We are anonymous, we are legion

If you thought India is a country where freedom of speech and expression are fundamental rights, think twice!

praskrishna — 2015-04-04T15:52:42Z

Having contributed significantly in growing pollution and corruption indices, there's one place where India seems to hold the top spot is: imposing restrictions on social media contents. There have been over 5,800 restriction requests recorded in the second half of 2014, as per Facebook's Government Requests Report.

The article was published in Business Insider on March 17, 2015. Pranesh Prakash was quoted.

Economic Times has reported that data and content restrictions across the globe are on the rise and India seems to have topped the list. The content restrictions from India have been constantly on the rise—it rose to 5,832 from 4,960 in the first half.

Things are not any different across the globe. "The amount of content restricted for violating local law increased by 11% over the previous half, to 9,707 pieces of content restricted, up from 8,774," said Monika Bickert, Facebook's head of global policy management, and Chris Sonderby, deputy general counsel, in a statement on the social networking website.

Other countries from where Facebook has observed an increased number of content restrictions requests are Turkey and Russia. Surprisingly, FET reported that the number of content restriction requests from Pakistan came down to 54 in the second half of 2014 from 1,773 in the first half.

It is worth noting that India is the second largest market for Facebook, with 112 million users until last year, second only to the United States. While these figures are alarming, counsel for the Software Freedom Law Centre told ET , "...it would have been better if Facebook had also given us more information on the kind of data that was being asked for. Now we only have consolidated figures. So what kind of data was asked for, that would have been more useful."

Pranesh Prakash, policy director at the Centre for Internet and Society, on the other hand, feels that the number of content restriction requests is not only high on an absolute number, but even on a per-user basis.

For more details visit https://cis-india.org/internet-governance/news/business-insider-march-17-2015-if-you-thought-india-is-a-country-where-freedom-of-speech-and-expression-are-fundamental-rights-think-twice

If the DIDP Did Its Job

asvatha — 2016-11-07T12:57:18Z

Over the course of two years, the Centre for Internet and Society sent 28 requests to ICANN under its Documentary Information Disclosure Policy (DIDP). A part of ICANN’s accountability initiatives, DIDP is “intended to ensure that information contained in documents concerning ICANN's operational activities, and within ICANN's possession, custody, or control, is made available to the public unless there is a compelling reason for confidentiality.”

Through the DIDP, any member of the public can request information contained in documents from ICANN. We’ve written about the process here, here and here. As a civil society group that does research on internet governance related topics, CIS had a variety of questions for ICANN. The 28 DIDP requests we have sent cover a range of subjects: from revenue and financial information, to ICANN’s relationships with its contracted parties, its contractual compliance audits, harassment policies and the diversity of participants in its public forum. We have blogged about each DIDP request where we have summarized ICANN’s responses.

Here are the DIDP requests we sent in:

Dec 2014	Jan/Feb 2015	Aug/Sept 2015	Nov 2015	Apr/May 2016
ICANN meeting expenditure	Revenue from gTLD auction	Implementation of NETmundial principles	IANA transition postponement	Board Governance Committee Reports
Granular revenue statements	Globalisation Advisory Groups	Raw data - Granular income data	Presumptive renewal of registries	Diversity Analysis
ICANN cyber attacks	Organogram	Compliance audits - registries	ICANN-RIR relationship	Compliance audits
Implementation of NETmundial outcome document	Involvement in NETmundial Initiative	Compliance audits - registrars		Harassment policy
Complaints to ICANN ombudsman	RIR contract fees	Registrar abuse contact		DIDP statistics *
		Verisign Contractual violations		gTLD applicant support program
		Contractual auditors		Root Zone Maintenance agreements
		Internal website

ICANN’s responses were analyzed and rated between 0-4 based on the amount of information disclosed. The reasons given for the lack of full disclosure were also studied.

DIDP response rating
0	No relevant information disclosed
1	Very little information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
2	Partial information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
3	Adequate information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
4	All information disclosed

ICANN has defined a set of preconditions under which they are not obligated to answer a request. These preconditions are generously used by ICANN to justify their lack of a comprehensive answer. The wording of the policy also allows ICANN to dodge answering a request if it doesn’t have the relevant documents already in its possession. The responses were also classified by the number of times a particular DIDP condition for non-disclosure was invoked. We will see why these weaken ICANN’s accountability initiatives.

Of the 28 DIDP requests, only 14% were answered fully, without the use of the DIDP conditions of non-disclosure. Seven out of 28 or 40% of the DIDPs received a 0-rated answer which reflects extremely poorly on the DIDP mechanism itself. Of the 7 responses that received 0-rating, 4 were related to complaints and contractual compliance. We had asked for details on the complaints received by the ombudsman, details on contractual violations by Verisign and abuse contacts maintained by registrars for filing complaints. We received no relevant information.

We have earlier written about the extensive and broad nature of the 12 conditions of non-disclosure that ICANN uses. These conditions were used in 24 responses out of 28. ICANN was able to dodge from fully answering 85% of the DIDP requests that they got from CIS. This is alarming especially for an organization that claims to be fully transparent and accountable. The conditions for non-disclosure have been listed in this document and can be referred to while reading the following graph.

