We are anonymous, we are legion

DoT Blocks Domain Sites — But Reasons and Authority Unclear

smita — 2012-11-21T10:03:39Z

Earlier this year, ISPs such as Airtel and MTNL blocked a number of domain sites including BuyDomains, Fabulous Domains and Sedo.co.uk. Whereas the Indian Government and courts have previously issued orders blocking websites, these actions have generally been attributed to issues such as posting of inflammatory content or piracy of copyrighted material. However, the reasoning behind blocking domain marketplaces such as the above mentioned sites is not clear.

These websites offer users various tools to buy and sell domain names and simplify the purchasing process. Users on India Broad Band forum and websites like Medianama reported that these domain sites were not accessible and the following message was displayed instead — "This website/URL has been blocked until further notice either pursuant to Court orders or on the Directions issued by the Department of Telecommunications".

.In Registry’s Anti-Abuse Policy

If the issue at hand is one of abusive registrations, it would fall under the .IN Domain Anti-abuse Policy adopted by the National Internet Exchange of India (NIXI) and the .in registry. This policy states that NIXI will have the right to "deny, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status" if necessary. This raises a question as to why the Department of Telecommunications (DoT) would issue directions to block these domain marketplaces instead of cancelling their registration or placing it on hold under the policies adopted by NIXI.

A second, more important question would be whether the DoT has the power to block websites or take action under NIXI’s anti-abuse policy. NIXI and the .in registry both work under the aegis of the Department of Electronics and Information Technology. In addition, the Information Technology Act, 2000 ("the IT Act") is the only legislation that provides the authority to block a website and this authority is bestowed upon the Secretary, Department of Information Technology.

Information Technology Act

Section 69-A of the IT Act authorizes the central government to issue directions/orders to block public access to any information generated, transmitted, received, stored or hosted in any computer resource i.e., block websites. Such orders can be issued if the authorized officer finds that it is necessary to do so in the India’s sovereign and national interests or in the interest of public order. These interests include defence, security of the state, friendly relations with foreign neighbours and preventing incitement to the commission of an offence.

The procedures and safeguards that are to be followed before issuing an order to block a website are detailed in the Information Technology (Procedure and Safeguards for blocking for access of information by public) Rules, 2009 ("the rules"). The rules provide that upon receiving a complaint, the concerned organization for the blocking of access to information shall examine the complaint to ensure that there is a need to take action under the reasons mentioned above. If such action is found necessary, a request if forwarded and a committee established as per the rules reviews any requests made to block access to any information. During this review, there is also provision for a notice and reply procedure. This allows for the person controlling the online publication of such information to appear before the committee and respond to the request or make any clarifications regarding the information.

The recommendations of the committee are then sent to the Secretary of the Department of Information Technology who further directs an agency of the government or the intermediary to block the relevant content/website. The rules also provide procedures for blocking access in case of an emergency and in cases where court orders directing the blocking of information have been issued.

Whereas the ideas of sovereign interest and public order are admittedly very broad, there is no clear explanation as to what actions of domain sites/marketplaces such as BuyDomain and sedo.co.uk would be considered to impinge upon either. Neither is there any information available regarding why the DoT considers this to be the case.

For more details visit https://cis-india.org/internet-governance/blog/dot-blocks-domain-sites

Dot Bharat domain to roll out on August 21

praskrishna — 2014-09-08T07:08:32Z

Web addresses are set to get multilingual in India. Soon you will be able to type in addresses in a web browser in the Devnagri script – with “dot bharat” standing in for the currently common “dot in” domain to begin with. The roll-out of the same begins on August 21.

This was originally published by IANS and mirrored in Firstpost on August 19, 2014. Sunil Abraham gave his inputs.

In the 90-day “sunrise period” of the roll-out those with registered trademarks will be able to register domain names in languages that use the Devnagri script, such as Hindi, Marathi, Boro, Dogri etc. After the sunrise period, it will be thrown open to regular users of the internet.

The National Internet Exchange of India (NIXI), an autonomous non-profit organisation, is responsible for peering of ISPs and routing the domestic traffic within the country. The NIXI and the government’s Centre for Development of Advanced Computing (C-DAC) have worked on enabling this country code top level domain (ccTLD) of dot bharat. They say more such domains in different scripts and languages will eventually follow.

Currently, one can find content in various languages online. However, the URLs or web addresses are in English. With this rollout, even URLs would be in Hindi or Marathi. “Once the sunrise period runs smoothly, we will introduce other languages in other scripts such as Bengali, Punjabi, Kannada, Telugu etc. There is no timeline set for it yet, but we hope there will be enough pressure with the adoption of the Devnagri domains to implement it soon,” says Mahesh Kulkarni, program coordinator at the C-DAC, heading the language technology group.

A few government websites too will be a part of the launch next week by the union minister of communications and information technology, Ravi Shankar Prasad. “For example, the pmindia dot gov dot in will be pradhanmantri dot sarkar dot bharat,” says Dr Govind, CEO of NIXI.

While some quarters have welcomed the introduction of the new domain, others are doubtful of its success given the low internet penetration and low literacy rate in the country. A June 2014 report from research firm eMarketer, India had the third largest online user-base globally after China and the US but had the lowest internet penetration growth in Asia Pacific at 17.4%. Osama Manzar, who heads the Digital Empowerment Foundation, suggests getting more people and public institutions online rolling out local language domain names.

“This is not a bad move, but I doubt and wonder if it will encourage people to buy domain names in Indian languages. Is it in sync with the national digital infrastructure? It is important that the government encourage every department and village panchayat to get online with a website along with this,” says Manzar.

Sahitya Akademi-winning Hindi writer Uday Prakash finds the Devnagri domain a welcome move, but stresses on the importance of making quality content in regional languages available online. “It’s a good step and will help those who are not comfortable with English. However, the problem remains that most of the content online is in English. If I search for Robin Williams in English, I will find hundreds of webpages. But if I google the same name in Devnagri, I’ll hardly find anything,” says Prakash.

On the other hand, there is also the view that the move towards a multilingual web need not follow a set path. “If a poor person buys a mobile phone before he build a toilet, who are we to judge? It is a market phenomenon. Like a jigsaw, some pieces of the puzzle may be worked out in advance. There are things like Indic input keyboards, text to speech and speech to text that need to be in place before an Indic language speaker can have the same experience as an English language user of the internet,” says Sunil Abraham, executive director of Bangalore-based research organization Center for Internet and Society.

In October 2013, the Internet Corporation for Assigned Names and Numbers (ICANN) delegated generic top level domains in Arabic, Chinese and Cyrillic scripts. This was under the Internationalized Domain Name (IDN) fast track process of the ICANN, which began in 2009, inviting requests from countries for territory names in scripts other than Latin. Meanwhile domestically, the union government has made a push for the use of local languages.

For more details visit https://cis-india.org/a2k/news/tech-first-post-dot-bharat-domain-to-roll-out-on-august-21

Don’t SLAPP free speech

sunil — 2013-02-28T11:22:09Z

IIPM is proving adept at the tactical use of lawsuits to stifle criticism, despite safeguards. THE DEPARTMENT of Telecommunications, on 14 February, issued orders to block certain web pages critical of the Indian Institute of Planning and Management (IIPM).

Sunil Abraham's column with inputs from Snehashish Ghosh was published in Tehelka on February 3, 2013 (Issue 9 Volume 10)

Despite our best efforts, we have not managed to get a copy of the court order. Meanwhile, there has been a lot of speculation among Internet policy experts on Twitter. What is the title of the case? Which judge issued the order? Who is the affected party? Why have mainstream media houses like Outlook not been served notice by the court? Is the infamous Section 66A of the IT Act to be blamed? That is highly unlikely. News reports suggest that a lower court in Gwalior has issued an ad interim injunction in a defamation suit. Most experts agree that this is a SLAPP (Strategic Litigation Against Public Participation) suit, where a company uses the cost of mounting a legal defence to silence critics.

Bullies with deep pockets use the law in very creative ways, such as forum shopping, forum shifting and the use of proxies. Forum shopping can be best understood through the example of mining giant Fomento suing Goan blogger Sebastian Rodrigues for $1 billion at the Kolkata High Court, even though Goa would have been a more logical location. Though IIPM lost an earlier case against Careers360 before the Uttaranchal High Court, the offending URLs from that case are included in the latest block order, exemplifying successful forum shifting. The doctrine of ‘res subjudice’ does not permit courts to proceed in a matter which is “directly and substantially” similar to a previous suit between the same parties. Proxies are usually employed to circumvent this procedural doctrine.

