We are anonymous, we are legion

E-administration Efforts are Lame Ducks without Internet

Amit Kumar & Sat Singh — 2017-12-20T16:05:44Z

Strap: How Haryana engages with the Digital India dream when one act of vandalism can invite a net ban.

Fatehabad, Haryana: It took Mahender Kumar a week to brush up his DJ-ing skills and understand what songs to play for crowds at different events. It wasn’t done out of some special love for music.

When he had to stop operations of his Common Service Center in Fatehabad district’s Badopal village for the third time in 18 months because of an internet shutdown “caused” by violence in his state, Mahender had to revisit his teenage hobby. He was more cautious about running a centre that depended on the internet. After all, the 31-year-old had to do something to feed a family of five. “Kuch to kaam karna tha. Parivar ko bhukhe to rakh nahi sakte."

Launched in 2015 as part of the central government’s ambitious Digital India programme, Common Service Centers or Atal Sewa Kendras (ASKs) are the “access points for delivery of various e-governance and business services to citizens in rural and remote areas of the country”. Sikander Kumar, in-charge of the Fatehabad District Informatics Center, informs that there are 14 such centers in urban areas and a whopping 223 in rural areas in his district alone.

These Kendras deal with banking, insurance, pension, health, and even railway ticketing, Aadhaar services, and electricity bill payment. The Haryana government claims to have integrated “around 170+ state government services of varied departments” with this scheme. More are in the pipeline.

Mahender, who undertook operations of the Kendra in December 2015, earns commissions ranging from Rs 10 to Rs 100 from his customers. A Rs 10 for paying electricity bills, another Rs 10 for correcting every mistake in Aadhar cards. He even fills up job applications and pension forms using the internet. His daily earning ranges from Rs 1000 to Rs 1200, and he provides food and pays Rs 1500 each to the two persons who assist him occasionally.

“Things were running in perfect order until February 2016. I had to incur losses after losses due to multiple internet bans since then," says Mahender. The Jat reservation stir of February 2016 had led to an internet ban when protests turned violent in various parts of Haryana. Internet service were suspended as a preventive measure a year later in March when the protests were brewing again. When Dera Sacha Sauda Chief Gurmeet Ram Rahim was convicted for rape in August 2017, Fatehabad faced internet shutdown for a week.

Mahender lost his bread and butter on these occasions, and being a part-time DJ was his way of minimising the risk. He continues to run the center though.

Rajesh Kumar too makes a living by running an ASK in Dhangar in Fatehabad. A graduate in arts from the National College in Sirsa, he started the Kendra in October 2015. Though he has reservations about the crawling pace of internet in his village, it doesn’t stop him from fulfilling the needs of customers who can be found “flooding the Kendra on any working day”.

He places great importance on the role of the center he runs. After the demonetisation of Rs 500 and Rs 1000 notes in November 2016, Rajesh says his Kendra “reduced the inconveniences caused to common people by the move”. When the cash lying around became of no use, the e-banking services his centre offered came to the rescue. This is why he doesn’t approve of the internet shutdowns. “Rural areas suffer the most. My friends in cities do not have to go through this.”

Even updating panchayat records on time is a hassle during shutdowns. Rajesh Koth, Fatehabad district development and panchayat officer, does not directly face the brunt of internet shutdowns since his office functions out of the mini-secretariat, which continues using internet through a lease line meant for such situations. But shutdowns do affect his department’s work as the 200 something panchayats with which emails are to be exchanged do not have the same luxury. “Village panchayats have been equipped with a computer and an internet connection, which are used to update the department on development works passed by the panchayat,” Rajesh says.

With villages losing access to whatever internet they had, panchayats have to send physical records to the Fatehabad district headquarters, thereby increasing the office’s burden.

Internet lost, grains lost

The impact of internet shutdowns on the administration’s e-governance schemes was felt even by fair price shops. Subhash Singh has been running a ration depot in the same village as Mahender’s, Badopal, for a decade now. It wasn’t just Subhash’s loss when he couldn’t disburse ration because of the internet shutdown in August 2017.

He says he was bound by authorities to not distribute ration without an Aadhar-enabled authentication using a thumbprint. “Several people came, but they had to return empty-handed due to failing biometric verification. I must’ve lost about Rs 2500 in that time.”

Fatehabad district food and supply controller Ashok Bansal confirmed that his department had indeed “issued clear instructions as mandated by the government to distribute ration only after Aadhar-enabled verification”. Strict action is taken on complaints for not complying this order, he says.

Being his only source of income, Subhash eventually "spent a lot of time and energy to persuade people to return” to his shop again. But he clearly remembers how he was accused of finding an excuse to not give people their lot of ration.

Amit Kumar and Sat Singh are Haryana-based members of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/e-administration-efforts-are-lame-ducks-without-internet

Dystopia vs development: The Kashmir paradox

Asmita Bakshi — 2019-10-20T06:31:00Z

On 26 July, Azmat Ali Mir, 26, landed in her hometown, Srinagar. A day later, uncertainty and panic gripped the Kashmir valley—the Amarnath yatris (pilgrims) and other tourists were being evacuated, there was heavy military deployment and news reports claimed that there could be a threat to the border.

The article by Asmita Bakshi was published by Livemint on October 19, 2019. Ambika Tandon was quoted.

But Mir had a lot of work to do—she had events planned as part of her startup Manzar Experience Curators, which promotes Kashmiri art, culture and fashion made and produced locally for audiences outside the state, particularly Bengaluru, where she now lives. “We are so used to things like this, we were like, ‘these things will keep happening, curfew laga denge (they will impose a curfew), that means you need to have ration in your home. But until then, you have to do your work’," Mir tells me over the phone from Bengaluru. “I had very little time, my tickets were already booked for 5 August, there was so much work, I had no time to think. I was going around, signing contracts, getting things done."

But soon, it became clear that things would be different this time. By August 1, fear and tension had escalated. Rumours of war grew louder, and additional troops were flown in. “The guy who heads the agency that was to help with online promotions for my event said things don’t seem okay and we should wait and see how this goes," says Mir. “Our lives, both personal and professional, are governed around the political calendar of Kashmir."

Across town, on 26 July, Sheikh Samiullah, 28, from downtown Srinagar was at a café called ZeroBridge Fine Dine along with his team and representatives from the state administration, including deputy commissioner Shahid Choudhary, to launch the Android app for his company FastBeetle. The logistics startup, launched last year by Samiullah and co-founder Abid Rashid Lone, is often called “Kashmir’s Dunzo", and provides door-to-door delivery services for businesses ranging from online grocers and retail commerce to pharmacies and individuals.

The launch of their iOS app was scheduled for 13 August, the day after Eid. But this had to be cancelled a few days later due to the prevailing situation in the valley. Today, FastBeetle’s operations—which run on the internet—have ceased. “I invested all my savings in this company. For me, it’s not possible to run this again. It is like starting from the beginning. I have a massive liability on my head," Samiullah tells me in Delhi, where he has gone from running a profitable business to being unemployed and now searching for work.

