We are anonymous, we are legion

Hate speech: ban or ignore?

praskrishna — 2013-02-13T09:40:37Z

The Social Network discusses the hate speeches: whether they should be banned or ignored. Why does the state take action against some and not against some others. This on a day when Togadia and Owaisi were simultaneously trending on the social media.

This discussion was aired on NDTV on February 5, 2013

Pranesh Prakash, Policy Director, Centre for Internet and Society, and Shivam Vij of Kafila.com joined NDTV in the studio while actor and standup comic Sanjay Rajoura joined via webcam.

Pranesh said that the talk of banning these videos is foolish. He added, I don't think that is a solution. But the issue is one of criminal prosecution – whether that should happen or not, and with regard to the interesting dichotomy that Shivam pointed out some people are calling for somethings to be banned but not others. I think that kind of hypocrisy should be pointed out. I am happy that these small incidents of hate mongering are actually being blown out of proportion on social media because it actually gets people to react...to say wait a second...that is not right I might have a certain leanings towards Hindutva but that kind of speech is not what I support, or I might have a certain leanings towards what is called "pseudo-secularism" but that kind of speech is not what I support. So getting out that discussion out is important.

If we were on one hand a society where we had communal peace and then social media were focusing on these small kinds of incidents and blowing it out of proportion then that would be a problem.

Watch the full discussion aired on NDTV

For more details visit https://cis-india.org/news/ndtv-video-the-social-network-feb-5-2013-hate-speech-ban-or-ignore

HasGeek presents The Fifth Elephant

praskrishna — 2012-06-19T06:38:13Z

HasGeek and the Centre for Internet & Society invite you the Fifth Elephant at the NIMHANS Convention Centre, Bangalore on July 27 and 28, 2012.

Why The Fifth Elephant?

Modern technology with ubiquitous connectivity and cloud-hosted computing power is increasingly becoming important for making sense of data. The infrastructure, tools, processes and algorithms for storage, analytics and visualization shape the meanings and value that can be derived from the data. At the same time, these technologies are strongly intertwined i.e., the database infrastructure shapes how data is accessed for processing, as well as the tools you can (or cannot) use to represent the data in certain ways on the frontend. Similarly, the paradigms used for simplifying and storing data — MapReduce, NoSQL, RDBMS — variously enable the morphing of complex data into meaningful formats. Working with each one of them involves limitations and possibilities.

The Fifth Elephant is the first of its kind of events where you will meet different people working with different kinds of data. It is an opportunity for learning about new tools, technologies, platforms, processes and best practices, and engaging with business leaders, IT decision-makers, journalists, analysts and developers. It is also an opportunity to showcase data products, APIs, services and platforms.

A Conference? An Event?

The Fifth Elephant is not simply a series of lectures. It is a space for interactions with a diverse audience to serendipitously explore insights and solutions for your data problems, to understand how hidden meanings in data can be made manifest, and to learn how others are working with data. The event is open to data analysts and scientists, statisticians, geeks, enthusiasts, data-driven product managers and designers, enterprise architects, journalists, researchers, developers and database professionals.

The Agenda

The Fifth Elephant will be held on July 27 and 28, 2012 at the NIMHANS Convention Centre, Bangalore. Day 1 covers the technology track — big data infrastructure, analytics and visualization. Day 2 invites talks from business and industry — finance, retail, health, media, telecom — to showcase the nature of data in each of these sectors and how they are working (and not working) with the data.

Apart from demos, lectures and tutorials, there will be opportunities for open house discussions and presentations on Hadoop, NoSQL versus RDBMS paradigms, and legal and licensing frameworks for data sharing, among others. Hacker corners, a dedicated participant lounge and interactive sponsor booths will further the learning, showcasing and engagement at the event.

For submitting talks and speaking proposals, visit funnel.hasgeek.com/5el.
Corporate tickets available for company delegates and employees. For more information write to info@hasgeek.com
For sponsorship queries, write to zainab@hasgeek.com

For more details visit https://cis-india.org/internet-governance/has-geek-presents-the-fifth-elephant

Haryana Cops Say Internet Shutdowns Hurt Police Operations

praskrishna — 2018-09-18T15:57:12Z

India sees a very high number of Internet shutdowns, often to preserve law and order, but Haryana cops are arguing against the practice.

The article by Gopal Sathe was published by Huffington Post on September 19, 2018.

Ahead of a Haryana court verdict in a rape case against Dera Sacha Sauda (DSS) head Gurmeet Ram Rahim Singh, mobile Internet services were shut down in nearby areas such as Panchkula and Mohali. The Hindustan Times reported that SMSes, mobile Internet and all services apart from voice calls were suspended to keep the peace.

But as a result of the shutdown, police in Panchkula faced a challenge in estimating the size of crowds gathered at different locations. "We were until then sharing information and photos on WhatsApp to figure out the number of people pouring in the city from various points as it helped identify problem areas. DSS followers had started gathering August 22 onwards," Panchkula police commissioner Arshinder Singh Chawla has said, according to a report by Manoj Kumar first published by the Centre for Internet and Society.

This was a replay of events during the Jat agitation of 2016 as well—protestors were present in much greater numbers than police personnel, who were not aware of the scenario on the ground. The police also worried about sending messages asking for help over the radio, as this could have been tapped into by the protestors, according to the report.

The lack of mobile Internet during the DSS-related Internet shutdown also affected the use of technology such as drone cameras, Chawla said. And because the police could not communicate with security personnel at the court complex, the police inside had to scale walls to leave safely, as they could not ask their colleagues for backup.

The report points out that this is in stark contrast to what happened in Mumbai, where former police commissioner Rakesh Maria made use of WhatsApp and SMS messages to prevent a scuffle from turning into a riot during Eid celebrations in early 2015.

A study by the Software Freedom Law Centre stated that India has already over 100 Internet shutdowns in 2018, Medianama reported. The five states with the most shutdowns are Jammu and Kashmir, Rajasthan, Uttar Pradesh, Maharashtra and Bihar. This has been criticised by many, including the UN, and as the Haryana police's experience show, the shutdowns are not just harming citizens, but are counter-productive to maintaining order as well.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-gopal-sathe-september-17-2018-haryana-cops-say-internet-shutdowsn-hurt-police-operations

Hard to broad ban!

praskrishna — 2016-03-22T17:00:07Z

The provisions under the Telegraph Act are wispy and can’t be convincingly invoked to exercise a jurisdiction on the internet world.

The article by Taru Bhatia was published by Governance Now on March 9, 2016. Pranesh Prakash was quoted.

The Haryana government on February 19 suspended mobile internet services in the districts affected by the agitation caused by the Jat community over reservation. The ban was imposed under section 144 of criminal procedure code (CrPC) to control the situation from being fanned by rumours or inflammatory messages.Similar ban was imposed in Gujarat last year during violent protests stirred by Hardik Patel over reservation of Patel community. In a similar manner internet connectivity was snapped in Nagaland, Rajasthan and Jammu and Kashmir last year under section 144 in order to contain law and order situation.

The CrPC section allows an official authorised by the state government to “direct any person to abstain from a certain act or to take certain order” which is “likely to prevent, or tends to prevent, obstruction, annoyance or injury to any person lawfully employed or danger to human life, health or safety, or a disturbance of the public tranquility, or a riot, of an affray”. “An order under this section may, in cases of emergency or in cases where the circumstances do not admit of the serving in due time of a notice upon the person against whom the order is directed, be passed ex parte,” the section states.

