legion

WGIG+8: Stock-Taking, Mapping, and Going Forward

pranesh — 2013-04-04T06:49:31Z

On February 27, 2013, the Centre for Internet and Society conducted a workshop on the Working Group on Internet Governance report, titled "WGIG+8: Stock-Taking, Mapping, and Going Forward" at the World Summit on the Information Society (WSIS) + 10 meeting at Fontenoy Building, conference room # 7, UNESCO Headquarters, Paris from 9.30 a.m. to 11.00 a.m.

Details of the event were published on the UNESCO website.

Session Personnel

Pranesh Prakash was the moderator for the session. There were about 10-15 participants along with 5 remote participants.

There were four speakers:

William Drake, International Fellow and Lecturer, Media Change & Innovation Division, IPMZ at the University of Zurich
Carlos Afonso, Executive Director of the Núcleo de Pesquisas, Estudos e Formação (NUPEF) institute
Avri Doria, Dotgay LLC, Association for Progressive Communications, International School for Internet Governance
Désirée Miloshevic, International Affairs and Policy Adviser, Afilias

Summary of the Discussion

Speakers Summaries

William Drake:
Mr. Drake argued that the WGIG process demonstrated the benefits of multistakeholder collaboration, and facilitated the WSIS negotiations, and the multistakeholder process that WGIG embodied promoted public engagement in the Internet governance debate. The working definition of “Internet governance” that the WGIG came up with demystified the nature and scope of Internet governance. One important outcome of the WGIG report was the proposal of the establishment of the Internet Governance Forum. The WGIG began the holistic assessment of “horizontal issues,” including development, and made some broad but useful recommendations on key “vertical issues”. And lastly, the WGIG offered four models for the oversight of core resources that helped to focus the global debate on the governance of the Internet’s core resources.

Carlos Afonso:
Mr. Afonso commented on the issue of international interconnection costs, and pointed out that they continue to be complex and involve complicated cost accounting. Mr. Afonso then pointed out that the Number Resource Organization (NRO) and the Regional Internet Registries (RIRs) could be doing more in the context of IPv6, in the way of stimulating backbone operators to ensure IPv6 visibility of the networks below them — many are already IPv6-ready but upstream providers do not provide corresponding transit. He also drew attention to “enhanced cooperation” as an issue that had not been anticipated at the time of the report, but had since become an important issue; similarly, he identified social networking and (in response to a question) military uses of the Internet, etc., as other such issues. He opined that the WGIG report needed to be elaborated upon in the present context.

Avri Doria:
Ms. Doria argued that while the report was reluctantly accepted after having been first rejected by the governments, it has proven to be highly useful. She praised the report for its working definition of IG, as it is still being used, and because the report made a clear distinction between governments and the governance of the Internet. She then argued that the definition of roles and responsibilities of stakeholders is very loose in the WGIG report and that these definitions are something that needs further study as they do not take into account the full role and responsibilities of all stakeholders. She also argued that the National Telecommunications and Information Administration is transferring some of its oversight powers over technical governance of the domain name system, to multistakeholder processes as can be seen from the “Affirmation of Commitments” which has replaced the earlier “Memorandum of Understanding” it had with ICANN." She argued that the Affirmation of Commitment based review teams are an important experiment that should be followed with interest.

Désirée Miloshevic:
Ms. Miloshevic pointed out that outside the meta issue of keeping the Internet open for innovation, issues relating to freedom of speech and human rights were the most important challenges facing Internet governance today. She highlighted that several issues, such as economic benefits, consumer protection, freedom to connect and education are issues that have either not been addressed or have been addressed inadequately in the report. She then went on to argue that the IGF, which is an outcome of the WGIG report has had a tangible impact on IG, particularly on clarifying IG as a multi-stakeholder process rather than describing mere institutional regulation models. For example, the IGF allows for newly identified public policy issues to continue to feature as topics in the IGF as emerging issues, such as open data, etc. Ms. Miloshevic also emphasised the need for stakeholders to increase the development of capacity in dealing with IG issues at the global level.

Summary of General Discussion

Overall, it was agreed by all panelists that the WGIG 2005 report and the WSIS process have had a large impact on Internet Governance (IG), particularly in terms of an increase in public awareness and participation in IG as well as in framing of IG as involving multiple stakeholders and not just governments. This has in turn led to a shifting of power equations as well as an increase in openness and transparency. The report has helped create the distinction between governments and governance of the Internet, and framed, through the working definition of IG that was later incorporated in the WSIS Tunis Agenda, the non-technical aspects of IG as a core part of IG. Further, the identification and mapping of issues associated with IG and the generation of institutional governance models were important outcomes of the report. The report was also seen as instrumental in the creation of the Internet Governance Forum (IGF).

Panellists also noted the changed context and the progress (and in many cases, lack of progress) since the WGIG report. Issues were raised around the lack of progress in implementing the specific recommendations made by the report. Inadequate capacity-building of actors in the global South, and efforts of the Number Resource Organization (NRO) and the Regional Internet Registries (RIRs) with respect to IPv6 were used as examples. It was also pointed out that a number of concerns have materialized that had not been anticipated at the time of the report, including 'enhanced cooperation', the emergence of social networking, and military uses of the Internet.

Moderator's summary

The WGIG and its report, the background report and the book that followed from that report, have proven to be crucial in defining the formulation and direction of Internet governance for the past 8 years, and have resulted in a multi-stakeholder governance model for the Internet and the IGF, and have set many norms that have shifted power equations. However, many significant issues that weren't central to Internet governance during the formulation of the WGIG report have since emerged, the majority of the recommendations made in the WGIG report haven't seen much progress, the capacity of actors in the global South to engage in IG issues has not increased greatly, and the IGF needs to gain greater credibility and centrality. Transnational private corporations are emerging as increasingly powerful actors in Internet governance and are slowly shifting the balance, a development that was unforeseen in 2005 when governments were seen as the most powerful actors.

Any agreed recommendations from the session

The panelists recommended the production of an analytical report that would explore the current status of the issues and recommendations laid in the original report issues as well as identify any new concerns that have arisen since 2005. An important aspect of this report would be an emphasis on the benefits of the IGF and the role of the WGIG process and report in underscoring the significance of multi-stakeholder processes. Further recommendations included the continued advancement of Internet rights and principles and enhanced cooperation, as these are two focus areas that have emerged since the WGIG report, and the strengthening of the IGF.

For more details visit https://cis-india.org/internet-governance/blog/wgig-8-stock-taking-mapping-and-going-forward

Webinar on the draft Intermediary Guidelines Amendment Rules

Admin — 2019-01-18T02:13:23Z

CCAOI and the ISOC Delhi Chapter organised a webinar on January 10 to discuss the draft "The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018". Gurshabad Grover was a discussant in the panel.

The agenda of the discussion was:

A brief introduction to the draft highlighting the key issues[Shashank Mishra]
Invited experts sharing their view on the paper and questions asked [Nehaa Chaudhari, Paul Brooks, Arjun Sinha, Gurshabad Grover]
Open Discussion Q&A
Summarizing the session

A recording of the session can be accessed here

For more details visit https://cis-india.org/internet-governance/news/webinar-on-the-draft-intermediary-guidelines-amendment-rules

Webinar on counter-comments to the draft Intermediary Guidelines

Admin — 2019-02-22T01:51:19Z

CCAOI and the ISOC Delhi Chapter organised a webinar on February 11 to discuss the comments submitted to the Information Technology [Intermediary Guidelines (Amendment) Rules] 2018, and counter-comments that were due by February 14.

The agenda of the discussion was:

A brief introduction to the counter comment process [Shashank Mishra]
Invited stakeholders comment on key issues and perspectives on the submissions and the points to be countered.

The following people participated:

Amba Kak, Mozilla
Rajesh Chharia, ISPAI
Gurshabad Grover, CIS
Priyanka Chaudhari, SFLC
Divij Joshi, Vidhi Centre for Legal Policy

For more details visit https://cis-india.org/internet-governance/news/webinar-on-counter-comments-to-the-draft-intermediary-guidelines

Web of Sameness

nishant — 2013-01-18T06:17:29Z

The social Web has been an ominous space at the start of 2013. It has been awash with horror, pain and grief. The recent gang rape and death of a medical student in Delhi prevents one from being too optimistic about the year to come. My live feeds on various social networks are filled with rue and rage at the gruesome incident and the seeming depravity of our society.

Nishant Shah's column was published in the Indian Express on January 18, 2013.

As I contemplate the event, I see that the Web has become a space for coping with pain and mitigating the horror of our lives. I feel comforted, when I go online, and see people grieving for a woman they never knew, and demanding better conditions for all. As I look at these resolves for change, battle cries demanding justice, and angry responses directed at imagined and imaginary perpetrators of these crimes, I realise that I have heard it all before, over and over again.

“Not Again!” has been the refrain of the year. If life were a musical, this would have been the persistent chorus line of 2012. From fighting against censorship and violation of privacy by government and corporations to acts of hatred, or from ridiculing the map glitches on the iPhone to seeing the growing stronghold of authoritarian forces over the social Web, we have repeatedly rolled our digital sleeves, gnashed our fingers on the keyboards and shouted in political solidarity, “Not Again!”. While this show of protest, this robust expression of change holds a promise of how things will change for the better, it is also a refrain that has lost its bite. What does it mean, this ability to repeatedly say “Not Again!” only to experience these horrors in despairing cyclic patterns?

I want to see how the social Web and the new public spheres online might offer us outlets for emotions but not necessarily platforms for action. Some of the earliest critiques of the Web expressed the fear that given the extreme customisation of social networks, we might soon reside only in digital echo chambers. In the heavily informatised ages that we live in, it is not uncommon to set up specific groups that we belong to, identify friends that we talk with, mark people we follow, set up circles we share in, and configure filters that help us receive information that is tailor-made to suit our personalised preferences. Unfortunately, this quest for selective information sampling often means that we separate the digital spaces of life from the physical ones, without even realising it. We might be seamlessly navigating these two spaces, not really caring for the distinctions of “virtual reality” and “real life”, but in instances like these, it is easy to see how we shroud ourselves in echo chambers, never allowing voices to translate into the world of action.

You are sure to have been bombarded with tweets that have insightfully analysed the conditions of safety in our public spaces. And in all of this, like me, you must have been comforted thinking that there is still hope. But for every “like” you received on your status update, for every time your tweet got favourited or retweeted, for every time you found yourself agreeing with the social experts, you also separated yourself from the reality. Because the people who gave your opinions the attention, are actually people just like you. They are already on your side of things. Talking to them, exchanging ideas with them, calling for change side-by-side is like preaching to the choir, but it gives us a sense of having reached out. The voices in an echo chamber are not just repeated ad nauseum, but they are also not heard by anybody else on the outside, thus stifling the energy and passions that might have resulted in real change.