On reading the conditions for non-disclosure, it seems like ICANN can refuse to answer any DIDP request if it so wished. These exclusions are numerous, vaguely worded and contain among them a broad range of information that should legitimately be in the public domain: Correspondence, internal information, information related to ICANN’s relationship with governments, information derived from deliberations among ICANN constituents, information provided to ICANN by private parties and the kicker - information that would be too burdensome for ICANN to collect and disseminate.

As we can see from the graph, the most used condition under which ICANN can refuse to answer a DIDP request is F. Predictably, this is the most vaguely worded DIDP condition of the lot: “Confidential business information and/or internal policies and procedures.” It is up to ICANN to decide what information is confidential with no justification needed or provided for it. ICANN has used this condition 11 times in responding to our 28 requests.

It is also necessary to pay attention to condition L which allow ICANN to reject “Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual.” This is perhaps the weakest point in the entire list due its subjective nature. Firstly, on whose standards must this information request be reasonable? If the point of a transparency mechanism is to make sure that information sought by the public is disseminated, should they be allowed to obfuscate information because it is too burdensome to collect? Even if this is fair given the time constraints of the DIDP mechanism, it must not be used as liberally as has been happening. The last sub point is perhaps the most subjective. If a staff member dislikes a particular requestor, this point would justify their refusal to answer a request regardless of its validity. This hardly seems fair or transparent. This condition has been used 9 times in our 28 requests.

Besides the DIDP non-disclosure conditions, ICANN also has an excuse built into the definition of DIDP. Since it is not obliged to create or summarize documents under the DIDP process, it can simply claim to not have the specific document we request and thus negate its responsibility to our request. This is what ICANN did with one of our requests for raw financial data. For our research, we required raw data from ICANN specifically with regard to its expenditure on staff and board members for their travel and attendance at meetings. As an organization that is answerable to multiple stakeholders including governments and the public, it is justified to expect that they have financial records of such items in a systematic manner. However, we were surprised to learn that ICANN does not in fact have these stored in a manner that they can send as attachments or publish. Instead they directed us to the audited financial reports which did little for our research. However, in response to our later request for granular data on revenue from domain names, ICANN explained that while they do not have such a document in their possession, they would create one. This distinction between the two requests seems arbitrary to us since we consider both to be important to public.

Nevertheless, there were some interesting outcomes from our experience filing DIDPs. We learnt that there has been no substantive work done to inculcate the NETmundial principles at ICANN, that ICANN has no idea which regional internet registry contributes the most to its budget, and that it does not store (or is not willing to reveal) any raw financial data. These outcomes do not contribute to a sense of confidence in the organization.

ICANN has an opportunity to reform this particular transparency mechanism at its Workstream 2 discussions. ICANN must make use of this opportunity to listen and work with people who have used the DIDP process in order to make it useful, effective and efficient. To that effect, we have some recommendations from our experience with the DIDP process.

That ICANN does not currently possess a particular document is not an excuse if it has the ability to create one. In its response to our questions on the IANA transition, ICANN indicated that it does not have the necessary documents as the multi stakeholder body that it set up is the one conducting the transition. This is somewhat justified. However, in response to our request for financial details, ICANN must not be able to give the excuse that it does not have a document in its possession. It and it alone has the ability to create the document and in response to a request from the public, it should.

ICANN must also revamp its conditions for non-disclosure and make it tighter. It must reduce the number of exclusions to its disclosure policy and make sure that the exclusion is not done arbitrarily. Specifically with respect to condition F, ICANN must clarify how information was classified as confidential and why that is different from everything else on the list of conditions.

Further, ICANN should not be able to use condition L to outright reject a DIDP request. Instead, there must be a way for the requester and ICANN to come to terms about the request. This could happen by an extension of the 1 month deadline, financial compensation by requester for any expenditure on ICANN’s part to answer the request or by a compromise between the requester and ICANN on the terms of the request. The sub point about requests made “by a vexatious or querulous individual” must be removed from condition L or at least be separated from the condition so that it is clear why the request for disclosure was denied.

ICANN should also set up a redressal mechanism specific to DIDP. While ICANN has the Reconsideration Requests process to rectify any wrongdoing on the part of staff or board members, this is not adequate to identify whether a DIDP was rejected on justifiable grounds. A separate mechanism that deals only with DIDP requests and wrongful use of the non-disclosure conditions would be helpful. According to the icann bylaws, in addition to Requests for Reconsideration, ICANN has also established an independent third party review of allegations against the board and/or staff members. A similar mechanism solely for reviewing whether ICANN’s refusal to answer a DIDP request is justified would be extremely useful.

A strong transparency mechanism must make sure that its objective are to provide answers, not to find ways to justify its lack of answers. With this in mind, we hope that the revamp of transparency mechanisms after workstream 2 discussions leads to a better DIDP process than we are used to.

For more details visit https://cis-india.org/internet-governance/blog/if-the-didp-did-its-job

If MNCs make early inroads, they will keep market share: Sunil Abraham, CIS

praskrishna — 2014-10-24T15:03:03Z

The article by J. Anand was published in the Financial Express on October 23, 2014. Sunil Abraham gave his inputs.