Over the same period, Qazi Zaid, 30, who runs and edits the news platform Free Press Kashmir, was in overdrive. “As journalists living in Kashmir, we aren’t just reporting the conflict, we are also living the conflict. We are members of the same society," he says. “One of the last stories we did was on the panic—how panic is being manufactured and the standard response of people who are scared and entering panic mode. That’s what happened with us as well." Free Press Kashmir, which is primarily an online news portal, has not published for close to three months. And now Zaid is in the Capital, exploring ways to save his news portal from complete closure and prevent the 15 young journalists he employs from being rendered jobless.

These young Kashmiris and their organizations have been driven into a state of near-obscurity since 5 August, when the Union government abrogated Article 370 of the Constitution, which granted the state of Jammu and Kashmir its special status, and subsequently sent the valley into a communication blackout. Two and a half months later, only landlines and post-paid mobile services (excluding SMS) have been restored. Internet and data services remain closed.

With thousands of arrests, instances of violence from both militants and the Armed Forces reported in the international press, the impact of this shutdown has been immense. But it has also inflicted a huge monetary cost. A report in the BBC, published on 8 October, stated that “the Kashmir Chamber of Commerce and Industry estimates the shutdown has already cost the region more than $1.4bn (around ₹9,800 crore), and thousands of jobs have been lost".

Shutting down of startups

In a region ridden with decades of armed conflict and the presence of the Indian armed forces in large numbers, entrepreneurship is no easy feat. Kashmiris have typically chosen public sector jobs, but the valley’s entrepreneurs agree that over the last decade or so, young and resilient men and women from the valley had been working to change this with online and offline ventures.

In fact, the startup ecosystem in Kashmir seemed to have been poised for growth. Notably, in September last year, the Jammu and Kashmir Entrepreneurship Development Institute (JKEDI), established by the state government, released the J&K Startup Policy 2018, which aimed to boost the startup ecosystem by granting founders a monthly allowance of up to ₹12,000 for a period of one year during incubation. Recognized startups would be provided with one-time assistance of up to ₹12 Lakh for product research and development, marketing and publicity.

It was around this time that Samiullah started FastBeetle. He had noticed that though logistics companies existed, they catered largely to big organizations like Amazon. FastBeetle tied up with smaller businesses, including close to 200 women in the valley who were making and selling apparel and other wares on Instagram. “They would have trouble going out every day on multiple deliveries since it is a conservative society," he says. FastBeetle had over 30 merchants within its first month of operations. Over the first five months, they had grown to making 100 deliveries per day, employed a team of six, got an office space and two bikes. In a year, they had generated a positive cash flow despite numerous internet shutdowns imposed in the valley.

Since August 5, the company has been plunged into what Samiullah believes is an interminable downturn. He estimates monetary losses at approximately ₹15 lakh, not considering the ₹4 lakh he invested in the Android app and another ₹3 lakh on the iOS app that never took off. In the unlikely event that restrictions are lifted immediately and business as usual resumes in the valley, it will cost him another ₹10 lakhs to restart the company.

Financial losses aside, he says, it is the time and passion he had invested in the business that won’t come back. And his young employees face an uncertain future as well. One of his delivery boys, Arsalan Shabir Bhat, 21, doesn’t know what the future holds both for him or the valley. “The salary of ₹10,000 for me was good, I was satisfied. “Aage ka nahi pata par haalaat bohot kharab hai. Filhaal toh baithe hi hai ghar pe (I don’t know about the future but the current situation is grim. For now, I am sitting at home)," he says.

Through all this, the state administration and Union government are trying to push the narrative of development. In late September, minister of state for finance and corporate affairs Anurag Thakur, told news outlets: “Our government has taken a historic decision to abrogate Article 370. Now, J&K will witness massive development." Yet, the 33 startups registered with the JKEDI and 70 with the Startup India portal in J&K, among others that run on private funding and bootstrapping models, have been struggling since this decision was taken. Earlier this week, militants attacked two non-local apple traders in the valley, casting doubt on the claim that Kashmir is safe for business.

It was to assess conflicting claims such as these, by providing an insight into the lives of people in the valley, that Zaid restarted Free Press Kashmir in 2017 (it was previously shut down in 2014), using investments from his family business. “It’s all the more important now. Because authentic voices from Kashmir are not coming out," says Zaid. He says that while the international media focuses on Kashmir from a breaking news perspective and some of the Indian press takes a nationalistic line, human perspectives from the valley largely remained unheard.

“There was a gap of a human narrative coming out of Kashmir, which we saw and filled," he says. “If we were to relaunch right now, I don’t think there would be a lot of positive stories. There would be stories of struggle, survival, trauma, pain, hardship. That’s what we would be reporting right now."

With a civil curfew reportedly in place in the valley as a means of protest, even businesses that could have provided financial assistance to these startups are not in operation.

“The economy is so badly hit and it will take another year or two years or more—no idea how long—to recover. Because right now advertisers will take some time to recover as well," says Zaid. “I don’t think we can sustain that long. Our business was at 50% of sustenance and now it’s down to 0. Traffic is down to 0 form 350,000-500,000 hits."

Some investors like Asmat Ashai, who runs the US-based non-profit organization Funkar International, would provide financial assistance to young Kashmiri artists, nevertheless maintain that the difficult situation will not deter them from providing support. “I will continue to help anyone who asks me for help because we cannot give up and we will not be broken. We will stay the course and save whatever we have in spite of the abrogation of all the articles. That is paperwork. Kashmiris will not be broken."

Lost hope

According to the Software Freedom Law Foundation, a legal services organization working to protect digital freedom, Kashmir has had the maximum number of internet shutdowns in the country—55, of varying durations and extents, in 2019 alone, and a total of 180 since 2015. This time however, the shutdown was far more severe—all media and communication platforms, including landlines, internet, news publications and certain television services were suspended. “A large majority of businesses today rely on the internet for some part if not all of their function," says Ambika Tandon, policy officer, Centre for Internet and Society (CIS), Bengaluru.

CIS published a digital book titled Internet Shutdown Stories in May 2018 which tracked how internet blockades impact lives and livelihoods in India. “We collected stories from Internet Service Providers (ISPs) and digital marketing firms in Kashmir that were on the brink of closing down due to the frequency of shutdowns in the valley. The reporters spoke to musicians who used YouTube as a means to earn a livelihood and popularity, and were doubly upset with the effect on their income and their freedom of expression. Given the absence of any public notice before shutdowns, or information regarding the extent and duration of shutdowns, the government definitely has the minimal responsibility of compensating direct losses incurred by those who cannot afford it," says Tandon.

Take the example of Furqan Qureshi, who set up KartFood, popularly called “Kashmir’s Zomato", when he was still pursuing a commerce degree from Islamia College, Srinagar. He started in 2017 and would take orders on call. Once the response grew, Qureshi had a website and application built. But for two months thereafter, in May and June 2017, there was a clampdown on the internet. “I suffered a loss of close to ₹1.5 lakh and that time I had no investment, but I had employed people and was responsible for them, so I persevered and started again from July. It’s always about working from scratch in Kashmir. Whenever there is a shutdown, you start from zero," he says on the phone from Bengaluru.

Qureshi says they always fought the odds and remained in business through internet shutdowns during which the team, which stood at 25-30 as on 5 August, would call customers and coordinate deliveries on the phone.