The Web also offers an easy separation of us versus them. As coping mechanisms and as a way of distancing ourselves from these events, the Web offers us a clear disavowal of guilt. The young man, who shot those children in the school, was mentally unstable. The laws that allowed him to purchase guns are because of the politicians and the arms industry. The student, who got raped in a bus, is the responsibility of the ‘rape capital’ Delhi. If we were in charge, these things would not have happened this way. But now they have happened, and so we will be angry, we will be shocked, we will tweet “Not Again!” and then quickly shift our ever-expanding attention to the burgeoning space of information online.

And then we will wait, for the next incident to happen — oh, not the same, but similar — and we will go through this process once again.

If I have to look into the future and hope that 2013 shall be the year of change, then I am hoping that the change will be from “Not Again” to a “Never Again”. We will have to learn how to use the energy, the power of the Web, the influence of the digital crowds on the digital commons, to produce a change that goes beyond the social network feeds.

I hope that the social Web matures. We have to make sure that the promise of change that the digital social network offers, does not die as armchair clicktivism that witnesses but does nothing to change the act that affects us.

For more details visit https://cis-india.org/internet-governance/blog/indianexpress-nishant-shah-january-12-2013-web-of-sameness

We Truly are the Product being Sold

vidushi — 2016-09-01T02:08:37Z

WhatsApp has announced it will begin sharing user data such as names, phone numbers, and other analytics with its parent company, Facebook, and with the Facebook family of companies. This change to its terms of service was effected in order to enable users to “communicate with businesses that matter” to them. How does this have anything to do with Facebook?

The article was published in the Hindustan Times on August 31, 2016.

WhatsApp clarifies in its blog post, “... by coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp. And by connecting your phone number with Facebook’s systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them.”

WhatsApp’s further clarifies that it will not post your number on Facebook or share this data with advertisers. This means little because it will share your number with Facebook for advertisement. It is simply doing indirectly, what it has said it won’t do directly. This new development also leads to the collapsing of different personae of a user, even making public their private life that they have so far chosen not to share online. Last week, Facebook published a list of 98 data points it collects on users. These data points combined with your WhatsApp phone number, profile picture, status message, last seen status, frequency of conversation with other users, and the names of these users (and their data) could lead to a severely uncomfortable invasion of privacy.

Consider a situation where you have spoken to a divorce lawyer in confidence over WhatsApp’s encrypted channel, and are then flooded with advertisements for marriage counselling and divorce attorneys when you next log in to Facebook at home. Or, you are desperately seeking loans and get in touch with several loan officers; and when you log in to Facebook at work, colleagues notice your News Feed flooded with ads for loans, articles on financial management, and support groups for people in debt.

It is no secret that Facebook makes money off interactions on its platform, and the more information that is shared and consumed, the more Facebook is benefitted. However, the company’s complete disregard for user consent in its efforts to grow is worrying, particularly because Facebook is a monopoly. In order for one to talk to friends and family and keep in touch, Facebook is the obvious, if not the only, choice. It is also increasingly becoming the most accessible way to engage with government agencies. For example, Indian embassies around the world have recently set up Facebook portals, the Bangalore Traffic Police is most easily contacted through Facebook, and heads of states are also turning to the platform to engage with people. It is crucial that such private and collective interactions of citizens with their respective government agencies are protected from becoming data points to which market researchers have access.

Given Facebook’s proclivity for unilaterally compromising user privacy, the Federal Trade Commission (FTC) in 2011 charged the company for deceiving consumers by misleading them about the privacy of their information. Following these charges, Facebook reached an agreement to give consumers clear notice and obtain consumers’ express consent before extending privacy settings that they had established. The latest modification to WhatsApp’s terms of service seems to amount to a clear violation of this agreement and brings out the grave need to treat user consent more seriously.

There is a way to opt out of sharing data for Facebook ads targeting that is outlined by WhatsApp on its blog, which is the best example for a case of invasion-of-privacy-by-design. WhatsApp plans to ask the users to untick a small green arrow, and then click on a large green button that says “Agree” (which is the only button) so as to indicate that they are opting-out. The interface of the notice seems to be consciously designed to confuse users by using the power of default option. For most users, agreeing to terms and conditions is a hasty click on a box and the last part of an installation process. Predictably, most users choose to go with default options, and this specific design of the opt-out option is not meaningful at all.

In 2005, Facebook’s default profile settings were such that anyone on Facebook could see your name, profile picture, gender and network. Your photos, wall posts and friends list were viewable by people in your network. Your contact information, birthday and other data could be seen by friends and only you could view the posts that you liked. Fast forward to 2010, and the entire internet, not just all Facebook users, can see your name, profile picture, gender, network, wall posts, photos, likes, friends list and other profile data. There hasn’t been a comprehensive study since 2010, but one can safely assume that Facebook’s privacy settings will only get progressively worse for users, and exponentially better for Facebook’s revenues. The service is free and we truly are the product being sold.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-vidushi-marda-august-31-2016-we-truly-are-the-product-being-sold

We the goondas

praskrishna — 2014-08-04T15:06:18Z

You can now be arrested in Karnataka even before you commit an offence under the IT Act. You could be in jail under the Goonda Act even if not guilty under the Indian Copyright Act. If govt thinks you are planning to send a 'lascivious' photo to a WhatsApp group, or forwarding a copyrighted song, you can be arrested.

The article by Shyam Prasad was published in the Bangalore Mirror on August 4, 2014. Sunil Abraham gave his inputs.

Have a smartphone? Run for cover. Bizarre as this might sound, the cops are going to come after you if you so much as forward a song to a friend. Forget actually doing it, any plans to do so could land you in serious trouble too. You could be labelled a 'goonda' in the eyes of the State and find yourself behind bars.

In a completely unfathomable move, Karnataka has brought most offences under the Information Technology Act, 2000, and Indian Copyright Act, 1957, under the ambit of the Goonda Act. Until now, people with a history of offences like bootlegging, drug offences and immoral trafficking could be taken into preventive custody. But the government, in its enthusiasm, while adding acid attackers and sexual predators to the law, has also added 'digital offenders'. While it was thought to be against audio and video pirates, Bangalore Mirror has found it could be directed at all those who frequent FB, Twitter and the online world, posting casual comments and reactions to events unfolding around them.

So if you are planning a digital 'offence' — which could be an innocuous opinion like the young girls' in Mumbai after the bandh declared on Bal Thackeray's death — that could attract the provisions of the Information Technology Act. You can even be taken into preventive custody like a 'goonda'. Even those given exceptions under the Indian Copyright Act can find themselves in jail for a year without being presented before a magistrate. Technically, if you are even planning to forward 'lascivious' memes and images to a WhatsApp group or forwarding a song or 'copyrighted' PDF book, you can be punished under the Goondas Act.

The law-makers clearly did not dwell much on the implications while bringing the majority of the populace within the ambit of this law. On July 28, the Karnataka Legislature passed (it took barely a minute from tabling to voice vote), 'The Karnataka Prevention of Dangerous Activities of Bootleggers, Drug-offenders, Gamblers, Goondas, Immoral Traffic Offenders, Slum-grabbers and Video or Audio Pirates, (Amendment) Bill, 2014'. The amendment adds, "Acid attackers, Depradator of Environment, Digital Offenders, Money Launderers and Sexual Predators", to the title. In common parlance, this law is known as the 'Goonda Act'.

The move has come as a shock to the legal community which has slammed it, terming it an attempt by the state to usurp central powers. The government had earlier included 'piracy' under the Goonda Act. But it was applicable only to those pirating film DVDs. Now, this will include books, film songs, music, software or anything big corporates and multinationals claim they have copyright on.

Sunil Abraham, executive director, Centre for Internet and Society, is left in no doubt that the new law is "a terrible thing". "It is a sad development. It is not just bringing the provisions of the IT Act, but also the Copyright Act, that will hurt the common man," he said.

'Digital Offenders' means "any person who knowingly or deliberately violates, for commercial purposes, any copyright law in relation to any book, music, film, software, artistic or scientific work and also includes any person who illegally enters through the identity of another user and illegally uses any computer or digital network for pecuniary gain for himself or any other person or commits any of the offences specified under sections 67, 68, 69, 70, 71, 72, 73, 74 and 75 of the Information Technology Act, 2000."

Section 67 of the IT Act will be the most dangerous for the common man with a smartphone in hand now. The section, "Publishing of information which is obscene in electronic form," includes "any material which is lascivious or appeal to the prurient interest." This could have a very broad interpretation.

Advocate Nagendra Naik says, "The Goonda Act provides for preventive arrest. In the Information Technology Act and The Copyright Act, you have to commit the offence to be arrested. But here, you can be taken into preventive custody even before you commit the said offences. In normal arrests, you can straightaway apply for bail. But under the Goonda Act, you cannot. There is a long process of review and you will be in custody at least till then. The third impact is, you can have a history sheet started against you by the police. Technically, your slips on WhatsApp will attract the Goonda Act against you."

Supreme Court advocate KV Dhananjay said the Goonda Act is a draconian piece of legislation and it necessarily mocks at the institution of courts and lawyers. "After the passage of the various amendments to the Goonda Act, Karnataka now looks like a mini North Korea where police mood swings will decide whether the ordinary citizen has any right at all," he said.

Advocate Shyam Sundar, says, "What if your smartphone has a list of repeated material sent out over days or weeks. Most people do not even know if their phones are affected by viruses which could be sending out such material. Another example is of Facebook. There are so many FB pages with pornographic content. If someone who has subscribed to such a page sends you a friend request and you accept it, that content will surface on your page. It will have a history of repetition. The amendment clearly opens up huge problems for the common people. There is no doubt of the law being grossly misused and the amendment to include provisions of the IT Act has been done without application of mind. What is lascivious appeal in the first place? A porn star has been made a film star in India. Is this not lust? Are there enough filters in place to secure your smartphone from online abuse?"

The new law will in all probability create more corruption than anything else, say experts. Dhananjay says, "Until last week, police postings in Bangalore and other bigger cities were selling for tens of lakhs. Thanks to these amendments, some postings that enforce the Goonda Act will now sell for a couple of crores. The public will not feel safe due to this draconian legislation. Those who enforce the Goonda Act, however, will become richer through corruption, thanks to the fear created by these new amendments."

