We are anonymous, we are legion

DIDP Request #15: What is going on between Verisign and ICANN?

asvatha — 2016-07-29T02:01:06Z

During a hearing of the House Committee on Energy and Commerce on “Internet Governance Progress After ICANN 53,” President and CEO of ICANN - Mr Fadi Chehade indicated that ICANN follows up with registries and registrars on receipt of any complaint against them about violations of their contract with ICANN.

At CIS, we believe that any exchange of dialogue or any outcome from ICANN acting on these complaints needs to be in the public domain. Thus, our 15th DIDP request to ICANN were for documents pertinent to Verisign’s contractual compliance and actions taken by ICANN stemming from any discrepancies of Verisign’s compliance with its ICANN contract.

The DIDP request filed by Padmini Baruah can be found here.

What ICANN said

After sorting through a response designed to obfuscate information, it was clear that ICANN was not going to provide any of the details we requested. As mentioned in their previous responses, individual audit reports and the names of the registries associated with discrepancies are confidential under the DIDP Defined Conditions of Nondisclosure. Nevertheless, some details from the response are worth mentioning.

According to the response, “As identified in Appendix B of the 2012 Contractual Compliance Year One Audit Program Report, the following TLDs were selected for auditing: DotAsia Organisation Limited (.ASIA), Telnic Limited (.TEL), Public Interest Registry (.ORG), Verisign (.NET), Afilias (.INFO), and Employ Media LLC (.JOBS).” The response goes on to state that out of these 6 registries that were selected, only 5 chose to participate in the audit, the identies of which are once again confidential.

However, on further examination, it can be seen that Verisign (.NET) was chosen to participate in the audit the year after as well. Therefore, it’s clear that 2013 was the year Verisign was audited. Unfortunately, that was pretty much all that was relevant to our request in ICANN’s response.

Once again, ICANN was able to use the DIDP Defined Conditions of Nondisclosure, especially the following conditions to allow itself the ability not to answer the public:

Information exchanged, prepared for, or derived from the deliberative and decision-making process between ICANN, its constituents, and/or other entities with which ICANN cooperates that, if disclosed, would or would be likely to compromise the integrity of the deliberative and decision-making process between and among ICANN, its constituents, and/or other entities with which ICANN cooperates by inhibiting the candid exchange of ideas and communications.
Information provided to ICANN by a party that, if disclosed, would or would be likely to materially prejudice the commercial interests, financial interests, and/or competitive position of such party or was provided to ICANN pursuant to a nondisclosure agreement or nondisclosure provision within an agreement.
Confidential business information and/or internal policies and procedures.[1]

ICANN’s response to our request can be found here.

[1] See DIDP https://www.icann.org/resources/pages/didp-2012-02-25-en

For more details visit https://cis-india.org/internet-governance/blog/didp-request-15-what-is-going-on-between-verisign-and-icann

DIDP Request #14: Keeping track of ICANN’s contracted parties: Registrars

asvatha — 2016-07-28T16:34:27Z

In September 2016, we filed two separate DIDP requests regarding ICANN’s Contractual Compliance Goals.

The first one which we have written about here,[1] was regarding ICANN contracts with registries while the second one about registrars is briefed below. In our second request, we specifically asked for the following information:

Copies of the registrar contractual compliance audit reports for all the audits carried out as well as external audit reports from the last year (2014-2015).
A generic template of the notice served by ICANN before conducting such an audit.
A list of the registrars to whom such notices were served in the last year.
An account of the expenditure incurred by ICANN in carrying out the audit process.
A list of the registrars that did not respond to the notice within a reasonable period of time.
Reports of the site visits conducted by ICANN to ascertain compliance.
Documents which identify the registrars who had committed material discrepancies in the terms of the contract.
Documents pertaining to the actions taken in the event that there was found to be some form of contractual non-compliance.
A copy of the registrar self-assessment form which is to be submitted to ICANN.

The DIDP request filed by Padmini Baruah can be viewed here.

What ICANN said

Information pertinent to item 1 and 3 can be found in the 2014 Contractual Compliance Annual Report here:https://www.icann.org/en/system/files/files/annual-2014-13feb15-en.pdf. While this report contains detailed information regarding the audit, individual audit reports are subject to the DIDP Defined Conditions for Nondisclosure.