The recent visits of the high-profile CEOs of internet/technology companies have made it clear that India, with its 200-million internet users, is increasingly becoming important for the multinational corporations (MNCs). Bangalore-based Centre for Internet and Society (CIS) is a bit skeptical and feels some of these companies are trying to influence the internet policy-making of the country. Sunil Abraham, executive director of CIS, talks to FE’s Anand J regarding the government’s use of social media, the regulations and the plan for a Digital India. Edited excerpts:

We see a heightened interest in India from technology/internet companies, with their top CEOs visiting the country. What do you think is the reason?

In India, with little domestic competition, if these companies make early inroads, they will be able to keep the market share. The other reason is, the Indian government has made several proposals such as data localisation, mandatory data routing and so on, which have been demonised by the West as something that will balkanise the internet. Because India represents a big market, companies might be indulging in some amount of tokenism in the form of data centres. This is to show the government that they are willing to listen and lead the conversation to an agenda item that they are comfortable with and block some of the more dramatic proposals. The third reason could be that internet penetration might grow dramatically in the country and if the policy levers are moved appropriately, it will grow even more.

What is your stand on the government proposals?

In some ways, I agree with MNCs that some of the government proposals could break the architecture of internet. But then there are other proposals that are completely kosher. The domestic routing of an email if it travels within India is good as it will be difficult for the NSA to intercept then. From an internet design perspective, more fibre is good.

Data localisation though will result in balkanisation and might not yield desirable results. For instance, if you are watching a YouTube video, all the information about the user is stored by Google and all of that is stored outside the country. They might store some of this information as cache in a Google server temporarily. From a surveillance perspective, this user data called metadata is what the NSA might want. Even when it is collected in a local server, it might still be sent upstream.

What about the Indian government doing surveillance then?

There are different views on the surveillance capabilities of the Indian government. Some think that today the Indian government has the capability of engaging in mass surveillance. Others like me think that it can only do targeted surveillance and not mass surveillance. It does not have the infrastructure to pull that off and if it is doing targeted surveillance, it is mostly in compliance with the local laws.

Is the increasing use of social media by the government for its communication with citizens a concern?

If the government uses this private infrastructure to communicate with its citizens, there could be a variety of challenges and complications. First, all of these government communications must be mirrored on the government infrastructure as well. Otherwise, there is a concern around data retention. The government needs to have a copy in case a person goes to RTI for all the government communications to citizens. Secondly, the government is unwittingly becoming the salesperson for these global corporations.

Mark Zuckerberg has said that internet is a human right. Do you agree?

Internet is not a human right according to the UN. TV and Radio were never rights. All the basic human rights are to be protected irrespective of the communication medium of choice and will be legitimate even 100 years from now. The success of telecommunication and internet is market generated. If it becomes a human right, the companies are not delivering a service, but a human right and this complicates the issue. There will be new demands from citizens and litigations by citizens. If everybody demands 1GB every month, state does not have those resources.

India is a phone internet market. Indian internet is tied to Google now. Does the Android dominance — with a market share of around 90% — concern you?

It is hugely worrisome and yet another monopoly. It is not “free” software. From a privacy and national security perspective, it is a terrible development. Considering that it is based on Linux, there should have been several national and international competitors.

Has the era of hetergeneous internet with a million websites passed?

Internet is no longer decentralised; 80% of users’ time is now spent on a few products. And anywhere on internet, ad networks are tracking you. We ended up with the world’s biggest surveillance machine and surveillance is the business model of internet. It is very difficult to change this as we face the inertia of user behaviour.

What do you think of the government’s Digital India plan?

The government can use the billions from the Universal Service Obligation fund for broadband connectivity. The markets cannot handle back haul infrastructure and in most countries, some amount of state investment is necessary. Some of the open access details have to be worked out. The government seems to have a monopoly position in execution. We agree with the vision that every Indian should have a smartphone by 2019 and have a broadband connection too.

What are the regulations you want to see in place in India?

Internet users are currently overregulated with restrictions on what you can say. Let what is illegal offline be illegal online too. And government needs to think of enforceability.

The regulatory infrastructure for the government is limited. We want powerful companies to be regulated and follow global norms. The regulatory best practices are emerging from Europe in terms of competition, privacy, data protection, etc, and we need to follow them.

For more details visit https://cis-india.org/internet-governance/news/financial-express-october-23-2014-j-anand-if-mncs-make-early-inroads-they-will-keep-market-share

If data is the new oil, how much does an Indian citizen lose?

Admin — 2018-04-03T15:42:31Z

Surveillance capitalism is the business model of the Internet, so what exactly are we talking about here?

The article by Saurya Sengupta was published in the Hindu on March 31, 2018. Sunil Abraham was quoted.

“We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” That was the former executive chairman of Google, Eric Schmidt, trying to convince users that the tech giants did care about their privacy, ironically enough. But that was in 2010.

Fast forward eight years, and a lot has changed. The world has been rattled by revelations that the personally identifiable data of about 50 million Facebook users was breached by an analytics firm. Since then, the skeletons haven’t stopped tumbling out, with the news that the NaMo app asks for as many as 22 permissions from users, and that the official Congress app, since deleted, was vulnerable to data breach.

Bruce Schneier, an American security technologist and fellow at Harvard University’s Berkman Klein Center for Internet & Society, in his book Data and Goliath, says: “Google knows what kind of porn each of us searches for, which old lovers we still think about, our shames, our concerns, and our secrets.”