Article 19(2) of our Constitution empowers the State to create laws that place eight types (depending on how you count) of reasonable restrictions on the freedom of speech and expression. One of these reasonable restrictions is defamation. Tort law on defamation in India has been mostly borrowed from common law principles developed in the UK, which include a series of exceptions where the law cannot be used. In the present context, the exceptions important for the IIPM case include: fair and bona fide comment and matter of public interest. In addition, Section 499 of the Indian Penal Code provides for 10 exceptions to defamation. The exceptions relevant to this case are: “first: imputation of truth which public good requires to be made or published”, “ninth: imputation made in good faith by person for protection of his or other’s interests” and “tenth: caution intended for good of person to whom conveyed or for public good”. The criminal law on defamation in India is based on robust legal principles, but for the sake of public interest it’d be best to do away with such a law as it has far-reaching, chilling effects on free speech.

On interim injunctions in defamation suits, the Delhi High Court set an important precedent protecting free speech in 2011. While applying the English principle — the Bonnard Rule — the court in Tata Sons Pvt Ltd versus Greenpeace International held that a higher standard should be adhered to while granting an interim injunction in a defamation suit, because such an injunction might impinge upon freedom of expression and thus potentially be in violation of the Indian Constitution. This century-old rule states that “until it is clear that an alleged libel is untrue… the importance of leaving free speech unfetter – ed is a strong reason in cases of libel for dealing most cautiously and warily with the granting of interim injunctions…”

In the same case, the Court rejected the argument that since it was published online and thus had wider reach and greater permanence, an injunction should be granted. It observed that “publication is a comprehensive term, embracing all forms and mediums — including the Internet”, thus ruling out special treatment for the Inter net in cases of defamation. That is good news for free speech online in India. Now let’s stick to it.

For more details visit https://cis-india.org/internet-governance/blog/tehelka-sunil-abraham-feb-3-2013-dont-slap-free-speech

Don't Do Nothing. Take a Stand on Net Neutrality.

vishnu — 2015-05-08T14:11:23Z

Are you wondering what Net Neutrality is, and why the term has suddenly got so much attention in India among the Netizens? Do you need to be concerned about Net Neutrality? We will try to address these in this short post on Net Neutrality.

The blog post was published by NDTV on April 13, 2015.

First things first. Net Neutrality (or Network Neutrality) is a globally-accepted principle of keeping the Internet freedom intact. Now you may wonder who is threatening Internet freedom, or how that is even possible. Well, it is.

By who? Your Internet Service Provider (ISP). Some also use the term MISP, which means Mobile Internet Service Provider. How can they do it? By simply not treating the data on the Internet equally. Let's make it even simpler with an example. Imagine your cable network provider promises you access to ATV, BTV, CTV and DTV (of course we know you get 300+ channels!) and takes a monthly subscription fee. Now you have a favourite show on DTV that you have been watching for a year. Suddenly your cable network provider comes to some business arrangement with ATV (let's call it sharing revenues!) and starts tweaking his signal. So your DTV signal becomes faint and you keep getting frozen frames and breaking sounds, whereas the audio video quality of ATV is superb. Not only that, your channel numbers are automatically reset, and the channel number on which you used to watch DTV now is configured to ATV.

The same thing, when it happens in the Internet context, is called breaking Net Neutrality. That is, the ISP starts discriminating which App you can use better, which sites will stream video faster, and so on and so forth. So by breaking Net Neutrality, the ISPs, by joining hands with some big companies (content providers) will build walled Internet gardens within which your experience of the world wide web will be limited. The <www> will no more be "world wide web" but will be "walled within my web"!

Is this bad? Well, most of the Internet fraternity that believes in the unending freedom the Internet provides thinks so. For budding App makers, e-biz players, etc. it is quite a jolt. A large corporate player like Facebook can easily team up with ISPs and rob the level playing field to all these budding players. Because the ISPs can potentially discriminate against the budding players or newcomers, there is a fair chance that you are curtailing innovation and new entrepreneurship on the Internet. Well "make in India" may still happen, but with limited large players who could potentially cannibalize the Internet!

If you are a simple consumer of the Internet and not bothered about the business dynamics, the violation of net neutrality will affect you too. Definitely not in terms of increased Internet data pack prices. In fact, there is a fair chance that you will be given freebies like "Buy this Internet Data Pack and you will get 3 months free of Facebook usage". However, in the bargain, over the long run, we all will lose out on something precious that money cannot always buy, something that is considered inherent to the Internet ... the FREEDOM to choose and the FREEDOM to express.

Let's look at the other side of the coin. Why is it that the ISPs want to do this? They have realized that some data providers (those who build Apps, websites, etc.) are making quite a big buck and they want a share of that profit, because they need to meet their large infrastructural costs that they have incurred in setting up towers, cables, etc. They are bleeding, they say, and need to find sustainable business models. They do not want to burden the consumer by increasing the data charges and this is an ingenious way of making their business sustainable. Win-win scenario, only at the cost of Freedom. To hell with Freedom, we give you Internet for FREE!

To deal with this issue effectively, Telecom Regulatory Authority of India (TRAI) has put out a consultation paper called Regulatory Framework for Over-the-top (OTT) services for feedback from stakeholders. It's available here. If you use the Internet in India (either on mobile or on a system) then you too are a stakeholder. We hope that this post will help you to participate in the consultation process.

For more details visit https://cis-india.org/internet-governance/blog/ndtv-t-vishnu-vardhan-dont-do-nothing-take-a-stand-on-net-neutrality

Don't dive headlong into money-making schemes on the internet

praskrishna — 2017-02-07T15:02:24Z

If you do fall victim to fraud, file your complaint at RBI's Sachet web site.

The article by Sanjay Kumar Singh was published in the Business Standard on February 7, 2017. Udbhav Tiwari was quoted.

By now you have surely read the news about a Noida-based company called Ablaze Info Solutions, which is said to have defrauded about 700,000 people of Rs 3,700 crore. In this scheme, participants first had to pay a substantial subscription fee to join it, after which they were compensated for clicking on links. There were also incentives for bringing in other members, which made it akin to a multi-level marketing (MLM) scheme. Experts advise that investors should do the due diligence before putting their money in such schemes. According to cyber experts, this scheme took off because the activity it was pursuing was a legitimate one per se. There is an entire industry on the Internet, wherein you can earn money by clicking on links: This improves the traffic on websites and allows them to demand higher advertising rates. Many websites outsource the task of improving traffic to third parties, which in turn recruit people in countries like India for the task. You can also earn money through activities like filling up forms, answering surveys, etc.

The mistake participants made in this case was to join the scheme without exploring other options. "Many players would have offered a similar level of compensation without demanding a subscription fee. Moreover, the very fact that the company was demanding a substantial subscription fee should have made people suspicious," says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru. Before participating in such money-making schemes, spend time doing a detailed background check of the company's credentials, especially if the promised returns are realistic or not. "If the return offered by the company is high compared to the market rates of return, or the company is new, you should be extra cautious. Check various blogs and forums on the internet for possible complaints against the company and its key stakeholders," says Mukul Shrivastava, partner, fraud investigation and dispute services, EY India.

If you join such a programme, be warned the moment the company defaults on payments, delays them, or avoids your queries. Stop all interactions with it and lodge a complaint with the police. If the company had used forged documents, especially the ones claiming that the scheme had the approval of a regulator like Sebi, submit them.

You can also file a complaint at Sachet, a website set up by the Reserve Bank of India (see box). Another option is to contact the Serious Fraud Investigation Office (SFIO) under the Ministry of Corporate Affairs. As the police take up a case usually when many complaints pour in against an entity, motivate other victims to complain, too. The state fights the case on your behalf. Your task after complaining is to cooperate with the investigation and depose in court. Nowadays victims can be compensated under the Criminal Procedure Code as well. They also have the option to file a civil suit for recovering their money.

Finally, there is a need for new laws to tackle online frauds. "There is a gap both in terms of legislation and effective enforcement. We only have a central 1978 Act for Prize Chits and allied rules in states, which need to be updated," says Nishant Joshi, partner, Shardul Amarchand Mangaldas.

Word box
Turn to Sachet

RBI has launched a website, sachet.rbi.org.in, where you can complain if you have been cheated by an entity that has illegally collected money from you
The website also provides information on legitimate entities that are authorised to collect money
Many regulators and enforcement agencies take up the complaints filed on this site
Investors don’t have to know the regulator under whose jurisdiction the company they want to complain against falls
You will get an email informing you about the regulator/entity that will take up your case

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet

Don't blindly forward WhatsApp messages. You could be sued

Admin — 2018-05-31T23:49:19Z

Never before in Bengaluru has the Internet and social media taken such a vicious and violent turn as it did last week.

The article by Rajitha Menon and Surupasree Sarmmah was published in the Deccan Herald on May 29, 2018.

A fake Whatsapp message that went viral has led to the death of a man in Chamarajpet. But Bengaluru is not alone. In the recent past many have been lynched in Andhra Pradesh, Telangana, Tamil Nadu, Uttarakhand, Jharkhand and Hyderabad over rumours and fake videos.

In tech-savvy Bengaluru, a 26-year old man was beaten to death in Chamarajpet by a mob that mistook him for a kidnapper. "The big problem is that for a large part of India, WhatsApp is the first exposure to the Internet. What they see there becomes news; people don't do a critical analysis of what comes their way," says Swaraj Barooah, senior programme manager, Centre for Internet & Society, Bengaluru.

