We are anonymous, we are legion

Democracy and the Internet in 2017

praskrishna — 2017-03-28T15:19:14Z

Vidushi Marda gave a talk at St. Joseph's College of Commerce in Bengaluru on January 25, 2017. Vidushi spoke about democracy and the internet. The 50 minute talk was followed by 20 minutes of questions/comments.

Undergraduate students from a variety of disciplines such as social science, engineering, business, etc. attended the lecture. The talk broadly focused on:

The relationship between democracy and the internet. Why/how are they are closely related.
The internet's role in changing information exchange and communication. I drew on examples like the Arab Spring/Elections/Political change.
The growing usage of internet platforms for elections and also governance. Problematising the fact that these few private platforms seem to monopolise the internet, are only restricted to a certain elite audience, cannot be conflated with actual governance etc.
Fake News.
Algorithmic curation and filter bubbles.

For more details visit https://cis-india.org/internet-governance/news/democracy-and-the-internet-in-2017

Delhi High Court Orders Blocking of Websites after Sony Complains Infringement of 2014 FIFA World Cup Telecast Rights

sinha — 2014-07-08T07:02:16Z

Of late the Indian judiciary has been issuing John Doe orders to block websites, most recently in Multi Screen Media v. Sunit Singh and Others. The order mandated blocking of 472 websites, out of which approximately 267 websites were blocked as on July 7, 2014. This trend is an extremely dangerous one because it encourages flagrant censorship by intermediaries based on a judicial order which does not provide for specific blocking of a URL, instead provides for blocking of the entire website.

The High Court of Delhi on June 23, 2014 issued a John Doe injunction restraining more than 400 websites from broadcasting 2014 FIFA world cup matches. News reports indicate that the Single judge bench of Justice V. Kameswar Rao directed the Department of Telecom to issue appropriate directions to ISPs to block the websites that Multi Screen Media provided, as well as “any other website identified by the plaintiff” in the future. On July 4, Justice G. S. Sistani permitted reducing the list to 219 websites.

Background

Multi Screen Media (MSM) is the official broadcaster for the ongoing 2014 FIFA World Cup tournament. FIFA (the Governing body) had exclusively licensed rights to MSM which included live, delayed, highlights, on demand, and repeat broadcast of the FIFA matches. MSM complained that the defendants indulged in hosting, streaming, providing access to, etc, thereby infringing the exclusive rights and broadcast and reproduction rights of MSM.

The court in the instant order held that the defendants had prima facie infringed MSM’s broadcasting rights, which are guaranteed by section 37 of the Copyright Act, 1957. In an over-zealous attempt to pre-empt infringement the court called for a blanket ban on all websites identified by MSM. Further, the court directed the concerned authorities to ensure ISPs complied with this order and block the websites mentioned by MSM presently, and other websites which may be subsequently be notified by MSM.

Where the Court went Wrong

The court stated that MSM successfully established a prima facie case, and on its basis granted a sweeping injunction to MSM ordering blocking 471 second level domains. I’d like to point out numerous flaws with the order-

Dissatisfactory "Prima facie case"

In my opinion the court could have scrutinised the list of websites provided by MSM more carefully. There is nothing in the order to suggest that evidence was proffered by MSM in support of the list. The order reveals that the list was prepared by MarkScan, a “consulting boutique dedicated to (the client’s) IP requirements in the cyberspace and the Indian sub-continent.” The list throws up names such as docs.google.com, goo.gl & ad.ly (provide URL shortening service only), torrent indexing websites, IP addresses, online file streaming websites, etc., at a cursory glance. Evidently, perfectly legitimate websites have been targeted by an ill conducted search and shoddily prepared list which may lead to blocking of legitimate content on account of no verification by the court. 471 websites out of 472 mentioned in the first list are second level domains and 23 websites have been listed twice.

2. Generic order which abysmally fails to identify specific infringing URLS

Out of the 472 websites (list provided in the order by MarkScan)-

471 are file streaming websites, video sharing websites, file lockers, URL shorteners, file storage websites; only one is a specific URL [http://www.24livestreamtv.com/brazil-2014-fifa-world-cup-football-%20%C2%A0%C2%A0live-streaming-online-t ].