One year in jail for the innocent too

Sunil Abraham gives two examples by which the amended Goonda Act will become a ruthless piece of legislation. "If I publish an image of a naked body as part of a scientific article about the human body, is it obscene or not? It will not be obscene and, if I am arrested under the IT Act, I will be produced before the magistrate within 24 hours and can explain it to him. But now, I will be arrested under the Goonda Act and need not be produced before a magistrate for 90 days. It can be extended to one year. So for one year, I will be in jail even if I have not committed any wrong. Another example pertains to bringing offences under the Copyright Act under the Goonda Act. In the Copyright Act, there is an exception for reporting, research, educational and people with disability. A visually impaired person, for example, can, without paying royalty, convert a book into another format like Braille or audio and share it with another visually impaired person on a non-profit basis. But if he is arrested under Goonda Act, he will be in jail for one year, even before he does it."

HAVE THEY READ STATUTE?
Supreme Court advocate KV Dhananjay says, "The definition of a 'digital offender' is simply laughable. I do not think that whoever asked the state government to include 'digital offence' under the Goonda Act has carefully read the Constitution of India. Under the Constitution, both copyright and telecommunications are exclusive central subjects. This means that states simply cannot make any law on these subjects." Dhananjay gives the example of payment of income tax. "You know already that only the central government can demand and collect your income taxes. Can any state government say that it will create a new law to punish its resident who defaults in payment of income tax? You would simply laugh at any such law. This new definition of 'digital offender' is no less amusing. Offences under the Information Technology Act, 2000, are exclusively punishable by the central government only. State governments have no power to say that an Act shall become an offence when it does not even have the power to regulate such an Act."

CRIMINAL LAW EXPERTS SAY
Senior designate advocate, MT Nanaiah: "This law will be too harsh. There are MLAs who do not know the meaning of cyber crime. We (advocates) will be kept busy at the cost of innocent people because of this step. It provides for arresting anyone who would allegedly be planning to do something. Finding him guilty or otherwise comes later. What happens if your phone is lost or somebody sends something from your phone without your knowledge? For the first few years, innocents will go to jail. Then the courts will probably intervene and call for modifying what is at best a bad law. A similar situation arose with Section 498(A) of IPC and Sections 3 and 4 of Dowry Prohibition Act. It was misused to such an extent that courts had to step in." Senior designate advocate and former State Public Prosecutor HS Chandramouli : "Even social legislations have been misused. And, in this case, most people are illiterate about what cyber crime is. It is mostly teenagers and college students who will feel the heat. These are the people who mostly forward material considered obscene. It is necessary to educate people through discussions, workshops in the bar associations, law college and with experts. The amendment has been passed in the Legislature without discussion, which is a tragedy. At least now, before it is gazetted, people should be warned about what is being brought into the Goonda Act. I do not know how fair adding 'digital offenders' in the Goonda Act will be to the public, but the chances of misuse are more. There are no riders or prosecution for misuse. And how many policemen know about cyber crimes? During the infamous 'kidney' case (where people were cheated and their kidneys removed) many policemen did not know the difference between kidneys and testicles."

ONE YEAR IN JAIL WITHOUT CHANCE OF BAIL FOR..

Forwarding a song from your phone
Forwarding an e-book from your email
A nude photo which the govt thinks is obscene
Any software that a company says it owns
A movie which a company says it has copyright on

For more details visit https://cis-india.org/news/bangalore-mirror-shyam-prasad-august-4-2014-we-the-goondas

We need a better AI vision

basu — 2019-10-14T13:55:59Z

Artificial intelligence conjures up a wondrous world of autonomous processes but dystopia is inevitable unless rights and privacy are protected.

The blog post by Arindrajit Basu was published by Fountainink on October 12, 2019.

he dawn of Artificial Intelligence (AI) has policy-makers across the globe excited. In India, it is seen as a tool to overleap structural hurdles and better understand a range of organisational and management processes while improving the implementation of several government tasks. Notwithstanding the apparent enthusiasm in the government and private sectors, an adequate technological, infrastructural, and financial capacity to develop these models at scale is still in the works.

A number of policy documents with direct or indirect references to India’s AI future—to be powered by vast troves of data—have been released in the past year and a half. These include the National Strategy for Artificial Intelligence (which I will refer to as National Strategy) authored by NITI Aayog, the AI Taskforce Report, Chapter 4 of the Economic Survey, the Draft e-Commerce Bill and the Srikrishna Committee Report.

While they extol the virtues of data-driven analytics, references to the preservation or augmentation of India’s constitutional ethos through AI has been limited though it is crucial for safeguarding the rights and liberties of citizens while paving the way for the alleviation of societal oppression.

In this essay, I outline the variety of AI use cases that are in the works. I then highlight India’s AI vision by culling the relevant aspects of policy instruments that impact the AI ecosystem and identify lacunae that can be rectified. Finally, I attempt to “constitutionalise AI policy” by grounding it in a framework of constitutional rights that guarantee protection to the most vulnerable sections of society.

In the manufacturing industry, AI adoption is not uniform across all sectors. But there has been a notable transformation in electronics, heavy electricals and automobiles.

It is crucial to note that these cases, still emerging in India, have been implemented at scale in other countries such as the United Kingdom, United States and China. Projects were rolled out to the detriment of ethical and legal considerations. Hindsight should make the Indian policy ecosystem much wiser. By closely studying the research produced in these diverse contexts, Indian policy-makers should try to find ways around the ethical and legal challenges that cropped up elsewhere and devise policy solutions that mitigate the concerns raised.

***

Before anything else we need to define AI—an endeavour fraught with multiple contestations. My colleagues and I at the Centre for Internet & Society ducked this hurdle when conducting our research by adopting a function-based approach. An AI system (as opposed to one that automates routine, cognitive or non-cognitive tasks) is a dynamic learning system that allows for the delegation of some level of human decision-making to the system. This definition allows us to capture some of the unique challenges and prospects that stem from the use of AI.

The research I contributed to at CIS identified key trends in the use of AI across India. In healthcare, it is used for descriptive and predictive purposes.

For example, the Manipal Group of Hospitals tied up with IBM’s Watson for Oncology to aid doctors in the diagnosis and treatment of seven types of cancer. It is also being used for analytical or diagnostic services. Niramai Health Analytix uses AI to detect early stage breast cancer and Adveniot Tecnosys detects tuberculosis through chest X-rays and acute infections using ultrasound images. In the manufacturing industry, AI adoption is not uniform across all sectors. But there has been a notable transformation in the electronics, heavy electricals and automobiles sector gradually adopting and integrating AI solutions into their products and processes.

It is also used in the burgeoning online lending segment in order to source credit score data. As many Indians have no credit scores, AI is used to aggregate data and generate scores for more than 80 per cent of the population who have no credit scores. This includes Credit Vidya, a Hyderabad-based data underwriting start-up that provides a credit score to first time loan-seekers and feeds this information to big players such as ICICI Bank and HDFC Bank, among others. It is also used by players such as Mastercard for fraud detection and risk management. In the finance world, companies such as Trade Rays are being used to provide user-friendly algorithmic trading services.

AI is also being increasingly used in the education sector for providing services to students such as decision-making assistance and also for student-progress monitoring.

The next big development is in law enforcement. Predictive policing is making great strides in various states, including Delhi, Punjab, Uttar Pradesh and Maharashtra. A brainchild of the Los Angeles Police Department, predictive policing is the use of analytical techniques such as Machine Learning to identify probable targets for intervention to prevent crime or to solve past crime through statistical predictions.

Conventional approaches to predictive policing start with the mapping of locations where crimes are concentrated (hot spots) by using algorithms to analyse aggregated data sets. Police in Uttar Pradesh and Delhi have partnered with the Indian Space Research Organisation (ISRO) in a Memorandum of Understanding to allow ISRO’s Advanced Data Processing Research Institute to map, visualise and compile reports about crime-related incidents.

There are aggressive developments also on the facial recognition front. Punjab Police, in association with Gurugram-based start-up Staqu has started implementing the Punjab Artificial Intelligence System (PAIS) which uses digitised criminal records and automated facial recognition to retrieve information on the suspected criminal. At the national level, on June 28, the National Crime Records Bureau (NCRB) called for tenders to implement a centralised Automated Facial Recognition System (AFRS), defining the scope of work in broad terms as the “supply, installation and commissioning of hardware and software at NCRB.”

AI is also being increasingly used in the education sector for providing services to students such as decision-making assistance and also for student-progress monitoring. The Andhra Pradesh government had started collecting information from a range of databases and processes the information through Microsoft’s Machine Learning Platform to monitor children and devote student focussed attention on identifying and curbing school drop-outs.

In Andhra Pradesh, Microsoft collaborated with the International Crop Institute for Semi-Arid Tropics (ICRISAT) to develop an AI Sowing App powered by Microsoft’s Cortana Intelligence Suite. It aggregated data using Machine Learning and sent advisories to farmers regarding optimal dates to sow. This was done via text messages on feature phones after ground research revealed that not many farmers owned or were able to use smart phones. The NITI Aayog AI Strategy specifically cited this use case and reported that this resulted in a 10-30 per cent increase in crop yield. The government of Karnataka has entered into a similar arrangement with Microsoft.

Finally, in the defence sector, our research found enthusiasm for AI in intelligence, surveillance and reconnaissance (ISR) functions, cyber defence, robot soldiers, risk terrain analysis and moving towards autonomous weapons systems. These projects are being developed by the Defence Research and Development Organisation but the level of trust and support in AI-driven processes reposed by the wings of the armed forces is yet to be publicly clarified. India also had the privilege of leading the global debate on Lethal Autonomous Weapons Systems (LAWS) with Amandeep Singh Gill chairing the United Nations Group of Governmental Experts (UN-GGE) on the issue. However, ‘lethal’ autonomous weapons systems at this stage appear to be a speck in the distant horizon.

***

Along with the range of use cases described above, a patchwork of policy imperatives is emerging to support this ecosystem. The umbrella document is the National Strategy for Artificial Intelligence published by the NITI Aayog in June 2018. Despite certain lacunae in its scope, the existence of a cohesive and robust document that lends a semblance of certainty and predictability to a rapidly emerging sphere is in itself a boon. The document focuses on how India can leverage AI for both economic growth and social inclusion. The contents of the document can be divided into a few themes, many of which have also found their way into multiple other instruments.

NITI Aayog provides over 30 policy recommendations on investment in scientific research, reskilling, training and enabling the speedy adoption of AI across value chains. The flagship research initiative is a two-tiered endeavour to boost AI research in India. First, new centres of research excellence (COREs) will develop fundamental research. The COREs will act as feeders for international centres for transformational AI which will focus on creating AI-based applications across sectors.

