We are anonymous, we are legion

We the goondas

praskrishna — 2014-08-04T15:06:18Z

You can now be arrested in Karnataka even before you commit an offence under the IT Act. You could be in jail under the Goonda Act even if not guilty under the Indian Copyright Act. If govt thinks you are planning to send a 'lascivious' photo to a WhatsApp group, or forwarding a copyrighted song, you can be arrested.

The article by Shyam Prasad was published in the Bangalore Mirror on August 4, 2014. Sunil Abraham gave his inputs.

Have a smartphone? Run for cover. Bizarre as this might sound, the cops are going to come after you if you so much as forward a song to a friend. Forget actually doing it, any plans to do so could land you in serious trouble too. You could be labelled a 'goonda' in the eyes of the State and find yourself behind bars.

In a completely unfathomable move, Karnataka has brought most offences under the Information Technology Act, 2000, and Indian Copyright Act, 1957, under the ambit of the Goonda Act. Until now, people with a history of offences like bootlegging, drug offences and immoral trafficking could be taken into preventive custody. But the government, in its enthusiasm, while adding acid attackers and sexual predators to the law, has also added 'digital offenders'. While it was thought to be against audio and video pirates, Bangalore Mirror has found it could be directed at all those who frequent FB, Twitter and the online world, posting casual comments and reactions to events unfolding around them.

So if you are planning a digital 'offence' — which could be an innocuous opinion like the young girls' in Mumbai after the bandh declared on Bal Thackeray's death — that could attract the provisions of the Information Technology Act. You can even be taken into preventive custody like a 'goonda'. Even those given exceptions under the Indian Copyright Act can find themselves in jail for a year without being presented before a magistrate. Technically, if you are even planning to forward 'lascivious' memes and images to a WhatsApp group or forwarding a song or 'copyrighted' PDF book, you can be punished under the Goondas Act.

The law-makers clearly did not dwell much on the implications while bringing the majority of the populace within the ambit of this law. On July 28, the Karnataka Legislature passed (it took barely a minute from tabling to voice vote), 'The Karnataka Prevention of Dangerous Activities of Bootleggers, Drug-offenders, Gamblers, Goondas, Immoral Traffic Offenders, Slum-grabbers and Video or Audio Pirates, (Amendment) Bill, 2014'. The amendment adds, "Acid attackers, Depradator of Environment, Digital Offenders, Money Launderers and Sexual Predators", to the title. In common parlance, this law is known as the 'Goonda Act'.

The move has come as a shock to the legal community which has slammed it, terming it an attempt by the state to usurp central powers. The government had earlier included 'piracy' under the Goonda Act. But it was applicable only to those pirating film DVDs. Now, this will include books, film songs, music, software or anything big corporates and multinationals claim they have copyright on.

Sunil Abraham, executive director, Centre for Internet and Society, is left in no doubt that the new law is "a terrible thing". "It is a sad development. It is not just bringing the provisions of the IT Act, but also the Copyright Act, that will hurt the common man," he said.

'Digital Offenders' means "any person who knowingly or deliberately violates, for commercial purposes, any copyright law in relation to any book, music, film, software, artistic or scientific work and also includes any person who illegally enters through the identity of another user and illegally uses any computer or digital network for pecuniary gain for himself or any other person or commits any of the offences specified under sections 67, 68, 69, 70, 71, 72, 73, 74 and 75 of the Information Technology Act, 2000."

Section 67 of the IT Act will be the most dangerous for the common man with a smartphone in hand now. The section, "Publishing of information which is obscene in electronic form," includes "any material which is lascivious or appeal to the prurient interest." This could have a very broad interpretation.

Advocate Nagendra Naik says, "The Goonda Act provides for preventive arrest. In the Information Technology Act and The Copyright Act, you have to commit the offence to be arrested. But here, you can be taken into preventive custody even before you commit the said offences. In normal arrests, you can straightaway apply for bail. But under the Goonda Act, you cannot. There is a long process of review and you will be in custody at least till then. The third impact is, you can have a history sheet started against you by the police. Technically, your slips on WhatsApp will attract the Goonda Act against you."

Supreme Court advocate KV Dhananjay said the Goonda Act is a draconian piece of legislation and it necessarily mocks at the institution of courts and lawyers. "After the passage of the various amendments to the Goonda Act, Karnataka now looks like a mini North Korea where police mood swings will decide whether the ordinary citizen has any right at all," he said.

Advocate Shyam Sundar, says, "What if your smartphone has a list of repeated material sent out over days or weeks. Most people do not even know if their phones are affected by viruses which could be sending out such material. Another example is of Facebook. There are so many FB pages with pornographic content. If someone who has subscribed to such a page sends you a friend request and you accept it, that content will surface on your page. It will have a history of repetition. The amendment clearly opens up huge problems for the common people. There is no doubt of the law being grossly misused and the amendment to include provisions of the IT Act has been done without application of mind. What is lascivious appeal in the first place? A porn star has been made a film star in India. Is this not lust? Are there enough filters in place to secure your smartphone from online abuse?"

The new law will in all probability create more corruption than anything else, say experts. Dhananjay says, "Until last week, police postings in Bangalore and other bigger cities were selling for tens of lakhs. Thanks to these amendments, some postings that enforce the Goonda Act will now sell for a couple of crores. The public will not feel safe due to this draconian legislation. Those who enforce the Goonda Act, however, will become richer through corruption, thanks to the fear created by these new amendments."

One year in jail for the innocent too

Sunil Abraham gives two examples by which the amended Goonda Act will become a ruthless piece of legislation. "If I publish an image of a naked body as part of a scientific article about the human body, is it obscene or not? It will not be obscene and, if I am arrested under the IT Act, I will be produced before the magistrate within 24 hours and can explain it to him. But now, I will be arrested under the Goonda Act and need not be produced before a magistrate for 90 days. It can be extended to one year. So for one year, I will be in jail even if I have not committed any wrong. Another example pertains to bringing offences under the Copyright Act under the Goonda Act. In the Copyright Act, there is an exception for reporting, research, educational and people with disability. A visually impaired person, for example, can, without paying royalty, convert a book into another format like Braille or audio and share it with another visually impaired person on a non-profit basis. But if he is arrested under Goonda Act, he will be in jail for one year, even before he does it."

HAVE THEY READ STATUTE?
Supreme Court advocate KV Dhananjay says, "The definition of a 'digital offender' is simply laughable. I do not think that whoever asked the state government to include 'digital offence' under the Goonda Act has carefully read the Constitution of India. Under the Constitution, both copyright and telecommunications are exclusive central subjects. This means that states simply cannot make any law on these subjects." Dhananjay gives the example of payment of income tax. "You know already that only the central government can demand and collect your income taxes. Can any state government say that it will create a new law to punish its resident who defaults in payment of income tax? You would simply laugh at any such law. This new definition of 'digital offender' is no less amusing. Offences under the Information Technology Act, 2000, are exclusively punishable by the central government only. State governments have no power to say that an Act shall become an offence when it does not even have the power to regulate such an Act."

CRIMINAL LAW EXPERTS SAY
Senior designate advocate, MT Nanaiah: "This law will be too harsh. There are MLAs who do not know the meaning of cyber crime. We (advocates) will be kept busy at the cost of innocent people because of this step. It provides for arresting anyone who would allegedly be planning to do something. Finding him guilty or otherwise comes later. What happens if your phone is lost or somebody sends something from your phone without your knowledge? For the first few years, innocents will go to jail. Then the courts will probably intervene and call for modifying what is at best a bad law. A similar situation arose with Section 498(A) of IPC and Sections 3 and 4 of Dowry Prohibition Act. It was misused to such an extent that courts had to step in." Senior designate advocate and former State Public Prosecutor HS Chandramouli : "Even social legislations have been misused. And, in this case, most people are illiterate about what cyber crime is. It is mostly teenagers and college students who will feel the heat. These are the people who mostly forward material considered obscene. It is necessary to educate people through discussions, workshops in the bar associations, law college and with experts. The amendment has been passed in the Legislature without discussion, which is a tragedy. At least now, before it is gazetted, people should be warned about what is being brought into the Goonda Act. I do not know how fair adding 'digital offenders' in the Goonda Act will be to the public, but the chances of misuse are more. There are no riders or prosecution for misuse. And how many policemen know about cyber crimes? During the infamous 'kidney' case (where people were cheated and their kidneys removed) many policemen did not know the difference between kidneys and testicles."

ONE YEAR IN JAIL WITHOUT CHANCE OF BAIL FOR..

Forwarding a song from your phone
Forwarding an e-book from your email
A nude photo which the govt thinks is obscene
Any software that a company says it owns
A movie which a company says it has copyright on

For more details visit https://cis-india.org/news/bangalore-mirror-shyam-prasad-august-4-2014-we-the-goondas

We need a better AI vision

basu — 2019-10-14T13:55:59Z

Artificial intelligence conjures up a wondrous world of autonomous processes but dystopia is inevitable unless rights and privacy are protected.

The blog post by Arindrajit Basu was published by Fountainink on October 12, 2019.

he dawn of Artificial Intelligence (AI) has policy-makers across the globe excited. In India, it is seen as a tool to overleap structural hurdles and better understand a range of organisational and management processes while improving the implementation of several government tasks. Notwithstanding the apparent enthusiasm in the government and private sectors, an adequate technological, infrastructural, and financial capacity to develop these models at scale is still in the works.

A number of policy documents with direct or indirect references to India’s AI future—to be powered by vast troves of data—have been released in the past year and a half. These include the National Strategy for Artificial Intelligence (which I will refer to as National Strategy) authored by NITI Aayog, the AI Taskforce Report, Chapter 4 of the Economic Survey, the Draft e-Commerce Bill and the Srikrishna Committee Report.

While they extol the virtues of data-driven analytics, references to the preservation or augmentation of India’s constitutional ethos through AI has been limited though it is crucial for safeguarding the rights and liberties of citizens while paving the way for the alleviation of societal oppression.

In this essay, I outline the variety of AI use cases that are in the works. I then highlight India’s AI vision by culling the relevant aspects of policy instruments that impact the AI ecosystem and identify lacunae that can be rectified. Finally, I attempt to “constitutionalise AI policy” by grounding it in a framework of constitutional rights that guarantee protection to the most vulnerable sections of society.

In the manufacturing industry, AI adoption is not uniform across all sectors. But there has been a notable transformation in electronics, heavy electricals and automobiles.

It is crucial to note that these cases, still emerging in India, have been implemented at scale in other countries such as the United Kingdom, United States and China. Projects were rolled out to the detriment of ethical and legal considerations. Hindsight should make the Indian policy ecosystem much wiser. By closely studying the research produced in these diverse contexts, Indian policy-makers should try to find ways around the ethical and legal challenges that cropped up elsewhere and devise policy solutions that mitigate the concerns raised.