What are the legal implications of forwarding fake WhatsApp news? "It's a grey area in terms of current regulation," he says.

However, he advises caution: don't circulate messages you can't vouch for.

MT Nanaiah, senior advocate says, "If a message is intended to harm a person's reputation, it might come under the purview of the Indian Penal Code Section 499 A, which defines defamation and Section 500, which defines the punishment."

Defamation can attract a punishment of up to two years in jail and a fine. Victims of fake forwards can also sue for damage, he says.

In Varanasi, district officials are holding WhatsApp admins responsible for fake news, and issued guidelines.

"I think the courts have been doing a flip-flop on this. I am not sure but the legal validity is weak to hold admins responsible for what happens in the group," notes Barooah.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-rajitha-menon-surupasree-sarmmah-dont-blindly-forward-whatsapp-messages-you-could-be-sued

Doing Standpoint Theory

Ambika Tandon and Aayush Rathi — 2019-09-19T14:22:48Z

Feminist research methodology has evolved from different epistemologies, with several different schools of thought. Some of the more popular ones are feminist standpoint theory, feminist empiricism, and feminist relativism.

The article by Ambika Tandon and Aayush Rathi was published by GenderIT.org on September 1, 2019.

Standpoint theory holds the experiences of the marginalised as the source of ‘truth’ about structures of oppression, which is silenced by traditional objectivist research methods as they produce knowledge from the standpoint of voices in positions of power2. Feminist empiricism does not eschew traditional modes of knowledge production, but emphasises diversity of research participants for feminist (and therefore also rigorous) knowledge production3. Relativists have critiqued standpoint theory for its tendency to essentialise the experience of marginalised groups, and subsume them into one homogenous voice to achieve the goal of ‘emancipatory’ research4. Relativists instead focus on multiple standpoints, which could be Dalit women, lesbian women, or women with disabilities5. We will be discussing the practical applicability of these epistemologies to research practices in the field of technology and gender.

As part of the Feminist Internet Research Network, the Centre for Internet and Society is undertaking research on the digital mediation of domestic and care work in India. The project aims to assess shifts in the sector, including conditions of work, brought on by the entry of digital platforms. Our starting point for designing a methodology for the research was standpoint theory, which we thought to be the best fit as the goal of the project was to disrupt dominant narratives of women’s labour in relation to platformisation. In the context of dalit feminis, Rege warns that standpoint research risks producing a narrow frame of identity politics, although it is critical to pay attention to lived experience and the “naming of difference” between dalit women and savarna women6. She asserts that neither ‘women’ nor ‘dalit women’ is a homogenous category. While feminist researchers from outside these categories cannot claim to “speak for” those within, they can “reinvent” themselves as dalit feminists and ally themselves with their politics.

In order to address this risk of appropriating the voices of domestic workers (“speaking for”), we chose to directly work with a domestic workers’ union in Bengaluru called Stree Jagruti Smiti. Bengaluru is one of the two cities we are conducting research in (the other being Delhi, with very few registered unions). This is meant to radically destabilise power hierarchies and material relations within the research process, as benefits of participatory research tend to accumulate with the researchers rather than participants7.

Along with amplifying the voices of workers, a central objective of our project is to question the techno-solutionism that has accompanied the entry of digital platforms into the domestic work sector, which is unorganised and unregulated. To do so, we included companies and state labour departments as participants whose standpoint is to be interrogated. By juxtaposing the standpoints of stakeholders that have differential access to power and resources, the researcher is able to surface various conflicts and intersections in dominant and alternative narratives. This form of research also brings with it unique challenges, as researchers could find themselves mediating between the different stakeholders, while constantly choosing to privilege the standpoint of the least powerful - in this case the workers. Self-reflexivity then becomes necessary to ensure that the project does not slip into an absolutely relativist position, rather using the narratives of workers to challenge those of governments and private actors. This can also be done by ensuring that workers have agency to shape the agenda of researchers, thereby producing research which is instrumental in supporting grassroots campaigns and movements.

Self-reflexivity then becomes necessary to ensure that the project does not slip into an absolutely relativist position, rather using the narratives of workers to challenge those of governments and private actors.

Feminist participatory research itself, despite its many promises, is not a linear pathway to empowerment for participants8. At the very outset of the project, we were constantly asked the question by domestic workers and unions – why should we participate in this project? Researchers, in their experience, acquire information from the community throughout the process of data collection by positioning themselves as allies. However, as all such engagements are bound to limited timelines and budgets, researchers are then often absent at critical junctures where the community may need external support. We were also told that all too often, the output of the research itself does not make its way back to the participants, making it a one-way process of knowledge extraction. Being mindful of these experiences, we have integrated a feedback loop into our research design, which will allow us to design outputs that are accessible and useful to collectives of domestic workers.

Not only domestic workers and their organisations, many corporations operating these online portals and platforms often questioned the benefits of participating in the project. However, the manner of articulation differed. While attempting to reject the hierarchical nature of the researcher/participant relationship, we increasingly became aware that the underlying power equation was not a monolith. Rather, it varied across stakeholder groups and was explicitly contingent on the socially constructed positionalities already existing outside of the space of the interview. Companies, governments and workers all exemplified varying degrees of engagement with, knowledge of, and contributions to research. Interviews with workers and unions, and even some bootstrapped (i.e. without much external funding) , socially-minded companies, were often cathartic with an expectation of some benefits in return for opening themselves up to researchers. This was quite different for governments and larger companies, as conversations typically adhered to the patriarchal and classed notions of professionalism in sanitised, formal spaces9 and the strict dichotomy between public and personal spaces. Their contribution seemingly required lesser affective engagement from the interviewee, thereby resulting in lesser investment in the outcome of the research itself.

The cathartic nature of interviews also speak to the impossibility of the distanced, Platonic, school of research. We were often asked politically charged questions, our advice solicited and information sought. Workers and representatives from platform companies alike would question our motivations with the research and challenge us by inquiring about the benefits accruing to us. Again, both set of stakeholders would often ask differently about how other platforms were; workers already registered on a platform would wonder if another platform would be ‘better’ and representatives of platform companies would be curious about competition. This is perhaps a consequence of attempting to design a study that is of use and of interest to the workers we have been reaching out to.10 At times, we found ourselves at a place in the conversation where we were compelled to respond to political positions for the conversation to continue. There were interviews where notions of caste hierarchies (within oppressed classes) as a justification/complaint for engaging/having to engage in certain tasks would surface. Despite being beholden to a feminist consciousness that disregards the idea of the interviewer as neutral, we often found ourselves only hesitantly forthcoming. At times, it was to keep the interview broadly focused around the research subject, at others it was due to our own ignorance about the research artefact (in this instance, platforms mediating domestic work services). This underscores the challenges of seeing the interview as a value ridden space, where the contradictions between the interview as a data collection method and as a consciousness raising emerged - how could we share information about the artefact we were in the process of collecting data about?

We were often asked politically charged questions, our advice solicited and information sought.

The fostering of ‘rapport’11 has made its may into method, almost unknowingly. Often, respondents across stakeholder groups started from an initial place of hesitation, sometimes even suspicion. Several structural issues could be at work here - our inability in being able to accurately describe research itself, the class differences and at times, ideological ones as well. While with most participants, rapport was eventually established, its establishment was a laboured process. Especially given that we were using one-off, in-depth interviews as our method, securing an interview was contingent on the establishment of rapport. This isn’t to suggest that feminist research mandatorily requires the ‘doing of rapport’12, but that when it does, it’s a fortunate outcome and that feminist researchers engage with it more critically.

Building rapport creates an impression of having minimised the exploitation of the participant, however the underlying politics and pressures of building rapport need to be interrogated. Rapport, like research itself, is at times a performance; rapport is often not naturally occuring. Rather, rapport may also be built to conceal the very structural factors preventing it. For instance, during instances of ideological differences during the interview, we were at times complicit through our silence. This may have been to further a certain notion of ‘objectivity’ itself whereby the building and maintenance of rapport is essential to surfacing a participant’s real views. This then raises the questions: What are the ethical questions that the suppression of certain viewpoints and reactions pose? How does the building, maintenance and continuance of rapport inform the research findings? Rapport, then, comes in all shapes and sizes and its manifold forms implicate the research process differently. Another critical question to be addressed is - why does some rapport take less work than others? With platform companies, building rapport came by easier than it did with workers both on and off platforms. If understood as removing degrees of distance between the researcher and participants, several factors could play into the effort required to build rapport. For instance, language was a critical determinant of the ease of relationship-building. Being more fluent in English than in colloquial Hindi enabled clearer articulation of the research. Further, familiarity with the research process was, as expected, mediated along class lines. This influenced the manner in which we articulated research outcomes and objectives to workers with complete unfamiliarity with the meaning of research. Among workers, this unfamiliarity often resulted in distrust, which required the underlying politics of the research to be more critically articulated.