However, the civil rights lawyers claim that section 144 is a general law. “Section 144 is a means to curb apprehended danger and nuisance in emergencies, but its use to ban internet access for a region is an excessive and arbitrary use of powers granted to the state government under this provision,” says Mishi Choudhary, legal director, software freedom law centre (SFLC).

They, moreover, believe that the above section is not specific and contextual in cases of communication ban. So what is the correct law that comes in disposal of state authorities during emergencies that call for an urgent step? It’s section 5 of the Indian Telegraph Act, 1885. The act specifically deals with blocking web domains or web pages or blanket ban. Section 5(2) says that states or central government can prevent transmission of any message(s) that cause incitement to unlawful situation. Looking carefully, this section focuses only on blocking of inflammatory message(s), not a blanket ban.

In the case of Gujarat, for example, Hardik Patel, leading the agitation, used WhatsApp to spread the word for Bharat bandh, which consequently caused a blanket ban on data services by the state authorities. Under section 5(2), the authorities could have gone ahead only with banning social media websites and messaging application, instead of a blanket ban.

Section 5(2) of the telegraph Act also allows the authorities to lawfully intercept messages during public emergency. The central government has laid out clear guidelines in 2014, defining circumstances that demands phone tapping and in what manner. Similar guidelines are not there for suspending internet services under same law, however.

“The way in which the ban is imposed is unreasonable. Problem is in the method that is being used in absence of guidelines, defining circumstances under which they can impose a restriction on internet sites,” says Arun Kumar, head of cyber initiatives at Observer Research Foundation (ORF).

If government formulates these rules or guidelines it will set a threshold for state or central authorities, which will define the urgency of imposing ban on internet services. It will also make authorities answerable, limiting the misuse of power under the section 144 of the CrPC.

The civil rights lawyers cite example of section 69 A of the IT Act, 2000, which grants power to the central government to direct notice to intermediaries (for example, Facebook and Twitter), to block public access to any information that could stir violence in the country. In this case the government formulated blocking rules in 2009, providing for examination of complaints. The authority to employ this power however lies with the central government, and so, a state not using this law for taking down any message or domain from public view is understandable, during riot-like situation.

For states to legitimately use their power, it is essential to have similar blocking rules for section 5(2) of telegraph act.

Is blanket ban needed, anyway?

“Blocking all internet access is clearly an unnecessary and disproportionate measure that cannot be countenanced as a ‘reasonable restriction’ on freedom of expression and the right to seek and receive information, which is an integral part of the freedom of expression,” says Pranesh Prakash, policy director, Centre for Internet and Society (CIS).

For instance, he adds, a riot-affected woman seeking to find out the address of the nearest hospital cannot do so on her phone. “Instead of blocking access to the internet, the government should seek to quell rumours by using social networks to spread the truth, and by using social networks to warn potential rioters of the consequences,” he says.

Former Mumbai police commissioner Rakesh Maria used WhatsApp to counter rumours spread after circulation of a fake photo in January 2015. A similar approach could have been taken by state authorities in the case of Gujarat or Haryana; countering miscreants, informing public about the truth and emergency help details.

“Instead of doing that, we saw that in Gujarat, the police themselves engaged in acts of violent vandalism (caught on CCTV cameras), and in Manipur the police shot dead nine Manipuri tribals, including a 11-year-old child,” retorts Pranesh.

Blocking internet should be used as a last resort, and taking a balanced approach that considers interest of every stakeholder in a society is essential, argue civil rights lawyers. It is also imperative on the part of the government to formulate guidelines or a rule book to tackle the arbitrariness exercised by the states and security forces.

For more details visit https://cis-india.org/internet-governance/news/governance-now-march-9-2016-taru-bhatia-hard-to-broad-ban

Haphazard censorship? Leaked list of blocked websites in India

praskrishna — 2012-08-23T06:18:45Z

An analysis of a leaked list of the websites blocked by Indian Internet Service Providers (ISPs) on directions from the Department of Telecom bring to light the inconsistencies in India's online censorship efforts.

Published in IBNLive on August 23, 2012. Pranesh Prakash is quoted.

Pranesh Prakash, programme manager at the Centre for Internet and Society (CIS), analysed the 309 specific items that were asked to be censored from August 18, till August 21, 2012 by the Indian government following the recent incidents of communal violence and the mass exodus of North East Indians from Bangalore.

"It is clear that the list was not compiled with sufficient care," Prakash writes in a post on the CIS website that reveals several egregious errors in the censorship process.

While the government put on its censor gear to apparently stop rumours from spreading, Prakash discovered that "people and posts debunking rumours have been blocked." Also there are some items on the list that do not even exist online.

The 309 items that were ordered to be blocked include URLs, Twitter accounts, img tags, blog posts, blogs, and a few websites.

Prakash, a graduate of the National Law School of India University, Bangalore, also raises the questions on the legal standing of the government's actions. "The blocking of many of the items on that list are legally questionable and morally indefensible, even while a some of the items ought, in my estimation, to be removed," he says.

Indian ISPs are also known to go overboard in their efforts to comply with any government order. There have been numerous incidents in the past when ISPs were asked to block a specific URL and they ended up blocking entire domains. The latest round of censorship is also no different. There have been reports of Airtel blocking the entire YouTube short URL youtu.be in some cities.

CIS hasn't published the complete list of the blocked items given "the sensitivity of the issue" but has posted a list of domains from which specific items have been asked to be blocked. The list follows:

ABC.net.au
AlJazeera.com
AllVoices.com
WN.com
AtjehCyber.net
BDCBurma.org
Bhaskar.com
Blogspot.com
Blogspot.in
Catholic.org
CentreRight.in
ColumnPK.com
Defence.pk
EthioMuslimsMedia.com
Facebook.com
Farazahmed.com
Firstpost.com
HaindavaKerelam.com
HiddenHarmonies.org
HinduJagruti.org
Hotklix.com
HumanRights-Iran.ir
Intichat.com
Irrawady.org
IslamabadTimesOnline.com
Issuu.com
JafriaNews.com
JihadWatch.org
KavkazCenter
MwmJawan.com
My.Opera.com
Njuice.com
OnIslam.net
PakAlertPress.com
Plus.Google.com
Reddit.com
Rina.in
SandeepWeb.com
SEAYouthSaySo.com
Sheikyermami.com
StormFront.org
Telegraph.co.uk
TheDailyNewsEgypt.com
TheFaultLines.com
ThePetitionSite.com
TheUnity.org
TimesofIndia.Indiatimes.com
TimesOfUmmah.com
Tribune.com.pk
Twitter.com
TwoCircles.net
Typepad.com
Vidiov.info
Wikipedia.org
Wordpress.com
YouTube.com
YouTu.be

For more details visit https://cis-india.org/news/www-ibnlive-in-com-haphazard-censorship-leaked-list-of-blocked-sites

Hammered government offers Virtual ID firewall to protect your Aadhaar

Admin — 2018-01-16T23:34:12Z

Days after reports surfaced claiming security breaches, the Unique Identification Authority of India (UIDAI) on Wednesday announced the implementation of a new security protocol that would remove the need to divulge Aadhaar numbers during authentication processes and limit third-party access to KYC details.

The article was published in New Indian Express on January 11, 2018.

Admitting that the “collection and storage of Aadhaar numbers by various entities has heightened privacy concerns”, the UIDAI circular said Authentication User Agencies (AUAs) providing Aadhaar services have to be ready to implement the protocol from March 1, 2018. From June 1 use of Virtual ID for authentication would be mandatory.