ICANN provided a link to all the communication templates used during the audit process, including the notice served by ICANN prior to conducting audits. (Item 2) It can be found here: https://www.icann.org/en/system/files/files/audit-communication-template-04dec15-en.pdf. As mentioned in an earlier blog post, ICANN set aside USD 0.6 million for the Three Year Audit plan.[2] (item 4)

According to the Audit FAQ on ICANN website,[3] “If a contracted party reaches the enforcement phase per process, ICANN will issue a notice of breach in which the outstanding issues are noted. The response links us to the ICANN webpage where these breach notices are listed: https://www.icann.org/compliance/notices#notices-2014. (Item 5) According to the link, 61 registrars received breach notices in 2014; a full explanation has been provided for each notice. (Item 7 and 8) Since no site visits were conducted, ICANN does not possess any document regarding this.

According to the ICANN website, “The 2013 Registrar Accreditation Agreement (RAA) requires ICANN-accredited registrars to complete an annual self-assessment and provide ICANN with a compliance certification by 20 January.”[4] The form for the same can be found here: https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#compliance

ICANN’s response to our request can be found here.

[1] To be linked to the first post

[2] See FY15 budget (pg72): https://www.icann.org/en/system/files/files/adopted-opplan-budget-fy15-01dec14-en.pdf

[3] See Audit FAQ: https://www.icann.org/resources/pages/faqs-2012-10-31-en

[4] See CEO certification: https://www.icann.org/resources/pages/ceo-certification-2014-01-29-en

For more details visit https://cis-india.org/internet-governance/blog/didp-request-14-keeping-track-of-icann2019s-contracted-parties-registrars

DIDP Request #13: Keeping track of ICANN’s contracted parties: Registries

asvatha — 2016-07-28T15:40:01Z

On multiple occasions, Fadi Chehade, then President and CEO of ICANN has emphasized the importance of conducting audits (internal and external) to ensure compliance of ICANN’s contracted parties. At a US congressional hearing, he spoke about the contract monitoring function of ICANN.

In September 2015, we filed two separate DIDP requests regarding ICANN’s Contractual Compliance Goals. The first one, briefed below, is regarding the contracts with registries and the second one is regarding ICANN contracts with registrars. This post contains some additional background information on the Contractual Compliance Goals at ICANN. In our first request, we specifically asked for the following information:

Copies of the registry contractual compliance audit reports for all the audits carried out as well as external audit reports from the last year (2014-2015).
A generic template of the notice served by ICANN before conducting such an audit.
A list of the registries to whom such notices were served in the last year.
An account of the expenditure incurred by ICANN in carrying out the audit process.
A list of the registries that did not respond to the notice within a reasonable period of time.
Reports of the site visits conducted by ICANN to ascertain compliance.
Documents which identifies the registry operators who had committed material discrepancies in the terms of the contract.
Documents pertaining to the actions taken in the event that there was found to be some form of contractual non-compliance.

The DIDP request filed by Padmini Baruah can be viewed here.

What ICANN said

ICANN’s Contractual Compliance Goal is to ensure that all the parties that ICANN has entered into a contract with complies with the stipulations of the contract. This is done in several ways, including Contractual Compliance complaints and Audits.[1]

In 2012, ICANN initiated the Three Year Audit plan where one-third of registries were selected each year for an audit. In 2014, the third set of registries were audited. In response to Item 1, information about the audit for 2014 can be found here: https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2014-03feb15-en.pdf. At this link, we can also find the list of registries that went through the audit process in 2014 (item 3). Monthly updates on overall contractual compliance can be found here: https://www.icann.org/resources/pages/update-2013-03-15-en.

ICANN linked us to all the communication templates used during the audit process, including the notice served by ICANN prior to conducting audits. (Item 2) It can be found here: https://www.icann.org/en/system/files/files/audit-communication-template-04dec15-en.pdf

In the operating plan and budget for FY15, ICANN sets aside USD 0.2 million for the New Registry Agreement Audit and USD 0.6 million for the Three Year Audit plan.[2]

Other documents to answer this question such as invoices from the external auditing firm are subject to non-disclosure under DIDP policies. Since all registries responded in a timely manner and no site visits were conducted, there are no documents to answer items 5 and 6.

