We are anonymous, we are legion

Incident Response Requirements in Indian Law

vipul — 2016-12-28T01:19:28Z

Cyber incidents have serious consequences for societies, nations, and those who are victimised by them. The theft, exploitation, exposure or otherwise damage of private, financial, or other sensitive personal or commercial data and cyber attacks that damage computer systems are capable of causing lasting harm.

A recent example of such an attack that we have seen from India is the recent data breach involving an alleged 3.2 million debit cards in India.^[1] In the case of this hack the payment processing networks such as National Payments Corporation of India, Visa and Mastercard, informed the banks regarding the leaks, based on which the banks started the process of blocking and then reissuing the compromised cards. It has also been reported that the banks failed to report this incident to the Computer Emergency Response Team of India (CERT-In) even though they are required by law to do so.^[2] Such risks are increasingly faced by consumers, businesses, and governments. A person who is a victim of a cyber incident usually looks to receive assistance from the service provider and government agencies, which are prepared to investigate the incident, mitigate its consequences, and help prevent future incidents. It is essential for an effective response to cyber incidents that authorities have as much knowledge regarding the incident as possible and have that knowledge as soon as possible. It is also critical that this information is communicated to the public. This underlines the importance of reporting cyber incidents as a tool in making the internet and digital infrastructure secure.. Like any other crime, an Internet-based crime should be reported to those law enforcement authorities assigned to tackle it at a local, state, national, or international level, depending on the nature and scope of the criminal act. This is the first in a series of blog posts highlighting the importance of incident reporting in the Indian regulatory context with a view to highlight the Indian regulations dealing with incident reporting and the ultimate objective of having a more robust incident reporting environment in India.

Incident Reporting under CERT Rules

In India, section 70-B of the Information Technology Act, 2000 (the “IT Act”) gives the Central Government the power to appoint an agency of the government to be called the Indian Computer Emergency Response Team. In pursuance of the said provision the Central Government issued the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “CERT Rules”) which provide the location and manner of functioning of the Indian Computer Emergency Response Team (CERT-In). Rule 12 of the CERT Rules gives every person, company or organisation the option to report cyber security incidents to the CERT-In. It also places an obligation on them to mandatorily report the following kinds of incidents as early as possible:

Targeted scanning/probing of critical networks/systems;
Compromise of critical systems/information;
Unauthorized access of IT systems/data;
Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;
Malicious code attacks such as spreading of virus/worm/Trojan/botnets/spyware;
Attacks on servers such as database, mail, and DNS and network devices such as routers;
Identity theft, spoofing and phishing attacks;
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks;
Attacks on critical infrastructure, SCADA systems and wireless networks;
Attacks on applications such as e-governance, e-commerce, etc.

The CERT Rules also impose an obligation on service providers, intermediaries, data centres and body corporates to report cyber incidents within a reasonable time so that CERT-In may have scope for timely action. This mandatory obligation of reporting incidents casts a fairly wide net in terms of private sector entities, however it is notable that prima facie the provision does not impose any obligation on government entities to report cyber incidents unless they come under any of the expressions “service providers”, “data centres”, “intermediaries” or “body corporate”. This would mean that if the data kept with the Registrar General & Census Commissioner of India is hacked in a cyber incident, then there is no statutory obligation under the CERT Rules on it to report the incident. It is pertinent to mention here that although there is no obligation on a government department under law to report such an incident, such an obligation may be contained in its internal rules and guidelines, etc. which are not readily available.

It is pertinent to note that although the CERT Rules provide for a mandatory obligation to report the cyber incidents listed therein, the Rules themselves do not provide for any penalty for non compliance. However this does not mean that there are no consequences for non compliance, it just means that we have to look to the parent legislation i.e. the IT Act for the appropriate penalties for non compliance. Section 70B(6) gives the CERT-In the power to call for information and give directions for the purpose of carrying out its functions. Section 70B(7) provides that any service provider, intermediary, data center, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6), shall be liable to imprisonment for a period up to 1 (one) year or fine of up to 1 (one) lakh or both.

It is possible to argue here that sub-section (6) only talks about calls for information by CERT-In and the obligation under Rule 12 of the CERT Rules is an obligation placed by the central government and not CERT-In. It can also be argued that sub-section (6) is only meant for specific requests made by CERT-In for information and sub-section (7) only penalises those who do not respond to these specific requests. However, even if these arguments were to be accepted and we were to conclude that a violation of the obligation imposed under Rule 12 would not attract the penalty stipulated under sub-section (7) of section 70B, that does not mean that Rule 12 would be left toothless. Section 44(b) of the IT Act provides that where any person is required under any of the Rules or Regulations under the IT Act to furnish any information within a particular time and such person fails to do so, s/he may be liable to pay a penalty of upto Rs. 5,000/- for every day such failure continues. Further section 45 provides for a further penalty of Rs.25,000/- for any contravention of any of the rules or regulations under the Act for which no other penalty has been provided.

Incident Reporting under Intermediary Guidelines

Section 2(1)(w) of the IT Act defined the term “intermediary” in the following manner;

“intermediary” with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.

Rule 3(9) of the Information Technology (Intermediaries Guidelines) Rules, 2011 (the “Intermediary Guidelines”) also imposes an obligation on any intermediary to report any cyber incident and share information related to cyber security incidents with the CERT-In. Since neither the Intermediary Guidelines not the IT Act specifically provide for any penalty for non conformity with Rule 3(9) therefore any enforcement action against an intermediary failing to report a cyber security incident would have to be taken under section 45 of the IT Act containing a penalty of Rs. 25,000/-.

Incident Reporting under the Unified License

Clause 39.10(i) of the Unified License Agreement obliges the telecom company to create facilities for the monitoring of all intrusions, attacks and frauds on its technical facilities and provide reports on the same to the Department of Telecom (DoT). Further clause 39.11(ii) provides that for any breach or inadequate compliance with the terms of the license, the telecom company shall be liable to pay a penalty amount of Rs. 50 crores (Rs. 50,00,00,000) per breach.

Conclusion

It is clear from the above discussion that there is a legal obligation service providers to report cyber incidents to the CERT-In. Presently, the penalty prescribed under Indian law may not be enough to incentivise companies to adopt comprehensive and consistent incident response programmes. , except in cases of telecom companies under the Unified License Agreement. A fine of Rs. 25,000/- appears to be inconsequential when compared to the possible dangers and damages that may be caused due to a security breach of data containing, for example, credit card details.. Further, it is also imperative that apart from the obligation to report the cyber incident to the appropriate authorities (CERT-In) there should also be a legal obligation to report it to the data subjects whose data is stolen or is put at risk due to the said breach. A provision requiring notice to the data subjects could go a long way in ensuring that service providers, intermediaries, data centres and body corporates implement the best data security practices since a breach would then be known by general consumers leading to a flurry of bad publicity which could negatively impact the business of the data controller, and for a business entity an economic stimulus may be an effective way to ensure compliance.

As we continue to research incident response, the questions and areas we are exploring include the ecosystem of incidence response including what is reported, how, and when, appropriate incentives to companies and governments to report incidents, various forms of penalties, the role of cross border sharing of information and jurisdiction and best practices for incident reporting and citizen awareness.

Published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document

^[1] http://www.huffingtonpost.in/2016/10/21/atm-card-hack-what-banks-are-saying-about-india-s-biggest-data/

^[2] http://tech.economictimes.indiatimes.com/news/internet/cert-in-had-warned-banks-on-oct-7-about-expected-targeted-attacks-from-pakistan/54991025

For more details visit https://cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law

In Twitter India’s Arbitrary Suspensions, a Question of What Constitutes a Public Space

torsha — 2019-12-12T16:54:05Z

A discussion is underway about the way social media platforms may have to operate within the tenets of constitutional protections of free speech.

The article by Torsha Sarkar was published in the Wire on December 7, 2019.

On October, 26 2019, Twitter suspended the account of senior advocate Sanjay Hegde. The reason? He had previously put up the famous photo of August Landmesser refusing to do the Nazi salute in a sea of crowd in the Blohm Voss shipyard.

According to the social media platform, the image violated Twitter’s ‘hateful imagery’ guidelines, despite the photo being around for decades and usually being recognised as a sign of resistance against blind authoritarianism.

August Landmesser. Photo: Public Domain

Twitter briefly revoked the suspension on October 27, but promptly suspended Hegde’s account again. This time, the action was prompted by Hegde quote-tweeting parts of a poem by Gorakh Pandey, titled ‘Hang him’, which was written in protest of the first death penalties given to two peasant revolutionaries in an independent India. This time, Hegde was informed that his account would not be restored.

Spurred by what he believed was Twitter’s arbitrary exercise of power, he proceeded to file a legal notice with Twitter, and asked the Ministry of Electronics and Information Technology (MeitY) to intervene in the matter. It is the subject matter of this ask that becomes of interest.

In his complaint, Hegde first outlines how the content shared by him did not violate any of Twitter’s community guidelines. He then goes on to highlight how his fundamental right of dissemination and receipt of information under Article 19(1)(a) were obstructed by the action of Twitter. Here, he places reliance to several key decisions of the Indian and the US Supreme court on media freedom, which provided thrust to his argument that a citizen’s right to free speech is meaningless if control was concentrated in the hands of a few private parties.