***

Before anything else we need to define AI—an endeavour fraught with multiple contestations. My colleagues and I at the Centre for Internet & Society ducked this hurdle when conducting our research by adopting a function-based approach. An AI system (as opposed to one that automates routine, cognitive or non-cognitive tasks) is a dynamic learning system that allows for the delegation of some level of human decision-making to the system. This definition allows us to capture some of the unique challenges and prospects that stem from the use of AI.

The research I contributed to at CIS identified key trends in the use of AI across India. In healthcare, it is used for descriptive and predictive purposes.

For example, the Manipal Group of Hospitals tied up with IBM’s Watson for Oncology to aid doctors in the diagnosis and treatment of seven types of cancer. It is also being used for analytical or diagnostic services. Niramai Health Analytix uses AI to detect early stage breast cancer and Adveniot Tecnosys detects tuberculosis through chest X-rays and acute infections using ultrasound images. In the manufacturing industry, AI adoption is not uniform across all sectors. But there has been a notable transformation in the electronics, heavy electricals and automobiles sector gradually adopting and integrating AI solutions into their products and processes.

It is also used in the burgeoning online lending segment in order to source credit score data. As many Indians have no credit scores, AI is used to aggregate data and generate scores for more than 80 per cent of the population who have no credit scores. This includes Credit Vidya, a Hyderabad-based data underwriting start-up that provides a credit score to first time loan-seekers and feeds this information to big players such as ICICI Bank and HDFC Bank, among others. It is also used by players such as Mastercard for fraud detection and risk management. In the finance world, companies such as Trade Rays are being used to provide user-friendly algorithmic trading services.

AI is also being increasingly used in the education sector for providing services to students such as decision-making assistance and also for student-progress monitoring.

The next big development is in law enforcement. Predictive policing is making great strides in various states, including Delhi, Punjab, Uttar Pradesh and Maharashtra. A brainchild of the Los Angeles Police Department, predictive policing is the use of analytical techniques such as Machine Learning to identify probable targets for intervention to prevent crime or to solve past crime through statistical predictions.

Conventional approaches to predictive policing start with the mapping of locations where crimes are concentrated (hot spots) by using algorithms to analyse aggregated data sets. Police in Uttar Pradesh and Delhi have partnered with the Indian Space Research Organisation (ISRO) in a Memorandum of Understanding to allow ISRO’s Advanced Data Processing Research Institute to map, visualise and compile reports about crime-related incidents.

There are aggressive developments also on the facial recognition front. Punjab Police, in association with Gurugram-based start-up Staqu has started implementing the Punjab Artificial Intelligence System (PAIS) which uses digitised criminal records and automated facial recognition to retrieve information on the suspected criminal. At the national level, on June 28, the National Crime Records Bureau (NCRB) called for tenders to implement a centralised Automated Facial Recognition System (AFRS), defining the scope of work in broad terms as the “supply, installation and commissioning of hardware and software at NCRB.”

AI is also being increasingly used in the education sector for providing services to students such as decision-making assistance and also for student-progress monitoring. The Andhra Pradesh government had started collecting information from a range of databases and processes the information through Microsoft’s Machine Learning Platform to monitor children and devote student focussed attention on identifying and curbing school drop-outs.

In Andhra Pradesh, Microsoft collaborated with the International Crop Institute for Semi-Arid Tropics (ICRISAT) to develop an AI Sowing App powered by Microsoft’s Cortana Intelligence Suite. It aggregated data using Machine Learning and sent advisories to farmers regarding optimal dates to sow. This was done via text messages on feature phones after ground research revealed that not many farmers owned or were able to use smart phones. The NITI Aayog AI Strategy specifically cited this use case and reported that this resulted in a 10-30 per cent increase in crop yield. The government of Karnataka has entered into a similar arrangement with Microsoft.

Finally, in the defence sector, our research found enthusiasm for AI in intelligence, surveillance and reconnaissance (ISR) functions, cyber defence, robot soldiers, risk terrain analysis and moving towards autonomous weapons systems. These projects are being developed by the Defence Research and Development Organisation but the level of trust and support in AI-driven processes reposed by the wings of the armed forces is yet to be publicly clarified. India also had the privilege of leading the global debate on Lethal Autonomous Weapons Systems (LAWS) with Amandeep Singh Gill chairing the United Nations Group of Governmental Experts (UN-GGE) on the issue. However, ‘lethal’ autonomous weapons systems at this stage appear to be a speck in the distant horizon.

***

Along with the range of use cases described above, a patchwork of policy imperatives is emerging to support this ecosystem. The umbrella document is the National Strategy for Artificial Intelligence published by the NITI Aayog in June 2018. Despite certain lacunae in its scope, the existence of a cohesive and robust document that lends a semblance of certainty and predictability to a rapidly emerging sphere is in itself a boon. The document focuses on how India can leverage AI for both economic growth and social inclusion. The contents of the document can be divided into a few themes, many of which have also found their way into multiple other instruments.

NITI Aayog provides over 30 policy recommendations on investment in scientific research, reskilling, training and enabling the speedy adoption of AI across value chains. The flagship research initiative is a two-tiered endeavour to boost AI research in India. First, new centres of research excellence (COREs) will develop fundamental research. The COREs will act as feeders for international centres for transformational AI which will focus on creating AI-based applications across sectors.

This is an impressive theoretical objective but questions surrounding implementation and structures of operation remain to be answered. China has not only conceptualised an ecosystem but through the Three Year Action Plan to Promote the Development of New Generation Artificial Intelligence Industry, it has also taken a whole-of-government approach to propelling the private sector to an e-leadership position. It has partnered with national tech companies and set clear goals for funding, such as the $2.1 billion technology park for AI research in Beijing.

The contents of the NITI document can be divided into a few themes, many of which have also found their way into multiple other instruments. First, it proposes an “AI+X” approach that captures the long-term vision for AI in India. Instead of replacing the processes in their entirety, AI is understood as an enabler of efficiency in processes that already exist. NITI Aayog therefore looks at the process of deploying AI-driven technologies as taking an existing process (X) and adding AI to them (AI+X). This is a crucial recommendation all AI projects should heed. Instead of waving AI as an all-encompassing magic wand across sectors, it is necessary to identify specific gaps AI can seek to remedy and then devise the process underpinning this implementation.

A cacophony of policy instruments by multiple government departments seeks to reconceptualise data to construct a theoretical framework that allows for its exploitation for AI-driven analytics.

The AI-driven intervention to develop sowing apps for farmers in Karnataka and Andhra Pradesh are examples of effective implementation of this approach. Instead of other knee-jerk reactions to agrarian woes such as a hasty raising of Minimum Support Price, effective research was done in this use-case to identify a lack of predictability in weather patterns as a key factor in productive crop yields. They realised that aggregation of data through AI could provide farmers with better information on weather patterns. As internet penetration was relatively low in rural Karnataka, text messages to feature phones that had a far wider presence was indispensable to the end game.

***

This is in contrast to the ill-conceived path adopted by the Union ministry of electronics and information technology in guidelines for regulating social media platforms that host content (“intermediaries”). Rule 3(9) of the Draft of the Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 mandates intermediaries to use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content”.

Proposed in light of the fake news menace and the unbridled spread of “extremist” content online, the use of the phrase “automated tools or appropriate mechanisms” is reflective of an attitude that fails to consider ground realities that confront companies and users alike. They ignore, for instance, the cost of automated tools: whether automated content moderation techniques developed in the West can be applied to Indic languages or grievance redress mechanisms users can avail of if their online speech is unduly restricted. This is thus a clear case of the “AI” mantra being drawn out of a hat without studying the “X” it is supposed to remedy.

The second focus of the National Strategy that has since morphed into a technology policy mainstay across instruments is on data governance, access and utilisation. The document says the major hurdle to the large scale adoption of AI in India is the difficulty in accessing structured data. It recommends developing big annotated data sets to “democratise data and multi-stakeholder marketplaces across the AI value chain”. It argues that at present only one per cent of data can be analysed as it exists in various unconnected silos. Through the creation of a formal market for data, aggregators such as diagnostic centres in the healthcare sector would curate datasets and place them in the market, with appropriate permissions and safeguards. AI firms could use available datasets rather than wasting effort sourcing and curating the sets themselves.

A cacophony of policy instruments by multiple government departments seeks to reconceptualise data to construct a theoretical framework that allows for its exploitation for AI-driven analytics.The first is “community data” and appears both in the Srikrishna Report that accompanied the draft Data Protection Bill in 2018 and the draft e-commerce policy.

But there appears to be some conflict between its usage in the two. Srikrishna endorses a collective protection of privacy by protecting an identifiable community that has contributed to community data. This requires the fulfilment of three key conditions: first, the data belong to an identifiable community; second, individuals in the community consent to being a part of it, and third, the community as a whole consents to its data being treated as community data. On the other hand, the Department of Promotion of Industry and Internal Trade’s (DPIIT) draft e-commerce policy looks at community data as “societal commons” or a “national resource” that gives the community the right to access it but government has ultimate and overriding control of the data. This configuration of community data brings into question the consent framework in the Srikrishna Bill.

The government’s attempt to harness data as a national resource for the development of AI-based solutions may be well-intentioned but is fraught with core problems in implementation.

The matter is further confused by treating “data as a public good”. This is projected in Chapter 4 of the 2019 Economic Survey published by the Ministry of Finance. It explicitly states that any configuration needs to be deferential to privacy norms and the upcoming privacy law. The “personal data” of an individual in the custody of a government is also a “public good” once the datasets are anonymised. At the same time, it pushes for the creation of a government database that links several individual databases, which leads to the “triangulation” problem, where matching different datasets together allows for individuals to be identified despite their anonymisation in seemingly disparate databases.

“Building an AI ecosystem” was also one of the ostensible reasons for data localisation—the government’s gambit to mandate that foreign companies store the data of Indian citizens within national borders. In addition to a few other policy instruments with similar mandates, Section 40 of the Draft Personal Data Protection Bill mandates that all “critical data” (this is to be notified by the government) be stored exclusively in India. All other data should have a live, serving copy stored in India even if transfer abroad is allowed. This was an attempt to ensure foreign data processors are not the sole beneficiaries of AI-driven insights.

The government’s attempt to harness data as a national resource for the development of AI-based solutions may be well intentioned but is fraught with core problems in implementation. First, the notion of data as a national resource or as a public good walks a tightrope with constitutionally guaranteed protections around privacy, which will be codified in the upcoming Personal Data Protection Bill. My concerns are not quite so grave in the case of genuine “public data” like traffic signal data or pollution data. However, the Economic Survey manages to crudely amalgamate personal data into the mix.

It also states that personal data in the custody of a government is a public good once the datasets are anonymised. This includes transactions data in the User Payments Interface (UPI), administrative data including birth and death records, and institutional data including data in public hospitals or schools on pupils or patients. At the same time, it pushes for a government database that will lead to the triangulation problem outlined above. The chapter also suggests that said data may be sold to private firms (unclear if this includes foreign or domestic firms). This not only contradicts the notion of public good but is also a serious threat to the confidentiality and security of personal data.