The audit report linked above contains information on deficiencies identified during the audit. ICANN states that registries addressed these deficiencies during the remediation process. However, there is a caveat to this discussion. The names of the registries that are associated with these discrepancies remains confidential, subject to the DIDP Defined Conditions for Nondisclosure. (Item 7) ICANN goes on to state that it is not required to confirm if the registries have taken appropriate action and thus does not have any documents in response to item 8. While ICANN’s audit process seems thorough, does this last statement indicate a lack of enforcement mechanisms on ICANN’s part?

ICANN’s response to our request can be found here.

[1]. See Contractual Compliance website: https://www.icann.org/resources/pages/compliance-2012-02-25-en

[2]. See FY15 budget (pg72): https://www.icann.org/en/system/files/files/adopted-opplan-budget-fy15-01dec14-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/didp-request-13-keeping-track-of-icann2019s-contracted-parties-registries

DIDP Request #12: Revenues

Aditya Garg — 2015-09-14T15:32:37Z

The Centre for Internet & Society (CIS) sought information from ICANN on their revenue streams by sending them a second request under their Documentary Information Disclosure Policy. This request and their response have been described in this blog post.

CIS Request

22 July 2015

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Raw data with respect to granular income/revenue statements of ICANN from 1999-2011

We would like to thank ICAN for their prompt response to our earlier requests. We appreciate that the granular Revenue Details for FY14 have been posted online.[1] We also appreciate that a similar document has been posted for FY13.[2]

And we hope that one for FY12 would be posted soon, as noted by you in your Response to our Request No. 20141222-1.[3]

As also noted by you in the same request, similar reports cannot be prepared for FY99 to FY11 since “[i]t would be extremely time consuming and overly burdensome to cull through the raw data in order to compile the reports for the prior years”.[4]

Additionally, it was also mentioned that the “relevant information is available in other public available documents”.[5]

Hence, we would like to request for the raw data for years FY99 to FY11, for our research on accountability and transparency mechanisms in Internet governance, specifically of ICANN. Additionally, we would also like to request for the links to such public documents where the information is available.

We look forward to the receipt of this information within the stipulated period of 30 days. Please feel free to contact us in the event of any doubts regarding our queries.
Thank you very much.
Warm regards,
Aditya Garg,
I Year, National Law University, Delhi
For Centre for Internet & Society
W: http://cis-india.org

ICANN Response

ICANN referred to our earlier DIDP request (see here) where we had sought for a detailed report of their granular income and revenue statements from 1999-2014. They refused to disclose the data on grounds that it would be ‘time consuming’ and ‘overly burdensome’, which is a ground for refusal as per their exceptions to disclosure.

Our request may be found here, and their response is linked to here.

[1]. See FY14 Revenue Detail By Source, https://www.icann.org/en/system/files/files/fy2014-revenue-source-01may15-en.pdf.

[2]. See FY13 Revenue Detail By Source, https://www.icann.org/en/system/files/files/fy2013-revenue-source-01may15-en.pdf

[3]. See Response to Documentary Information Disclosure Policy Request No. 20141222-1, https://www.icann.org/en/system/files/files/cis-response-21jan15-en.pdf.

[4]. Id

[5]. See Response to Documentary Information Disclosure Policy Request No. 20141222-1, https://www.icann.org/en/system/files/files/cis-response-21jan15-en.pdf.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-12-revenues

DIDP Request #11: NETmundial Principles

Aditya Garg — 2015-09-14T15:08:40Z

The Centre for Internet & Society (CIS) followed up on the implementation of the NETmundial Principles that ICANN has been endorsing by sending them a second request under their Documentary Information Disclosure Policy. This request and their response have been described in this blog post.

22 July 2015

To:

Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Sub: Details of documents within ICANN regarding implementation of NETmundial Principles and documents modified within ICANN as a result of the same

It is our understanding that ICANN is one of the founding members of the NETmundial Initiative. And hence, it has been credited in the public forum for championing the Initiative.[1]

Mr. Fadi Chehade, CEO and President of ICANN, has maintained that it is time for the global community to act and implement the Principles set forth in the initiative.[2]

ICANN itself, in response to one of our earlier requests, has acknowledged that "NETmundial Principles are high-level statements that permeate through the work of any entity –particularly a multistakeholder entity like ICANN."[3]

We, therefore, request for all existing documents within ICANN which represent its efforts to implement the NETmundial Principles within its working. Additionally, we would also want to request for all the documents which were modified as the result of ICANN’s support of the NETmundial Initiave, highlighting the modification so made.

We look forward to the receipt of this information within the stipulated period of 30 days. Please feel free to contact us in the event of any doubts regarding our queries.

