We are anonymous, we are legion

Firms find wealth in your data

Admin — 2018-07-25T16:06:30Z

Data collection and theft is quite prevalent and there is little an individual can do right now.

Data protection and privacy are the new buzzwords in the corridors of power in India. While a Ministry of Electronics and Technology committee led by retired Supreme Court Justice B N Srikrishna is working on a draft Data Protection Bill, the Telecom Regulatory Authority of India (TRAI) has come out with its own recommendations regarding privacy, security, and ownership of data in the telecom sector.

How is your data collected?

Every minute you spend online leads to your data being generated, collected and collated somewhere. “There is data that we volunteer. If I create an account for myself on any website I will provide my name, age, banking and so on,” says Amber Sinha, senior programme manager, Centre for Internet and Society.

“Then there is data which gets collected by telecom companies and companies which provide OTT (Over-The-Top) services, like Google Chrome. Much of this data is collected automatically — my browsing history, what links were open, what ads did I click on in Facebook etc. Most websites use trackers and cookies that continue working in the background. Even when you have closed the link and move on to another website, they still continue to collect data about you,” he adds.

What is the method behind this?

“In order to provide a service, there is some data that they need to collect. For example, a cab aggregator has to get my location in order to connect me to nearest cabs. Yet most companies collect data beyond what might be needed. Suppose you are availing an online service which involves a payment aspect. For authentication, an OTP is sent in the form of a text message. The online services will seek permission to read our messages so that they can automatically pull the OTP, saving us the trouble of having to key it in manually. But the system is designed in such a way that the permission they seek is for my entire message box,” explains Amber.

Read the complete article by Rajitha Menon in Deccan Herald published on July 20, 2018. Amber Sinha has been quoted.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-july-20-2018-rajitha-menon-firms-find-wealth-in-your-data

FinTech in India: A Study of Privacy and Security Commitments

Aayush Rathi and Shweta Mohandas — 2019-05-02T11:20:30Z

The unprecedented growth of the fintech space in India has concomitantly come with regulatory challenges around inter alia privacy and security concerns. This report studies the privacy policies of 48 fintech companies operating in India to better understand some of these concerns.

Access the full report: Download (PDF)

The report by Aayush Rathi and Shweta Mohandas was edited by Elonnai Hickok. Privacy policy testing was done by Anupriya Nair and visualisations were done by Saumyaa Naidu. The project is supported by the William and Flora Hewlett Foundation.

In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.In India, the Information Technology (Reasonable Security Practices andProcedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.

The objective of this study is to understand privacy commitments undertaken by fintech companies operating in India as documented in their public facing privacy policies. This exercise will be useful to understand what standards of privacy and security protection fintech companies are committing to via their organisational privacy policies. The research will do so by aiming to understand the alignment of the privacy policies with the requirements mandated under the SPD/I Rules. Contingent on the learnings from this exercise, trends observed in fintech companies’ privacy and security commitments will be culled out.

For more details visit https://cis-india.org/internet-governance/blog/aayush-rathi-and-shweta-mohandas-april-30-2019-fintech-in-india-a-study-of-privacy-and-security-commitments

FinFisher in India and the Myth of Harmless Metadata

maria — 2013-08-13T11:30:15Z

In this article, Maria Xynou argues that metadata is anything but harmless, especially since FinFisher — one of the world's most controversial types of spyware — uses metadata to target individuals.

In light of PRISM, the Central Monitoring System (CMS) and other such surveillance projects in India and around the world, the question of whether the collection of metadata is “harmless” has arisen.[1] In order to examine this question, FinFisher[2] — surveillance spyware — has been chosen as a case study to briefly examine to what extent the collection and surveillance of metadata can potentially violate the right to privacy and other human rights. FinFisher has been selected as a case study not only because its servers have been recently found in India[3] but also because its “remote monitoring solutions” appear to be very pervasive even on the mere grounds of metadata.

FinFisher in India

FinFisher is spyware which has the ability to take control of target computers and capture even encrypted data and communications. The software is designed to evade detection by anti-virus software and has versions which work on mobile phones of all major brands.[4] In many cases, the surveillance suite is installed after the target accepts installation of a fake update to commonly used software.[5] Citizen Lab researchers have found three samples of FinSpy that masquerades as Firefox.[6]

FinFisher is a line of remote intrusion and surveillance software developed by Munich-based Gamma International. FinFisher products are sold exclusively to law enforcement and intelligence agencies by the UK-based Gamma Group.[7] A few months ago, it was reported that command and control servers for FinSpy backdoors, part of Gamma International´s FinFisher “remote monitoring solutions”, were found in a total of 25 countries, including India.[8]

The following map, published by the Citizen Lab, shows the 25 countries in which FinFisher servers have been found.[9]


The above map shows the results of scanning for characteristics of FinFisher command and control servers.

FinFisher spyware was not found in the countries coloured blue, while the colour green is used for countries not responding. The countries using FinFisher range from shades of orange to shades of red, with the lightest shade of orange ranging to the darkest shade of red on a scale of 1-6, and with 1 representing the least active servers and 6 representing the most active servers in regards to the use of FinFisher. On a scale of 1-6, India is marked a 3 in terms of actively using FinFisher.[10]

Research published by the Citizen Lab reveals that FinSpy servers were recently found in India, which indicates that Indian law enforcement agencies may have bought this spyware from Gamma Group and might be using it to target individuals in India.[11] According to the Citizen Lab, FinSpy servers in India have been detected through the HostGator operator and the first digits of the IP address are: 119.18.xxx.xxx. Releasing complete IP addresses in the past has not proven useful, as the servers are quickly shut down and relocated, which is why only the first two octets of the IP address are revealed.[12]

The Citizen Lab's research reveals that FinFisher “remote monitoring solutions” were found in India, which, according to Gamma Group's brochures, include the following:

FinSpy: hardware or software which monitors targets that regularly change location, use encrypted and anonymous communications channels and reside in foreign countries. FinSpy can remotely monitor computers and encrypted communications, regardless of where in the world the target is based. FinSpy is capable of bypassing 40 regularly tested antivirus systems, of monitoring the calls, chats, file transfers, videos and contact lists on Skype, of conducting live surveillance through a webcam and microphone, of silently extracting files from a hard disk, and of conducting a live remote forensics on target systems. FinSpy is hidden from the public through anonymous proxies.[13]