This dedication is what eventually resulted in his first round of investment in February 2018, from a local Kashmiri businessman. “I upgraded the app, included more restaurants, added delivery tracking features and was creating jobs."

Since 5 August, however, not only have communication channels been hit, initially there was complete restriction on movement within the valley. “I had to leave Kashmir around six or seven days after the clampdown, since I live in an area where there was stone-pelting every day and the police was entering homes and picking up boys. My parents were scared and said it was better to go to Bengaluru and stay here," he says, now hoping he can set up a small restaurant in the city, using whatever he has managed to save.

As young entrepreneurs leave, the JKEDI remains hopeful that the startup ecosystem will bounce back once normalcy returns. “I think as soon as the internet starts working again we will push the things here as well, with the policy we are trying to give some incentive to these people, so that we can get these startups back and they can inspire other people to start their own," says Irtif Lone, in-charge, Centre for Innovation Incubation and Business Modelling, JKEDI.

“It is difficult for people to choose to pursue a startup and these situations make it even tougher. We will be pushing all the startups that have made a mark and are now suffering due to the financial constraints. They will be given an incentive as soon as possible so that none of them are starved for finances."

But there are doubts about whether such promises can be fulfilled. In any case, it may already be too late. Shayan Nabi, 29, who ran a digital marketing company and had invested in other ventures of his own such as KashmirCalling (to coordinate private carpooling), has given up hope. As he waits for his employees to receive the emails he has sent asking them to look for alternative opportunities, he himself is facing professional uncertainty in Delhi. “I have been very vocal about providing internet freedom in Kashmir. It’s a basic human right. But it always falls on deaf ears." He adds: “I had ideas about making Kashmir digital. But I am sorry, not any more. Not after all the humiliation we have been through."

The road to recovery from here is paved with crippling debt, unemployment and loss of morale. What was once seen as an act of resilience amidst conflict, has today crumbled due to a State diktat, paradoxically executed with promises of peace and prosperity.

When Mir finally landed in Bengaluru on the morning of 5 August, she broke down when she finally heard the news. Today, with payments stuck with vendors and Mir’s inability to reach her artisans and wazas (Kashmiri cooks) in the valley, the Manzar website reads, “All verticals of Manzar Experience Curators... are currently unoperational due to the unprecedented lockdown in Kashmir". She fears that her venture, which set out to create conversations about Kashmir around the country, has lost all meaning and purpose. “I am not someone who set out with hate, I set out with love and passion and this idea of changing things," she says.

“Do you think with the kind of environment that this country has created for a Kashmiri today, I can go out and do what I do? Is it safe for someone like me to take a place somewhere in Bengaluru to open a place that serves authentic Kashmiri food? I am scared it could be burnt down the next day."

The question she now asks herself transcends the uncertainty of business in the valley, and straddles a precariousness both political and personal: “Where do I go from here?"

For more details visit https://cis-india.org/internet-governance/news/livemint-asmita-bakshi-october-18-2019-dystopia-vs-development

Due Diligence Project FGD by UN Women

Admin — 2019-10-20T07:11:13Z

On October 11, 2019, Radhika Radhakrishnan attended a focussed group discussion at the UN House, New Delhi, organized by UN Women for their multi-country research study on online violence (Due Diligence Project).

The purpose of the discussion was to provide a better understanding of the nature and the scope of this form of VAWG and to provide recommendations to inform policies, plans, programming and advocacy on the issue.

For more details visit https://cis-india.org/internet-governance/news/due-diligence-project-fgd-by-un-women

DSCI-Infosys Roundtable

Admin — 2019-04-05T02:06:00Z

Sunil Abraham participated in this meeting organized by Infosys in Bangalore on March 25, 2019 as a speaker.

AGENDA:

10:00-10:15 AM	Opening Remarks: Infosys Context Setting: DSCI and Infosys
10:15- 11:00 AM	Elements shaping Data Economy § Digitization: Personalization, Experience, Productivity & Possibilities § Global Internet Platforms: Transforming B2C and B2B § Phantomization of Technology & Business Models § Changing nature of Deliveries: value driven, subscription based and platform based § Product Economy: Data-centric Designs, Start-ups and Unicorn, § IOT and Industrialisation 4.0: Next generation service & business lines § Data flow and how it’s shaping trade of goods and services § Role of data in delivering the public service and improving public order § Artificial Intelligence: at specific product/service level and its ramification to industrial and national economy § Technology: role of data in developing next generation tech platforms Discussion Facilitation: DSCI and Infosys
11:00- 11:45 AM	Tech’s Dilemmas § Scale and reach of BigTech: Industrial Capitalism versus Internet Capitalism § Competition § Influence on personal, social, transactional, economic and political life § Stressed relations with values of modern value system § Ethical issues: human rights, social harmony, public space decency, health electoral processes, information warfare... § Data Privacy § Tech’s response: Locking down of data, editorial/ censorship controls... § Challenges of law enforcement, fraud management and supervision § Relevance to national security objectives ...... § Principles of Responsible Innovation § Ideas under discussion/ experimentation Discussion Facilitation: DSCI and Infosys
11:45-12:15 AM	Shaping Data Economy § Structures and approaches: state controlled, private sector led, decentralized § Directions: legal/ policy, innovation, investments, architectures (like India Stack), § Searching the role of liberal economic principles § Open architectures and open data ecosystem § Positions, Obligations, Burdens and Liabilities for protecting rights, creating level playing field, ensuring competition... § Regulatory approaches: establishing supervisory controls § National security: Interventions, mandates and cooperation Discussion Facilitation: DSCI and Infosys
12:15 to 12:30 PM	Discussion Summary
12:30 PM onwards	Lunch

For more details visit https://cis-india.org/internet-governance/news/dsci-infosys-roundtable

DSCI's Bangalore chapter meet

Admin — 2019-02-02T01:47:51Z

On January 29, 2019, Karan Saini and Gurshabad Grover participated in the Bangalore chapter meet organized by Data Security Council of India in Bangalore.

For more details visit https://cis-india.org/internet-governance/news/dscis-bangalore-chapter-meet

DSCI Information Security Summit 2010 – A Report

elonnai — 2012-03-21T10:04:22Z

On 2 and 3 December 2010, the DSCI Information Security Summit 2010 took place in the Trident Hotel, Chennai. The two day summit included a broad spectrum of speakers/panels and topics, ranging from Securing Data & Systems to how to leverage the Cloud. The key speakers were Mr. Gulshan Rai, Director General, CERT-In, DIT, Mr. Rajeev Kapoor, Joint Secretary, DoPT, Govt. of India, Mr. Vakul Sharma, Advocate, Supreme Court of India and Dr. Kamlesh Bajaj, CEO, DSCI. Elonnai Hickok attended the summit.