The linchpin of the new protocol will be the virtual ID (VID) — a “temporary, revocable 16-digit random number” that can be used instead of Aadhaar to verify or link services. VIDs will have a limited validity and can be generated only by the Aadhaar holder. “UIDAI will provide various options to generate, retrieve and replace VIDs… these will be made available via UIDAI’s resident portal, Aadhaar Enrolment Centre, mAadhaar mobile application, etc.,” it said. While only one VID per Aadhaar number will be valid at a time, users can revoke and generate new VIDs as many times as desired.

UIDAI will also limit KYC details accessible by AUAs by classifying them as Global AUAs, which are required to use Aadhaar e-KYC by law, and Local AUAs. Only the former will have full access to e-KYC details and can store Aadhaar numbers. Local AUAs will only have access to limited KYC details and be prohibited from storing Aadhaar numbers. UIDAI will also generate UID tokens which will be used to identify customers within agencies’ systems, but these will not be usable by other AUAs.

However, cybersecurity experts say that even if the new “patch” is effective, verification processes will have to be redone to prevent misuse of already-leaked Aadhaar numbers. “The concept is attractive, but the devil is in the details,” observed Pavan Duggal, cyberlaw expert, adding that the new system does not address those who have already gained unauthorised access to Aadhaar numbers. Sunil Abraham, executive director, Centre for Internet and Society, was more categorical. “If it has to be effective, they will have to redo (Aadhaar-KYC) from scratch.”

For more details visit https://cis-india.org/internet-governance/news/indian-express-january-11-2018-

Hakon 2016

praskrishna — 2016-10-15T10:04:41Z

Udbhav Tiwari attended attended Hakon 2016, a conference held between September 30 and October 2, 2016 at Indore, Madhya Pradesh, India,on behalf of CIS under the Hewlett Cyber Security Project.

Hakon 2016 was the third edition of the conference which has been organised by Ninja Information Security Systems, an ISO 27001:2013 & 9001:2008 certified training organisation and the primary sponsor of the conference from Indore. The conference was efficiently organised, had about 150 to 200 people attending overall and provided an unique window into the non-tech hub/big city ethical hacker ecosystem and their place within the cyber security setup in India. The agenda of this year's conference was the Underground Digital Black Market & Digital Terrorism, with a fair mix of participants from the industry, academia and the government. The conference website can be looked up at http://www.hakonindia.org/ for further details, including a look at past editions of the conference.

The technical workshops held during the first two days of the conference were well organised and networking with the teachers during and mostly at the end of the conference was very helpful in understanding a practitioners perspective on cutting edge aspects of cyber security. This was particularly true for Chuck Easttom Williams, an accomplished cyber security expert from the USA who regularly trains government agencies and in a fairly reputed industry veteran who has been an invited speaker at DEFCON and even has a couple of patents to his name.

For more details visit https://cis-india.org/internet-governance/news/hakon-2016

Hacking without borders: The future of artificial intelligence and surveillance

maria — 2013-07-12T15:30:27Z

In this post, Maria Xynou looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Robots or computer systems controlling our thoughts is way beyond anything I have seen in science fiction; yet something of the kind may be a reality in the future. The US Defence Advanced Research Projects Agency (DARPA) is currently funding several artificial intelligence projects which could potentially equip governments with the most powerful weapon possible: mind control.

Combat Zones That See (CTS)

Source: swanksalot on flickr

Ten years ago DARPA started funding the Combat Zones That See (CTS) project, which aims to ´track everything that moves´ within a city through a massive network of surveillance cameras linked to a centralized computer system. Groundbreaking artificial intelligence software is being used in the project to identify and track all movement within cities, which constitutes Big Brother as a reality. The computer software supporting the CTS is capable of automatically identifying vehicles and provides instant alerts after detecting a vehicle with a license plate on a watch list. The software is also able to analyze the video footage and to distinguish ´normal´ from ´abnormal´ behavior, as well as to discover links between ´places, subjects and times of activity´ and to identify patterns. With the use of this software, the CTS constitute the world´s first multi-camera surveillance system which is capable of automatically analyzing video footage.

Although the CTS project was initially intended to be used for solely military purposes, its use for civil purposes, such as combating crime, remains a possibility. In 2003 DARPA stated that 40 million surveillance cameras were already in use around the world by law enforcement agencies to combat crime and terrorism, with 300 million expected by 2005. Police in the U.S. have stated that buying new technology which may potentially aid their work is an integral part of the 9/11 mentality. Considering the fact that literally millions of CCTV cameras are installed by law enforcement agencies around the world and that DARPA has developed the software that has the capability of automatically analyzing data gathered by CCTV cameras, it is very possible that law enforcement agencies are participating in the CTS network.

However if such a project was used for non-military level purposes, it could raise concerns in regards to data protection, privacy and human rights. As a massive network of surveillance cameras, the CTS ultimately could enable the sharing of footage between private parties and law enforcement agencies without individuals´ knowledge or consent. Databases around the world could be potentially linked to each other and it remains unclear what laws would regulate the access, use and retention of such databases by law enforcement agencies of multiple countries. Furthermore, there is no universal definition for ´normal´ and ´abnormal´ behaviour, thus if the software is used for its original purpose, to distinguish between “abnormal” and “normal” behaviour, and used beyond military purposes, then there is a potential for abuse, as the criteria for being monitored, and possibly arrested, would not be clearly set out.

Mind´s Eye

Source: watchingfrogsboil on flickr

A camera today which is only capable of recording visual footage appears futile in comparison to what DARPA´s creating: a thinking camera. The Mind´s Eye project was launched in the U.S. in early 2011 and is currently developing smart cameras endowed with ´visual intelligence´. This ultimately means that artificial intelligence surveillance cameras can not only record visual footage, but also automatically detect ´abnormal´ behavior, alert officials and analyze data in such a way that they are able to predict future human activities and situations.

Mainstream surveillance cameras already have visual-intelligence algorithms, but none of them are able to automatically analyze the data they collect. Data analysts are usually hired for analyzing the footage on a per instance basis, and only if a policeman detects ´something suspicious´ in the footage. Those days are over. General James Cartwright, the vice chairman of the Joint Chiefs of Staff, stated in an intelligence conference that “Star[ing] at Death TV for hours on end trying to find the single target or see something move is just a waste of manpower.” Today, the Mind´s Eye project is developing smart cameras equipped with artificial intelligence software capable of identifying operationally significant activity and predicting outcomes.

Mounting these smart cameras on drones is the initial plan; and while that would enable military operations, many ethical concerns have arisen in regards to whether such technologies should be used for ´civil purposes.´ Will law enforcement agencies in India be equipped with such cameras over the next years? If so, how will their use be regulated?

SyNAPSE

Source: A Health Blog on flickr

The Terminator could be more than just science fiction if current robots had artificial brains with similar form, function and architecture to the mammalian brain. DARPA is attempting this by funding HRL Laboratories, Hewlett-Packard and IBM Research to carry out this task through the Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE) programme. Is DARPA funding the creation of the Terminator? No. Such artificial brains would be used to build robots whose intelligence matches that of mice and cats...for now.

SyNAPSE is a programme which aims to develop electronic neuromorphic machine technology which scales to biological levels. It started in the U.S. in 2008 and is scheduled to run until around 2016, while having received $102.6 million in funding as of January 2013. The ultimate aim is to build an electronic microprocessor system that matches a mammalian brain in power consumption, function and size. As current programmable machines are limited by their computational capacity, which requires human-derived algorithms to describe and process information, SyNAPSE´s objective is to create biological neural systems which can autonomously process information in complex environments. Like the mammalian brain, SyNAPSE´s cognitive computers would be capable of automatically learning relevant and probabilistically stable features and associations, as well as of finding correlations, creating hypotheses and generally remembering and learning through experiences.