By and large, the feminist engagement with research methods has been quite successful in its resistance and transformation of traditional forms. Since Oakley’s conception of the interview as a deeply subjective space13 and Harding’s dialectical conception of masculinist science through its history14, the application of feminist critical theory has increasingly subverted assumptions around the averseness of research to political motivations. At the same time, it has made knowledge-production occur in a more equitable space. It is in this context that standpoint theory has had wide purchase, but challenges persist in its application. As the foregoing discussion outlines, we have been able to achieve some of the goals of feminist standpoint research while missing out on others. We also found the ‘multiple standpoints’ approach of relativists to be useful in a project involving multiple stakeholders - thereby also avoiding the risk of essentialisation of the identities of domestic workers. However, unlike the tendency of relativists to focus on each perspective as ‘equally valid truth’, we are choosing to focus on the conflicts and intersections between emerging discourses. Through this hybrid theoretical framework, we are seeking to make knowledge production more equitable. At the same time, the discussion around rapport shows that this may nevertheless happen in a limited fashion. Feminist research may never be fully non-extractive. The reflexivity exercised and choices made during the course of the research are key.

Unlike the tendency of relativists to focus on each perspective as ‘equally valid truth’, we are choosing to focus on the conflicts and intersections between emerging discourses.

The names of the authors are in alphabetical order.

Harding, S. (2003) The Feminist Standpoint Theory Reader: Intellectual and Political Controversies, Routledge.

M. Wickramasinghe, Feminist Research Methodology: Making meaning out of meaning-making, Zubaan, 2014

Pease, D. (2000) Researching profeminist men's narratives: participatory methodologies in a postmodern frame. In B. Fawcett, D. Featherstone, J. Fook ll)'ld A. Rossiter (eds) Restarching and Practising in Social Work: Postmodern Feminist Perspectives (London: Routledge).

Stanley, L. and Wise, S. (1983) Breaking Out: Feminist Consciousness and Feminist Research (London: Routledge and Kegan Paul).

Rege, S. 1998. ” Dalit Women Talk Differently: A critique of ‘Difference’ and Towards a Dalit Feminist Standpoint.” Economic and Political Weekly, Vol. 33, No.44, pp 39-48.

Heeks, R. and Shekhar, S. (2018) An Applied Data Justice Framework: Analysing Datafication and Marginalised Communities in Cities of the Global South. Working Paper Series, Centre for Development Informatics, University of Manchester.

Stone, E. and Priestley, M. (1996) Parasites, pawn and partners: disability research and the role of nondisabled researchers. British Journal of Sociology, 47(4), 699-716.

Evans, L. (2010). Professionalism, professionality and the development of education professionals. Br. J. Educ. Stud. 56, 20–38. doi:10.1111/j.1467-8527.2007.00392.x

Webb C. Feminist methodology in nursing research. J Adv Nurs. 1984 May;9(3):249-56.

Berger, R. (2015). Now I see it, now I don’t: researcher’s position and reflexivity in qualitative research. Qual. Res. 15, 219–234. doi:10.1177/1468794112468475; Pitts, M. J., and Miller-Day, M. (2007). Upward turning points and positive rapport development across time in researcher-participant relationships. Qual. Res. 7, 177–201. doi:10.1177/1468794107071409

Dunscombe, J., and Jessop, J. (2002). “Doing rapport, and the ethics of ’faking friendship’,” in Ethics in Qualitative Research, eds T. Miller, M. Birch, M. Mauthner, and J. Jessop (London: SAGE), 108–121.

Oakley, A. (1981). “Interviewing women: a contradiction in terms?” in Doing Feminist Research, ed. H. Roberts (London: Routledge and Kegan Paul), 30–61.

Harding, S. (1986). The Science Question in Feminism. Ithaca: Cornell University Press.

For more details visit https://cis-india.org/internet-governance/blog/ambika-tandon-and-aayush-rathi-gender-it-september-1-2019-doing-standpoint-theory

Does this click with you?

praskrishna — 2015-09-27T10:07:00Z

While the web caters to customers who purchase basic lifestyle products, the app is ideal to make impulsive shopping decisions.

The article by Parshathy J. Nath was published in the Hindu on September 1, 2015. Sunil Abraham was quoted.

Netizens were caught by surprise when online retail giant Flipkart announced that they were going the app-only way. Some grumbled and a few rejoiced. There were debates on its pros and cons. However, a few days ago, Flipkart revoked the decision because it wanted to assess the impact of this move on sales in big-ticket categories. But the debate continues.

Bangalore-based techie Diljeet Kaur feels the app makes shopping a lot easier. “I shop on the app for everything — from mobile chargers, laptop, mobile covers and kitchen appliances to books and even water bottles. In case I am not happy, I click on the return option. They call up immediately, pick up the item within 48 hours and refund the amount to my account. What more can one ask for?”

Rachna Binani, who owns a toy store in Madurai, also says shopping has become faster with the app. “A mobile phone is with you for 18 hours a day. But, you can’t lug a laptop around everywhere you go.” Prasannan B., an HR General Manager in Madurai, agrees. “A year ago, I would not have chosen a mobile app over a website, because it was not as advanced. But, now things have changed.”

But, some prefer the website to the app. Like Paulami Guha Biswas, an avid online book shopper from Hyderabad, who says, “Browsing becomes difficult when you are shopping through an app. On a website, you can open multiple tabs and compare prices and discount rates in peace. The screen is also bigger.”

While the web caters to customers who purchase basic lifestyle products, the app is ideal to make impulsive shopping decisions. Says Jaishree S. Santhosh, CEO of a Coimbatore-based educational institution, “I prefer to do random window shopping through a website and stick to apps when it comes to my regular Flipkart and Amazon shopping. Because when I use apps, I need to log in and share my personal information. I would prefer to do that only with two or three sites and not every virtual shopping platform.”

However, apps are redefining our shopping culture and experience. With efficient data-tracking systems, these apps record the customer’s buys. “The app keeps throwing images of products that interest you, based on your purchase history. This can be a little creepy at times,” says Jaishree. “It seems like it can read your mind. I do not like it getting too personal with me. Moreover, it tempts me to buy things that I otherwise would not have thought of buying.”

The personalised shopping experience can be both a boon and bane. According to Sunil Abraham, Executive Director of the Centre for Internet and Society, a Bangalore-based research organisation, “It is a terrible development from the perspective of the online user’s rights. Apps violate user privacy. Moreover, they waste your phone’s memory, storage and battery.”

Even though mobiles and apps are popular among the youth, young entrepreneurs from the online world are still hesitant to venture into the app domain. Nilisha Bhimani, a 28-year-old online entrepreneur who runs www.stayfabulous.com, says she cannot even imagine making her portal app-only. “Mine is a fashion portal. And with fashion shopping, one would want to open multiple windows and compare products. It is difficult to do this on our phones.”

However, Nilisha thinks that it is a good move from Flipkart to have sparked off this debate. “It sounds like a well-thought-out strategy. More so, since surveys point out that there are increasingly more people doing mobile transactions.”

According to an article published in Business Insider on August 24, a study conducted by Internet & Mobile Association of India and KPMG found out that India is projected to have 236 million mobile Internet users by 2016. Flipkart’s move could be a response to the large influx of smart phones into the Indian mobile market, feels Ashish Jhalani, founder of eTailing India, an e-commerce knowledge platform and advisory. “We will be the second-largest smartphone market in the world soon, but that does not mean we are ready for an app-only strategy. Our consumer base is still getting used to shopping online and to ask them to use only one interface to shop is a little premature. I believe, in the long term, this strategy will work, but there is still some time for that.”

And, how will elders in the society, who also constitute a large section of online customers, cope with change? Suchi Dalmia, a business woman from Coimbatore, says that even though her mother shops online, she is still not comfortable with it. “And on top of it, if we open up an app-only shopping system, it is going to hit her hard. A retail giant like Flipkart stands the risk of losing a big chunk of their clientele with this move.”

(With inputs from Soma Basu, Shilpa Sebastian R. and Nikhil Varma)

For more details visit https://cis-india.org/internet-governance/news/the-hindu-september-1-2015-parshathy-nath-does-this-click-with-you

Does the UID Reflect India?

elonnai — 2012-03-22T05:45:32Z

On December 17th the Campaign for No UID held a press conference and public meeting in Bangalore. Below is a summary and analysis of the events.