This is an impressive theoretical objective but questions surrounding implementation and structures of operation remain to be answered. China has not only conceptualised an ecosystem but through the Three Year Action Plan to Promote the Development of New Generation Artificial Intelligence Industry, it has also taken a whole-of-government approach to propelling the private sector to an e-leadership position. It has partnered with national tech companies and set clear goals for funding, such as the $2.1 billion technology park for AI research in Beijing.

The contents of the NITI document can be divided into a few themes, many of which have also found their way into multiple other instruments. First, it proposes an “AI+X” approach that captures the long-term vision for AI in India. Instead of replacing the processes in their entirety, AI is understood as an enabler of efficiency in processes that already exist. NITI Aayog therefore looks at the process of deploying AI-driven technologies as taking an existing process (X) and adding AI to them (AI+X). This is a crucial recommendation all AI projects should heed. Instead of waving AI as an all-encompassing magic wand across sectors, it is necessary to identify specific gaps AI can seek to remedy and then devise the process underpinning this implementation.

A cacophony of policy instruments by multiple government departments seeks to reconceptualise data to construct a theoretical framework that allows for its exploitation for AI-driven analytics.

The AI-driven intervention to develop sowing apps for farmers in Karnataka and Andhra Pradesh are examples of effective implementation of this approach. Instead of other knee-jerk reactions to agrarian woes such as a hasty raising of Minimum Support Price, effective research was done in this use-case to identify a lack of predictability in weather patterns as a key factor in productive crop yields. They realised that aggregation of data through AI could provide farmers with better information on weather patterns. As internet penetration was relatively low in rural Karnataka, text messages to feature phones that had a far wider presence was indispensable to the end game.

***

This is in contrast to the ill-conceived path adopted by the Union ministry of electronics and information technology in guidelines for regulating social media platforms that host content (“intermediaries”). Rule 3(9) of the Draft of the Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 mandates intermediaries to use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content”.

Proposed in light of the fake news menace and the unbridled spread of “extremist” content online, the use of the phrase “automated tools or appropriate mechanisms” is reflective of an attitude that fails to consider ground realities that confront companies and users alike. They ignore, for instance, the cost of automated tools: whether automated content moderation techniques developed in the West can be applied to Indic languages or grievance redress mechanisms users can avail of if their online speech is unduly restricted. This is thus a clear case of the “AI” mantra being drawn out of a hat without studying the “X” it is supposed to remedy.

The second focus of the National Strategy that has since morphed into a technology policy mainstay across instruments is on data governance, access and utilisation. The document says the major hurdle to the large scale adoption of AI in India is the difficulty in accessing structured data. It recommends developing big annotated data sets to “democratise data and multi-stakeholder marketplaces across the AI value chain”. It argues that at present only one per cent of data can be analysed as it exists in various unconnected silos. Through the creation of a formal market for data, aggregators such as diagnostic centres in the healthcare sector would curate datasets and place them in the market, with appropriate permissions and safeguards. AI firms could use available datasets rather than wasting effort sourcing and curating the sets themselves.

A cacophony of policy instruments by multiple government departments seeks to reconceptualise data to construct a theoretical framework that allows for its exploitation for AI-driven analytics.The first is “community data” and appears both in the Srikrishna Report that accompanied the draft Data Protection Bill in 2018 and the draft e-commerce policy.

But there appears to be some conflict between its usage in the two. Srikrishna endorses a collective protection of privacy by protecting an identifiable community that has contributed to community data. This requires the fulfilment of three key conditions: first, the data belong to an identifiable community; second, individuals in the community consent to being a part of it, and third, the community as a whole consents to its data being treated as community data. On the other hand, the Department of Promotion of Industry and Internal Trade’s (DPIIT) draft e-commerce policy looks at community data as “societal commons” or a “national resource” that gives the community the right to access it but government has ultimate and overriding control of the data. This configuration of community data brings into question the consent framework in the Srikrishna Bill.

The government’s attempt to harness data as a national resource for the development of AI-based solutions may be well-intentioned but is fraught with core problems in implementation.

The matter is further confused by treating “data as a public good”. This is projected in Chapter 4 of the 2019 Economic Survey published by the Ministry of Finance. It explicitly states that any configuration needs to be deferential to privacy norms and the upcoming privacy law. The “personal data” of an individual in the custody of a government is also a “public good” once the datasets are anonymised. At the same time, it pushes for the creation of a government database that links several individual databases, which leads to the “triangulation” problem, where matching different datasets together allows for individuals to be identified despite their anonymisation in seemingly disparate databases.

“Building an AI ecosystem” was also one of the ostensible reasons for data localisation—the government’s gambit to mandate that foreign companies store the data of Indian citizens within national borders. In addition to a few other policy instruments with similar mandates, Section 40 of the Draft Personal Data Protection Bill mandates that all “critical data” (this is to be notified by the government) be stored exclusively in India. All other data should have a live, serving copy stored in India even if transfer abroad is allowed. This was an attempt to ensure foreign data processors are not the sole beneficiaries of AI-driven insights.

The government’s attempt to harness data as a national resource for the development of AI-based solutions may be well intentioned but is fraught with core problems in implementation. First, the notion of data as a national resource or as a public good walks a tightrope with constitutionally guaranteed protections around privacy, which will be codified in the upcoming Personal Data Protection Bill. My concerns are not quite so grave in the case of genuine “public data” like traffic signal data or pollution data. However, the Economic Survey manages to crudely amalgamate personal data into the mix.

It also states that personal data in the custody of a government is a public good once the datasets are anonymised. This includes transactions data in the User Payments Interface (UPI), administrative data including birth and death records, and institutional data including data in public hospitals or schools on pupils or patients. At the same time, it pushes for a government database that will lead to the triangulation problem outlined above. The chapter also suggests that said data may be sold to private firms (unclear if this includes foreign or domestic firms). This not only contradicts the notion of public good but is also a serious threat to the confidentiality and security of personal data.

***

Therefore, along with the concerted endeavour to create data marketplaces, it is crucial for policy-makers to differentiate between public data and personal data individuals may consent to be made public. The parameters for clearly defining free and informed consent, as codified in the Draft Personal Data Protection Bill need to be strictly followed as there is a risk of de-anonymisation of data once it finds its way into the marketplace. Second, it is crucial for policy-makers to define clearly a community and parameters for what constitutes individual consent to be part of a community. Finally, along with technical work on setting up a national data marketplace, there must be protracted efforts to guarantee greater security and standards of anonymisation.

The National Strategy mentions that India should position itself as a “garage” for AI in emerging economies. This could mean Indian citizens are used as guinea pigs for AI-driven solutions at the cost of their rights.

Assuming that a constitutionally valid paradigm may be created, the excessive focus on data access by tech players dodges the question of the capabilities of analytic firms to process this data and derive meaningful insights from the information. Scholars on China, arguably the poster-child of data-driven economic growth, have sent mixed messages. Ding argues that despite having half the technical capabilities of the US, easy access to data gives China a competitive edge in global AI competition. On the contrary, Andrew Ng has argued that operationalising a sufficient number of relevant datasets still remains a challenge. Ng’s views are backed up by insiders at Chinese tech giant Tencent who say the company still finds it difficult to integrate data streams due to technical hurdles. NITI Aayog’s idea of a multi-stream data marketplace may theoretically be a solution to these potential hurdles but requires sustained funding and research innovation to be converted into reality.

The National Strategy suggests that government should create a multi-disciplinary committee to set up this marketplace and explore levers for its implementation. This is certainly the need of the hour. It also rightly highlights the importance of research partnerships between academia and the private sector, and the need to support start-ups. There is therefore an urgent need for innovative allied policy instruments that support the burgeoning start-up sector. Proposals such as data localisation may hurt smaller players as they will have to bear the increased fixed costs of setting up or renting data centres.

The National Strategy also incongruously mentions that India should position itself as a “garage” for the use of AI in emerging economies. This could mean Indian citizens are used as guinea pigs for AI-driven solutions at the cost of their fundamental rights. It could also imply that India should occupy a leadership position and work with other emerging economies to frame the global rights based discourse to seek equitable solutions for the application of AI that works to improve the plight of the most vulnerable in society.

***

Our constitutional ethos places us in a unique position to develop a framework that enables the actualisation of this equitable vision—a goal the policy instruments put out thus far appear to have missed. While the National Strategy includes a section on privacy, security and ethical implications of AI, it stops short of rooting it in fundamental rights and constitutional principles. As a centralised policy instrument, the National Strategy deserves praise for identifying key levers in the future of India’s AI ecosystem and, with the exception of the concerns I outlined above, it is at par with the policy-making thought process in any other nation.

When we start the process of using constitutional principles for AI governance, we must remember that as per Article 12, an individual can file a writ against the state for violation of a fundamental right if the action is taken under the aegis of a “public function”. To combat discrimination by private actors, the state can enact legislation compelling private actors to comply with constitutional mandates. In July, Rajeev Chandrashekhar, a Rajya Sabha MP, suggested a law to combat algorithmic discrimination along the lines of the Algorithmic Accountability Bill proposed in the US Senate. There are three core constitutional questions along the lines of the “golden triangle” of the Indian Constitution any such legislation will need to answer—those of accountability and transparency, algorithmic discrimination and the guarantee of freedom of expression and individual privacy.

Algorithms are developed by human beings who have their own cognitive biases. This means ostensibly neutral algorithms can have an unintentional disparate impact on certain, often traditionally disenfranchised groups.

In the MIT Technology Review, Karen Hao explains three stages at which bias might creep in. The first stage is the framing of the problem itself. As soon as computer scientists create a deep-learning model, they decide what they want the model to finally achieve. However, frequently desired outcomes such as “profitability”, “creditworthiness” or “recruitability” are subjective and imprecise concepts subject to human cognitive bias. This makes it difficult to devise screening algorithms that fairly portray society and the complex medley of identities, attributes and structures of power that define it.

The second stage Hao mentions is the data collection phase. Training data could lead to bias if it is unrepresentative of reality or represents entrenched prejudice or structural inequality. For example, most Natural Language Processing systems used for Parts of Speech (POS) tagging in the US are trained on the readily available data sets from the Wall Street Journal. Accuracy would naturally decrease when the algorithm is applied to individuals—largely ethnic minorities—who do not mimic the speech of the Journal.

According to Hao, the final stage for algorithmic bias is data preparation, which involves selecting parameters the developer wants the algorithm to consider. For example, when determining the “risk-profile” of car owners seeking insurance premiums, geographical location could be one parameter. This could be justified by the ostensibly neutral argument that those residing in inner-city areas with narrower roads are more likely to have scratches on their vehicles. But as inner cities in the US have a disproportionately high number of ethnic minorities or other vulnerable socio-economic groups, “pin code” becomes a facially neutral proxy for race or class-based discrimination.