Vertical or horizontal?

One of the first things we learn about fundamental rights is that they are enforceable against the government, and that they allow the individual to have a remedy against the excesses of the all-powerful state. This understanding of fundamental rights is usually called the ‘vertical’ approach – where the state, or the allied public authority is at the top and the individual, a non-public entity is at the bottom.

However, there is another, albeit underdeveloped, thread of constitutional jurisprudence that argues that in certain circumstances these rights can be claimed against another private entity. This is called the ‘horizontal’ application of fundamental rights.

In that note, Hegde’s contention essentially becomes this – claiming an enforceable remedy against the private entity for supposedly violating his fundamental right. This is clearly an ask for the Centre to consider a horizontal application of Article 19(1)(a) against large social media companies.

What could this mean?

Lawyer Gautam Bhatia has argued that there are several ways in which a fundamental right can be enforced against another private entity. It must be noted that he derives this classification on the touchstone of existing judicial decisions, which is different from seeking an executive intervention. Nevertheless, it is interesting to consider the logic of his arguments as a thought exercise. Bhatia points out that one of the ways in which fundamental rights can be applied to a private entity is by assimilating the concerned entity as a ‘state’ as per Article 12.

There is a considerable amount of jurisprudence on the nature of the test to determine whether the assailed entity is state. In 2002, the Supreme Court held that for an entity to be deemed state, it must be ‘functionally, financially and administratively dominated by or under the control of the Government’. If we go by this test, then a social media platform would most probably not come within the ambit of Article 12.

However, there is a thread of recent developments that might be interesting to consider. Earlier this year, a federal court of appeals in the US ruled that the First Amendment prohibits President Donald Trump, who used his Twitter for government purposes, from blocking his critics. The court further held that when a public official uses their account for official purposes, then the account ceases to be a mere private account. This judgment has a sharp bearing in the current discussion, and the way social media platforms may have to operate within the tenets of constitutional protections of free speech.

Although the opinion of the federal court clearly noted that they did not concern themselves with the application of the First Amendment rights to the social media platforms, one cannot help but wonder – if the court rules that certain spaces in a social media account are ‘public’ by default, and that politicians cannot exclude critiques from those spaces, then can the company itself block or impede certain messages? If the company does it, can an enforceable remedy then be made against them?

A US court ruled that Donald Trump cannot block people on his Twitter account. Photo: Reuters

What can be done?

Of course, there is no straight answer to this question. On one hand, social media platforms, owing to the enormous concentration of power and opaque moderating policies, have become gatekeepers of online speech to a large extent. If such power is left unchecked, then, as Hegde’s request demonstrates, a citizen’s free speech rights are meaningless.

On the other hand, if we definitively agree that in certain circumstances, citizens should be allowed to claim remedies against these companies’ arbitrary exercise of power, then are we setting ourselves for a slippery slope? Would we make exceptions to the nature of spaces in the social media based on who is using it? If we do, then what would be the extent to which we would limit the company’s power of regulating speech in such space? How would such limitation work in consonance with the company’s need to protect public officials from targeted harassment?

At this juncture, given the novelty of the situation, our decisions should also be measured. One way of addressing this obvious paradigm shift is by considering the idea of oversight structures more seriously.

I have previously written about the possibility of having an independent regulator as a compromise between overtly stern government regulation and allowing social media companies to have free reign over the things that go on their platforms. In light of the recent events, this might be a useful alternative to consider.

Hegde had also asked the MeitY to issue guidelines to ensure that any censorship of speech in these social media platforms is to be done in accordance with the principles of Article 19.

If we presume that certain social media platforms are large and powerful enough to be treated akin to public spaces, then having an oversight authority to arbitrate and ensure the enforcement of constitutional principles for future disputes may just be the first step towards more evidence-based policymaking.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-torsha-sarkar-december-7-2019-twitter-arbitrary-suspension-public-space

In the Right Circle

praskrishna — 2011-08-23T07:40:57Z

I’ve been on Google Plus for a few weeks now. In the beginning, it felt like showing up early at a much-talked-up party. There was a small scatter of people, poking around, examining the place, making preliminary conversation with the few others they knew. Most of the talk was, unsurprisingly, about Google Plus.

Unlike the crash-bang disaster of Google Buzz, its awkward attempt at social networking that alienated most users by publicly exposing their contact list, and then proceeded from error to error, Google Plus has been a low-key, careful affair.

In the first two weeks, Google calibrated entry, depending on its capacity — letting early adopters and "power users" examine the platform and tell them what’s missing, and what works.

Google Plus mimics the real world, where people interact in clusters, and relate outwards in concentric circles of trust, rather than Facebook’s megaphone model. You drag and drop people into different circles, and can either mark individual posts to specific circles and combinations (‘family’ ‘college buddies’, ‘artsy types’), or make them public to everyone. You can catch up on these circles separately, and toggle between your many worlds, or choose to read the great river of updates on your “public" stream. Google Plus shows you a civilised way of arranging your acquaintances, avoiding that playground-level, plaintive, Facebook question: "why am I in your limited profile?"

In concept, Facebook also lets you slice your social world with friend lists, but it’s a tedious labour that few have undertaken. Design is everything — and Facebook was clearly not built for such fine-grained customisation, because everything about its default settings pointed the other way. In fact, its young CEO Mark Zuckerberg seemed to think an attachment to privacy was some faintly embarrassing, vestigial trait — the sooner we accept its obsolescence, the better.

Facebook has a remarkably flat view of friendship. If your Facebook friends are too wide and various, it can make you clam up, conscious of what a few people might think. Most people, as social media scholar danah boyd has noted, tend to focus on a part of their network, mentally blocking out the rest.

"I’d like to have separate interactions with my mother, my friends, my students and my university colleagues without bombarding my colleagues with my vacation pictures or boring my mother with research chatter," says Mallesh Pai, an academic who works on the economics of the internet. "Plus actually lets me do that."

Facebook works with the fiction that there is a single self you present to the world – while, in fact, you are a posse of selves. You might be the naïve seeker in some contexts, the voice of authority in others. In the real world, you read others by their voice and expression, factor in their situations, and modulate your own speech accordingly. But in Facebookland, you talk at an invisible audience. The problem of “collapsed contexts”, and the anxiety of audience is Facebook’s most obvious flaw, and Google Plus has focused squarely on that aspect. It obviously works best for those who are acutely aware of social role-play and judgment. Many people may claim not to care about finessing their personalities to different audiences, or see the point of migrating to a new platform —but once you wrap your head around the rich, real-world aspect of Google Plus, it’s hard to imagine why you’d want to stay on Facebook.

But it’s not just Facebook that Plus directly takes on — Twitter could also take a direct hit. The “following” circle lets you add people you don’t know personally, and see all their public posts. “Sometimes, it’s weird to realise you’re being followed by so many people you don’t know, but like on Twitter, it seems like too much effort to edit the list. Thankfully, there aren’t any spambots on Plus yet,” says Pranesh Prakash, a lawyer and policy advocate at the Bangalore-based Centre for Internet and Society. There’s no arbitrary 140-character limit, and there are coherent threads of conversation — in fact, the level of visible engagement on Plus makes Twitter look like “a boring RSS reader”, as someone observed.

Apart from the Facebook and Twitter-type uses, Google Plus comes with a standout feature that’s all its own: Hangouts, spontaneous video chatting with up to 10 people. You start a hangout, and anyone may drop in to talk for a bit. “It’s trying to replicate the sort of gathering you have in a coffee shop, just drop in and chat about the news or whatever,” says Pai. It’s so obviously useful that Dell is reportedly considering dropping traditional customer service calls and choosing to hang out with Google instead. Yes, Facebook has recently teamed up with Skype in a self-declared "awesome" move — but Skype still makes you pay for multi-way video conferencing, and doesn’t offer the serendipitous pleasures of Hangout yet.

Then there is Sparks, Google Plus’s attempt to push the right content at you – you pick from a variety of interests, and Google supplies a steady scroll of interesting links. Given how much info the company has on people, Sparks could become eerily spot-on.

In fact, the chief problem with Google Plus may be that it tries to cram in too much, leaving users overwhelmed. The bewildering array of buttons and options may put off some, and right now, it’s difficult to control the signal-to-noise ratio. “It’s definitely not as over-complicated as Google Wave, which nobody could really figure out” says Pai. “And honestly, it would be difficult to imagine the kind of functionality that Plus provides being delivered in any other way.” Then there are some who are sceptical of Circles — saying that greater granularity isn’t going to take away the dilemmas of talking to a group. They predict that once the novelty wears off and Google Plus expands, you’ll be struggling to edit and divide your circles, and to pitch yourself right.

So will Google Plus lure 750 million-plus Facebook and Twitter users away? "Don’t underestimate Facebook’s network benefits," says Prakash. “When I first went online in 1996, the first thing to do was to create an email address. Now the first thing that people do to mark an online entry is to create a Facebook account”.

Besides, Google may not want to supplant Facebook as much as master an arena it has so far sucked at – the social world. As Pranesh Prakash says, “it’s not about competition with Facebook, as much as trying to improve Google’s own services, bring them together into a seamless whole and better understand its users.” Making social life machine-readable would obviously be the next big jackpot for Google, and it appears determined to invest the time, resources and effort to getting it exactly right. As Shimrit Ben-Yair, product manager of the social graph at Google told Wired magazine’s Stephen Levy, Google Plus could be a revolutionary service if it hits the sweet spot between Facebook oversharing and Twitter undersharing.