Day one commenced with keynote address given by Jeffery Carr, Principal, GreyLogic, US who spoke about the gravity and risk that businesses and countries are facing in the digital age. A prominent theme in every presentation throughout the day was that India is facing both serious changes and challenges in light of evolving technology and global standards. A few specific challenges addressed were: encryption standards, the cloud, and securing business transactions. During the panel on encryption standards it was pointed out that India desperately needs a clear and comprehensive policy on encryption standards. Not only will this serve to facilitate transactions in India, but it will increase trade as foreign countries will have an enforced policy to ensure them that India is a safe destination to export to. The panel addressing the cloud focused on the challenges that businesses are facing in terms of the cloud in the Indian context. The three main challenges to the Cloud are:

data security and privacy
compliance requirements
legal and contractual requirements

It was pointed out that in particular the Indian legal environment is serving as an obstacle to businesses wishing to move to the cloud, because of policies such as 40 bit encryption, and the Indian Telecom licensing policy which do not permit data transfer outside the cloud. Discussed also were measures that organisations have adopted to address data protection challenges in the cloud including: Including security & privacy clauses in the contractual agreement, making the Cloud service provider liable for a data breach, and auditing the services of Cloud service providers. Further information about the Cloud in the Indian context can be found in the DSCI report on Data Protection Challenges in Cloud Computing: An Indian Perspective. In the session on Securing Business Transactions, the challenge of protecting data and transactions was addressed. Many approaches were presented which explained how securing systems has moved away from using security enables software to security embedded hardware. The first day concluded with a presentation of DSCI Study Reports, including their recent study on the State of Data Security and Privacy in the Indian BPO Industry, Service Provider Assessment Framework – A Study Report, and the DSCI Security Framework.

The second day included presentations and panel discussions on privacy, the economics of security, and security technologies. The presentation on privacy presented many different viewpoints which ranged from the stance that India has been taking the right steps towards securing individuals privacy, and in contrast, that India has seen a dilution of privacy standards in the recent years. Contributing to the panel on privacy, Vakul Sharma, Supreme Court Advocate created a timeline of privacy in India, dispelling the popular belief that India does not have a history of privacy. Mr. Sharma closed his presentation with a challenge to those who believe that India does not have adequate privacy protections - to return to the clauses in the ITA, see if they are indeed being followed, and then assess if India does not have adequate privacy protection. The panel on the Economics of Security spoke about the rising costs of security in the wake of cyber crime, and the rising cost of not adequately protecting one’s business. In the session on Technology Challenges to Fight Data Breaches and Cyber Crimes a debate evoked on current measures taken by industry and government to fight cyber crime, and steps that still need to be taken. Opening the session was a presentation by Mr. West, member of the National Cyber Forensics Training and Alliance. His presentation introduced a new approach taken by the States in which key stakeholders including students and local law enforcement were engaged when tracking down cyber criminals. Mr. West demonstrated the success of the program, and explained how such an approach could be easily adapted in India. From different comments made by the panel and audience it was clear from this session that there is a need for the Indian government to be more invested in funding and supporting smaller cybercrime initiatives. Closing the day was a panel on E-Security for the next five years including the application and enforcement of DSCI’s best practices for a Security and Privacy Framework.

The event was sponsored by: Trusted Computing Group, Computer Associates, McAfee, Verizon Business, Tata Consultancy Services, Deloitte, (ISC)2, BlackBerry, ACS, CSC, Microsoft, RSA, and Intel.

For more details visit https://cis-india.org/internet-governance/blog/dsci-information-summit

DSCI Best Practices Meet 2013

kovey — 2013-07-26T08:18:01Z

The DSCI Best Practices Meet 2013 was organized on July 12, 2013 at Hyatt Regency, Anna Salai in Chennai. Kovey Coles attended the meet and shares a summary of the happenings in this blog post.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Last year’s annual Best Practices Meet, sponsored by the Data Security Council of India (DSCI), was held in here in Bangalore, and featured CIS associates as panelists for an agenda focused mostly around mobility in technology. This year, the event was continued in nearby Chennai, where many of India’s top stakeholders in Cyber Security came together at the Hyatt hotel to discuss the modern cyber security landscape. Several of the key points of the day emphasized how the industry realm needed to be especially keen on Cyber Security today. Early speakers explained how many Cyber-Attacks occur as opportunistic attacks on financial institutions, and that these breaches often take months to be discovered, with the discovery usually being made by a third-party. For those reasons, it was repeatedly mentioned throughout the day that modern entities must anticipate attacks as inevitable, and prepare themselves to be able to respond and successfully bounce-back.

Several panelists of the event expanded upon the evolving challenges facing industries, and explained why service based industry continually grows more susceptible to Cyber-Attack. There were representatives from Microsoft, Flextronics, MyEasyDoc, and others, who explained how technological demands of modern consumers resulted inadvertently in weaker security. For example, with customers expecting real-time access to data rather than periodic data reports, i.e financial data reports, industries must now keep their data open, which weakens database security. Overall, the primary challenge faced by the industry was effectively summarized by Microsoft India CSO Ganapathi Subramaniam, stating that within web services, “Security and usability are inversely proportional.” Essentially, the more convenient a product, the less secure its infrastructure.

Despite discussion of the difficulties facing modern producers and consumers, there were undoubtedly highlights of optimism at the conference. A presentation by event sponsor Juniper Networks shed light on practices which combat Cyber-Attackers, including rerouting perceived Distributed Denial of Service (DDoS) attacks and finger-printing suspected hackers through a series of characteristics rather than just IP addresses (these characteristics include browser version, fonts, Add-Ons, time zone, and more). Notably, there was a call for cooperation on all fronts in combatting Cyber-crime, for public-private partnerships (PPP), and many citizens stood and spoke on the behalf of civil society’s incorporation in the process as well. One speaker, Retired Brig. Abhimanyu Ghosh admirably tore down sector divisions in the face of Cyber-Security threats, saying “We all want to secure ourselves. It is not a question of industry versus government, government versus industry. Government needs industry, and industry needs government.”

Finally, a few speakers used their opportunity at the conference to highlight issues related to rights and responsibilities of both citizens and government in internet. Nikhil Moro, a scholar at the Hindu Center for Politics and Public Policy, spoke at length about the urgent condition of laws which undermine freedom of speech and freedom of expression in India, especially within while online. His talk, which occurred near the end of the event, stirred the crowd to discussion, and helped remind the attendees of the comprehensiveness of issues which demand attention in the realm of a growing internet presence.

For more details visit https://cis-india.org/internet-governance/blog/dsci-bpm-2013-conference-notes

DSCI Best Practices Meet

praskrishna — 2017-07-07T01:39:23Z

Udbhav Tiwari represented CIS on a Panel titled "Reposing Trust in Citizen Identity Systems" at the DSCI Best Practices Meet held at the ITC Gardenia on June 22 and 23, 2017 in Bangalore.

The event discussions featured around privacy and Aadhaar.

For more details visit https://cis-india.org/internet-governance/news/dsci-best-practices-meet

DSCI Bangalore Chapter meet

Admin — 2018-11-28T01:45:23Z

Gurshabad Grover and Karan Saini attended the DSCI Bangalore Chapter meet held in Bangalore at 10K NASSCOM Startup Warehouse on November 22, 2018.

For more details visit https://cis-india.org/internet-governance/news/dsci-bangalore-chapter-meet

Droidcon India, first Android Conference in Bangalore

praskrishna — 2011-11-24T04:17:12Z

HasGeek is happy to announce the forthcoming Droidcon India on the 18th and 19th of November 2011 at the MLR Convention Centre in Bangalore. Droidcon.com, Bangalore Android User Group, MobileMonday Bangalore, Medianama, Android Advices and the Centre for Internet and Society are the event partners.