***

The right to equality has been carved into multiple international human rights instruments and into the Equality Code in Articles 14-18 of the Indian Constitution. The dominant approach to interpreting the right to equality by the Supreme Court has been to focus on “grounds” of discrimination under Article 15(1), thus resulting in a lack of recognition of unintentional discrimination and disparate impact.

A notable exception, as constitutional scholar Gautam Bhatia points out, is the case of N.M. Thomas which pertained to reservation in promotions. Justice Mathew argued that the test for inequality in Article 16(4) is an effects-oriented test independent of the formal motivation underlying a specific act. Justice Krishna Iyer and Mathew also articulated a grander vision wherein they saw the Equality Code as transcending the embedded individual disabilities in class driven social hierarchies. This understanding is crucial for governing data driven decision-making that impacts vulnerable communities. Any law or policy on AI-related discrimination must also include disparate impact within its definition of “discrimination” to ensure that developers think about the adverse consequences even of well-intentioned decisions.

AI driven assessments have been challenged on grounds of constitutional violations in other jurisdictions. In 2016, the Wisconsin Supreme Court considered the legality of using risk assessment tools such as COMPAS for sentencing criminals. It affirmed the trial court’s findings and held that using COMPAS did not violate constitutional due process standards. Eric Loomis had argued that using COMPAS infringed both his right to an individualised sentence and to accurate information as COMPAS provided data for specific groups and kept the methodology used to prepare the report a trade secret. He additionally argued that the court used unconstitutional gendered assessments as the tool used gender as one of the parameters.

The Wisconsin Supreme Court disagreed with Loomis arguing that COMPAS only used publicly available data and data provided by the defendant, which apparently meant Loomis could have verified any information contained in the report. On the question of individualisation, the court argued that COMPAS provided only aggregate data for groups similarly placed to the offender. However, it went on to argue as the report was not the sole basis for a decision by the judge, a COMPAS assessment would be sufficiently individualised as courts retained the discretion and information necessary to disagree.

By assuming that Loomis could have genuinely verified all the data collected about similarly placed groups and that judges would exercise discretion to prevent the entrenchment of inequalities through COMPAS’s decision-making patterns, the judges ignored social realities. Algorithmic decision-making systems are an extension of unequal decision-making that re-entrenches prevailing societal perceptions around identity and behaviour. An instance of discrimination cannot be looked at as a single instance but as one in a menagerie of production systems that define, modulate and regulate social existence.

The policy-making ecosystem needs, therefore, to galvanise the “transformative” vision of India’s democratic fibre and study existing systems and power structures AI could re-entrench or mitigate. For example, in the matter of bank loans there is a presumption against the credit-worthiness of those working in the informal sector. The use of aggregated decision-making may lead to more equitable outcomes given that there is concrete thought on the organisational structures making these decisions and the constitutional safeguards provided.

Most case studies on algorithmic discrimination in Virgina Eubanks’ Automating Inequality or Safiya Noble’s Algorithms of Oppression are based on western contexts. There is an urgent need for publicly available empirical studies on pilot cases in India to understand the contours of discrimination. Primary research questions should explore three related subjects. Are specified ostensibly neutral variables being used to exclude certain communities from accessing opportunities and resources or having a disproportionate impact on their civil liberties? Is there diversity in the identities of the coders themselves? Are the training data sets used representative and diverse and, finally, what role does data driven decision-making play in furthering the battle against embedded structural hierarchies?

***

A key feature of AI-driven solutions is the “black box” that processes inputs and generates actionable outputs behind a veil of opacity to the human operator. Essentially, the black box denotes that aspect of the human neural decision-making function that has been delegated to the machine. A lack of transparency or understanding could lead to what Frank Pasquale terms a “Black Box Society” where algorithms define the trajectories of daily existence unless “the values and prerogatives of the encoded rules hidden within black boxes” are challenged.

Ex-post facto assessment is often insufficient for arriving at genuine accountability. For example, the success of predictive policing in the US was drawn from the fact that police have indeed found more crimes in areas deemed “high risk”. But this assessment does not account for the fact that this is a product of a vicious cycle through which more crime is detected in an area simply because more policemen are deployed. Here, the National Strategy rightly identifies that simply opening up code may not deconstruct the black box as not all stakeholders impacted by AI solutions may understand the code. The constant aim should be explicability which means the human developer should be able to explain how certain factors may be used to arrive at a certain cluster of outcomes in a given set of situations.

The requirement of accountability stems from the Right to Life provision under Article 21. As stated in the seven-judge bench in Maneka Gandhi vs. Union of India, any procedure established by law must be seen to be “fair, just and reasonable” and not “fanciful, oppressive or arbitrary.”

The Right to Privacy was recognised as a fundamental right by the nine-judge bench in K.S. Puttaswamy (Retd.) vs. Union of India. Mass surveillance can lead to the alteration of behavioural patterns which may in turn be used for the suppression of dissent by the State. Pulling vast tracts of data on all suspected criminals—as in facial recognition systems like PAIS—create a “presumption of criminality” that can have a chilling effect on democratic values.

Therefore, any use, particularly by law enforcement would need to satisfy the requirements for infringing on the right to privacy: the existence of a law, necessity—a clearly defined state objective—and proportionality between the state object and the means used restricting fundamental rights the least. Along with centralised policy instruments such as the National Strategy, all initiatives taken in pursuance of India’s AI agenda must pay heed to the democratic virtues of privacy and free speech and their interlinkages.

India needs a law to regulate the impact of Artificial Intelligence and enable its development without restricting fundamental rights. However, regulation should not adopt a “one-size-fits-all” approach that views all uses with the same level of rigidity. Regulatory intervention should be based on questions around power asymmetries and the likelihood of the use case adversely affronting human dignity captured by India’s constitutional ethos.

As an aspiring leader in global discourse, India can lay the rules of the road for other emerging economies not only by incubating, innovating and implementing AI powered technologies but by grounding it in a lattice of rich constitutional jurisprudence that empowers the individual.

The High Level Task Force on Artificial Intelligence (AI HLEG) set up by the European Commission in June 2018 published a report on “Ethical Guidelines for Trustworthy AI” earlier this year. They feature seven core requirements which include human agency and oversight; technical robustness and safety; privacy and data governance; transparency; diversity, non-discrimination and fairness; societal and environmental well-being; and accountability. While the principles are comprehensive, this document stops short of referencing any domestic or international constitutional law that helps cement these values. The Indian Constitution can help define and concretise each of these principles and could be used as a vehicle to foster genuine social inclusion and mitigation of structural injustice through AI.

At the centre of the vision must be the inherent rights of the individual. The constitutional moment for data driven decision-making emerges therefore when we conceptualise a way through which AI can be utilised to preserve and improve the enforcement of rights while also ensuring that data does not become a further avenue for exploitation.

National vision transcends the boundaries of policy and to misuse Peter Drucker, “eats strategy for breakfast”. As an aspiring leader in global discourse, India can lay the rules of the road for other emerging economies not only by incubating, innovating and implementing AI powered technologies but by grounding it in a lattice of rich constitutional jurisprudence that empowers the individual, particularly the vulnerable in society. While the multiple policy instruments and the National Strategy are important cogs in the wheel, the long-term vision can only be framed by how the plethora of actors, interest groups and stakeholders engage with the notion of an AI-powered Indian society.

For more details visit https://cis-india.org/internet-governance/blog/fountain-ink-october-12-2019-arindrajit-basu-we-need-a-better-ai-vision

We are anonymous, we are legion

sunil — 2012-03-21T09:38:56Z

Online anonymity is vital for creativity and entrepreneurship on the Web, writes Sunil Abraham. The article was published in the Hindu on April 18, 2011.

During his keynote at the International World Wide Web Conference recently, Sir Tim Berners-Lee argued for the preservation of online anonymity as a safeguard against oppression. This resonated with his audience in Hyderabad, given the recent uproar in the Indian blogosphere and twitterverse around the IT Act (Amendment 2008) and the recently published associated rules for intermediaries and cyber cafes.

Over time, there has been a dilution of standards for blanket surveillance. The Telegraph Act allowed for blanket surveillance of phone traffic only as the rarest of exceptions. The IT Act and the ISP licence on the other hand, authorise and require ISPs and cyber cafes to undertake blanket surveillance as the norm in the form of data retention. The transaction database of the UID (Unique Identification Number) project will log of all our interactions with the government, private sector and other citizens; all these are frightening developments for freedom of expression in general and anonymous speech in particular.

Anonymous speech is a necessary pre-condition for democratic and open governance, free media, protection of whistle-blowers and artistic freedom. On many controversial areas of policy formulation, it is usually anonymous officials from various ministries making statements to the press. Would mapping UIDs to IP address compromise the very business of government? A traditional newspaper may solicit anonymous tips regarding an ongoing investigative journalism campaign through their website.

Would data retention by ISPs expose their anonymous sources? Whistle-blowers usually use public Wi-Fi or cyber cafes because they don't want their communications traced back to residential or official IP addresses. Won't the ban on open public Wi-Fi networks and the mandatory requirement for ID documents at cyber cafes jeopardise their safety significantly? Throughout history, great art has been produced anonymously or under a nom de plume. Will the draft Intermediary Due Diligence Rules, which prohibits impersonation even if it is without any criminal intent, result in artists sanitising their art into banality?

Anonymous speech online is facilitated by three forms of sharing — shared standards, shared software and shared identities. Shared or open standards such as asymmetric encryption and digital signatures allow for anonymous, private and yet authenticated communications. Shared software or Free/Open Source Software reassures all parties involved that there is no spy-ware or back door built into tools and technologies built around these standards.

Shared identities, unlike shared software and standards, is a cultural hack and, therefore, almost impossible to protect against. V for Vendetta, the graphic novel by Alan Moore gives us an insight into how this is could be done. The hero, V, hides his identity behind a Guy Fawkes mask. Towards the end of the novel, he couriers thousands of similar masks to the homes of ordinary citizens.

In the final showdown between V and the oppressive regime, these citizens use these masks to form an anonymous mob that confuses the security forces into paralysis. Shared identities online therefore, is the perfect counterfoil to digital surveillance.

As Dr. Berners-Lee spoke in Hyderabad, the Internet Rights and Principles Dynamic Coalition of the Internet Governance Forum released a list of 10 principles for online governance at the meeting convened by the UN Special Rapporteur on Freedom of Expression in Stockholm.