***

Therefore, along with the concerted endeavour to create data marketplaces, it is crucial for policy-makers to differentiate between public data and personal data individuals may consent to be made public. The parameters for clearly defining free and informed consent, as codified in the Draft Personal Data Protection Bill need to be strictly followed as there is a risk of de-anonymisation of data once it finds its way into the marketplace. Second, it is crucial for policy-makers to define clearly a community and parameters for what constitutes individual consent to be part of a community. Finally, along with technical work on setting up a national data marketplace, there must be protracted efforts to guarantee greater security and standards of anonymisation.

The National Strategy mentions that India should position itself as a “garage” for AI in emerging economies. This could mean Indian citizens are used as guinea pigs for AI-driven solutions at the cost of their rights.

Assuming that a constitutionally valid paradigm may be created, the excessive focus on data access by tech players dodges the question of the capabilities of analytic firms to process this data and derive meaningful insights from the information. Scholars on China, arguably the poster-child of data-driven economic growth, have sent mixed messages. Ding argues that despite having half the technical capabilities of the US, easy access to data gives China a competitive edge in global AI competition. On the contrary, Andrew Ng has argued that operationalising a sufficient number of relevant datasets still remains a challenge. Ng’s views are backed up by insiders at Chinese tech giant Tencent who say the company still finds it difficult to integrate data streams due to technical hurdles. NITI Aayog’s idea of a multi-stream data marketplace may theoretically be a solution to these potential hurdles but requires sustained funding and research innovation to be converted into reality.

The National Strategy suggests that government should create a multi-disciplinary committee to set up this marketplace and explore levers for its implementation. This is certainly the need of the hour. It also rightly highlights the importance of research partnerships between academia and the private sector, and the need to support start-ups. There is therefore an urgent need for innovative allied policy instruments that support the burgeoning start-up sector. Proposals such as data localisation may hurt smaller players as they will have to bear the increased fixed costs of setting up or renting data centres.

The National Strategy also incongruously mentions that India should position itself as a “garage” for the use of AI in emerging economies. This could mean Indian citizens are used as guinea pigs for AI-driven solutions at the cost of their fundamental rights. It could also imply that India should occupy a leadership position and work with other emerging economies to frame the global rights based discourse to seek equitable solutions for the application of AI that works to improve the plight of the most vulnerable in society.

***

Our constitutional ethos places us in a unique position to develop a framework that enables the actualisation of this equitable vision—a goal the policy instruments put out thus far appear to have missed. While the National Strategy includes a section on privacy, security and ethical implications of AI, it stops short of rooting it in fundamental rights and constitutional principles. As a centralised policy instrument, the National Strategy deserves praise for identifying key levers in the future of India’s AI ecosystem and, with the exception of the concerns I outlined above, it is at par with the policy-making thought process in any other nation.

When we start the process of using constitutional principles for AI governance, we must remember that as per Article 12, an individual can file a writ against the state for violation of a fundamental right if the action is taken under the aegis of a “public function”. To combat discrimination by private actors, the state can enact legislation compelling private actors to comply with constitutional mandates. In July, Rajeev Chandrashekhar, a Rajya Sabha MP, suggested a law to combat algorithmic discrimination along the lines of the Algorithmic Accountability Bill proposed in the US Senate. There are three core constitutional questions along the lines of the “golden triangle” of the Indian Constitution any such legislation will need to answer—those of accountability and transparency, algorithmic discrimination and the guarantee of freedom of expression and individual privacy.

Algorithms are developed by human beings who have their own cognitive biases. This means ostensibly neutral algorithms can have an unintentional disparate impact on certain, often traditionally disenfranchised groups.

In the MIT Technology Review, Karen Hao explains three stages at which bias might creep in. The first stage is the framing of the problem itself. As soon as computer scientists create a deep-learning model, they decide what they want the model to finally achieve. However, frequently desired outcomes such as “profitability”, “creditworthiness” or “recruitability” are subjective and imprecise concepts subject to human cognitive bias. This makes it difficult to devise screening algorithms that fairly portray society and the complex medley of identities, attributes and structures of power that define it.

The second stage Hao mentions is the data collection phase. Training data could lead to bias if it is unrepresentative of reality or represents entrenched prejudice or structural inequality. For example, most Natural Language Processing systems used for Parts of Speech (POS) tagging in the US are trained on the readily available data sets from the Wall Street Journal. Accuracy would naturally decrease when the algorithm is applied to individuals—largely ethnic minorities—who do not mimic the speech of the Journal.

According to Hao, the final stage for algorithmic bias is data preparation, which involves selecting parameters the developer wants the algorithm to consider. For example, when determining the “risk-profile” of car owners seeking insurance premiums, geographical location could be one parameter. This could be justified by the ostensibly neutral argument that those residing in inner-city areas with narrower roads are more likely to have scratches on their vehicles. But as inner cities in the US have a disproportionately high number of ethnic minorities or other vulnerable socio-economic groups, “pin code” becomes a facially neutral proxy for race or class-based discrimination.

***

The right to equality has been carved into multiple international human rights instruments and into the Equality Code in Articles 14-18 of the Indian Constitution. The dominant approach to interpreting the right to equality by the Supreme Court has been to focus on “grounds” of discrimination under Article 15(1), thus resulting in a lack of recognition of unintentional discrimination and disparate impact.

A notable exception, as constitutional scholar Gautam Bhatia points out, is the case of N.M. Thomas which pertained to reservation in promotions. Justice Mathew argued that the test for inequality in Article 16(4) is an effects-oriented test independent of the formal motivation underlying a specific act. Justice Krishna Iyer and Mathew also articulated a grander vision wherein they saw the Equality Code as transcending the embedded individual disabilities in class driven social hierarchies. This understanding is crucial for governing data driven decision-making that impacts vulnerable communities. Any law or policy on AI-related discrimination must also include disparate impact within its definition of “discrimination” to ensure that developers think about the adverse consequences even of well-intentioned decisions.

AI driven assessments have been challenged on grounds of constitutional violations in other jurisdictions. In 2016, the Wisconsin Supreme Court considered the legality of using risk assessment tools such as COMPAS for sentencing criminals. It affirmed the trial court’s findings and held that using COMPAS did not violate constitutional due process standards. Eric Loomis had argued that using COMPAS infringed both his right to an individualised sentence and to accurate information as COMPAS provided data for specific groups and kept the methodology used to prepare the report a trade secret. He additionally argued that the court used unconstitutional gendered assessments as the tool used gender as one of the parameters.

The Wisconsin Supreme Court disagreed with Loomis arguing that COMPAS only used publicly available data and data provided by the defendant, which apparently meant Loomis could have verified any information contained in the report. On the question of individualisation, the court argued that COMPAS provided only aggregate data for groups similarly placed to the offender. However, it went on to argue as the report was not the sole basis for a decision by the judge, a COMPAS assessment would be sufficiently individualised as courts retained the discretion and information necessary to disagree.

By assuming that Loomis could have genuinely verified all the data collected about similarly placed groups and that judges would exercise discretion to prevent the entrenchment of inequalities through COMPAS’s decision-making patterns, the judges ignored social realities. Algorithmic decision-making systems are an extension of unequal decision-making that re-entrenches prevailing societal perceptions around identity and behaviour. An instance of discrimination cannot be looked at as a single instance but as one in a menagerie of production systems that define, modulate and regulate social existence.

The policy-making ecosystem needs, therefore, to galvanise the “transformative” vision of India’s democratic fibre and study existing systems and power structures AI could re-entrench or mitigate. For example, in the matter of bank loans there is a presumption against the credit-worthiness of those working in the informal sector. The use of aggregated decision-making may lead to more equitable outcomes given that there is concrete thought on the organisational structures making these decisions and the constitutional safeguards provided.

Most case studies on algorithmic discrimination in Virgina Eubanks’ Automating Inequality or Safiya Noble’s Algorithms of Oppression are based on western contexts. There is an urgent need for publicly available empirical studies on pilot cases in India to understand the contours of discrimination. Primary research questions should explore three related subjects. Are specified ostensibly neutral variables being used to exclude certain communities from accessing opportunities and resources or having a disproportionate impact on their civil liberties? Is there diversity in the identities of the coders themselves? Are the training data sets used representative and diverse and, finally, what role does data driven decision-making play in furthering the battle against embedded structural hierarchies?

***

A key feature of AI-driven solutions is the “black box” that processes inputs and generates actionable outputs behind a veil of opacity to the human operator. Essentially, the black box denotes that aspect of the human neural decision-making function that has been delegated to the machine. A lack of transparency or understanding could lead to what Frank Pasquale terms a “Black Box Society” where algorithms define the trajectories of daily existence unless “the values and prerogatives of the encoded rules hidden within black boxes” are challenged.

Ex-post facto assessment is often insufficient for arriving at genuine accountability. For example, the success of predictive policing in the US was drawn from the fact that police have indeed found more crimes in areas deemed “high risk”. But this assessment does not account for the fact that this is a product of a vicious cycle through which more crime is detected in an area simply because more policemen are deployed. Here, the National Strategy rightly identifies that simply opening up code may not deconstruct the black box as not all stakeholders impacted by AI solutions may understand the code. The constant aim should be explicability which means the human developer should be able to explain how certain factors may be used to arrive at a certain cluster of outcomes in a given set of situations.

The requirement of accountability stems from the Right to Life provision under Article 21. As stated in the seven-judge bench in Maneka Gandhi vs. Union of India, any procedure established by law must be seen to be “fair, just and reasonable” and not “fanciful, oppressive or arbitrary.”

The Right to Privacy was recognised as a fundamental right by the nine-judge bench in K.S. Puttaswamy (Retd.) vs. Union of India. Mass surveillance can lead to the alteration of behavioural patterns which may in turn be used for the suppression of dissent by the State. Pulling vast tracts of data on all suspected criminals—as in facial recognition systems like PAIS—create a “presumption of criminality” that can have a chilling effect on democratic values.

Therefore, any use, particularly by law enforcement would need to satisfy the requirements for infringing on the right to privacy: the existence of a law, necessity—a clearly defined state objective—and proportionality between the state object and the means used restricting fundamental rights the least. Along with centralised policy instruments such as the National Strategy, all initiatives taken in pursuance of India’s AI agenda must pay heed to the democratic virtues of privacy and free speech and their interlinkages.

India needs a law to regulate the impact of Artificial Intelligence and enable its development without restricting fundamental rights. However, regulation should not adopt a “one-size-fits-all” approach that views all uses with the same level of rigidity. Regulatory intervention should be based on questions around power asymmetries and the likelihood of the use case adversely affronting human dignity captured by India’s constitutional ethos.

As an aspiring leader in global discourse, India can lay the rules of the road for other emerging economies not only by incubating, innovating and implementing AI powered technologies but by grounding it in a lattice of rich constitutional jurisprudence that empowers the individual.