The order calls for blocking of complete websites. This is in complete contradiction to the 2012 Madras High Court’s order in R K Productions v BSNL which held that only a particular URL where the infringing content is kept should be blocked, rather than the entire website. The Madras High Court order had also made it mandatory for the complainants to provide exact URLs where they find illegal content, such that ISPs could block only that content and not the entire site. MSM did not adhere to this and I have serious doubts if the defendants brought the distinguishing Madras High Court judgment to the attention of the bench. The entire situation is akin to MarkScan scamming MSM by providing their clients a dodgy list, and MSM scamming the court and the public at large.

3. Lack of Transparency – Different blocking messages on different ISPs

The message displayed uniformly on blocked websites was:

"This website/URL has been blocked until further notice either pursuant to court orders or on the directions issued by the Department of Telecommunications."

I observed that a few websites showed the message “Error 404 – File or Directory not found” without the blocking message (above) on the network provider Reliance, and same Error 404 with the blocking message on the network provider Airtel highlighting the non-transparent manner of adherence to the order. Further, both the messages do not indicate the end period of the block.

Legality of John Doe orders in Website Blocking

It is pertinent to reiterate the ‘misuse’ of John Doe orders to block websites in India. The judiciary has erred in applying the John Doe order to protect copyrightable content on the internet. While the R K Productions v BSNL case appears reasonable in terms of permitting blocking of only URL specific content, the application of John Doe order to block websites remains unfounded in law. Ananth Padmanabhan in a three part study (Part I, II and III) had earlier analysed the improper use of John Doe injunctions to block websites in India. The John Doe order was conceived by US courts to pre-emptively remedy the irreparable damages suffered by copyright holders on account of unidentified/unnamed infringers. The interim injunction allowed collection of evidence from infringers, who were identified later as certain defendants and the final relief was accordingly granted. The courts routinely advocated judicious use of the order, and ensured that the identified defendants were provided and informed of their right to apply to the court within twenty four hours for a review of the order and a right to claim damages in an appropriate case. Therefore, the John Doe order applied against primary infringers per se.

On the other hand, whilst extending this remedy in India the courts have unfortunately placed onus on the conduit i.e. the ISP to block websites. This is tantamount to providing final relief at the interim stage, since all content definitely gets blocked; however, this hardly helps in identifying the actual infringer on the internet. The court is prematurely doling out blocking remedies to the complaining party, which, legally speaking should be meted out only during the final disposition of the case after careful examination of the evidence available. Thus, the intent of a John Doe order is miserably lost in such an application. Moreover, this lends an arbitrary amount of power in the hands of intermediaries since ISPs may or may not choose to approach the court for directions to specifically block URLs which provide access to infringing content only.

For more details visit https://cis-india.org/internet-governance/blog/delhi-high-court-orders-blocking-of-websites-after-sony-complains-infringement-of-2014-fifa-world-cup-telecast-rights

Delhi Govt Sets Up WiFi Task Force

praskrishna — 2015-04-03T07:06:41Z

Delhi government is believed to have set up a task force to enable WiFi in the city. The task force, which has been recently constituted, includes entrepreneur and start-up advisor Mahesh Murthy, Medianama founder Nikhil Pahwa and Center for Internet Society director Pranesh Prakash, as per a report by PTI.

Originally published by Press Trust of India, the news was mirrored by TeleAnalysis on March 18, 2015.

The Wifi task force was set up by Delhi Dialogue Commission (DDC), which besides this, will also look after various initiatives that can make Delhi a better place to live. The commission, in the past, has sought suggestions, expert opinions and proposals from domain experts in various issues related to Delhi. The DDC is evaluating various proposals and will act accordingly, the report said.

The DDC is inviting proposals and suggestions, comments and ideas over email at ddc.delhi@gov.in and the Whatsapp helpline +919643327265.

“These have received tremendous response with over 400 emails and thousands of Whatsapp messages coming in from Delhi citizens, who sent in their requests and needs and also detailed technical assistance and support in the implementation of this project,” the government said in a statement.

While the above email Id is active and we got an instant automated response, when sent a query, the Whatsapp number seems to be dead, as it was last seen on ‘1/25/2015′.

Providing free WiFi in Delhi was a part of the manifesto of the Aam Aadmi Party.

For more details visit https://cis-india.org/internet-governance/news/tele-analysis-gyana-ranjan-swain-delhi-govt-sets-up-wifi-task-force

Delhi government in consultation with Centre to block Uber's Internet address

praskrishna — 2015-03-09T02:12:15Z

The Delhi transport department has started consultation with the central government to block the internet address of taxi hailing app Uber if the San Francisco-based startup does not obtain a radio taxi licence to ply its cabs in the national capital.