Besides, most would agree that a spot of vigorous competition would be good for Facebook, which has played fast and loose with privacy policy — changing its defaults, and then reacting to the outcry that follows. "For too long, it was the only game in town. Facebook has innovated more in the three weeks that Plus has been around, than in a lon time," says Pai.

So far, Google Plus has been extra-solicitous of privacy, and adjusted on the fly to field testers’ feedback. It has jumped to attend to mistakes – like responding to complaints that a user’s gender should not be publicly available. When someone pointed out that even limited posts could be reshared by others, that technical hole was immediately plugged. "It’s very heartening to see that they’ve learnt from the mistakes of Facebook and Buzz," says Prakash. Unlike Facebook’s possessiveness about your information and pictures, Google’s Data Liberation policy is explicitly committed to letting you erase all personal traces whenever you want, and free yourself from any product.

But as Prakash cautions, "Google may not have a coherent view of privacy across all its products — for all Google Plus’s delicacy and tact, Google Street View may have different ideas about what is acceptable." There are many who find it unnerving that a revenue-driven, publicly traded company should be the master switch of our information economy. Given Google’s girth and dominance, competitors can’t realistically wrest attention away, after a certain point.

"Google is bigger because it’s better and better because it’s bigger", writes Siva Vaidyanathan in The Googlization of Everything. Google Plus, then, marks another large advance in the company’s stated mission to organise the world’s information. Even Pai admits that “if a new mail application came along, it would have to offer so much more than Google for me to consider shifting – given how Gmail does everything, syncs my calendar, knows my friends." But then again, he says, “Let’s judge Google not on what we think it is, but what it does. Everything that’s too big in a bad way, even those considered invincible, gets stopped eventually. Right now, I’m reading about Murdoch’s undoing with great glee – a few weeks back, who would have imagined that?"

This article by Amulya Gopalakrishnan was published in the Indian Express on July 24, 2011. The original story can be read here

For more details visit https://cis-india.org/news/right-circle

In The Biggest Data Leak, Info Of 13 Crore Aadhaar Card Holders Has Been Compromised And Is Available Online

praskrishna — 2017-05-12T15:59:31Z

The Modi government has been trying to make Aadhaar mandatory for everything from Income Tax return, buying a SIM card, bank transaction, train ticket, air travel, mid-day meal government subsidies etc.

The blog post by Bobins Abraham was published by India Times on May 3, 2017.

While the government claims that the move will increase security and ensure that the benefits are reaching to real people and not syphoned off. But security experts have been pointing out the possibility of security breach in the system resulting in the sensitive biometric data reaching in the hands of those, who could misuse them.

A study by Bengaluru-based think tank, Centre for Internet and Society has once again cemented these concerns. According to its report titled, "Information Security Practices of Aadhaar (or lack thereof): A documentation of the public availability of Aadhaar Numbers with sensitive personal financial information," Aadhaar data of as many as 13.5 crore card holders have already leaked online.

The study revealed that the mass data leak happened due to security flaws in four government websites:

National Social Assistance Programme
National Rural Employment Guarantee Act (NREGA)
Daily Online Payment Reports under NREGA (Govt. of Andhra Pradesh)
Chandranna Bima Scheme run by Government of Andhra Pradesh

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” the report said.

The report was published even as the government continue to defend Aadhaar in the Supreme Court saying that the move to link Aadhaar with PAN cards was meant to put a stop on the number of individuals in possession of multiple PAN cards by putting a robust identification system in place. Attorney General Mukul Rohatgi said that this will help in curbing money laundering, the flow of black money and controlling the funding of terror.

For more details visit https://cis-india.org/internet-governance/news/india-times-bobin-abraham-may-3-2017-in-the-biggest-data-leak-info-of-13-crore-aadhaar-card-holders-has-been-compromised-and-is-available-online

In Parts of India, Internet Shutdowns Are a Fact of Life

Megha Bahree — 2019-05-27T15:43:53Z

Fears of a censored internet are rising, as the government cites fake news and unlawful content in blocking internet access.

The article by Megha Bahree was published in Top10 VPN on May 21, 2019. Gurshabad Grover was quoted.

In 2017, Faakirah Suraiya Irfan, a lawyer and mental health counselor in the northern Indian state of Kashmir, was online with a patient when the internet went down. In the restive state the government frequently, and without any warning, shuts down the internet, so it was not an unusual occurrence. But for Irfan, who was employed by women’s career networking platform Sheroes to offer online counseling services to its members, the interruption couldn’t have come at a worse time. She was in the midst of talking a patient out of suicidal thoughts.

“At that point when you lose the network, you just lose the person,” said Irfan. “I’m talking, and I’m in a flow and trying to get them to open up but then in the middle of that the internet is shut down.”

Irfan quit her job after a year because “the work was through the internet and [owing to the frequent network shutdowns] it just wasn’t working.”

Internet, interrupted

In the last couple of years India has seen a phenomenal increase in the number of people coming online thanks to an explosion of cheap data and affordable smartphones. With more than 500 million people online, it has the second largest number of internet users in the world, after China.

But that growth has been accompanied by the usual sins of abuse, including a rise in online trolls and the spread of fake news. New Delhi has responded with a heavy hand. It has implemented internet shutdowns, banned apps and blocked hundreds of websites. Unsurprisingly, all of this has led to increasing fears of censorship in the world’s largest democracy.

India leads the world in the number of internet shutdowns, with over 100 reported incidents in 2018 alone, according to the latest Freedom On The Net report. The study tracks internet freedom in 65 countries, covering 87 percent of the world’s internet users, and addresses internet access, freedom of expression, and privacy issues. The report followed events between June 2017 and May 2018 and India came in as “partly free” with a score of 43 out of 100.

“There’s a censorship process underway in India,” said Apar Gupta, a lawyer and executive director of Internet Freedom Foundation (IFF), an organization that works to defend net neutrality, freedom and privacy. “There’s a complete lack of transparency on what’s being done, why and who’s doing this.”

Shutdown throughout elections

India has just concluded the world’s largest general election with over 900 million people eligible to vote. But ongoing internet shutdowns prevented many people from accessing information as they prepared to cast their ballot.

Over the voting period of April 11 to May 19, the states of Rajasthan, West Bengal and Kashmir reported mobile internet shutdowns. News agency UNI reported that in April, authorities in parts of north Kashmir suspended internet services of all cellular providers in the region as it went to poll. This came two days after a shutdown in another region in Kashmir. The Software Freedom Law Center (SFLC), a legal services organization that aims to protect digital freedom and which tracks internet shutdowns across the country, found there have been 30 shutdowns in the state so far this year, and 40 across the country.

“There’s a complete lack of transparency on what’s being done, why and who’s doing this.” – Apar Gupta

Shutdowns have a couple of provisions in law, says Gupta. One was passedin 2017 and empowers both the federal and the state government to suspend telecom services, and by extension, internet services. The other – which prohibits public gatherings – dates back to when the British ruled the country. The law was initially used to prevent Mohandas Karamchand Gandhi, the leader of India’s independence struggle, from organizing protest marches and now is regularly used to restrict internet access. The latter is more frequently used as it allows even local authorities to issue orders for shutdowns without a review process, says Mishi Choudhary, legal director of SFLC.

IFF’s Gupta says these shutdowns “disturb the constitutional protection for free expression.” He adds: “Such a disproportionate action beyond legal doctrine practically disrupts daily life to a severe degree and causes immense hardship. It provokes anxiety among families who talk to each, causes business losses and reduces the political freedom in a country.”

History of services suspended

In India, internet shutdowns began somewhere around 2012, picked up pace from 2015 and peaked in 2018. According to the New Delhi think tank Indian Council for Research on International Economic Relations, the internet was shut down for a total of 16,315 hours between 2012 and 2017, costing the economy approximately $3.04 billion.

Shutdowns can be partial—when a specific class of websites are blocked, like all internet messaging sites—or complete when the entire internet is cut off. Kashmir has the dubious honor of the highest number of shutdowns at 155 to date, according to the SFLC.

The longest shutdown in the country occurred in Kashmir in the summer of 2016 after a local rebel was killed that July. Mobile internet services were suspended for 133 days. While internet services on postpaid connections were restored by November, users with prepaid connections got their internet access back only in January 2017, nearly six months after they had been cut off.

The second longest suspension of internet services took place in Darjeeling in eastern India in June 2017 during a local secessionist agitation. Initially, just the mobile internet services were shut off but within a couple of days, the broadband services were cut off as well, according to SFLC’s tracker. Ultimately there were no internet services in Darjeeling for a total of one hundred days.

In both cases, it wasn’t clear who ordered the shutdown, as reflected in local media reports. Typically, shutdowns happen without any warning and in most cases the only explanation offered is that services were suspended “as a precautionary measure to maintain law and order”.

In a country where internet usage has risen dramatically in the last few years, the shutdowns have been “a blunt instrument to bring the digital economy to its knees and deprive the citizens the freedom to communicate,” says Choudhary.

In the summer of 2016, mobile internet in Kashmir was shut off for four months.