The High Level Task Force on Artificial Intelligence (AI HLEG) set up by the European Commission in June 2018 published a report on “Ethical Guidelines for Trustworthy AI” earlier this year. They feature seven core requirements which include human agency and oversight; technical robustness and safety; privacy and data governance; transparency; diversity, non-discrimination and fairness; societal and environmental well-being; and accountability. While the principles are comprehensive, this document stops short of referencing any domestic or international constitutional law that helps cement these values. The Indian Constitution can help define and concretise each of these principles and could be used as a vehicle to foster genuine social inclusion and mitigation of structural injustice through AI.

At the centre of the vision must be the inherent rights of the individual. The constitutional moment for data driven decision-making emerges therefore when we conceptualise a way through which AI can be utilised to preserve and improve the enforcement of rights while also ensuring that data does not become a further avenue for exploitation.

National vision transcends the boundaries of policy and to misuse Peter Drucker, “eats strategy for breakfast”. As an aspiring leader in global discourse, India can lay the rules of the road for other emerging economies not only by incubating, innovating and implementing AI powered technologies but by grounding it in a lattice of rich constitutional jurisprudence that empowers the individual, particularly the vulnerable in society. While the multiple policy instruments and the National Strategy are important cogs in the wheel, the long-term vision can only be framed by how the plethora of actors, interest groups and stakeholders engage with the notion of an AI-powered Indian society.

For more details visit https://cis-india.org/internet-governance/blog/fountain-ink-october-12-2019-arindrajit-basu-we-need-a-better-ai-vision

We are anonymous, we are legion

sunil — 2012-03-21T09:38:56Z

Online anonymity is vital for creativity and entrepreneurship on the Web, writes Sunil Abraham. The article was published in the Hindu on April 18, 2011.

During his keynote at the International World Wide Web Conference recently, Sir Tim Berners-Lee argued for the preservation of online anonymity as a safeguard against oppression. This resonated with his audience in Hyderabad, given the recent uproar in the Indian blogosphere and twitterverse around the IT Act (Amendment 2008) and the recently published associated rules for intermediaries and cyber cafes.

Over time, there has been a dilution of standards for blanket surveillance. The Telegraph Act allowed for blanket surveillance of phone traffic only as the rarest of exceptions. The IT Act and the ISP licence on the other hand, authorise and require ISPs and cyber cafes to undertake blanket surveillance as the norm in the form of data retention. The transaction database of the UID (Unique Identification Number) project will log of all our interactions with the government, private sector and other citizens; all these are frightening developments for freedom of expression in general and anonymous speech in particular.

Anonymous speech is a necessary pre-condition for democratic and open governance, free media, protection of whistle-blowers and artistic freedom. On many controversial areas of policy formulation, it is usually anonymous officials from various ministries making statements to the press. Would mapping UIDs to IP address compromise the very business of government? A traditional newspaper may solicit anonymous tips regarding an ongoing investigative journalism campaign through their website.

Would data retention by ISPs expose their anonymous sources? Whistle-blowers usually use public Wi-Fi or cyber cafes because they don't want their communications traced back to residential or official IP addresses. Won't the ban on open public Wi-Fi networks and the mandatory requirement for ID documents at cyber cafes jeopardise their safety significantly? Throughout history, great art has been produced anonymously or under a nom de plume. Will the draft Intermediary Due Diligence Rules, which prohibits impersonation even if it is without any criminal intent, result in artists sanitising their art into banality?

Anonymous speech online is facilitated by three forms of sharing — shared standards, shared software and shared identities. Shared or open standards such as asymmetric encryption and digital signatures allow for anonymous, private and yet authenticated communications. Shared software or Free/Open Source Software reassures all parties involved that there is no spy-ware or back door built into tools and technologies built around these standards.

Shared identities, unlike shared software and standards, is a cultural hack and, therefore, almost impossible to protect against. V for Vendetta, the graphic novel by Alan Moore gives us an insight into how this is could be done. The hero, V, hides his identity behind a Guy Fawkes mask. Towards the end of the novel, he couriers thousands of similar masks to the homes of ordinary citizens.

In the final showdown between V and the oppressive regime, these citizens use these masks to form an anonymous mob that confuses the security forces into paralysis. Shared identities online therefore, is the perfect counterfoil to digital surveillance.

As Dr. Berners-Lee spoke in Hyderabad, the Internet Rights and Principles Dynamic Coalition of the Internet Governance Forum released a list of 10 principles for online governance at the meeting convened by the UN Special Rapporteur on Freedom of Expression in Stockholm.

The fifth principle includes “freedom from surveillance, the right to use encryption, and the right to online anonymity”. One hopes that Gulshan Rai of CERT-IN will heed the advice provided by his international peers and amend the IT Act rules before they have a chilling effect on online creativity and entrepreneurship.

Read the article originally published in the Hindu, here

For more details visit https://cis-india.org/internet-governance/blog/online-anonymity

Way to watch

chinmayi — 2013-07-01T10:17:27Z

The domestic surveillance regime in India lacks adequate safeguards.

Chinmayi Arun's column was published in the Indian Express on June 26, 2013.

A petition has just been filed in the Indian Supreme Court, seeking safeguards for our right to privacy against US surveillance, in view of the PRISM controversy. However, we should also look closer home, at the Indian government's Central Monitoring System (CMS) and other related programmes. The CMS facilitates direct government interception of phone calls and data, doing away with the need to justify interception requests to a third party private operator. The Indian government, like the US government, has offered the national security argument to defend its increasing intrusion into citizens' privacy. While this argument serves the limited purpose of explaining why surveillance cannot be eliminated altogether, it does not explain the absence of any reasonably effective safeguards.

Instead of protecting our privacy rights from the domestic and international intrusions made possible by technological development, our government is working on leveraging technology to violate privacy with greater efficiency. The CMS infrastructure facilitates large-scale state surveillance of private communication, with very little accountability. The dangers of this have been illustrated throughout history. Although we do have a constitutional right to privacy in India, the procedural safeguards created by our lawmakers thus far offer us very little effective protection of this right.

We owe the few safeguards that we have to the intervention of the Supreme Court of India, in PUCL vs Union of India and Another. In the context of phone tapping under the Telegraph Act, the court made it clear that the right to privacy is protected under the right to life and personal liberty under Article 21 of the Constitution of India, and that telephone tapping would also intrude on the right to freedom of speech and expression under Article 19. The court therefore ruled that there must be appropriate procedural safeguards to ensure that the interception of messages and conversation is fair, just and reasonable. Since lawmakers had failed to create appropriate safeguards, the Supreme Court suggested detailed safeguards in the interim. We must bear in mind that these were suggested in the absence of any existing safeguards, and that they were framed in 1996, after which both communication technology and good governance principles have evolved considerably.

The safeguards suggested by the Supreme Court focus on internal executive oversight and proper record-keeping as the means to achieving some accountability. For example, interception orders are to be issued by the home secretary, and to later be reviewed by a committee consisting of the cabinet secretary, the law secretary and the secretary of telecommunications (at the Central or state level, as the case may be). Records are to be kept of details such as the communications intercepted and all the persons to whom the material has been disclosed. Both the Telegraph Act and the more recent Information Technology Act have largely adopted this framework to safeguard privacy. It is, however, far from adequate in contemporary times. It disempowers citizens by relying heavily on the executive to safeguard individuals' constitutional rights. Additionally, it burdens senior civil servants with the responsibility of evaluating thousands of interception requests without considering whether they will be left with sufficient time to properly consider each interception order.

The extreme inadequacy of this framework becomes apparent when it is measured against the safeguards recommended in the recent report on the surveillance of communication by Frank La Rue, the United Nations special rapporteur on the promotion and protection of the right to freedom of speech and expression. These safeguards include the following: individuals should have the legal right to be notified that they have been subjected to surveillance or that their data has been accessed by the state; states should be transparent about the use and scope of communication surveillance powers, and should release figures about the aggregate surveillance requests, including a break-up by service provider, investigation and purpose; the collection of communications data by the state, must be monitored by an independent authority.

The safeguards recommended by the special rapporteur would not undermine any legitimate surveillance by the state in the interests of national security. They would, however, offer far better means to ensure that the right to privacy is not unreasonably violated. The emphasis placed by the special rapporteur on transparency, accountability and independent oversight is important, because our state has failed to recognise that in a democracy, citizens must be empowered as far as possible to demand and enforce their rights. Their rights cannot rest completely in the hands of civil servants, however senior. There is no excuse for refusing to put these safeguards in place, and making our domestic surveillance regime transparent and accountable, in compliance with our constitutional and international obligations.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-june-26-2013-chinmayi-arun-way-to-watch

Watch: Aadhaar has become a whipping boy: Nandan Nilekani

praskrishna — 2017-05-19T09:54:52Z

India certainly needs a modern data privacy and protection law, Nilekani said in an interview.

The Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on May 13, 2017.

As debate rages over Aadhaar being a privacy and surveillance liability, its architect Nandan Nilekani says the unique identity programme has become a “whipping ward”. In an interview with Alnoor Peermohamed and Raghu Krishnan, he says we need a data protection and privacy law with adequate judicial and parliamentary oversight. Edited excerpts:

There is concern we are losing our privacy because of Aadhaar...

Privacy is an issue the whole world is facing, thanks to digitisation. The day you went from a feature phone to a smartphone the amount of digital footprint you left behind went up dramatically. The phone records your messages, it knows what you are saying, it has a GPS so it can tell anybody where you are, the towers can tell anybody where you are because they are constantly pinging the phone. There are accelerometers and gyroscopes in the phone that detect movement.

Internet companies essentially make money from data. They use data to sell you things or advertisements. And that data is not even in India, it is in some country in some unaccountable server and accessible to the government of that foreign country, not ours.

Then increasingly there is the Internet of Things. Your car has so many sensors, wearables have sensors and all of them are recording data and beaming it to somebody else. Then there are CCTV cameras everywhere, and today they are all IP-enabled.

So privacy is a global issue, caused by digitisation. Aadhaar is one small part of that. The system is designed not to collect information, because the first risk to privacy is if someone is collecting information. Aadhaar is a passive ID system, it just sits there and when you go somewhere and invoke it, it authenticates your identity. By design itself, it is built for privacy. I believe India needs a modern data privacy and protection law.

Why is Aadhaar being used as a proxy for the privacy and data protection issues?

It is a motivated campaign by people who are trying to find different ways to say something about it. Privacy is a much bigger issue. I have been talking about privacy much before anyone else. In 2010, when it was not such a big issue, I had written to Prime Minister Manmohan Singh saying we needed a data protection law. You could see what was happening, the iPhone came out on June 30, 2007, Android phones came around the time we started Aadhaar, so we could see the trend. I asked Rahul Matthan, a top intellectual property and data lawyer, to help and we worked with the government to come out with a draft law. And then there was the AP Shah Committee. The UIDAI’s DDG Ashok Pal Singh was a part of that committee, so we helped shape that policy.

When a banking application uses Aadhaar, the system does not know what the bank does. It is deliberately designed so that data is kept away from the core system.

I am all for a data protection law but we should look at it in context, look at the big picture. If people want to work together to create a data privacy law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.

Now that the government is linking Aadhaar to PAN and driver’s licences, will that not lead to Aadhaar being used as a surveillance tool?