The article by Harsimran Julka was published in the Economic Times on February 25, 2015. Pranesh Prakash is quoted.

Blocking Uber's IP will mean the company's website and mobile phone application will no longer be accessible in India, effectively shutting down operations in a country which the startup estimates is its largest market outside the United States.

Uber has operations across 10 cities in India with over 10,000 cabs registered on its platform."We have initiated a process with the central government to block (Uber's) IP address in India if the company doesn't abide by law," said a senior official in the Delhi transport department.

Uber and other taxi app companies were banned from operating in Delhi after the alleged rape of a passenger by a driver on the Uber network in December 2014. Subsequently, the transport department modified radio taxi laws and directed Uber and rivals OlaCabs and Taxiforsure to obtain licences to operate legally in the city. While Ola has obtained a licence, Uber, which terms itself as a technology company and not a transport provider, has been demanding that it be regulated under the Information Technology Act. "There has to be an end to the matter somewhere," said the official quoted above. The department has given Uber time until February 25 to submit a revised application for a radio taxi licence.

"We are waiting to see if they comply and apply for a licence before issuing a written request (to block the IP address),' said a second official who confirmed that the transport department had already begun discussions with the department of IT. Zubeda Begum, the standing counsel for the Delhi government is likely to submit an affidavit on Wednesday in the Delhi High Court on the method to be adopted to block the IP address.

The court, which is hearing the case of the alleged rape, had raised the issue of banning IP addresses of taxi app companies after the state government complained that the companies continued to ply in the national despite the ban.

"It is the central government which will have to block the website. The Delhi government just has to make a request," Begum told ET.

Pawan Duggal, cyber law expert and a Supreme Court advocate, said that the blocking of websites in India can be done under Section 69A of the Information Technology Act but the rules to get them unblocked are unclear.

"A court order may be needed to get it unblocked," said Duggal.

A spokeswoman for Uber said the company will continue to work with the authorities and is "evaluating the perceived deficiencies in the time period provided to us by the government."

This is not the first time that the website of a foreign company will be banned in India. Last December, about 32 websites including SourceForge, Archive, Vimeo, Dailymotion were banned on grounds of national security. Uber itself has had its IP address blocked in countries such as Spain. Last December, a Madrid Court ordered Spain's telcos to block access to Uber.

"Any state government department can request the designated authority to block a website. The authority has to then forward the request to a committee, which takes the decision," said Pranesh Prakash, at the Centre for Internet and Society in Bengaluru.

For more details visit https://cis-india.org/internet-governance/news/economic-times-harsimran-julka-february-25-2015-delhi-government-in-consultation-with-centre-to-block-ubers-internet-address

Delhi gang rape: What Facebook, Twitter expose about govt

praskrishna — 2012-12-31T01:02:44Z

When constable Subhash Tomar collapsed during the anti-rape agitation in New Delhi, the government was keen to say he suffered injuries inflicted by the protesters. But the administration's version of events was challenged soon on social media, and the mainstream media latched onto the mystery and started pressurising the government to come clean.

The article was published in the Times of India on December 29, 2012. Pranesh Prakash is quoted.

The Tomar episode, when social media set the agenda and put the government on the back foot, is one more example of rise of people's power online. The political class in India has been shaken by the speed and efficiency with which the recent protests were coordinated. Some of them, like Abhijit Mukherjee, have ended up putting their foot in their mouth while others like Congress' youth icon and heir apparent Rahul Gandhi have not even cared to react.

The reason for Tomar's death is still unclear, but the post-mortem report has attributed it to external injuries.

"Frankly, right now, we haven't figured out how to deal with this phenomenon," said Congress Party Spokesman Sandeep Dikshit.

The anti-corruption movement of Anna Hazare, the Occupy Wall Street movement in the US, and the Arab Spring were all largely organised through social networking sites. Even in neighbouring Pakistan, the raid that killed al-Qaeda chief Osama bin Laden was first reported on microblogging site Twitter, further highlighting social media's growing importance as a source of information. Such is the influence and impact of social media that many are increasingly referring to it as the "fifth pillar of democracy".

Influence bound to grow

India has over 120 million internet users - Twitter has about 16 million and Facebook over 60 million - but this is still just one-tenth of the population.

Also, as 3G penetration increases, data becomes accessible on more feature phones. While about 221 million mobiles were sold in India in 2012, sales are expected to touch 251 million units in 2013, according to technology market researcher Gartner. With so much of growth still left to come, the influence of social media is only bound to grow.