Thank you very much.

Warm regards,
Aditya Garg,
1st Year, National Law University, Delhi for Centre for Internet & Society

ICANN Response

ICANN in their response pointed to an earlier DIDP request that we had sent in, and they replied along the same lines. They brought to our attention that ICANN was not responsible for the implementation of the NETMundial Principles, despite it being one of the founding members of the Initiative. They reiterated their earlier statement of ICANN not being the “…home for implementation of the NETmundial Principles or the evolution of multistakeholder participation in Internet governance.” They have failed to provide us with documentary proof of the implementation of these principles, and have only pointed to statements which indicate a potential prospective adoption of said the initiative [4]; the responses have been near identical to those for the earlier DIDP request, which you can find here.

Further, ICANN claims that the information we seek falls within the scope of the exceptions to disclosure they lay down, as it is not within their operational activities, an explanation that fails to satisfy us. As always, they have used the wide scope of their non-disclosure policy to avoid providing us with the requisite information.

The request can be found here, and ICANN’s response has been linked here.

[1]. See McCarthy, I’m Begging You To Join, The Register (12 December 2014), http://www.theregister.co.uk/2014/12/12/im_begging_you_to_join_netmundial_initiative_gets_desperate/

[2]. See NETmundial Initiative Goes Live, Gobal Internet Community Invited to Participate (Press Release), https://www.netmundial.org/press-release-1

[3]. See Response to Documentary Information Disclosure Policy Request No. 20141228-1-NETmundial, https://www.icann.org/en/system/files/files/cis-netmundial-response-27jan15-en.pdf

[4]. Such as Objective 4.3 of their Strategic Five Year Plan. “Demonstrate leadership by implementing best practices in multistakeholder mechanisms within the distributed Internet governance ecosystem while encouraging all stakeholders to implement the principles endorsed at NETmundial” at https://www.icann.org/en/system/files/files/strategic-plan-2016-2020-10oct14-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/didp-request-11-netmundial-principles

DIDP Request #10 - ICANN does not know how much each RIR contributes to its Budget

asvatha — 2016-07-27T14:57:00Z

In an effort to understand the relationship between the Regional Internet Registries (RIRs) and ICANN, we requested current and historical information on the contract fees paid by the five RIRs (AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC) to ICANN annually.

We acknowledged that the independently audited financial reports on ICANN’s website list the total amount from all RIRs as a lump sum.[1] However, we specifically sought a breakdown of these fees detailing contributions made by each RIR from 1999 to 2014. Not only will this information help understand the RIR-ICANN relationship, it will also be relevant to the IANA transition.

The request filed by Protyush Choudhury can be found here.

What ICANN said

According to ICANN’s response to our request, the five RIRs (AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC) make a voluntary annual contribution to ICANN’s budget through the Number Resource Organization (NRO). [2] Since Financial Year 2000, this contribution has been made to ICANN as an aggregate amount without the kind of breakdown requested by us with the exception of FY03, FY04 and FY05. The breakdown of the contribution for those years is as below:

FY03: APNIC - $129,400; ARIN - $159,345; RIPE - $206,255
FY04: APNIC - $160,500; ARIN - $144,450; RIPE - $224,700; LACNIC - $5,350
FY05: APNIC - $220,976; ARIN - $218,507; RIPE - $358,086; LACNIC - $25,431

The response links back to the independent financial reports mentioned by us in the request. These reports can be found on the ICANN website here.

On closer examination of the audit reports of FY03, 04 and 05, it is clear that the information provided in their response is either incomplete or incorrect. According to KPMG’s audit report of FY03, the total contribution from Address Registries is US$535,000. The breakdown in the response adds up only to $494,600. The response does not account for the extra $40,400. If only APNIC, ARIN and RIPE contributed to ICANN in 2003, where did the other $40,400 come from? Moreover, why is it listed as an Address Registry Fee in the audit report if it was a voluntary contribution?[3]

The “Address Registry Fees” in the audit reports for FY04 and FY05 match the amounts in the response: $535,000 and $823,00 respectively. ICANN's response to our DIDP request may be found here.