So, what does any of this mean for us, the lay users?

It may be helpful to start by asking what this ‘data’ is. “Whenever you use any service on your phone or browser, you end up giving a lot more information than you consciously recall. This includes not just the content of your interactions, but also metadata and so on,” says Nayantara Ranganathan, manager of the Internet Democracy Project’s Freedom of Expression programme. Metadata is, simply put, data about your data. So, for example, your location information, what time you were home, how many times you made calls to a certain number, and so on.

“This is known as behavioural data,” says Sunil Abraham, executive director of The Centre for Internet & Society, “which includes how fast or slow you scrolled, how long you stayed on a page, how many times you went to a particular part of a website, and so on.”

Bhajan or you?

This is not just data gathered by the large Facebook and Gmail apps, but also by a lot of the smaller ones. An app that plays bhajans, for example, may mine your data and share it. And what do the third parties do with this? Well, the idea is to simply embed you further in a consumerist panopticon.

To FB or not to be

As #DeleteFacebook gets louder, users agonise about leaving Facebook on Facebook, irony be damned
Truth is, quitting FB won't help. Because it's also about Google Photos and Maps and Candy Crush and Which Disney Villain Are You
In the absence of laws, you've no control of what apps can do with your data. Even after you've 'deleted' it
Facebook doesn't take responsibility for data collected by apps, and refers users to app developers instead
Quitting FB and other apps might be a privilege and not an option for most

“Surveillance capitalism is the business model of the Internet, and all social media apps make their money collecting data on users and monetising that,” says Schneier.

“Lots of apps have no revenue generation. Their only benefit is data,” says Manan Shah, founder and CEO of Avalance Global Solutions, a cyber security firm. In fact, he says, apps like WhatsApp are the obvious suspects while the smaller ones, like the bhajan one, slip under the radar.

All of it is part of ‘lead generation’ — the process of identifying potential customers for a service or business. “A call-centre is useless without data,” Shah says. “If I want to sell you an antivirus, for instance, a company will identify filters — who owns a computer, who has already purchased an antivirus, and so on. I can then target that user. This filtered data is often your full name, bank details, data about your debit and credit cards. Abraham says there is another fairly obvious purpose for all this data collection – to get you to spend as much time on the said platform as possible.

This explains why, for example, when you Google something, the suggested searches are often tailored in an eerie manner. If you search for a word, the second search suggestion will offer to get that word translated into the local language. So if you’re in Chennai, Tamil, or into Marathi if you’re in Mumbai.

This a product of profiling your location data as well as behavioural data. “Imagine the kind of insights your location information over the course of a month can expose: your residence, where you spend your mornings, your route to work, your loved one’s residence, and more,” says Ranganathan.

“Users are often not aware that they’ve given their consent to sharing this data,” says Nikhil Pahwa, digital rights activist. “The terms and conditions of every app are so complicated and voluminous that often you have no way of knowing what something is being used for and what you’ve given your permission to. That’s a failure of the kind of consent we have today,” he says. If an app developer, quips Pahwa, puts in a condition saying the user will name their first child after the app, the user is more than likely to click on ‘I agree’.

While the failure to make consent transparent is illegal, data collection in itself is a grey area. And what constitutes ‘misuse’ of data is murky because of the lack of regulations and clear outlines. “What if a salon has your phone number and sends an SMS saying your haircut is due,” asks S. Anand, CEO of data science firm Gramener. “Would you consider that misuse?”

It gets more ominous.

We’ll use it some day

At present, India has no law to stop apps from sharing your data with data brokers or data analytics firms. “The tendency has been to collect as much data as you can, even if it isn't relevant to your business today, because it might be some day or, better still, it might be valuable to others,” says Amba Kak, a Mozilla technology policy fellow. “This is why we need a law to say — collect what you need, not what you want.”

As an Indian citizen, your data today is breached, misused or sold, there is little you can do about it. “At most, users can be more vigilant about the apps they download, what permissions they give, and evaluate whether there are better alternatives,” says Ranganathan.

“One can approach a court and seek redress under the IT Act,” says Abraham, “but only if you have suffered a loss of property or money. If your data has been breached or leaked, and you haven’t suffered a monetary or property loss, there’s nothing you can do.”

The Justice Srikrishna committee, set up in July, is right now working on a draft data protection bill. The committee published a white paper last November, and a final report is expected by end of May. “The white paper itself looks fantastic,” Abraham tells me.

An ideal data protection law, says Kak, “will reflect the Supreme Court’s recent decision that all interference with the right to privacy must be necessary and proportionate.”

If data sharing is inevitable in the digital age, then it could be made illegal, for instance, to share data that can identify individuals. Anand says, “This could be done by replacing all names with a new random name or by aggregating total purchases by store and product rather than by individual purchase.”

So in an era where we have been casually asked to accept that ‘data is the new oil’, who is the biggest loser? “Framing 'data' as the new oil is dangerous,” says Ranganathan. Kak agrees: “This is a tired analogy that doesn't seem to get us anywhere except to recognise that data is a source of profit for the private sector.” She would rather go with Turkish sociologist Zeynep Tufekci’s definition where we think of data privacy like clean air or safe drinking water. “It is a public good that we need to safeguard as a collective through laws that make controllers of data accountable,” says Kak.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-march-31-2018-saurya-sengupta-if-data-is-new-oil-how-much-an-indian-citizen-lose

If all goes well, Indian IT Act may enter 21st century

praskrishna — 2016-10-06T16:49:12Z

The government is aiming to refresh the main law governing information technology by giving it a revamp which it hopes will bring it in tune with the times and address criticisms about its weaknesses, a senior official said on condition of anonymity.