India’s data explosion

It was a new telecom entrant that drastically changed the dynamics of the country’s internet access, and brought vast numbers of people online.

In September 2016, Reliance Industries, which is owned by India’s richest man, Mukesh Ambani, launched 4G network Jio. The network allowed subscribers to use internet plans to make calls, send text messages or browse the internet, and it jump-started the business by offering its services for free initially. Once it started charging for data, its rates were incredibly cheap. A year later it offered low-cost 4G handsets for a refundable security deposit of $22. In 2018 it offered a 4G phone for a third of that price. The strategy helped it gain millions of users, and encouraged the transition from feature phones to smartphones, giving users easy access to the internet.

“The internet shutdowns are a blunt instrument to bring the digital economy to its knees.” – Mishi Choudhary

Rajakumari Dayamenti, a native of Sabantongba village in the north eastern state of Manipur, was one such user. Before Jio set up a cellphone tower in her village, Dayamenti plugged a 10-meter-long USB extension cord into a Huawei modem that she stuck on her rooftop, creating her own mini tower to get online.

Cheap data and the millions of new users also ensured the rise of apps, with entertainment becoming one of the biggest drivers. Users in the big Indian cities have flocked to the same apps as their peers across the globe, including Apple Music, Spotify, TikTok, YouTube, Facebook and WhatsApp. In the smaller cities, however, consumers have turned to more local and regional social networking apps like ShareChat and to apps that offer free content like Wynk, Gaana and Hotstar, Star India’s mobile and digital entertainment platform. For news, users turn to Facebook as well as UC News and Dailyhunt.

Disrupting daily life

Lateef Mushtaq, a native of Kashmir who is pursuing an undergraduate degree in technology in Delhi, has experienced internet disruptions countless times, he says. Mushtaq was on a two-week internship in Kashmir last July with state-owned telecom company BSNL to measure internet speeds in different areas when the internet was shut down. The company had to extend the internship to six weeks so he could complete the project.

More recently in February he was home and was scheduled to take an exam online when a suicide bomber blew up a convoy of vehicles carrying security personnel, killing at least 40 in an area called Pulwama. India blamed archenemy and the neighboring state of Pakistan, which denied the allegations.

In the midst of escalating tensions between the two nuclear armed neighbors, the internet speed in Mushtaq’s area was reduced to 2G. But he still had to take his exam, a frustrating experience as he found that the same page was being reloaded after he would submit his responses instead of moving forward to the next set of questions.

“I was submitting my answers, but it kept going back to the previous page,” he says. “I kept answering the same questions again and again.” Mushtaq couldn’t finish the paper and scored 63 percent on it. He says he could’ve done much better.

“In Delhi the internet is never shut down so when it happens to me now, I feel like I’m locked down in a single room without access to the world,” he says.

Finding any available network

While mobile phone services are disrupted frequently, the government occasionally spares the state-run BSNL as the armed forces also use this service. Mushtaq has in the past tried to get a BSNL broadband connection but without success. These connections are prized possessions and Kashmiri teenagers develop hacking skills early in an effort to ride on any broadband network when the government shuts their mobile services down.

“If we hear about a house with broadband, we try to crack the password,” admits Mushtaq. Networks that are secured on WiFi Protected Access (WPA) security standard are easy to crack and there are several apps on the Google play store that help with that, says Mushtaq.

When it’s just some sites or apps have been blocked, Mushtaq and his friends have turned to virtual private networks (VPNs) or proxy services to find a way around the blocks, he says.

Internet shutdowns have cost India’s economy approximately $3.04 billion

But during a complete shutdown none of these workarounds do the trick, as Musthtaq found last year. He had to drive to another part of Kashmir where the internet was still working to check his score for an important entrance exam. Once he got the signal on his phone, he pulled up and sat on the roadside waiting for the website to load.

Similarly, during the 100-day shutdown in Darjeeling, Nirmal Tamang drove his daughter on his motorcycle more than 40 miles to another city where the internet was working so she could fill forms online to apply for undergraduate studies.

Battling ‘unlawful’ content

Rumors or provocative messaging on social media and instant messaging platforms have often been cited as reasons to order internet restrictions.

One critical issue involved the spate of mob attacks in India in the past couple years, fueled by widely circulated messages such as reports of strangers abducting children.

According to an analysis by IndiaSpend, a data journalism website, between January 1, 2017, and July 5, 2018 33 people were killed and at least 99 injured in 69 reported cases of mobs attacking people they suspected were planning to abduct children. In all the cases, the charges turned out to be baseless, with 77 percent of the reports based on fake news that had spread through social media.

With at least 200 million users in India, WhatsApp was one of the mediums through which these rumors spread, and in the aftermath of the violence, came to be a poster child for fake news.

New Delhi responded by asking the platform to take responsibility for the messages circulating on it, stating: “Such a platform cannot evade accountability and responsibility especially when good technological inventions are abused by some miscreants who resort to provocative messages which lead to spread of violence.” It added, “WhatsApp must take immediate action to end this menace and ensure that their platform is not used for such mala fide activities.” (In response, last July WhatsApp introduced a limit in India on the number of times a user could forward a message to five. It has now imposed that limit on the rest of the world as well.)

Since then, the Indian government has proposed rules that would force internet companies to remove content from their platforms. In late December, it issued a draft policy of rules intended to curb the misuse of social media and stop the spreading of fake news.

Apar Gupta likens the government’s proposal to “Chinese style censorship that would weaken free expression”

Under the policy, the government has proposed an amendment to Section 79 of India’s IT Act, which would require internet companies to take down content deemed inappropriate by authorities. And if a company receives a complaint from a law enforcement agency, it would be required to trace and report it within 72 hours and to disable that user’s access within 24 hours. Should this amendment go through, it would effectively break the end-to-end encryption that secures user communications on platforms like WhatsApp.

Another recommendation in the draft policy says that internet companies will have to purge their platforms of “unlawful” content. However, the policy doesn’t clearly define what makes something “unlawful”, raising concerns that the clause could be easily abused by authorities to remove any content they wish.

Internet companies and privacy advocates say the new measures, if implemented, pose a threat to free speech and would encourage censorship.

It’s “plainly unconstitutional,” says Gurshabad Grover, policy officer at the Centre for Internet and Society, a nonprofit organization. “By mandating online platforms to detect and remove “unlawful content” through automation, the draft rules shift the burden of judging whether content is legal from the state to private organizations. They will only lead to a great chilling effect on speech, and a regime of online censorship regulated by private parties,” he says.

IFF’s Gupta likens the proposal to “Chinese style censorship that would weaken free expression standards” and his organization has asked for a complete rollback of the proposal.

Website censorship on the rise

Large-scale disruptions and intentional slowdowns are not the only tools employed by the government to exert control over the internet. Specific websites and apps are also sporadically blocked.

In April 2017, in the wake of massive student protests in Kashmir, the state government banned access to 22 social media apps including Facebook, WhatsApp, Twitter, Snapchat, Skype, Telegram and WeChat, for a month.

Two experts at the United Nations Human Rights Office of the High Commissioner said the restrictions had “a significantly disproportionate impact on the fundamental rights of everyone in Kashmir,” and that they “fail to meet the standards required under international human rights law to limit freedom of expression.”

Another crackdown targeted the country’s 827 porn websites. In India it is not illegal to watch porn privately and the country has the dubious honor of being the world’s third-biggest porn watching country. Unsurprisingly, the ban didn’t fully succeed.

Within days of the government order, Pornhub, one of the biggest adult content sites, had launched a mirror website for India with an altered web address. Other workarounds in use included VPN or proxy services such as hide.me, hidester, and whoer.net. As per a TorrentFreak report, the search for VPNs shot up in the days after the ban. Users also switched to different browsers such as Alibaba’s UC Browser or the Opera browser where the banned sites could still be accessed.

Privacy advocates say the government’s amends to internet policy, if implemented, would encourage censorship.

Most recently, an Indian court banned China’s Beijing Bytedance Technology Co.-owned music and video app TikTok which had been downloaded by nearly 300 million users in India.

The ban came on the heels of a handful of incidences—a 24-year-old man in the southern city of Chennai reportedly committed suicide on being harassed for posting videos of himself dressed as a woman. Soon after, a member of a local political party of Chennai’s home state of Tamil Nadu declared that the younger generation was hooked on TikTok and getting pushed onto the path of cultural degradation. In response, a state minister promised to seek the federal government’s help to ban the app.

A Tamil Nadu court then banned downloads of the app and forbade the media from showing videos from the app, stating: “The dangerous aspect is that inappropriate contents including language and pornography are being posted in the TikTok App. There is a possibility of children contacting strangers directly […] Without understanding the dangers involved in these kinds of Mobile Apps, it is unfortunate that our children are testing with these Apps.”

After TikTok responded that it was experiencing a daily financial loss of $500,000 and 250 jobs had been put at risk, the ban was eventually lifted, at which point the app’s downloads surged.

No reason for some blocks

However, not all website and app bans are justified, explained or commented upon by the government. In August 2018, for example, the country’s telecom minister informed parliament that since January 2016, the Department of Telecom had asked internet service providers to ban 11,045 websites, news agency Press Trust of India reported. Yet the minister didn’t offer any explanations on why these websites had been targeted.