Although this original type of computational device could be beneficial to predict natural disasters and other threats to security based on its cognitive abilities, human rights questions arise if it were to be used in general for surveillance purposes. Imagine surveillance technologies with the capacity of a human brain. Imagine surveillance technologies capable of remembering your activity, analyzing it, correlating it to other facts and/or activities, and of predicting outcomes; and now imagine such technology used to spy on us. That might be a possibility in the future.

Such cognitive technology is still in an experimental phase and although it could be used to tackle threats to security, it could also potentially be used to monitor populations more efficiently. No such technology currently exists in India, but it could only be a matter of time before Indian law enforcement agencies start using such artificial intelligence surveillance technology to supposedly enhance our security and protect us.

Brain-Computer Interface (BCI)

Remember Orwell's ´Thought Police´? Was Orwell exaggerating just to get his point across? Well, the future appears to be much scarier than Orwell's vision depicted in 1984. Unlike the ´Thought Police´ which merely arrested individuals who openly expressed ideas or thoughts which contradicted the Party´s dogma, today, technologies are being developed which can literally read our thoughts.

Once again, DARPA appears to be funding one of the world´s most innovative projects: the Brain-Computer Interface (BCI). The human brain is far better at pattern matching than any computer, whilst computers have greater analytical speed than human brains. The BCI is an attempt to merge the two together, and to enable the human brain to control robotic devices and other machines. In particular, the BCI is comprised of a headset (an electroencephalograph - an EEG) with sensors that rest on the human scalp, as well as of software which processes brain activity. This enables the human brain to be linked to a computer and for an individual to control technologies without moving a finger, but by merely thinking of the action.

Ten years ago it was reported that the brains of rats and monkeys could control robot arms through the use of such technologies. A few years later brainstem implants were developed to tackle deafness. Today, brain-computer interface technologies are able to directly link the human brain to computers, thus enabling paralyzed people to conduct computer activity by merely thinking of the actions, as well as to control robotic limbs with their thoughts. BCIs appear to open up a new gateway for disabled persons, as all previously unthinkable actions, such as typing on a computer or browsing through websites, can now be undertaken by literally thinking about them, while using a BCI.

Brain-controlled robotic limbs could change the lives of disabled persons, but ethical concerns have arisen in regards to the BCI´s mind-reading ability. If the brain can be used to control computers and other technologies, does that ultimately mean that computers can also be used to control the human brain? Researchers from the University of Oxford and Geneva, and the University of California, Berkley, have created a custom programme that was specially designed with the sole purpose of finding out sensitive data, such as an individuals´ home location, credit card PIN and date of birth. Volunteers participated in this programme and it had up to 40% success in obtaining useful information. To extract such information, researchers rely on the P300 response, which is a very specific brainwave pattern that occurs when a human brain recognizes something that is meaningful, whether that is personal information, such as credit card details, or an enemy in a battlefield. According to DARPA:

´When a human wearing the EEG cap was introduced, the number of false alarms dropped to only five per hour, out of a total of 2,304 target events per hour, and a 91 percent successful target recognition rate was introduced.´

This constitutes the human brain as a new warfighting domain of the twenty-first century, as experiments have proven that the brain can control and maneuver quadcopter drones and other military technologies. Enhanced threat detection through BCI´s scan for P300 responses and the literal control of military operations through the brain, definitely appear to be changing the future of warfare. Along with this change, the possibility of manipulating a soldier´s BCI during conflict is real and could lead to absolute chaos and destruction.

Security expert, Barnaby Jack, of IOActive demonstrated the vulnerability of biotechnological systems, which raises concerns that BCI technologies may also potentially be vulnerable and expose an individual's´ brain to hacking, manipulation and control by third parties. If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software.

Will BCI be used in the future to interrogate terrorists and suspects? What would that mean for the future of our human rights? Can we have human rights if authorities can literally hack our brain in the name of national security? How can we be protected from abuse by those in power, if the most precious thing we have - our thoughts - can potentially be hacked? Human rights are essential because they protect us from those in power; but the privacy of our thoughts is even more important, because without it, we can have no human rights, no individuality.

Sure, the BCI is a very impressive technological accomplishment and can potentially improve the lives of millions. But it can also potentially destroy the most unique quality of human beings: their personal thoughts. Mind control is a vicious game to play and may constitute some of the scariest political novels as a comedy of the past. Nuclear weapons, bombs and all other powerful technologies seem childish compared to the BCI which can literally control our mind! Therefore strict regulations should be enacted which would restrict the use of BCI technologies to visually impaired or handicapped individuals. Though these technologies currently are not being used in India, explicit laws on the use of artificial intelligence surveillance technologies should be enacted in India, to help ensure that they do not infringe upon the right to privacy and other human rights.

Apparently, anyone can buy Emotiv or Neurosky BCI online to mind control their computer with only $200-$300. If the use of BCI was imposed in a top-down manner, then maybe there would be some hope that people would oppose its use for surveillance purposes; but if the idea of mind control is being socially integrated...the future of privacy seems bleak.

For more details visit https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance

Hacking of SIM card by spy agencies raises fears of sensitive documents being leaked

praskrishna — 2015-03-09T01:31:39Z

The hacking of SIM-card and digital security services provider Gemalto by American and British spy agencies has raised fears that sensitive communications, by the Indian government and hundreds of domestic companies, may have been at the risk of being spied on.

The article by PK Jayadevan and Neha Alawadhi was published in the Economic Times on February 25, 2015. Pranesh Prakash and Sunil Abraham were quoted.

The Netherlands-based Gemalto was jointly hacked by the US National Security Agency and Britain's Government Communications Headquarters, and encryption keys were stolen to monitor mobile communications, according to a news report published last week.

India's largest telecom vendors including Airtel, Vodafone and Idea Cellular use SIM cards supplied by Gemalto, the world's biggest maker of mobile-phone chips and provider of secure devices such as smart cards and tokens. Online publisher The Intercept in its report named Idea Cellular as one of the networks from which the spy agencies accessed encryption keys.

"Phone calls and text messages by military, government, diplomats, spy corporations and by ordinary citizen of India - all of those get affected by this hack," said Pranesh Prakash, Policy Director at research and advocacy firm Centre for Internet and Society.

The Intercept, which accessed top secret documents provided by NSA whistleblower Edward Snowden, said American and British spies dug into the private communications of Gemalto engineers and other employees to steal encryption keys.

Gemalto provides security services such as two-factor authentication and access management, and has hundreds of clients in India. The company in 2012 said it provided 25 million e-driver's licences and vehicle registration certificates in India that let the government "consolidate driver and vehicle registration information across the population in a central repository".

"We believe that the biggest risk stands for the large number of Vodafone users in the country as the company has deployed Gemalto's Near Field Communication services solutions to provide secure and convenient 'wave and pay' contactless transactions via mobile phone," said Sanchit Vir Gogia, Chief Analyst and Group CEO, Greyhound Research.

"We have no further details of these allegations, which are industry-wide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations," said a Vodafone spokesperson in an email response.

Emails to Idea and Airtel were unanswered till the time of going to Press.

"Indian operators typically go for cheaper Chinese vendors that are anyway low on security. Among the European SIM vendors, Gemalto has the largest share in India," said a senior mobile services executive, requesting anonymity.

The report on the hack comes at a time when Gemalto was looking to tap the Indian market, including e-governance initiatives. The company in a recent email to ET said it had plans to expand its center of excellence in India to develop multiple products, offer tech support and provide security solutions for the domestic market.