The fifth principle includes “freedom from surveillance, the right to use encryption, and the right to online anonymity”. One hopes that Gulshan Rai of CERT-IN will heed the advice provided by his international peers and amend the IT Act rules before they have a chilling effect on online creativity and entrepreneurship.

Read the article originally published in the Hindu, here

For more details visit https://cis-india.org/internet-governance/blog/online-anonymity

Way to watch

chinmayi — 2013-07-01T10:17:27Z

The domestic surveillance regime in India lacks adequate safeguards.

Chinmayi Arun's column was published in the Indian Express on June 26, 2013.

A petition has just been filed in the Indian Supreme Court, seeking safeguards for our right to privacy against US surveillance, in view of the PRISM controversy. However, we should also look closer home, at the Indian government's Central Monitoring System (CMS) and other related programmes. The CMS facilitates direct government interception of phone calls and data, doing away with the need to justify interception requests to a third party private operator. The Indian government, like the US government, has offered the national security argument to defend its increasing intrusion into citizens' privacy. While this argument serves the limited purpose of explaining why surveillance cannot be eliminated altogether, it does not explain the absence of any reasonably effective safeguards.

Instead of protecting our privacy rights from the domestic and international intrusions made possible by technological development, our government is working on leveraging technology to violate privacy with greater efficiency. The CMS infrastructure facilitates large-scale state surveillance of private communication, with very little accountability. The dangers of this have been illustrated throughout history. Although we do have a constitutional right to privacy in India, the procedural safeguards created by our lawmakers thus far offer us very little effective protection of this right.

We owe the few safeguards that we have to the intervention of the Supreme Court of India, in PUCL vs Union of India and Another. In the context of phone tapping under the Telegraph Act, the court made it clear that the right to privacy is protected under the right to life and personal liberty under Article 21 of the Constitution of India, and that telephone tapping would also intrude on the right to freedom of speech and expression under Article 19. The court therefore ruled that there must be appropriate procedural safeguards to ensure that the interception of messages and conversation is fair, just and reasonable. Since lawmakers had failed to create appropriate safeguards, the Supreme Court suggested detailed safeguards in the interim. We must bear in mind that these were suggested in the absence of any existing safeguards, and that they were framed in 1996, after which both communication technology and good governance principles have evolved considerably.

The safeguards suggested by the Supreme Court focus on internal executive oversight and proper record-keeping as the means to achieving some accountability. For example, interception orders are to be issued by the home secretary, and to later be reviewed by a committee consisting of the cabinet secretary, the law secretary and the secretary of telecommunications (at the Central or state level, as the case may be). Records are to be kept of details such as the communications intercepted and all the persons to whom the material has been disclosed. Both the Telegraph Act and the more recent Information Technology Act have largely adopted this framework to safeguard privacy. It is, however, far from adequate in contemporary times. It disempowers citizens by relying heavily on the executive to safeguard individuals' constitutional rights. Additionally, it burdens senior civil servants with the responsibility of evaluating thousands of interception requests without considering whether they will be left with sufficient time to properly consider each interception order.

The extreme inadequacy of this framework becomes apparent when it is measured against the safeguards recommended in the recent report on the surveillance of communication by Frank La Rue, the United Nations special rapporteur on the promotion and protection of the right to freedom of speech and expression. These safeguards include the following: individuals should have the legal right to be notified that they have been subjected to surveillance or that their data has been accessed by the state; states should be transparent about the use and scope of communication surveillance powers, and should release figures about the aggregate surveillance requests, including a break-up by service provider, investigation and purpose; the collection of communications data by the state, must be monitored by an independent authority.

The safeguards recommended by the special rapporteur would not undermine any legitimate surveillance by the state in the interests of national security. They would, however, offer far better means to ensure that the right to privacy is not unreasonably violated. The emphasis placed by the special rapporteur on transparency, accountability and independent oversight is important, because our state has failed to recognise that in a democracy, citizens must be empowered as far as possible to demand and enforce their rights. Their rights cannot rest completely in the hands of civil servants, however senior. There is no excuse for refusing to put these safeguards in place, and making our domestic surveillance regime transparent and accountable, in compliance with our constitutional and international obligations.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-june-26-2013-chinmayi-arun-way-to-watch

Watch: Aadhaar has become a whipping boy: Nandan Nilekani

praskrishna — 2017-05-19T09:54:52Z

India certainly needs a modern data privacy and protection law, Nilekani said in an interview.

The Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on May 13, 2017.

As debate rages over Aadhaar being a privacy and surveillance liability, its architect Nandan Nilekani says the unique identity programme has become a “whipping ward”. In an interview with Alnoor Peermohamed and Raghu Krishnan, he says we need a data protection and privacy law with adequate judicial and parliamentary oversight. Edited excerpts:

There is concern we are losing our privacy because of Aadhaar...

Privacy is an issue the whole world is facing, thanks to digitisation. The day you went from a feature phone to a smartphone the amount of digital footprint you left behind went up dramatically. The phone records your messages, it knows what you are saying, it has a GPS so it can tell anybody where you are, the towers can tell anybody where you are because they are constantly pinging the phone. There are accelerometers and gyroscopes in the phone that detect movement.

Internet companies essentially make money from data. They use data to sell you things or advertisements. And that data is not even in India, it is in some country in some unaccountable server and accessible to the government of that foreign country, not ours.

Then increasingly there is the Internet of Things. Your car has so many sensors, wearables have sensors and all of them are recording data and beaming it to somebody else. Then there are CCTV cameras everywhere, and today they are all IP-enabled.

So privacy is a global issue, caused by digitisation. Aadhaar is one small part of that. The system is designed not to collect information, because the first risk to privacy is if someone is collecting information. Aadhaar is a passive ID system, it just sits there and when you go somewhere and invoke it, it authenticates your identity. By design itself, it is built for privacy. I believe India needs a modern data privacy and protection law.

Why is Aadhaar being used as a proxy for the privacy and data protection issues?

It is a motivated campaign by people who are trying to find different ways to say something about it. Privacy is a much bigger issue. I have been talking about privacy much before anyone else. In 2010, when it was not such a big issue, I had written to Prime Minister Manmohan Singh saying we needed a data protection law. You could see what was happening, the iPhone came out on June 30, 2007, Android phones came around the time we started Aadhaar, so we could see the trend. I asked Rahul Matthan, a top intellectual property and data lawyer, to help and we worked with the government to come out with a draft law. And then there was the AP Shah Committee. The UIDAI’s DDG Ashok Pal Singh was a part of that committee, so we helped shape that policy.

When a banking application uses Aadhaar, the system does not know what the bank does. It is deliberately designed so that data is kept away from the core system.

I am all for a data protection law but we should look at it in context, look at the big picture. If people want to work together to create a data privacy law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.

Now that the government is linking Aadhaar to PAN and driver’s licences, will that not lead to Aadhaar being used as a surveillance tool?

Surveillance is conducted through a 24x7 system that knows what you are doing, so from a technology perspective the best surveillance device is your phone. The phone is the device you should worry about.

Aadhaar is not a 24x7 product. I buy one SIM card a year and do an e-KYC, the driver’s licence sits in my pocket and only sometimes someone asks for it. With the PAN card I file my returns only once a year.

But with all that data being linked, can the government not use it?

It is a valid concern and has to be addressed through a legal and oversight process. Aadhaar is just one technology. You do not attack the technology, you look at the overall picture.

The US has the Foreign Intelligence Surveillance Act under which special courts issue warrants to the FBI for surveillance. This is absolutely required and it should be a part of the data protection law (in India) which says under what circumstances the government can authorise surveillance.

Today mobile phones are being tapped by so many agencies. In the US, the FBI is under the oversight of the Senate. In India, Parliament does not have oversight of any intelligence agency. I remember (former Union minister) Manish Tewari had introduced a Bill six or seven years ago saying Intelligence agencies needed to be under the oversight of the Parliament, but nothing happened.

Is there any way to stop Aadhaar being used as a surveillance tool?

Today a person can be identified with or without Aadhaar. US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. Aadhaar by itself is not going to add anything to that. What is important is that the infrastructure of surveillance comes under judicial oversight as well as parliamentary oversight.

Would the Aadhaar narrative have been different if this were a Congress-led government?

I think most people making this noise are against the government, so it is a political argument and Aadhaar has become a convenient whipping ward. Lots of different agendas are at work here. But my understanding is this - whether it is data protection and privacy, surveillance or security, these are all broad issues that apply to technology in general and if you are serious about solving the issues you should fix it at the highest level and have a data protection and privacy law which includes, mobile phones, CCTV cameras and Aadhaar.

A report by the Centre for Internet and Society says 130 million Aadhaar identities have been leaked...

It is because of the transparency movement in the last 10 years. In 2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act says that data about benefits should be made public. At that time it was all about transparency. Since then, governments have been publishing lists of MNREGA beneficiaries and how much money is being put into their bank accounts. At that time it was applauded. Now the same thing is coming back as privacy being affected.

These are not leaks; governments have been consciously putting out the data in the interest of transparency. The message from this is we have to strike a balance between transparency and privacy. And that is a difficult balance because Section 4 of the RTI Act says if a benefit is provided by the government it is public information, so the names of beneficiaries should be published because it is taxpayers’ money.

There is something called personally identifiable information. You should strike a balance between transparency and not revealing personally identifiable information. That is a delicate balance, and people will have to figure this out. The risk you have now is governments will stop publishing data - look, you guys have made a big fuss about privacy, we will not publish. In fact, the transparency guys are now worried that all the gains are being lost.

If Aadhaar is voluntary, why is the government forcing it on to various schemes?

There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the Aadhaar Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use Aadhaar for benefits and what process they should follow.

The second thing is Aadhaar for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.

The government has modified the Finance Bill and made Aadhaar mandatory for a PAN card. Why has it done that? Because India has a large number of duplicate PAN cards. India has something like over 250 million PAN cards and only 40 million taxpayers. Some of those may be people who have taken PAN cards just as ID but not for tax purposes, but frankly it is also because a lot of people have duplicate PAN cards. Why do people have duplicates? That is a way of tax evasion. The only way you can eliminate duplicate PAN cards is by having Aadhaar as a way of establishing uniqueness.

The second thing is mobile phones. Here the mobile phone requirement came from the Supreme Court, where somebody filed a PIL saying so many mobile phones are being given to terrorists and therefore you need to do an e-KYC when the SIM is cut and the government said they would use Aadhaar and they have been asked to do it by 2018.

