We are anonymous, we are legion

India Trilateral Forum

Admin — 2018-04-10T15:09:21Z

Sunil Abraham was a panelist in the session "The Promise and Peril of Technology" at the 14th edition of India Trilateral Forum organized by the German Marshall Fund of the United States, Observer Research Foundation and Ministry of Foreign Affairs, Government of Sweden in Goa from March 22 - 23, 2018.

The Promise and Peril of Technology

The emergence of new technologies create possibilities for change, yet also carry risks of the emergence of “soft wars,” privacy issues, ethical challenges, among others. With global military spending on the rise, we may now be on the cusp of a series of new technological innovations that will fundamentally change the way we conduct warfare. The rise of low-cost real-time satellite surveillance has the potential for privacy violation, intrusive controls, and hacking. Many credit the digital revolution with creating new possibilities for democratic engagement, because information technology has made institutions like mass media less hierarchical. There are hidden costs to the digital revolution and the transformative technologies, which needs to be carefully understood. The panel discussed the deeper layers of opportunities and risks associated with transformative technologies on war and peace and discuss whether the U.S., India, and Europe are falling behind China in this crucial area.

For more details visit https://cis-india.org/internet-governance/news/india-trilateral-forum

India tops list of content restrictions requests, says Facebook

praskrishna — 2015-04-03T17:01:53Z

India has again topped the list of content restriction requests in the second half of 2014 with over 5,800 requests recorded in Facebook's Government Requests Report released on Sunday.

The article by Neha Alawadhi was published in the Economic Times on March 17, 2015. Pranesh Prakash gave his inputs.

"Overall, we continue to see an increase in government requests for data and content restrictions. The amount of content restricted for violating local law increased by 11% over the previous half, to 9,707 pieces of content restricted, up from 8,774," said Monika Bickert, Facebook's head of global policy management, and Chris Sonderby, deputy general counsel, in a statement on the social networking website.

Facebook saw a rise in content restriction requests from countries like Turkey and Russia, while requests from countries like Pakistan came down. The number of content restriction requests from Pakistan came down to 54 in the second half of 2014 from 1,773 in the first half. The number of content restriction requests from India rose to 5,832 from 4,960 in the first half.

India has been the top requestor for content restrictions in the past one and a half years, and the number of these requests and for user account data from the country have consistently been on the rise.

Facebook said that while the number of government requests for user account data remained relatively flat in the six-month period, there was an increase in data requests from "governments such as India, and decline in requests from countries such as the United States and Germany".

India made 5,473 requests for user account data in the six months ending December 2014, second only to the United States, which made 14,274 requests in the same period. About 45% of the requests made by India led to Facebook producing some data, according to the report, while 79% of the requests made by the US were complied with.

"Of course, the figures are alarming... But it would have been better if Facebook had also given us more information on the kind of data that was being asked for. Now we only have consolidated figures. So what kind of data was asked for, that would have been more useful," said counsel for the Software Freedom Law Centre.

India is the second largest market for Facebook, with 112 million users until last year, second only to the United States. According to Pranesh Prakash, policy director at the Centre for Internet and Society, "the number of content restriction requests are not only high on an absolute number, but even on a per-user basis".

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-17-2015-neha-alawadhi-india-tops-list-of-content-restrictions-requests-says-facebook

India Today Conclave Next 2017: Aadhaar was rushed, says MP Rajeev Chandrashekhar

praskrishna — 2017-11-26T06:41:07Z

Talking at the ongoing India Today Conclave Next 2017, MP Rajeev Chandrashekhar said that Aadhaar was rushed and foisted on the country by authorities that fail to first create a proper ecosystem. Chandrashekhar gave his comments at a keynote titled Privacy -- The Fundamental Right for the Digital Citizen.

The article by Priya Pathak was published by India Today on November 8, 2017.

Chandrashekhar, who has been vocal on the issues like data protection, privacy and net neutrality, said that the government should have created a proper ecosystem for Aadhaar by bringing norms and laws around data protection and privacy before asking people to sign up for the unique ID.

The MP talked about India's journey from being a largest unconnected world to becoming the largest connected world. But Chandrashekhar criticised the "flawed" Aadhaar and said that it was a classic example of how a government system would push for technology in governance without addressing key bits of the ecosystem around the citizen and the consumer.

"If that (Aadhaar) wasn't enough, the IT act and section 66A and its language and its vagueness and its potential for misuse was another example of the faults of a bureaucracy or a political system trying to legislate or create solutions in the digital world, " he said.

At the same time, he lauded the recent Supreme Court order that held all Indians had fundamental right to privacy. "The latest finding of Supreme Court of Privacy as fundamental right is a big deal and it will alter number of things going forward," he said. He added that there should be more debate and discussion on data privacy as there is an attempt to characterise data privacy as some of kind of elitist issue in India which it's not.

Privacy, especially for the digital world, currently is one of the most debated topics in India. The country in the past few years has seen a number of instances where a government or a private entity has knowingly or unknowingly compromised the data of its users. Recently a study published by Centre for Internet and Society, a Bengaluru-based organisation, revealed that private data of more 130 million Aadhaar card holders were leaked from four government websites.

The Supreme Court in August this year declared privacy as a fundamental right. A nine-judge Constitution bench headed by Chief Justice J S Khehar has declared that "right to privacy is an intrinsic part of Right to Life and Personal Liberty under Article 21 and entire Part III of the Constitution".

The move has been praised by many including Rajeev Chadrashekhar who has said that it is a big welcome step. "It is clear that Aadhaar and all other legislations existing and proposed will have to meet the test of privacy being a fundamental right," he recently said.

For more details visit https://cis-india.org/internet-governance/news/india-today-priya-pathak-november-8-2017-india-today-conclave-next-2017-aadhaar-was-rushed-says-mp-rajeev-chandrashekhar

India To Let Private Companies Access Citizens’ Biometric Data

praskrishna — 2017-02-27T15:09:16Z

India, home to the world’s largest national biometric registry, plans to begin sharing citizens’ data with the country’s private companies and startups.

The blog post by Joshua Kopstein was published by Vocativ on February 21, 2017. Sunil Abraham was quoted.

The government-backed program, called “India Stack,” will allow the second most populous country on Earth to share nearly all of its 1.3 billion citizens’ fingerprints, iris scans, and more, potentially creating unprecedented security and privacy risks in the name of convenience and digital commerce.

India Stack will open up the country’s troves of biometric data to Indian software developers, health care providers, and any other business interested in using the government’s identification records in their apps and services. The Indian government hopes the move will spur innovation, jumpstarting its effort to create a centralized system of digital commerce where citizens can purchase goods, apply for health insurance, or even qualify for a loan using the biometric sensors on their smartphones.

Opponents, however, warn that the sharing scheme opens a Pandora’s box of security and privacy problems, dramatically increasing the likelihood of data breaches and abuse.

“It’s the worst time for privacy policy in the country,” Sunil Abraham, the executive director of the Bangalore-based Centre for Internet and Society, told the Wall Street Journal. “We are very caught up in technological exuberance. Techno-utopians are ruling the roost.”

The dangers aren’t just hypothetical. In 2015, an unprecedented breach at the U.S. Office of Personnel Management allowed hackers to steal the fingerprints of 5.6 million federal employees. Researchers have found that stolen fingerprints can be used to commit fraud and identity theft, and even replicated and used to unlock smartphones and other personal devices. Worst of all, unlike passwords and social security numbers, biometric identifiers like fingerprints can never be changed, meaning that any breach is virtually guaranteed to have long-term consequences.