"We take this (breach) very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated attacks to obtain SIM card data," a Gemalto spokesperson said. "The target was not Gemalto, per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible."

Initial investigations indicate that SIM products as well as banking cards, passports and other products and platforms are secure, the company said. Gemalto is expected to announce the results of its investigation on Wednesday. British and US spy agencies have been under fire for hacking and spying on citizens after Snowden in mid-2013 began leaking documents that revealed massive surveillance programmes by the two governments. At the time, the Indian government said the NSA was only collecting meta-data and had no access to the actual contents of phone calls or text messages.

Experts suggest a multinational consensus or treaty that strikes a balance between national security concerns and privacy.

"Governments will have to debate this in the United Nations and some kind of rules for surveillance, maybe treaties, are relevant in the future," said Kamlesh Bajaj, Chief Executive at Data Security Council of India. "They shall have to have some kind of a limit to surveillance. They can't be vacuuming all data in the name of finding a needle in the haystack."

Sunil Abraham, Executive Director at Center for Internet and Society, suggested the Indian government should replace proprietary operating systems and Android on phones with pure free software projects, use of virtual private network on phones to carry voice and data traffic, and encrypt voice and data payloads separately.

"When it comes to all the other services provided by Gemalto, the India government should insist that they will do key management on their own. This will also mitigate the compromise of Gemalto's enterprise networks by the NSA," he said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-jayadevan-pk-neha-alawadhi-february-25-2015-hacking-of-sim-card-by-spy-agencies-raises-fears-of-sensitive-documents-being-leaked

Hackers Take Protest to Indian Streets and Cyberspace

praskrishna — 2012-06-18T04:02:21Z

First there was self-styled Gandhian activist Anna Hazare who took to the streets to protest corruption. Now a group agitating against censorship on the Internet has arrived in India.

This article by Shreya Shah was published in the Wall Street Journal on June 8, 2012 Pranesh Prakash is quoted in this article.

Only this time, the location is cyberspace and their modus operandi hacking.

In the last few months, Anonymous –a group of hackers, or hacktivists as they like to call themselves –has gone after Web sites of political parties, government sites and Internet service providers, the latest being MTNL, to protest censorship on the Internet.

The group says they are opposing laws including the 2008 Information Technology (Amendment) Act and the Information Technology (Intermediaries Guidelines) Rules of 2011, which they say unfairly restrict Internet freedom.

On Saturday, the hackers will take their protest to the streets, with an Occupy Wall Street-style march called ”Operation Occupy India” planned in 17 cities including Mumbai, Delhi, Indore in Madhya Pradesh, Nagpur in Maharashtra and Kundapur in Karnataka. The group has requested all protestors to wear Guy Fawkes masks, the symbol of Anonymous.

“This time the common man wants to help us,” an “anon,” which is what members of the group call themselves, told India Real Time.

Anonymous, which has a global presence, catapulted to fame with its attacks on Visa, Mastercard and Paypal.

This is how the group attacks Web sites: It overwhelms them with thousands of requests from different computer systems simultaneously. The Web site is unable to handle the load and crashes.

The group intensified its attacks after Internet Service Providers like Reliance, MTNL and Airtel temporarily blocked file sharing sites like Vimeo, Dailymotion, Patebin and Pirate bay, citing a Court order.

But many question the method used by Anonymous.

“I don’t believe in defacing or hacking government Web sites to prove a point,” says Ankit Fadia, a cyber security expert. “You can’t hold the government ransom,” he adds.

In an open letter to the government, Anonymous India defended its actions. It wrote that traditional ways of protesting are losing meaning and this is a new method to pressure the politicians.

Members of the group say that like a regular protest on the street, they too block the infrastructure of their opponents. Except in this case, the infrastructure is located in cyberspace.

This is a “geek method of attacking,” said the anon who spoke to India Real Time. The group does not plan to attacks sites like that of the Indian railways, for instance, which is used by the masses, he explained.

But not everyone is convinced.

The group attacked the Web site of India’s Supreme Court even when it says it does not attack Web sites used by the common man, says Pranesh Prakash, Program Director of the Center for Internet and Society.

The IT Act is another reason Anonymous is protesting. The Act gives the government the power to remove content it finds offensive. The government can also restrict public access to a Web site.

Anonymous is also protesting the Intermediary Guidelines of 2011. According to this Act, a site that hosts offensive content will have to remove it within 36 hours of a complaint against it.

As a result, Web sites like Google and Facebook are facing criminal cases for hosting objectionable content on their site.

“This government does not stand for censorship; this government does not stand for infringement of free speech. Indeed, this government does not stand for regulation of free speech,” Kapil Sibal, the Communications and Information Technology Minister told the Rajya Sabha, or the upper house of the Indian Parliament, last month.

Pranesh Prakash, of the Center for Internet and Society told India Real Time that he does not believe that Anonymous will influence policy makers. He says that the main aim of a protest is to get media attention, and in turn get the attention of the people.

But he agrees that India’s cyber laws are “hopelessly flawed” and create a framework by which not only the government but everyone can censor.

He adds, “The laws are a greater threat than Anonymous.”

Photo Source: Joel Saget/Agence France-Presse/Getty Images

For more details visit https://cis-india.org/news/hackers-take-protest-to-indian-streets-and-cyberspace

Hacker steals 17 million Zomato users’ data, briefly puts it on dark web

praskrishna — 2017-05-20T05:57:14Z

Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.

The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chenna was published in the Times of India on May 19, 2017. Pranesh Prakash was quoted.

According to information security blog and news website HackRead, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, Zomato claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".

In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.

The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users was compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.

Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.

However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.

Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.

"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.

Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.

In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."

HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.

According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.

What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."

Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web

Hack Night in CIS ― A Meeting of Java Script Hackers

Tom Dane — 2011-10-27T11:36:26Z

CIS hosted a hack night in conjunction with the tech-event organizers HasGeek at its office on 24 September 2011. The event brought together local java script hackers on a common platform. Tom Dane and Kiran Jonnalagadda participated in the event.

The idea behind hosting the event was to have fun building cool stuff. The participants met in the afternoon to decide on projects and group into teams, and then Sudar Muthu gave an explanation of node.js and its usage for the hack. There were also some very cool free t-shirts. Much code was written and caffeine shared until the morning when the projects were uploaded online.

One project was a game allowing players to pass a ball between computers. The source code is available here on GitHub. Aditya Yadav also worked on the beautiful jsFoo website during the night. Our friends from HasGeek made a short video showing a snippet of the event:

Below is the full list of participants:

Kiran Jonnalagadda
Aditya Yadav
Ritesh Kadmawala
MS Prakas Kumar Chakka
Amarjit Singh
Arun Kumar
Sudar Muthu
Aravinda VK
Ciju Cherian and
Pradip Caulagi

If you feel sad missing an event like this, be excited because HasGeek is hosting Droidcon India next month.
About Hasgeek
HasGeek is a developer-led initiative, and has been un-organising the unconference scene since 2010. HasGeek is an attempt to solve the problem of insipid conferences organised around buzzwords by uninterested, soulless corporate entities who pitch them as company training events or as places for companies to pick up hot developers.

For more info on Hasgeek, click here
For info on jsFoo, click here

For more details visit https://cis-india.org/internet-governance/hacking-cis

Hack exposes Zomato's weak protection of customer data, say Cyber experts

praskrishna — 2017-05-19T09:11:40Z

Online restaurant aggregator says it will beef up security after 17 million user details were stolen.

The article by Alnoor Peermohamed was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.

After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service Zomato has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.

The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.

However, cyber security experts pointed out that Zomato was clearly lacking in its technique to protect customer data from unwanted elements .