The third thing is driver’s licences. As (Union Transport Minister Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes. Now why is this important? Because when you have fake driver’s licences or multiple drivers’ licences, even if you are caught, you can give your fake licence and continue to drive. Today India is the country with the largest number of deaths on highways. Lack of enforcement, fake licences are all a problem. So in the latest Motor Vehicle Bill which was passed the government said Aadhaar was necessary to get a licence. So that you have just one driver’s licence, whether it is issued in Karnataka or Bihar, you have just one.

The government is also talking about using Aadhaar for the mid-day meal scheme...

If you talk to people on the ground, and I have spoken to people on the ground, a big part of the leakage is mid-day meals. It is not reaching children. So it is important that all this has to happen so children get what they need.

You engaged with governments and civil servants when you initiated the Aadhaar process. In hindsight, would you say you should have also engaged with civil society?

I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started Aadhaar we met governments, regulators and even parliamentarians. I gave a talk in Parliament and we engaged deeply with civil society. In fact, we had one volunteer only to engage with civil society.

You said you were engaged with the previous government about the data protection law. Are you engaging with the current one too?

I am not really engaging. I know that people are working on it and recently the attorney-general has made a statement in the Supreme Court that the government will bring in a data protection law by Diwali.

We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with Aadhaar?

The seeding of data in the Aadhaar database has to be done properly and that is a process. Authentication has been proven at scale in Andhra Pradesh. Millions of people receive food with Aadhaar authentication in 29,000 PDS outlets. In fact, now they have portability -- a person from Guntur can go to Vijayawada and get his rations. It is empowering. We keep forgetting about the empowering value.

What has the Andhra Pradesh government done? They have used fingerprints, but they also have used iris scans, OTP on phone, and they have a village revenue officer if none of the above works. When you design the system, you have to design it in a way that 100 per cent of the beneficiaries genuinely get the benefit. Andhra Pradesh has shown it can be done.

The government needs to package the learning and best practices of Andhra Pradesh and take it to every other state. It is an execution issue.

Activists have raised concerns over the centralised Aadhaar database...

How else would you establish uniqueness? If you are going to give a billion people a number, how else would you do it? Is there any other way of doing it? Every cloud is centralised, then we should not have cloud systems.

How do you ensure security standards and software are updated?

There are very good people there. The CEO is very good. There is a three-member executive board with chairman Satyanarayana and two members, Anand Deshpande and Rajesh Jain. I have no doubt that they will continue to improve things.

On security, you keep improving. It is a constant race everywhere in the world. They are now coming out with registered devices that will make it more difficult to spoof.

But without a centralised database, how do you establish that an identity is not two people? If you look at the team that designed this, cumulatively they have a few hundred years of experience of designing large systems around the world. Every design decision has been taken consciously looking at the pros and cons. Why did we have both fingerprints and iris scans? There are two reasons. One is to ensure uniqueness. The second is inclusion. We knew that fingerprints in India do not work all the time because of age and manual labour. So we included iris scans. I can give you a document from 2009 that says all of this. All of these things were thought through.

If you are given a chance to design Aadhaar today what would you do differently?

I would do exactly the same thing. Go back and look at the design document. Every design has been articulated, the pros and cons are written down, published on our website, and it is a highly transparent exercise. It is the appropriate design for the problem we are trying to solve. We are forgetting about the huge benefits people are getting. Crores of people are getting direct benefit transfer without hassle. They can go to a village business correspondent and withdraw money using Aadhaar. They can get their SIM card and open a bank account using e-KYC.

You are also forgetting that people are getting empowered. That portability has ensured the bargaining power has shifted from the PDS shop owner to the individual. If a PDS guy treats him badly, the individual can choose another shop, earlier he could not do that. The empowerment of millions of people to buy rations at the shop of their choice is extraordinary.

For more details visit https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani

Watch out for fettered speech

praskrishna — 2012-09-02T09:30:50Z

The constant attempts at censorship in the name of national security should give all right-thinking Indians pause.

This article by Rohit Pradhan was published in the Business Standard on September 1, 2012. Pranesh Prakash is quoted.

It was always predictable. That the Indian government’s war against social media “hate mongers” would turn farcical and begin targeting all and sundry: from random parodies of Prime Minister Manmohan Singh’s Twitter account to prominent journalists like Kanchan Gupta and Shiv Aroor. And then Communication Minister Milind Deora discovered that his own Twitter account had been blocked.

The government blames social media for hosting objectionable content and rumour-mongering that allegedly contributed to the exodus of people of northeastern origin from cities like Bangalore and Hyderabad. Despite its best attempts, the government argues, it was unable to control the mass hysteria and was left with little alternative but to block 300 websites as well as ask Twitter and Facebook to delete “objectionable” content.

It is hardly the first time that social media has been blamed for facilitating riots. The role of BlackBerry’s instant messenger during the London riots of 2011 was constantly highlighted and there was even talk of banning the popular service before saner heads prevailed. Clearly, while rumours and doctored images have always been part of riots, the instantaneous nature of social media and the relative anonymity it affords offer additional challenges.

Nevertheless, the government’s constant attempts at censorship in the name of social harmony and national security should give all right-thinking Indians pause. Four simple reasons.

First, it is astounding how quickly the attention has shifted away from the governance failures that were largely responsible for the Assam riots and the mass departure of people of northeastern origin from India’s major metropolitan centres. The local government’s laggardly response to the initial bursts of violence allowed the riots to rage for days while the government dithered over calling the army. Social media had little, if any, role to play. And while panic is admittedly difficult to control, it is the poor record of the Indian state in responding to politically motivated violence that contributed to the panic-stricken reaction of people of northeastern origin. What should worry the Indian state are not the ravings of some anonymous Twitter account but the utter lack of faith in its ability to secure the safety of some of its most vulnerable citizens.

Second, while all governments wish to control the flow of information, the track record of the Indian state in the matter of free speech has been spectacularly poor. At the slightest allegation of “hurting religious sentiments”, books are banned, movies censored, and violence is threatened. Lacking an explicit First Amendment protection, Indian citizens are virtually powerless when the government wishes to quell free speech. The draconian Information Technology Act, 2008, orders internet providers to immediately remove content that may be “grossly harmful”, “blasphemous”, “obscene”, or even disparaging with little oversight and virtually no due process of law. As the Centre for Internet and Society’s Pranesh Prakash has demonstrated, internet providers are ready to remove “objectionable” content even in the case of frivolous complaints originating from ordinary citizens. What is particularly disconcerting is that the disregard for free speech extends even to some of India’s most prominent media personalities who can often be heard exhorting the government to regulate the internet or scrub off “hate mongers”. Given this history and the government’s demonstrated contempt for free speech, its attempts at censorship should be strongly scrutinised and vigorously resisted except in the most extenuating of circumstances.

Third, the Luddites in the Indian government may not yet comprehend it, but the internet is virtually impossible to police. The government may be able to threaten giant companies like Facebook and Twitter into cooperating, but that simply means the “objectionable” content would move to darker corners of the Net. Indeed, it is surprising that the government has not considered using technology to counter malicious rumours or to reach a mass audience with a message of reassurance. Technology can be a powerful tool for doing good and it is high time the government properly harnessed its potential. As a first step, the government has to recognise that the days when it had a monopoly on information are long gone and it has to compete for people’s attention.

Finally, even the most ardent supporter of free speech should have no qualms about admitting that it can offer a platform to the bigoted or can indirectly lead to social unrest. That may be especially true for a country like India where passions run high and an ambivalent attitude towards political violence prevails. That, however, is simply the price of liberty. Yes, a society that lacks free speech may be more stable, but it would lack the spirit of rambunctious discussion, criticism and argument — the hallmarks of a liberal democracy.

India can adopt a China-lite model, which emphasises social stability over freedom. Or India can go down the path of other liberal democracies and understand that freedom – of speech, thought and behaviour – is an ideal worth cherishing and protecting. As a constitutional republic with genuine claims of being a liberal democracy, it is clear which path India should embrace.

The writer is a fellow at the Takshashila Institution. These views are personal.

For more details visit https://cis-india.org/news/www-business-standard-rohit-pradhan-sep-1-2012-watch-out-for-fettered-speech

Watch out for cyber bullies

praskrishna — 2012-06-05T06:08:19Z

It's time to take a closer look at this form of cyber crime in India, writes KV Kurmanath in an article published in the Hindu Business Line on June 4, 2012.

The suicide of Tyler Clementi, the 18-year-old New Jersey student in 2010, had triggered a strong debate on invasion of privacy in the cyber age.

His roommate, an Indian student, captured the boy kissing another man in their hostel using his web camera.

The boy jumped into a river unable to take the humiliation, when the former tried to circulate the clip. Though the court refused to link the recording with the death, it sentenced the Indian youth to 30 days in prison last month.

What Clementi was subjected to is cyber bullying, argued those who campaigned for the Indian student's deportation.

Along with other cyber crimes, cyber bullying is on the rise in India too. The fledgling cyber police wings in different states are being flooded with complaints of invasion of privacy, blackmail and circulating electronic messages that cause annoyance.

Ms Aparna (name changed) was aghast when a close friend called her up about a nude picture of her being circulated on the web. A quick check pointed the needle of suspicion at a friend who she had just spurned. Angered by her rejection, the boy morphed her picture, checked into her email account and sent it to all the people in the contact list.

After finding Facebook not so amusing, Sujatha (name changed) decided to close her account and discussed this with a few friends too. A few days later, she found both her FB and gmail accounts compromised. She also found obscene pictures posted on the same.

Legal Issues

Incidents like these are growing sharply with poor knowledge among users abut how to protect accounts. Sharing one's passwords with others too is proving dangerous.

Prof. Madabhushi Sridhar, a cyber laws expert at NALSAR University, says the crimes cited above come under the bracket of invasion of privacy.

He says Section 66A in the amended IT Act deals with these crimes. Sending any message (through a computer or a communication device) that is grossly offensive or has menacing character; any communication which he knows to be false, but for the purpose of causing insult, annoyance, criminal intimidation comes under this section. This crime, he says, is punishable up to three years with a fine.

Prof. Sridhar, who has just completed a book on cyber laws, feels that punishments under the IT Act are insufficient. "They should be read with the Indian Penal Code. This will be an effective method to check cyber crimes," he says.

Prof. Sridhar also represents the Institute of Global Internet Governance and Advocacy (GIGA) at the Law University. GIGA conducts research on the Internet and takes up advocacy and training programmes on Internet Governance.

"We already have anti-voyeurism provisions in the IT Act under Sec. 66E," Mr Sunil Abraham, Executive Director of Centre for Internet and Security, says.

This offence is punishable with ‘imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.'

Repeated harassment aka cyber bullying can be addressed using the already over-broad provisions under Sec. 66A. Unfortunately this Section goes too far and can be used to censor legitimate speech.