One site that has been blocked on multiple occasions is the Internet Archive, also known as the Wayback Machine. In the past few months, other sites that have been banned include audio streaming site SoundCloud, encrypted messaging service Telegram, and graphic design website Behance, among others. According to IFF’s Gupta, the reasons for the blocks are not disclosed.

Internet service providers have become the de facto enforcers of the government’s digital concerns.

In January, IFF received several complaints from users that they couldn’t access Reddit. The IFF then invited users to fill an online form to share the list of sites and VPNs that they were unable to access. By late March it had received nearly 200 responses from across the country. Reddit frequently appeared, as did several other major platforms including Spotify, Alexa.com, SoundCloud, Telegram and several VPNs. The largest number of complaints came from those who were Reliance Jio customers, followed by Airtel.

An Airtel Spokesperson said that the company “supports an open internet and does not block any content on its network unless directed by the authorities/court in accordance with the applicable law.”

A Jio spokesperson declined to comment.

To save India’s open internet

Gupta calls these “core net neutrality violations,” as internet service providers are legally obliged to provide equal access to all internet content. This, he says, “ultimately results in a very different version of the internet from the global commons and allows the ISPs, even sometimes political interests, to become gatekeepers to access of information.”

While India has net neutrality rules in place – thanks to a massive campaign in 2015 called Save the Internet – the problem, says Gupta, is a lack of enforcement. “A policy fix is required to enforce net neutrality rules,” he says.

In March, IFF relaunched a campaign for an open internet, asking users to report net neutrality violations and sign a petition asking the Department of Telecom and the country’s telecom regulator to introduce a clear enforcement mechanism. Some of these efforts are showing signs of success already, says Gupta, as the regulator is considering issuing a consultation paper on enforcing net neutrality.

Internet service providers have become the de facto enforcers of the government’s digital concerns.

Kushal Das, an India-based member of the Tor Project and a developer at the Freedom of the Press Foundation, says telecom companies like Jio block all VPNs so they retain insights into users’ browsing preferences that can be useful for advertisers.

“If you use a VPN, Jio will not know your taste in food, et cetera,” says Das. But Tor software can bypass these blocks and the number of Tor users in India has shot up three times since October 2017 to roughly 60,000 now, says Das.

“We should be able to ask people in power why blockades are being implemented,” says Das.

Policy points to restrictions

However, the Narendra Modi-led government has been keen to bring in rules for greater control over data and the internet.

In February, the government proposed a draft national e-commerce policy that sees data as “a collective resource” or a “national asset” that the government holds in trust but which can be auctioned off, like a coal mine. The draft also cautioned that this belongs to Indians and cannot be extended to foreigners.

IFF’s Gupta says the fact that the very framework of its drafting has not been made sufficiently public is worrying. “It may all seem very dull and dry but … any platform changes, any changes to government policy in India will reflect in demand in Europe and America eventually,” he says, due the large internet user base in India.

For now, in the days after a general election, all these policy proposals are on hold and it’s not clear how soon a new government would turn its attention to internet policies.

The one thing that activists can take some relief in is the fact that the government has acknowledged at least some of the internet shutdowns in the country were implemented without sufficient cause. In December, the Department of Telecom, in response to a request for information filed by IFF, said that “frequent internet suspension orders were being issued by various State governments… even in situations where it is not warranted.” It added that it had asked all state governments to “sensitize concerned officials/agencies” against such actions.

It’s anyone’s guess how long that pause will last.

For more details visit https://cis-india.org/internet-governance/news/top-10-vpn-megha-bahree-may-21-2019-in-parts-of-india-internet-shutdowns-are-a-fact-of-life

In our anxiety about the Blue Whale Challenge, are we missing the elephant in the room?

Admin — 2018-01-03T02:09:11Z

In the beginning, the Blue Whale Challenge seemed like it had all the hallmarks of an urban legend: an online self-harm game that instructed victims to commit increasing degrees of violence upon themselves, finally convincing them to commit suicide. While it was whispered about in schools, college corridors and Reddit forums, reporters found it difficult to trace.

The blog post by Karishma Attari was published by Scroll on September 9, 2017.

But since then, it appears to be accruing a body count: multiple suicides and suicide attempts in Russia, Kenya, Brazil, China, Spain, Italy, Chile and India have been attributed to people signing up for the challenge. The stories are often accompanied by images of a blue whale carved onto the victim’s skin or a last selfie taken before committing suicide.

The latest incident in India involves the last-minute rescue of a teenager in Jodhpur who attempted suicide twice – first by jumping into Kalina Lake on September 4, and then by overdosing on sleeping pills – within the same week. The teenager had carved the shape of a whale on her arm, and when interviewed, revealed that unless she completed the last task of the challenge, she believed that her mother would die.

Most victims of the Blue Whale Challenge across the world appear to have a few things in common – they are young and vulnerable to abuse online, and their connection with the game is hard to substantiate. While the stories speak to our wariness of technology-dependence, and send our parenting instincts into nervous overdrive, there is very little evidence on ground that the game even exists.

Ever since the challenge was first reported on a Russian news portal, news reports have debunked its existence, raising questions about the media’s responsibility in spreading unsubstantiated rumours and the manner in which the issue is being used to argue against the influence of the internet and promote panic. Much of the coverage regarding the challenge’s possible influence, begs the question: how can teens be raised in a way that makes them safe from the internet?

The Blue Whale Challenge in India

Cyber-lawyer Karnika Seth, who authored the book Protection of Children on Internet, admits that it is impossible to generate the kind of surveillance required to nip perceived online threats – both on account of privacy laws and the sheer scale of effort such an exercise would require. She calls the unregulated internet in India a “mammoth problem that cannot be overlooked anymore”.

While there is no specific law to be applied to a situation like the alleged Blue Whale Challenge, Seth pointed to acts relating to the cyber space like the IT Act and the Protection of Children from Sexual Offences Act, along with inbuilt provisions within the Indian Penal Code, such as Act 305, that could be applied.

There have been approximately 10 reported cases of suicide in India, which are believed to be related to the Blue Whale Challenge. Google Trends show that Indian interest in the phenomenon has been overwhelming – the most common searched phrases have been “Download Blue Whale Game”, which might suggest that people are keen to inflict self-harm, or just morbidly curious (particularly in Kochi and Calcutta).

Timely intervention appears to have saved at least a few lives, such as the case of an engineering student in Kolkata who claimed that having completed several levels of the game, he was pulled back from the brink of suicide by his teacher, parents and a CID officer who counselled him. He was quoted as saying: “My message to whoever is in this game is stop before it is too late. It is not a game…they give you challenges and they take you to places you cannot come back from. They drive you to suicide.”

But despite this, the police in India have found no direct link between the suicides and the existence of any virtual moderator, who according to the Blue Whale legend, instructs victims to inflict self-harm. A lot of the so-called links have been proved to be hearsay and hysteria as seen in the case of a 12-year-old from Indore, whose mother clarified that while he had admitted to “playing games”, he had never heard of Blue Whale.

A disturbing trend

Pranesh Prakash, Policy Director at the Centre for Internet and Society, concluded: “All the available evidence points to this being a hoax, including those situations where teenagers have actually engaged in self-harm by carving a whale on their arm and have blamed the ‘Blue Whale app’ and a stranger threatening them. The children have subsequently been found to be lying through hard evidence, for instance the mobile operator finds no records of any messages or calls at those timings to the child’s number.”

While the first suicide linked to the alleged challenge emerged in Russia in 2015, Prakash added: “[E]ven the Russian police haven’t revealed any evidence in their possession in the arrests they have made related to the Blue Whale Challenge, nor have those cases gone to trial. How else can one explain the fact that there hasn’t been evidence of a ‘tutor’ in even a single one of the cases reported in India?”

There is, however, a huge problem regardless of whether the game exists: “The harm caused by the media sensationalism is quite real thanks to what is known as the Werther effect, leading to copycat suicides,” Prakash said.

Authorities in most countries where victims have appeared have treated these claims seriously. In May, the Russian Duma or parliament made it an act of criminal responsibility to create a pro-suicide group on social media. Authorities in China and other countries are monitoring mentions of the game on forums and live broadcasts. The Delhi Police have issued an advisory after a cyber cell spotted related hashtags and messages on social networking sites. In India, the Ministry of Electronics and Information Technology directed several internet companies such as Google, Facebook, Instagram, WhatApp, Microsoft and Yahoo to remove all links which direct users to the Blue Whale Challenge.

The real problem

Teenage suicide is a growing concern worldwide and India has one of the world’s highest suicide rates for youth aged between 15 and 29. In the US, suicide is documented as the second leading cause of death for young people. The Netflix original series 13 Reasons Why was banned in several countries over accusations that it glamourised teen depressives and suicides.

The real conversation we need to be having with the youth is about their reasons for choosing self-harm – about mental health and depression. Dr Depeak Raheja, a senior psychiatrist and vice-president of the Delhi Psychiatric Society, suggested that parents who suspect their child might have suicidal urges should address not just the issue of the game, “but also the underlying causative factors – isolation, low self-worth, hopelessness and underlying or active depression”.