Introduction

Scientifically speaking, we are each unique. We have unique bodies and minds, and these give rise to unique understandings, interactions, and perceptions. Despite being unique, we can be put into different categories and classes, one of which is a culture. A culture is defined by its values, which are reflected in its legal system. Consequently legal systems are always changing – bills are constantly being amended, passed, and retracted in order to make the governing legal structure reflect the ethos of that society. Thus, when analyzing a piece of legislation it is important to ask if that bill is meaningful in a way that reflects the ideas, values, attitudes, and expectations that a society has. This is the question that Usha Ramanathan, Mathew Thomas, and others in the Campaign for No UID have been asking about the UID project, and urged the public to ask the same question in the press conference and public meeting held on the 17th of December. According to the Campaign for No UID, the project and Bill fail to reflect and meet the current needs that exist in India. The UID Bill, the proposed legislation for the project, authorizes the creation of a centralized database of unique identification numbers that are to be issued to every resident of India. The numbers will act as identity. Recently, the Bill was sent to the Parliamentary Standing Committee on Finance, and is scheduled to be enacted in early 2011. The UID project is attempting to create a technological solution to the identification problem in India. It is well-known that India faces challenges in identifying its citizens and residents. Individuals either have no identification – restricting their access to society and benefits -- or, in some cases, they have multiple identities, therefore taking advantage of society at the expense of others, or a person does not have any identification – therefore escaping civil duties. The confusing identity system that exists in India has many negative drawbacks including the facilitation of corruption, illegal immigration, and possible security threats. The UID project attempts to provide a system of identity that is based on individuals’ biometrics, and that places the whole of India on a grid through the issuance of 12 digit Aadhaar numbers. The Campaign for NO UID does not deny the need for an efficient identity system, is not against technology, and does not deny that the current identity system has problems. Instead, it believes that the project does not adequately address the issues at hand, while at the same time creating a real prospect of harmful ramifications.

Benefits for the Poor

Though the UID project only gives identity to an individual, it has been envisioned as a means of ensuring the delivery of benefits to the poor. According to the World Bank, within India 41% of the population lives below the poverty line, and targeting the need to ensure benefits for the poor is an appropriate vision. Furthermore, as reflected in the Right to Food Act, there is a cultural understanding and expectation that the State needs to work to bring benefits to the poor. The point that Ms. Ramanathan draws attention to, though, is that the goal of bringing benefits to the poor is just a vision. The project and the Bill are not structured in a way that guarantee benefits to the poor. Instead, by trying to include the perception of this benefit, the language of the Bill has become too broad. The wide-sweeping language allows room for abuse of how information that is collected will be used.

Appropriate Methodology

Ms. Ramanathan also questions the methodology of the UID project. The collection of biometrics is not an absolute insurer of identity, in the way that DNA would be. A person’s biometrics are in fact very public. They are left on anything one touches, and can easily be reproduced for use by others. Identity theft is thus easily accomplished if biometrics are the only safeguard. Realistically, the vast majority of India’s population would not know what to do or how to seek redress if identities were stolen – indeed, many would not even be aware of the fact that their identity had been stolen. Thus, the project establishes a hierarchy of vulnerability. Those who understand and have access to technology and the legal system are better able to protect their identity (or abuse another’s), and the rest of the population is at the mercy of the people who possess that knowledge and those connections.

Legal Questions

Ms. Ramanathan also brought up a few legal issues with the UID Bill. Most importantly she pointed out that the UID project is not legal, yet enrollment of individuals has been taking place. Not only is this action undemocratic, but it is presumptuous of the UIDAI to assume that their project will have legal validity. Another legal issue raised by Ms. Ramanathan was in concern with the compulsory nature of the Aadhaar number. Legally the UID Bill does not make the Aadhaar number compulsory. Instead, the project is structured in such a way that the UID number is socially compulsory. Ms. Ramanathan argues that this is unfair of the UIDAI. If the number were to be truly voluntary, the UID would need to include clauses that prohibit the denial of goods, services, entitlements and benefits for lack of a UID number. An individual would need to be able to access benefits with alternative forms of identification before the Aadhaar number would be truly voluntary.

Does India Comprehend what the UID Could Bring?

Another fear voiced by Mrs. Ramanathan in her presentation was the level of public comprehension. Even though the project will touch the lives of every human being who comes to India, the majority of the Indian population has not thought through why they support or do not support the project, and most do not comprehend the dangerous implications of the UID project. Connections are not being made and clearly publicized about how the project could be used in the future. For example, once everyone has a set of personal data that is uploaded on a centralized database, there is a new concern over that data. What is happening to it, who is using it, what is it being used for, who is seeing it, who is analyzing it, what happens if that data is lost? One of the serious implications of the project is its’ threat to anonymity. Anonymity results when the personal identity, or personally identifiable information of a person is not known. Anonymity already exists today in Indian society by default.. This will change, though, with the UID. One’s body will become a traceable marker that will be readily identifiable to law enforcement and other agencies. By issuing numbers to each person, that will be used for every transaction – it will be possible to create a map of the population and tag information about individuals in a way that changes the relationship between the state and the people. Though it is true India could benefit from a lesser degree of anonymity. For instance corruption might be easier to control. The Bill takes no steps, though, to ensure under what conditions anonymity will be preserved. Thus, the project has the potential to be widely misused for intensive surveillance and the policing of populations – not just for illegal activity but for disfavored or unpopular activity as well.

Conclusion

One way to avoid the misuse of data is through the adherence to privacy standards such as how data should be processed, transferred etc. India does not of yet have such a privacy law, and such principles are not reflected in the text of the Bill itself. The fact that the UID bill and project bring into focus principles that are not yet fully reflected in the social and legal framework of society can be problematic. On one hand this Bill can push India to adopt those principles, in which case a data protection and privacy bill must be enacted, and awareness must be raised. On the other hand, the Bill can simply overshadow the populace, allowing significant violations of privacy and anonymity to take place with no assurance of redress. As Ms. Ramanathan noted, even though the project is not reflective of Indian society, the way in which the project is being marketed is. The project has been tied to the image of Nandan Nilekani, and the message is clear: the project must be good. The Campaign for No UID is asking the public to look beyond the face of the project, and consider whether or not this is the India they imagine.

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india

Does the Safe-Harbor Program Adequately Address Third Parties Online?

rebecca — 2011-08-02T07:19:34Z

While many citizens outside of the US and EU benefit from the data privacy provisions the Safe Harbor Program, it remains unclear how successfully the program can govern privacy practices when third-parties continue to gain more rights over personal data. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem.

To date, the EU-US Safe Harbor Program leads in governing the complex and multi-directional flows of personal information online. As commerce began to thrive in the online context, the European Union was faced with the challenge of ensuring that personal information exchanged through online services were granted levels of protect on par with provisions set out in EU privacy law. This was important, notably as the piecemeal and sectoral approach to privacy legislation in the United states was deemed incompatible with the EU approach. While the Safe Harbor program did not aim to protect the privacy of citizens outside of the European Union per say, the program has in practice set minimum standards for online data privacy due to the international success of American online services.

While many citizens outside of the US and EU benefit from the Safe Harbor Program, it remains unclear how successful the program will be in an online ecosystem where third-parties are being granted increasingly more rights over the data they receive from first parties. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem. First, I will argue that the safe harbor program does not do enough to ensure that participants are held reasonably responsible third party privacy practices. Second, I will argue that the information asymmetries created between first party sites, citizens, and governance bodies vis-à-vis third parties obscures the application of the Safe Harbor Model.

The EU-US Safe-Harbor Agreement

In 1995, and based on earlier OECD guidelines, the EU Data Directive on the “protection of individuals with regard to the processing of personal data and the free movement of such data” was passed [1]. The original purpose of the EU Privacy Directive was not only to increase privacy protection within the European Union, but to also promote trade liberalization and a single integrated market in the EU. After the Data Directive was passed, each member state of the EU incorporated the principles of the directive into national laws accordingly.

While the Directive was successful in harmonizing data privacy in the European Union, it also embodied extraterritorial provisions, giving in reach beyond the EU. Article 25 of the Directive states that the EU commission may ban data transfers to third countries that do not ensure “an adequate level of protect’ of data privacy rights [2]. Also, Article 26 of the Directive, expanding on Article 25, states that personal data cannot be transferred to a country that “does not ensure an adequate level of protection” if the data controller does not enter into a contract that adduces adequate privacy safeguards [3].

In light of the increased occurrence of cross-border information flows, the Data Directive itself was not effective enough to ensure that privacy principles were enforced outside of the EU. Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law. Therefor, the EU-US Safe-Harbor was established by the EU Council and the US Department of Commerce as a way of mending the variant levels of privacy protection set out in these jurisdictions, while also promoting online commerce.

Social Networking Sites and the Safe-Harbor Principles

The case of social networking sites exemplifies the ease with which data is transferred, processed, and stored between jurisdictionas. While many of the top social networking sites are registered American entities, they continue to attract users not only from the EU, but also internationally. In agreement to the EU law, many social networking sites, including LinkedIn, Facebook, Myspace, and Bebo, now adhere to the principles of the program. The enforcement of the Safe Harbor takes place in the United States in accordance with U.S. law and relies, to a great degree, on enforcement by the private sector. TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor program among social networking sites.

Drawing broadly on the principles embodied within the EU Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor were developed. These principles include Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity and Enforcement. The principle of “Notice” sets out that organizations must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it disclosures the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

“Choice” ensures that individuals have the opportunity to choose to opt out whether their personal information is disclosed to a third party, and to ensure that information is not used for purposes incompatible with the purposes for which it was originally collected. The “Onward Transfer” principle ensures that third parties receiving information subscribes to the Safe Harbor principles, is subject to the Directive, or enters into a written agreement which requires that the third party provide at least the same level of privacy protection as is requires by the relevant principles.

The principles of “Security” and “Data Integrity” seek to ensure that reasonable precautions are taken to protect the loss or misuse of data, and that information is not used in a manner which is incompatible with the purposes for it is has been collected—minimizing the risk that personal information would be misused or abused. Individuals are also granted the right, through the access principle, to view the personal information about them that an organization holds, and to ensure that it is up-to-date and accurate. The “Enforcement” principle works to ensure that an effective mechanism for assuring compliance with the principles, and that there are consequences for the organization when the principles are not followed.

The principles of the program are rather quite clear and enforceable in the first party context, despite some prevailing ambiguities. The privacy policies of most social networking services have become increasingly clear and straightforward since their inception. Facebook, for example, has revamped its privacy regime several times, and gives explicit notice to users how their information is being used. The privacy policy also explains the relationship between third parties and your personal information—including how it may be used by advertisers, search engines, and fellow members.

With respect to third party advertisers, principles of “choice” are clearly granted by most social networking services. For example, the Network Advertising Initiative, a self-regulatory initiative of the online advertising industry, clearly lists its member websites and allows individuals to opt out of any targeted advertising conducted by its members. In Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s opt out features is given, allowing individuals to make somewhat informed choices about their participation in such programs. This point is, of course, in light of the fact that most users do not read or understand the privacy policies provided by social networking sites [4]. It is also important to note that Google—a major player in the online advertising business, does not grant users of Buzz and Orkut the same “opt-out” options as sites such as Facebook and Bebo.

Under the auspices of the US Federal Trade Commission, the Safe Harbor Program has also successfully investigated and settled several privacy-related breaches which have taken place on social networking sites. Of the most famous cases is Lane et al. v. Facebook et al., which was a class action suit brought against Facebook’s Beacon Advertising program. The US Federal Trade Commission was quick to insight an investigation of the program after many privacy groups and individuals became critical of its questionable advertising practices. The Beacon program was designed to allow Facebook users to share information with their friends about actions taken on affiliated, third party sites. This had included, for example, the movie rentals a user had made through the Blockbuster website.

The Plaintiffs filed a suit, alleging that Facebook and its affiliates did not give users adequate notice and choice about Beacon and the collection and use of users’ personal information. The Beacon program was ultimately found to be in breach of US law, including the Video Privacy Protection Act, which bans the disclosure of personally identifiable rental information. Facebook has announced the settlement of the lawsuit, not bringing individual settlements, but a marked end to the program and the development of a 9.5 million dollar Facebook Privacy Fund dedicated to privacy and data-related issues. Other privacy related investigations of social networking sites launched by the FTC under the Safe Harbor Program include Facebook’s privacy changes in late 2009, and the Google’s recently released Buzz application.

Despite the headway the Safe Harbor is making, many privacy related questions remain ambiguous with respect to the responsibilities social networking sites through the program. For example, Bebo reserves the right to supplement a social profile with addition information collected from publicly available information and information from other companies. Bebo’s does adhere to the “notice principle”—as it makes know to users how their information will be used through their privacy policy. However, it remains unclear if appropriate disclosures are given by Bebo as required by Safe Harbor Framework, notably as the sources of “publicly available information” as a concept remains broad and obscured in the privacy policy. It is also unclear whether or not Bebo users are able to, under the “Choice” principle, refuse to having their profiles from being supplemented by other information sources. Also, under the “access principle”, do individuals have the right to review all information held about them as “Bebo users”? The right to review information held by a social networking site is an important one that should be upheld. This is most notable as supplementary information from outside social networking services is employed to profile individual users in ways which may work to categorize individuals in undesirable ways.

The Third Party Problem

Cooperation between social networking sites and the Safe Harbor has improved, and most of these sites now have privacy policies which explicitly address the principles of the Program. It should also be noted that public interest groups, such as Epic, the Center for Digital Democracy, and The Electronic Frontier Foundation, have played a key role in ensuring that data privacy breaches are brought to the attention of the FTC under the program. While the program has somewhat adequately addressed the privacy practices of first party participants, the number of third parties on social networking sites calls into question the comprehensiveness and effectiveness of the Safe Harbor program. Facebook itself as a first party site may adhere to the Safe Harbor Program. However, its growing number third party platform members may not always adhere to best practices in the field, nor can Facebook or the Safe Harbor Program guarantee that they do so.

The Safe Harbor Program does require that all participants take certain security measures when transferring data to a third party. Third parties must either subscribe to the safe harbor principles, or be subject to the EU Data Directive. Alternatively, an organization can may also enter into a written agreement with a third party requiring that they provide at least the same level of privacy protection as is required by program principles. Therefore, third parties of participating program sites are, de facto, bound by the safe harbor principles by the way of entering into agreement with a first party participant of the program. This is the approach taken by most social networking sites and their third parties.

It is important to note, however, that third parties are not governed directly by the regulatory bodies, such as the FTC. The safe harbor website also explicitly notes that the program does not apply to third parties. Therefore, as per these provisions, Facebook must adhere to the principles of the program, while its third party platform members (such as social gaming companies), only must do so indirectly as per a separate contract with Facebook. The effectiveness of this indirect mode of governing of third party privacy practices is questionable for numerous reasons.

Firstly, while Facebook does take steps to ensure that third parties use information from Facebook in a manner which is consistent to the safe harbor principles, the company explicitly waives any guarantee that third parties will “follow their rules”. Prior to allowing third parties to access any information about users, Facebook requires third parties to agree to terms that limit their use of information, and also use technical measures to ensure that they only obtain authorized information. Facebook also warns users to “always review the policies of third party applications and websites to make sure you are comfortable with the ways in which they use information”. Not only are users required to read the privacy policies of every third party application, but are also expected to report applications which may be in violation of privacy principles. In this sense, Facebook not only waives responsibility for third party privacy breaches, but also places further regulatory onus upon the user.

As the program guidelines express, the safe harbor relies to a great degree on enforcement by the private sector. However, it is likely that a self-regulatory framework may lead the industry into a state of regulatory malaise. Under the safe harbor program, Facebook must ensure that the privacy practices of third parties are adequate. However, at the same time, the company may simultaneously waiver their responsibility for third party compliance with safe harbor principles. Therefore, it remains questionable as to where responsibility for third parties exactly lies. When third parties are not directly answerable to the governing bodies of safe harbor program, and when first parties can to waive responsibility for their practices, from where does the incentive to effectively regulate third parties to come from?

While Facbeook may in fact take reasonable legal and technical measures to ensure third party compliance, the room for potential dissonance between speech and deed is worrisome. Facebook is required to ensure that third parties provide “at least the same level of privacy protection” as they do. However, in practice, this has yet to become the case. A quick survey of twelve of the most popular Platform Applications in the gaming category showed that third parties are not granting their users the “same level of privacy protection”[5]. For example, section 9.2.3 of Facebooks “Rights and Responsibilities” for Developers/Operators of applications/sites states that they must “have a privacy policy or otherwise make it clear to users what user data you are going to use and how you will use, display, or share that data”.

However, out of the 12 gaming applications surveyed, four companies failed to make privacy policies available to users before they granted the application access to the personal information, including that of their friends [6]. After searching for the privacy policies on the websites of each of the four social gaming companies, two completely failed to post privacy policies on their central websites. This practice is in direct breach of the contract made between these companies and Facebook, as mentioned above. In addition to many applications failing to clearly post privacy policies, many of provisions set out in these policies were questionable vis-à-vis safe harbor principles.

For example Zynga, makes of popular games Mafia Wars and Farmville, reserve the right to “maintain copies of your content indefinitely”. This practice remains contrary to Safe Harbor principles which states that information should not be kept for longer than required to run a service. Electronic Arts also maintains similar provisions for data retention in its privacy policy. Such practices are rather worrisome also in light of the fact that both companies also reserve the right to collect information on users from other sources to supplement profiles held. This includes (but is not limited to) newspapers and Internet sources such as blogs, instant messaging services, and other games. It is also notable to mention that only one of the twelve social gaming companies surveyed directly participates in the safe harbor program.

In addition to the difficulties of ensuring that safe harbor principles are adhered to by third parties, the information asymmetries which exist between first party sites, citizens, and governance bodies vis-à-vis third parties complicate this model. Foremost, it is clear that Facebook, despite its resources, cannot keep tabs on the practices of all of their applications. This puts into question if industry self-regulation can really guarantee that privacy is respected by third parties in this context. Furthermore, the lack of knowledge or understanding held by citizens about how third parties user their information is particularly problematic when a system relies so heavily on users to report suspected privacy breaches. The same is likely to be true for governments, too. As one legal scholar, promoting a more laisse-fair approach to third party regulation, notes—multiple and invisible third party relationships presents challenges to traditional forms of legal regulation [7].

In an “open “social ecosystem, the sheer volume of data flows between users of social networking sites and third party players appears to have become increasingly difficult to effectively regulate. While the safe harbor program has been successful in establishing best practices and minimum standards for data privacy, it is also clear that governance bodies, and public interest groups, have focused most attention on large industry players such as Facebook. This has left smaller third party players on social networking sites in the shadows of any substantive regulatory concern. If one this has become clear, it is the fact that governments may no longer be able to effectively govern the flows of data in the burgeoning context of “open data”.

As I have demonstrated, it remains questionable whether or not Facebook can regulate third parties data collection practices effectively. Imposing more stringent responsibilities on safe harbor participants could be a positive step. It is reasonable to assume that it would be undue to impose liability on social networking sites for the data breaches of third parties. However, it is not unreasonable to require sites like Facebook go beyond setting “minimum standards” for data privacy, towards taking a more active enforcement, if even through TRUSTe or another regulatory body. If the safe harbor is to be effective, it cannot allow program participants to simply wave the liability for third party privacy practices. The indemnity granted to third parties on social networking sites may deem the safe harbor program more effective in sustaining the non-liability of third parties, rather than protecting the data privacy of citizens.

[1] Official Directive 95/46/EC

[2] 95/46/EC

[3] Ibid

[4] See Acquisit, A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacy on Facebook. PET 2006

[5] Of the Privacy Policy browsed include, Zynga, Rock You!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom, Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.

[6] By adding an application, users are also sharing with third parties the information of their friends if they do not specifically opt out of this practice.

[7]See Milina, S. (2003). Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach to Online Profiling. Cardozo Arts and Entertainment Law Journal .

For more details visit https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online

Does the Government want to enter our homes?

sunil — 2012-03-21T10:12:40Z

When rogue politicians and bureaucrats are granted unrestricted access to information then the very future of democracy and free media will be in jeopardy. In an article published in the Pune Mirror on 10 August, 2010, Sunil Abraham examines this in light of the BlackBerry-to-BlackBerry messenger service that the Government of India plans to block if its makers do not allow the monitoring of messages. He says that civil society should rather resist and insist on suitable checks and balances like governmental transparency and a fair judicial oversight instead of allowing the government to intrude into the privacy and civil liberties of its citizens.

What? Me worry about the blackberry imbroglio?
If Pierre Trudeau were alive today, he would feel similarly about the Canadian innovation that is making news these days. But, given the Indian media's objective take on the ongoing BlackBerry tussle, one would assume that the media is unaffected.

Many internet observers say that the very future of democracy and free media is at stake. If rogue politicians and bureaucrats are able to eavesdrop on the communications of media houses, wouldn't that sound the death knell for sting operations, anonymous informants and whistle-blowers?

And, consequently, free press and democracy? How can the media keep its calm when one of the last bastions of electronic privacy in India is being stormed?

Isn’t this a lost cause already?
Perhaps, our reporters and editors have remained complacent, because they do not want to swim against the tide. After all, governments across the world have used excuses like cyber-terrorism, organised crime, pornography, piracy etc. to justify censorship and surveillance regimes.

The priveleged access that the governments of India, Saudi Arabia and UAE are demanding has already been provided to the governments of USA, Canada and Russia, for example.

We don't know how much they know about us!
The average reader might not be aware of the access that the Indian government has to his/her personal information.

To be clear, the Indian government, like most other governments, is able to intercept, decrypt, monitor and record sms and voice call traffic by working in partnership with ISP and Telecom operators.

This is legalised through ISP licence agreements, which requires ISPs to provide monitoring equipment that can be used to by various law enforcement and intelligence agencies. There is no clear policy on data-retention policies.

Industry insiders say that SMS messages, telephone call logs, email headers, and web requests are archived from anywhere between three months and a year.

Do these ISPs and telecom operators then delete, anonymise or obfuscate this data? Or do they they retain it for posterity for market research?

In the absence of a privacy law — the Indian citizen can only make intelligent guesses.

Encryption is our friend
As a student, when I passed a love note to my lady-love in class, I would use a symmetric key encryption scheme.

She would use the same key as I did to unencrypt the machine, ie, substituting the alphabet with the next/previous one.

If someone was able to intercept the key, then all communication between us in both directions would be compromised.

Asymmetric key encryption solves this problem by giving both parties two keys — a public key and a private key. I would use my lady-love’s public key to encrypt a message meant for her.

Only she would be able to unencrypt the message by using her private key. The size of the key — 40bit, 128bit, 256bit etc. determines the strength of the encryption.

The more bits you have, the longer it will take for someone to break through using a brute force method. The brute force method or dictionary method is when you try every single combination —just as you would with an old suitcase.

The time taken also depends on computing resources — whether you are a jealous boyfriend, or the FBI, or a corporation like Google. These days, governments depend on corporations for hardware and network muscle.

How does Blackberry encrypt differently?
Other smart phone providers like IPhone and Nokia make email and Internet traffic transparent to the ISP and telecom operator, making it easy for governments are able to keep track of Internet users on mobile phones just as they monitor dial-up or broadband users.

Most mobile services come with a basic encryption. Blackberry is different because it introduces an additional level of encryption, and then routes traffic either through corporate servers or through its own servers in Canada and other parts of the world.

The fact that information is routed thus can pose a threat to the Indian government, if officials are using Blackberries to exchange highly classified information.

Then, GoI could be worried if western intelligence agencies are eavesdropping.

How will this end? Will Blackberry leave?
Blackberry has never exited a country, because in the end it has prioritised consumer privacy over commercial compulsions. For example Blackberry has now ‘resolved’ security probwith Saudi Arabia.

I don’t think we should worry about deals or compromises. However, this is not to say that Blackberry should not be applauded.

They have taken a public stand against unrestricted governmental access to their clients’ information; one should always applaud corporates who fight hard for privacy and civil liberties.

What the Blackberry dilemma is showing us is the social cost of the electronic Big Brother will be steep, as it should be.

To protect citizens’ rights, civil society must resist and insist on suitable checks and balances like governmental transparency and fair judicial oversight.

Read the article in Pune Mirror

For more details visit https://cis-india.org/internet-governance/blog/government-enter-homes

Does Size Matter? A Tale of Performing Welfare, Producing Bodies and Faking Identity

praskrishna — 2014-06-04T09:45:49Z

Malavika Jayaram gave a talk.

This was published by the website of Berkman Center for Internet and Society

Big Data doesn’t get much bigger than India’s identity project. The world’s largest biometric database - currently consisting of almost 600 million enrolled - seduces with promises of inclusion, legitimacy and visibility. By locating this techno-utopian vision within the larger surveillance state that a unique identifier facilitates, Malavika will describe the ‘welfare industrial complex’ that imagines the poor as the next emerging market. She will highlight the risks of the body as password, of implementing e-governance in a legal vacuum, and of digitization reinforcing existing inequalities. The export of technologies of control - once they have been tested on a massive population that has little agency and limited ability to withhold consent - transforms this project from a site of local activism to one with global repercussions. By offering a perspective that is somewhat different from the traditional western focus of privacy, she hopes to generate a more inclusive discourse about what it means to be autonomous and empowered in the face of paternalistic development projects. She will highlight, in particular, the varied ways in which the project is already being subverted and re-purposed, in ways that are humorous and poignant.

About Malavika

Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard University, focusing on privacy, identity and free expression. She is also a Fellow at the Centre for Internet and Society, Bangalore, and the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series. Malavika is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India’s leading lawyers - one of only 8 women to be featured in the “40 under 45” survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. She is working on a PhD about the development of a privacy jurisprudence and discourse in India, viewed partly through the lens of the Indian biometric ID project.

Podcast

Watch the podcast at this link.

For more details visit https://cis-india.org/news/harvard-university-may-13-2014-does-size-matter

DOC 2.0: A Resources Sharing Mela by NGO Documentation Centres

praskrishna — 2011-04-02T08:13:51Z

A Resource Sharing Mela and Meet of DCM (Document Centres Meet) at the Centre for Education & Documentation in Domlur, Bangalore.

Programme

18th Nov: 9.30 am to 20th Nov. 2 pm

Draft 3 ( to be finalised )

For DCMers
9.30 pm to 12 noon
CED Terrace

Interaction
2 pm to 4 pm
CED Exhibition Hall

Public Session
5 pm to 7 pm
CED Terrace

18th Nov.	Multi-Media/New Media. AVs, Photos, Internet - blogs	Managing Data Akshara Class.; Mapping Data: Timbaktu experience- Anne Marie.	Knowledge in an Internet Era: Role of DCs in Info-digital Society: Avinash Jha - KICS Sharing Session: Chair: Ashish Rajadhaksha
19th Nov.	Print Media Training Manuals, Newsletters, Posters etc	Producing Data: Data generation tools used by Aalochana in PC4D, Jagori safety audit	Internet : Reclaiming Civil society on the Internet. Public domain V/s copyright: Sunil Abraham:
20th Nov.	Interactive Media: Theatre, Melas?; Yuvati Mela:	Dissemination Marketing issues: Alvito; Mobile Libraries (Aalochana)	Ends

Workshop Banner

See the original here

For more details visit https://cis-india.org/news/doc-2.0

Do You Want to be Watched?

sunil — 2012-03-21T09:11:45Z

The new rules under the IT Act are an assault on our freedom, says Sunil Abraham in this article published in Pragati on June 8, 2011.

Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 Amendment of the Information Technology (IT) Act and their associated rules notified April 2011 proposes to eliminate whatever little privacy Indian netizens have had so far. Already as per the internet service provider (ISP) license, citizens using encryption above 40-bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station. With the IT Act’s latest rules things get from bad to worse. (For an analysis of the new rules under the IT Act, see the In Parliament section of this issue).

Now imagine my daughter visits the neighborhood cybercafe, the manager would now be entitled to scan her ID document and take a photograph of her using his own camera. He would also be authorised to capture her browser history including unencrypted credentials and authentication factors. He would then store this information for a period of one year and provide them to any government entity that sends him a letter. He could continue to hold on to the files as there would be no clear guidelines or penalties around deletion. The ISP that provides connectivity to the cybercafe would store a copy of my daughter’s Internet activities for two years. None of our ISPs publish or provide on request a copy of their data retention policies.

Now suppose my daughter used an online peer-production like Wikipedia or social-media platform like MySpace to commit an act of blasphemy by drawing fan-art for her favorite Swedish symphonic black metal band. A neo-Pentecostal Church sends a takedown notice to the website hosting the artwork. Unfortunately, this is a fringe Web 2.0 platform run by Indian entrepreneur who happens to be a friend of yours. When the notice arrived, our entrepreneur was in the middle of a three-week trek in the Himalayas. Even though he had disabled anonymous contributions and started comprehensive data retention of user activity on the site, unfortunately he was not able to delete the offending piece of content within 36 hours. If the honourable judge is convinced, both your friend and my daughter would be sitting in jail for a maximum of three years for the newly christened offence of blasphemous online speech.

You might dismiss my misgivings by saying “after all we are not China, Saudi Arabia or Myanmar”, and that no matter what the law says we are always weak on implementation. But that is completely missing the point. The IT Act appears to be based on the idea that the the Indian public can be bullied into self-censorship via systemic surveillance. Employ tough language in the law and occasionally make public examples of certain minor infringers. There have been news reports of young men being jailed for using expletives against Indian politicians or referring to a head of state as a “rubber stamp.” The message is clear—you are being watched so watch your tongue.

Surveillance capabilities are not a necessary feature of information systems. They have to be engineered into these systems. Once these features exists, they could potentially serve both the legally authorised official and other undesirable elements. Terrorists, cyber-warriors and criminals will all find systems with surveillance capabilities easier to compromise. In other words, surveillance compromises security at the level of system design. There were no internet connections or phone lines in the bin Laden compound—he was depending on store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via master key would have lead the investigators to him earlier? Has the ban on public wi-fi and the current ID requirements at cyber-cafes led to the arrest of any terrorists or criminals in India? Where is the evidence that resource hungry blanket surveillance is providing return on investment? Intelligence work cannot be replaced with resource-hungry blanket surveillance. Unnecessary surveillance distracts the security with irrelevance.

Increase in security levels is not directly proportional to increase in levels of surveillance. A certain amount of surveillance is unavoidable and essential. But after the optimum amount of surveillance has been reached, additional surveillance only undermines security. The multiple levels of data retention at the cybercafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of personal sensitive information only acts as multiple points of failure and leaks—in the age of Niira Radia and Amar Singh one does not have be reminded of authorised and unauthorised surveillance and their associated leaks.

Finally, there is the question of perception management. Perceptions of security does not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems—one, where the fundamental organising principle is trust or second, where the principle is suspicion. Systems based on suspicion usually gives rise to criminal and corrupt behavior. If the state were to repeatedly accuse its law-abiding citizens of being terrorists and criminals, it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies—they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the internet just to download encryption tools and other privacy enabling software. Like the prohibition, this will only result in further insecurity and break-down in the rule of law.

Read the original here

For more details visit https://cis-india.org/internet-governance/blog/want-to-be-watched

Do you agree with our fee hike? Press 1 to answer Yes; or 2 for Yes

praskrishna — 2015-10-01T15:28:37Z

It has long been a concern that domain-name overseer ICANN is largely funded by companies reliant on the organization to make money.

The article by Kieren McCarthy was published in the Register on September 29, 2015.

Every biz that wishes to sell domain names – called a registrar – has to pay the organization $4,000 a year, plus 18 cents on every domain they sell.

In addition, they have to pay a variable fee that comprises the money ICANN says it spends on registrar-related activities divided by the number of companies that are accredited. This year that cost was $3.8m and with roughly 1,150 companies, that's $3,300 a head.

The pricing structure provides California-based ICANN with just under $40m a year, more than a third of its total budget. But in order to make sure the non-profit organization doesn't abuse its market control to hike up its fees, each year the registrars have to formally approve the fee structure that the ICANN Board has adopted. And they do that through an online vote.

This year, some registrars are wondering whether the $3.8m spent by ICANN is a good deal for them.

"What do your ICANN fees get you?" ICANN asks itself in an email sent to all registrars. "In addition to helping cover the expenses associated with ICANN meetings and ICANN's day-to-day operations, your fees have allowed us to conduct regular outreach with registrars through 'roadshow' type training seminars, webinars, in-person events, and site visits."

Don't ask, don't tell

It's not clear how that money is spent nor on what, since ICANN continues to provide only the vaguest details over its budget, providing annual sums for "travel" and for "meetings" across the entire organization.

ICANN is also actively refusing to hand that information over, telling one outfit that formally asked for additional financial data that for it to do so would be "extremely time consuming and overly burdensome." That organization – the Centre for Internet and Society – is appealing that decision [PDF] to ICANN's Board with a decision made two days ago but still unpublished.

ICANN expenditure is increasing: in 2014 alone, its "travel" costs jumped by 85 per cent to $17m; its meetings budget nearly doubled from an average of $3.2m per public meeting in 2013 to $6m in 2014. But there is almost no information on where this money has been spent, and so far no explanation for why it spent $113m in 2014 with an income of just $84m.

What else is ICANN spending registrars' fees on? "We've recruited Registrar Services staff dedicated to serving Europe, the Middle East/Africa, and Asia and have already begun a series of (low-cost) micro-regional events in China, Japan, Singapore, and South Korea, with plans taking shape for events in Europe, Africa, the Middle East, and the Americas in the near future," we're told.

But existing registrars are wondering whether all these new staff and events are needed. Are there hundreds of new registrars entering the market? Are they in Asia?

Unfortunately, ICANN has stopped providing that kind of information. In 2009, under pressure to be more open about what was going on, the organization made big play of the fact it was going to produce statistics showing how many registrars there were, how big they were, and where they were based in a new "dashboard."

But those stats stopped being produced two years ago and the most recent data provided is from 2012.

Software and security

Where else do the millions of dollars from the companies that support ICANN go? "We're building up the 'GDD Portal'," says a note from ICANN's staff, "which will become a one-stop destination for all registrar resources at ICANN, and transitioning our customer relationship management software from RADAR to salesforce.com."

This is the same GDD Portal that ICANN had to shut down earlier this year because of a security breach. It had misconfigured out-the-box software and exposed every user's information, including financial projections, launch plans, and confidential exchanges, to every other user. Having at first claimed there was "no indication" that confidential information was exposed, it later admitted that it had in fact happened 330 times.

As for RADAR, it was specifically named in a report by Verisign as a security risk; this is one of the things on a "growing list of examples where ICANN's operational track record leaves much to be desired."

We're listening...

Finally, in explaining why the registrar fees are a good deal for the companies, ICANN's staff note: "Most importantly, we're doing our best to listen to you to ensure that our work is of real value to you."

Unfortunately that listening does not extend to hearing any complaints about the fees, or what they are spent on.

All registrars receive an email during the annual approval of the fees levied against them with a link to an online survey. Incredibly enough, however, they are only allowed to agree to the fees – there is no option to disagree. Or in fact do anything other than sign up for another year.

And what is ICANN's explanation for why the companies that provide it with over a third of its budget are not allowed to express anything but approval of the fees ICANN sets? Problems with the voting software:

The system is only able to accept affirmative expressions of approval. (A technical limitation in the voting software prevents us from knowing when we've reached the level of approval required if we offer both a 'yes, I approve,' and a 'no, I don't approve' option.) But if you have reservations about approving the budget or concerns you'd like addressed first, please let me know and I'll be happy to try to address those directly with you.

So despite charging the companies $3,500 each a year to run the systems that they use, ICANN has been unable to find voting software that is capable of accepting more than one answer. Money well spent.

For more details visit https://cis-india.org/internet-governance/news/the-register-september-29-2015-kieren-mccurthy-do-you-agree-with-our-fee-hike