For the reader’s reference, the audit reports for FY00 - FY14 are linked below:

[1] See audited financial reports: https://www.icann.org/resources/pages/governance/current-en

[2] See letter from NRO to ICANN: https://www.icann.org/en/system/files/files/akplogan-to-twomey-23mar09-en.pdf

[3]. See report for FY03 (pg 4): https://www.icann.org/en/system/files/files/financial-report-fye-30jun03-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/didp-request-10-icann-does-not-know-how-much-each-rir-contributes-to-its-budget

DIDP Request #9 - Exactly how involved is ICANN in the NETmundial Initiative?

asvatha — 2016-07-27T15:53:22Z

The importance and relevance of knowing ICANN’s involvement in the NETmundial Initiative cannot be overstated.

It was reported recently that ICANN contributed US$200,000 to the Initiative.[1] Following this report, we requested the details of all expenses incurred by ICANN for NMI till date. This includes formal contributions to NMI as well as costs incurred towards travel and accommodation of ICANN board and staff to meetings relevant to the NMI discussion.

Apart from these financial details, we also requested information regarding the number of staff working on NMI from ICANN and the hours clocked by them for the same. We further specified that we would like this information to gauge ICANN’s involvement beyond its technical mandate. The request filed by Geetha Hariharan can be found here.

What ICANN said

In its response, ICANN separated the questions in the request into two categories: a) Expenses incurred by ICANN towards the NETmundial Initiative and b) Other resources (personnel and hours) allocated to the Initiative by ICANN. The first category in the request includes: formal contribution to the NETmundial Initiative; travel costs of ICANN board and staff; and costs of maintenance of other sponsored parties. The second includes the number of staff involved in the NETmundial Initiative from ICANN and the number of hours spent working on it.

To answer both, the response directs us to the Memorandum of Collaboration (MOC)[2]signed by the Brazilian Internet Steering Committee (CGI.br), ICANN and the World Economic Forum (WEF) to set up the NETmundial Initiative according to the outcome document from the initial NETmundial meeting in Sao Paulo, Brazil.

Some of the important takeaways from the MOC that are relevant to our request are the following:

Each party to the MOC agrees to pay $201,667 towards operational expenses on signature of the agreement.
Total anticipated cost of the NETmundial Initiative is $605,000 (also mentioned in the response).
Each party will assign 1 staff member to the NETmundial Initiative secretariat during the inaugural period to smoothen the process. This staff member will commit at least 50% of their time towards Secretariat work.

This information is important but it does not provide a comprehensive answer to our query. It does not, for example, answer if ICANN contributed anything more than the $201,667 the MOC specifies. It also does not tell us if ICANN allotted any staff apart from the designated secretariat member to work on NETmundial Initiative.

Further, the response states that ICANN does not keep track of costs according to the number of hours or the topic but rather according to strategic objectives. Since ICANN is not required to create a document that does not already exist to answer a DIDP enquiry,[3] we have no way of knowing the specific amount of time or money spent on the NETmundial Initiative by ICANN. The response instead directs us to the financial presentation at ICANN50 where the costs of attending the NETmundial Meeting at Sao Paulo is detailed. While this is interesting (ICANN spent $1.5 million)[4] it is not a satisfactory answer to our question.

ICANN justifies its lack of direct answers by expressing that not only is the request “overbroad", it is also “subject to the following DIDP Condition of Nondisclosure: Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; and (iii) complying with which is not feasible.”[5]

ICANN's response to our DIDP request may be found here.

[1] See McCarthy, ‘I’m Begging You To Join’ – ICANN’s NETmundial Initiative gets desperate, THE REGISTER (12 December 2014), http://www.theregister.co.uk/2014/12/12/im begging you to join netmundial initiative gets d esperate/

[2] See MOC: https://www.netmundial.org/sites/default/files/MOC-%20CGI.br,%20ICANN%20&%20WEF.pdf

[3] See Disclosure Policy: https://www.icann.org/resources/pages/didp-2012-02-25-en

[4] See ICANN50 Finance Presentation (Pg 4): https://london50.icann.org/en/schedule/thu-finance/presentation-finance-26jun14-en

[5] See ICANN conditions for non-disclosure: https://www.icann.org/resources/pages/didp-2012-02-25-en

For more details visit https://cis-india.org/internet-governance/blog/didp-request-9-exactly-how-involved-is-icann-in-the-netmundial-initiative

DIDP #34 On granular detail on ICANN's budget for policy development process

akriti — 2019-07-06T01:23:55Z

ICANN has Advisory Committees which help guide the policy recommendations that the ICANN community develops while its Supporting Organizations are charged with developing policy recommendations for a particular aspect of ICANN's operations. Supporting Organizations are composed of volunteers from the community. ICANN publishes a combined budget for all these bodies under the head of policy development and CIS inquired about the financial resources allocated to each of them specifically.