FinSpy Mobile: hardware or software which remotely monitors mobile phones. FinSpy Mobile enables the interception of mobile communications in areas without a network, and offers access to encrypted communications, as well as to data stored on the devices that is not transmitted. Some key features of FinSpy Mobile include the recording of common communications like voice calls, SMS/MMS and emails, the live surveillance through silent calls, the download of files, the country tracing of targets and the full recording of all BlackBerry Messenger communications. FinSpy Mobile is hidden from the public through anonymous proxies.[14]

FinFly USB: hardware which is inserted into a computer and which can automatically install the configured software with little or no user-interaction and does not require IT-trained agents when being used in operations. The FinFly USB can be used against multiple systems before being returned to the headquarters and its functionality can be concealed by placing regular files like music, video and office documents on the device. As the hardware is a common, non-suspicious USB device, it can also be used to infect a target system even if it is switched off.[15]

FinFly LAN: software which can deploy a remote monitoring solution on a target system in a local area network (LAN). Some of the major challenges law enforcement faces are mobile targets, as well as targets who do not open any infected files that have been sent via email to their accounts. FinFly LAN is not only able to deploy a remote monitoring solution on a target´s system in local area networks, but it is also able to infect files that are downloaded by the target, by sending fake software updates for popular software or to infect the target by injecting the payload into visited websites. Some key features of the FinFly LAN include: discovering all computer systems connected to LANs, working in both wired and wireless networks, and remotely installing monitoring solutions through websites visited by the target. FinFly LAN has been used in public hotspots, such as coffee shops, and in the hotels of targets.[16]

FinFly Web: software which can deploy remote monitoring solutions on a target system through websites. FinFly Web is designed to provide remote and covert infection of a target system by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the agent to easily create a custom infection code according to selected modules. It provides fully-customizable web modules, it can be covertly installed into every website and it can install the remote monitoring system even if only the email address is known.[17]

FinFly ISP: hardware or software which deploys a remote monitoring solution on a target system through an ISP network. FinFly ISP can be installed inside the Internet Service Provider Network, it can handle all common protocols and it can select targets based on their IP address or Radius Logon Name. Furthermore, it can hide remote monitoring solutions in downloads by targets, it can inject remote monitoring solutions as software updates and it can remotely install monitoring solutions through websites visited by the target.[18]

Although FinFisher is supposed to be used for “lawful interception”, it has gained notoriety for targeting human rights activists.[19] According to Morgan Marquis-Boire, a security researcher and technical advisor at the Munk School and a security engineer at Google, FinSpy has been used in Ethiopia to target an opposition group called Ginbot.[20] Researchers have argued that FinFisher has been sold to Bahrain's government to target activists, and such allegations were based on an examination of malicious software which was emailed to Bahraini activists.[21] Privacy International has argued that FinFisher has been deployed in Turkmenistan, possibly to target activists and political dissidents.[22]

Many questions revolving around the use of FinFisher and its “remote monitoring solutions” remain vague, as there is currently inadquate proof of whether this spyware is being used to target individuals by law enforcement agencies in the countries where command and control servers have been found, such as India.[23] However, FinFisher's brochures which were circulated in the ISS world trade shows and leaked by WikiLeaks do reveal some confirmed facts: Gamma International claims that its FinFisher products are capable of taking control of target computers, of capturing encrypted data and of evading mainstream anti-virus software.[24] Such products are exhibited in the world's largest surveillance trade show and probably sold to law enforcement agencies around the world.[25] This alone unveils a concerning fact: spyware which is so sofisticated that it even evades encryption and anti-virus software is currently in the market and law enforcement agencies can potentially use it to target activists and anyone who does not comply with social conventions.[26] A few months ago, two Indian women were arrested after having questioned the shutdown of Mumbai for Shiv Sena patriarch Bal Thackeray's funeral.[27] Thus, it remains unclear what type of behaviour is targeted by law enforcement agencies and whether spyware, such as FinFisher, would be used in India to track individuals without a legally specified purpose.

Furthermore, India lacks privacy legislation which could safeguard individuals from potential abuse, while sections 66A and 69 of the Information Technology (Amendment) Act, 2008, empower Indian authorities with extensive surveillance capabilites.[28] While it remains unclear if Indian law enforcement agencies are using FinFisher spy products to unlawfully target individuals, it is a fact that FinFisher control and command servers have been found in India and that, if used, they could potentially have severe consequences on individuals' right to privacy and other human rights.[29]

The Myth of Harmless Metadata

Over the last months, it has been reported that the Central Monitoring System (CMS) is being implemented in India, through which all telecommunications and Internet communications in the country are being centrally intercepted by Indian authorities. This mass surveillance of communications in India is enabled by the omission of privacy legislation and Indian authorities are currently capturing the metadata of communications.[30]

Last month, Edward Snowden leaked confidential U.S documents on PRISM, the top-secret National Security Agency (NSA) surveillance programme that collects metadata through telecommunications and Intenet communications. It has been reported that through PRISM, the NSA has tapped into the servers of nine leading Internet companies: Microsoft, Google, Yahoo, Skype, Facebook, YouTube, PalTalk, AOL and Apple.[31] While the extent to which the NSA is actually tapping into these servers remains unclear, it is certain that the NSA has collected metadata on a global level.[32] Yet, the question of whether the collection of metadata is “harmful” remains ambiguous.

According to the National Information Standards Organization (NISO), the term “metadata” is defined as “structured information that describes, explains, locates or otherwise makes it easier to retrieve, use or manage an information resource”. NISO claims that metadata is “data about data” or “information about information”.[33] Furthermore, metadata is considered valuable due to its following functions:

Resource discovery
Organizing electronic resources
Interoperability
Digital Identification
Archiving and preservation

Metadata can be used to find resources by relevant criteria, to identify resources, to bring similar resources together, to distinguish dissimilar resources and to give location information. Electronic resources can be organized through the use of various software tools which can automatically extract and reformat information for Web applications. Interoperability is promoted through metadata, as describing a resource with metadata allows it to be understood by both humans and machines, which means that data can automatically be processed more effectively. Digital identification is enabled through metadata, as most metadata schemes include standard numbers for unique identification. Moreover, metadata enables the archival and preservation of large volumes of digital data.[34]

Surveillance projects, such as PRISM and India's CMS, collect large volumes of metadata, which include the numbers of both parties on a call, location data, call duration, unique identifiers, the International Mobile Subscriber Identity (IMSI) number, email addresses, IP addresses and browsed webpages.[35] However, the fact that such surveillance projects may not have access to content data might potentially create a false sense of security.[36] When Microsoft released its report on data requests by law enforcement agencies around the world in March 2013, it revealed that most of the disclosed data was metadata, while relatively very little content data was allegedly disclosed.[37]

imilarily, Google's transparency report reveals that the company disclosed large volumes of metadata to law enforcement agencies, while restricting its disclosure of content data.[38]

Such reports may potentially provide a sense of security to the public, as they reassure that the content of personal emails, for example, has not been shared with the government, but merely email addresses – which might be publicly available online anyway. However, is content data actually more “harmful” than metadata? Is metadata “harmless”? How much data does metadata actually reveal?