The article by Surabhi Agarwal was published in the Economic Times on October 6, 2016. Sunil Abraham was quoted.

The move is triggered by the realisation that the Information Technology Act passed in 2000 and last amended eight years ago may be wanting in many respects due to advances in technology and its ubiquitousness in nearly every aspect of life.

The government will take a first step by constituting a committee whose job will be to make suggestions to refresh the law. The magnitude of fraud, terrorism, bullying and stalking in cyber space has grown along with advances in technology and its adoption, and these are some of the areas where the law could do with an update.

The government's massive push on Digital India is also leading to significant digitisation of government services and records. In 2000, when the Act was first passed, there were a mere 5 million internet users in the country. India has surpassed the US to become the second-largest Internet market with 436 million users as of June 2016.

"It has been realised that we need more provisions on things such as mobile security, internet of things," the official said. "The last amendment came in 2008, so almost a decade has passed." This person said that there is confusion among various law enforcement agencies regarding the ambit of the IT Act.

Fresh provisions are also required in fields such as how long agencies – both state as well as private – should hold citizens' information, which has been shared by them, for any kind of authentication through means such as emails. Supreme Court advocate and cyber security expert Pavan Duggal called the IT Act an "outdated" piece of legislation.

"The Act and the amendments are in the pre-social media era. Current realities, challenges and the policy aspects of cyberspace have not been addressed," he said. There are no provisions, for instance, for mandatory reporting of cyber-crime and cyber-security breaches, he said. Besides, there are the challenges posed by the dark net where everything from weapons to drugs are being peddled.

"Cyber bullying is the number one problem in Indian schools and universities which is not addressed in the Act. There have been no convictions for cyber stalking which is extremely prevalent in India," Duggal said, suggesting measures such as the setting up of special courts for cyber crime and terror.

In the past couple of years, the government has come under fire for several attempts to bring in laws on encryption, contain pornography and the spread of obscene material online. The Internet and Mobile Association of India (IAMAI) said that while the move to change the Act is welcome, it should be done in an "inclusive" manner with the "widest possible public consultation" and not by a committee which consists only of government representatives.

Subho Ray, president of IAMAI said that while the definition of intermediaries needs to be reviewed and the list expanded, citizens' fundamental rights need to kept in mind while trying to bring back a modified form of Section 66A (it dealt with offences on the internet), which was struck down by the Supreme Court as unconstitutional.

The ministry of electronics and IT is currently trying to form a committee with experts from the private sector, the source said, and cautioned about the prospect of a "long-haul" before changes come about. Sunil Abraham, director of the Centre for Internet and Society (CIS) said that India's data protection laws under Section 43A of the IT Act must be upgraded and this would help Indian companies which export IT-enabled services.

"We also need to apply the principle of equivalence more clearly, which says that if something is illegal offline, it should also be illegal online," said Abraham.

For more details visit https://cis-india.org/internet-governance/news/economic-times-surabhi-agarwal-october-6-2016-if-all-goes-well-indian-it-act-may-enter-twenty-first-century

IETF106

Admin — 2019-12-15T06:14:02Z

Gurshabad Grover participated at IETF106, which was held in Singapore 16-22 November, 2019.

In the meeting of the Human Rights Protocol Considerations (hrpc) research group, I presented an update to draft-irtf-hrpc-guidelines-03 (Guidelines for Human Rights Protocol and Architecture Considerations), which is an Internet Draft adopted by the hrpc rg that he is co-editing with Niels ten Oever. More info here.

Among other working/research group meetings, I participated theTransport Layer Security (tls) and the Privacy Enhancements and Assessments research group (pearg) sessions. I also participated inseveral side meetings, including the Public Interest Technology Group(pitg) meeting.

Agenda for the IETF and the different WGs/RG can be found on the IETF website.

For more details visit https://cis-india.org/internet-governance/news/ietf106

IETF Indian Community Meetup: RFCs We Love (IoT edition)

Admin — 2018-05-26T00:46:05Z

On May 19, 2018, Gurshabad Grover and Sandeep Kumar attended a 'RFCs We Love Meetup' of the Indian IETF Community held at Zoomcar's office in Bangalore. This meetup was dedicated to discussing IETF RFCs/Active Internet Drafts meant for Internet of Things (IoT) devices.

The agenda of the meeting was:

State of compression in IoT; Related RFCs: 6282, 6775, 8138 (Speaker: Rahul Arvind Jadhav, Huawei)
IoT Mesh Networks; Related RFCs: 6550, 3561, and draft-ietf-roll-efficient-npdao (Speaker: Rabi Sahoo, Huawei)
IoT protocols in moving Vehicles (Speaker: Vinayak Hegde, Zoomcar)
Update from IETF101

All the presentations used by the speakers, and the video recordings of the discussions can be found at this blog post by Dhruv Dhody, one of the attendees,

For more details visit https://cis-india.org/internet-governance/news/ietf-indian-community-meetup-rfcs-we-love-iot-edition

IETF 105

Admin — 2019-08-13T01:38:36Z

Gurshabad Grover attended a meeting of the Internet Engineering Task Force (IETF), IETF105, held in Montreal from July 20 - 26.