The India Stack program is the latest in several recent schemes to push the country toward a fully-digitized and cashless economy. As of December 2016, the Unique Identification Authority of India had registered more than 91% of the population into a centralized system called Aadhaar, which integrates with banks and allows citizens to complete transactions and access government services using their fingerprints. The country has also temporarily withdrawn its higher-denomination bank notes from circulation in an effort to bolster digital payment systems.

“While the efforts of the government are commendable, the efficacy of these programs in the absence of sufficient infrastructure for security raises various concerns,” the Centre For Internet and Society wrote in a paper outlining the privacy risks of India’s digital identity system. “Increased awareness among citizens and stronger security measures by the governments are necessary to combat the cogent threats to data privacy arising out of the increasing rate of cyberattacks.”

India’s program has already gone far beyond other countries’ biometric data collection schemes, which have mostly been limited to passports and border control. But law enforcement officials’ smaller, more piecemeal efforts to collect biometric information have also raised alarm over their potential for abuse. Thanks to the cooperation of 16 state DMVs, one in two Americans currently has their photo registered to a law enforcement face recognition database – regardless of whether they’ve been charged or even suspected of a crime. Local police in several U.S. states have also begun collecting iris scans and DNA swabs from people randomly stopped on the street, in some cases specifically targeting African American children.

For more details visit https://cis-india.org/internet-governance/news/vocativ-joshua-kopstein-india-private-companies-citizens-biometric-data

India To Introduce Virtual ID For Aadhaar To Strengthen Privacy

Admin — 2018-01-17T00:11:13Z

The government will introduce a virtual identification number for Aadhaar to help strengthen privacy following several instances of data leaks.

The blog post was published by Bloomberg Quint on January 11, 2018.

The additional layer of security is meant to help Aadhaar users avoid sharing their unique identification number at the time of authentication to avail various services and welfare schemes, UIDAI said in a circular seen by BloombergQuint. The virtual ID will be an optional feature and users will be allowed to provide Aadhaar for verification.

The Aadhaar-issuing body, Unique Identification Authority of India, will also introduce limited know-your-customer rules to eliminate the need for agencies to store the biometric ID. Migration to the new system will start from June 1, it added.

Virtual IDs should be made mandatory and the UIDAI should itself generate these codes instead of having the user do it, said Pranesh Prakash, policy director at the Center for Internet Security, which has published reports on the security flaws in the world’s largest database.

This takes into account concerns of third-party databases being combined without the consent of the individual but fails to address issues of government surveillance, exclusion and cybersecurity, he added.

The move comes barely a week after The Tribune, a Chandigarh-based newspaper, reported that it could access the Aadhaar database by paying Rs 500, raising privacy concerns. Petitions challenging the validity of Aadhaar and the government’s decision to make it mandatory for everything from bank accounts to mobile services are pending in the Supreme Court.

As of now, citizens are required to share their Aadhaar number for authentication to avail certain services. With the introduction of the virtual ID that would change.

It would be a randomly generated 16-digit number that'd be digitally linked to a person's Aadhaar number. This ID would be temporary and revocable. There can be only one active and valid virtual ID for an Aadhaar number at any given point in time. Aadhaar holders will be able to use the virtual ID whenever authentication is required.

Virtual ID, by design being temporary, cannot be used by agencies for duplication.
UIDAI Circular

Only Aadhaar holders themselves can generate a virtual ID and set a minimum validity period for that after which it will have to be replaced by a new one. The virtual IDs can be changed through UIDAI's portal, at an Aadhaar enrolment centre or using the mAadhaar mobile application, the circular said.

Who Can Store Your Aadhaar Data?

The UIDAI will limit the number of agencies that can access and store your Aadhaar number. For this purpose, it will divide the agencies that seek to use Aadhaar authentication for services into two categories—global and local.

Global authentication agencies will be allowed to "securely" store the Aadhaar number, while local agencies won't. The latter would be the ones that’d use the virtual IDs and a unique token for authentication.

The Aadhaar-issuing body has not clearly defined what would classify as a global agency. It has only said that it will "from time to time" evaluate authentication agencies "based on the laws governing them and categorise them" as global agencies. Any authentication agency that is not classified as global would be local.

Transition To New System

UIDAI has told all agencies that use Aadhaar authentication to update their applications and processes for accepting virtual IDs instead of the Aadhaar number and allow authentication using the UID token. This has to be done by June 1.

If an agency fails to migrate to the new system by then, their authentication services "may be discontinued" and a penalty may be imposed, UIDAI said.

UIDAI will release the updated tools and protocols required for building the authentication software by March 1. All authentication agencies would also receive technical documents, workshops and training session to ensure smooth implementation.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy

India threatens action against Twitter for ethnic violence 'rumors'

praskrishna — 2012-08-27T02:52:55Z

India threatened to take action on Thursday against Twitter over content alleged to have inflamed ethnic tensions, as leaked documents revealed the government scrambling to censor online material.

Published in the China Post on August 24, 2012. CIS is quoted.

More than 309 orders have been issued demanding the removal of posts, images and links on websites including Facebook and Twitter as well as Australian news channel ABC, broadcaster Al-Jazeera and London's The Daily Telegraph newspaper.

The government has blamed Internet sites for spreading rumors that Muslims would attack students and workers who have migrated from the northeast to live in Bangalore and other southern cities.

Tens of thousands of people fled back to India's remote northeast region last week, fearing an outbreak of violence.

The government has demanded that Twitter and other social network sites remove “inflammatory and harmful” material. It has also banned bulk text messages.

“If Twitter fails to respond to our request, we will take appropriate action,” senior home ministry official R.K. Singh said in the Times of India newspaper. “We have asked the information technology ministry to serve them a notice.”

The paper added that the government had set a deadline of Thursday for Twitter to respond.

The Bangalore-based Centre for Internet and Society (CIS) research group published analysis of the blocking orders sent by the Department of Telecommunications to domestic Internet services providers from August 18-21.

The CIS said that of the 309 separate items that the government ordered the providers to be blocked, the most affected sites were Facebook, YouTube, Twitter and Blogspot.

Content on websites for ABC, Al-Jazeera, The Times of India, The Daily Telegraph and online Catholic portal www.catholic.org were also targeted by the orders, though details of the contentious material are not known.

Twitter representatives were not available to comment, but both Facebook and Google this week said they were in communication with Indian authorities and already had policies banning content that incited violence.

The government has complained it was not receiving timely cooperation from social network groups over its attempts to ban “hateful” content.

On Thursday it said Twitter had agreed to remove six fake accounts pretending to be postings by Indian Prime Minister Manmohan Singh.

“Officials at Twitter have told us they are reviewing our request ... and they intend to cooperate,” Pankaj Pachauri, the premier's spokesman, told AFP.

For more details visit https://cis-india.org/news/www-china-post-aug-24-2012-india-threatens-action-against-twitter-for-ethnic-violence-rumors

India takes its first serious step toward privacy regulation – but it may be misguided

praskrishna — 2013-04-15T06:39:05Z

The world’s second-most populous nation may be on the cusp of embracing privacy legislation. After several false starts the Indian government appears ready to accept the need for some form of regulation.

This blog post by Simon Davies was published in the Privacy Surgeon on April 9, 2013. The Centre for Internet and Society recently published a draft Citizens privacy bill which is mentioned in this post.

Well, maybe this is a slightly optimistic view. A more accurate portrayal might be “the Indian government appears ready to accept the principle of some form of regulation”.

There is actually no agreed policy position across government on the question of privacy and data protection, but the Planning Commission last year established an Expert Group under the chairmanship of the former Chief Justice of the Delhi High Court, A.P.Shah. Justice Shah’s subsequent report is being considered and a draft Bill has been created.

Shah’s report provided a convincing body of evidence – both at the domestic and the international level – for the creation of national regulation.

It called for the formation of a regulatory framework and set out nine principles that could form a foundation for the next stage. These principles – reflecting the basis of law in other countries – have been generally accepted by Indian stakeholders as a sound frame of reference for progress.

However although the nine principles are supported, the precise nature of any possible regulation is still very much in flux.

There’s a long way to go before consensus is established on a overall type of regulatory framework. Having said that, India is closer than ever to seeing real legislation – and the international community needs to put its weight behind the activity.

Debate over the merits of data protection and privacy law stretch back beyond a decade but reform was constantly hampered by perceptions that regulation would stifle economic growth.

Some industry lobbies have been as keen as government to ensure that privacy proposals are stillborn.

Even with the nine principles as a bedrock the path to privacy law must overcome two extremely difficult hurdles.

The first of these is that a substantial number of Indian opinion leaders continue to express an instinctive view that there is no cultural history for respect of privacy in India. That is, people don’t want or expect privacy protection and Western notions of privacy are alien to Indian society.

In support of this assertion these critics often cite an analogy about conversation on Indian trains. It is well known that many Indians will disclose their life story to strangers on the Indian rail network, discussing their personal affairs with people they have never before met. This trait is construed as evidence that Indians do not value their privacy.

I spoke last week at an important meeting in New Delhi where this exact point was repeatedly made. The meeting, organised by the Data Security Council of India and ICOMP India was well attended by industry, government, academics and NGOs. Speakers made constant reference to the matter of public disclosure of personal information.

In response, noted commentator Vickram Crishna expressed the view that the train anecdote had no relevance and was a convenient ruse for people who for their own self interest opposed privacy regulation.

“In reality this circumstance is like Vegas”, he said. “What happens on Indian trains, stays on Indian trains. People will talk about their lives because they will never see these passengers again and there is no record of the disclosures.”

“What we are dealing with in the online world is a completely different matter. There is no correlation between the two environments”.

A substantial opinion poll published earlier this year also debunked the myth that Indians don’t care about privacy. Levels of concern expressed by respondents was roughly the same as the level of concern identified in other parts of the world.

A second hurdle facing privacy legislation is the perception - particularly prevalent in the United States – that legislation will be a burden on industry and people do not want yet another cumbersome and costly government structure.

There are perhaps some grounds for considering this perspective, given the vast scale and complexity of India’s economy.

Government intervention does not enjoy a history of consistent success in the marketplace, though in many instances intervention has been the only means to bring industry into compliance with basic safeguards.

I made the point at the meeting that support for a purist model of industry self regulation was simplistic and misguided. Most systems of a similar nature fail unless someone is mandated to ensure compliance, transparency, enforceability and consistency. It’s a question of finding a way to embed accountability in industry self regulation – and this is where legislation and government could help.

Justice Shah’s report reflected this widespread concern by recommending a co-regulatory framework in which a privacy commissioner would oversee industry self regulation. However – as last week’s meeting exemplified – even this compromise solution is not acceptable to many industry players. They oppose the idea of an appointed commissioner and believe that industry self regulation alone will be sufficient.

This is an influential view that cannot be brushed aside. However in a special programme aired on19th April on India’s main parliamentary television network – RSTV – I repeatedly make the point that such a view, if successful, would put Indian industry in danger of winning the battle but losing the war. Europe is unlikely to accept a model of sole industry regulation, and the crucial flow of data between the two regions could be imperiled.

Conscious of all these challenges the influential NGO Centre for Internet and Society has published a draft Citizens privacy bill and has commenced a series of consultation meetings across the country. These initiatives will provide important input for the emerging legislation.

This is an important moment for privacy in India, and one that will require careful thought and sensitive implementation. However no-one in India should be in any doubt that the current unregulated situation is unsustainable in a global environment where nations are expected to protect both their citizens and the safety of data on their systems.

For more details visit https://cis-india.org/news/privacy-surgeon-simon-davies-april-9-2013-india-takes-its-first-serious-step-toward-privacy-regulation

India Subject to NSA Dragnet Surveillance! No Longer a Hypothesis — It is Now Officially Confirmed

maria — 2013-11-06T10:20:46Z

As of last week, it is officially confirmed that the metadata of everyone´s communications is under the NSA´s microscope. In fact, the leaked data shows that India is one of the countries which is under NSA surveillance the most!

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC. This blog was cross-posted in Medianama on 24th June 2013.

¨Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”, the democratic senator, Ron Wyden, asked James Clapper, the director of national intelligence a few months ago. “No sir”, replied Clapper.

True, the National Security Agency (NSA) does not collect data on millions of Americans. Instead, it collects data on billions of Americans, Indians, Egyptians, Iranians, Pakistanis and others all around the world.

Leaked NSA surveillance

Verizon Court Order

Recently, the Guardian released a top secret order of the secret Foreign Intelligence Surveillance Court (FISA) requiring Verizon on an “ongoing, daily basis” to hand over information to the NSA on all telephone calls in its systems, both within the US and between the US and other countries. Verizon is one of America's largest telecoms providers and under a top secret court order issued on 25 April 2013, the communications records of millions of US citizens are being collected indiscriminately and in bulk supposedly until 19 July 2013. In other words, data collection has nothing to do with whether an individual has been involved in a criminal or terrorist activity or not. Literally everyone is potentially subject to the same type of surveillance.

USA Today reported in 2006 that the NSA had been secretly collecting the phone call records of millions of Americans from various telecom providers. However, the April 25 top secret order is proof that the Obama administration is continuing the data mining programme begun by the Bush administration in the aftermath of the 09/11 terrorist attacks. While content data may not be collected, this dragnet surveillance includes metadata such as the numbers of both parties on a call, location data, call duration, unique identifiers, the International Mobile Subscriber Identity (IMSI) number and the time and duration of all calls.

Content data may not be collected, but metadata can also be adequate to discover an individual's network of associations and communications patterns. Privacy and human rights concerns rise from the fact that the collection of metadata can result in a highly invasive form of surveillance of citizens´ communications and lives. Metadata records can enable the US government to know the identity of every person with whom an individual communicates electronically, as well as the time, duration and location of the communication. In other words, metadata is aggregate data and it is enough to spy on citizens and to potentially violate their right to privacy and other human rights.

PRISM

Recently, a secret NSA surveillance programme, code-named PRISM, was leaked by The Washington Post. Apparently, not only is the NSA gaining access to the meta data of all phone calls through the Verizon court order, but it is also tapping directly into the servers of nine leading Internet companies: Microsoft, Skype, Google, Facebook, YouTube, Yahoo, PalTalk, AOL and Apple. However, following these allegations, Google, Microsoft and Facebook recently asked the U.S. government to allow them to disclose the security requests they receive for handing over user data. It remains unclear to what extent the U.S. government is tapping into these servers.

Yet it appears that the PRISM online surveillance programme enables the NSA to extract personal material, such as audio and video chats, photographs, emails and documents. The Guardian reported that PRISM appears to allow GCHQ, Britain's equivalent of the NSA, to secretly gather intelligence from the same internet companies. Following allegations that GCHQ tried to circumvent UK law by using the PRISM computer network in the US, the British foreign secretary, William Hague, stated that it is “fanciful nonsense” to suggest that GCHQ would work with an agency in another country to circumvent the law. Most notably, William Hague emphasized that reports that GCHQ are gathering intelligence from photos and online sites should not concern people who have nothing to hide! However, this implies that everyone is guilty until proven innocent...when actually, democracy mandates the opposite.

James R. Clapper, the US Director of National Intelligence, stated:

“Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”

So essentially, Clapper stated that in the name of US national security, the personal data of billions of citizens around the world is being collected. By having access to data stored in the servers of some of the biggest Internet companies in the world, the NSA ultimately has access to the private data of almost all the Internet users in the world.

Boundless Informant

And once the NSA has access to tons of data through the Verizon court order and the PRISM surveillance programme, how does it create patterns of intelligence and generally mine huge volumes of data?

The Guardian released top secret documents about the NSA data mining tool, called Boundless Informant; this tool is used to detail and map by country the volumes of information collected from telephone and computer networks. The focus of the Boundless Informant is to count and categorise the records of communication, known as metadata, and to record and analyse where its intelligence comes from. One of the leaked documents states that the tool is designed to give NSA officials answers to questions like: “What type of coverage do we have on country X”. According to the Boundless Informant documents, the NSA has been collecting 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. During the same month, 97 billion pieces of intelligence from computer networks were collected worldwide.

The following “global heat map” reveals how much data is being collected by the NSA from around the world:

The colour scheme of the above map ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). India is notably orange and is thus subject to some of the highest levels of surveillance by the NSA in the world.

During a mere 30-day period, the largest amount of intelligence was gathered from Iran with more than 14 billion reports, while Pakistan, Jordan and Egypt were next in line in terms of intelligence gathering. Unfortunately, India ranks 5th worldwide in terms of intelligence gathering by the NSA. According to the map above, 6.3 billion pieces of intelligence were collected from India by the NSA from February to March 2013. In other words, India is currently one of the top countries worldwide which is under the US microscope, with 15% of all information being tapped by the NSA coming from India during February-March 2013.

Edward Snowden is the 29-year-old man behind the NSA leaks...who is responsible for one of the most important leaks in US (and one may argue, global) history.

So what does this all mean for India?

In his keynote speech at the 29th Chaos Communications Congress, Jacob Appelbaum stated that surveillance should be an issue which concerns “everyone´s department”, especially in light of the NSA spying on citizens all over the world. True, the U.S. appears to have a history in spying on civilians, and the Corona, Argon, and Lanyard satellites used by the U.S. for photographic surveillance from the late 1950s is proof of that. But how does all this affect India?

By tapping into the servers of some of the biggest Internet companies in the world, such as Google, Facebook and Microsoft, the NSA does not only gain access to the data of American users, but also to that of Indian users. In fact, the “global heat map” of the controversial Boundless Informant data mining tool clearly shows that India ranked 5th worldwide in terms of intelligence gathering, which means that not only is the NSA spying on Indians, but that it is also spying on India more than most countries in the world. Why is that a problem?

India has no privacy law. India lacks privacy legislation which could safeguard citizens from potential abuse by different types of surveillance. But the worst part is that, even if India did have privacy laws, that would still not prevent the NSA from tapping into Indians´ data through the servers of Internet companies, such as Google. Moreover, the fact that India lacks a Privacy Commissioner means that the country lacks an expert authority who could address data breaches.

Recent reports that the NSA is tapping into these servers ultimately means that the U.S. government has access to the data of Indian internet users. However, it remains unclear how the U.S. government is handling Indian data, which other third parties may have access to it, how long it is being retained for, whether it is being shared with other third parties or to what extent U.S. intelligence agencies can predict the behaviour of Indian internet users through pattern matching and data mining.

Many questions remain vague, but one thing is clear: through the NSA´s total surveillance programme, the U.S. government can potentially control the data of billions of internet users around the world, and with this control arises the possibility of oppression. It´s not just about the U.S. government having access to Indians´ data, because access can lead to control and according to security expert, Bruce Schneier:

“Our data reflects our lives...and those who control our data, control our lives”.

How are Indians supposed to control their data, and thus their lives, when it is being stored in foreign servers and the U.S. has the “right” to tap into that data? The NSA leaks mark a significant point in our history, not only because they are resulting in corporations seeking data request transparency, but also because they are unveiling a major global issue: surveillance is a fact and can no longer can be denied. The massive, indiscriminate collection of Indians´ data, without their prior knowledge or consent, and without the provision of guarantees in regards to how such data is being handled, poses major threats to their right to privacy and other human rights. The potential for abuse is real, especially since the larger the database, the larger the probability for error. Mining more data does not necessarily increase security; on the contrary, it increases the potential for abuse, especially since technology is not infallible and data trails are not always accurate.

What does this mean? Well, probably the best case scenario is that an individual is targeted. The worst case scenario is that an individual is imprisoned (or maybe even murdered - remember the drones?) because his or her data “says” that he or she is guilty. Is that the type of world we want to live in?

What can we do now?

Let´s start from the basics. India needs privacy legislation. India needs privacy legislation now. India needs privacy legislation now, more than ever.

Privacy legislation would regulate the collection, access to, sharing of, retention and disclosure of all personal data within India. Such legislation could also regulate surveillance and the interception of communications, in compliance with the right to privacy and other human rights. A Privacy Commissioner would also be established through privacy legislation, and this expert authority would be responsible for overseeing the enforcement of the Privacy Act and addressing data breaches. But clearly, privacy legislation is not enough. The various privacy laws of European countries have not prevented the NSA from tapping into the servers of some of the biggest Internet companies in the world and from gaining access to the data of millions of citizens around the world. Yet, privacy legislation in India should be a basic prerequisite to ensure that data is not breached within India and by those who may potentially gain access to Indian national databases.

As a next- but immediate- step, the Indian government should demand answers from the NSA to the following questions:

What type of data is collected from India and which parties have access to it?
How long is such data retained for? Can the retention period be renewed and if so, for how long?
Is data collected on Indian internet users shared with third parties? If so, which third parties can gain access to this data and under what conditions? Is a judicial warrant required?

In addition to the above questions, the Indian government should also request all other information relating to Indians´ data collected through the PRISM programme, as well as proceed with a dialogue on the matter. Governments are obliged to protect their citizens from the abuse of their human rights, especially in cases when such abuse may occur from foreign agencies. Thus, the Indian government should ensure that the future secret collection of Indians´ data is prevented and that Internet companies are transparent and accountable in regards to who has access to their servers.

On an individual level, Indians can protect their data by using encryption, such as GPG encryption for their emails and OTR encryption for instant messaging. Tor is free software and an open network which enables online anonymity by bouncing communications around a distributed network of relays run by volunteers all around the world. Tor is originally short for “The Onion Router” and “onion routing” refers to the layers of encryption used. In particular, data is encrypted and re-encrypted multiple times and is sent to randomly selected Tor relays. Each relay decrypts a “layer” of encryption to reveal it only to the next relay in the circuit and the final relay decrypts the last “layer” of encryption. Essentially, Tor reduces the possibility of original data being understood in transit and conceals the routing of it.

To avoid surveillance, the use of HTTPS-Everywhere in the Tor Browser is recommended, as well as the use of combinations of additional software, such as TorBirdy and Enigmail, OTR and Diaspora. Tor hidden services are communication endpoints that are resistant to both metadata analysis and surveillance, which is why they are highly recommended in light of the NSA´s surveillance. An XMPP client that ships with an XMPP server and a Tor hidden service is a good example of how to avoid surveillance.

Protecting our data is more important now than ever. Why? Because global, indiscriminate, mass data collection is no longer a hypothesis: it´s a fact. And why is it vital to protect our data? Because if we don´t, we are ultimately sleepwalking into our control and oppression where basic human rights, such as freedom, would be a myth of the past.

The principles formulated by the Electronic Frontier Foundation and Privacy International on communication surveillance should be taken into consideration by governments and law enforcement agencies around the world. In short, these principles are:

Legality: Limitations to the right to privacy must be prescribed by law
Legitimate purpose: Access to communications or communications metadata should be restricted to authorised public authorities for investigative purposes and in pursuit of a legitimate purpose
Necessity: Access to communications or communications metadata by authorised public authorities should be restricted to strictly and demonstrably necessary cases
Adequacy: Public authorities should be restricted from adopting or implementing measures that allow access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose
Competent authority: Authorities must be competent when making determinations relating to communications or communications metadata
Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis
Due process: Governments must respect and guarantee an individual's human rights, that may interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the public
User notification: Service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request
Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public
Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests
Integrity of communications and systems: Service providers are responsible for the secure transmission and retention of communications data or communications metadata
Safeguards for international cooperation: Mutual legal assistance processes between countries and how they are used should be clearly documented and open to the public
Safeguards against illegitimate access: Governments should ensure that authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress
Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation

Applying these above principles is a prerequisite, but may not be enough. Now is the time to resist unlawful and non-transparent surveillance. Now is the time for everyone to fight for their right to be free.

Is a world without freedom worth living in?

For more details visit https://cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance

India Still Trying To Turn Optional Aadhaar Identification Number Into A Mandatory National Identity System

praskrishna — 2016-03-24T06:34:21Z

from the sliding-down-the-slippery-slope-to-disaster dept

The blog post was published by Tech Dirt on March 22, 2016. CIS research on Aadhaar was quoted.

Last year, we wrote about India's attempt to turn the use of its Aadhaar system, which assigns a unique 12-digit number to all Indian citizens, into a requirement for accessing government schemes. An article in the Hindustan Times shows that the Indian government is still pushing to turn Aadhaar into a mandatory national identity system. A Bill has just been passed by both houses of the country's parliament, which seeks to give statutory backing to the scheme -- in the teeth of opposition from India's Supreme Court:

There have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government's argument that Aadhaar is voluntary.

The article notes that in some respects, the new Bill brings improvements over a previous version:

It places stringent restrictions on when and how the UID [Unique Identification] Authority (UIDAI) can share the data, noting that biometric information -- fingerprint and iris scans -- will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But it also contains some huge loopholes:

The government will get sweeping power to access the data collected, ostensibly for "efficient, transparent, and targeted delivery of subsidies, benefits and services" as it pleases "in the interests of national security", thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The fact that an optional national numbering system now seems to be morphing into a way to monitor what people are doing will hardly come as a surprise to Techdirt readers, but this continued slide down the slippery slope is still troubling, as are other aspects of the new legislation. For example, it was introduced as a "Money Bill," which is normally reserved for matters related to taxation, not privacy. That suggests a desire to push it through without real scrutiny. What makes this attempt to give the Aadhaar number a much larger role in Indian society even more dangerous is the possibility that it won't work:

A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the [Centre for Internet and Society], shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

A mandatory national identity system that can't even uniquely identify people: sounds like a recipe for disaster.

For more details visit https://cis-india.org/internet-governance/news/tech-dirt-march-22-2016-india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system

India steps up vigilance against WhatsApp abuse

Admin — 2018-08-27T15:22:23Z

Delhi wants firm to open local office, appoint grievance officer as misinformation spreads.

The article by Debashree Dasgupta was published by Straits Times on August 24, 2018. Sunil Abraham was quoted.

In one of its strongest directives yet to WhatsApp, the Indian government has asked the California-based messaging service firm to set up an office and appoint a grievance officer in India.

Indian Information Technology Minister Ravi Shankar Prasad conveyed the request to WhatsApp chief executive Chris Daniels during a meeting on Tuesday. It came against the backdrop of the growing misuse of the messaging app to disseminate misinformation.

"I requested WhatsApp chief executive Chris Daniels to set up a grievance officer in India, establish a corporate entity in India, comply with Indian laws. He assured me that #WhatsApp will soon take steps on all these counts," Mr Prasad tweeted after the meeting.

"I further asked WhatsApp CEO... to work closely with law enforcement agencies of India and create public awareness campaign to prevent misuse of WhatsApp. He assured me that #WhatsApp will undertake these initiatives," he added in another tweet.

The firm has not yet provided a confirmation of these claims.

The spread of misinformation about child kidnappings through WhatsApp has been linked to a series of mob lynchings that have led to the deaths of least 28 people across India since April.

TAKING RESPONSIBILITY

When rumours and fake news get propagated by mischief mongers, the medium used for such propagation cannot evade responsibility and accountability. If they remain mute spectators, they are liable to be treated as abettors and thereafter, face consequent legal action.

INDIA'S MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY

There are also concerns that the spread of fake news via the application could gather further momentum ahead of next year's general elections in India. The firm has more than 200 million active monthly users in India - its biggest market and a sizeable chunk of its 1.5 billion global user base.

WhatsApp, the most widely used messaging app in India, has struggled to control the spread of misinformation in India on its platform.

With the government demanding greater accountability from it, the firm has made it more difficult for users to forward content by removing shortcuts. It has limited to five the number of people a message can be forwarded to each time, and introduced a "forwarded" label for such messages.

But the authorities have found this inadequate given the enormity of the challenge and rampant abuse.

Last month, the Indian Ministry of Electronics and Information Technology said: "There is a need for bringing in traceability and accountability when a provocative/inflammatory message is detected, and a request is made by law enforcement agencies.

"When rumours and fake news get propagated by mischief mongers, the medium used for such propagation cannot evade responsibility and accountability. If they remain mute spectators, they are liable to be treated as abettors and thereafter, face consequent legal action."

Mr Prasad, speaking to the media after the meeting, said: "I have said in the past that it does not take rocket science to locate a message being circulated in hundreds and thousands... You must have a mechanism to find a solution."

The Indian government's demand for WhatsApp to set up a local office is not unprecedented.

The European Union General Data Protection Regulation says a foreign firm that processes personal data of individuals in the EU "may be required" to appoint a representative in an EU state. However, calls by the government to detect messages and track down senders have prompted concerns over privacy violation, and pose a technical challenge.

Mr Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based nonprofit organisation, said: "Application-wide blocking of the same content is not possible on WhatsApp because it uses end-to-end cryptography, and there is no way WhatsApp can determine which messages are being forwarded."

But there are potential remedies that are less controversial, and easier to achieve.

Mr Abraham suggested that WhatsApp fund a large network of fact checkers and provide a "fact check this" button along with all forwarded messages. "This button could then transmit the suspicious message to a common database that is managed by the network for fact checkers," he added.

Last month, the Ministry of Electronics and Information Technology raised concerns on the expected roll-out of WhatsApp Payments, which lets users make financial transactions via the application. It has sought clarity on whether the service adheres to the Reserve Bank of India's security and privacy rules.

For more details visit https://cis-india.org/internet-governance/news/the-straits-times-august-24-2018-debarshi-dasgupta-india-steps-up-vigilance-against-whatsapp-abuse

India slowly gets to grips with ecommerce

praskrishna — 2011-04-04T06:46:27Z

Growth in computer use and Internet penetration will help e-commerce.

Vipul Modi is a busy high court lawyer in India's financial capital Mumbai. Like many people, he uses the Internet to buy rail and airline tickets as well as pay his utility bills. Yet when it comes to buying other products online, the 44-year-old has misgivings, particularly about the security of his bank account details and other personal data.

"Online shopping is not something that we feel comfortable with... because the responsibility of something being misused is on the consumer compared with the United States, where it's on the credit card companies," he told AFP.

"And I'd still not buy some things online because I still like to go and see what it is."

From books to groceries, Internet shopping has become popular in many Western countries for people with disposable income, busy lifestyles and unpredictable working hours.

As Indian society, particularly in big cities such as Mumbai and the capital New Delhi, changes along similar lines on the back of the country's economic expansion, retailers are now looking to follow suit.

Gift shop chain The Bombay Store last month became the latest outlet to launch an online facility, following in the footsteps of major retailers such as Big Bazaar, Pantaloons and shopping portals on websites like www.rediff.com.

"Online shopping in India is on the cusp of taking off," said Deepa Thomas, a senior manager at the online auction site www.ebay.in, which has 2.5 million registered users in nearly 2,500 locations across the country.

"But when it comes to things like product shopping there's still a fairly long way to go."

For a country with 1.1 billion people, India's use of computers and the Internet is still low, despite being a major player in global information technology and outsourcing.

At present only eight percent of Indian households have access to a personal computer, the country's IT and communications minister, Sachin Pilot, said on a visit to Washington in March.

Of India's estimated 60 million Internet users, about six million shop online, with the ecommerce market thought to be worth about 100 billion rupees (2.2 billion dollars) and expanding at about 30 percent a year, Thomas said.

At present, social networking, email and accessing news and sports sites remain the mainstay of computer use for most Indians.

Pilot has predicted an "exponential growth" in computer use and Internet penetration in the coming years, as the government works to extend broadband access into 250,000 out of India's more than 600,000 villages.

Industry analysts such as Nishant Shah, director of research at the Centre for Internet and Society in the southern city of Bangalore, India's IT hub, said that can only help develop ecommerce.

"The countries where Internet shopping has been on the upswing are countries with highly developed broadband infrastructure which allows for quick, easy and secure connections," Shah said in an email interview.

"The lack of strong digital infrastructure means that the Internet is still used by a large majority of people for 'functional' things - jobs, retrieving information, communication, social networking."

Unlike other countries, India's half-a-billion mobile phone subscribers could drive the sector's expansion, he added.

The government is currently auctioning 3G licences, which would enable more users to access data at high-speed, instead of having to rely on slow, dial-up connections at places such as public cyber cafes, making transactions easier.

Thomas said eBay was launching a mobile phone application for buying and selling by the end of June, predicting that "mobile web is going to become a big part of developing the market".

For Asim Dalal, managing director of The Bombay Store, going online makes business sense in the global economy as it expands the company's reach beyond India's borders.

"International visitors comprise approximately 25 percent of our sales," he said in a statement. "Since they mostly are on visit or tour to India, their repeat purchases for gifting or home were restricted."

But if and how quickly Indian consumers will change habits is hard to tell, with a preference for cash transactions and personal contact with suppliers, particularly for food and clothing at bustling markets.

Read the original article in the Independent

For more details visit https://cis-india.org/news/India-gets-to-grips-with-ecommerce

India Shut Down Kashmir’s Internet Access. Now, ‘We Cannot Do Anything.’

Vindu Goel, Karan Deep Singh and Sameer Yasir — 2019-08-22T01:20:47Z

Masroor Nazir, a pharmacist in Kashmir’s biggest city, Srinagar, has some advice for people in the region: Do not get sick, because he may not have any medicine left to help.

The article by Vindu Goel, Karan Deep Singh and Sameer was published in New York Times on August 14, 2019. Gurshabad Grover was quoted.

“Shutting down the internet has become the first go-to the moment the police think there will be any kind of disturbance,” said Mishi Choudhary, founder of SFLC.in, a legal advocacy group in New Delhi that has tracked the sharp rise in web shutdowns in India since 2012.

In Jammu and Kashmir, a Muslim-majority territory where security forces constantly worry about attacks by separatist militants, the internet has been blocked in at least part of the region 54 times this year, according to SFLC.in’s data. The authorities simply order internet service providers and phone companies to stop providing access to the web or to mobile networks.

But this latest shutdown has been far more sweeping than others, Kashmiris said.

“We used the internet for everything,” said Mr. Nazir, 28, whose pharmacy is near the city’s famed clock tower. He said he normally went online to order new drugs and to fulfill requests from other pharmacies in more rural parts of Kashmir Valley. But now, “we cannot do anything.”

As the Indian government’s shutdown of internet and phone service in the contested region enters its 11th day, Kashmir has become paralyzed.

Shopkeepers said that vital supplies like insulin and baby food, which they typically ordered online, were running out. Cash was scarce, as metal shutters covered the doors and windows of banks and A.T.M.s, which relied on the internet for every transaction. Doctors said they could not communicate with their patients.

Only a few government locations with landlines have been available for the public to make phone calls, with long waits to get a few minutes of access.

The information blockade was an integral part of India’s unilateral decision last week to wipe out the autonomy of Jammu and Kashmir, an area of 12.5 million people that is claimed by both India and Pakistan and has long been a source of tension. That has brought everyday transactions, family communications, online entertainment and the flow of money and information to a halt.

While Prime Minister Narendra Modi has promoted the rapid adoption of the internet, particularly on smartphones, to modernize India and bring it out of poverty, the country is also the world leader in shutting down the internet.

The country has increasingly deployed communications and internet stoppages to suppress potential protests, prevent rumors from spreading on WhatsApp, conduct elections and even stop students from cheating on exams. Last year, India blocked the internet 134 times, compared with 12 shutdowns in Pakistan, the No. 2 country, according to Access Now, a global digital rights group, which said its data understates the number of occurrences.

Umar Qayoom, who used to spend his days running around Srinagar signing up merchants for Paytm, a digital payments service, is now stuck in his house. He said he had not been able to contact his girlfriend since the shutdown began, and his smartphone — his primary source of entertainment, with its endless supply of videos and social media — is an inert hunk of metal.

“I don’t know when to sleep, when to wake up, what to do with my life,” he said during a rare foray outside on Monday evening for Eid al-Adha, the holiest festival in Islam. “There is no life without internet, even in Kashmir.”

Muheet Mehraj, founder and chief executive of Kashmir Box, a start-up that buys traditional handicrafts like pashmina shawls and pottery from local artisans and sells them online, said he could not check incoming orders or communicate with his suppliers. His 25 employees are idle. If the shutdown lingers, they will soon be out of work.

“We’ve seen more than 400 shutdowns,” he said. “This has been the worst of them all.”

No one knows how long the blackout will last. In 2016, the internet was blocked in Kashmir for more than four months. The unpredictable access wreaked havoc with students, businesses and even musicians, who had relied on YouTube, Instagram and other digital services to reach potential audiences.

At a hearing on Tuesday, India’s Supreme Court declined to lift any of the current restrictions, accepting the government’s argument that the shutdown was needed to maintain order and would be “settled soon.” The next day, the police indicated that most of the valley would remain on lockdown, including on Thursday, India’s Independence Day.

“Kashmir has become invisible even to itself,” said Gurshabad Grover, a senior policy officer at the Center for Internet and Society in Bangalore, quoting a recent line in The Indian Express. The center published a report last year on the social and economic toll of internet shutdowns across India.

The United Nations has repeatedly condemned government-ordered internet shutdowns as a violation of human rights.

But that has not deterred India from routinely using the tool. Under India’s laws, authorities at even the local level can easily shut down internet access in the name of ensuring “peace and tranquillity.”

“It helps in any kind of situation which can flare up the sentiments of people and flare up the bulk mobilization of people,” said Rahul Pandey, deputy superintendent of police in Darjeeling in northeastern India, where the internet was blocked for about 100 days in 2017.

Raman Jit Singh Chima, Asia Pacific policy director at Access Now, said that Indian officials have seen few negative consequences from shutdowns, so they keep using them. “It has become standard operating procedure among police,” he said.

But the true costs of such blockades are high. Internet shutdowns from 2012 to 2017 cost India’s economy more than $3 billion, the Indian Council for Research on International Economic Relations estimated last year. And the number of stoppages has spiked since then. The Darjeeling shutdown, one of the longest in the country, occurred after the state government decided it needed to quash a separatist movement that had clashed violently with security forces.

Darjeeling’s fabled tea industry, the lifeblood of the local economy, lost most of a year’s harvest as workers went on strike. Production was hurt the next year, too.

Many corporate tea buyers and traders sought tea elsewhere during the disruption and never came back, said Girish Sarda, director of Nathmulls, a tea exporter in the region.

“We lost many customers,” he said, estimating that the company’s revenue dropped more than 30 percent at the time. “Even when the internet is on, people think that this business is probably shut down.”

The government has argued that one reason for suppressing the internet in Kashmir was to stop the spread of false information.

But in the digital blackout, rumors have continued spreading the old-fashioned way: by word of mouth.

When thousands of protesters marched through Srinagar on Friday and security forces fired gunshots in response, word spread that there had been a massacre. Reporters who investigated found that at least seven people had been injured, but no one had died. Other unverified reports of people being killed by the police have also circulated.

The enforced idleness creates another risk, said Mr. Qayoom, the Paytm employee stuck at home. When young people have nothing else to do, leaving the house to protest — or throw stones at the police — looks a lot more appealing. “There is going to be bloodshed,” he said.

For more details visit https://cis-india.org/internet-governance/news/new-york-times-august-14-2019-vindu-goel-karan-deep-singh-and-sameer-yasir-india-shut-down-kashmir-internet-access-now-we-cannot-do-anything

India Should Watch Its Internet Watchmen

praskrishna — 2011-05-06T05:08:05Z

The month after terrorists attacked Mumbai in 2008, India's government initiated legislation enabling it to eavesdrop on electronic communication and block websites on grounds of national security. There was no public debate before the bill in question was introduced, and hardly any debate inside parliament itself before it passed in 2009. In the law, there were no guidelines about the extent to which an individual's right to privacy would be breached. And there was certainly no mention, and therefore, reassurance, that due process would be followed when it came to restricting access to websites. This article by Rahul Bhatia was published in the Wall Street Journal on March 28, 2011.

It's taken about two years for the first signs of misuse to show up. And there may be many more, as the government uses vague discretion instead of firm rules to police India's Internet. Various groups can exploit these discretionary powers to their own ends.

Earlier this month, the Indian Computer Emergency Response Team (CERT-In), the body appointed by the government to protect India's information infrastructure, blocked a text-message provider that sends out advertisements in bulk over mobile phone. It also blocked Typepad.com, a publishing platform used frequently by bloggers. Both restrictions have now been lifted.

Most contentiously, a Delhi court ordered CERT-In to block access to Zone-H.org, an Italian security giant that acts as a repository of hacked websites—that is, it collects screen grabs of sites that are infiltrated, which later proves valuable for studying the cyber crime in question. A representative of this website accused an Indian cyber security firm, E2 Labs, of using Zone-H's logo and images to promote its own cyber security school courses. E2 Labs dragged Zone-H to court in 2009 and, on grounds of defamation, had Zone-H's website blocked. What muddies the waters is that E2 Labs claims to work for the government.

Nobody knows what threat, if any, these websites posed to national security. Users who tried accessing them simply received a one-line message from their service providers that the sites had been blocked due to "instructions from the Department of Telecom." That message later disappeared, replaced by the standard error message: "Page Not Found."

Many bloggers immediately started comparing this case to the situation they found themselves in 2006, when the government banned Blogspot.com right after Mumbai's suburban train system was hit by bomb blasts. The Department of Telecom then did not offer an official reason, leaving people guessing that this was some kind of response to that terrorist attack.

That's happening again. The guidelines under which CERT-In operates say that all information related to website blocking is classified. Moreover, its mandate does not include communicating with the public. Which is why everyone is in the dark. Nobody even knows how widespread the blockade is. There's no hint of the process involved. There's no course for redress for those who own the affected sites.

Inquiries from journalists about the Department of Telecom's method of functioning have gone unanswered. When cornered by the press this month, India's Information Technology minister Kapil Sibal, who oversees this department, passed responsibility to the ministry of home affairs, which manages the nation's internal security.

Perhaps there are legitimate reasons for blocking these websites. India has faced its share of terrorist attacks that have, in the last decade, begun to affect the country's urban centers. Terrorists have gotten more sophisticated. The 2008 Mumbai assault especially put pressure on security personnel to be electronically vigilant, because the terrorists used satellite phones and internet technology to communicate. Since then, the government has ramped up its scrutiny of the Internet, including getting into a high-profile dispute last year with Blackberry-maker Research in Motion. Blogs are fair game, too, seeing as how terrorist groups have been known to use them for recruiting and communication. But if there are good reasons this time for blocking the sites in question, they're unknown and unexplained.

That lack of explanation is cause for alarm. First, there's the impact on businesses. Intermediary guidelines proposed by the Department of Information Technology put the onus on service providers to remove any material that, in addition to endangering national security, "causes inconvenience or annoyance," is "grossly offensive or menacing in nature," or "belongs to another person." These open-ended guidelines mean service providers have to spend a good chunk of their time dealing with government officials to determine, say, what is offensive.

The larger impact is on the rule of law. The clumsiness with which New Delhi has blocked these sites undermines any legitimacy the laws have. Lawyers I've spoken with already say that the guidelines, which are open to wide interpretation, violate the country's constitution.

This legal debacle has implications beyond any immediate security concerns. Despite being a democracy with a vigorous free press, India can't afford to take freedom of speech for granted. The concern here is that a statute intended to protect the country from terrorism may also give new legal cover to people trying to restrict speech for other reasons.

Already, thanks in part to the lack of political support for free speech, varied groups hijack cracks or loopholes in the legal framework to their populist ends. For instance, a colonial-era law against religious insults was used in 2007 to appease Hindu nationalists who wanted the government to punish Muslim painter M.F. Hussain for depicting "Mother India" in the nude. That case suggests that the new ill-considered and badly implemented rules for online policing could be exploited by political or business interests.

India undoubtedly faces a serious terrorism problem. But New Delhi needs to defend itself through laws that don't end up impinging on free speech in damaging, undemocratic ways.

Mr. Bhatia is a writer with Open Magazine in Mumbai.

Read the original story here

For more details visit https://cis-india.org/news/internet-watchmen

India should reconsider its proposed regulation of online content

gurshabad — 2019-01-24T16:59:07Z

The lack of technical considerations in the proposal is also apparent since implementing the proposal is infeasible for certain intermediaries. End-to-end encrypted messaging services cannot “identify” unlawful content since they cannot decrypt it. Presumably, the government’s intention is not to disallow end-to-end encryption so that intermediaries can monitor content.