The Guardian recently published an article which includes an example of how individuals can be tracked through their metadata. In particular, the example explains how an individual is tracked – despite using an anonymous email account – by logging in from various hotels' public Wi-Fi and by leaving trails of metadata that include times and locations. This example illustrates how an individual can be tracked through metadata alone, even when anonymous accounts are being used.[39]

Wired published an article which states that metadata can potentially be more harmful than content data because “unlike our words, metadata doesn't lie”. In particular, content data shows what an individual says – which may be true or false – whereas metadata includes what an individual does. While the validity of the content within an email may potentially be debateable, it is undeniable that an individual logged into specific websites – if that is what that individuals' IP address shows. Metadata, such as the browsing habits of an individual, may potentially provide a more thorough and accurate profile of an individual than that individuals' email content, which is why metadata can potentially be more harmful than content data.[40]

Furthermore, voice content is hard to process and written content in an email or chat communication may not always be valid. Metadata, on the other hand, provides concrete patterns of an individuals' behaviour, interests and interactions. For example, metadata can potentially map out an individuals' political affiliation, interests, economic background, institution, location, habits and the people that individual interacts with. Such data can potentially be more valuable than content data, because while the validity of email content is debateable, metadata usually provides undeniable facts. Not only is metadata more accurate than content data, but it is also ideally suited to automated analysis by a computer. As most metadata includes numeric figures, it can easily be analysed by data mining software, whereas content data is more complicated.[41]

FinFisher products, such as FinFly LAN, FinFly Web and FinFly ISP, provide solid proof that the collection of metadata can potentially be “harmful”. In particular, FinFly LAN can be deployed in a target system in a local area network (LAN) by infecting files that are downloaded by the target, by sending fake software updates for popular software or by infecting the payload into visited websites. The fact that FinFly LAN can remotely install monitoring solutions through websites visited by the target indicates that metadata alone can be used to acquire other sensitive data.[42]

FinFly Web can deploy remote monitoring solutions on a target system through websites. Additionally, FinFly Web can be covertly installed into every website and it can install the remote monitoring system even if only the email address is known.[43] FinFly ISP can select targets based on their IP address or Radius Logon Name. Furthermore, FinFly ISP can remotely install monitoring solutions through websites visited by the target, as well as inject remote monitoring solutions as software updates.[44] In other words, FinFisher products, such as FinFly LAN, FinFly Web and FinFly ISP, can target individuals, take control of their computers and their data, and capture even encrypted data and communications with the help of metadata alone.

The example of FinFisher products illustrates that metadata can potentially be as “harmful” as content data, if acquired unlawfully and without individual consent.[45] Thus, surveillance schemes, such as PRISM and India's CMS, which capture metadata without individuals' consent can potentially pose a major threat to the right to privacy and other human rights.[46] Privacy can be defined as the claim of individuals, groups or institutions to determine when, how and to what extent information about them is communicated to others.[47] Furthermore, privacy is at the core of human rights because it protects individuals from abuse by those in power.[48] The unlawful collection of metadata exposes individuals to the potential violation of their human rights, as it is not transparent who has access to their data, whether it is being shared with third parties or for how long it is being retained.

It is not clear if Indian law enforcement agencies are actually using FinFisher products, but the Citizen Lab did find FinFisher command and control servers in the country which indicates that there is a high probability that such spyware is being used.[49] This probability is highly concerning not only because the specific spy products have such advanced capabilities that they are even capable of capturing encrypted data, but also because India currently lacks privacy legislation which could safeguard individuals.

Thus, it is recommended that Indian law enforcement agencies are transparent and accountable if they are using spyware which can potentially breach their citizens' human rights and that privacy legislation is enacted into law. Lastly, it is recommended that all surveillance technologies are strictly regulated with regards to the protection of human rights and that Indian authorities adopt the principles on communication surveillance formulated by the Electronic Frontier Foundation and Privacy International.[50] The above could provide a decisive first step in ensuring that India is the democracy it claims to be.

[1]. Robert Anderson (2013), “Wondering What Harmless 'Metadata' Can Actually Reveal? Using Own Data, German Politician Shows Us”, The CSIA Foundation, http://bit.ly/1cIhu7G

[2]. Gamma Group, FinFisher IT Intrusion, http://bit.ly/fnkGF3

[3]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, “You Only Click Twice: FinFisher's Global Proliferation”, The Citizen Lab, 13 March 2013, http://bit.ly/YmeB7I

[4]. Michael Lewis, “FinFisher Surveillance Spyware Spreads to Smartphones”, The Star: Business, 30 August 2012, http://bit.ly/14sF2IQ

[5]. Marcel Rosenbach, “Troublesome Trojans: Firm Sought to Install Spyware Via Faked iTunes Updates”, Der Spiegel, 22 November 2011, http://bit.ly/14sETVV

[6]. Intercept Review, Mozilla to Gamma: stop disguising your FinSpy as Firefox, 02 May 2013, http://bit.ly/131aakT

[7]. Intercept Review, LI Companies Review (3) – Gamma, 05 April 2012, http://bit.ly/Hof9CL

[8]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, For Their Eyes Only: The Commercialization of Digital Spying, Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto, 01 May 2013, http://bit.ly/ZVVnrb

[9]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, “You Only Click Twice: FinFisher's Global Proliferation”, The Citizen Lab, 13 March 2013, http://bit.ly/YmeB7I

[10]. Ibid.