Droidcon is India’s first international Android conference and is part of the world’s largest series of Android conferences, with other editions in London, Bucharest (Romania), Brussels, Amsterdam and Berlin. Droidcon India is a response to the booming market for Android, which has seen sales increase by 888.88 per cent in 2010, and reach nearly 50 per cent market share worldwide.

Organized by developers for developers, the multi-track two day event will provide a rich variety of content for delegates by attracting the best speakers in the Android community. HasGeek expects the participation of over 400 delegates, including students, developers, UX and UI designers, and people with strong interests in the Android ecosystem, both from India and beyond.

The sessions will be presented in an informal environment that gives everyone a chance to be heard. The theme for the conference covers a range of topics that include building well designed apps, dealing with device diversity, performance optimization, NFC, Arduino, and usage in the Enterprise. For more details about session topics visit http://goo.gl/F9bEB

For registrations and tickets, visit http://goo.gl/pmXpJ

Following the first day conference on November 18, there will be an after party for this event which will be held at the CounterCulture restaurant.

For more information on tickets and registrations, contact Zainab Bawa @ zainab@hasgeek.in or call @ +91 99454 73641.

For more details visit https://cis-india.org/internet-governance/events/droidcon-india

Driving in the Surveillance Society: Cameras, RFID tags and Black Boxes...

maria — 2013-07-12T15:26:33Z

In this post, Maria Xynou looks at red light cameras, RFID tags and black boxes used to monitor vehicles in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

How many times in your life have you heard of people been involved in car accidents and of pedestrians being hit by red-light-running vehicles? What if there could be a solution for all of this? Well, several countries, including the United States, the United Kingdom and Singapore, have already adopted measures to tackle vehicle accidents and fatalities, some of which include traffic enforcement cameras and other security measures. India is currently joining the league by not only installing red light cameras, but by also including radio frequency identification (RFID) tags on vehicles´ number plates, as well as by installing electronic toll collection systems and black boxes in some automobiles. Although such measures could potentially increase our safety, privacy concerns have arisen as it remains unclear how data collected will be used.

Red light cameras

Last week, the Chennai police announced that it plans to install traffic enforcement cameras, otherwise known as red light cameras, at 240 traffic signals over the next months, in order to put an end to car thefts in the city. Red light cameras, which capture images of vehicles entering an intersection against a red traffic light, have been installed in Bangalore since early 2008 and a study indicates that they have reduced the traffic violation rates. A 2003 report by the National Cooperative Highway Research Programme (NCHRP) examined studies from the previous 30 years in the United States, the United Kingdom, Australia and Singapore and concluded that red light cameras ´improve the overall safety of intersections when they are used´.

However, how are traffic violation rates even measured? According to Barbara Langland Orban, an associate professor of health policy and management at the University of South Florida:

“Safety is measured in crashes, in particular injury crashes, and violations are not a proxy for injuries. Also, violations can be whatever number an agency chooses to report, which is called an ‘endogenous variable’ in research and not considered meaningful as the number can be manipulated. In contrast, injuries reflect the number of people who seek medical care, which cannot be manipulated by the reporting methods of jurisdictions.”

Last year, the Bombay state government informed the High Court that the 100 CCTV cameras installed at traffic junctions in 2006-2007 were unsuitable for traffic enforcement because they lacked the capacity of automatic processing. Nonetheless, red light cameras, which are capable of monitoring speed and intersections with stop signals, are currently being proliferated in India. Yet, questions remain: Do red light cameras adequately increase public safety? Do they serve financial interests? Do they violate driver´s due-process rights?

RFID tags and Black Boxes

A communication revolution is upon us, as Maharashtra state transport department is currently including radio frequency identification (RFID) tags on each and every number plate of vehicles. This ultimately means that the state will be able to monitor your vehicle´s real-time movement and track your whereabouts. RFID tags are not only supposedly used to increase public safety by tracking down offenders, but to also streamline public transport timetables. Thus, the movement of buses and cars would be precisely monitored and would provide passengers minute-to-minute information at bus stops. Following the 2001 amendment of Rule 50 of the Central Motor Vehicles Rules, 1989, new number plates with RFID tags have been made mandatory for all types of motor vehicles throughout India.

RFID technology has also been launched at Maharashtra´s state border check-posts. Since last year, the state government has been circulating RFID stickers to trucks, trailers and tankers, which would not only result in heavy goods vehicles not having to wait in long queues for clearance at check-posts, but would also supposedly put an end to corruption by RTO officials.

By 31 March 2014, it is estimated that RFID-based electronic toll collection (ETC) systems will be installed on all national highways in India. According to Dr. Joshi, the Union Minister for Road Transport and Highways:

“The RFID technology shall expedite the clearing of traffic at toll plazas and the need of carrying cash shall also be eliminated when toll plazas shall be duly integrated with each other throughout India.”

Although Dr. Joshi´s mission to create a quality highway network across India and to increase the transparency of the system seems rational, the ETC system raises privacy concerns, as it uniquely identifies each vehicle, collects data and provides general vehicle and traffic monitoring. This could potentially lead to a privacy violation, as India currently lacks adequate statutory provisions which could safeguard the use of our data from potential abuse. All we know is that our vehicles are being monitored, but it remains unclear how the data collected will be used, shared and retained, which raises concerns.

The cattle and pedestrians roaming the streets in India appear to have increased the need for the installation of an Event Data Recorder (EDR), otherwise known as a black box, which is a device capable of recording information related to crashes or accidents. The purpose of a black box is to record the speed of the vehicle at the point of impact in the case of an accident and whether the driver had applied the brakes. This would help insurance companies in deciding whether or not to entertain insurance claims, as well as to determine whether a driver is responsible for an accident.

Black boxes for vehicles are already being designed, tested and installed in some vehicles in India at an affordable cost. In fact, manufacturers in India have recommended that the government make it mandatory for cars to be fitted with the device, rather than it being optional. But can we have privacy when our cars are being monitored? This is essentially a case of proactive monitoring which has not been adequately justified yet, as it remains unclear how information would be used, who would be authorised to use and share such information, and whether its use would be accounted for to the individual.

Are monitored cars safer?

The trade-off is clear: the privacy and anonymity of our movement is being monitored in exchange for the provision of safety. But are we even getting any safety in return? According to a 2005 Federal Highway Administration study, although it shows a decrease in front-into-side crashes at intersections with cameras, an increase in rear-end crashes has also been proven. Other studies of red light cameras in the US have shown that more accidents have occurred since the installation of traffic enforcement cameras at intersections. Although no such research has been undertaken in India yet, the effectiveness, necessity and utility of red light cameras remain ambiguous.

Furthermore, there have been claims that the installation of red light cameras, ETCs, RFID tags, black boxes and other technologies do not primarily serve the purpose of public security, but financial gain. A huge debate has arisen in the United States on whether such monitoring of vehicles actually improves safety, or whether its primary objective is to serve financial interests. Red light cameras have already generated about $1.5 million in fines in the Elmwood village of Ohio, which leads critics to believe that the installation of such cameras has more to do with revenue enhancement than safety. The same type of question applies to India and yet a clear-cut answer has not been reached.