"Security and privacy awareness in India is very poor. It would be very useful if both the government and civil society was more aggressive in awareness raising and triggering change in behaviour. Unfortunately this is a bit like smoking - even though people are aware of the issues - they engage in risky behaviour online," he says.

Lack of Data

Mr.Pavan Duggal, Chairman of Cyber Law Committee and Cyber laws expert, said there is no specific data on cyber crime in India and the data available with the NCRB (National Crimes Records Bureau) of around 900 cases for overall cybercrime is also doubtful.

"The solution is to make cyber laws more strict as current law under IT Act 2000 is a bailable offence with three years imprisonment and a fine," he points out.

"IT Act 2000 has to be re-amended to specific provisions pertaining to cyber bullying. Further, cyber bullying needs to be made a serious offence with minimum five years imprisonment and a fine of Rs 10 lakh. Unless you have deterrence in law it will be a continuing offence," he observes.

Fortunately, there are some safeguards which can help prevent such acts of cyber offences. In most cases, the acts of bullying or blackmailing are done by someone close to the victims. People should make it a point to keep their Internet identities very safe.

One should not disclose their identities such as passwords or hint questions to anyone – no matter how close they are. Parents should keep an eye on their children who are addicted to the Internet. They should inform and educate their children on the clear and present dangers that lurk on the Net.

They should also teach the importance of respecting others' privacy apart from taking precautions to keep their private space very safe.

(with inputs from Ronendra Singh)

Click to read the original published in the Hindu Business Line. Sunil Abraham is qouted in this article.

For more details visit https://cis-india.org/news/watch-out-for-cyber-bullies

Was there an Unofficial Internet Shutdown in BHU & NTPC?

Saurabh Sharma — 2017-12-19T16:05:58Z

Strap: In Varanasi and Raebareli, residents allege internet bans, while govt denies it all.

Varanasi/ Rae Bareli: , Uttar Pradesh: During the student-led protests at Banaras Hindu University in September, anger over how the university handled a sexual harassment complaint was exacerbated by the police brutality that rained down the protesting female students. Amidst this chaos, many students inexplicably found that they unable to communicate with their parents and peers because they couldn’t connect online.

Shraddha Singh, a second-year fine arts student at BHU, had to walk three kilometres to reserve her train ticket home and couldn’t call her mother to talk about the injuries she sustained during the lathi-charge on September 23. The 21-year-old student said, “First, the police came into the hostel to beat us up. Then the internet was blocked. Neither was the hostel WiFi working, nor the mobile internet. Forget about booking tickets, we weren’t even able to make calls.” She felt this was a deliberate attempt to disrupt the protest by those who were “afraid” of where it would lead.

Worse still, the hostel warden had asked the girls to vacate their dorms immediately, and the students were cast into the streets without access to the Internet. Tanjim Haroom, a Bangladeshi political science student at the university, found herself stranded in Varanasi like many of her classmates. "I go home only once in a year but this time, I was forced to vacate the hostel and I could not get in touch with any of my relatives or family due to this sudden shutdown of internet and phone services. I was helpless in this city and just had some Rs 700 ($11) with me. I finally got shelter at the Mumukshu Ashram and was able to contact my family from their landline phone.”

Predictably, officials from the university insisted that there wasn’t any clampdown on the internet. The then vice-chancellor, Professor Girish Chandra Tripathi, when asked about this unofficial shutdown, said that there was none. "There could have been a network issue because the internet was working fine in our office. I cannot say what the students have alleged. Making allegations is very easy," he said over the phone to 101reporters. Varanasi district magistrate Yogeshwar Ram Mishra also denied that internet or phone services were suspended during the protests.

But a worrying number of first-person accounts do prove otherwise. According to Avinash Ojha, a first-year post-graduate student at the university, internet and phone services were restricted in the varsity campus soon after the lathi-charge on the students. They weren’t able to get online from the night of September 23 to 25.

The students had to go to Assi Ghat or other far-flung places to talk to their families and make travel arrangements out of the city. Ojha also suspected the hand of the university’s vice-chancellor behind this move.

Another case of suspected unofficial shutdown might have occurred on November 1, when a boiler explosion occurred at the National Thermal Power Corporation plant in Rae Bareili, that has since killed 34 people.

A senior officer of NTPC, on the condition of anonymity, told 101reporters that Reliance Jio was asked to cap their services in the area until things settled down. "I had heard my seniors discussing the need for this in order to avoid panic. There are a large number of Jio users here, so that specific service was asked to restrict its internet speed and calling facility for a while.”

Here too, there is evidence that the outage affected several people in the area. Amresh Singh, a property dealer hailing from Baiswara area of Rae Bareli was in Unchahar when the explosion occurred. He discovered that his phone network was not working. "There was no internet on my mobile phone after 4pm. I was able to access internet only after reaching Jagatpur, which is around 10 kilometres away from Unchahar," said Singh. “It felt like the phone lines were deliberately disrupted. I initially thought something was wrong with my phone, but the people with me were also not able to use their phones. Maybe the government quietly shut down the network to prevent panic.”

Mantu Baruah, a labourer from Jharkhand working at the NTPC, had a near-identical experience. His Jio network stopped working after 4pm that day, and he was unable to contact his family on WhatsApp to tell them that he was safe. "I tried many times, maybe over a hundred times, to send an image but it didn’t work. Jio network was down. Neither video calls nor phone calls were working. The authorities had made this happen so people outside wouldn’t know what was going on here.”

But Ruchi Ratna, AGM (HR) at NTPC’s North Zone office in Lucknow, tells us that there was a network congestion that day, not a shutdown. "Even we were unable to talk to our officers and were getting our information through the media," she said. Sanjay Kumar Khatri, Rae Bareily's district magistrate said over the phone, "There is no question of an 'unofficial shutdown'. I myself faced issues in sending messages on WhatsApp but my BSNL mobile was working fine and even journalists here were sending images and videos real time.”

However, a senior communication manager at Reliance Jio's Vibhuti Khand office in Lucknow revealed to this reporter that the internet was indeed restricted in both these instances for 12 hours each. "This was only done on the order of the government. I do not hold any written information, but it must be with the head office," the communication manager said. At the time of publishing, our requests for comments from the official spokespeople of Jio had not received a response.

Arvind Kumar, principal secretary (Home), Uttar Pradesh government, said that there were no restrictions or shutdowns during either incident. "There could have been network issues. The government did not ask any service provider to restrict its services. I will look into the matter, about where the orders to restrict Jio were issued from, but it did not come from the Uttar Pradesh government," he said.

While activists have roundly criticised the Temporary Suspension of Telecom Services (Public Emergency of Public Safety) Rules, notified in August without public consultation, there is now a better-defined (albeit still vague) protocol for implementation of internet blackouts. For instance, only the central or state home secretary can issue the orders. Prior to this, internet restrictions were issued by various authorities, along with section 144 of the Criminal Procedure Code, aimed at preventing “obstruction, annoyance or injury”. This wide berth has allowed the administration to quietly get away with short-term internet bans without proper explanation. In fact, those monitoring these shutdowns are only able to maintain such records by tracking media reports; no official records are available to the public. Without official transparency, often, if there is no news story, it is like there was no internet ban.

Saurabh Sharma is a Lucknow-based freelance writer and a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/was-there-an-unofficial-internet-shutdown-in-bhu-ntpc

WannaCry: ATMs not to shut down, clarifies RBI, but how safe are our machines?

praskrishna — 2017-05-19T06:30:49Z

SBI has denied there was any compromise in its ATMs.

The blog post by Soumya Chatterjee was published by Newsminute on May 16, 2017. Udbhav Tiwari was quoted.

In the wake of the onslaught by ransomware WannaCry across the globe, the Reserve Bank of India has denied that it has asked banks in the country to shut down ATMs despite multiple conflicting reports on the same.

Speaking to The News Minute, the central bank’s spokesperson clarified, “The RBI has not passed any circulars to banks on the issue. All circulars sent to banks by the RBI is on the official website if it’s not on the website that means there is no such circular.”

The State Bank of India, the largest consumer bank of India also denied any compromise in its ATMs.

“All our systems are updated as required. Some of those, we do it daily. There are two types of updates, one is at the server level and one at the machine level. Generally, server level updates are done on a daily basis because patches are released and these are managed centrally in addition to local firewalls. The ATM machines are updated typically once in 15 days that is when the maintenance engineers visit the sites, they carry the latest software patch with them. So, everything is updated, there is no problem regarding this. We have additional surveillance but none of the ATM networks in the world has been impacted," Mrityunjoy Mahapatra, CIO of SBI told TNM.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

“This particular vulnerability was exposed by the WikiLeaks in March saying that the US' NSA was using this vulnerability in Windows operating systems to target individuals. Following this, Microsoft had sent patches in its update in March itself to counter this particular form of threats,” Udhav told TNM.

Udhav said WannaCry is one of the viruses which exploits this vulnerability adding,"No operating system is completely secure be it Windows, Mac or Linux or others, but there are certain OSs that are more susceptible to such attacks due to their popular usage and subsequent research carried on them. Once such attacks come out in the public domain and they usually get patched by the maintainers of the OS."

“In my personal experience, I have come across that most of the ATMs run on customised versions/ embeds of Windows XP or better Windows 7 which came out in 2001 and 2009 respectively. The support period for XP has already lapsed which means that it is more susceptible to malicious attacks than patched versions of other OSs,” Udhav said.

"However, Microsoft made an exception for this current threat and issued patches just for this,” added Udhav, noting if the patches were not installed they remain open to the WannaCry threat.

He also says that as there is no central repository to know what operating system many ATMs run, it would be hard to get the number of machines which are prone to this particular attack.

The cyber security expert draws parallels with the data security breaches last September and October, where a malware attack forced Indian banks to replace or request users to change the security codes of 3.2 million debit cards.

Udhav explained, “The malware had propagated in a very similar manner, they propagated via the internal networks of the bank because of a vulnerability of the ATM machines and then started recording details stored in the magnetic strips of the card."

Apart from invading some systems in departments of some state government in India, WannaCry has penetrated high profile systems across the globe including UK’s health services, Germany’s railway.

For more details visit https://cis-india.org/internet-governance/news/newsminute-may-16-2017-soumya-chatterjee-wannacry-atms-not-to-shut-down-clarifies-rbi

Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016

Pooja Saxena and Amber Sinha — 2016-03-21T08:33:53Z

In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

Credits: The illustration uses the following icons from The Noun Project - Thumpbrint created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, Copy created by Mahdi Ehsaei.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016