[11]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, For Their Eyes Only: The Commercialization of Digital Spying, Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto, 01 May 2013, http://bit.ly/ZVVnrb

[12]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, “You Only Click Twice: FinFisher's Global Proliferation”, The Citizen Lab, 13 March 2013, http://bit.ly/YmeB7I

[13]. Gamma Group, FinFisher IT Intrusion, FinSpy: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/zaknq5

[14]. Gamma Group, FinFisher IT Intrusion, FinSpy Mobile: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/19pPObx

[15]. Gamma Group, FinFisher IT Intrusion, FinFly USB: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/1cJSu4h

[16]. Gamma Group, FinFisher IT Intrusion, FinFly LAN: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/14J70Hi

[17]. Gamma Group, FinFisher IT Intrusion, FinFly Web: Remote Monitoring & Intrusion Solutions, WikiLeaks: The Spy Files, http://bit.ly/19fn9m0

[18]. Gamma Group, FinFisher IT Intrusion, FinFly ISP: Remote Monitoring & Intrusion Solutions, WikiLeaks: The Spy Files, http://bit.ly/13gMblF

[19]. Gerry Smith, “FinSpy Software Used To Surveil Activists Around The World, Reports Says”, The Huffington Post, 13 March 2013, http://huff.to/YmmhXI

[20]. Jeremy Kirk, “FinFisher Spyware seen Targeting Victims in Vietnam, Ethiopia”, Computerworld: IDG News, 14 March 2013, http://bit.ly/14J8BwW

[21]. Reporters without Borders: For Freedom of Information (2012), The Enemies of the Internet: Special Edition: Surveillance, http://bit.ly/10FoTnq

[22]. Privacy International, FinFisher Report, http://bit.ly/QlxYL0

[23]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, “You Only Click Twice: FinFisher's Global Proliferation”, The Citizen Lab, 13 March 2013, http://bit.ly/YmeB7I

[24]. Gamma Group, FinFisher IT Intrusion, FinSpy: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/zaknq5

[25]. Adi Robertson, “Paranoia Thrives at the ISS World Cybersurveillance Trade Show”, The Verge, 28 December 2011, http://bit.ly/tZvFhw

[26]. Gerry Smith, “FinSpy Software Used To Surveil Activists Around The World, Reports Says”, The Huffington Post, 13 March 2013, http://huff.to/YmmhXI

[27]. BBC News, “India arrests over Facebook post criticising Mumbai shutdown”, 19 November 2012, http://bbc.in/WoSXkA

[28]. Indian Ministry of Law, Justice and Company Affairs, The Information Technology (Amendment) Act, 2008, http://bit.ly/19pOO7t

[29]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, For Their Eyes Only: The Commercialization of Digital Spying, Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto, 01 May 2013, http://bit.ly/ZVVnrb

[30]. Phil Muncaster, “India introduces Central Monitoring System”, The Register, 08 May 2013, http://bit.ly/ZOvxpP

[31]. Glenn Greenwald & Ewen MacAskill, “NSA PRISM program taps in to user data of Apple, Google and others”, The Guardian, 07 June 2013, http://bit.ly/1baaUGj

[32]. BBC News, “Google, Facebook and Microsoft seek data request transparency”, 12 June 2013, http://bbc.in/14UZCCm

[33]. National Information Standards Organization (2004), Understanding Metadata, NISO Press, http://bit.ly/LCSbZ

[34]. Ibid.

[35]. The Hindu, “In the dark about 'India's PRISM'”, 16 June 2013, http://bit.ly/1bJCXg3 ; Glenn Greenwald, “NSA collecting phone records of millions of Verizon customers daily”, The Guardian, 06 June 2013, http://bit.ly/16L89yo

[36]. Robert Anderson, “Wondering What Harmless 'Metadata' Can Actually Reveal? Using Own Data, German Politician Shows Us”, The CSIA Foundation, 01 July 2013, http://bit.ly/1cIhu7G

[37]. Microsoft: Corporate Citizenship, 2012 Law Enforcement Requests Report,http://bit.ly/Xs2y6D

[38]. Google, Transparency Report, http://bit.ly/14J7hKp

[39]. Guardian US Interactive Team, A Guardian Guide to your Metadata, The Guardian, 12 June 2013, http://bit.ly/ZJLkpy

[40]. Matt Blaze, “Phew, NSA is Just Collecting Metadata. (You Should Still Worry)”, Wired, 19 June 2013, http://bit.ly/1bVyTJF

[41]. Ibid.

[42]. Gamma Group, FinFisher IT Intrusion, FinFly LAN: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/14J70Hi

[43]. Gamma Group, FinFisher IT Intrusion, FinFly Web: Remote Monitoring & Intrusion Solutions, WikiLeaks: The Spy Files, http://bit.ly/19fn9m0

[44]. Gamma Group, FinFisher IT Intrusion, FinFly ISP: Remote Monitoring & Intrusion Solutions, WikiLeaks: The Spy Files, http://bit.ly/13gMblF

[45]. Robert Anderson, “Wondering What Harmless 'Metadata' Can Actually Reveal? Using Own Data, German Politician Shows Us”, The CSIA Foundation, 01 July 2013, http://bit.ly/1cIhu7G

[46]. Shalini Singh, “India's surveillance project may be as lethal as PRISM”, The Hindu, 21 June 2013, http://bit.ly/15oa05N

[47]. Cyberspace Law and Policy Centre, Privacy, http://bit.ly/14J5u7W

[48]. Bruce Schneier, “Privacy and Power”, Schneier on Security, 11 March 2008, http://bit.ly/i2I6Ez

[49]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, For Their Eyes Only: The Commercialization of Digital Spying, Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto, 01 May 2013, http://bit.ly/ZVVnrb

[50]. Elonnai Hickok, “Draft International Principles on Communications Surveillance and Human Rights”, The Centre for Internet and Society, 16 January 2013, http://bit.ly/XCsk9b

For more details visit https://cis-india.org/internet-governance/blog/fin-fisher-in-india-and-myth-of-harmless-metadata

Finding Needles in Haystacks - Discussing the Role of Automated Filtering in the New Indian Intermediary Liability Rules

Shweta Mohandas and Torsha Sarkar — 2021-08-03T07:28:53Z

On the 25th of February this year The Government of India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The new Rules broaden the scope of which entities can be considered as intermediaries to now include curated-content platforms (Netflix) as well as digital news publications. This blogpost analyzes the rule on automated filtering, in the context of the growing use of automated content moderation.

This article first appeared on the KU Leuven's Centre for IT and IP (CITIP) blog. Cross-posted with permission.

----

Mathew Sag in his 2018 paper on internet safe harbours discussed how the internet resulted in a shift from the traditional gatekeepers of knowledge (publishing houses) that used to decide what knowledge could be showcased, to a system where everybody who has access to the internet can showcase their work. A “content creator” today ranges from legacy media companies to any person who has access to a smartphone and an internet connection. In a similar trajectory, with the increase in websites and mobile apps and the functions that they serve, the scope of what is an internet intermediary has widened all over the world.

Who is an Intermediary?

In India the definition of “intermediary” is found under Section 2(w) of the Information Technology (IT) Act 2000, which defines an Intermediary as “with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecoms service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-marketplaces and cyber cafes”. The all-encompassing nature of the definition has allowed the dynamic nature of intermediaries to be included under the definition of the Act, and the Guidelines that have been published periodically (2011, 2018 and 2021). With more websites and social media companies, and even more content creators online today, there is a need to look at ways in which intermediaries can remove illegal content or content that goes against their community guidelines.

Along with the definition of an intermediary, the IT Act, under Section 79, provides exemptions which grant safe harbours to internet intermediaries, from liability from third-party content, and further empowers the central government to make Rules that act as guidelines for the intermediaries to follow. The Intermediary Liability Rules hence seek to regulate content and lay down safe harbour provisions for intermediaries and internet service providers. To keep up with the changing nature of the internet and internet intermediaries, India relies on the Intermediary Liability Rules to regulate and provide a conducive environment for intermediaries. In view of this provision India has as of now published three versions of the Intermediary Liability (IL) Rules. The first Rules came out in 2011, followed by the introduction of draft amendments to the law in 2018 and finally the latest 2021 version, which would supersede the earlier Rules of 2011.

The Growing Use of Automated Content Moderation

With each version of the Rules there seemed to be changes that ensured that they were abreast with the changing face of the internet and the changing nature of both content and content creator. Hence the 2018 version of the Rules showcase a push towards automated content filtering. The text of Rule 3(9) reads as follows: “The Intermediary shall deploy technology based automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content”.

Under Rule 3(9), intermediaries were required to deploy automated tools or appropriate mechanisms to proactively identify, remove or disable public access to unlawful content. However, neither the 2018 IL Rules, nor the parent Act (the IT Act) specified which content can be deemed unlawful. The 2018 Rules also failed to establish the specific responsibilities of the intermediaries, instead relying on vague terms like “appropriate mechanisms” and with “appropriate controls”. Hence it can be seen that though the Rules mandated the use of automated tools, neither them nor the IT Act provided clear guidelines on what could be removed.

The lack of clear guidelines and list of content that can be removed had left the decision up to the intermediaries to decide which content, if not actively removed, could cost them their immunity. It has been previously documented that the lack of clear guidelines in the 2011 version of the Rules, led to intermediaries over complying with take down notices, often taking down content that did not warrant it. The existing tendency to over-comply, combined with automated filtering could have resulted in a number of unwarranted take downs.

While the 2018 Rules mandated the deployment of automated tools, the year 2020, (possibly due to the pandemic induced work from home safety protocols and global lockdowns) saw major social media companies announcing the move towards a fully automated system of content moderation. Though the use of automated content removal seems like the right step considering the trauma that human moderators had to go through, the algorithms that are being used now to remove content are relying on the parameters, practices and data from earlier removals made by the human moderators. More recently, in India with the emergence of the second wave of the COVID19 wave, the Ministry of Electronics and Information Technology has asked social media platforms to remove “unrelated, old and out of the context images or visuals, communally sensitive posts and misinformation about COVID19 protocols”.

The New IL Rules - A ray of hope?

The 2021 version of the IL Rules provides a more nuanced approach to the use of automated content filtering compared to the earlier version. Rule 4(4) now requires only “significant social media intermediaries” to use automated tools to identity and take down content pertaining to “child sexual abuse material”, or “depicting rape”, or any information which is identical to a content that has already been removed through a take-down notice. The Rules define a social media intermediary as “intermediary which primarily or solely enables interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services” .The Rules also go a step further to create another type of intermediary, the significant social media intermediary. A significant social media intermediary is defined as one “having a number of registered users in India above such threshold as notified by the Central Government''. Hence what can be considered as a social media intermediary that qualifies as a significant one could change at any time.

Along with adding a new threshold (qualifying as a significant social media intermediary) the Rules, in contrast to the 2018 version, also emphasises the need of such removal to be proportionate to the interests of freedom of speech and expression and privacy of users. The Rules also call for “appropriate human oversight” as well as a periodic review of the tools used for content moderation. The Rules by using the term “shall endeavor” aids in reducing the pressure on the intermediary to set up these mechanisms. This also means that the requirement is now on a best effort basis, as opposed to the word “shall” in the 2018 version of the Rules, which made it mandatory.

Although the Rules now narrow down the instances where automated content removal can take place, the concerns around over compliance and censorship still loom. One of the reasons for concern is that the Rules still fail to require the intermediaries to set up a mechanism for redress or for appeals to such removal. Additionally, the provision that states that automated systems could remove content that have been previously taken down, creates a cause for worry as the propensity of the intermediaries to over comply and take down content has already been documented. This then brings us back to the previous issue where the social media company’s automated systems were removing legitimate news sources. Though the 2021 Rules tries to clarify certain provisions related to automated filtering, like the addition of the safeguards, the Rules also suffer from vague provisions that could cause issues related to compliance. The use of terms such as “proportionate”, “having regard to free speech” etc. fail to lay down definitive directions for the intermediaries (in this case SSMI) to comply with. Additionally, as earlier stated, being qualified as a SSMI can change at any time, either based on the change in the number of users, or the change in the threshold of users, mandated by the government. The absence of human intervention during removal, vague guidelines and fear of losing out on safe harbour provisions, add to the already increasing trend of censorship in social media. With the use of automated means and the fast, and almost immediate removal of content would mean that certain content creators might not even be able to post their content online. With the use of proactive filtering through automated means the content can be removed almost immediately. With India’s current trend of new internet users, some of these creators would also be first time users of the internet.

Conclusion

The need for automated removal of content is understandable, based not only on the sheer volume of content but also the nightmare stories of the toll it takes on human content moderators, who otherwise have to go through hours of disturbing content. Though the Indian Intermediary Liability Guidelines have improved from the earlier versions in terms of moving away from mandating proactive filtering, there still needs to be consideration of how these technologies are used, and the laws should understand the shift in the definition of who a content creator is. There needs to be ways of recourse to unfair removal of content and a means to get an explanation of why the content was removed, via notices to the user. In the case of India, the notices should be in Indian languages as well, so that the people are able to understand them.

In the absence of further clear guidelines, the perils of over-censorship by the intermediaries in order to stay out of trouble could lead to further stifling of not just freedom of speech but also access to information. In addition, the fear of content being taken down or even potential prosecution could mean that people resort to self-censorship, preventing them from exercising their fundamental rights to freedom of speech and expression, as guaranteed by the Indian Constitution. We hope that the next version of the Rules take a more nuanced approach to automated content removal and ensure adequate and specific safeguards to ensure a conducive environment for both intermediaries and content creators.