One way in which this is already happening is through online mental health support groups which are promoted as alternatives to the Blue Whale Challenge. In Brazil, a designer has created a viral counter movement called the Pink Whale (Baleia Rosa), which relies on the collaboration of hundreds of volunteers and is based on positive tasks that combat depression. The British YouTuber HiggyPop has also set up an email service that sends daily Pink Whale challenges to participants. In the United States, a site called Blue Whale Challenge uses fifty days of tasks to promote mental health and well-being, while the Green Whale Challenge is a humorous version of the game in Argentina.

The fear and anxiety around the Blue Whale Challenge shows our willingness to project our fears of an unregulated internet onto anything that fits the profile, even as we override all evidence to the contrary. Instead, parents in particular must treat the tragic aftermath of popular suicide games as an opportunity to have a necessary, if belated, conversation about depression and mental health. The Blue Whale challenge may well turn out to be a hoax, but the challenge of keeping teenagers safe and healthy is a very real one.

Karishma Attari is the author of I See You and Don’t Look Down. She runs a workshop series called Shakespeare for Dummies and is currently writing a novel titled The Want Diaries. Her Twitter handle is @KarishmaWrites.

For more details visit https://cis-india.org/internet-governance/news/scroll-karishma-attari-september-9-2017-in-our-anxiety-about-the-blue-whale-challenge-are-we-missing-the-elephant-in-the-room

In new Facebook features, a comeback for community

praskrishna — 2011-04-02T09:58:34Z

Nearly 750 tweets bombard the web every second. Internet traffic is growing by 40 per cent a year. People post 2.5 billion photos on Facebook every month. Every minute, 24 hours of video is uploaded on YouTube. But who owns all that data? Until now, big business was in complete control and used the data to monetise operations. But all that is set to change. With Facebook launching two new features, ‘Groups' and a ‘Download your information,' the community is making a comeback.

More control over data

If Facebook CEO Mark Zuckerberg is to be believed, users now have more control over who sees their data and how much. They can also bundle up their entire social graph (as a zip file) and walk away to another service.

‘Groups' tries to tackle one of Facebook's long-standing problems. On Facebook, everyone, from your boss to your long-lost school friend, is a “friend.” And this means annoying, sometimes embarrassing situations.

An easy way to form small private groups on a social network, as we do in real life, is the “biggest problem in social networking,” Mr. Zuckerberg told journalists after the announcement.

The Groups feature allows you to form small circles of friends. Up to 300 Groups per user are allowed, and the tool also allows Group chat and emails. The groups can be open, closed, or secret, depending on the privacy settings.

Gaurav Mishra, Director (Digital and Social Media), MS&L Group, Asia-Pacific, says this step is important for Facebook, given the rising competition in social networking.

With alternatives on the horizon, such as Diaspora, which is being designed as an open-source, privacy-conscious social network, and Google's plans to integrate social networking elements into its services through ‘Google Me,' Facebook has to take up this “strategic pre-emptive move,” says Mr. Mishra.

But the Groups feature comes with its own baggage. It is not ‘opt in.' A friend can add you to the Group, and you get to decide whether you want to be in it or not. It appears that in the trade-off between giving the user more control and encouraging use, Facebook has chosen the latter.

Users will also have to be prepared for more noise as the new features offer a mirage of secure conversation space that will encourage them to share more personal details.

“The amount of sharing will go up massively and will be completely addictive,” Mr. Zuckerberg predicted.

Sunil Abraham, Executive Director, Centre for Internet and Society, says: “Facebook has always taken a more promiscuous approach to configuring our social behaviour online, the primary motivation being the maximisation of user transactions and consequently profits.”

According to him, the logic of adding a user to a group without seeking permission first makes a lot of assumptions, including that you check your account regularly to do early damage control and that your friends follow best security practices.

“I would warn people not to do anything on a Facebook group — open, closed or secret — that they would not do on email.”

Read the original in the Hindu

For more details visit https://cis-india.org/news/new-facebook-features

In India, Privacy Policies of Fintech Companies Pay Lip Service to User Rights

shweta — 2019-07-31T02:21:40Z

A study of the privacy policies of 48 fintech companies that operate in India shows that none comply with even the basic requirements of the IT Rules, 2011.

The article by Shweta Mohandas highlighting the key observations in Fintech study conducted by CIS was published in the Wire on July 30, 2019.

Earlier this month, an investigation revealed that a Hyderabad-based fintech company called CreditVidya was sneakily collecting user data through their devotional and music apps to assess people’s creditworthiness.

This should be unsurprising as the privacy policies of most Indian fintech companies do not specify who they will be sharing the information with. Instead, they employ vague terminology to identify sharing arrangements such as ‘third-party’, ‘affiliates’ etc.

This is one of the many findings that we came across while analysing the privacy policies of 48 fintech companies that operate in India.

The study looked at how the privacy policies complied with the requirements of the existing data protection regime in India – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The IT Rules, among other things, require that privacy policies specify the type of data being used, the purpose of collection, the third parties the data will be shared with, the option to withdraw consent and the grievance redressal mechanism.

The rules also require the privacy policy to be easily accessible as well as easy to understand. The problem is that they are not as comprehensive and specific as, say, the draft Personal Data Protection Bill, which is awaiting passage through parliament, and hence require the companies to do much less than privacy and data protection practices emerging globally.

Nevertheless, despite the limited requirements, none of the companies in our sample of 48 were fully compliant with the parameters set by the IT Rules.

While 95% of the companies did fulfil the basic requirement of actually formulating and having a privacy policy, two major players stood out as defaulters: Airtel Payments Bank and Bhim UPI, for which we were not able to locate a privacy policy.

Though a majority of the privacy policies contained the statement “we take your privacy and security seriously”, 43% of the companies did not provide adequate details of the reasonable security practices and procedures followed.

The requirement in which most companies did not provide information for was regarding a grievance redressal mechanism, where only 10% of the companies comply.

While 31% of the companies provided the contact of a grievance redressal officer (some without even mentioning the redressal mechanism), 37% of the companies provided contact details of a representative but did not specify if this person could be contacted in case of any grievance.

Throughout the study, it was noted that the wording of the IT Rules allowed companies to use ambiguous terms to ensure compliance without exposing their actual data practices. For example, Rule 5 (7) requires a fintech company to provide an option to withdraw consent. Twenty three percent of the companies allowed the user to opt out or withdraw from certain services such as mailing list, direct marketing and in app public forums but they did not allow the user to withdraw their consent completely. While several of 17 companies did provide the option to withdraw consent, they did not clarify whether the withdrawal also meant that the user’s data was no processed or shared.

However, when it came to data retention, most of the 27 companies that provided some degree of information about the retention policy stated that some data would be stored for perpetuity either for analytics or for complying with law enforcement. The remaining 21 companies say nothing about their data retention policy.

In local languages

The issue of ambiguity most clearly arises when the user is actually able to cross the first hurdle – reading an app’s privacy policy.

With fintech often projected as one of the drivers of greater financial inclusion in India, it is telling that only one company (PhonePe) had the option to read the privacy policy in a language other than English. With respect to readability, we noted that the privacy policies were difficult to follow not just because of legalese and length, but also because of fonts and formatting – smaller and lighter texts, no distinction between paragraphs etc. added to the disincentive to read the privacy policy.

Privacy policies act as a notice to individuals about the terms on which their data will be treated by the entity collecting data. However, they are a monologue in terms of consent where the user only has the option to either agree to it or decline and not avail the services. Moreover, even the notice function is not served when the user is unable to read the privacy policy.

They, thus, serve as mere symbols of compliance, where they are drafted to ensure bare minimum conformity to legal requirements. However, the responsibility of these companies lies in giving the user the autonomy to provide an informed consent as well as to be notified in case of any change in how the data is being handled (this could be when and whom the data is being shared with, if there has been a breach etc).

With the growth of fintech companies and the promise of financial inclusion, it is imperative that the people using these services make informed decisions about their data. The draft Personal Data Protection Bill – in its current form – would encumber companies processing sensitive personal data with greater responsibility and accountability than before. However, the Bill, similar to the IT Rules, endorses the view of blanket consent, where the requirement for change in data processing is only of periodic notice (Section 30 (2)), a lesson that needs to be learnt from the CreditVidya story.

In addition to blanket consent, the SPD/I Rules and well as the PDP Bill does not require the user to be notified in all cases of a breach. While the information that is provided to data subjects is necessary to be designed keeping the user in mind, neither the SPD/I Rules, nor the PDP Bill take into account the manner in which data flows operate in the context of ‘disruptive’ business models that are a hallmark of the ‘fintech revolution’.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights

In India, Prism-like Surveillance Slips Under the Radar

praskrishna — 2013-07-03T09:31:18Z

Prism, the contentious U.S. data-collection surveillance program, has captured the world’s attention ever since whistle-blower Edward Snowden leaked details of global spying to the Guardian and Washington Post.

The article by Anjan Trivedi was published in Time World on June 30, 2013. Sunil Abraham is quoted.

However, it turns out India, the world’s largest democracy, is building its own version to monitor internal communications in the name of national security. Yet India’s Central Monitoring System, or CMS, was not shrouded in secrecy — New Delhi announced its intentions to watch over its citizens, however mutedly, in 2011, and rollout is slated for August. And while reports that the American system collected 6.3 billion intelligence reports in India led to a lawsuit at the nation’s Supreme Court, comparable indignation has been conspicuously lacking with the domestic equivalent.