Surveillance is conducted through a 24x7 system that knows what you are doing, so from a technology perspective the best surveillance device is your phone. The phone is the device you should worry about.

Aadhaar is not a 24x7 product. I buy one SIM card a year and do an e-KYC, the driver’s licence sits in my pocket and only sometimes someone asks for it. With the PAN card I file my returns only once a year.

But with all that data being linked, can the government not use it?

It is a valid concern and has to be addressed through a legal and oversight process. Aadhaar is just one technology. You do not attack the technology, you look at the overall picture.

The US has the Foreign Intelligence Surveillance Act under which special courts issue warrants to the FBI for surveillance. This is absolutely required and it should be a part of the data protection law (in India) which says under what circumstances the government can authorise surveillance.

Today mobile phones are being tapped by so many agencies. In the US, the FBI is under the oversight of the Senate. In India, Parliament does not have oversight of any intelligence agency. I remember (former Union minister) Manish Tewari had introduced a Bill six or seven years ago saying Intelligence agencies needed to be under the oversight of the Parliament, but nothing happened.

Is there any way to stop Aadhaar being used as a surveillance tool?

Today a person can be identified with or without Aadhaar. US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. Aadhaar by itself is not going to add anything to that. What is important is that the infrastructure of surveillance comes under judicial oversight as well as parliamentary oversight.

Would the Aadhaar narrative have been different if this were a Congress-led government?

I think most people making this noise are against the government, so it is a political argument and Aadhaar has become a convenient whipping ward. Lots of different agendas are at work here. But my understanding is this - whether it is data protection and privacy, surveillance or security, these are all broad issues that apply to technology in general and if you are serious about solving the issues you should fix it at the highest level and have a data protection and privacy law which includes, mobile phones, CCTV cameras and Aadhaar.

A report by the Centre for Internet and Society says 130 million Aadhaar identities have been leaked...

It is because of the transparency movement in the last 10 years. In 2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act says that data about benefits should be made public. At that time it was all about transparency. Since then, governments have been publishing lists of MNREGA beneficiaries and how much money is being put into their bank accounts. At that time it was applauded. Now the same thing is coming back as privacy being affected.

These are not leaks; governments have been consciously putting out the data in the interest of transparency. The message from this is we have to strike a balance between transparency and privacy. And that is a difficult balance because Section 4 of the RTI Act says if a benefit is provided by the government it is public information, so the names of beneficiaries should be published because it is taxpayers’ money.

There is something called personally identifiable information. You should strike a balance between transparency and not revealing personally identifiable information. That is a delicate balance, and people will have to figure this out. The risk you have now is governments will stop publishing data - look, you guys have made a big fuss about privacy, we will not publish. In fact, the transparency guys are now worried that all the gains are being lost.

If Aadhaar is voluntary, why is the government forcing it on to various schemes?

There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the Aadhaar Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use Aadhaar for benefits and what process they should follow.

The second thing is Aadhaar for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.

The government has modified the Finance Bill and made Aadhaar mandatory for a PAN card. Why has it done that? Because India has a large number of duplicate PAN cards. India has something like over 250 million PAN cards and only 40 million taxpayers. Some of those may be people who have taken PAN cards just as ID but not for tax purposes, but frankly it is also because a lot of people have duplicate PAN cards. Why do people have duplicates? That is a way of tax evasion. The only way you can eliminate duplicate PAN cards is by having Aadhaar as a way of establishing uniqueness.

The second thing is mobile phones. Here the mobile phone requirement came from the Supreme Court, where somebody filed a PIL saying so many mobile phones are being given to terrorists and therefore you need to do an e-KYC when the SIM is cut and the government said they would use Aadhaar and they have been asked to do it by 2018.

The third thing is driver’s licences. As (Union Transport Minister Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes. Now why is this important? Because when you have fake driver’s licences or multiple drivers’ licences, even if you are caught, you can give your fake licence and continue to drive. Today India is the country with the largest number of deaths on highways. Lack of enforcement, fake licences are all a problem. So in the latest Motor Vehicle Bill which was passed the government said Aadhaar was necessary to get a licence. So that you have just one driver’s licence, whether it is issued in Karnataka or Bihar, you have just one.

The government is also talking about using Aadhaar for the mid-day meal scheme...

If you talk to people on the ground, and I have spoken to people on the ground, a big part of the leakage is mid-day meals. It is not reaching children. So it is important that all this has to happen so children get what they need.

You engaged with governments and civil servants when you initiated the Aadhaar process. In hindsight, would you say you should have also engaged with civil society?

I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started Aadhaar we met governments, regulators and even parliamentarians. I gave a talk in Parliament and we engaged deeply with civil society. In fact, we had one volunteer only to engage with civil society.

You said you were engaged with the previous government about the data protection law. Are you engaging with the current one too?

I am not really engaging. I know that people are working on it and recently the attorney-general has made a statement in the Supreme Court that the government will bring in a data protection law by Diwali.

We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with Aadhaar?

The seeding of data in the Aadhaar database has to be done properly and that is a process. Authentication has been proven at scale in Andhra Pradesh. Millions of people receive food with Aadhaar authentication in 29,000 PDS outlets. In fact, now they have portability -- a person from Guntur can go to Vijayawada and get his rations. It is empowering. We keep forgetting about the empowering value.

What has the Andhra Pradesh government done? They have used fingerprints, but they also have used iris scans, OTP on phone, and they have a village revenue officer if none of the above works. When you design the system, you have to design it in a way that 100 per cent of the beneficiaries genuinely get the benefit. Andhra Pradesh has shown it can be done.

The government needs to package the learning and best practices of Andhra Pradesh and take it to every other state. It is an execution issue.

Activists have raised concerns over the centralised Aadhaar database...

How else would you establish uniqueness? If you are going to give a billion people a number, how else would you do it? Is there any other way of doing it? Every cloud is centralised, then we should not have cloud systems.

How do you ensure security standards and software are updated?

There are very good people there. The CEO is very good. There is a three-member executive board with chairman Satyanarayana and two members, Anand Deshpande and Rajesh Jain. I have no doubt that they will continue to improve things.

On security, you keep improving. It is a constant race everywhere in the world. They are now coming out with registered devices that will make it more difficult to spoof.

But without a centralised database, how do you establish that an identity is not two people? If you look at the team that designed this, cumulatively they have a few hundred years of experience of designing large systems around the world. Every design decision has been taken consciously looking at the pros and cons. Why did we have both fingerprints and iris scans? There are two reasons. One is to ensure uniqueness. The second is inclusion. We knew that fingerprints in India do not work all the time because of age and manual labour. So we included iris scans. I can give you a document from 2009 that says all of this. All of these things were thought through.

If you are given a chance to design Aadhaar today what would you do differently?

I would do exactly the same thing. Go back and look at the design document. Every design has been articulated, the pros and cons are written down, published on our website, and it is a highly transparent exercise. It is the appropriate design for the problem we are trying to solve. We are forgetting about the huge benefits people are getting. Crores of people are getting direct benefit transfer without hassle. They can go to a village business correspondent and withdraw money using Aadhaar. They can get their SIM card and open a bank account using e-KYC.

You are also forgetting that people are getting empowered. That portability has ensured the bargaining power has shifted from the PDS shop owner to the individual. If a PDS guy treats him badly, the individual can choose another shop, earlier he could not do that. The empowerment of millions of people to buy rations at the shop of their choice is extraordinary.

For more details visit https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani

Watch out for fettered speech

praskrishna — 2012-09-02T09:30:50Z

The constant attempts at censorship in the name of national security should give all right-thinking Indians pause.

This article by Rohit Pradhan was published in the Business Standard on September 1, 2012. Pranesh Prakash is quoted.

It was always predictable. That the Indian government’s war against social media “hate mongers” would turn farcical and begin targeting all and sundry: from random parodies of Prime Minister Manmohan Singh’s Twitter account to prominent journalists like Kanchan Gupta and Shiv Aroor. And then Communication Minister Milind Deora discovered that his own Twitter account had been blocked.

The government blames social media for hosting objectionable content and rumour-mongering that allegedly contributed to the exodus of people of northeastern origin from cities like Bangalore and Hyderabad. Despite its best attempts, the government argues, it was unable to control the mass hysteria and was left with little alternative but to block 300 websites as well as ask Twitter and Facebook to delete “objectionable” content.

It is hardly the first time that social media has been blamed for facilitating riots. The role of BlackBerry’s instant messenger during the London riots of 2011 was constantly highlighted and there was even talk of banning the popular service before saner heads prevailed. Clearly, while rumours and doctored images have always been part of riots, the instantaneous nature of social media and the relative anonymity it affords offer additional challenges.

Nevertheless, the government’s constant attempts at censorship in the name of social harmony and national security should give all right-thinking Indians pause. Four simple reasons.

First, it is astounding how quickly the attention has shifted away from the governance failures that were largely responsible for the Assam riots and the mass departure of people of northeastern origin from India’s major metropolitan centres. The local government’s laggardly response to the initial bursts of violence allowed the riots to rage for days while the government dithered over calling the army. Social media had little, if any, role to play. And while panic is admittedly difficult to control, it is the poor record of the Indian state in responding to politically motivated violence that contributed to the panic-stricken reaction of people of northeastern origin. What should worry the Indian state are not the ravings of some anonymous Twitter account but the utter lack of faith in its ability to secure the safety of some of its most vulnerable citizens.

Second, while all governments wish to control the flow of information, the track record of the Indian state in the matter of free speech has been spectacularly poor. At the slightest allegation of “hurting religious sentiments”, books are banned, movies censored, and violence is threatened. Lacking an explicit First Amendment protection, Indian citizens are virtually powerless when the government wishes to quell free speech. The draconian Information Technology Act, 2008, orders internet providers to immediately remove content that may be “grossly harmful”, “blasphemous”, “obscene”, or even disparaging with little oversight and virtually no due process of law. As the Centre for Internet and Society’s Pranesh Prakash has demonstrated, internet providers are ready to remove “objectionable” content even in the case of frivolous complaints originating from ordinary citizens. What is particularly disconcerting is that the disregard for free speech extends even to some of India’s most prominent media personalities who can often be heard exhorting the government to regulate the internet or scrub off “hate mongers”. Given this history and the government’s demonstrated contempt for free speech, its attempts at censorship should be strongly scrutinised and vigorously resisted except in the most extenuating of circumstances.

Third, the Luddites in the Indian government may not yet comprehend it, but the internet is virtually impossible to police. The government may be able to threaten giant companies like Facebook and Twitter into cooperating, but that simply means the “objectionable” content would move to darker corners of the Net. Indeed, it is surprising that the government has not considered using technology to counter malicious rumours or to reach a mass audience with a message of reassurance. Technology can be a powerful tool for doing good and it is high time the government properly harnessed its potential. As a first step, the government has to recognise that the days when it had a monopoly on information are long gone and it has to compete for people’s attention.

Finally, even the most ardent supporter of free speech should have no qualms about admitting that it can offer a platform to the bigoted or can indirectly lead to social unrest. That may be especially true for a country like India where passions run high and an ambivalent attitude towards political violence prevails. That, however, is simply the price of liberty. Yes, a society that lacks free speech may be more stable, but it would lack the spirit of rambunctious discussion, criticism and argument — the hallmarks of a liberal democracy.

India can adopt a China-lite model, which emphasises social stability over freedom. Or India can go down the path of other liberal democracies and understand that freedom – of speech, thought and behaviour – is an ideal worth cherishing and protecting. As a constitutional republic with genuine claims of being a liberal democracy, it is clear which path India should embrace.

The writer is a fellow at the Takshashila Institution. These views are personal.

For more details visit https://cis-india.org/news/www-business-standard-rohit-pradhan-sep-1-2012-watch-out-for-fettered-speech

Watch out for cyber bullies

praskrishna — 2012-06-05T06:08:19Z

It's time to take a closer look at this form of cyber crime in India, writes KV Kurmanath in an article published in the Hindu Business Line on June 4, 2012.

The suicide of Tyler Clementi, the 18-year-old New Jersey student in 2010, had triggered a strong debate on invasion of privacy in the cyber age.

His roommate, an Indian student, captured the boy kissing another man in their hostel using his web camera.

The boy jumped into a river unable to take the humiliation, when the former tried to circulate the clip. Though the court refused to link the recording with the death, it sentenced the Indian youth to 30 days in prison last month.

What Clementi was subjected to is cyber bullying, argued those who campaigned for the Indian student's deportation.

Along with other cyber crimes, cyber bullying is on the rise in India too. The fledgling cyber police wings in different states are being flooded with complaints of invasion of privacy, blackmail and circulating electronic messages that cause annoyance.

Ms Aparna (name changed) was aghast when a close friend called her up about a nude picture of her being circulated on the web. A quick check pointed the needle of suspicion at a friend who she had just spurned. Angered by her rejection, the boy morphed her picture, checked into her email account and sent it to all the people in the contact list.

After finding Facebook not so amusing, Sujatha (name changed) decided to close her account and discussed this with a few friends too. A few days later, she found both her FB and gmail accounts compromised. She also found obscene pictures posted on the same.

Legal Issues

Incidents like these are growing sharply with poor knowledge among users abut how to protect accounts. Sharing one's passwords with others too is proving dangerous.

Prof. Madabhushi Sridhar, a cyber laws expert at NALSAR University, says the crimes cited above come under the bracket of invasion of privacy.

He says Section 66A in the amended IT Act deals with these crimes. Sending any message (through a computer or a communication device) that is grossly offensive or has menacing character; any communication which he knows to be false, but for the purpose of causing insult, annoyance, criminal intimidation comes under this section. This crime, he says, is punishable up to three years with a fine.

Prof. Sridhar, who has just completed a book on cyber laws, feels that punishments under the IT Act are insufficient. "They should be read with the Indian Penal Code. This will be an effective method to check cyber crimes," he says.

Prof. Sridhar also represents the Institute of Global Internet Governance and Advocacy (GIGA) at the Law University. GIGA conducts research on the Internet and takes up advocacy and training programmes on Internet Governance.

"We already have anti-voyeurism provisions in the IT Act under Sec. 66E," Mr Sunil Abraham, Executive Director of Centre for Internet and Security, says.

This offence is punishable with ‘imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.'

Repeated harassment aka cyber bullying can be addressed using the already over-broad provisions under Sec. 66A. Unfortunately this Section goes too far and can be used to censor legitimate speech.

"Security and privacy awareness in India is very poor. It would be very useful if both the government and civil society was more aggressive in awareness raising and triggering change in behaviour. Unfortunately this is a bit like smoking - even though people are aware of the issues - they engage in risky behaviour online," he says.

Lack of Data

Mr.Pavan Duggal, Chairman of Cyber Law Committee and Cyber laws expert, said there is no specific data on cyber crime in India and the data available with the NCRB (National Crimes Records Bureau) of around 900 cases for overall cybercrime is also doubtful.

"The solution is to make cyber laws more strict as current law under IT Act 2000 is a bailable offence with three years imprisonment and a fine," he points out.

"IT Act 2000 has to be re-amended to specific provisions pertaining to cyber bullying. Further, cyber bullying needs to be made a serious offence with minimum five years imprisonment and a fine of Rs 10 lakh. Unless you have deterrence in law it will be a continuing offence," he observes.

Fortunately, there are some safeguards which can help prevent such acts of cyber offences. In most cases, the acts of bullying or blackmailing are done by someone close to the victims. People should make it a point to keep their Internet identities very safe.

One should not disclose their identities such as passwords or hint questions to anyone – no matter how close they are. Parents should keep an eye on their children who are addicted to the Internet. They should inform and educate their children on the clear and present dangers that lurk on the Net.

They should also teach the importance of respecting others' privacy apart from taking precautions to keep their private space very safe.

(with inputs from Ronendra Singh)

Click to read the original published in the Hindu Business Line. Sunil Abraham is qouted in this article.

For more details visit https://cis-india.org/news/watch-out-for-cyber-bullies

Was there an Unofficial Internet Shutdown in BHU & NTPC?

Saurabh Sharma — 2017-12-19T16:05:58Z

Strap: In Varanasi and Raebareli, residents allege internet bans, while govt denies it all.

Varanasi/ Rae Bareli: , Uttar Pradesh: During the student-led protests at Banaras Hindu University in September, anger over how the university handled a sexual harassment complaint was exacerbated by the police brutality that rained down the protesting female students. Amidst this chaos, many students inexplicably found that they unable to communicate with their parents and peers because they couldn’t connect online.

Shraddha Singh, a second-year fine arts student at BHU, had to walk three kilometres to reserve her train ticket home and couldn’t call her mother to talk about the injuries she sustained during the lathi-charge on September 23. The 21-year-old student said, “First, the police came into the hostel to beat us up. Then the internet was blocked. Neither was the hostel WiFi working, nor the mobile internet. Forget about booking tickets, we weren’t even able to make calls.” She felt this was a deliberate attempt to disrupt the protest by those who were “afraid” of where it would lead.

Worse still, the hostel warden had asked the girls to vacate their dorms immediately, and the students were cast into the streets without access to the Internet. Tanjim Haroom, a Bangladeshi political science student at the university, found herself stranded in Varanasi like many of her classmates. "I go home only once in a year but this time, I was forced to vacate the hostel and I could not get in touch with any of my relatives or family due to this sudden shutdown of internet and phone services. I was helpless in this city and just had some Rs 700 ($11) with me. I finally got shelter at the Mumukshu Ashram and was able to contact my family from their landline phone.”

Predictably, officials from the university insisted that there wasn’t any clampdown on the internet. The then vice-chancellor, Professor Girish Chandra Tripathi, when asked about this unofficial shutdown, said that there was none. "There could have been a network issue because the internet was working fine in our office. I cannot say what the students have alleged. Making allegations is very easy," he said over the phone to 101reporters. Varanasi district magistrate Yogeshwar Ram Mishra also denied that internet or phone services were suspended during the protests.

But a worrying number of first-person accounts do prove otherwise. According to Avinash Ojha, a first-year post-graduate student at the university, internet and phone services were restricted in the varsity campus soon after the lathi-charge on the students. They weren’t able to get online from the night of September 23 to 25.

The students had to go to Assi Ghat or other far-flung places to talk to their families and make travel arrangements out of the city. Ojha also suspected the hand of the university’s vice-chancellor behind this move.

Another case of suspected unofficial shutdown might have occurred on November 1, when a boiler explosion occurred at the National Thermal Power Corporation plant in Rae Bareili, that has since killed 34 people.

A senior officer of NTPC, on the condition of anonymity, told 101reporters that Reliance Jio was asked to cap their services in the area until things settled down. "I had heard my seniors discussing the need for this in order to avoid panic. There are a large number of Jio users here, so that specific service was asked to restrict its internet speed and calling facility for a while.”

Here too, there is evidence that the outage affected several people in the area. Amresh Singh, a property dealer hailing from Baiswara area of Rae Bareli was in Unchahar when the explosion occurred. He discovered that his phone network was not working. "There was no internet on my mobile phone after 4pm. I was able to access internet only after reaching Jagatpur, which is around 10 kilometres away from Unchahar," said Singh. “It felt like the phone lines were deliberately disrupted. I initially thought something was wrong with my phone, but the people with me were also not able to use their phones. Maybe the government quietly shut down the network to prevent panic.”

Mantu Baruah, a labourer from Jharkhand working at the NTPC, had a near-identical experience. His Jio network stopped working after 4pm that day, and he was unable to contact his family on WhatsApp to tell them that he was safe. "I tried many times, maybe over a hundred times, to send an image but it didn’t work. Jio network was down. Neither video calls nor phone calls were working. The authorities had made this happen so people outside wouldn’t know what was going on here.”

But Ruchi Ratna, AGM (HR) at NTPC’s North Zone office in Lucknow, tells us that there was a network congestion that day, not a shutdown. "Even we were unable to talk to our officers and were getting our information through the media," she said. Sanjay Kumar Khatri, Rae Bareily's district magistrate said over the phone, "There is no question of an 'unofficial shutdown'. I myself faced issues in sending messages on WhatsApp but my BSNL mobile was working fine and even journalists here were sending images and videos real time.”

However, a senior communication manager at Reliance Jio's Vibhuti Khand office in Lucknow revealed to this reporter that the internet was indeed restricted in both these instances for 12 hours each. "This was only done on the order of the government. I do not hold any written information, but it must be with the head office," the communication manager said. At the time of publishing, our requests for comments from the official spokespeople of Jio had not received a response.

Arvind Kumar, principal secretary (Home), Uttar Pradesh government, said that there were no restrictions or shutdowns during either incident. "There could have been network issues. The government did not ask any service provider to restrict its services. I will look into the matter, about where the orders to restrict Jio were issued from, but it did not come from the Uttar Pradesh government," he said.

While activists have roundly criticised the Temporary Suspension of Telecom Services (Public Emergency of Public Safety) Rules, notified in August without public consultation, there is now a better-defined (albeit still vague) protocol for implementation of internet blackouts. For instance, only the central or state home secretary can issue the orders. Prior to this, internet restrictions were issued by various authorities, along with section 144 of the Criminal Procedure Code, aimed at preventing “obstruction, annoyance or injury”. This wide berth has allowed the administration to quietly get away with short-term internet bans without proper explanation. In fact, those monitoring these shutdowns are only able to maintain such records by tracking media reports; no official records are available to the public. Without official transparency, often, if there is no news story, it is like there was no internet ban.

Saurabh Sharma is a Lucknow-based freelance writer and a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/was-there-an-unofficial-internet-shutdown-in-bhu-ntpc

WannaCry: ATMs not to shut down, clarifies RBI, but how safe are our machines?

praskrishna — 2017-05-19T06:30:49Z

SBI has denied there was any compromise in its ATMs.

The blog post by Soumya Chatterjee was published by Newsminute on May 16, 2017. Udbhav Tiwari was quoted.

In the wake of the onslaught by ransomware WannaCry across the globe, the Reserve Bank of India has denied that it has asked banks in the country to shut down ATMs despite multiple conflicting reports on the same.

Speaking to The News Minute, the central bank’s spokesperson clarified, “The RBI has not passed any circulars to banks on the issue. All circulars sent to banks by the RBI is on the official website if it’s not on the website that means there is no such circular.”

The State Bank of India, the largest consumer bank of India also denied any compromise in its ATMs.

“All our systems are updated as required. Some of those, we do it daily. There are two types of updates, one is at the server level and one at the machine level. Generally, server level updates are done on a daily basis because patches are released and these are managed centrally in addition to local firewalls. The ATM machines are updated typically once in 15 days that is when the maintenance engineers visit the sites, they carry the latest software patch with them. So, everything is updated, there is no problem regarding this. We have additional surveillance but none of the ATM networks in the world has been impacted," Mrityunjoy Mahapatra, CIO of SBI told TNM.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

“This particular vulnerability was exposed by the WikiLeaks in March saying that the US' NSA was using this vulnerability in Windows operating systems to target individuals. Following this, Microsoft had sent patches in its update in March itself to counter this particular form of threats,” Udhav told TNM.

Udhav said WannaCry is one of the viruses which exploits this vulnerability adding,"No operating system is completely secure be it Windows, Mac or Linux or others, but there are certain OSs that are more susceptible to such attacks due to their popular usage and subsequent research carried on them. Once such attacks come out in the public domain and they usually get patched by the maintainers of the OS."

“In my personal experience, I have come across that most of the ATMs run on customised versions/ embeds of Windows XP or better Windows 7 which came out in 2001 and 2009 respectively. The support period for XP has already lapsed which means that it is more susceptible to malicious attacks than patched versions of other OSs,” Udhav said.

"However, Microsoft made an exception for this current threat and issued patches just for this,” added Udhav, noting if the patches were not installed they remain open to the WannaCry threat.

He also says that as there is no central repository to know what operating system many ATMs run, it would be hard to get the number of machines which are prone to this particular attack.

The cyber security expert draws parallels with the data security breaches last September and October, where a malware attack forced Indian banks to replace or request users to change the security codes of 3.2 million debit cards.

Udhav explained, “The malware had propagated in a very similar manner, they propagated via the internal networks of the bank because of a vulnerability of the ATM machines and then started recording details stored in the magnetic strips of the card."

Apart from invading some systems in departments of some state government in India, WannaCry has penetrated high profile systems across the globe including UK’s health services, Germany’s railway.

For more details visit https://cis-india.org/internet-governance/news/newsminute-may-16-2017-soumya-chatterjee-wannacry-atms-not-to-shut-down-clarifies-rbi

Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016

Pooja Saxena and Amber Sinha — 2016-03-21T08:33:53Z

In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

Credits: The illustration uses the following icons from The Noun Project - Thumpbrint created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, Copy created by Mahdi Ehsaei.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016

Vox Pol Workshop on the Role of Social Media and Internet Companies in Responding to Violent Online Extremism

praskrishna — 2015-04-03T15:51:08Z

On March 5-6, 2015, the VOX-Pol network convened a workshop at Central European University in Budapest on the role of social media and internet companies in responding to violent online political extremism and the impacts on freedom of expression.

Elonnai Hickok attended the workshop. More details can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/vox-pol-workshop-on-the-role-of-social-media-and-internet-companies-in-responding-to-violent-online-extremism-5-6-march-budapest

Vote: Will Social Media Impact the Election?

praskrishna — 2013-04-15T08:30:59Z

As India enters election mode, social media has become one of many platforms where possible prime ministerial candidates are being scrutinized.

The article by R. Jai Krishna was published in the Wall Street Journal on April 15, 2013. Sunil Abraham is quoted.

On top of the list are Rahul Gandhi and Narendra Modi, who recently acquired the Twitter monikers #Pappu (“naïve”) and #Feku (“boastful”), respectively, following a string of public appearances observers saw as evidence they will be leading their respective parties in the upcoming national election.

A recent study found that social media could influence the electoral outcome in as many as 160 out of 543 seats in the Lok Sabha, the lower house of Parliament.

(These are constituencies where 10% of the voting population uses Facebook, or where the number of Facebook users is higher than the winning candidate’s margin of victory at the last election.)

	“No contestant can afford to ignore social media in the next Lok Sabha elections,” argued the study, put together by IRIS Knowledge Foundation, a Mumbai-based research group, and the Internet and Mobile Association of India, a trade body. Others are more skeptical. “The study assumes that users will behave homogenously, which isn’t true,” says Sunil Abraham, executive director at the Bangalore-based Centre for Internet and Society. While calling the study’s findings “ambitious,” Mr. Abraham said it was important to recognize the political power of Facebook, which could be used as a social platform but also to “plan a revolution.” But India’s Internet penetration is low: only 150 million people out a population of 1.2 billion go online, according to the IRIS-IAMAI study. The study estimates the number of social media users in the country is around 62 million, and that it may increase up to 80 million by time of national elections, which have to happen by May 2014.

“No contestant can afford to ignore social media in the next Lok Sabha elections,” argued the study, put together by IRIS Knowledge Foundation, a Mumbai-based research group, and the Internet and Mobile Association of India, a trade body.

Others are more skeptical. “The study assumes that users will behave homogenously, which isn’t true,” says Sunil Abraham, executive director at the Bangalore-based Centre for Internet and Society.

While calling the study’s findings “ambitious,” Mr. Abraham said it was important to recognize the political power of Facebook, which could be used as a social platform but also to “plan a revolution.”

But India’s Internet penetration is low: only 150 million people out a population of 1.2 billion go online, according to the IRIS-IAMAI study. The study estimates the number of social media users in the country is around 62 million, and that it may increase up to 80 million by time of national elections, which have to happen by May 2014.

Indian political parties have started wising up to the power of online campaigning. Ahead of state elections in Uttar Pradesh last year, for instance, parties including the winning Samajwadi Party, Congress and the Bharatiya Janata Party turned to social media ranging from Facebook to YouTube as well as to blogs and smartphone apps to promote their candidates and their agenda.

For more details visit https://cis-india.org/news/wall-street-journal-april-15-2013-r-jai-krishna-vote-will-social-media-impact-the-election

Vodafone Report Explains Government Access to Customer Data

joe — 2014-06-19T10:38:01Z

Vodafone Group PLC, the world’s second largest mobile carrier, released a report on Friday, June 6 2014 disclosing to what extent governments can request their customers’ data.

The Law Enforcement Disclosure Report, a section of a larger annual Sustainability Report began by asserting that Vodafone "customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws."

However, the report continues, Vodafone is incapable of fully protecting its customers right to privacy, because it is bound by the laws in the various countries in which it operates. "If we do not comply with a lawful demand for assistance, governments can remove our license to operate, preventing us from providing services to our customers," The report goes into detail about the laws in each of the 29 nations where the company operates.

Vodafone’s report is one of the first published by a multinational service provider. Compiling such a report was especially difficult, according to the report, for a few reasons. Because no comparable report had been published before, Vodafone had to figure out for themselves, the “complex task” of what information they could legally publish in each country. This difficulty was compounded by the fact that Vodafone operates physical infrastructure and thus sets up a business in each of the countries where it provides services. This means that Vodafone is subject to the laws and operating licenses of each nation where it operates, unlike as a search engine such as Google, which can provide services across international borders but still be subject to United States law – where it is incorporated.

The report is an important step forward for consumer privacy. First, the Report shows that the company is aware of the conflict of interest between government authorities and its customers, and the pivotal position that the company can play in honoring the privacy of its users by providing information regarding the same in all cases where it legally can. Additionally, providing the user insight into challenges that the company faces when addressing and responding to law enforcement requests, the Report provides a brief overview of the legal qualifications that must be met in each country to access customer data. Also, Vodafone’s report has encouraged other telecom companies to disclose similar information to the public. For instance, Deutsche Telekom AG, a large European and American telecommunications company, said Vodafone’s report had led it consider releasing a report of it’s own.

Direct Government Access

The report revealed that six countries had constructed secret wires or “pipes” which allowed them access to customers’ private data. This means that the governments of these six countries have immediate access to Vodafone’s network without any due process, oversight, or accountability for these opaque practices. Essentially, the report reveals, in order to operate in one of these jurisdictions, a communications company must ensure that authorities have, real time and direct access to all personal customer data at any time, without any specific justification. The report does not name these six nations for legal reasons.

"These pipes exist, the direct access model exists,” Vodafone's group privacy officer, Stephen Deadman, told the Guardian. “We are making a call to end direct access as a means of government agencies obtaining people's communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used."

Data Organization

Vodafone’s Report lists the aggregate number of content requests they received in each country where it operates, and groups these requests into two major categories. The first is Lawful Interceptions, which is when the government directly listens in or reads the content of a communication. In the past, this type of action has been called wiretapping, but now includes reading the content of text messages, emails, and other communications.

The second data point Vodafone provides for each country is the number of Communications Data requests they receive from each country. These are requests for the metadata associated with customer communications, such as the numbers they have been texting and the time stamps on all of their texts and calls.

It is worth noting that all of the numbers Vodafone reports are warrant statistics rather than target statistics. Vodafone, according to the report, has chosen to include the number of times a government sent a request to Vodafone to "intrude into the private affairs of its citizens, not the extent to which those warranted activities then range across an ever-expanding multiplicity of devices, accounts and apps."

Data Construction

However, in many cases, laws in the various companies in which Vodafone operates prohibit Vodafone from publishing all or part of the aforementioned data. In fact, this is the rule rather than the exception. The majority of countries, including India, prohibit Vodafone from releasing the number of data requests they receive. Other countries publish the numbers themselves, so Vodafone has chosen not to reprint their statistics either. This is because Vodafone wants to encourage governments to take responsibility for informing their citizens of the statistics themselves.

The report also makes note of the process Vodafone went through to determine the legality of publishing these statistics. It was not always straightforward. For example, in Germany, when Vodafone’s legal team went to examine the legislation governing whether or not they could publish statistics on government data requests, they concluded that the laws were unclear, and asked German authorities for advice on how to proceed. They were informed that publishing any such statistics would be illegal, so they did not include any German numbers in their report. However, since that time, other local carriers have released similar statistics, and thus the situation remains unresolved.

Other companies have also recently released reports. Twitter, a microblogging website, Facebook, a social networking website, and Google a search engine with social network capabilities have all released comparable reports, but their reports differ from Vodafone’s in a number of ways. While Twitter, Google, and Facebook all specified the percent of requests granted, Vodafone released no similar statistics. However, Vodafone prepared discussions of the various legal constraints that each country imposed on telecom companies, giving readers an understanding of what was required in each country for authorities to access their data, a component that was left out of other recent reports. Once again, Vodafone’s report differed from those of Google Facebook and Twitter because while Vodafone opens businesses in each of the countries where it operates and is subject to their laws, Google, Facebook, and Twitter are all Internet companies and so are only governed by United States law.