Gurshabad participated in several IETF working group meetings, IRTF researchgroups meetings and other sessions, including ones on Captive Portals,Transport Layer Security, Applications Doing DNS, DNS Privacy, andSoftware Updates for IoT Devices. At the meeting of the Human Rights Protocol Considerations (hrpc) research group of the IRTF, I co-presented (with Niels ten Oever) an update to the Internet Draft we are editing, 'Guidelines for Human Rights Protocol and Architecture Considerations'. For more info, click here

For more details visit https://cis-india.org/internet-governance/news/ietf-105

IETF 104 Prague

Admin — 2019-04-12T01:04:47Z

Karan Saini and Gurshabad Grover participated in IETF 104 organized by IETF in Prague from 23rd March to 29th March 2019.

Karan Saini:

Attended and scribed for the Privacy Enhancements and Assessments Proposed Research Group (PEARG) session.
Attended and made interventions in the Stopping Malware and Researching Threats (SMART RG) research group session.
Attended: DNS Over HTTPS (DOH), Domain Name System Operations (DNSOP), Transport Layer Security (TLS) and Authentication and Authorization for Constrained Environments (ACE WG) group sessions
Attended side meetings: Public Interest Technology (PITG) and Web Packaging (webpack)

Gurshabad Grover:

Attended and made interventions in the Captive Portals (capport) and Registration Protocols Extensions (regext) working groups. Also attended the meetings of the Transport Layer Security (TLS), DNS Privacy, and DNS over HTTPS (DoH) working groups and the Privacy Enhancements and Assessments Proposed Research Group (PEARG). Additionally, attended the Public Interest Technology Group (PITG) and Centralisation of DNS Services side meetings.
At the meeting of the Human Rights Protocol Considerations (HRPC) research group, I presented an update to draft-irtf-hrpc-guidelines ('Guidelines for Human Rights Protocol and Architecture Considerations'), which I am co-editing with Niels ten Oever.
At the IETF Hackathon, I explored the use of differential privacy for privacy-preserving latency measurement in the QUIC protocol (with Amelia Andersdotter and Shivan Kaul Sahib). We will continue the research to see whether differential privacy techniques are viable/useful for IETF protocols.
Attended and made interventions in the Captive Portals (capport) andRegistration Protocols Extensions (regext) working groups. Also attended the meetings of the Transport Layer Security (TLS), DNS Privacy, and DNS over HTTPS (DoH) working groups and the Privacy Enhancements and Assessments Proposed Research Group (PEARG). Additionally, attended the Public Interest Technology Group (PITG) and Centralisation of DNS Services side meetings.
At the meeting of the Human Rights Protocol Considerations (HRPC)research group, I presented an update to draft-irtf-hrpc-guidelines('Guidelines for Human Rights Protocol and ArchitectureConsiderations'), which I am co-editing with Niels ten Oever.
At the IETF Hackathon, I explored the use of differential privacy forprivacy-preserving latency measurement in the QUIC protocol (with Amelia Andersdotter and Shivan Kaul Sahib). We will continue the research to see whether differential privacy techniques are viable/useful for IETF protocols.

For more information visit IETF website

For more details visit https://cis-india.org/internet-governance/news/ietf-104-prague

IETF 102 Montreal

Admin — 2018-08-01T22:42:31Z

The Internet Engineering Task Force (IETF) organized IETF 102 Montreal at Fairmont Queen Elizabeth Montreal in Canada from July 14 - 20, 2018. Gurshabad Grover participated remotely in the meetings of several Working Groups.

Meeting agenda of IETF102: https://datatracker.ietf.org/meeting/agenda

On July 19, in the meeting of the Human Rights Protocol Considerations (HRPC) Research Group, Gurshabad presented a review of the human rights considerations in the drafts of the Software Update for IoT Devices (SUIT) Working Group. His presentation was based on the review written by him and Sandeep Kumar, which is archived here.

Agenda of the HRPC session @ IETF102: https://datatracker.ietf.org/meeting/102/materials/agenda-102-hrpc-05

For more details visit https://cis-india.org/internet-governance/news/ietf-102-montreal

IEEE-SA InDITA Conference 2018

Admin — 2018-08-01T23:04:18Z

Gurshabad Grover participated in the IEEE-SA InDITA Conference 2018 organized by IEEE Standards Association held IIIT-Bangalore on July 10 and 11, 2018.

Gurshabad gave a brief presentation on how we could apply or reject 'Trust Through Technology' principles in the design of public biometric authentication. The agenda for the event can be accessed here. More details on event website here.

For more details visit https://cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018

IDEX Impact Assessment Workshop

praskrishna — 2013-11-14T05:48:51Z

The Centre for Internet and Society is hosting a workshop organised by IDEX at its office in Bangalore on Saturday, November 16, 2013 from 11.30 a.m. to 6.30 p.m.