Minister of State for Human Resource Development Shashi Tharoor, one of the early converts to social media and inveterate tweeter, said the social media space is a "parallel universe to the mainstream media" and that stories on these platforms have a "resonance of their own".

"It is a medium that allows big issues to be made out of issues that mainstream media ignores but politicians cannot," he said.

Brand guru Harish Bijoor is of the view that the political class must pay attention to the information revolution as India is a very young country in terms of demographics. "The political class appears a gerontocracy while 54% of the population is below 25 and 70% below 35. There is a disconnect that must be addressed."

Kedar Gavane, director at Internet analytics company ComScore India, said an average Indian Facebook user has about 300 friends. "That's the kind of reach an individual and his messages have on social networks," he said. "Twitter has helped us identify the common man's feelings. For instance, when a candlelight protest is organised, you get to know what the protesters are thinking."

But the real question, he said, is whether people are actually willing to go beyond these platforms. "Whether it can become the Fifth Estate or not is hard to say because at the end of the day, this is just a channel for communication."

With the government struggling for a credible response to the growing influence of social media, it has often resorted to blocking user accounts and web pages. The government, which blocked 663 webpages in 2012, asked Indian Internet service providers to block 16 Twitter accounts, including those of right-wing leaders and journalists.

In the first half of 2012, the government made 2,319 requests for information on 3,467 user accounts of search engine giant Google. Google complied with 64% of these.

While the influence of social media is not lost on those such as Dikshit, he said the problem is "how to break in with an alternative view". "It is like a community of people who think the same way and validate each others' opinions. The number of people who validate your opinion does not make it the right opinion, but that fine distinction is getting lost somewhere."

There are others who feel the role of social media in protests is often exaggerated. "The agency for change resides first in people and only secondarily in platforms," according to Pranesh Prakash, policy director at the Centre for Internet and Society.

(With inputs from Joji Thomas Philip in New Delhi)

For more details visit https://cis-india.org/news/times-of-india-december-29-2012-delhi-gang-rape

Delhi defends Internet blocking

praskrishna — 2012-08-27T04:13:10Z

India on Friday defended itself against accusations of heavy-handed online censorship, saying it had been successful in blocking content blamed for fuelling ethnic tensions.

Published in Gulf Today on August 25, 2012. Pranesh Prakash is quoted.

The government over the past week has ordered Internet service providers to block 309 webpages, images and links on sites including Facebook, Twitter, Wikipedia, news channel ABC of Australia and Qatar-based Al Jazeera.

The orders were an effort to halt the spread of “hateful” material and rumours that Muslims planned to attack students and workers who have migrated from the northeast region to live in Bangalore and other southern cities.

“We have met with success. These pages were a threat to India’s national security and we demanded their immediate deletion,” Kuldeep Singh Dhatwalia, a spokesman for India’s home ministry said.

“Spreading rumours to encourage violence or cause tension will not be tolerated. The idea is not to restrict communication.” But Twitter users, legal experts and analysts criticised the government’s approach, which appeared to have resulted in only partial blocking of material, much of which was still accessible.

“The officials who are trusted with this don’t know the law or modern technology well enough,” Pranesh Prakash, programme manager at the Centre for Internet and Society research group, told AFP.

“It is counter-productive. I accuse them of monumental incompetence, given that the main problem is that they are getting really bad advice.

“I hope that this fiasco shows the folly of excessive censorship and encourages the government to make better use of social networks and technology to reach out to people.”

In a strange irony, account of none other than Minister of State for Communication and Information Technology Milind Deora was suspended by Twitter.

But at the same time, a fake account similar to Deora’s remained active.

The followers of Deora on Twitter were in for a surprise when they found a search for his name showed “No people results for Milind Deora.”

Deora’s tweets gave the government’s version on the crackdown on the microblogging site and other social networking websites.

Deora in his tweet on Thursday night had defended the government’s efforts to block hate content on the Internet.

“Ironically, let me clarify on Twitter that there is absolutely no intent of the government to curb freedom of social media platforms,” Deora’s tweet read.

“Account suspended. The profile you are trying to view has been suspended...,” was the automated message that was seen on the Twitter.

The news of Deora’s account suspension spread like wild fire on the microblogging site with some making sarcastic comments.

“Communication Minister Milind Deora’s Twitter Account ‘Suspended.’ It’s like the home minister losing his house key,” read one of the tweets, while another user’s tweet read: “Ah! I know what happened. Milind Deora sent Twitter a list of people to (be) banned and signed his name under it.”