Companies which manufacture vehicle tracking systems are widespread in India, which constitutes the monitoring of our cars a vivid reality. Yet, there is a lack of statutory provisions in India for the privacy of our vehicle´s real-time movement and hence, we are being monitored without any safeguards. Major privacy concerns arise in regards to the monitoring of vehicles in India, as the following questions have not been adequately addressed: What type of data is collected in India through the monitoring of vehicles? Who can legally authorize access to such data? Who can have access to such data and under what conditions? Is data being shared between third parties and if so, under what conditions?How long is such data being retained for?

And more importantly: Why is it important to address the above questions? Does it even matter if the movement of our vehicles is being monitored? How would that affect us personally? Well, the monitoring of our cars implies a huge probability that it´s not our vehicles per se which are under the microscope, but us. And while the tracking of our movement might not end us up arrested, interrogated, tortured or imprisoned tomorrow...it might in the future. As long as we are being monitored, we are all suspects and we may potentially be treated as any other offender who is suspected to have committed a crime. The current statutory omission in India to adequately regulate the use of traffic enforcement cameras, RFID tags, black boxes and other technologies used to track and monitor the movement of our vehicles can potentially violate our due process rights and infringe upon our right to privacy and other human rights. Thus, the collection, access, use, analysis, sharing and retention of data acquired through the monitoring of vehicles in India should be strictly regulated to ensure that we are not exposed to our defenceless control.

Maneuvering our monitoring

Nowadays, surveillance appears to be the quick-fix solution for everything related to public security; but that does not need to be the case.

Instead of installing red light cameras monitoring our cars´ movements and bombarding us with fines, other ´simple´ measures could be enforced in India, such as increasing the duration of the yellow light between the green and the red, re-timing lights so drivers will encounter fewer red ones or increasing the visibility distance of the traffic lights so that it is more likely for a driver to stop. Such measures should be enforced by governments, especially since the monitoring of our vehicles is not adequately justified.

Strict laws regulating the use of all technologies monitoring vehicles in India, whether red light cameras, RFID tags or black boxes, should be enacted now. Such regulations should clearly specify the terms of monitoring vehicles, as well as the conditions under which data can be collected, accessed, shared, used, processed and stored. The enactment of regulations on the monitoring of vehicles in India could minimize the potential for citizens´ due process rights to be breached, as well as to ensure that their right to privacy and other human rights are legally protected. This would just be another step towards preventing ubiquitous surveillance and if governments are interested in protecting their citizens´ human rights as they claim they do, then there is no debate on the necessity of regulating the monitoring of our vehicles. The question though which remains is:

Should we be monitored at all?

For more details visit https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes

Drawing maps for change

radha — 2011-04-04T06:49:53Z

Digital maps can hold immense academic value – an article by Deepa Kurup, The Hindu, 3rd Jan, 2010.

BANGALORE: The mash-up story is an old but compelling one, particularly when used for advocacy as in Tunisia where exile Sami Ben Gharbiais used a GoogleMaps mash-up to paint a different kind of landscape.
So random net surfers were startled to find the Tunisian map dotted with a string of prisoner’s names, their biographies, and videos of their family members telling the story of the human rights situation in the country.
Closer home, rights activist K. Ramnarayan is trying to do something similar. Using GPS and simple mapping technologies, Mr. Ramnarayan maps the location and extent of damage that will be created by proposed hydro-electric projects in Uttarakhand.

“We knew that many projects were announced. But it was only when we began mapping, we found that the 550-odd projects were concentrated in three valleys, and could potentially ruin all the State’s rivers,” he says.

Detailed perspectives

Mr. Ramnarayan believes that mapping technology can provide detailed perspectives, enable analysis — GPS devices are easy to use and collated data can be simply added as layers to existing maps — and create better awareness by sharing data online. Using the more accurate GIS mapping can also hold immense academic value.

It is this potential that “Maps for Change,” a collaborative project hosted by Bangalore-based Centre for Internet and Society (CIS) and Tactical Tech, endeavours to tap into. Anja Kovacs, a CIS fellow, believes maps are powerful, as they provide the larger picture. For instance, she says, news reports lead one to believe that protests against SEZs are isolated today. Now, put all those protests on a map, and you get the real picture! “Maps for Change” participants are involved in a slew of fascinating projects such as mapping land acquisition patterns in Bangalore, tribal displacement issues and dissident sexualities in Delhi.

Layer of information

So mapping is not a complex cartographer’s job anymore. With cheaper and more efficient GPS devices, in the market and on your cellphones, anybody can map. Pradeep B.V. of MapUnity.org, a site that lets you create your own map, says that ‘neogeographers’ are redefining online maps.

Neogeographers use available online maps such as Google MyMaps or Open Street Maps to add layers of information to a typical mashup.

GIS adds that critical layer of accuracy, and is essential in remote areas which are not mapped by these services. So you collect data (typically latitude, longitude and altitude information), mark your points of interest and upload this on a map, Mr. Pradeep explains.

Using attributes these simple maps can be used, accurately, to tell a story and document several layers of information.

Tracking changes
Say you wish to record access to health facilities in a backward district. A GPS device helps you collate info and create a ‘schema’ of data that can be uploaded directly to any mashup. Open source tools such as JUMP or UDIG can help you work easily with GIS datasets. The map can be interactive, you can track changes and can be as dynamic as you want it to be — for instance, you upload videos of health care facilities or highlight patches of social exclusion.

Link to the original article

For more details visit https://cis-india.org/news/drawing-maps-for-change

Draft nonsense

pranesh — 2012-12-03T09:08:10Z

Seriously flawed and dodgily drafted provisions in the IT Act provide the state a stick to beat its citizens with.

Pranesh Prakash's op-ed was published in the Times of India on November 24, 2012.

Section 66A of the Information Technology Act once again finds itself in the middle of a brewing storm. It has been used in cases ranging from the Mamata Banerjee cartoon case, the Aseem Trivedi case, the Karti Chidambaram case, the Chinmayi case, to the current Bal Thackeray-Facebook comments case. In all except the Karti Chidambaram case (which is actually a case of defamation where 's. 66A' is inapplicable), it was used in conjunction with another penal provision, showing that existing laws are more than adequate for regulation of online speech. That everything from online threats wishing sexual assault (the Chinmayi case) to harmless cartoons are sought to be covered under this should give one cause for concern. Importantly, this provision is cognisable (though bailable), meaning an arrest warrant isn't required. This makes it a favourite for those wishing to harass others into not speaking.

Section 66A prohibits the sending "by means of a computer resource or a communication device" certain kinds of messages. These messages are divided into three sub-parts : (a) anything that is "grossly offensive or has menacing character";(b) information known to be false for the purposes of "causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will" and is sent persistently;or (c) "for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages". This carries with it a punishment of up to three years in jail and a fine without an upper limit. As even non-lawyers can see, these are very broadly worded, with use of 'or' everywhere instead of 'and', and the punishment is excessive. The lawyers amongst the readers will note that while some of the words used are familiar from other laws (such as the Indian Penal Code), they are never used this loosely. And all should hopefully be able to conclude that large parts of section 66A are plainly unconstitutional.