The ICANN budgets are published for public comment yet the community does not have supporting documents to illustrate how the numbers were estimated or the rationale for allocation of the resources. There is a lack of transparency when it comes to the internal budgeting.

This DIDP is concerned with the policy development budget which, as Stephanie Perrin of the Non-Commercial Stakeholder Group pointed out, was merely 5% of ICANN’s total budget, a number significantly low for a policy making organization. Thus, the information we request is a detailed breakdown for the budgets for every Advisory Council as well as Supporting Organizations for the previous fiscal year. You can find the attached request here.

For more details visit https://cis-india.org/internet-governance/blog/didp-34-on-granular-detail-on-icanns-budget-for-policy-development-process

DIDP #33 On ICANN's 2012 gTLD round auction fund

akriti — 2019-07-09T15:51:47Z

This DIDP was filed to inquire about the state of the funds ICANN received from the last gTLD auctions.

In 2012, after years of deliberation ICANN opened the application round for new top level domains and saw over 1930 applications. Since October 2013, delegation of these extensions commenced with it still going on. However, 7 years since the round was open there has been no consensus on how to utilize the funds obtained from the auctions. ICANN until its last meeting was debating on the legal mechanisms/ entities to be created who will decide on the disbursement of these funds. There is no clear information on how those funds have been maintained over the years or its treatments in terms of whether they have been set aside or invested etc. Thus, our DIDP questions ICANN on the status of these funds and can be found here.

The response to the DIDP received on 24th April, 2019 states that that even though the request asked for information, rather than documentation, our question was answered. Reiterating that the DIDP mechanism was developed to provide documentation rather than information. It stated that on 25 October 2018, Resolution 2018.10.25.23 was passed that compels the President and CEO to allocate $36 million to the Reserve Fund. The gTLD auction proceeds were allocated to separate investment accounts, and the interest accruing from the proceedings was in accordance with the new gTLD Investment Policy.

For more details visit https://cis-india.org/internet-governance/blog/akriti-bopanna-april-4-2019-didp-33-on-icann-s-2012-gtld-round-auction-fund

DIDP #32 On ICANN's Fellowship Program

akriti — 2018-11-12T15:58:30Z

In furtherance of its capacity building functions, ICANN selects Fellows for every public meeting. These are individuals from underserved and underrepresented communities who are trained to become active participants in the ICANN community.

These fellows are assigned a mentor and receive training on ICANN's various areas of engagement. They are also given travel assistance to attend the meeting. While the process and selection criteria is detailed on their website, CIS had some questions as to the execution of these.

Our DIDP questioned the following aspects:

Has any individual received the ICANN Fellowship more than the stated maximum limit of 3 times?
If so, whose decision and what was the justification given for awarding it the 4th time and any other times after that?
What countries did any such individuals belong to?
How many times has the limit of 3 been breached while giving fellowships?
What recording mechanisms are being used to ensure that awarding of these fellowships is kept track of, stored and updated? Are these public or privately made available anywhere?

You can access the request here.

For more details visit https://cis-india.org/internet-governance/blog/didp-31-on-icanns-fellowship-program

DIDP #31 Diversity of employees at ICANN

Akash Sriram — 2018-08-21T09:26:48Z

We have requested ICANN to disclose information pertaining to the diversity of employees based on race and citizenship.

This data is being requested to verify ICANN’s claim of being an equal opportunities employer. ICANN’s employee handbook states that they “...provide equal opportunities and are committed to the principle of equality regardless of race, colour, ethnic or national origin, religious belief, political opinion or affiliation, sex, marital status, sexual orientation, gender reassignment, age or disability.” The data on the diversity of employees based on race and nationality of their employees will depict how much they have stuck to their commitment to delivering equal opportunities to personnel in ICANN and potential employees.

The request filed by CIS can be accessed here

For more details visit https://cis-india.org/internet-governance/blog/didp-31-diversity-of-employees-at-icann

Dialogue Cafe @ Centre for Internet and Society

praskrishna — 2011-12-07T11:10:08Z

The Centre for Internet and Society announces the launch of its dialogue cafe, where every month, we approach seminal thinkers, scholars and practitioners to help explore knowledge paradigms that help us understand and research techno-social realities through innovative thought, concepts and frameworks.