Sajal Thomas, a cyber security consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that Zomato had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.

Further, he said Zomato had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.

Zomato in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."

It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.

While Zomato says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.

"If you had a password for Zomato that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.

If you had a password for Zomato that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! https://t.co/CbhtxCwlnD
— Pranesh Prakash (@pranesh) May 18, 2017

According to Prakash, a statement by Zomato misled people on how serious the security breach was by providing a false sense of security.

Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their Zomato account.

The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on Zomato.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts

Habeas Data in India

Vipul Kharbanda and edited by Elonnai Hickok — 2016-12-10T04:01:40Z

Habeas Data is a latin word which can be loosely translated to mean “have the data”. The right has been primarily conceptualized, designed, ratified, and implemented by various nation-states in the background of a shared common history of decades of torture, terror, and other repressive practices under military juntas and other fascist regimes.

Download the Paper (PDF)

Introduction

The writ of habeas data was a distinct response to these recent histories which provided individuals with basic rights to access personal information collected by the state (and sometimes byprivate agencies of a public nature) and to challenge and correct such data, requiring the state to safeguard the privacy and accuracy of people's personal data.[1]

The origins of Habeas Data are traced back, unsurprisingly, to the European legal regime since Europe is considered as the fountainhead of modern data protection laws. The inspiration for Habeas Data is often considered to be the Council of Europe's 108th Convention on Data Protection of 1981.[2] The purpose of the Convention was to secure the privacy of individuals regarding the automated processing of personal data. For this purpose, individuals were granted several rights including a right to access their personal data held in an automated database.[3]

Another source or inspiration behind Habeas Data is considered to be the German legal system where a constitutional right to information self-determination was created by the German Constitutional Tribunal by interpretation of the existing rights of human dignity and personality. This is a right to know what type of data is stored on manual and automatic databases about an individual, and it implies that there must be transparency on the gathering and processing of such data.[4]

Habeas Data is essentially a right or mechanism for an individual complaint presented to a constitutional court, to protect the image, privacy, honour, information self-determination and freedom of information of a person. [5]

A Habeas Data complaint can be filed by any citizen against any register to find out what information is held about his or her person. That person can request the rectification, update or even the destruction of the personal data held, it does not matter most of the times if the register is private or public.[6]

Habeas Data in different jurisdictions

Habeas Data does not have any one specific definition and has different characteristics in different jurisdictions. Therefore, in order to better understand the right, it will be useful to describe the scope of Habeas Data as it has been incorporated in certain jurisdictions in order to better understand what the right entails:[7]

Brazil

The Constitution of Brazil grants its citizens the right to get a habeas data “a. to assure knowledge of personal information about the petitioner contained in records or data banks of government agencies or entities of a public character; b. to correct data whenever the petitioner prefers not to do so through confidential judicial or administrative proceedings;[8]

The place or tribunal where the Habeas Data action is to be filed changes depending on who is it presented against, which creates a complicated system of venues. Both the Brazilian constitution and the 1997 law stipulate that the court will be:

The Superior Federal Tribunal for actions against the President, both chambers of Congress and itself;
The Superior Justice Tribunal for actions against Ministers or itself;
The regional federal judges for actions against federal authorities;
State tribunals according to each state law;
State judges for all other cases.[9]

Paraguay
The Constitution of Paraguay grants a similar right of habeas data in its constitution which states:

"All persons may access the information and the data that about themselves, or about their assets, [that] is [obren] in official or private registries of a public character, as well as to know the use made of the same and of their end. [All persons] may request before the competent magistrate the updating, the rectification or the destruction of these, if they were wrong or illegitimately affected their rights."[10]

Compared to the right granted in Brazil, the text of the Paraguay Constitution specifically recognises that the citizen also has the right to know the use his/her data is being put to.

Argentina

Article 43 of the Constitution of Argentina grants the right of habeas data, though it has been included under the action of “amparo”,[11] the relevant portion of Article 43 states as follows:

"Any person may file an amparo action to find out and to learn the purpose of data about him which is on record in public registries or data banks, or in any private [registers or data banks] whose purpose is to provide information, and in case of falsity or discrimination, to demand the suppression, rectification, confidentiality, or updating of the same. The secrecy of journalistic information sources shall not be affected."[12]

The version of Habeas Data recognised in Argentina includes most of the protections seen in Brazil and Paraguay, such as the right to access the data, rectify it, update it or destroy it, etc. Nevertheless, the Argentinean constitution also includes certain other features such as the fact that it incorporates the Peruvian idea of confidentiality of data, being interpreted as the prohibition to broadcast or transmit incorrect or false information. Another feature of the Argentinean law is that it specifically excludes the press from the action, which may be considered as reasonable or unreasonable depending upon the context and country in which it is applied.[13]

Venezuela
Article 28 of the Constitution of Venezuela established the writ of habeas data, which expressly permits access to information stored in official and private registries. It states as follows:

"All individuals have a right to access information and data about themselves and about their property stored in official as well as private registries. Secondly, they are entitled to know the purpose of and the policy behind these registries. Thirdly, they have a right to request, before a competent tribunal, the updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements. The law shall establish exceptions to these principles. By the same token, any person shall have access to information that is of interest to communities and groups. The secrecy of the sources of newspapers-and of other entities or individuals as defined by law-shall be preserved."[14]

The Venezuelan writ of habeas data expressly provides that individuals "are entitled to know the purpose of and the policy behind these registries." Also, it expresses a right to "updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements." Article 28 also declares that the “secrecy of the sources of newspapers and of other entities or individuals as defined by law-shall be preserved."[15]

Philippines

It is not as if the remedy of Habeas Data is available only in Latin American jurisdictions, but even in Asia the writ of Habeas Data has been specifically granted by the Supreme Court of the Philippines vide its resolution dated January 22, 2008 which provides that “The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party.” According to the Rule on Writ of Habeas Data, the petition is to be filed with the Regional Trial Court where the petitioner or respondent resides, or which has jurisdiction over the place where the data or information is gathered, collected or stored, at the option of the petitioner. The petition may also be filed with the Supreme Court or the Court of Appeals or the Sandiganbayan when the action concerns public data files of government offices.[16]

Two major distinctions are immediately visible between the Philippine right and that in the latin jurisdictions discussed above. One is the fact that in countries such as Bazil, Argentina and Paraguay, there does not appear to be a prerequisite to filing such an action asking for the information, whereas in Philippines it seems that such a petition can only be filed only if an individual’s “right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission”. This means that the Philippine concept of habeas data is much more limited in its scope and is available to the citizens only under certain specific conditions. On the other hand the scope of the Philippine right of Habeas Data is much wider in its applicability in the sense that this right is available even against private individual and entities who are “engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence”. In the Latin American jurisdictions discussed above, this writ appears to be available only against either public institutions or private institutions having some public character.

Main features of Habeas Data

Thus from the discussion above, the main features of the writ of habeas data, as it is applied in various jurisdictions can be culled out as follows: [17]

It is a right to the individual or citizen to ask for his/her information contained with any data registry;
It is available only against public (government) entities or employees; or private entities having a public character;[18]
Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
It is a remedy that is usually available by approaching any single judicial forum.