The IDEX Impact Assessment Workshop will provide a comprehensive and interactive intro and overview of all facets of Impact Assessment, with a specific focus on the Social Enterprise sector. The workshop will be conducted by Andy Bhanot of WeStat (bio below) and will be divided into two portions:

11.30 - 14.30: Impact Assessment Crash Course (Intro to IA, Types of IA, Designing IA, etc)

15.30 - 18.30: Interactive Group Projects + Presentations (Applying IA to Specific Sectors / Projects)*

*The focus of this group work will be based upon projects that the IDEX fellows have been working on over the past few months, across various sectors (Water, Livelihoods, Youth, etc)

Andy Bhanot, MBA

Andy Bhanot is a communications and marketing research expert with extensive experience in both the private and development sectors. Mr. Bhanot's areas of expertise include market research analysis and strategy formulation, business development, and leadership and team management.

Mr. Bhanot is an expert in conducting knowledge, attitude, and practice surveys, formative research, pretesting studies, and monitoring and impact evaluation studies. These studies have ranged from HIV/AIDS prevention and care, condom promotion, maternal and child health and governance to gender empowerment, water and environmental sanitation, education, and disaster risk reduction.

He is well versed in both quantitative and qualitative research methods having directed large national surveys, telephonic interviews, rapid feedback studies, focus group discussions, in-depth and key informant interviews, observations, participatory rural appraisals, and ethnographic immersions with urban and rural audiences. Studies included many difficult-to-reach populations: commercial sex workers, men having sex with men, hijras/ transgenders, injecting drug users, truck drivers, migrant workers, gate keepers in the commercial sex trade, employers of bonded labourers, and people living with HIV/AIDS.

Mr. Bhanot has conducted numerous usage and attitude studies, brand health trackers, and concept and new product tests. He also has expertise in segmentation and positioning studies, advertising and media studies, customer satisfaction studies, and distribution studies for a wide range of clients (Pfizer, Colgate, Unilever, Coca-Cola, Barclays Bank, Shell, BAT, Wrigley's, Glaxo Smithkline, Cadburys, Nestle, Delmonte, East Africa Breweries, and Tetra Pac).

Mr. Bhanot has worked and travelled extensively across India, Bangladesh, Nepal, Afghanistan, Myanmar, Cambodia, Vietnam, Kenya, Uganda, Tanzania, Ethiopia, Eritrea, Djibouti, Somaliland, and South Africa. He has presented and published research papers, and has contributed marketing research case studies to books by prominent authors.

For more details visit https://cis-india.org/internet-governance/events/idex-impact-assessment-workshop

Identity of the Aadhaar Act: Supreme Court and the Money Bill Question

Vanya Rakesh and Sumandro Chattapadhyay — 2016-05-09T11:52:44Z

A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view. It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation. Vanya Rakesh and Sumandro Chattapadhyay wrote this article on The Wire.

Published by and cross-posted from The Wire.

The Aadhaar Act 2016, passed in the Lok Sabha on March 16, 2016, faced opposition ever since it was tabled in parliament. In particular, the move to introduce it as a money bill has been vehemently challenged on grounds of this being an attempt to bypass the Rajya Sabha completely. A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view.

It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation.

The money bill question

M.R. Madhavan has argued that the Aadhaar Act contains matters other than “only” those incidental to expenditure from the consolidated fund, as it establishes a biometrics-based unique identification number for beneficiaries of government services and benefits, but also allows the number to be used for other purposes beyond service delivery. While Pratap Bhanu Mehta calls this a subversion of “the spirit of the constitution”, P.D.T. Achary, former secretary general of the Lok Sabha, expressed concern about the attempts to pass off financial bills like Aadhaar as money bills as a means to circumvent and erode the supervisory role of the Rajya Sabha. Arvind Datar has further emphasised that when the primary purpose of a bill is not governed by Article 110(1), then certifying it as a money bill is an unconstitutional act.

Article 110(1) of the Constitution identifies a bill as a money bill if it contains “only” provisions dealing with the following matters, or those incidental to them:

imposition and regulation of any tax,
financial obligations undertaken by Indian Government,
payment into or withdrawal from the Consolidated Fund of India (CFI) or Contingent Fund of India,
appropriation of money and expenditure charged on the CFI or receipt, and
custody, issue or audit of money into CFI or public account of India.

However, the link of the Act with the Consolidated Fund of India is rather tenuous, since it depends on the Union or state governments declaring a certain subsidy to be available upon verification of the Aadhaar number. The objectives and validity of the Act would not actually change if the Aadhaar number no longer was directly connected to the delivery of services. The use of the word “if” in section 7 explicitly leaves scope for a situation where the government does not declare an Aadhaar verification as necessary for accessing a subsidy. In such a scenario, the Act will still be valid but without any formal connection with any charges on the Consolidated Fund of India.

A case of procedural irregularity?

The constitution of India borrows the idea of providing the speaker with the authority to certify a bill as money bill from British law, but operationalises it differently. In the UK, though the speaker’s certificate on a money bill is conclusive for all purposes under section 3 of the Parliament Act 1911, the speaker is required to consult two senior members, usually one from either side of the house, appointed by the committee from amongst those senior MPs who chair general committees. In India, the speaker makes the decision on her own.