The dialogue cafe draws upon different disciplines, histories, perspectives and intellectual legacies in order to respond to a seminal piece of writing that has changed, challenged and shaped the contours of interdisciplinary science and technology studies.

The dialogue cafe initiates several strands of dialogues — between critical thinkers and canonical texts, between different paradigm of knowledges that interact with digital and internet technologies, and between interlocutors located in different disciplines, to initiate critical thought/work for new and innovative research in the field of Internet and Society.

For its first brew of conversations, the Dialogue Cafe serves you...

Computation and the Humanities: Revisiting a Silent Revolution

Steve Jobs’ comments on how “technology married with liberal arts, married with the humanities” made Apple hearts sing is today widely re-circulated, but not fully comprehended. We often take this to be the mark of one man’s genius, rather than the symptom of a broader interdisciplinary history. Noted Artificial Intelligence scholar Philip Agre recalls, “When I was a graduate student in artificial intelligence, the humanities were not held in high regard. They were vague and woolly, they employed impenetrable jargons, and they engaged in "meta-level bickering that never decides anything".

What happened, in the formative decades of Jobs and Agre’s generation, to bring technology and the humanities into conversation? What have the results been, other than well-designed personal computational devices, and what is the significance for us? On December 2, 2011, the Centre for Internet and Society invites you to a Dialogue Cafe, where we engage in exploring what this all means and what kinds of labour it might take to ‘marry’ these disparate ways of knowing.

As a response to Philip Agre’s seminal essay on “Critical Technology Practice”, the cafe will begin with an exposition by Kavita Philip (University of California, Irvine), opening up into a critical response spearheaded by Cherry Matthew, and leading to a larger dialogue with the audience, exploring fault lines of interdisciplinary research and challenges of integrated technology studies.

For more background on these questions, audience is encouraged (but not required) to explore the materials at Agre’s home page http://polaris.gseis.ucla.edu/pagre/, and STSrelated links from Wikipedia’s page http://en.wikipedia.org/wiki/Science,_technology_and_society

VIDEOS

For more details visit https://cis-india.org/internet-governance/dialogue-cafe

Developing location-based services

praskrishna — 2012-02-28T09:31:50Z

For mapping enthusiasts, geeks and neogeographers in Bangalore, here's something to look forward to. Cartonama, a workshop that offers intensive hands-on training on tools to build and manage location data for location-based services, will be held in the city on March 2 and 3.

The article was published in the Hindu on February 26, 2012

This workshop, being organised by city-based tech event management firm HasGeek, is open to developers, neogeographers and entrepreneurs working on location-based services who want to understand how to use advanced tools to manage and represent their geographic data.

The workshop will be conducted by Mikel Maron and Schuyler Erle, both from the OpenStreetMap project. The event is being held at the Centre for Internet and Society in Domlur.

For more on this, log on to workshop.cartonama.com or contact sajjad@hasgeek.com

Cloud 20/20: online technical paper contest

Unisys India announced the results of Cloud 20/20 Version 3.0, the third edition of one of India's largest technical paper contests, designed to encourage innovative ideas and recognise emerging technical talent from among the country's leading engineering colleges.

Following several rigorous rounds of evaluation, the judges selected Dharmesh Kakadia from International Institute of Information Technology, Hyderabad, as the first prize winner for his entry on ‘Network Virtualisation and Cloud Computing'. The runner-ups were Sridhar S. from Anna University, Chennai, and Poornima J.R. from M.S. Ramaiah Institute of Technology.

A system to protect confidential data

Xerox and computer security firm McAfee have teamed up to design a security system to help companies protect against threats to confidential data, a release from McAfee stated.

This involves integrating embedded McAfee software into Xerox technology. The two companies plan to use a whitelisting method that allows only approved files to run, offering significantly more protection than traditional blacklisting tactics, where a user has to be aware of and proactively block viruses, spyware and other malicious software.

Additionally, the solution provides an audit trail to track and investigate the time and origin of security events, and take action on them, the release added. The companies claim that the decision to partner on this was a result of a survey commissioned by the two firms that found that 54 per cent employees in India do not follow their company's IT security policies, even fewer (33 per cent) are aware of these policies.

Automating healthcare and insurance

IT major Wipro Infotech announced that it has successfully implemented the digitisation of the Employees' State Insurance Corporation's (ESIC) Project, Panchdeep, the healthcare administration programme that automates healthcare services to over six crore beneficiaries across the country.

This is the largest e-governance programme in this sector, providing online facilities to employers and insured people for registration, payment of premium and disbursement of cash benefits.

It also automates medicare services to all insured people, and an estimated 75,000 people use this every day.

HP launches new press

Hewlett-Packard announced the launch of HP Indigo W7200 Digital Offset press for the Indian market. This has been installed at Bangalore-based printing press, the KolorKode digital press. With its robust productivity this new press offers the ability to address a wider range of long-run jobs. It will be able to deliver a broader range of jobs for a dynamic market place meeting the demands of monochrome to seven-color jobs, from spot to highlight color during a single run, without stopping or changing the settings, a press release from HP stated.

For more details visit https://cis-india.org/news/developing-location-based-services

Developer team fixed vulnerabilities in Honorable PM's app and API

pranesh — 2016-12-04T19:08:56Z

The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.

This blog post has been authored by Bhavyanshu Parasher. The original post can be read here.

What were the issues?

The main issue was how the app was communicating with the API served by narendramodi.in.

I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.
There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.
The API was still being served over HTTP instead of HTTPS.

Fixed

The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.
A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.
Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.

Detailed Vulnerability Disclosure

Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, I would suggest you to change your password immediately. Can’t leave out a possibility of it being compromised.

Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.

The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).

Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,

They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.

Disclosure to officials

The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.

Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM

After about 30 hours of reporting the vulnerabillity

Proposed Solution

Consulted @pranesh_prakash as well regarding the issue.

After this, I mailed them a solution regarding the issues.

Discussion with developer

Received phone call from a developer. Discussed possible solutions to fix it.

The solution that I proposed could not be implemented since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that people don’t upgrade to latest versions leaving themselves vulnerable to security flaws. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.

On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. I can now confirm they have fixed all three issues.

Update 12/02/2016

This vulnerability in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.

Developer releases WannaCry key-recovery tool for Windows XP

praskrishna — 2017-06-07T01:02:12Z

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised. Unfortunately, however, a new variant of the program is already in the wild.

The article by Cirilo Laguardia was published by Hoyen TV on May 20, 2017.

Meaning, as he wrote in a blog post this past weekend, agencies like that NSA should have a "new requirement" to report vulnerabilities they find to software makers like Microsoft, instead of stockpiling or selling or exploiting them. Eternal Blue was technically created to spy on key target points that the NSA deems necessary to.

Smith says cyberweapons require a new approach, and governments must "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits".

"We're looking at many decades of building complex systems - one on top of the other - with no effort to go back to fix what we did wrong along the way", said Wendy Nather, principal security strategist at Duo Security, who has worked in security for 22 years.

And while Smith says Microsoft and other tech companies need to take the lead on combatting these widespread attacks, he highlights the shared responsibility required to protect, detect and respond to threats.

Unfortunately, numerous millions of computers now still running the 2001 operating system never received those updates because their owners refused to pay for it.

WannaCry doesn't seem to be any more virulent or more expensive than other ransomware.

Make sure that your computer is up to date with its Windows updates.

In both cases, these computer owners are the digital equivalent of medical vaccine deniers.

While businesses that failed to update Microsoft's Windows-based computer systems could be sued over lax cyber security, Microsoft itself enjoys strong immunity from lawsuits. When a user clicks on the link, their computer and the information on it is held for ransom while being used to further spread the ransomware. Without doing a thing, when WannaCry came along nearly 2 months later, the machine was protected because the exploit it targeted had already been patched.

According to the company, "customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March". These are valid explanations for using obsolete software, but they are not excuses. Unfortunately, far too few people even bother.

WannaCry, developed in part with hacking techniques that were either stolen or leaked from the United States National Security Agency, has infected over 300,000 computers since last Friday, locking up their data and demanding a ransom payment to release it. This is to prevent the ransomware from using the unprotected Windows XP unit as a gateway.

Government agencies running obsolete software is also a huge problem.

While the federal government mostly avoided WannaCry infections, its processes highlight how hard it is for large organizations to modernize.

For more details visit https://cis-india.org/internet-governance/news/hoyen-tv-may-20-2017-cirilo-laguardia-developer-releases-wanna-cry-key-recovery-tool-for-windows-xp