Since the writ of Habeas Data has been established and evolved primarily in Latin American countries, there is not too much literature on it available freely in the English language and that is a serious hurdle in researching this area. For example, this author did not find many article mentioning the scope of the writ of habeas data, for example whether it is an absolute right and on what grounds can it be denied. The Constitution of Venezuela, for example, specifies that the law shall establish exceptions to these principles and infact mentions the secrecy of sources for newspapers as an exception to this rule.[19]

Similarly in Argentina, there exists a public interest exception to the issuance of the writ of Habeas Data.[20]

That said, although little literature on the specific exceptions to habeas data is freely available in English, references can still be found to exceptions such as state security (Brazil), secrecy of newspaper sources (Argentina and Venezuela), or other entities defined by law (Venezuela).[21]

This suggests that the, as would be expected, the right to ask for the writ of habeas data is not an absolute right but would also be subject to certain exceptions and balanced against other needs such as state security and police investigations.

Habeas Data in the context of Privacy

Data protection legislation and mechanisms protect people against misuse of personal information by data controllers. Habeas Data, being a figure for use only by certain countries, gives the individuals the right to access, correct, and object to the processing of their information.

In general, privacy is the genus and data protection is the species, data protection is a right to personal privacy that people have against the possible use of their personal data by data controllers in an unauthorized manner or against the requirements of force. Habeas Data is an action that is brought before the courts to allow the protection of the individual’s image, privacy, honour, self-determination of information and freedom of information of a person. In that sense, the right of Habeas Data can be found within the broader ambit of data protection. It does not require data processors to ensure the protection of personal data processed but is a legal action requiring the person aggrieved, after filing a complaint with the courts of justice, the access and/or rectification to any personal data which may jeopardize their right to privacy.[22]

Habeas Data in the Indian Context

Although a number of judgments of the Apex Court in India have recognised the existence of a right to privacy by interpreting the fundamental rights to life and free movement in the Constitution of India,[23]

the writ of habeas data has no legal recognition under Indian law. However, as is evident from the discussion above, a writ of habeas data is very useful in protecting the right to privacy of individuals and it would be a very useful tool to have in the hands of the citizens. The fact that India has a fairly robust right to information legislation means that atleast some facets of the right of habeas data are available under Indian law. We shall now examine the Indian Right to Information Act, 2005 (RTI Act) to see what facets of habeas data are already available under this Act and what aspects are left wanting. As mentioned above, the writ of habeas data has the following main features:

It is a right to the individual or citizen to ask for his/her information contained with any data registry;
It is available only against public (government) entities or employees; or private entities having a public character;[24]
Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
It is a remedy that is usually available by approaching any single judicial forum.

We shall now take each of these features and analyse whether the RTI Act provides any similar rights and how they differ from each other.

Right to seek his/her information contained with a data registry

Habeas data enables the individual to seek his or her information contained in any data registry. The RTI Act allows citizens to seek “information” which is under the control of or held by any public authority. The term information has been defined under the RTI Act to mean “any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force”.[25]

Further, the term “record” has been defined to include “(a) any document, manuscript and file; (b) any microfilm, microfiche and facsimile copy of a document; (c) any reproduction of image or images embodied in such microfilm (whether enlarged or not); and (d) any other material produced by a computer or any other device”. It is quite apparent that the meaning given to the term information is quite wide and can include various types of information within its fold. The term “information” as defined in the RTI Act has been further elaborated by the Supreme Court in the case of Central Board of Secondary Education v. Aditya Bandopadhyay,[26]

where the Court has held that a person’s evaluated answer sheet for the board exams held by the CBSE would come under the ambit of “information” and should be accessible to the person under the RTI Act.[27]

An illustrative list of items that have been considered to be “information” under the RTI Act would be helpful in further understanding the concept:

Asset declarations by Judges;[28]
Copy of inspection report prepared by the Reserve Bank of India about a Co-operative Bank;[29]
Information on the status of an enquiry;[30]
Information regarding cancellation of an appointment letter;[31]
Information regarding transfer of services;[32]
Information regarding donations given by the President of India out of public funds.[33]

The above list would indicate that any personal information relation to an individual that is available in a government registry would in all likelihood be considered as “information” under the RTI Act.

However, just because the information asked for is considered to come within the ambit of section 2(h) does not mean that the person will be granted access to such information if it falls under any of the exceptions listed in section 8 of the RTI Act. Section 8 provides that if the information asked falls into any of the categories specified below then such information shall not be released in an application under the RTI Act, the categories are:

"(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;
(b) information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;
(c) information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature;
(d) information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;
(e) information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;
(f) information received in confidence from foreign Government;
(g) information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;
(h) information which would impede the process of investigation or apprehension or prosecution of offenders;
(i) cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:
Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:
Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;
(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:
Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person."

The above mentioned exceptions seem fairly reasonable and infact are important since public records may contain information of a private nature which the data subject would not want revealed, and that is exactly why personal information is a specific exception mentioned under the RTI Act. When comparing this list to the recognised exceptions under habeas data, it must be remembered that a number of the exceptions listed above would not be relevant in a habeas data petition such as commercial secrets, personal information, etc. The exceptions which could be relevant for both the RTI Act as well as a habeas data writ would be (a) national security or sovereignty, (b) prohibition on publication by a court, (c) endangering the physical safety of a person, (d) hindrance in investigation of a crime. It is difficult to imagine a court (especially in India) granting a habeas data writ in violation of these four exceptions.

Certain other exceptions that may be relevant in a habeas data context but are not mentioned in the common list above are (a) information received in a fiduciary relationship; (b) breach of legislative privilege, (c) cabinet papers; and (d) information received in confidence from a foreign government. These four exceptions are not as immediately appealing as the others listed above because there are obviously competing interests involved here and different jurisdictions may take different points of view on these competing interests.[34]

Available only against public (government) entities or entities having public character.

A habeas corpus writ is maintainable in a court to ask for information relating to the petitioner held by either a public entity or a private entity having a public character. In India, the right to information as defined in the RTI Act means the right to information accessible under the Act held by or under the control of any public authority. The term "public authority" has been defined under the Act to mean “any authority or body or institution of self-government established or constituted—

(a) by or under the Constitution;
(b) by any other law made by Parliament;
(c) by any other law made by State Legislature;
(d) by notification issued or order made by the appropriate Government, and includes any— (i) body owned, controlled or substantially financed; (ii) non-Government organisation substantially financed, directly or indirectly by funds provided by the appropriate Government;"[35]

Therefore most government departments as well as statutory as well as government controlled corporations would come under the purview of the term "public authority". For the purposes of the RTI Act, either control or substantial financing by the government would be enough to bring an entity under the definition of public authority.[36]

The above interpretation is further bolstered by the fact that the preamble of the RTI Act contains the term “governments and their instrumentalities".[37]

Right to correct wrong information
While certain sectoral legislations such as the Representation of the People Act and the Collection of Statistics Act, etc. may provide for correction of inaccurate information, the RTI Act does not have any such provisions. This stands to reason because the RTI Act is not geared towards providing people with information about themselves but is instead a transparency law which is geared at dissemination of information, which may or may not relate to an individual.

Available upon approaching a single judicial forum
While the right of habeas data is available only upon approaching a judicial forum, the right to information under the RTI Act is realised entirely through the bureaucratic machinery. This also means that the individuals have to approach different entities in order to get the information that they need instead of approaching just one centralised entity.

Conclusion

There is no doubt that habeas data, by itself cannot end massive electronic surveillance of the kind that is being carried out by various governments in this day and age and the excessive collection of data by private sector companies, but providing the citizenry with the right to ask for such a writ would provide a critical check on such policies and practices of vast surveillance.[38]

An informed citizenry, armed with a right such as habeas data, would be better able to learn about the information being collected and kept on them under the garb of law and governance, to access such information, and to demand its correction or deletion when its retention by the government is not justified.