If that is so obvious, how did we end up getting this law? We copied (and badly at that) from the UK. The sad part is that the modifications that were introduced while copying are the bits that cause the most trouble. The most noteworthy of these changes are the increase in term of punishment to 3 years (in the UK it's 6 months); the late introduction (on December 16, 2008 by A Raja) of sub-section (c), meant as an anti-spam provision, but covering everything in the world except spam;and the mangling up of sub-section (b) to become a witches brew of all the evil intentions in this world.

Further, we must recognise that our Constitution is much stronger when it comes to issues like free speech than the UK's unwritten constitution, and our high courts and Supreme Court have the power to strike down laws for being unconstitutional, unlike in the UK where Parliament reigns supreme. The most the courts can do there is accommodate the European Convention on Human Rights by 'reading down' laws rather than striking them down.

Lastly, even if we do decide to engage in policy-laundering, we need to do so intelligently. The way the government messed up section 66A should serve as a fine lesson on how not to do so. While one should fault the ministry of communications and IT for messing up the IT Act so badly, it is apparent that the law ministry deserves equal blame as well for being the sleeping partner in this deplorable joint venture. For instance, wrongfully accessing a computer to remove material which one believes can be used for defamation can be considered 'cyber-terrorism'. Where have all our fine legal drafters gone? In a meeting, former SEBI chairman M Damodaran noted how bad drafters make our policies seem far dumber than they are. We wouldn't be in this soup if we had good drafters who clearly understand the fundamental rights guaranteed by our constitution.

There are a great many things flawed in this unconstitutional provision, from the disproportionality of the punishment to the non-existence of the crime. The 2008 amendment to the IT Act was one of eight laws passed in 15 minutes without any debate in the 2008 winter session of Parliament. For far too long the Indian government has spoken about "multi-stakeholder" governance of the internet at international fora (meaning that civil society and industry must be seen as equal to governments when it comes to policymaking for the governance of the internet). It is about time we implemented multi-stakeholder internet governance domestically. The way to go forward in changing this would be to set up a multi-stakeholder body (including civil society and industry) which can remedy this and other ridiculously unconstitutional provisions of our IT Act.

For more details visit https://cis-india.org/internet-governance/blog/times-crest-pranesh-prakash-november-24-2012-draft-nonsense

Draft Law Would Prohibit Showing ‘Disputed Areas’ on Maps of India

subha — 2016-05-15T13:05:41Z

Maps that label geographic areas of conflict as “disputed” territories in India could put one behind bars for seven years with 1B Indian Rupees (US$15M) penalty if a recently proposed bill becomes law.

The article was published in Global Voices on May 11, 2016.

The controversial bill, also known as Geospatial Information Regulation Bill 2016 would make it illegal to “depict, disseminate, publish or distribute any wrong or false topographic information of India including international boundaries through internet platforms or online services or in any electronic or physical form.”

If approved, it could put large corporations like Google (with its Google map), free and open source projects like Wikipedia and Open Street Map, and several other organizations in trouble for showing areas of conflict as disputed. Pakistan-Occupied Kashmir (PoK) and Arunachal Pradesh near the China border are two well-known examples of such areas.

The Indian government ruled by Bharatiya Janata Party (BJP) under the leadership of Prime Minister Narendra Modi has been quite critical of the depiction of the PoK and China border in Arunachal Pradesh.

If passed in the parliament as law, it could prevent Indians and foreigners, government employees and people traveling in ships and aircrafts that are registered in India, to acquire geospatial imagery or data. To acquire such data, one needs to obtain permissions from the security vetting authority.

In recent years, the Indian government has targeted numerous foreign publications including Al Jazeera for showing distorted maps of India that excluded parts of the state of Jammu and Kashmir and even another state Arunachal Pradesh. While the bill does not explicitly mention these efforts, it seems to fall in line with these previous attempts to control the free flow of geospatial information.

A news article about the proposed bill published on the portal MediaNama explains how the potential law could affect map portals like Open Street Map and Google Maps, taxi, e-commerce and public safety sites and many other services that allow marking and sharing coordinates. “Most digital photographs contain location meta-data, and by sharing your photos online, you’re adding to a repository of data related to man-made phenomenon,” suggests the same article. Open data advocates also have published list of 25 different services, seven major news portals, and 14 nonprofits that would be affected if the bill is approved.

The Open Data community of India also has come up with a campaign “SaveTheMap” to draft a request to the government to not pass the bill. The draft request states:

Request for comments / suggestions on draft “The Geospatial Information Regulation Bill, 2016” To regulate the acquisition, dissemination, publication and distribution of geospatial information of India which is likely to affect the security, sovereignty and integrity of India, a draft “The Geospatial Information Regulation Bill, 2016” has been prepared. Copy of the draft “The Geospatial Information Regulation Bill, 2016” is attached herewith for comments/suggestions. The comments/suggestions on the draft Bill may be forwarded to the Joint Secretary (Internal Security-I), Ministry of Home Affairs, North Block, New Delhi at email id: jsis@nic.in within 30 days.

There has been a lot of discussion with hashtag #GeoSpatialBill and humorous comments on social media:

Many have already started tweeting with the hashtag #savethemap:

Twitter user Prasanto Roy explained the implications of geospatial bill for various companies including Google, Uber and Open street maps:

Here's what other experts have to say:

Arup. R writes in Geospatial World:

This Act needs to be dropped. In its attempt to cover all bases it has been made so broadband and all encompassing that it may actually impede the progress of work on Geospatial systems and therefore on key Government programmes and projects. The Act does not take into account the fact that with the advent of the Cloud, Data as a Service, Software as a Service and Platform as a Service there is no need for ‘persons’ to possess data. They can just access data, do their work and retain only the final results. This Act does not, in fact cannot, even begin to comprehend the paradigm shift in geospatial technologies which makes it a non-starter.

India does need a Geospatial Information Act, but it has to be an enabling and encouraging Act that makes for faster and better implementation of programmes, not a regressive and punitive Act as the proposed one.

Devdutta Tengshe writes about the overreaching ambit of Geospatial bill on Medium:

Worst of all, it (the bill) is trying to implement Security by Obscurity, which is expecting the country to become secure by hiding information from its citizens. This is dangerous, because the real mischief creators, be they terrorists, Foreign government agencies, or domestic criminals, will most likely have access to kind of data from foreign sources, and will not even think about getting permits and licenses from these Indian Authorities.

Cyber law expert Pavan Duggal told The Wire:

The draft legislation has the intrinsic problem that it has been given extra-territorial applicability in terms of jurisdiction. It is applicable to any person anywhere in the world. We have historically seen that such jurisdiction does not work well in practical terms. What if global players do not want to take your licence or subject themselves to your jurisdiction?

Duggal further spoke about how the law could impact the growth of e-commerce and m-commerce in India.

Under this law, Google Maps will be illegal without a licence, which means that all mobile or e-commerce applications working on Google Maps will also become illegal. The licence will also only be applicable to the concerned person. So if I am a taxi aggregator like Ola or Uber, I will have to get a separate licence over and above what Google Map has.