Google disclosed that it received 27,427 requests over a six-month period ending in December, 2013, and also noted that the number of requests has increased consistently each six-month period since data began being compiled in 2009, when fewer than half as many requests were being made. On the other hand Google said that the percentage of requests it complied with (64% over the most recent period) had declined significantly since 2010, when it complied with 76% of requests.

Google went into less detail when explaining the process non-American authorities had to go through to access data, but did note that a Mutual Legal Assistance Treaty was the primary way governments outside of the United States could force the release of user data. Such a treaty is an agreement between the United States and another government to help each other with legal proceedings. However, the report indicated that Google might disclose user information in situations when they were not legally compelled to, and did not go into detail about how or when it did that. Thus, given the difficulty of obtaining a Mutual Legal Assistance Treaty in addition to local warrants or subpoenas, it seems likely that Google complies with many more non-American data requests than it was legally forced to.

Facebook has only released two such reports so far, for the two six month periods in 2013, but they too indicated an increasing number of requests, from roughly 26,000 to 28,147. Facebook plans to continue issuing reports every six months.

Twitter has also seen an increase of 22% in government requests between this and the previous reporting period, six months ago. Twitter attributes this increase in requests to an increase in users internationally, and it does seem that the website has a similarly growing user base, according to charts released by Twitter. It is worth noting that while large nations such as the United States and India are responsible for the majority of government requests, smaller nations such as Bulgaria and Ecuador also order telecom and Internet companies to turn over data.

Vodaphone’s Statistics

Though Vodafone’s report didn’t print statistics for the majority of the countries the report covered, looking at the few numbers they did publish can shed some light on the behavior of governments in countries where publishing such statistics is illegal. For the countries where Vodafone does release data, the numbers of government requests for Vodafone data were much higher than for Google data. For instance, Italy requested Vodafone data 605,601 times, while requesting Google data only 896 times. This suggests that other countries such as India could be looking at many more customers’ data through telecom companies like Vodafone than Internet companies like Google.

Vodafone stressed that they were not the only telecom company that was being forced to share customers’ data, sometimes without warrants. In fact, such access was the norm in countries where authorities demanded it.

India and the Reports

India is one of the most proliferate requesters of data, second only to the United States in number of requests for data from Facebook and fourth after the United States, France and Germany in number of requests for data from Google. In the most recent six-month period, India requested data from Google 2,513 times, Facebook 3,598 times, and Twitter 19 times. The percentage of requests granted varies widely from country. For example, while Facebook complies with 79% of United States authorities’ requests, it only grants 50% of India’s requests. Google responds to 83% of US requests but only 66% of India’s.

Facebook also provides data on the number of content restrictions each country requests. A content restriction request is where an authority asks Facebook to take down a particular status, photo, video, or other web content and no longer display it on their site. India, with 4,765 requests, is the country that most often asks Facebook to remove content.

While Vodafone’s report publishes no statistics on Indian data requests, because such disclosure would be illegal, it does discuss the legal considerations they are faced with. In India, the report explains, several laws govern Internet communications. The Information Technology Act (ITA) of 2000 is the parent legislation governing information technology in India. The ITA allows certain members of Indian national or state governments order an interception of a phone call or other communication in real time, for a number of reasons. According to the report, an interception can be ordered “if the official in question believes that it is necessary to do so in the: (a) interest of sovereignty and integrity of India; (b) the security of the State; (c) friendly relations with foreign states; (d) public order; or (e) the prevention of incitement of offences.” In short, it is fairly easy for a high-ranking official to order a wiretapping in India.

The report goes on to detail Indian authorities’ abilities to request other customer data beyond a lawful interception. The Code of Criminal Procedure allows a court or police officer to ask Vodafone and other telecom companies to produce “any document or other thing” that the officer believes is necessary for any investigation. The ITA extends this ability to any information stored in any computer, and requires service providers to extend their full assistance to the government. Thus, it is not only legally simple to order a wiretapping in India; it is also very easy for authorities to obtain customer web or communication data at any time.

It is clear that Indian laws governing communication have very little protections in place for consumer privacy. However, many in India hope to change this reality. The Group of Experts chaired by Justice AP Shah, the Department of Personnel and Training, along with other concerned groups have been working towards the drafting of a privacy legislation for India. According to the Report of the Group of Experts on Privacy, the legislation would fix the 50 or so privacy laws in India that are outdated and unable to protect citizen’s privacy when they use modern technology.

On the other hand, the Indian government is moving forward with a number of plans to further infringe the privacy of civilians. For example, the Central Monitoring System, a clandestine electronic surveillance program, gives India’s security agencies and income tax officials direct access to communications data in the country. The program began in 2007 and was announced publicly in 2009 to little fanfare and muted public debate. The system became operational in 2013.

Conclusion

Vodafone’s report indicates that it is concerned about protecting its customer’s privacy, and Vodafone’s disclosure report is an important step forward for consumer web and communication privacy. The report stresses that company practice and government policy need to come together to protect citizen’s privacy and –businesses cannot do it alone. However, the report reveals what companies can do to effect privacy reform. By challenging authorities abilities to access customer data, as well as publishing information about these powers, they bring the issue to the government’s attention and open it up to public debate. Through Vodafone’s report, the public can see why their governments are making surveillance decisions. Yet, in India, there is still little adoption of transparent business practices such as these. Perhaps if more companies were transparent about the level of government surveillance their customers were being subjected to, their practices and policies for responding to requests from law enforcement, and the laws and regulations that they are subject to - the public would press the government for stronger privacy safeguards and protections.

For more details visit https://cis-india.org/internet-governance/blog/vodafone-report-explains-govt-access-to-customer-data

Virtual Aadhaar ID: too little, too late?

Admin — 2018-01-16T23:59:21Z

Problems persist as many have already shared their 12-digit number with various entities, say experts

The article by Yuthika Bhargava was published in the Hindu on January 11, 2018

The move to introduce an “untested” virtual ID to address security concerns over Aadhaar database is a step in the right direction, but may be a case of too little, too late, according to experts, as many of the 119 crore Aadhaar holders have already shared their 12-digit numbers with various entities.

“What about all the databases that are already linked up with our Aadhaar number? Virtual ID will therefore not attack the root of the problem. At best, it is band-aid,” said Reetika Khera, faculty, Indian Institute of Technology-Delhi.

“Can we realistically expect rural folks to use this to protect themselves? Or are we pushing the barely literate into the hands of middlemen who will ‘help’ them navigate it?” she questioned.

The Unique Identification Authority of India (UIDAI) on Wednesday introduced the concept of a virtual ID that can be used in lieu of the Aadhaar number at the time of authentication, thus eliminating the need to share and store Aadhaar numbers. It can be generated only by the Aadhaar number-holder via the UIDAI website, Aadhaar enrolment centre, or its mobile application.

Experts pointed out that the virtual ID is voluntary and the Aadhaar number will still need to be used at some places.

“Unless all entities are required to use virtual IDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won’t really help,” said Pranesh Prakash, Policy Director, Centre for Internet and Society, Bengaluru.

Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, agreed. “The idea is good but it should have been done in 2010, as now all the data is already out. Now, what can be done is revoke everybody’s Aadhaar and give new IDs.”

Mr. Jonnalagadda added that Authentication User Agencies (AUAs) categorised as ‘global AUAs’ by the UIDAI will be exempted from using the virtual IDs. “These are likely to be entities which require de-duplication for subsidy transfer, such as banks and government agencies. All the leaks have happened till now from these entities. So, basically, the move will exempt the parties that are the problem,” he said.

Vipin Nair, one of the advocates representing the petitioners who have challenged the Aadhaar Act in the Supreme Court said, “It is potentially a case of unmitigated chaos purely from an Information Technology perspective.”

For more details visit https://cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late

Violence call key to 'sedition'

praskrishna — 2016-02-28T03:06:47Z

Words, whether spoken or shouted, that question or even malign the government cannot be labelled as sedition, unless they specifically incite violence, lawyers and human rights experts familiar with fundamental rights and sedition laws have said.

The article was published in the Telegraph on February 18, 2016

The experts say courts hearing allegations of sedition would be expected to analyse the context and intent to determine whether actions claimed by the prosecution as sedition fit its definition under the Indian Penal Code#(IPC) and various Supreme Court rulings.

Under Section 124A of the IPC, "whoever by words.... or by signs or visible representation or otherwise brings or attempts to bring into hatred, contempt or excites or attempts to excite disaffection towards the government established by law in India" may be punished. The section defines disaffection as "disloyalty and all feelings of enmity", but clarifies that comments that express even strong disapproval of government actions through lawful means without exciting or attempting to excite hatred, contempt, or disaffection are not an offence.

"It is not the actions alone that count, they have to be seen along with the mental ingredients behind those actions - it is the motive that determines the character of the actions," N.R. Madhava Menon, honorary professor at Bangalore's National Law School, told The Telegraph.

"The court would be expected to examine the facts and the evidence presented," he said. "It would ask questions such as, is there evidence for a conspiracy, who was behind the actions, was it an organised event, was it intended to subvert a legally established government?"

Experts say Supreme Court rulings over the decades have narrowed the scope of the sedition law. In a 1995 judgment, the court held that casual raising of slogans by individuals cannot be held as exciting or attempting to excite hatred or disaffection towards the government.

The court has ruled that only speeches intended to create disorder or disturbance or call for resorting to violence could be punishable under the section, said Ravi Nair, executive director of the South Asia Human Rights Documentation Centre, New Delhi.

In a 1962 judgment, the Supreme Court had limited the scope of Section 124A to incitement to violence or fostering public disorder, Gautam Bhatia, a Delhi-based lawyer and author of Offend, Shock, or Disturb, a book on free speech under the Indian Constitution has pointed out.

In a report for the non-government Centre for Internet and Society, Bhatia said other Supreme Court rulings had clarified#that that there needed to be a "direct and imminent degree of proximity" between the speech and expression and the breach of public order, and that the relation between the two should be like a "spark in a powder keg".

"Something the court has clearly rejected is the argument that it is permissible to criminalise speech and expression simply because its content might lower the authority of the government in the eyes of the public which, in turn, could foster a disrespect for law and the state, and lead to breaches of public order," Bhatia wrote.Human rights analysts point out historical episodes in other countries where citizens have expressed intense opposition to government actions, without having charges of sedition filed against them.

"The protests in the US against the Vietnam War during the late 1960s and protests in the UK against the Falkland War in 1982 or more recently British involvement in the Gulf war are examples," Nair said. "Supreme Court rulings in India have narrowed the scope of the section on sedition to cover only actions that actually call for violence."

Nair said sedition should be seen as an anachronism in any mature democracy. India's sedition law was written during British rule, but the UK abolished its own sedition and seditious libel law in 2009.

For more details visit https://cis-india.org/internet-governance/news/the-telegraph-february-18-2016-violence-call-key-to-sedition