As we have discussed in this paper, under Indian law the RTI Act gives the citizens certain aspects of this right but with a few notable exceptions. Therefore, if a writ such as habeas data is to be effectuated in India, it might perhaps be a better idea to approach it by amending/tweaking the existing structure of the RTI Act to grant individuals the right to correct mistakes in the data along with creating a separate department/mechanism so that the applications demanding access to one’s own data do not have to be submitted in different departments but can be submitted at one central place. This approach may be more pragmatic rather than asking for a change in the Constitution to grant to the citizens the right to ask for a writ in the nature of habeas data.

There may be calls to also include private data processors within the ambit of the right to habeas data, but it could be challenging to enforce this right. This is because it is still feasible to assume that the government can put in place machinery to ensure that it can find out whether information about a particular individual is available with any of the government’s myriad departments and corporations, however it would be almost impossible for the government to track every single private database and then scan those databases to find out how many of them contain information about any specific individual. This also throws up the question whether a right such as habeas data, which originated in a specific context of government surveillance, is appropriate to protect the privacy of individuals in the private sector. Since under Indian law section 43A and the Rules thereunder, which regulate data protection, already provide for consent and notice as major bulwarks against unauthorised data collection, and limit the purpose for which such data can be utilised, privacy concerns in this context can perhaps be better addressed by strengthening these provisions rather than trying to extend the concept of habeas data to the private sector.

[1]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[2]. Article 8 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981, available at https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37

[3]. Guadamuz A, 'Habeas Data: The Latin-American Response to Data Protection',2000 (2) The Journal of Information, Law and Technology (JILT).

[4]. Id.

[5]. Speech by Chief Justice Reynato Puno, Supreme Court of Philippines delivered at the UNESCO Policy Forum and Organizational Meeting of the Information for all Program (IFAP), Philippine National Committee, on November 19, 2007, available at http://jlp-law.com/blog/writ-of-habeas-data-by-chief-justice-reynato-puno/

[6]. Guadamuz A, 'Habeas Data: The Latin-American Response to Data Protection',2000 (2) The Journal of Information, Law and Technology (JILT).

[7]. The author does not purport to be an expert on the laws of these jurisdictions and the analysis in this paper has been based on a reading of the actual text or interpretations given in the papers that have been cited as the sources. The views in this paper should be viewed keeping this context in mind.

[8]. Article 5, LXXII of the Constitution of Brazil, available at https://www.constituteproject.org/constitution/Brazil_2014.pdf

[9]. Guadamuz A, 'Habeas Data vs the European Data Protection Directive', Refereed article, 2001 (3) The Journal of Information, Law and Technology (JILT).

[10]. Article 135 of the Constitution of Paraguay, available at https://www.constituteproject.org/constitution/Paraguay_2011.pdf?lang=en

[11]. The petition for a writ of amparo is a remedy available to any person whose right to life, liberty and security is violated or threatened with violation by an unlawful act or omission of a public official or employee, or of a private individual or entity.

[12]. Article 43 of the Constitution of Argentina, available at https://www.constituteproject.org/constitution/Argentina_1994.pdf?lang=en

[13]. https://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2001_3/guadamuz/

[14]. Article 28 of the Venezuelan Constitution, available at http://www.venezuelaemb.or.kr/english/ConstitutionoftheBolivarianingles.pdf

[15]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[16]. Rule on the Writ of Habeas Data Resolution, available at http://hrlibrary.umn.edu/research/Philippines/Rule%20on%20Habeas%20Data.pdf

[17]. The characteristics of habeas data culled out in this paper are by no means exhaustive and based only on the analysis of the jurisdictions discussed in this paper. This author does not claim to have done an exhaustive analysis of every jurisdiction where Habeas Data is available and the views in this paper should be viewed in that context.

[18]. Except in the case of the Philippines and Venezeula. This paper has not done an analysis of the writ of habeas data in every jurisdiction where it is available and there may be jurisdictions other than the Philippines which also give this right against private entities.

[19]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[20]. The case of Ganora v. Estado Nacional, Supreme Court of Argentina, September 16, 1999, cf.http://www.worldlii.org/int/journals/EPICPrivHR/2006/PHR2006-Argentin.html

[21]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[22]. http://www.oas.org/dil/data_protection_privacy_habeas_data.htm

[23]. Even the scope of the right to privacy is currently under review in the Supreme Court of India. See “Right to Privacy in Peril”, http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[24]. Except in the case of the Philippines. This paper has not done an analysis of the writ of habeas data in every jurisdiction where it is available and there may be jurisdictions other than the Philippines which also give this right against private entities.

[25]. Section 2(f) of the Right to Information Act, 2005.

[26]. 2011 (106) AIC 187 (SC), also available at http://judis.nic.in/supremecourt/imgst.aspx?filename=38344

[27]. The exact words of the Court were: “The definition of `information' in section 2(f) of the RTI Act refers to any material in any form which includes records, documents, opinions, papers among several other enumerated items. The term `record' is defined in section 2(i) of the said Act as including any document, manuscript or file among others. When a candidate participates in an examination and writes his answers in an answer-book and submits it to the examining body for evaluation and declaration of the result, the answer-book is a document or record. When the answer-book is evaluated by an examiner appointed by the examining body, the evaluated answer-book becomes a record containing the `opinion' of the examiner. Therefore the evaluated answer-book is also an `information' under the RTI Act.”

[28]. Secretary General, Supreme Court of India v. Subhash Chandra Agarwal, AIR 2010 Del 159, available at https://indiankanoon.org/doc/1342199/

[29]. Ravi Ronchodlal Patel v. Reserve Bank of India, Central Information Commission, dated 6-9-2006.

[30]. Anurag Mittal v. National Institute of Health and Family Welfare, Central Information Commission, dated 29-6-2006.

[31]. Sandeep Bansal v. Army Headquarters, Ministry of Defence, Central Information Commission, dated 10-11-2008.

[32]. M.M. Kalra v. DDA, Central Information Commission, dated 20-11-2008.

[33]. Nitesh Kumar Tripathi v. CPIO, Central Information Commission, dated 4-5-2012.

[34]. A similar logic may apply to the exceptions of (i) cabinet papers, and (ii) parliamentary privilege.

[35]. Section 2 (h) of the Right to Information Act, 2005.

[36]. M.P. Verghese v. Mahatma Gandhi University, 2007 (58) AIC 663 (Ker), available at https://indiankanoon.org/doc/1189278/

[37]. Principal, M.D. Sanatan Dharam Girls College, Ambala City v. State Information Commissioner, AIR 2008 P&H 101, available at https://indiankanoon.org/doc/1672120/

[38]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

For more details visit https://cis-india.org/internet-governance/blog/habeas-data-in-india

Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India

praskrishna — 2013-08-28T10:19:23Z

The Research Center of Media and Communication at the University of Hamburg organized the Summer School 2013 at Hamburg, Germany from July 29 to August 2, 2013. Dr. Nishant Shah was a panelist in the session on "Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India".

The Summer School Book of Abstracts/Information brochure can be downloaded here

This year’s Summer School offered by the Research Center of Media and Communication at the University of Hamburg picked up upon a crucial issue for current media development – a topic relevant to academia, media practice and media policy. In the age of digitisation, the landscape of media and communications is being increasingly influenced by phenomena that can be viewed as reappropriations of previously published media communications. The Summer School pursued central questions about the kinds of reappropriated media communications that were being developed and the relationship between ‘old’ and ‘new’ shaping them. This repurposing was analysed from four different perspectives: repurposing as recombination, as reactualisation, as piracy and as plagiarism.

For more details visit https://cis-india.org/news/repeat-remix-remediate-summer-school-2013