CMS is an ambitious surveillance system that monitors text messages, social-media engagement and phone calls on landlines and cell phones, among other communications. That means 900 million landline and cell-phone users and 125 million Internet users. The project, which is being implemented by the government’s Centre for Development of Telematics (C-DOT), is meant to help national law-enforcement agencies save time and avoid manual intervention, according to the Department of Telecommunications’ annual report. This has been in the works since 2008, when C-DOT started working on a proof-of-concept, according to an older report. The government set aside approximately $150 million for the system as part of its 12th five-year plan, although the Cabinet ultimately approved a higher amount.

Within the internal-security ministry though, the surveillance system remains a relatively “hush-hush” topic, a project official unauthorized to speak to the press tells TIME. In April 2011, the Police Modernisation Division of the Home Affairs Ministry put out a 90-page tender to solicit bidders for communication-interception systems in every state and union territory of India. The system requirements included “live listening, recording, storage, playback, analysis, postprocessing” and voice recognition.

Civil-liberties groups concede that states often need to undertake targeted-monitoring operations. However, the move toward extensive “surveillance capabilities enabled by digital communications,” suggests that governments are now “casting the net wide, enabling intrusions into private lives,” according to Meenakshi Ganguly, South Asia director for Human Rights Watch. This extensive communications surveillance through the likes of Prism and CMS are “out of the realm of judicial authorization and allow unregulated, secret surveillance, eliminating any transparency or accountability on the part of the state,” a recent U.N. report stated.

India is no stranger to censorship and monitoring — tweets, blogs, books or songs are frequently blocked and banned. India ranked second only to the U.S. on Google’s list of user-data requests with 4,750 queries, up 52% from two years back, and removal requests from the government increased by 90% over the previous reporting period. While these were largely made through police or court orders, the new system will not require such a legal process. In recent times, India’s democratically elected government has barred access to certain websites and Twitter handles, restricted the number of outgoing text messages to five per person per day and arrested citizens for liking Facebook posts and tweeting. Historically too, censorship has been India’s preferred means of policing social unrest. “Freedom of expression, while broadly available in theory,” Ganguly tells TIME, “is endangered by abuse of various India laws.”

There is a growing discrepancy and power imbalance between citizens and the state, says Anja Kovacs of the Internet Democracy Project. And, in an environment like India where “no checks and balances [are] in place,” that is troubling. The potential for misuse and misunderstanding, Kovacs believes, is increasing enormously. Currently, India’s laws relevant to interception “disempower citizens by relying heavily on the executive to safeguard individuals’ constitutional rights,” a recent editorial noted. The power imbalance is often noticeable at public protests, as in the case of the New Delhi gang-rape incident in December, when the government shut down public transport near protest grounds and unlawfully detained demonstrators.

With an already sizeable and growing population of Internet users, the government’s worries too are on the rise. Netizens in India are set to triple to 330 million by 2016, according to a recent report. “As [governments] around the world grapple with the power of social media that can enable spontaneous street protests, there appears to be increasing surveillance,” Ganguly explains.

India’s junior minister for telecommunications attempted to explain the benefits of this system during a recent Google+ Hangout session. He acknowledged that CMS is something that “most people may not be aware of” because it’s “slightly technical.” A participant noted that the idea of such an intrusive system was worrying and he did not feel safe. The minister, though, insisted that it would “safeguard your privacy” and national security. Given the high-tech nature of CMS, he noted that telecom companies would no longer be part of the government’s surveillance process. India currently does not have formal privacy legislation to prohibit arbitrary monitoring. The new system comes under the jurisdiction of the Indian Telegraph Act of 1885, which allows for monitoring communication in the “interest of public safety.”

The surveillance system is not only an “abuse of privacy rights and security-agency overreach,” critics say, but also counterproductive in terms of security. In the process of collecting data to monitor criminal activity, the data itself may become a target for terrorists and criminals — a “honeypot,” according to Sunil Abraham, executive director of India’s Centre for Internet and Society. Additionally, the wide-ranging tapping undermines financial markets, Abraham says, by compromising confidentiality, trade secrets and intellectual property. What’s more, vulnerabilities will have to be built into the existing cyberinfrastructure to make way for such a system. Whether the nation’s patchy infrastructure will be able to handle a complex web of surveillance and networks, no one can say. That, Abraham contends, is what attackers will target.

National security has widely been cited as the reason for this system, but no one can say whether it will actually help avert terrorist activity. India’s own 9/11 is a case in point: the Indian government was handed intelligence by foreign agencies about the possibility of the 2008 Mumbai terrorist attacks, but did not act. This is a “clear indication that having access to massive amounts of data is not necessarily going to make people safer,” Kovacs tells TIME. However, officers familiar with the new system say it will not increase surveillance or enhance intrusion beyond current levels; it will only strengthen the policy framework of privacy and increase operational efficiency. Spokespersons and officials in the internal-security and telecom departments did not respond to requests or declined to comment.

The government has been cagey about details on implementation and extent. This ability to act however the authorities deems fit “just makes it really easy to slide into authoritarianism, and that is not acceptable for any democratic country,” Kovacs says. Indeed, India has seen that before — almost four decades ago, Indira Gandhi declared a state of emergency for 19 months, which suspended all civil liberties. Indians complaining about Prism may want to look a little closer to home.

For more details visit https://cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar

In India, Biometric Data Storage Sparks Demands for Privacy Laws

praskrishna — 2016-03-23T02:27:05Z

In India, calls for strict privacy laws are growing after this week's passage of a measure that allows federal agencies access to biometric data of the nation's citizens, the world's largest such repository.

The article by Anjana Pasricha was published in Voice of America on March 18, 2016. Pranesh Prakash gave inputs.

The government says the use of biometrics will help cut rampant graft in the distribution of subsidies, but activists and opposition lawmakers warn it could usher in an era of increased state surveillance.

Raghubir Gaur, who works as an electrician in the capital, New Delhi, says he has never collected subsidized rations such as wheat and rice, because “somebody else has been taking the rations I should have gotten.” Now, with a national proof of identity, or "Aadhaar" card in his hands, Gaur says he is confident he will be able to access his designated subsidies.

The Aadhaar card is being used to give welfare benefits to the poor, who often cannot provide any proof identity, allowing corrupt officials to siphon entitlements.

The government says it has saved nearly $2 billion by preventing misuse of the subsidies in the last fiscal year alone.

Critics fear ‘police state’

Civil activists and research groups, however, have dubbed the Aadhaar program “surveillance technology” that constitutes a serious breach of privacy. They point to identity-verification systems in other countries, where cards or identification numbers are used for verification without creating a gigantic central database that documents every last transaction.

Indeed, the Aadhaar database also stores fingerprints and iris scans of every account holder, labeling each with a 12-digit identification number.

Concerns that this could lead to a massive invasion of privacy have been heightened because the new law allows the data to be used “in the interest of national security.”

“From verifying yourself to the ticket conductor on a train to someone who is delivering something at your house, all the way to opening a new bank account, all these transactions get logged against the centralized data base," says Pranesh Prakash of the Center for Internet and Society in Bangalore. "So this invades your life completely and thoroughly.”

Some lawyers and privacy advocates say this has made it even more important to support a strong privacy law to ensure the huge government database isn't misused.

Finance Minister Arun Jaitley has defended the biometrics legislation, saying the data will be accessed only in rare cases that require authorization by a senior official.

“You mark my words, you are midwifing a police state,” said lawmaker Asaduddin Owaisi, just one parliamentarian opposed passage of the legislation and found no comfort in Jaitley's assurances.

Fraud concerns

Despite objections, the bill was passed by legislators who argued that such a move is critical to ensuring subsidies reach intended beneficiaries in a country where millions are poor and illiterate.

Attempts to draft a right to privacy bill to protect individuals against misuse of data by government or private agencies date back to 2010, but have made little headway. The latest push started in 2014.

Citing a cyberattack targeting the U.S. government, in which a hacker gained access to the information of millions of people, research groups have also flagged security concerns around India’s ambitious Aadhaar program.

“If this database gets leaked, the entire identification system collapses because people will be able to authenticate themselves as anyone else. So identity fraud is a great concern,” said Prakash of the Center for Internet and Society.

Nearly one billion biometric identity cards have been issued in India in the last six years.

For more details visit https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws

Improving Collective Intelligence

radha — 2011-04-05T04:19:02Z

CIS in collaboration with iMorph, Inc. and Program For the Future, is organizing a Tweetup on Dec 20th, 2009 at TERI from 4pm to 7pm.

The tweetup is to increase the awareness for "Improving Collective Intelligence".

Tools like Twitter and other social networks allow global participation of a large number of people in solving some of the World's pressing problems. This Tweetup is aimed at identifying some of these problems, brainstorming about ways to solve them and raise the awareness of the power of Collective Intelligence.

Specially, a Collective Intelligence Challenge organized by "The Program For The Future" will be the first step towards the effort. A description of the project (from the website - http://thetechvirtual.org/projects)

Develop a practical method, tool or technology that connects people so that they collectively act more intelligently. The challenge embraces all areas of human endeavor – not just technical domains like computing or engineering but also the arts, business, economics, education, government, health, law, philanthropy, science and other spheres. Winning entries will be displayed in the participating museums.