Indian Express calls the Geospatial bill a death note for Cartography:

The draft Geospatial Information Regulation Bill of 2016 is so perfectly ridiculous that one can only hope that it falls off the map before it can be tabled in the House. Publishers the world over have learned, to their bewildered amusement, that India censors maps of itself. Now, to strike fear into their anti-national gizzards, the government has invoked an official map censor, a babu-led organisation whose prior permission will be required to publish geospatial information, which is newspeak for maps. Failure to correctly depict the borders of India could attract a fine of up to Rs 100 crore, before the poor offending bozo is dragged away to the cooler for seven years. With this draft, the government has embarked on a journey without maps, which must rapidly become directionless.

Not the first time around?

Meanwhile, this clearly isn't the first time that services such as Google Maps have come under the federal scanner in India. In 2014, India's prime investigation agency Central Bureau of Investigation (CBI) had launched a probe into Google Maps’ irregularities in Mapathon 2013 and had accused the company of running the competition without procuring proper governmental permissions. But the agency had called off the case citing lack of ‘adequate evidence to corroborate the allegations’.

For more details visit https://cis-india.org/a2k/blogs/draft-law-would-prohibit-showing-2018disputed-areas2019-on-maps-of-india

Draft International Principles on Communications Surveillance and Human Rights

elonnai — 2013-07-12T15:55:45Z

These principles were developed by Privacy International and the Electronic Frontier Foundation and seek to define an international standard for the surveillance of communications. The Centre for Internet and Society has been contributing feedback to the principles.

The principles are still in draft form. The most recent version can be accessed here. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Our goal is that these principles will provide civil society groups, industry, and governments with a framework against which we can evaluate whether current or proposed surveillance laws and practices are consistent with human rights. We are concerned that governments are failing to develop legal frameworks to adhere to international human rights and adequately protect communications privacy, particularly in light of innovations in surveillance laws and techniques.

These principles are the outcome of a consultation with experts from civil society groups and industry across the world. It began with a meeting in Brussels in October 2012 to address shared concerns relating to the global expansion of government access to communications. Since the Brussels meeting we have conducted further consultations with international experts in communications surveillance law, policy and technology.[1]

We are now launching a global consultation on these principles. Please send us comments and suggestions by January 3rd 2013, by emailing rights (at) eff (dot) org.

Preamble
Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and association, and is recognised under international human rights law.[2] Activities that infringe on the right to privacy, including the surveillance of personal communications by public authorities, can only be justified where they are necessary for a legitimate aim, strictly proportionate, and prescribed by law.[3]

Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications generally limited access to personal communications by public authorities. In recent decades, those logistical barriers to mass surveillance have decreased significantly. The explosion of digital communications content and information about communications, or “communications metadata”, the falling cost of storing and mining large sets of data, and the commitment of personal content to third party service providers make surveillance possible at an unprecedented scale.[4]

While it is universally accepted that access to communications content must only occur in exceptional situations, the frequency with which public authorities are seeking access to information about an individual’s communications or use of electronic devices is rising dramatically—without adequate scrutiny. [5] When accessed and analysed, communications metadata may create a profile of an individual's private life, including medical conditions, political and religious viewpoints, interactions and interests, disclosing even greater detail than would be discernible from the content of a communication alone. [6] Despite this, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.

It is therefore necessary that governments, international organisations, civil society and private service providers articulate principles establishing the minimum necessary level of protection for digital communications and communications metadata (collectively "information") to match the goals articulated in international instruments on human rights— including a democratic society governed by the rule of law. The purpose of these principles is to:

Provide guidance for legislative changes and advancements related to communications and communications metadata to ensure that pervasive use of modern communications technology does not result in an erosion of privacy.
Establish appropriate safeguards to regulate access by public authorities (government agencies, departments, intelligence services or law enforcement agencies) to communications and communications metadata about an individual’s use of an electronic service or communication media.

We call on governments to establish stronger protections as required by their constitutions and human rights obligations, or as they recognize that technological changes or other factors require increased protection.

These principles focus primarily on rights to be asserted against state surveillance activities. We note that governments are required not only to respect human rights in their own conduct, but to protect and promote the human rights of individuals in general.[7] Companies are required to follow data protection rules and yet are also compelled to respond to lawful requests. Like other initiatives,[8] we hope to provide some clarity by providing the below principles on how state surveillance laws must protect human rights.

The Principles

Legality: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process

Legitimate Purpose: Laws should only allow access to communications or communications metadata by authorised public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.

Necessity: Laws allowing access to communications or communications metadata by authorised public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.

Adequacy: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.

Competent Authority: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.

Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should at a minimum establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.

Due process: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.[9]While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorisation by a competent authority, except when there is imminent risk of danger to human life. [10]

User notification: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.

Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations, and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.

Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at a minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. [11]

Integrity of communications and systems: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.

Safeguards for international cooperation: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.

Safeguards against illegitimate access: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.

Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.

Signatories

Organisations

Article 19 (International)
Bits of Freedom (Netherlands)
Center for Internet & Society India (CIS India)
Derechos Digitales (Chile)
Electronic Frontier Foundation (International)
Privacy International (International)
Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (Canada)
Statewatch (UK)

Individuals

Renata Avila, human rights lawyer (Guatemala)

Footnotes

[1]For more information about the background to these principles and the process undertaken, see https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance
[2]Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights, International Covenant on Civil and Political Rights Article 17; regional conventions including Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; Johannesburg Principles on National Security, Free Expression and Access to Information, Camden Principles on Freedom of Expression and Equality.
[3]Martin Scheinin, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” p11, available at http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf. See also General Comments No. 27, Adopted by The Human Rights Committee Under Article 40, Paragraph 4, Of The International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9, November 2, 1999, available at http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument.
[4]Communications metadata may include information about our identities (subscriber information, device information), interests, including medical conditions, political and religious viewpoints (websites visited, books and other materials read, watched or listened to, searches conducted, resources used), interactions (origins and destinations of communications, people interacted with, friends, family, acquaintances), location (places and times, proximities to others); in sum, logs of nearly every action in modern life, our mental states, interests, intentions, and our innermost thoughts.
[5]For example, in the United Kingdom alone, there are now approximately 500,000 requests for communications metadata every year, currently under a self-authorising regime for law enforcement agencies, who are able to authorise their own requests for access to information held by service providers. Meanwhile, data provided by Google’s Transparency reports shows that requests for user data from the U.S. alone rose from 8888 in 2010 to 12,271 in 2011.
[6]See as examples, a review of Sandy Petland’s work, ‘Reality Mining’, in MIT’s Technology Review, 2008, available at http://www2.technologyreview.com/article/409598/tr10-reality-mining/ and also see Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’, Communications of the ACM, Volume 47 Issue 3, March 2004, pages 77 - 82.
[7]Report of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, May 16 2011, available at http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf
[8]The Global Network Initiative establishes standards to help the ICT sector protect the privacy and free expression of their users. See http://www.globalnetworkinitiative.org/
[9]As defined by international and regional conventions mentioned above.
[10]Where judicial review is waived in such emergency cases, a warrant must be retroactively sought within 24 hours.
[11]One example of such a report is the US Wiretap report, published by the US Court service. Unfortunately this applies only to interception of communications, and not to access to communications metadata. See http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx. The UK Interception of Communications Commissioner publishes a report that includes some aggregate data but it is does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top.

For more details visit https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights