We are anonymous, we are legion

An Interview with Suresh Ramasubramanian

elonnai — 2013-09-06T09:37:47Z

Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud.

You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?
a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, have become a M3AAWG special advisor for capacity building and outreach in India.

In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.

This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.

There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.
In a recent public statement Google said "Cloud users have no legitimate expectation of privacy. Do you agree with this statement?
a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.

The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.

It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.

Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.

There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.
What ways can be privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?
a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.

Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.

Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.

The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.
How is the jurisdiction of the data on the cloud determined?
This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.

However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.

The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.

In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.

In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.
Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?
a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].

A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.
What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?
a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.

Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html). Some standards you absolutely have to comply with for legal reasons.

Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.

The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and securitymomentum going once these standards have been “achieved”, till it is time for the next audit at any rate.
What do you see as the big challenges for privacy in the cloud in the coming years?
a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.
Do you think encryption the answer to the private and public institutions snooping?
a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.

There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.

As a very popular XKCD cartoon that has been shared around social media and has been cited in multiple security papers says -

“A crypto nerd’s imagination”

“His laptop’s encrypted. Let us build a million dollar cluster to crack it”
“No good! It is 4096 bit RSA”
“Blast, our evil plan is foiled”

“What would actually happen”
“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”
“Got it”
Spam is now consistently used to get people to divulge their personal data or otherwise compromise a persons financial information and perpetuate illegal activity. Can spam be regulated? If so, how?
a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.

The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.

Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.

Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.

Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.
There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?
a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.

Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.

Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.

This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.

User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian

Indien: Regierung will Nutzung von US-Mailprovidern in Verwaltungen verbieten

praskrishna — 2013-09-05T10:59:51Z

Die indische Regierung wird in Kürze all ihre Mitarbeiter auffordern, keine US-amerikanischen Mailprovider, allen voran Gmail, für ihre offizielle Kommunikation zu nutzen.

This was published in Netzpolitik (German Newspaper) on September 3, 2013. Sunil Abraham is quoted.

Ziel der Regierung ist es, die Sicherheit von vertraulichen Information der Regierung zu erhöhen. Die indische Regierung sieht sich zu diesem Schritt gezwungen, nachdem die flächendeckende Überwachung des Internets durch die USA bekannt wurde, an dem auch amerikanische Unternehmen gezwungenermaßen beteiligt sind.

Wie The Times of India berichtet, gab ein leitender Beamter der indischen Regierung an, dass die Regierung plane rund 500.000 Angestellte darüber zu informieren, dass die Nutzung amerikanischer Mailprovider zur offiziellen Kommunikation nicht mehr gestattet sei. Stattdessen sollen die Angestellten zum offiziellen Mailservice des indischen National Informatics Center wechseln.

“Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data,” said J Satyanarayana, secretary in the department of electronics and information technology.

Dass Angestellte der indischen Regierung und selbst Minister in Indien die Dienste von Gmail in Anspruch nehmen, statt auf Lösungen der eigenen Regierung zu setzen scheint nach Aussagen der Times of India keine Seltenheit zu sein.

Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email.

Ein Grund hierfür scheint die einfache und unbürokratische Anmeldung bei solchen Diensten zu sein. Wer eine offizielle Adresse der indischen Regierung haben wolle, müsse diese erst beantragen und in einem langwierigen Prozess seine tatsächliche Identität beweisen. Bei Gmail und anderen Mailprovidern hingegen sei eine Anmeldung oftmals mit wenigen Klicks durchführbar, wie ein leitender Angestellter im IT-Ministerium sagte.

Eine Pressesprecherin von Google Indien gab an, dass der Konzern bisher nicht von dem Verbot erfahren habe und es sich daher um reine Spekulation handele, auf die der Konzern nicht weiter eingehen wolle.

Erst in der letzten Woche gab der indische IT-Minister Kapil Sibal neue Richtlinien für im Ausland lebende Mitarbeiter der indischen Regierung bekannt. The Times of India berichtete:

[...] the new policy will make it mandatory for all government officials stationed in Indian missions abroad to use only static IP addresses, virtual private networks and one-time passwords for accessing Indian government email services.

Sibal ergänzte, dass alle Mails automatisch verschlüsselt würden und nur über indische Server des National Informatics Centers abgewickelt würden.

“All Indian missions will use NIC servers which are directly linked to a server in India and that will keep government information safe”

Sunil Abraham, Direktor des indischen Centre for Internet & Soceity in Bangalore nannte den Entschluss der Regierung “eine späte Reaktion”, begrüßte den Schritt aber dennoch:

“Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance.”

For more details visit https://cis-india.org/news/netzpolitik-indien-regierung-will-nutzung-von-us-mailprovidern-in-verwaltungen-verbieten

Syllabus: “Policy and regulation conducive to rapid ICT sector growth in Myanmar: An introductory course”

praskrishna — 2013-10-24T03:56:31Z

A five-day course is being offered by LIRNEasia in collaboration with Myanmar ICT Development Organization, with support from the Open Society Foundation and the International Development Research Centre of Canada in Myanmar from September 28 to October 5, 2013.

Sunil Abraham will be supporting Prof. Samarajiva on the last optional day of this course in Yangon. Read about the Introductory course on “Policy and regulation conducive to rapid ICT sector growth in Myanmar”

Goal

To enable members of Myanmar civil-society groups (including academics and those from the media) to marshal available research and evidence for effective participation in policy and regulatory processes, thereby improving policy processes and helping achieve the government’s objective of providing ICT access to all.

Outcomes

The objective of the course is to produce discerning and knowledgeable consumers of research who are able to engage in an informed manner in ICT policy and regulatory processes in Myanmar. The course will benefit those working in government and operators as well.

At the end of the course attendees will:

Have an understanding of telecom policy and regulatory processes
Be able to find and assess relevant research & evidence
Be able to summarize the research in a coherent and comprehensive manner
Have the necessary tools to improve their communication skills

- Have some understanding of how media functions and how to effectively interact with media

Assignments

Participants will be formed into teams on Day1. Each group will work on an assignment that addresses both substantive and procedural aspects of law, policy and regulation. Teams will be assigned topic areas that are being developed into regulations under the new Act. They will have to make presentations on what the desirable provisions should be. We will emphasize the procedural aspects as well as the substantive. Disciplined and focused team presentations, preferably using slides, are required.

It is necessary to use the Internet for the assignments. All who have laptops are encouraged to bring them. Arrangements will be made for Internet connectivity at the hotel.

Tentative topic areas

Licensing and authorization regulations
Essential facilities and anti-competitive practices
Universal service policy
Price and quality regulation
Independence of regulatory agency

Course schedule

	Day 1 (September 28)	Day 2 (September 29)	Day 3 (September 30)	Day4 (October 1)	Day 5 (October 2) (optional)
09:00-10:30	S1 Introduction to course: What have been the results of reform & rationale for regulation. Rohan Samarajiva (RS)	S5 Regulatory legitimacy, including procedural legitimacy (RS)	S10 Challenges of monitoring complex license commitments (HG)	S14 How does the Internet work? (TBA)	S16 Internet governance The big picture. Sunil Abraham (SA)
10:30-11:00	Break	Break	Break	Break
11:00-12:00	S2 Interrogating supply-side indicators & research based on them. Helani Galpaya (HG)	S6 Current status of telecom law and policy in Myanmar (RS)	S11 How evidence is used in policy & regulation (panel discussion, KS, RS	S15 The art of media interaction (RS)	S17 Economic & technical interface with telecom industry (RS)
12:00-13:00	S3 Finding information on the web. Roshanthi Lucas Gunaratne (RLG)	S7 Presenting evidence in slides & written submissions (HG)	S12 Essential facilities and anti-competitive practices (RS)	A3 Mock public hearing (RS & panel)	S18 How Internet is governed within India (SA)
13:00-14:00	Lunch	Lunch	Lunch	Lunch
14:00-15:00	A1 Group formation; Assignment explained (HG and RLG)	S8 Licensing and authorization (RS)	A2 Midpoint check on assignment/group work (HG and RLG)	A4 Mock public hearing & critique (RS & panel)	S19 Content regulation (TBA)
15:00-15:30	Break	Break	Break
15:30-17:00	S4 Demand-side research (RS)	S9 Price and quality regulation (RS & HG)	S13 Universal service subsidies: Theory & practice (RS & KS)	Reflection on the course	S20 Surveillance & privacy (SA & RS)
17:00	Group work	Group work	Group work
19:00	Welcome dinner Speaker: TBA

Faculty

Sunil Abraham is the Executive Director of CIS. He is also a social entrepreneur and Free Software advocate. He founded Mahiti in 1998 which aims to reduce the cost and complexity of Information and Communication Technology for the Voluntary Sector by using Free Software. Today, Mahiti employs more than 50 engineers and Sunil continues to serve on the board as a board member. Sunil was elected an Ashoka fellow in 1999 to 'explore the democratic potential of the Internet' and was granted a Sarai FLOSS fellowship in 2003. Between June 2004 and June 2007, he managed the International Open Source Network, a project of the UNDP's Asia-Pacific Development Information Programme serving 42 countries in the Asia-Pacific region. Between September 2007 and June 2008, he also managed ENRAP, an electronic network of International Fund for Agricultural Development projects in the Asia-Pacific facilitated and co-funded by International Development Research Centre, Canada.

Helani Galpaya is LIRNEasia’s Chief Executive Officer. Helani leads LIRNEasia’s 2012-2014 IDRC funded research on improving customer life cycle management practices in the delivery of electricity and e-government services using ICTs. She recently completed an assessment of how the poor in Bangladesh and Sri Lanka use telecenters to access government services. For UNCTAD and GTZ she authored a report on how government procurement practices can be used to promote a country’s ICT sector and for the World Bank/InfoDev Broadband Toolkit, a report on broadband strategies in Sri Lanka. She has been an invited speaker at various international forums on topics ranging from m-Government to ICT indicators to communicating research to policy makers. Prior to LIRNEasia, Helani worked at the ICT Agency of Sri Lanka, implementing the World-Bank funded e-Sri Lanka initiative. Prior to her return to Sri Lanka, she worked in the United States at Booz & Co., Marengo Research, Citibank, and Merrill Lynch. Helani holds a Masters in Technology and Policy from the Massachusetts Institute of Technology, and a Bachelor’s in Computer Science from Mount Holyoke College, USA.

Roshanthi Lucas Gunaratne is a Research Manager at LIRNEasia and is currently managing the Ford Foundation Funded project on Giving Broadband Access to the Poor in India. She is also contributing to the IDRC Customer Lifecycle Management Practices Project by conducting research on customer lifecycle management practices in telecommunication sector in Bangladesh. Before joining LIRNEasia, Roshanthi worked at the Global Fund to fight AIDS, Tuberculosis and Malaria, Geneva, Switzerland as a Strategic Information Officer. She contributed to the process of defining the Global Fund Key Performance Indicators, and also worked on improving the performance measurements of their grants. Prior to that, she worked as a telecom project manager at Dialog Telecom, and Suntel Ltd in Sri Lanka. As Suntel she managed the design and implementation of corporate customer projects. She holds a MBA from the Judge Business School, University of Cambridge, UK and a BSc. Eng (Hons) specializing in Electronics and Telecommunication from the University of Moratuwa, Sri Lanka.

Rajat Kathuria, PhD

Rohan Samarajiva, PhD, is founding Chair of LIRNEasia, an ICT policy and regulation think tank active across emerging Asian and Pacific economies. He was Team Leader at the Sri Lanka Ministry for Economic Reform, Science and Technology (2002-04) responsible for infrastructure reforms, including participation in the design of the USD 83 million e-Sri Lanka Initiative. He was Director General of Telecommunications in Sri Lanka (1998-99), a founder director of the ICT Agency of Sri Lanka (2003-05), Honorary Professor at the University of Moratuwa in Sri Lanka (2003-04), Visiting Professor of Economics of Infrastructures at the Delft University of Technology in the Netherlands (2000-03) and Associate Professor of Communication and Public Policy at the Ohio State University in the US (1987-2000). Dr. Samarajiva was also Policy Advisor to the Ministry of Post and Telecom in Bangladesh (2007-09).

Koesmarihati Sugondo

Resource Material

infodev, ICT regulation toolkit. http://www.ictregulationtoolkit.org/en/Index.html

infoDev. Broadband strategies toolkit. http://broadbandtoolkit.org/en/toolkit/contents

infoDev (2011). Tenth anniversary telecom regulation handbook. http://www.infodev.org/En/Publication.1057.html

ITU (2011). The role of ICT in advancing growth in least developed countries: Trends, challenges and opportunities. Geneva: ITU. http://www.itu.int/ITU-D/ldc/turkey/docs/The_Role_of_ICT_in_Advancing_Growth_in_LDCs_Trends_Challenges_and_Opportunities.pdf

Samarajiva, Rohan (2000). The role of competition in institutional reform of telecommunications: Lessons from Sri Lanka, Telecommunications Policy, 24(8/9): 699-717. http://www.comunica.org/samarajiva.html

Samarajiva, Rohan (2002). Why regulate?, chapter 2 of Effective regulation: Trends in Telecommunication Reform 2002. Geneva: International Telecommunication Union.

Samarajiva, Rohan (2006). Preconditions for effective deployment of wireless technologies for development in the Asia-Pacific, Information Technology and International Development, 3(2): 57-71. http://itidjournal.org/itid/article/view/224/94

Samarajiva, Rohan & Zainudeen, Ayesha (2008). ICT infrastructure in emerging Asia: Policy and regulatory roadblocks, New Delhi & Ottawa: Sage & IDRC http://www.idrc.ca/en/ev-117916-201-1-DO_TOPIC.html

For more details visit https://cis-india.org/news/policy-and-regulation-conducive-to-rapid-ict-growth-in-myanmar

Cyberspying: Government may ban Gmail for official communication

praskrishna — 2013-09-02T04:19:53Z

The government will soon ask all its employees to stop using Google's Gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyberspying by the US.

This article was published in the Times of India on August 30, 2013. Sunil Abraham is quoted.

A senior official in the ministry of communications and information technology said the government plans to send a formal notification to nearly 5 lakh employees barring them from email service providers such as Gmail that have their servers in the US, and instead asking them to stick to the official email service provided by India's National Informatics Centre.

"Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data," said J Satyanarayana, secretary in the department of electronics and information technology.

Snowden fallout

The move comes in the wake of revelations by former US National Security Agency contractor Edward Snowden that the US government had direct access to large amounts of personal data on the internet such as emails and chat messages from companies like Google, Facebook and Apple through a programme called PRISM.

Documents leaked by Snowden showed that NSA may have accessed network infrastructure in many countries, causing concerns of potential security threats and data breaches. Even as the new policy is being formulated, there has been no mention yet of how compliance will be ensured.

Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email.

A Google India spokeswoman said the company has not been informed about the ban, and hence it cannot comment on speculation. "Nothing is documented so far, so for us, it is still speculation," Google said in an email response.

A senior official in the IT department admitted on condition of anonymity that employees turn to service providers such as Gmail because of the ease of use compared with official email services, as well as the bureaucratic processes that govern creation of new accounts.

"You can just go and create an account in Gmail easily, whereas for a government account, you have to go through a process because we have to ensure that he is a genuine government user."

Last week, IT Minister Kapil Sibal said the new policy would require all government officials living abroad to use NIC servers that are directly linked to a server in India while accessing government email services. Sibal said there has been no evidence of the US accessing Internet data from India.

Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agrees with the government's decision to ban Gmail for official communication and that any official violating this needs to be punished.

"After Snowden's revelations, we can never be sure to what extent foreign governments are intercepting government emails," he said. Abraham, however, called the government's decision a "late reaction", as the use of Gmail and other free email services by bureaucrats has increased in the past.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

For more details visit https://cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication

Gmail ban looms for Indian gov't workers

praskrishna — 2013-09-19T07:19:11Z

Government workers in India will soon be banned from using Google’s Gmail service for official communication in a move said to be in response to revelations of widespread cyberspying by the US, a national paper reported.

Beatrice Thomas's blog post was published in Arabian Business.com on September 1, 2013. Sunil Abraham is quoted.

Two weeks after Dubai announced a ban on private emails by Government staff, a senior official in India’s Ministry of Communications and Information Technology said the crackdown would apply to 500,000 government employees, according to The Times of India.

They would be banned from using providers such as Gmail, which had servers based in the US, and instead asked to stick to the official email service provided by India's National Informatics Centre.

"Gmail data of Indian users resides in other countries as the servers are located outside," J Satyanarayana, secretary in the Department of Electronics and Information Technology, told the Times.

“Currently, we are looking to address this in the Government domain, where there are large amounts of critical data.”

The move comes in the wake of revelations by former US National Security Agency contractor Edward Snowden that the US government had direct access to large amounts of personal data on the internet such as emails and chat messages from companies such as Google, Facebook and Apple through a program called PRISM.

The Times said several senior government officials in India, including ministers of state for communications and IT, Milind Deora and Kruparani Killi, had their Gmail IDs listed in government portals as their official email.

However, IT Minister Kapil Sibal said last week there had been no evidence of the US accessing internet data from India.

The newspaper quoted a senior official in the IT Department saying Gmail was preferred by employees because, compared to official email services, it was easy to set up.

Sibal said the new policy would require all government officials living abroad to use NIC servers that were directly linked to a server in India while accessing government email services.

Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agreed with the ban.

“After Snowden’s revelations, we can never be sure to what extent foreign governments are intercepting government emails," he told the Times.

It emerged last month that Dubai government employees had been banned from sending and receiving private emails at work, including the use of independent email providers such as Hotmail, Yahoo! and Gmail.

The new regulations announced by Sheikh Mohammed bin Rashid Al Maktoum, Vice President, Prime Minister and ruler of Dubai, specifically referred to religious and political communication as well as messages relating to charitable causes.

Workers are also not allowed to open unsolicited mail, spam or emails that contain viruses, or alter the date, time, source of destination information on an email.

For more details visit https://cis-india.org/news/arabian-business-september-1-2013-beatrice-thomas-gmail-ban-looms-for-indian-govt-workers

Indian government to bar politicians from using Gmail for official business

praskrishna — 2013-09-05T09:52:17Z

US-based email services seen as too risky.

This article by Neil McAllister was published in the Register on August 30, 2013. Sunil Abraham is quoted.

The government of India is reportedly planning to bar its employees from using Gmail and other foreign-based email services, amid concerns over surveillance by US spy agencies.

"Gmail data of Indian users resides in other countries as the servers are located outside," J Satyanarayana, India's secretary of electronics and information technology, told the Times of India. "Currently, we are looking to address this in the government domain, where there are large amounts of critical data."

The Indian government currently employs some 500,000 people, many of whom use Gmail for their primary email addresses. A quick glance at the contact page for the country's Department of Electronics and Information Technology reveals at least eight senior officials using Gmail, and still others with Yahoo! addresses.

Under the new directive, government employees will be asked to stick to official email addresses provided by India's National Informatics Centre (NIC). But an unnamed senior government IT official told the Times of India that many government workers choose Gmail and other foreign services because they are easier to use, and setting up accounts is much faster than working within the bureaucratic process of the NIC.

The move toward locally run email for Indian government workers comes in the wake of a string of revelations from documents leaked by Edward Snowden. Among the recent disclosures has been details of US electronic surveillance of foreign governments on US soil, where the National Security Agency even went as far as to snoop encrypted communications from United Nations headquarters in New York City.

No doubt equally concerning was a motion filed by Google in a US district court earlier this month, in which the Chocolate Factory asserted that "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" such as Gmail.

But Sunil Abraham of the Bangalore-based think tank the Centre for Internet and Society said that foreign spying wasn't the only reason why government officials should be required to use a homegrown email.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives," Abraham told the paper. "Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

When contacted for comment, a spokeswoman for Google India said the company had not been informed of the proposed ban, adding, "Nothing is documented so far, so for us, it is still speculation." ®

For more details visit https://cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business

August 2013 Bulletin

praskrishna — 2013-09-13T06:26:30Z

Our newsletter for the month of August 2013 can be accessed below.

The Centre for Internet & Society (CIS) welcomes you to the eighth issue of its newsletter for the year 2013. In this issue we are glad to bring you the final report on banking and accessibility submitted to the Ministry of Finance, Government of India, a research paper on India’s obligations under bilateral investment treaties, a report from a Wikipedia workshop held at the Konkani Department in Goa University, a report on the sixth privacy roundtable held in New Delhi, recent news coverage, and updates on our upcoming events.

Archives of our newsletters are here. Our policies on Ethical Research Guidelines, Non-Discrimination and Equal Opportunities, Privacy, Terms of Website Use and Travel can be accessed here.

Jobs
CIS is inviting applications for the posts of Developer (NVDA Screen Reader Project). To apply for this post, send in your resume to Nirmita Narasimhan (nirmita@cis-india.org). CIS is also seeking applications for the post of Policy Associate (Internet Governance). To apply send your resume to Sunil Abraham (sunil@cis-india.org) and Pranesh Prakash (pranesh@cis-india.org).

Accessibility

As part of its project on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India with the Hans Foundation, we bring you three new draft chapters on Assam, Manipur and Puducherry. With this we have completed compilation of draft chapters for 21 states and 3 union territories. Feedback and comments are invited from readers for the below chapters:

The Assam Chapter (by CLPR, August 28, 2013)
The Manipur Chapter (by CLPR, August 29, 2013)
The Puducherry Chapter (by Anandhi Viswanathan, August 31, 2013)

Note: All the chapters published on the website are early drafts and will be reviewed and updated.

Reports

Banking and Accessibility in India: A Report by CIS (by Vrinda Maheshwari, August 12, 2013). This is the final report submitted to the Ministry of Finance, Government of India.
Opening New Avenues for Empowerment (by UNESCO, August 31, 2013). UNESCO has published a global report on higher education titled “Opening New Avenues for Empowerment”. Nirmita Narasimhan was the coordinating author for the Asia Pacific region.

Access to Knowledge and Openness

As part of its project on developing the growth of Indic language communities with Wikimedia Foundation, CIS-A2K held six Wikipedia workshops. CIS is also doing a project (Pervasive Technologies) on examining the relationship between production of pervasive technologies and intellectual property. CIS also promotes openness including open government data, open standards, open access, and free/libre/open source software through its Openness programme.

Access to Knowledge
Research Paper

India's Obligations under Bilateral Investment Treaties (Part A): “Bilateral Inhibiting Treaty?” — Investigating the Challenges that Bilateral Investment Treaties pose to the Compulsory Licensing of Pervasive Technology Patent Pools (by Gavin Pereira, August 31, 2013).

Column

Copyrights and Copywrongs Why the Government Should Embrace the Public Domain (by Pranesh Prakash, Yojana, Issue: August 2013).

Media Coverage

Dictionary words in software patent guidelines puzzle industry (by C.H. Unnikrishnan, Livemint, August 26, 2013). CIS work on Access to Knowledge is mentioned.

Blog Entries

Are Indian Consumer Laws Ready for the Digital Age? (by Vipul Kharbanda, August 8, 2013).
Do You Have the Right to Unlock Your Smart Phone? (by Puneeth Nagaraj, August 7, 2013).

Access to Knowledge (Wikipedia)

The A2K team consists of four members based in Bangalore: T. Vishnu Vardhan, Dr. U.B. Pavanaja, Subhashish Panigrahi and Syed Muzammiluddin, and one team member Nitika Tandon who works from Delhi.

Event Reports

A Kannada Wikipedia Workshop at Krishnarajapet (by Dr. U.B. Pavanaja, August 14, 2013). The workshop was co-organized by the CIS-A2K team along with Kannada Sahitya Parishat of KR Pet.
An Odia Wikipedia Workshop at Sambalpur (by Gorvachove Pothal, August 27, 2013). This workshop was held at Veer Surendra Sai University of Technology, Burla, Sambalpur on July 26 and 27, 2013. Odia Wikipedian Gorvachove Pothal organized this workshop with financial support from the CIS-A2K programme.

Konkani Wikipedia — Climbing up the Indian Language Ladder? (by Subhashish Panigrahi, August 31, 2013). CIS-A2K team organized this event at the Konkani Department, Goa University from August 21 to 24, 2013.
Konkani Wikipedia Advances in 4 Days — From 90 Articles to 130 Articles! (by Nitika Tandon, August 31, 2013). CIS-A2K team organized this event at the Konkani Department, Goa University from August 21 to 24, 2013. Thirty-eight students took part in the wiki editing workshop.

Events Co-organised

Digitization of Books for Indic Language WikiSource (organised by Wikimedia India and CIS-A2K, CIS, Bangalore, August 18, 2013).
A Workshop on Editing Wikipedia in Mumbai (organised by the Centre for Indian Languages in Higher Education and CIS-A2K, Tata Institute of Social Sciences, Mumbai, August 24, 2013). The workshop was aimed at assisting students to take part in the Indian Languages Mela at the Tata Institute of Social Sciences (September 20-21, 2013) which is hosting a competition for best Indian language entries on Wikipedia.

Event Hosted

Mobile Training Workshop @ CIS (CIS, Bangalore, August 29, 2013). Rachita and Keerthana Chandrashekar gave a talk on mobile campaigns.

Events Participated

Wikimania 2013: The International Wikimedia Conference (organised by Wikimedia Foundation, Hong Kong Polytechnic University, August 7 – 11, 2013). T. Vishnu Vardhan and Subhashish Panigrahi participated in the event.
Wikimedia Asia Meeting (organised by Wikimedia community, Hong Kong, August 10, 2013). T. Vishnu Vardhan and Subhashish Panigrahi participated in the meeting. Unedited transcript of the entire conversation is posted online.
వికీపీడియా:సమావేశం/హైదరాబాద్/ఆగష్టు (Hyderabad, August 25, 2013). T.Vishnu Vardhan participated for the meeting through Skype.

Media Coverage

Wikipedia Gains Massive Traffic Thanks To Vernacular Languages (Before It’s News, August 1, 2013). T. Vishnu Vardhan is quoted.
Wikipedia boom in Marathi, Malayalam and other desi languages (by Sandhya Soman, The Times of India, August 1, 2013). T. Vishnu Vardhan is quoted.
Wikipedia boom in vernacular languages (by Divya Saboo, August 1, 2013). The Centre for Internet and Society is mentioned.
Stress on posting articles on Kannada Wikipedia (by R. Krishna Kumar, Hindu, August 2, 2013). Dr. U.B.Pavanaja is quoted.
India’s Indigenous Languages Drive Wikipedia’s Growth (by Mahesh Sharma, TechCrunch, August 6, 2013). T. Vishnu Vardhan is quoted.
Krishnarajapet Wikipedia Workshop Coverage (Prajavani, August 12, 2013).
Krishnarajapet Wikipedia Workshop Coverage (Vijaya Vani, August 12, 2013).
Krishnarajapet Wikipedia Workshop Coverage (Suvarna Times of Karnataka, August 12, 2013).
Wikipedia writes a new script (by Joyce Dias, August 24, 2013, The Goan). CIS-A2K workshop held in Goa is mentioned extensively. Nitika Tandon and Subhashish Panigrahi are quoted.
Konkani Wikipedia makes headway (by Diana Fernandes, OHeraldO, August 24, 2013). Nitika Tandon is quoted.
Konkani Wikipedians Speak (Goan Voice Daily Newsletter, September 4, 2013). Konkani Wikipedia workshop organized in Goa from August 21 – 24, 2013 is mentioned in this newsletter.

Ongoing / Upcoming Events

Wikipedia Training in Telugu for Dr. B.R. Ambedkar Open University, Hyderabad (Dr. B.R. Ambedkar Open University, Hyderabad, September 5-6, 2013). T. Vishnu Vardhan is teaching a module on "Knowledge and Openness in the Digital Era".
You too can write on Wikipedia! — Orientation Workshop (co-organised by CIS-A2K and the Centre for Contemporary Studies, Indian Institute of Science, Bangalore, September 15, 2013).

Train the Trainer — Four-day long Residential Training Workshop in Bangalore (organised by CIS-A2K, Bangalore, October 1 – 5, 2013). The programme will be held in the first week of October.

Blog Entries

Voices from Goa: Frania Pereira tells Why She Writes Articles on Konkani Wikipedia (by Subhashish Panigrahi, August 27, 2013).
Voices from Goa: Wikipedia Editor Rusita Paryekar (by Subhashish Panigrahi, August 27, 2013).

Openness

Event Hosted

Open Hardware Lab: Play & Invent + Bonus Film Screening (CIS, Bangalore, August 4, 2013). A hangout was done with CIS Lab Community and with members of the Computer Club of India and Arduino enthusiasts.

Event Participated

e-DIRAP Google+ Hangout on Open Government (organised by Google, July 25, 2013). Sunil Abraham was a panelist.

Media Coverage

Beyond Property Rights: Thinking About Moral Definitions of Openness (by David Eaves, Tech President, August 6, 2013). Sunil Abraham is quoted.
Extending The Spectrum Of Openness To Include The Moral Right To Share (by Glyn Moody, Techdirt, August 19, 2013). Sunil Abraham is quoted.

Internet Governance

CIS began two projects earlier this year. The first one on facilitating research and events on surveillance and freedom of expression is with Privacy International and support from the International Development Research Centre, Canada. The second one on mapping cyber security actors in South Asia and South East Asia is with the Citizen Lab, Munk School of Global Affairs, University of Toronto and support from the International Development Research Centre, Canada:

SAFEGUARDS Project

Event Report

Sixth Privacy Roundtable (co-organised by CIS, FICCI and DSCI, New Delhi, August 24, 2013). Bhairav Acharya and Prachi Arya participated in this event. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

Newspaper / Magazine Columns

Freedom from Monitoring: India Inc Should Push For Privacy Laws (by Sunil Abraham, Forbes India Magazine, August 21, 2013).
Out of the Bedroom (by Nishant Shah, Indian Express, August 25, 2013).

Blog Entries

'Ethical Hacker' Saket Modi Calls for Stronger Cyber Security Discussions (by Kovey Coles, August 5, 2013).
Ethical Issues in Open Data (by Kovey Coles, August 7, 2013).
FinFisher in India and the Myth of Harmless Metadata (by Maria Xynou, August 13, 2013).

Events Organised

The Hackers Way of Reshaping Policies (CIS, Bangalore, August 2, 2013). Bernadette Langle gave a talk on different ways to reshape policies.
Chennai: Learn to Protect your Online Activities! (Asian College of Journalism, Taramani, Chennai, August 7, 2013). A Crypto Party was organised.
The Phishing Society: Why 'Facebook' is more dangerous than the Government Spying on You - A Talk by Maria Xynou (CIS, Bangalore, August 7, 2013). Maria Xynou gave a talk on phishing society.
Learn to Protect your Online Activities! (ACJ - Asian College of Journalism, Second Main Road (Behind M.S. Swaminathan Research Foundation), Taramani, Chennai, August 7, 2013).
Privacy Meeting: Brussels – Bangalore (CIS, Bangalore, August 14, 2013). Gertjan Boulet and Dariusz Kloza gave a talk on privacy.
Learn to Protect your Online Activities! (CIS, Bangalore, August 17, 2013). A Crypto Party was held at CIS.

Events Participated In

Summer School 2013 (organized by the Research Center of Media and Communication at the University of Hamburg, Germany, July 29 – August 2, 2013). Dr. Nishant Shah was a panelist in the session on "Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India".
Meeting of a Sub-committee on DNA Profiling Bill (Hyderabad, August 6, 2013). Sunil Abraham participated in this meeting for discussing the draft bill.
Surveillance: Privacy Vs Security (organized by the Foundation for Media Professionals, India International Centre, New Delhi, August 17, 2013). Pranesh Prakash was a panelist.

Media Coverage

Crypto Night (by Rahul M., Caravan, August 1, 2013). Pranesh Prakash and Bernadette Langle are quoted.
Facebook: Limiting access to social media can restrict freedom of speech (by Kim Arora, The Times of India, August 1, 2013). Sunil Abraham is quoted.
Token disclosures? (by Deepa Kurup, The Hindu, August 4, 2013). Sunil Abraham is quoted.
Memeâ€™s the word now (by Padmaparna Ghosh, The Times of India, August 4, 2013). Nishant Shah is quoted.
Chinese hackers baiting Indian govt, corporate employees: report (by Moulishree Srivastava and Anirban Sen, Livemint, August 9, 2013). Sunil Abraham is quoted.
Mixed signals? Supreme Court notices to states on Facebook arrests (NDTV, August 16, 2013). Pranesh Prakash, Shreya Singhal and Faizal Farooqui discussed the grey areas of the IT Act.
Balancing vigilance and privacy (by Prashant Jha, The Hindu, August 18, 2013). Pranesh Prakash is quoted.
How Next-Gen Smartphone Users are Being Bought and Sold (by Rohin Dharmakumar, Forbes India Magazine, August 13, 2013, and IBN Live, August 19, 2013). Sunil Abraham is quoted.
Dear Milind Deora, Prakash Javadekar Deserved The Truth (by Rohin Dharmakumar, Forbes India, August 22, 2013). Sunil Abraham is quoted.
Election campaign: parties draw battle lines on media platforms (by Venkatesh Upadhyay, Livemint, August 26, 2013). Sunil Abraham is quoted.
India's Internet Privacy Woes (by Rohin Dharmakumar, Forbes India Magazine, August 26, 2013). Pranesh Prakash is quoted.
Cyberspying: Government may ban Gmail for official communication (The Times of India, August 30, 2013). Sunil Abraham is quoted.
Indian government to bar politicians from using Gmail for official business (by Neil McAllister, The Register, August 30, 2013). Sunil Abraham is quoted.

Cyber Stewards Project
Laird Brown, a strategic planner and writer with core competencies on brand analysis, public relations and resource management and Purba Sarkar who in the past worked as a strategic advisor in the field of SAP Retail are working in this project.

Video Interview

Part 9: Interview with Saikat Datta (August 5, 2013).

Telecom

CIS has published one newspaper column in the Business Standard and also made a submission to TRAI:

Newspaper Column

Breaking into the Closed Circle: Domestic High-Tech Manufacturing Needs Access To Markets (by Shyam Ponappa, originally published in the Business Standard, July 31, 2013 and also mirrored in Organizing India Blogspot, August 1, 2013).

Submission

TRAI Consultation Paper on Spectrum (by Shyam Ponappa and A.B. Beliappa, August 31, 2013). The submission was made to the Telecom Regulatory Authority of India on August 21, 2013.

Digital Humanities

We are building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia.

Blog Entries

Digital Humanities Talk (by Sara Morais, August 1, 2013). Sara wrote about her talk in this blog entry.
Theorizing the Digital Subaltern (by Sara Morais, August 2, 2013).

Event Organised

Digital Humanities for Indian Higher Education (co-organised by CIS-A2K, HEIRA, CSCS, Tumkur University, Tata Institute of Social Sciences, Mumbai and CCS-Indian Institute of Science, Bangalore, July 13, 2013). Errata: We had got the name of one of the co-organisers wrong in our previous newsletter. We have corrected this now.

Event Participated In

South Asia Conference on Higher Education (organised by the Centre for Study of Culture and Society, Ford Foundation Office, New Delhi, August 5 – 7, 2013). Sunil Abraham participated in this conference.

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.
Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

*Support Us*

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration
We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/august-2013-bulletin

The Personal Data (Protection) Bill, 2013

prachi — 2013-08-30T14:53:11Z

Below is the text of the Personal Data (Protection) Bill, 2013 as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013. Note: This version of the Bill caters only to the Personal Data regime. The surveillance and privacy of communications regime was not discussed at the 6th Privacy Roundtable.

For more details visit https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013

Report on the Sixth Privacy Roundtable Meeting, New Delhi

prachi — 2013-08-30T15:04:51Z

In 2013 the Centre for Internet and Society (CIS) drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with Federation of Indian Chambers of Commerce and Industry (FICCI) and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India. The following is a report on the Sixth Privacy Roundtable held in New Delhi on August 24, 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

A series of seven multi-stakeholder roundtable meetings on "privacy" were conducted by CIS in collaboration with FICCI from April 2013 to August 2013 under the Internet Governance initiative. DSCI joined CIS and FICCI as a co-organizer on April 20, 2013.

CIS was a member of the Justice A.P. Shah Committee which drafted the "Report of Groups of Experts on Privacy". CIS also drafted a Privacy (Protection) Bill 2013 (hereinafter referred to as ‘the Bill’), with the objective of establishing a well protected privacy regime in India. CIS has also volunteered to champion the session/workshops on "privacy" in the final meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: April 13, 2013
Bangalore Roundtable: April 20, 2013
Chennai Roundtable: May 18, 2013
Mumbai Roundtable: June 15, 2013
Kolkata Roundtable: July 13, 2013
New Delhi Roundtable: August 24, 2013
New Delhi Final Roundtable and National Meeting: October 19, 2013

This Report provides an overview of the proceedings of the Sixth Privacy Roundtable (hereinafter referred to as 'the Roundtable'), conducted at FICCI, Federation House in Delhi on August 24, 2013. The Personal Data (Protection) Bill, 2013 was discussed at the Roundtable.

The Sixth Privacy Roundtable began with reflections on the evolution of the Bill. In its penultimate form, the Bill stands substantially changed as compared to its previous versions. For the purpose of this Roundtable, which entailed participation largely from industry organizations and other entities who handle personal data, only the personal data regime was discussed. This debate was distinguished from the general and specific discussion relating to privacy, surveillance and interception of communications as it was felt that greater expertise was required to deal adequately with such a vast and nuanced area. After further discussion with security experts, the provisions on surveillance and privacy of communications will be reincorporated resulting in omnibus privacy legislation. To reflect this alteration in the ambit of the Bill in its current form, its title was changed to Personal Data (Protection) Bill from the more expansive – Privacy (Protection) Bill.

Chapter I – Preliminary

Section 2 of the first chapter enumerates various definitions including ‘personal data’, which is defined as any data that can lead to identification and ‘sensitive personal data’; a subset of personal data defined by way of a list. The main contentions arose in relation to the latter definition.

Religion and Caste

A significant modification is found in the definition of ‘sensitive personal data’, which has expanded to include two new categories, namely, (i) ethnicity, religion, race or caste, and (ii) financial and credit information. Although discussed previously, these two categories have hitherto been left out of the purview of the definition as they are fraught with issues of practicality. In the specific example of caste, the government has historically indulged in large-scale data collection for the purpose of census, for example as conducted by the Ministry of Rural Development and the Ministry of Social Justice and Empowerment, Government of India. Further, in the Indian scenario, various statutory benefits accrue from caste identities under the aegis of affirmative action policies. Hence, categorizing it as sensitive personal data may not be considered desirable. The problem is further exacerbated with respect to religion as even a person’s name can be an indicator. In light of this, some issues under consideration were –

Whether religion and caste should be categorized as sensitive personal data or personal data?
Whether it is impracticable to include it in either category?
If included as sensitive personal data, how should it be implemented?

The majority seemed to lean towards including it under the category of sensitive personal data rather than personal data. It was argued that the categorization of some personal data as sensitive was done on the basis of higher potential for profiling or discrimination. In the same vein, caste and religious identities were sensitive information, requiring greater protection as provided under section 16 of the Bill. Regarding the difficulties posed by revealing names, it was proposed that since it was not an indicator by default, this consideration could not be used as a rationale to eliminate religion from the definition. Instead, it was suggested that programmes sensitizing the populous to the implications of names as indicators of religion/caste should be encouraged. With regard to the issue of census, where caste information is collected, it was opined that the same could be done in an anonymously as well. The maintenance of public databases including such information by various public bodies was considered problematic for privacy as they are often easily accessible and hence have a high potential for abuse. Overall, the conclusion was that the potential for abuse of such data could be better curtailed if greater privacy requirements were mandated for both private and public organizations. The collection of this kind of data should be done on a necessity basis and kept anonymous wherever possible. However, it was acknowledged that there were greater impracticalities associated with treating religion and caste as sensitive personal data. Further, the use and disclosure of indicative names was considered to be a matter of choice. Often caste information was revealed for affirmative action schemes, for example, rank lists for admissions or appointments. In such cases, it was considered to be counter-productive to discourage the beneficiary from revealing such information. Consequently, it was suggested that they could be regulated differently and qualified wherever required. The floor was then thrown open for discussing the other categories included under the definition of ‘sensitive personal data’.

Political Affiliation

Another contentious issue discussed at the Roundtable was the categorization of ‘political affiliation’ as ‘sensitive personal data’. A participant questioned the validity of including it in the definition, arguing that it is not an issue in India. Further, it was argued that one’s political affiliation was also subject to change and hence did not mandate higher protection as provided for sensitive personal data. Instead, if included at all, it should be categorized as ‘personal data’. This was countered by other participants who argued that revealing such information should be a matter of choice and if this choice is not protected adequately, it may lead to persecution. In light of this, changing one’s political affiliation particularly required greater protection as it may leave one more vulnerable. Everyone was in agreement that the aggregation of this class of data, particularly when conducted by public and private organizations, was highly problematic, as evidenced by its historic use for targeting dissident groups. Further, it was accepted unanimously that this protection should not extend to public figures as citizens had a right to know their political affiliation. However, although there was consensus on voting being treated as sensitive personal data, the same could not be reached for extending this protection to political affiliation.

Conviction Data

The roundtable also elicited a debate on conviction data being enumerated as sensitive personal data. The contention stemmed from the usefulness of maintaining this information as a matter of public record. Inter alia, the judicial practice of considering conviction history for repeat offenders, the need to consider this data before issuing passport and the possibility of establishing a sex offenders registry in India were cited as examples for the same.

Financial and Credit Information

From the outset, the inclusion of Financial and Credit information as sensitive personal data was considered problematic as it would clash directly with existing legislations. Specifically, the Reserve Bank of India mandates on all issues revolving around this class of data. However, it was considered expedient to categorize it in this manner due to grave mismanagement associated with it, despite existing protections. In this regard, the handling of Credit Information was raised as an issue. Even though it is regulated under the Credit Information Companies (Regulation) Act, 2005, its implementation was found to be wanting by some participants. In this context, the harm sought to be prevented by its inclusion in the Bill was unregulated sharing of credit-worthiness data with foreign banks and organs of the state. Informed consent was offered as the primary qualifier. However, some participants proposed that extending a strong regime of protection to such information would not be economically viable for financial institutions. Thus, it was suggested that this category should be categorized as personal data with the aim of regulating unauthorized disclosures.

Conclusion

The debate on the definition of sensitive personal data concluded with the following suggestions and remarks:

The categories included under sensitive personal data should be subject to contextual provisions instead of blanket protection.
Sensitive personal data mandates greater protection with regard to storage and disclosure than personal data.
While obtaining prior consent is important for both kinds of data, obtaining informed consent is paramount for sensitive personal data.
Both classes of data can be collected for legitimate purposes and in compliance with the protection provided by law.

Chapter II – Regulation of Personal Data

This chapter of the Bill establishes a negative statement of a positive right under Section 3 along with exemptions under Section 4, as opposed to the previous version of the Bill, discussed at the fifth Privacy Roundtable, which established a positive right. Thus, in its current form, the Bill provides a stronger regime for the regulation of personal data. The single exemption provided under this part is for personal or domestic use.

The main issues under consideration with regard to this part were –

The scope of the protection provided
Whether the exemptions should be expanded or diminished.

A participant raised a doubt regarding the subject of the right. In response, it was clarified that the Bill was subject to existing Constitutional provisions and relevant case law. According to the apex court, in Kharak Singh v. The State of U.P. (1964), the Right to Privacy arose from the Right to Life and Personal Liberty as enshrined under Article 21 of the Constitution of India. Since the Article 21 right is applicable to all persons, the Right to Privacy has to be interpreted in conjunction. Consequently, the Right to Privacy will apply to both citizens and non-citizens in India. It would also extend to information of foreigners stored by any entity registered in India and any other entity having an Indian legal personality irrespective of whether they are registered in India or not.

The next issue that arose at the Roundtable stemmed from the exemption provided under Section 4 of the Bill. A participant opined that excluding domestic use of such data was unadvisable as often such data was used maliciously during domestic rows such as divorce. With regard to the how ‘personal and domestic use’ was to be defined it was proposed that the same had to cater existing cultural norms. In India, this entailed that existing community laws had to be followed which does not recognize nuclear families as a legal entity. It was also acknowledged that Joint Hindu Families had to be dealt with specially and their connection with large businesses in India would have to be carefully considered.

Another question regarding exemptions brought up at the Roundtable was whether they should be broadened to include the information of public servants and the handling of all information by intelligence agencies. Similarly, some participants proposed that exemptions or exceptions should be provided for journalists, private figures involved in cases of corruption, politicians, private detective agencies etc. It was also proposed that public disclosure of information should be handled differently than information handled in the course of business.

Conclusion

The overall conclusion of the discussion on this Chapter was –

All exemptions and exceptions included in this Chapter should be narrowly tailored and specifically defined.
Blanket exemptions should be avoided. The specificities can be left to the Judiciary to adjudicate on as and when contentions arise.

Chapter III – Protection of Personal Data

This chapter seeks to regulate the collection, storage, processing, transfer, security and disclosure of personal data.

Collection of Personal Data

Sections 5, 6 and 7 of the Bill regulate the collection of personal data. While section 5 establishes a broad bar for the collection of personal data, Section 6 and 7 provide for deviations from the same, for collecting data with and without prior informed consent respectively.

Collection of Data with Prior Informed Consent

Section 6 establishes the obligation to obtain prior informed consent, sets out the regime for the same and by way of 2 provisos allows for withdrawal of consent which may result in denial of certain services.

The main issues discerned from this provision involved (i) notice for obtaining consent, (ii) mediated data collection, and (iv) destruction of data.

Regarding notice, some participants observed that although it was a good practice it was not always feasible. A participant raised the issue of the frequency of obtaining consent. It was observed that services that allowed its users to stay logged in and the storage of cookies etc. were considered benefits which would be disrupted if consent had to be obtained at every stage or each time the service was used. To solve this problem, it was unanimously accepted that consent only had to be obtained once for the entirety of the service offered except when the contract or terms and conditions were altered by the service provider. It was also decided that the entity directly conducting the collection of data was obligated to obtain consent, even if the same was conducted on behalf of a 3^rd party.

Mediated date collection proved to be a highly contentious issue at the Roundtable. The issue was determining the scope and extent of liability in cases where a mediating party collects data for a data controller for another subject who may or may not be a user. In this regard, two scenarios were discussed – (i) uploading pictures of a 3^rd party by a data subject on social media sites like Facebook and (ii) using mobile phone applications to send emails, which involves, inter alia, the sender, the phone manufacturer and the receiver. The ancillary issues recognized by participants in this regard were – (i) how would data acquired in this manner be treated if it could lead to the identification of the 3^rd party?, and (ii) whether destruction of user data due to withdrawal of consent amount to destruction of general data, i.e. of the 3^rd party. The consensus was that there was no clarity on how such forms of data collection could be regulated, even though it seemed expedient to do so. The government’s inability to find a suitable solution was also brought to the table. In this regard it was suggested by some participants that the Principle of Collection Limitation, as defined in the A.P. Shah Committee Report, would provide a basic protection. Further the extent to which this would be exempted for being personal use was suggested as a threshold. A participant observed that it would be technically unfeasible for the service provider to regulate such collection, even if it involved illicit data such as pornographic or indecent photographs. Further, it was opined that such an oversight by the service provider could be undesirable since it would result in the violation of the user’s privacy. Thus, any proposal for regulation had to balance the data subject’s rights with that of the 3^rd party. In light of this, it was suggested that the mediating party should be made responsible for obtaining consent from the 3^rd party.

Another aspect of this provision which garnered much debate was the proviso mandating destruction of data in case of withdrawal of consent. A participant stated the need for including broad exceptions as it may not always be desirable. Regarding the definition of ‘destroy’, as provided for under Section 2, it was observed that it mandated the erasure/deletion of the data in its entirety. Instead, it was suggested, that the same could be achieved by merely anonymising the information.

Collection of Data without Consent

Section 7 of the Bill outlines four scenarios which entail collection of personal data without prior consent, which are reproduced below -

“(a) necessary for the provision of an emergency medical service to the data subject;
(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;
(c) necessary to prevent a reasonable threat to national security, defence or public order; or
(d) necessary to prevent, investigate or prosecute a cognisable offence”

Most participants at the Roundtable found that the list was too large in scope. The unqualified inclusion of prevention in that last two sub clauses was found to be particularly problematic. It was suggested that Section 7 (c) was entirely redundant as its provisions could be read into Section 7 (d). Furthermore, the inclusion of ‘national security’ as a basis for collecting information without consent was rejected almost unanimously. It was suggested that if it was to be included then a qualification was desirable, allowing collection of information only when authorized by law. Some participants extended this line of reasoning to Section 7 (c) as state agencies were already authorized to collect information in this manner. It was opined that including it under the Bill would reassert their right to do so in broader terms. For similar reasons, Section 7 (b) was found objectionable as well. It was further suggested that if sub clauses (b), (c) and (d) remained in the Bill, it should be subject to existing protections, for example those established by seminal cases such as Maneka Gandhi v. Union of India (1978) and PUCL v. Union of India (1997).

Storage and Processing of Personal Data

Section 8 of the Bill lays down a principle mandating the destruction of the information collected, following the cessation of the necessity or purpose for storage and provides exceptions to the same. It sets down a regime of informed consent, purpose specific storage and data anonymization.

The first amendment suggested for this provision was regarding the requirement of deleting the stored information ‘forthwith’. It was proposed by a participant that deleting personal data instantaneously had practical constraints and a reasonability criteria should be added. It was also noticed that in the current form of the Bill, the exception of historical, archival and research purposes had been replaced by the more general phrase ‘for an Act of Parliament’. The previous definition was altered as the terms being used were hard to define. In response, a participant suggested a broader phrase which would include any legal requirement. Another participant argued that a broader phrase would need to me more specifically defined to avoid dilution.

Section 9 of the Bill sets out two limitations for processing data in terms of (i) the kind of personal data being processed and (ii) the purpose for the same. The third sub clause enumerates exceptions to the abovementioned principles in language similar to that found in Section 7.

With regard to the purpose limitation clause it was suggested by many participants that the same should be broadened to include multiple purposes as purpose swapping is widespread in existing practice and would be unfeasible and undesirable to curtail. Sub clause 3 of this Section was critiqued for the same reasons as Section 7.

Section 10 restricts cross-border transfer of data. It was clarified that different departments of the same company or the same holding company would be treated as different entities for the purpose of identifying the data processor. However, a concern was raised regarding the possibility of increased bureaucratic hurdles on global transfer of data in case this section is read too strictly. At the same time, to provide adequate protection of the data subject’s rights certain restrictions on the data controller and location of transfer.

The regime for disclosure of personal data without prior consent is provided for by Section 14. The provision did not specify the rank of the police officer in charge of passing orders for such disclosure. It was observed that a suitable rank had to be identified to ensure adequate protection. Further, it was suggested that the provision be broadened to include other competent agencies as well. This could be included by way of a schedule or subsequent notifications.

Conclusion

Mediated collection of data should be qualified on the basis of purpose and intent of collection.
The issue of cost to company (C2C) was not given adequate consideration in the Bill.
The need to lay down Procedures at all stages of handling personal data.
Special exemptions need to be provided for journalistic sources.

Meeting Conclusion

The Sixth Privacy Roundtable was the second to last of the stakeholder consultations conducted for the Citizens’ Personal Data (Protection) Bill, 2013. Various changes made to the Bill from its last form were scrutinized closely and suitable suggestions were provided. Further changes were recommended for various aspects of it, including definitions, qualifications and procedures, liability and the chapter on offences and penalties. The Bill will be amended to reflect multi-stakeholder suggestions and cater to various interests.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi

International Summer School: "Digitization and its Impact on Society"

praskrishna — 2013-11-20T10:00:59Z

Dr. Nishant Shah will be the key note speaker in the session "Social Networks and the Revolution of Political Communication". The event is being hosted by the Dresden Center for Digital Linguistics from September 29 to October 5, 2013.

Click to read the full programme schedule published by the Dresden Center for Digital Linguistics. More details on the program here.

The Summer School takes place on the TUD campus, mainly in the buildings of the Faculty of Computer Science (Nöthnitzer Straße 46) and the Max Planck Institute for the Physics of Complex Systems (Nöthnitzer Straße 38).

Co - Conveners and Scientific Committee

Noah Bubenhofer, Dresden Center for Digital Linguistics, TU Dresden
Thomas Bürger, Saxon State and University Library Dresden (SLUB)
Wolfgang Donsbach, Chair of Communication Studies I, Institute of Media and Communication, TU Dresden
Katrin Etzrodt, Institute of Media and Communication, TU Dresden
Horst - Peter Götting, Chair of Civil Law and Intellectual Property Law, Institute for Intellectual Property, Competition and Media Law, TU Dresden
Lutz Hagen, Chair of Communications Studies II, Institute of Media and Communication, TU Dresden
Thomas Köhler, Professorship for Educational Technology, Institute for Vocational Education, TU Dresden
Holger Kuße,Chair of Linguistics and History of Slavonic Languages, Institute of Slavonic Studies, TU Dresden
Claudia Lange, Chair of English Linguistics, Institute of English and American Studies, TU Dresden
Rebecca Renatus, Institute of Media and Communication, TU Dresden
Anne Lauber-Rönsberg, Institute for Intellectual Property, Competition and Media Law, TU Dresden
Joachim Scharloth, Chair of Applied Linguistics, Institute of German Studies, TU Dresden
Eric Schoop, Chair of Business Informatics, esp Information Management, Faculty of Business and Economics
Marcel Thum, Chair of Public Economics, TU Dresden

Coordination: Dresden Center for Digital Linguistics, Joachim Scharloth, Noah Bubenhofer, Yvonne Krämer

Website: http://linguistik.zih.tu-dresden.de/digitization/
Email: summerschool.gsw@tu-dresden.de

For more details visit https://cis-india.org/news/digitization-and-its-impact-on-society

Mixed signals? Supreme Court notices to states on Facebook arrests

praskrishna — 2013-08-28T08:42:56Z

In wake of the recent arrests of UP-based scholar Kanwal Bharti and Andhra-based PUCL activist Jaya Vindhyala over their Facebook posts, NDTV aired a discussion on the grey areas of the IT Act. Pranesh Prakash, Shreya Singhal and Faizal Farooqui

The video was published by NDTV on August 16, 2013. Pranesh Prakash is quoted.

The NDTV anchor asked Pranesh that this notice — the indicator coming from the government is that nobody seems to really know what section 66A is all about...and at the end of the day we are going to make a case by case decision.

Pranesh said that:

"This not just about 66A. This is actually about rule of law. We see that the arrest of Kanwal Bharti is actually a legal arrest. It goes against a judgment of the Allahabad High Court saying that routine arrests shouldn't be made in cases where the imprisonment term is less than 7 years. He actually hasn't been charged under 66A, he was charged under the IPC. It is not just about Internet censorship. It also very much about the rule of law and that completely breaking down in India and ... people's persectives and government's perspectives many times are withering away when it comes offensive content or what they deem offensive or communal content being posted online...and if something like what Kanwal Bharti posted is actually deemed to be illegal under those provisions then lots of statements that the Prime Minister of India has said should also be deemed to be equally illegal."

Watch the full video below:

For more details visit https://cis-india.org/news/ndtv-the-social-network-mixed-signals-supreme-court-notices-to-states-on-facebook-arrests

India's Internet Privacy Woes

praskrishna — 2013-09-05T11:09:30Z

“For the sake of national security and to protect the privacy of its citizens, India should develop its own social media platforms,” says Dr Kamlesh Bajaj, CEO of Data Security Council of India (DSCI), a Nasscom-promoted ‘self-regulatory’ organisation on data protection and privacy in India, in a blog post dated August 13.

This article by Rohin Dharmakumar was published in Forbes India on August 26, 2013. Pranesh Prakash is quoted.

Citing a litany of woes, including American control over internet infrastructure, Bajaj makes the case for India to take a leaf out of China’s playbook (“even though its reasons were different”) and encourages the creation of “Indian” social media sites and search engines.

“Unfortunately, Dr Bajaj provides a wrong solution to a correct diagnosis,” says Pranesh Prakash, a policy director with the Centre for Internet and Society. “First, I can’t think of any governmental intervention—short of a ban on existing foreign services—that can make a new Indian service successful. Second, India’s privacy laws are worse than those in the US. Nothing will stop the US and Indian governments from coming after this company too.”

The problem arises because services like Facebook and Google store all your data unencrypted on their servers, making it easy for them, or governments and hackers, to monitor everything you do. The correct solution, says Prakash, would be to encourage the creation and use of de-centralised and end-to-end encrypted services that do not store all your data in one place.

For more details visit https://cis-india.org/news/forbesindia-august-26-2013-india-internet-privacy-woes

Election campaign: parties draw battle lines on media platforms

praskrishna — 2013-09-05T10:23:41Z

In the run-up to the 2014 polls, parties are drawing up media strategies that have a focus on young voters.

This article by Venkatesh Upadhyay was published in Livemint on August 26, 2013. Sunil Abraham is quoted.

Major national political parties have begun to sharpen and tweak their tools of public relations and media engagement in the run-up to the 2014 general election, with an eager nod towards a voters list that is expected to be packed by the young.

National parties currently in the process of shortlisting their advertising, public relations and mobile marketing agencies declined to share details.

“The advertising strategy will crystalize by January. We will go for multiple agencies,” said Manish Tewari, spokesperson for the Congress as well as minister for information and broadcasting.

According to people familiar with the selection process, JWT, Crayons Communications and Dentsu India, among others, are all in the race for the Congress business. Home-grown Crayons has worked closely with the Delhi government and Congress in the past.

Refusing to confirm the names on the shortlist, Tewari said it was a line-up of the “usual suspects”.

For social media, the Congress has engaged Delhi-based OMLogic, an online media marketing company, which helped create the website fekuexpress.com that seeks to highlight the supposedly braggart nature of the opposition Bharatiya Janata Party’s chief campaigner Narendra Modi.

The website ran contests in which winners received film tickets. OMLogic was among three shortlisted agencies from 22 that competed for the same account, a person familiar with the bid said. According to others aware of the developments, senior Congress leaders such as Digvijay Singh and Deepender Singh Hooda helped select the agencies.

OMLogic helps clients enhance their brands across platforms and creates social media applications for them. The company declined to comment for this story.

“I believe these elections will represent the first time that political parties will have a conscious media strategy,” said Sanjaya Baru, communications advisor to Prime Minister Manmohan Singh from 2004 to 2008.

	“By conscious I mean that political parties have acknowledged the role of mass media in getting their message across to voters. TV has taken the space of political rallies.” Baru said the media strategy for the coming elections was essentially focused on TV and social media as “both these platforms allow parties to reach out to large parts of the urban and semi-urban demographic”. Close to 60 million new voters have been enrolled for the 2014 election, of whom 17.6 million are 18-19 year-old first-timers. A study by the Iris Knowledge Foundation and Internet and Mobile Association of India (IAMAI) estimates the number of urban social media users to be around 78 million. The main users were in the age groups of 18-24 and 25-34 years.

“By conscious I mean that political parties have acknowledged the role of mass media in getting their message across to voters. TV has taken the space of political rallies.”

Baru said the media strategy for the coming elections was essentially focused on TV and social media as “both these platforms allow parties to reach out to large parts of the urban and semi-urban demographic”.

Close to 60 million new voters have been enrolled for the 2014 election, of whom 17.6 million are 18-19 year-old first-timers. A study by the Iris Knowledge Foundation and Internet and Mobile Association of India (IAMAI) estimates the number of urban social media users to be around 78 million. The main users were in the age groups of 18-24 and 25-34 years.

The Congress has already highlighted the role of social media in its communication strategy. The party held a special session on the use of social media by party members on 22 August that was addressed by minister of state for human resources Shashi Tharoor, and Manish Tewari. In a similar meeting last month, party members were briefed on how to comment on key issues, including the state of the economy, and personalities like Modi, who is also Gujarat chief minister.

It also launched an intranet software called Khidki (Hindi for window) for use by Congress members. According to party politicians, another important part of last month’s exercise was to identify young members who would make up a cadre of spokespersons that would then participate across news channels.

The BJP, meanwhile, has drafted Internet entrepreneurs B.G. Mahesh and Rajesh Jain to help the party with its social media operations. Acknowledging the role of social media in the party’s media strategy, BJP spokesperson Nirmala Seetharaman said, “Our exercise has already taken on board the position which the party enjoys on various social media. We only emphasized the content that such media ought to have,” she added.

Prominent members of the party, led by Modi, have large followings on social media. Modi’s Twitter account is followed by close to 2.1 million people.

Last week, the BJP launched india272.com that would “crowd source” suggestions by the electorate. It also launched a website where its members can upload “chargesheets” on the Congress-led United Progressive Alliance. Visitors to www.bjp.org/upachargesheet can also make use of different social media platforms such as Facebook, Twitter, YouTube and Flickr to register their complaints.

Some Internet activists are sceptical about such strategies. “The average Indian netizen is not that well equipped to critically analyse the content coming from so-called crowdsourced mechanisms,” said Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based Internet policy research organization. “I believe that social media might be one step removed from actual voters and might be more oriented towards opinion makers. In that sense social media (in India) behaves very differently from the way it has been used in the US.”

According to an online media expert familiar with the BJP’s social media campaign, the interactive nature of social media helps build up an image of transparency while making the party more accessible to a young audience that has been switching off television news.

In addition, social media allows political leaders to gauge public response quickly.

Ajay Maken, Congress general secretary and the man who heads the party’s communication strategy, pointed out in an article published this month that subjects that become influential on Twitter during the day tend to turn into full-fledged TV debates by the evening.

But political parties are not giving up on television channels just yet.

According to a report by consulting firm KPMG, the number of Indian households with TV sets is estimated to be 154 million, and is expected to grow to 173 million by 2017. TAM Media research estimated the number of TV households to be 123 million in 2009. Meanwhile, cable- and satellite-owning TV households has in the period 2009-2012 ballooned from 90 million to 126 million, according to TAM.

The Congress has issued guidelines to its members on how to behave on television. According to individuals familiar with the move, the party has also set up a research cell that informs Congress spokespersons about subjects that they are asked to speak on.

Congress members who participate in televised debates have been given strict orders to not go on air without a thorough understanding of the nuances of issues—provided to them by Congress researchers. For instance, spokespersons have been advised to rely on facts and be data-specific when confronted with the twin issues of Gujarat’s high-growth economy and Modi’s governance record.

In order to streamline the process, the party has come up with lists of speakers who are focused on specific issues. It has also constituted media cells in each state capitals with three units—spokespersons, social media cell and research —and a social media division for every urban centre with a population of at least a million.

The BJP has devised a similar strategy. Party spokespersons have been asked to mention chief ministers other than Modi if asked about the leadership for the 2014 elections. Arun Jaitley, in a interview to The Hindu, on 19 August had spoken about the possibility of there being close to 10 prime ministerial candidates in the BJP.

The BJP, which held a closed-door media workshop for party members last week, is also keen on research. “A lot of policy requires specialized understanding which is largely domain-specific. In that regard, members of our party will need to be prepared when they speak on such issues,” said spokesperson Seetharaman.

The Congress has already begun a television ads-blitzkrieg to trumpet its record in government. Begun in May, these ads have sought to showcase the fruits of the welfare state, including schemes aimed at the poor, such as theMahatma Gandhi National Rural Employment Guarantee Act, as well a long list of rights-based laws. One well-known ad tells the story of a fictional young woman named Priya who lives in a village but makes use of opportunities in education and improved electricity connections to become a successful entrepreneur.

For more details visit https://cis-india.org/news/livemint-august-26-2013-venkatesh-upadhyay-election-campaign

Out of the Bedroom

nishant — 2013-09-06T08:32:58Z

We have shared it with our friends. We have watched it with our lovers. We have discussed it with our children and talked about it with our partners. It is in our bedrooms, hidden in sock drawers. It is in our laptops, in a folder marked "Miscellaneous". It is in our cellphones and tablets, protected under passwords. It is the biggest reason why people have learned to clean their browsing history and cookies from their browsers.

The article by Nishant Shah was published in the Indian Express on August 25, 2013.

Whether we go into surreptitious shops to buy unmarked CDs or trawl through Torrent and user-generated content sites in the quest of a video, there is no denying the fact that it has become a part of our multimedia life. Even in countries like India, where consumption and distribution of pornography are punished by law, we know that pornography is rampant. With the rise of the digital technologies of easy copy and sharing, and the internet which facilitates amateur production and anonymous distribution, pornography has escaped the industrial market and become one of the most intimate and commonplace practices of the online world.

In fact, if Google trend results are to be believed, Indians are among the top 10 nationalities searching for pornography daily. Even a quick look at our internet history tells us that it has all been about porn. The morphed pictures of a naked Pooja Bhatt adorned the covers of Stardust in the late 1990s, warning us that the true potential of Photoshop had been realised. The extraordinary sensation of the Delhi Public School MMS case which captured two underage youngsters in a grainy sexcapade announced the arrival of user-generated porn in a big way. The demise of Savita Bhabhi — India's first pornographic graphic novel — is still recent enough for us to remember that the history of the internet in India is book-ended by porn and censorship.

Recent discussions on pornography have been catalysed by a public interest litigation requesting for a ban on internet pornography filed in April by Kamlesh Vaswani. Whether Vaswani's observations on what porn can make us do stem from his own personal epiphany or his self-appointed role as our moral compass is a discussion that merits its own special space. Similarly, a debate on the role, function, and use of pornography in a society is complex, rich and not for today.

Instead, I want to focus on the pre-Web imagination of porn that Vaswani and his endorsers are trying to impose upon the rest of us. There is a common misunderstanding that all porn is the same porn, no matter what the format, medium and aesthetics of representations. Or in other words, a homogenising presumption is that erotic fiction and fantasies, pictures of naked people in a magazine, adult films produced by entertainment houses, and user-generated videos on the internet are the same kind of porn. However, as historical legal debates and public discussions have shown us, what constitutes porn is specific to the technologies that produce it. There was a time when DH Lawrence's iconic novel now taught in undergraduate university courses — Lady Chatterley's Lover — was deemed pornographic and banned in India. In more recent times, the nation was in uproar at the Choli ke peeche song from Khalnayak which eventually won awards for its lyrics and choreography.

In all the controversy, there has so far been a "broadcast imagination" of how pornography gets produced, consumed and distributed. There is a very distinct separation of us versus them when it comes to pornography. They produce porn. They distribute porn. They push porn down our throats (that was probably a poor choice of words) by spamming us and buying Google adwords to infect our search results. We consume porn. And all we need to do is go and regulate, like we do with Bollywood, the central management and distribution mechanism so that the flow of pornography can be curbed. This is what I call a broadcast way of thinking, where the roles of the performers, producers, consumers and distributors of pornography are all distinct and can be regulated.

However, within the murky spaces of the World Wide Web, the scenario is quite different. Internet pornography is not the same as availability of pornography on the internet. True, the digital multimedia space of sharing and peer-2-peer distribution has made the internet the largest gateway to accessing pornographic objects which are produced through commercial production houses. However, the internet is not merely a way of getting access to existing older forms of porn. The internet also produces pornography that is new, strange, unprecedented and is an essential part of the everyday experience of being digitally connected and networked into sociality.

The recent controversies about the former congressman from New York, Anthony Weiner, sexting — sending inappropriate sexual messages through his cellphone — gives us some idea of what internet porn looks like. It is not just something captured on a phone-cam but interactive and collaboratively produced. Or as our own Porngate, where two cabinet ministers of the Karnataka legislative assembly were caught surfing some good old porn on their mobile devices while the legislature was in session, indicated, porn is not something confined to the privacy of our rooms. Naked flashmobs, young people experimenting with sexual identities in public, and sometimes bizarre videos of a bus-ride where the camera merely captures the banal and the everyday through a "pornographic gaze" are also a part of the digital porn landscape. The world of virtual reality and multiple online role-playing games offer simulated sexual experiences that allow for human, humanoid, and non-human avatars to engage in sexual activities in digital spaces. Peer-2-peer video chat platforms like Chatroulette, offer random encounters of the naked kind, where nothing is recorded but almost everything can be seen.

The list of pornography produced by the internet — as opposed to pornography made accessible through the internet — is huge. It doesn't just hide in subcultural practices but resides on popular video-sharing sites like YouTube or Tumblr blogs. It vibrates in our cellphones as we connect to people far away from us, and pulsates on the glowing screens of our tablets as we get glimpses of random strangers and their intimate bodies and moments. An attempt to ban and censor this porn is going to be futile because it does not necessarily take the shape of a full narrative text which can be examined by others to judge its moral content. Any petition that tries to censor such activities is going to fall flat on its face because it fails to recognise that sexual expression, engagement and experimentation is a part of being human — and the ubiquitous presence of digital technologies in our life is going to make the internet a fair playground for activities which might seem pornographic in nature. In fact, trying to restrict and censor them, will only make our task of identifying harmful pornography — porn that involves minors, or hate speech or extreme acts of violence — so much more difficult because it will be pushed into the underbelly of the internet which is much larger than the searched and indexed World Wide Web.

Trying to suggest that internet pornography is an appendage which can be surgically removed from everyday cyberspace is to not understand the integral part that pornography and sexual interactions play in the development and the unfolding of the internet. The more fruitful efforts would be to try and perhaps create a guideline that helps promote healthy sexual interaction and alerts us to undesirable sexual expressions which reinforce misogyny, violence, hate speech and non-consensual invasions of bodies and privacy. This blanket ban on trying to sweep all internet porn under a carpet is not going to work — it will just show up as a big bump, in places we had not foreseen.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-august-25-2013-nishant-shah-out-of-the-bedroom

Dear Milind Deora, Prakash Javadekar Deserved The Truth

praskrishna — 2013-09-05T10:38:05Z

Milind Deora, the Minister of State for Communications, Information Technology and Shipping, isn’t your typical politician.

This article by Rohin Dharmakumar was published in Forbesindia Magazine on August 22, 2013. Sunil Abraham is quoted.

At just 36, he’s way younger than the average cabinet minister (64) or Member of Parliament (53). He’s also richer (Rs.17.5 crore compared to Rs.5.3 crore for the average M.P.)

He’s got his own website - www.milinddeora.in - which unlike most of his peer’s websites, is fairly well-designed and constantly updated. He’s also an avid user of social networks like Twitter (@milinddeora) and Facebook.

Oh, he’s also a Blues fan and a pretty good guitarist.

In short, he’s the kind of politician or minister many Indians would like to vote for.

And vote they do, in fact. Deora’s won the Mumbai (South) parliamentary constituency two times in a row, garnering nearly twice his next opponent’s votes during the 2009 elections.

Which is why it’s surprising, and saddening, to see Deora trot out a patently false set of answers to how America’s global dragnet of Internet surveillance is affecting the privacy of Indians.

On 16th August Deora responded to a question from Rajya Sabha M.P. and BJP Spokesperson Prakash Javadekar, asking the following:

(a) whether it is a fact that India was the fifth most tracked country by the United States intelligence, particularly on the internet;
(b) if so, the details thereof;
(c) the impact of USA”s surveillance program-Prism and Boundless Information on the country; and
(d) the steps Government intends to take to protect country”s interests and the privacy of its citizens?

Javadekar’s question was sorely needed in light of the near-daily disclosures being made about the scarily omnipresent extent to which the US Government spies on global Internet users through a myriad of ways.

India, as Javadekar rightly pointed out, was indeed the fifth most monitored country under the “Boundless Informant” data mining tool that tracks the NSA’s (the US’ lead communications spy agency) global surveillance efforts. In just March 2013 alone, according to a leaked presentation on the tool, the NSA collected 6.3 billion pieces of information from India. Suffice it to say, the information would have come from Indian citizens, businesses, ministries, bureaucrats and of course, members of Parliament (most of who now use webmail and social network from the likes of Google and Facebook).

The only countries that were spied upon more than us were Iran, Pakistan, Jordan and Egypt. Some sobering company, that!

One would thus expect Deora to be seized of the urgency and concern behind Javadekar’s questions. His answer was:

(a) & (b) In June 2013, Media reports have disclosed that India is the fifth largest target of United States electronic surveillance programmes, in terms of interception of communications on fibre cables and other infrastructure. As per media reports, United States agencies used a number of methods to gather intelligence including intercepting communication on fibre cables and infrastructure, collecting information from servers of global internet and Telecom Service Providers. Such companies include Google, Facebook, Microsoft, Apple, Yahoo, AOL,Youtube, Paltalk and Skype.

Here we have a member of Parliament asks India’s Minister for Communications & IT about the extent to which Indian citizens and businesses are being spied upon by the US – ostensibly a friendly country – and all the Minister could do was cite newspaper reports?

What about your own investigations Mr.Minister? What is the opinion of your leading spy agencies like the NTRO, R&AW and IB? Are they also relying on newspaper reports?

But wait, Deora does go on to provide a few more answers:

(c) & (d) Government has expressed concerns over reported United States monitoring of internet traffic from India. Concerns with regard to violation of any Indian laws relating to privacy of information of ordinary Indian citizen as well as intrusive data capture deployed against Indian citizens or government infrastructure have been conveyed to the United States. The issue of United States Cyber surveillance activities was discussed during the Indo-US (India United States ) strategic dialogue meeting held in New Delhi on 24.06.2013.

Whew. That was reassuring. We expressed “concerns with regard to violation of any Indian laws relating to privacy of information” to the US during a “strategic dialogue meeting”.

Let me guess what the US side responded: “Sure. We’ll do that. Come back to us when you have a privacy law. Ha ha!”

As Sunil Abraham, the director for the Center for Internet & Society points out in Forbes India, India has no modern and comprehensive privacy law. And the government is working on a new one for only the last three years:

What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.

The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.

Which brings me to the final part of Deora’s response to Javadekar:

United States official responded that PRISM dealt only with Meta Data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored. United States Officials maintained that data content/content of emails are not accessed or not monitored under these surveillance programmes; therefore, it is not a violation of privacy. It was stated by United States that its agencies need to get separate authorization from Foreign Intelligence Surveillance Act (FISA) court, if they want to access the content of any of the data intercepted by these surveillance programmes.

Dear Mr.Minister, either you have been lied to by your friendly “United States Official”, or, well…

Firstly, by limiting the answer to only PRISM, which happens to be just one of the NSA’s secret tools for online surveillance, you are willfully or inadvertently narrowing down Javadekar’s question which specifically mentions other tools like Boundless Informant.

Almost all of the big Internet companies revealed to be part of the NSA’s global spying mechanism have also used the same tactic to tailor their denials. I suppose they got the cue from the NSA, which loves using the “Under This Program” dodge to derail specific questions about its secret programs, according to the Electronic Frontier Foundation:

Another tried and true technique in the NSA obfuscation playbook is to deny it does one invasive thing or another “under this program.” When it’s later revealed the NSA actually does do the spying it said it didn’t, officials can claim it was just part of another program not referred to in the initial answer.

In case you weren’t aware of the NSA’s obfuscation tactics Mr.Minister, here is another great piece on it from the Slate – “How to Decode the True Meaning of What NSA Officials Say”

Thus when your friendly US official tells you that “only meta data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored” under PRISM, not “data content/content of emails”, he or she is technically right.

Because the NSA has other programs that capture all of that. For instance, XKeyscore, which according to leaked presentations, it can capture “nearly everything a typical user does on the internet”. This includes emails, visits to websites, web searches and Facebook chats & private messages.

Did you also know, Mr. Minister, that the XKeyscore surveillance program has servers located inside India?

Finally, you make a statement that is patently false. You say that US spy agencies need authorizations from the secret Foreign Intelligence Surveillance Courts (FISC) in order to access the data collected by various surveillance programs.

FISA courts almost always approve any request made to them (they apparently rejected just 11 requests out of 33,900 made by the US government in the last 33 years), so that’s that for oversight.

And in the NSA’s Orwellian world of doublespeak, large scale interception and storage of Internet communications isn’t considered “collected” till such time one of their agents has had a chance to look at it. Which means if you’re reading this post – the NSA’s secret servers over the world and in India can coolly capture that and store it in vast databases for posterity – without it ever registering as a “collection” or requiring any approval from FISA courts.

Fact is, Mr.Minister, we “foreigners” (unless you belong to one of the four other countries that are part of the “Five Eyes” alliance, in which case you’ll be treated with a wee bit more caution) , that is, us, are fair game:

The intelligence data is being gathered under Section 702 of the of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection.

The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as “incidental collection” in surveillance parlance.

We expected better answers from you Mr.Minister – sorry, expect better.

Alas your recent answers don’t inspire much trust, for instance when you tell us constant surveillance is “good for us” and “will enhance the privacy of citizens”.

Or when you tell us that “Google Hangouts” – a service provided by a company that looms over nearly everything Indians do online – is a better medium to reach out to people than Parliament or Television.

We deserve the truth from you Mr.Minister. Just like Prakash Javadekar.

For more details visit https://cis-india.org/news/forbesindia-august-22-2013-rohin-dharmakumar-dear-milind-deora-prakash-javadekar-deserved-the-truth