For more details visit https://cis-india.org/internet-governance/blog/finding-needles-in-haystacks-discussing-the-role-of-automated-filtering-in-the-new-indian-intermediary-liability-rules

Find ways to trace origin of messages: Government to WhatsApp

Admin — 2018-09-24T02:53:23Z

Unhappy with the steps taken so far by WhatsApp, the government plans to trace the origins of incendiary messages spread on its platform.

The article by Surabhi Agarwal was published in Economic Times on September 20, 2018. Sunil Abraham was quoted.

The Ministry of Electronics and IT (MeitY) is drafting a letter — its third since July to the Facebook-owned platform — asking it to design a technology-led solution to the issue that in the past has led to mob lynching or riots in the country. Since India first raising its concerns, WhatsApp has announced measures such as limiting forwards to five groups at a time from the earlier 250, identifying forwarded messages, and a publicity campaign against fake news.

The government says these measures may not be enough. “It’s a reasonable demand from us, and very much doable. The third letter will reiterate that WhatsApp is not meeting all our concerns,” said a top government official, who did not want to be identified.

If WhatsApp feels the solution given by the government for traceability goes against its end-to-end encryption policy, then the company should be able to find a solution on its own which is technically feasible without compromising on its offering, the official said. “We are not asking them to look into the contents of the message, but if some message has been forwarded, say, 100 times and has caused some law and order problem, then they should be able to identify where it originated from,” he said, adding that WhatsApp cannot absolve itself from responsibility in the name of user privacy. “We are not being unfair since we can’t allow anonymous publishing.”

WhatsApp could not be immediately reached for comment.

Some analysts say the government’s demand from WhatsApp is reasonable and the company could provide traceability using metadata without compromising on encryption.

“For basic level of traceability, storing the metadata is enough,” said Sunil Abraham, executive director of Center of Internet and Society.

“For the kind of traceability that the Indian government is asking for, WhatsApp may have to break its end-toend encryption. But other kind of traceablity, such as who is messaging whom, how many times, who are the propagators of messages, and who are receivers, can all be seen through storing just metadata.”

Just like every organisation used to store copies of end-of-end encrypted emails on their own servers, similarly WhatsApp can either store copies of encrypted messages or the metadata, he said. Last month, at a meeting between Union minister for electronics and IT Ravi Shankar Prasad and WhatsApp CEO Chris Daniels, the government asked the company to appoint a grievance officer in India, set up an Indian entity, and ensure traceability of messages.
While the company agreed to register a corporate entity and build a team here, a stalemate over the issue of traceability continues.

“(WhatsApp) needs to find solutions to deal with sinister developments like mob lynching and revenge porn and has to follow Indian law,” Prasad said in August. “It does not take rocket science to locate a message being circulated in hundreds and thousands...

(WhatsApp) must have a mechanism to find a solution.”

WhatsApp has maintained that people rely on the platform for all kinds of sensitive conversations, including with their doctors, banks and families. “Building traceability would undermine end-to-end encryption and the private nature of WhatsApp, creating the potential for serious misuse. WhatsApp will not weaken the privacy protections we provide,” the company’s spokesperson said in August after the demand from the Indian government on traceability.

The official quoted earlier reiterated that the government is notasking the company to break its end-to-end encryption, adding that if the company could find ways to tag non-original content with ‘forward’ labels and flag some links as spurious, it could also find a way around this problem.

For more details visit https://cis-india.org/internet-governance/news/economic-times-surabhi-agarwal-september-20-2018-find-ways-to-trace-origin-of-messages-govt-to-whatsapp

Financial Inclusion and the UID

elonnai hickok — 2011-08-23T10:36:31Z

Since 2009, when Nandan Nilekani began to envision and implement the Unique Identification Project, the UID authority has promoted the UID/Aadhaar scheme as a tool of development for India - arguing that an identity will assist in bringing benefits to the poor, promote financial inclusion in India, and allow for economic and social development. In this blog entry I will focus on the challenges and possibilities of the UID number providing the residents of India a viable method of access to financial services across the country.

Why the UID could bring financial inclusion

In their strategy document “Exclusion to Inclusion with Micro payments” the UIDAI argues that a few of many challenges to successful financial inclusion in India for the poor have been: lack of identity, lack of accessibility of financial outlets, unreliability of infrastructure, high costs of banking, and the common presence of a middle man. For Indian banks the UID sites challenges such as: the high cost of transactions for banks servicing clients in rural areas, lack of infrastructure, costly processes of cash management, and high costs of IT.(UIDAI, 2010)The UID's solution to these obstacles is a system of financial services and micro payments based off of an individuals UID number, in which an individual with a UID number would be able to: open a bank account, make a payment, withdraw money, deposit money, and send remittances. The hope is that this system will allow banks to scale up their branch less banking, and reach out to larger populations. Residents having a bank account linked to their UID number is also key to the UID's larger scheme for subsidy delivery to the poor. Until all consumers who rely on government subsidies have a bank account linked to their UID number, the UID will not be able to implement a system of direct transfer of cash subsidies.(CNBC-TV18, 2011) For example, the UIDAI has started conducting a pilot disbursement of funds under the Mahatma Gandhi National Rural Employment Guarantee Scheme (MNREGS) to Jharkhand through Union Bank, ICICI Bank and Bank of India branches.(IBN-Live, 2011)

How the UID will bring financial inclusion

In their vision, the UIDAI has designed a system that involves bank branches enrolling individuals, bank branches establishing relationships with BC organizations, the use of Micro ATM's, and the use of the UID numbers for authentication in all financial transactions. In short the system of financial inclusion would work as follows:

Step 1. Enroll and obtain UID number

An individual enrolls for a UID number. During enrollment an individual shares his/her KYC information with the UIDAI. The UIDAI verifies the individuals KYC information, along with their other information, and issues the individual a UID number. If an individual already has a bank account at the time of enrollment they have the option to link their UID number to their bank account [1]

In India every bank must verify and confirm an individuals KYC information. This is to help reduce tax evasion and fraud. In December 2011, India's Ministry of Finance recognized the Aadhaar number has an officially valid identification to satisfy the KYC norms for opening bank accounts. By verifying an individuals KYC information at the enrollment stage the UIDAI is hoping reduce the amount of paperwork and time needed for an individual to open a bank account. In addition to satisfying KYC norms, the Government of India has also recognized the Aadhaar number as an acceptable form of identity for the purpose of obtaining a mobile connection. By having the UID number accepted for establishing both mobile connections and bank accounts, financial inclusion through mobile banking is encouraged as it allows for individuals who previously had no identity, to join the financial system and mobile network – thus allowing bank accounts to be more accessible than before, and aiding banks by simplifying the process of account opening.(Akhand Tiawari, Anurodh Giri, 2011)

Step 2. Open UID Enabled Bank Account
Now that the individual has a UID number they can open a bank account by presenting their UID number and thumb print to the bank branch for authentication. Currently the one bank enrolling citizens and issuing UID numbers and UID based ATM cards is the Bank of India.(Aggarwal, 2011) Bank of Maharashtra, State Bank of India and Indian Overseas Bank are currently waiting for approval from the UIDAI.(Chavan, 2011) In this scenario the UID number will be the only form of identification needed to open a bank account.