The article was published in the Hindustan Times on January 24, 2019. The author would like to thank Akriti Bopanna and Aayush Rathi for their feedback.

Flowing from the Information Technology (IT) Act, India’s current intermediary liability regime roughly adheres to the “safe harbour” principle, i.e. intermediaries (online platforms and service providers) are not liable for the content they host or transmit if they act as mere conduits in the network, don’t abet illegal activity, and comply with requests from authorised government bodies and the judiciary. This paradigm allows intermediaries that primarily transmit user-generated content to provide their services without constant paranoia, and can be partly credited for the proliferation of online content. The law and IT minister shared the intent to change the rules this July when discussing concerns of online platforms being used “to spread incorrect facts projected as news and designed to instigate people to commit crime”.

On December 24, the government published and invited comments to the draft intermediary liability rules. The draft rules significantly expand “due diligence” intermediaries must observe to qualify as safe harbours: they mandate enabling “tracing” of the originator of information, taking down content in response to government and court orders within 24 hours, and responding to information requests and assisting investigations within 72 hours. Most problematically, the draft rules go much further than the stated intentions: draft Rule 3(9) mandates intermediaries to deploy automated tools for “proactively identifying and removing [...] unlawful information or content”.

The first glaring problem is that “unlawful information or content” is not defined. A conservative reading of the draft rules will presume that the phrase means restrictions on free speech permissible under Article 19(2) of the Constitution, including that relate to national integrity, “defamation” and “incitement to an offence”.

Ambiguity aside, is mandating intermediaries to monitor for “unlawful content” a valid requirement under “due diligence”? To qualify as a safe harbour, if an intermediary must monitor for all unlawful content, then is it substantively different from an intermediary that has active control over its content and not a safe harbour? Clearly, the requirement of monitoring for all “unlawful content” is so onerous that it is contrary to the philosophy of safe harbours envisioned by the law.

By mandating automated detection and removal of unlawful content, the proposed rules shift the burden of appraising legality of content from the state to private entities. The rule may run afoul of the Supreme Court’s reasoning in Shreya Singhal v Union of India wherein it read down a similar provision because, among other reasons, it required an intermediary to “apply [...] its own mind to whether information should or should not be blocked”. “Actual knowledge” of illegal content, since then, has held to accrue to the intermediary only when it receives a court or government order.

Given the inconsistencies with legal precedence, the rules may not stand judicial scrutiny if notified in their current form.

The lack of technical considerations in the proposal is also apparent since implementing the proposal is infeasible for certain intermediaries. End-to-end encrypted messaging services cannot “identify” unlawful content since they cannot decrypt it. Internet service providers also qualify as safe harbours: how will they identify unlawful content when it passes encrypted through their network? Presumably, the government’s intention is not to disallow end-to-end encryption so that intermediaries can monitor content.

Intermediaries that can implement the rules, like social media platforms, will leave the task to algorithms that perform even specific tasks poorly. Just recently, Tumblr flagged its own examples of permitted nudity as pornography, and Youtube slapped a video of randomly-generated white noise with five copyright-infringement notices. Identifying more contextual expression, such as defamation or incitement to offences, is a much more complex problem. In the lack of accurate judgement, platforms will be happy to avoid liability by taking content down without verifying whether it violated law. Rule 3(9) also makes no distinction between large and small intermediaries, and has no requirement for an appeal system available to users whose content is taken down. Thus, the proposed rules set up an incentive structure entirely deleterious to the exercise of the right to freedom of expression. Given the wide amplitude and ambiguity of India’s restrictions on free speech, online platforms will end up removing swathes of content to avoid liability if the draft rules are notified.

The use of draconian laws to quell dissent plays a recurring role in the history of the Indian state. The draft rules follow India’s proclivity to join the ignominious company of authoritarian nations when it comes to disrespecting protections for freedom of expression. To add insult to injury, the draft rules are abstruse, ignore legal precedence, and betray a poor technological understanding. The government should reconsider the proposed regulation and the stance which inspired it, both of which are unsuited for a democratic republic.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-gurshabad-grover-january-24-2019-india-should-reconsider-its-proposed-regulation-of-online-content

India Sets Strict New Net Neutrality Rules

praskrishna — 2016-02-11T01:53:19Z

In India, advocates of net neutrality have welcomed new rules by the telecom regulator that have blocked efforts by Facebook to offer free but limited access to the web in the country’s fast growing Internet market.

The article by Anjana Pasricha was published in Voice of America on February 9, 2016. Sunil Abraham was quoted.

In a widely awaited ruling, the Telecom Regulator Authority of India (TRAI) said on Monday that “no service provider shall charge differential pricing on the basis of application, platforms or websites or sources." It will impose penalties of $735 a day if the regulations are broken.

Kiran Jonnalagadda, who was among a group of 10 that launched an impassioned campaign called Save the Internet, says they have won a “fabulous” victory against large corporations to ensure equal web access for millions.

“We were up against the most powerful companies in the world, we had no chance of fighting Airtel last year, we had no chance of fighting Facebook. I think the only reason it worked is that we were on the side of facts, the opposition was not,” says Jonnalagadda.

Debate on Airtel

The campaign on net neutrality snowballed into a nationwide public debate after an Indian telecom company, Airtel, launched a marketing platform last April on which it planned to offer customers access with no data charges to certain Internet services and sites.

In recent weeks, the focus turned to “Free Basics”, a service being offered by Facebook on mobile phones to a handful of sites in areas such as communication, healthcare, and education.

Saying it wanted to vastly expand Internet access in poor, rural areas, Facebook had launched a massive advertising campaign in support of the platform. Only about 300 million in the country of 1.2 billion people have access to the net, many just through mobile devices.

But campaigners slammed Free Basics as “poor Internet for poor people” and said it would create a “walled garden” in which Facebook would control the content it offered users. Leading Indian technology entrepreneurs and university professors also called on the government to guard against attempts by Internet giants to turn the country into a “digital colony.”

Many of them have applauded the regulator’s move to strengthen net neutrality.

Ban on differential pricing

However, some are raising questions about the the complete ban on differential pricing announced by the regulator. That includes the Bangalore-based Center for Internet and Society research group, which says India has put in place the most stringent net neutrality regulations across the world. Its executive director, Sunil Abraham, says TRAI cited the examples of the Netherlands and Chile, but the ban on differential pricing in those countries is not as absolute as the one notified in India.

“We think that if proper technological safeguards and other market safeguards are put in place, it would be possible to have both — to have rapid growth in Internet access and reduced harm that emerge[s] from network neutrality violations,” says Abraham.

Indeed, the last word may not have been said on net neutrality in India as big telecom operators are expected to mount legal challenges to the regulator’s ruling in the coming months.

Expressing disappointment with India’s ruling, the Cellular Operators Association of India has called the ban on differential pricing a “welfare reducing measure” that could block an avenue for “less advantaged citizens to move to increased economic growth and prosperity by harnessing the power of the Internet.”

In a statement, Facebook has said “we will continue our efforts to eliminate barriers and give the unconnected an easier path to the Internet.”

But after having tasted victory, the volunteers at Save the Internet, who have grown from about 10 to 100 in the last year, have already set their sights on another aspect of net neutrality besides differential pricing.

“The campaign is not going to retire because this is not the end of it. There is also discrimination on the basis of speed, which the regulator has not taken up yet,” says Jonnalagadda.

For more details visit https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-february-9-2016-india-sets-strict-new-net-neutrality-rules