Although article 110 (3) of the Indian constitution states that the decision of the speaker of the Lok Sabha shall be final in case a question arises regarding whether a bill is a money bill or not, this does not restrict the Supreme Court from entertaining and hearing a petition contesting the speaker’s decision. As the Aadhaar Act was introduced in the Lok Sabha as a money bill even though it does not meet the necessary criteria for such a classification, this treatment of the bill may be considered as an instance of procedural irregularity.

There is ample jurisprudence on what happens when the Supreme Court’s power of judicial review comes up against Article 122 – which states that the validity of any proceeding in the parliament can (only) be called into question on the grounds of procedural irregularities. In the crucial judgment of Raja Ram Pal vs Hon’ble Speaker, Lok Sabha and Others (2007), the court evaluated the scope of judicial review and observed that although parliament is supreme, unlike Britain, proceedings which are found to suffer from substantive illegality or unconstitutionality, cannot be held protected from judicial scrutiny by article 122, as opposed to mere irregularity. Deciding upon the scope for judicial intervention in respect of exercise of power by the speaker, in Kihoto Hollohan vs Zachillhu and Ors. (1992), the Supreme Court held that though the speaker of the house holds a pivotal position in a parliamentary democracy, the decision of the speaker (while adjudicating on disputed disqualification) is subject to judicial review that may look into the correctness of the decision.

Several past decisions of the Supreme Court discuss how the tests of legality and constitutionality help decide whether parliamentary proceedings are immune from judicial review or not. In Ramdas Athawale vs Union of India (2010), the case of Keshav Singh vs Speaker, Legislative Assembly (1964) was referred to, in which the judges had unequivocally upheld the judiciary’s power to scrutinise the actions of the speaker and the houses. It was observed that if the parliamentary procedure is illegal and unconstitutional, it would be open to scrutiny in a court of law and could be a ground for interference by courts under Article 32, though the immunity from judicial interference under this article is confined to matters of irregularity of procedure. These observations were reiterated in Mohd. Saeed Siddiqui vs State of Uttar Pradesh (2014) and Yogendra Kumar Jaiswal vs State of Bihar (2016).

Thus, the decision of the Lok Sabha speaker to pass and certify a bill as a money bill is definitely not immune from judicial review. Additionally, the Supreme Court has the power to issue directions, orders or writs for enforcement of rights under Article 32 of the constitution, therefore, allowing the judiciary to decide upon the manner of introducing the Aadhaar Act in parliament.

National implications demand public deliberation

As the provisions of the Aadhaar Act have far reaching implications for the fundamental and constitutional rights of Indian citizens, the Supreme Court should look into the matter of its identification and treatment as a money bill and whether such decisions lead to the thwarting of legislative and procedural justice.

The Supreme Court may also take this opportunity to reflect on the very decision making process for classification of bills in general. As Smarika Kumar argues, experience with the Aadhaar Act reveals a structural concern regarding this classification process, which may have substantial implications in terms of undermining public and parliamentary deliberative processes. This “trend,” as Arvind Datar notes, of limiting legislative discussions and decisions of national importance within the space of the Lok Sabha must be swiftly curtailed.

Apart from deciding upon the legality of the nature of the bill, it is vital that the apex court ask the government to categorically respond to the concerns red-flagged by the Standing Committee on Finance, which had taken great exception to the continued collection of data and issuance of Aadhaar numbers in its report, and to the recommendations passed in the Rajya Sabha recently. Further, the repeated violation of the Supreme Court’s interim orders – that the Aadhaar number cannot be made mandatory for availing benefits and services – in contexts ranging from marriages to the guaranteed work programme should also be addressed and responses sought from the Union government.

Evidently, the substantial implications of the Aadhaar Act for national security and fundamental rights of citizens, primarily privacy and data security, make it imperative to conduct a duly balanced public deliberation process, both within and outside the houses of parliament, before enacting such a legislation.

For more details visit https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question

Identity and Databases

praskrishna — 2014-08-07T08:32:16Z

The Centre for Internet and Society (CIS) and the Say No to UID Campaign invite you to a discussion identity, databases and facilitating technologies that explores the use of personal identifiers across databases and the potential violations of privacy on August 9, 2014 (10.30 a.m. to 1.00 p.m.) at the CIS office in Bangalore.

The discussions will specifically focus on the UID and the NPR and seek to answer:

What information is being collected and databased by each scheme?
What type of technology is needed to collect and database this information?
How and where is this information being databased?
What are the potential risks to the databasing of this information?
Are there legal safeguards protecting against misuse of this information, and if not, what safeguards are needed?
Is there a difference between the state collecting, storing, and using this information and a private entity?

For more details visit https://cis-india.org/events/identity-and-databases

Identities Research

praskrishna — 2017-04-12T13:54:53Z

Caribou Digital organized an identity research event in Bengaluru at TERI on April 6, 2017. A total of 16 participants attended the event. Sunil Abraham and Pranesh Prakash represented CIS at the event.

The Identities research project explores user experiences of identity technology, brought to you by Caribou Digital, Omidyar Network and the International Institute of Information Technology, Bangalore (IIITB). The need for user-centered research in “digital identity” arose out of concerns around top-down identity systems and lack of insights on how these are being understood and used, particularly amongst lower income populations. For more information on the event and viewing the episode videos click here.

For more details visit https://cis-india.org/internet-governance/news/identities-research