3.Make financial transactions with UID number
Once a UID Enabled Bank Account (UEBA) is opened, individuals can begin making financial transactions using their UID number and fingerprint. Individuals can access their UEBA through BC institutions. With a UEBA individuals have the option of using four basic banking services:

Store cash for savings through electronic deposits and withdraw only small amounts of cash
Make payments
Send and receive remittances
Acquire balance and transaction history

Transactions completed through the UID-enabled bank account work similarly to a prepaid mobile system. BC organizations, or Bank Correspondents, are organizations such as SHGs, kirana stores, dairy agents that larger banks develop a business relationship with. The BC organizations handle all transactions at the local level. Using BC organizations as financial outlets is meant to increase the penetration of financial outlets and make financial services more accessible in rural areas. How the process works is: a BC institution begins by depositing a certain amount of money with a larger banking institution. This ‘ prepaid balance’ paid by the BC institution changes with every transaction the BC institution makes. For example, when an individual makes a deposit it decreases as that money is then transferred into an individuals account, and increases when an individual withdraws money, because of the transaction fee that is charged to the individual. When the individual is making a deposit, he pays physical cash to the BC, who in turn makes an electronic transfer from the BC account to the individual's account. When making a withdrawal, the electronic transfer is made from the individual's account to the BC account, and the BC hands out physical cash to the customer, (UIDAI, 2010).

The micro ATM that is to be used at BC institutions is a hand held device, in this case a mobile phone, attached to a finger print reader. The micro ATM is meant to replace larger ATM’s and reduce the cost that banks incur when establishing full fledged ATM machines. The hand held device will be remotely accessed to the central server of the bank. Currently Italian tech company Telit Communication SpA, is hoping to provide the GSM wireless M2M modules that will allow the wireless device and the wired server to communicate with each other. (Kanth, 2011) The most significant difference between the micro ATM system and the traditional ATM system is that the BC employee executes the transaction.

Though having BC employees carry out financial transactions might eliminate the possibility of a fraudulent ATM being set up, it opens many possibly corrupt doors. How will it be ensured that the transaction is completed without fraud, and how can it be ensured that the Micro-ATM is not fraudulent, or that the BC organization itself is not fraudulent. Though this scenario might sound unlikely, the UID has already experienced difficulties with fake enrollment centers being set up, such as in Pune. (Gadkari, 2011), fake UID papers being issued, as was done in Patna(Tripathi, 2011) and enrollment centers illegally outsourcing work, as the IT company Tera Software was found doing (Prajakta, 2011). If these scenarios have all been tried, it is not unreasonable to see the same being tried with financial institutions.

Challenges to a system of authentication for financial transactions with the biometric based UID number

Not withstanding the fact that financial inclusion cannot be achieved only through an identity, focusing on the identity component of financial inclusion - in the report Low Cost Secure Transaction Model for Financial Services, published by Nitin Munjal, Ashish Paliwal, and Rajat Moona, from the Indian Institute of Technology, the authors note that present challenges in India to financial inclusion through access to financial institutions include(Munjal, Nitin Paliwal, Ashish Moona, 2011):

Currently financial transactions require network connectivity to take place. For financial transactions made in rural areas this has lead to both high costs for each transaction and to high fixed IT costs.
Current financial schemes such as mobile banking depend on network connectivity, making the network indispensable, yet 70% of the Indian population is rurally located with limited or no network connectivity.
Current financial service outlets are densely located in urban areas and not rural areas. Rural populations are financially excluded, as in most cases the completion of financial transaction require the presence of financial outlets.
Currently there are no easy safeguards to protect against fake ATMS or fraud, because the current Financial Service Model is based on blind trust of the service outlet – this allows for high rates of fake ATM’s being installed and fraud.
For an individual to access financial services, an identity is required. In most cases the poor lack an identity.

Clearly there are many obstacles that the UID identity card must overcome to successfully authenticate individuals in financial transactions and facilitate financial inclusion. For the system to be successful the UID must at the minimum do the following:

Accurately generate unique numbers
Capture accurate personal information
Ensure security of the database
Ensure that the technology is secure and accurate
Ensure that only necessary information is collected
Verify BC centers
Provide a secure network that can handle large numbers of transactions

Possible ways in which the system can go wrong include:

Inaccurate authentication
Delays in authentication
Fraud at the level of the BC institution
Over collection of personal information by banks
Linking of databases by banks, or other agencies
Network failure
Down time of the database

Though UID enabled bank accounts have yet to be officially established the UID is already experiencing many of the listed difficulties. For instance, in an Indian Express article published on June 15th, it was reported that banks are issuing additional UID forms that ask if individuals have credit cards, operate mobile or internet banking accounts, own a two wheeler or four wheeler, or live in a rented or personally owned accommodation. (Indian Express, 2011) Even more alarming is a recent news item from the Deccan Herald, which details the efforts that have been taken by NATGRID to access banking clients personal information, and NATGRID's proposal to tie banking information to a linked database containing information from bank accounts, railways, airlines, stock exchanges, income tax, credit card, immigration records, and telecom service providers. (Arun, 2011)The banks
have refused to give NATGRID access to clients personal information, but the ease at which NATGRID could track and collect information about individuals with the UID is chilling – especially if the UID is linked to almost every bank account in India. Several news reports have also shared experiences of confusion, inconsistent requirements, and unorganized enrollment centers, which place doubt in the accuracy of the information collected and the accuracy of the UID numbers issued.(Tripathi, 2011).

Looking at the technology and operational design of the UEBA system, though the scheme relies on mobile networks, it fails to eliminate the need for connectivity to the central server, because authentication of individuals biometric must be done through comparison of one fingerprint to the central server of all fingerprints. This will not only complicate the effectiveness of delivery of services, as it is possible for connectivity to be limited and slow, but it will also incur large network overhead costs for each transaction that is verified. Furthermore, even though the use of BC institutions as financial service outlets is meant to increases the availability of financial outlets, a dependency is created on BC institutions – as they must be present for any financial transaction to take place.
Additionally, individuals have no way of authenticating and verifying BC institutions. As mentioned earlier this allows for possible scenarios of fraud. Additionally, the UID has not provided any alternative method of identification in the case that the network or technology fails, or if an individuals biometrics are incorrectly rejected.