Participating museums: Tech Museum of Innovation, MIT Museum , Science Center Singapore, Citilab Barcelona, Global Women's Leadership Network

Indian Organizations - National Institute of Engineering, Mysore, Innovation Cell at KCG College of Technology

More Information

Contacts:
Dorai Thodla - dorait@gmail.com
Hrish Thota - dhempe@gmail.com

For more details visit https://cis-india.org/events/improving-collective-intelligence

Implications of post-Snowden Internet localization proposals

praskrishna — 2014-07-03T07:09:25Z

The Ninth Annual Internet Governance Forum (IGF) Meeting will be held in Istanbul, Turkey on 2-5 September 2014. The venue of the meeting is Lütfi Kirdar International Convention and Exhibition Center (ICEC).

Sunil Abraham will be speaking in this workshop organized by Internet Society and Center for Democracy and Technology at the IGF.

Examples include mandatory storage of citizens' data within country, mandatory location of servers within country (e.g. Google, Facebook), launching state-run services (e.g. email services), restricted transborder Internet traffic routes, investment in alternate backbone infrastructure (e.g. submarine cables, IXPs), etc.

Localization of data and traffic routing strategies can be powerful tools for improving Internet experience for end-users, especially when done in response to Internet development needs. On the other hand, done uniquely in response to external factors (e.g. foreign surveillance), less optimal choices may be made in reactive moves.

How can we judge between Internet-useful versus Internet-harmful localisation and traffic routing approaches? What are the promises of data localization from the personal, community and business perspectives? What are the potential drawbacks? What are implications for innovation, user choice and the availability of online services in the global economy? What impact might they have on a global and interoperable Internet? What impact (if any) might these proposals have on user trust and expectations of privacy?

The objective of the session is to gather diverse perspectives and experiences to better understand the technical, social and economic implications of these proposals.

Name(s) and stakeholder and organizational affiliation(s) of institutional co-organizer(s)

Organizer:
Nicolas Seidler, Policy advisor
Technical community
Internet Society
Co-organizer:
Matthew Shears
Civil society
Center for Democracy and Technology

Names and affiliations (stakeholder group, organization) of speakers the proposer is planning to invite

Mr. Chris Riley, Senior Policy Engineer, Mozilla Corporation, Private sector (CONFIRMED)
Mr. Jari Arkko, Chair of the Internet Engineering Task Force, Technical community (CONFIRMED)
Mr. Christian Kaufmann, Director Network Architecture at Akamai Technologies, Private sector (CONFIRMED)
Ms. Emma Llanso, Director of Free Expression Project, Center for Democracy and Technology, Civil Society (CONFIRMED)
Mr. Sunil Abraham, Executive Director, Center for Internet and Society, India, Civil Society (CONFIRMED)
Mr. Thomas Schneider, Deputy head of international affairs, Swiss Federal Office of Communication (OFCOM), Government (CONFIRMED)

Name of Moderator(s)

Nicolas Seidler, Policy advisor, Internet Society

Name of Remote Moderator(s)

Konstantinos Komaitis

For more details visit https://cis-india.org/news/igf-2014-session-post-snowden-localisation

Implications of post-Snowden Internet Localization Proposals

praskrishna — 2014-10-05T08:59:27Z

Sunil Abraham was a speaker in this workshop organized by Center for Democracy and Technology on September 2, 2014.

Following the 2013-2014 disclosures of large-scale pervasive surveillance of Internet traffic, various proposals to "localize" Internet users' data and change the path that Internet traffic would take have started to emerge.

Examples include mandatory storage of citizens' data within country, mandatory location of servers within country (e.g. Google, Facebook), launching state-run services (e.g. email services), restricted transborder Internet traffic routes, investment in alternate backbone infrastructure (e.g. submarine cables, IXPs), etc.

Localization of data and traffic routing strategies can be powerful tools for improving Internet experience for end-users, especially when done in response to Internet development needs. On the other hand, done uniquely in response to external factors (e.g. foreign surveillance), less optimal choices may be made in reactive moves.

How can we judge between Internet-useful versus Internet-harmful localisation and traffic routing approaches? What are the promises of data localization from the personal, community and business perspectives? What are the potential drawbacks? What are implications for innovation, user choice and the availability of online services in the global economy? What impact might they have on a global and interoperable Internet? What impact (if any) might these proposals have on user trust and expectations of privacy?

The objective of the session is to gather diverse perspectives and experiences to better understand the technical, social and economic implications of these proposals.

For full details see the IGF website.

For more details visit https://cis-india.org/internet-governance/news/implications-of-post-snowden-internet-localization-proposals

Implementing Indian languages in feature phones will be difficult

praskrishna — 2016-08-10T15:51:44Z

A recent government standard requiring support for inputting text in any one Indian language in mobile phones - along with Hindi and English - has manufacturers worried. The companies argue that the well-intentioned move may be difficult to implement, especially in the case of feature phones, because inventory and logistics will have to be planned for each state.

The article by Gulveen Aulakh and Neha Alawadhi was published in the Economic Times on August 10, 2016. Sunil Abraham was quoted.

The Bureau of Indian Standards (BIS) said in June that all mobile phones must support the ability to type messages in English, Hindi and at least one additional Indian official language. It also requires message readability for all 22 Indian official languages. The objective is to enable widespread communication in local languages, especially for people who may not use English or Hindi with as much ease.

Handset makers said while such changes, which are yet to be notified, can be done easily through software in smartphones, it would be a big challenge for feature phones because of screen and keypad limitations, apart from managing supplies.

"It will be nightmarish to do planning for the number of models (with different languages) to be sold in each state, and plan inventory and logistics around that, so it's very challenging," said Gaurav Nigam, product head of Lava International, which has a phone with message-reading ability in all 22 Indian official languages.

Nigam said the BIS standard does not mandate the printing of vernacular languages on keypads, which would have created a massive hurdle for mobile phone manufacturers. "I might end up over-stocking in some states and lesser inventory in some states, which might lead to loss of sales since I won't be able to divert a Kerala-printed stock to Punjab or any other state," Nigam said. However, the government is hopeful of compliance.

An official said logistical and supply-chain issues can be addressed by companies. "We are talking to them and we are open to giving them a leeway of nine to 12 months to implement the order," said the official, requesting anonymity.

The official said although the government had started consultations on the premise that the third language should be imprinted on the keypad, it was felt in due course that other technologies could also be used. "Some lanFeature phones account for 65 per cent of the total mobile phone user base of about 700 million in India and are popular in rural areas and smaller towns. Sales of feature phones in the country declined to 150 million last year from 179-180 million, according to International Data Corporation, a US market research company.

The Indian Cellular Association, which represents mobile phone makers in India including Apple, Samsung Electronics, Micromax Informatics and Intex, said that it was talking to the BIS and the Department of Electronics and Information Technology on excluding the imprinting of vernacular language characters on keypads from the standard and allowing handset makers to develop solutions for local language input capability in phones.

"A formal communication or notification is expected soon from DeitY on implementing the rules," said Pravin Gondane, associate director at ICA. The department is expected to hold consultations with the industry by the month-end before it comes out with a notification that mandates the standard.

Sunil Abraham, executive director of the Centre for Internet and Society, suggested a middle ground where the government could map all reasonably popular input standards and document them so that customers can pick a phone they are comfortable with.

While awaiting the notification, the association has internally sent notices to all companies stating that printing on keypads may not be necessary, even for feature phones, Gondane said. Alternative solutions could include a keypad cover that lists vernacular language characters for text input and inputting of text through a virtual keypad.

While a task force set up by DeitY admits it's a challenge to implement this rule for feature phones because the number of keys is limited, it suggested that a common minimum framework to assign characters on 12 keys should follow international standards and incorporate Indian languages requirement on the same. The taskforce has issued best practices for designing Indian language text-entry mechanisms for phones with 12 keys, rather than lay out a standard for keypads.

Smartphones have touchscreens, making language reading and inputting changes a software requirement that's easy to implement. Samsung smartphones and feature phones are enabled with typing, reading and changing user interface in 14 local languages, said Manu Sharma, the company's VP of mobile business.guages can be easily printed on the keyboard, while others can be enabled through typing on the screen," the official said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-august-10-2016-gulveen-aulakh-neha-alawadhi-implementing-indian-languages-in-feature-phones-will-be-difficult

Impact of Industrial Revolution 4.0 - IT and Automotive Sector in India by the Dialogue and FES

Admin — 2019-08-27T00:13:32Z

On August 21, 2019, Aayush Rathi, attended a report launch event and focus group discussion on the "Impact of Industrial Revolution 4.0 - IT and Automotive Sector in India". Research conducted by the Dialogue in collaboration with the Friedrich-Ebert-Stiftung (FES) were being presented.

At CIS, we have previously produced research on the future of work in these sectors. Aayush attended the event to understand how other researchers are approaching the subject of the future of work in terms of the methodological approach and the questions being asked and policy responses being proposed. In what may be treated as validation of our research design, FES and the Dialogue have addressed similar questions and adopted an empirical+desk based approach to do so as well.

For more details visit https://cis-india.org/internet-governance/news/impact-of-industrial-revolution-4-0-it-and-automotive-sector-in-india-by-the-dialogue-and-fes