Could the SCOSTA standard be an option?

Many developing countries, like Kenya and Brazil, that face similar challenges to financial inclusion have looked towards smart cards as secure methods for authenticating individuals. In 2003 India also implemented a smart card approach to identity management. The SCOSTA standard smart card was introduced with the MNIC national identification scheme. Though the scheme was eventually dropped by the Indian Government, the SCOSTA smart card standard is still a valid option for authentication of individuals in financial transactions. A SCOSTA standard based approach for financial inclusion would include:

Authentication of an individuals key, pass-phrase, and pin. This is known as public keyinfrastructure. This will allow a person to protect their password and easily replace it if stolen.
Authentication through public key infrastructure would not depend on connectivity to thenetwork. This would allow for financial inclusion of populations not connected to networks and not be fully dependent on working networks.
Authentication through public key infrastructure establishes mutual trust of user and institution. This would lower the presence of fraudulent institutions and corrupt transactions.
Connection to a central server is not required for the authentication of an individual in a financial transaction. This will lower the cost of transactions and lower IT overhead costs (ibid Munjal, Nitin Paliwal, Ashish Moona, 2011)

Conclusion

Though it is hard to say that a fool proof system of authentication can easily be made, and that system will indeed promote financial inclusion, when comparing the biometric UID number with the SCOSTA standard smart card, there are many benefits to the SCOSTA standard such as ability of individuals to verify banking institutions, no need for connectivity to the central server, and the ability to easily replace lost or stolen pins and passwords. No matter what standard is implemented though, it is important to clearly look at the current implementation, technological, and operational challenges that identification schemes face and the possible ramifications of such challenges before adapting it as a ubiquitous system.

For more details visit https://cis-india.org/internet-governance/privacy_uidfinancialinclusion

Financial Express hosts #NetNeutralityDebate: ‘Price discrimination can be allowed, but not for the same packet of data’

pranesh — 2015-04-27T02:18:18Z

Trying to cut through the noise on Net Neutrality in India, FICCI in partnership with Financial Express is hosting a panel discussion titled ‘Decoding Net Neutrality’ in New Delhi on Wednesday.

This was published in the Financial Express on April 24, 2015. Pranesh Prakash participated in the discussion.

Moderated by Sunil Jain, the guests on the Net Neutrality debate panel are Rajya Sabha MP Rajeev Chandrasekhar, Lok Sabha MP Baijayant Jay Panda along with ICRIER chief executive Dr Rajat Kathuria, IAMAI president Dr Subho Ray, Facebook’s head of public policy for South and Central Asia Ankhi Das, COAI director general Rajan S Mathew, Com First director Dr Mahesh Uppal and Policy Director of the Centre for Internet and Society Pranesh Prakash.

Highlights of the debate:

Starting off the discussion, Rajeev Chandrasekhar said that this issue is all about market abuse and market power and not as utopian as it sounds. He said that this debate is nothing new as regulators identified the problem long ago. Chandarasekhar added, “TRAI had recognized in 2006 that there is an opportunity to abuse by access providers.”

Joining the conversation, COAI director general Rajan S Mathew said, “We have put the cart before the horse. What needs to be addressed first is online governance.”

Looking forward, ICRIER chief executive Rajat Kathuria said that we need to figure out the best way to use this privately funded public good. He added, “We still haven’t so far.”

Video

Com First director Dr Mahesh Uppal tries to find a common ground and said, “Everyone is against ‘arbitrary commercial’ prioritisation or throttling.”

Subho Ray agreed and said, “There should be no blocking, throttling and preferential treatment.”

Facebook India’s Ankhi Das said that Internet.org is not for people who are already on the Internet. She explained, “Our objective is that it should be free and non-exclusive.”

Watch video: It’s free, no one has to pay to join the app, says Ankhi Das, Facebook India, on internet.org

Pranesh Prakash, Policy Director of the Centre for Internet and Society intervened to add, “An universally affordable model is important. We must ensure that the diversity that Internet provides is not lost.”

Taking the conversation further, Rajeev Chandrasekhar said, “I don’t believe data packets can be discriminated except in terms of speed and bandwidth.

Rajan Mathews interjected, “We do not discriminate, we differentiate. And all businesses differentiate.”

On this point, Rajat Kathuria said, “Price discrimination is something that should be allowed within boundaries of regulation.”

The Indian Express New Media Editor Nandagopal Rajan said that, “#NetNeutralityDebate panel agrees that price discrimination can be allowed, but not for the same packet of data.”

Jay Panda, Lok Sabha MP now also joins the discussion and says, “I have come out in favour of net neutrality despite the fact that my family will be benefiting from the lack of it. Whether fragmentation is desirable on the Internet or not, it needs to be debated. I am not in favour of fragmented access to the Internet.”

Watch video: There should be no prioritisation of one brand over another, says Baijayant Jay Panda on Net Neutrality

Underlining his views, Jay Panda reiterated, “Spectrum may be limited but access won’t be in the future. I am against prioritizing packets over others.”

Pranesh Prakash gave an overarching view and said, “Everyone benefits from Internet. What we need to figure out is whether everyone is getting paid enough.”

Jay Panda said, “It is possible for access providers to make money.”

Rajan Mathews said, “I think it is not fair to say that telcos can influence the govt.”

On this Jay Panda quipped, “The govt has to chip in its share to make the Internet accessible to all.”

Jay Panda says govts have been behind the curve in #NetNeutralityDebate and telcos have benefitted from it.

For more details visit https://cis-india.org/internet-governance/news/financial-express-april-24-2015-net-neutrality-debate

Financial Express hosts #NetNeutralityDebate: ‘Price discrimination can be allowed, but not for the same packet of data’

praskrishna — 2015-05-09T10:05:10Z

Trying to cut through the noise on Net Neutrality in India, FICCI in partnership with Financial Express is hosting a panel discussion titled “Decoding Net Neutrality” in New Delhi on Wednesday.

The article was published in Financial Express on April 24, 2015. Pranesh Prakash participated in the discussion.

Trying to cut through the noise on Net Neutrality in India, FICCI in partnership with Financial Express is hosting a panel discussion titled ‘Decoding Net Neutrality’ in New Delhi on Wednesday.