The government has asked Internet service providers to block select 16 Twitter accounts, including that of some journalists.

Twitter has also removed six accounts, which resembled that of the Prime Minister’s Office (PMO) amid government’s assertion that action would be taken against those allowing objectionable content.

In a communication to the PMO, Twitter has said it has “removed the reported profile(s) from circulation due to violation of our Terms of Service regarding impersonation.”

For more details visit https://cis-india.org/news/gulf-today-aug-25-2012-delhi-defends-internet-blocking

DeitY says 143 URLs have been Blocked in 2015; Procedure for Blocking Content Remains Opaque and in Urgent Need of Transparency Measures

jyoti — 2015-04-30T07:37:40Z

Across India on 30 December 2014, following an order issued by the Department of Telecom (DOT), Internet Service Providers (ISPs) blocked 32 websites including Vimeo, Dailymotion, GitHub and Pastebin.

In February 2015, the Centre for Internet and Society (CIS) requested the Department of Electronics and Information Technology (DeitY) under the Right to Information Act, 2005 (RTI Act) to provide information clarifying the procedures for blocking in India. We have received a response from DeitY which may be seen here.

In this post, I shall elaborate on this response from DeitY and highlight some of the accountability and transparency measures that the procedure needs. To stress the urgency of reform, I shall also touch upon two recent developments—the response from Ministry of Communication to questions raised in Parliament on the blocking procedures and the Supreme Court (SC) judgment in Shreya Singhal v. Union of India.

Section 69A and the Blocking Rules

Section 69A of the Information Technology Act, 2008 (S69A hereinafter) grants powers to the central government to issue directions for blocking of access to any information through any computer resource. In other words, it allows the government to block any websites under certain grounds. The Government has notified rules laying down the procedure for blocking access online under the Procedure and Safeguards for Blocking for Access of Information by Public Rules, 2009 (Rules, 2009 hereinafter). CIS has produced a poster explaining the blocking procedure (download PDF, 2.037MB).

There are three key aspects of the blocking rules that need to be kept under consideration:

Officers and committees handling requests

Designated Officer (DO) – Appointed by the Central government, officer not below the rank of Joint Secretary.
Nodal Officer (NO) – Appointed by organizations including Ministries or Departments of the State governments and Union Territories and any agency of the Central Government.
Intermediary contact–Appointed by every intermediary to receive and handle blocking directions from the DO.
Committee for Examination of Request (CER) – The request along with printed sample of alleged offending information is examined by the CER—committee with the DO serving as the Chairperson and representatives from Ministry of Law and Justice; Ministry of Home Affairs; Ministry of Information and Broadcasting and representative from the Indian Computer Emergency Response Team (CERT-In). The CER is responsible for examining each blocking request and makes recommendations including revoking blocking orders to the DO, which are taken into consideration for final approval of request for blocking by the Secretary, DOT.
Review Committee (RC) – Constituted under rule 419A of the Indian Telegraph Act, 1951, the RC includes the Cabinet Secretary, Secretary to the Government of India (Legal Affairs) and Secretary (Department of Telecom). The RC is mandated to meet at least once in 2 months and record its findings and has to validate that directions issued are in compliance with S69A(1).

Provisions outlining the procedure for blocking

Rules 6, 9 and 10 create three distinct blocking procedures, which must commence within 7 days of the DO receiving the request.

a) Rule 6 lays out the first procedure, under which any person may approach the NO and request blocking, alternatively, the NO may also raise a blocking request. After the NO of the approached Ministry or Department of the State governments and Union Territories and/or any agency of the Central Government, is satisfied of the validity of the request they forward it to the DO. Requests when not sent through the NO of any organization, must be approved by Chief Secretary of the State or Union Territory or the Advisor to the Administrator of the Union Territory, before being sent to the DO.

The DO upon receiving the request places, must acknowledge receipt within 24 four hours and places the request along with printed copy of alleged information for validation by the CER. The DO also, must make reasonable efforts to identify the person or intermediary hosting the information, and having identified them issue a notice asking them to appear and submit their reply and clarifications before the committee at a specified date and time, within forty eight hours of the receipt of notice.

Foreign entities hosting the information are also informed and the CER gives it recommendations after hearing from the intermediary or the person has clarified their position and even if there is no representation by the same and after examining if the request falls within the scope outlined under S69A(1). The blocking directions are issued by the Secretary (DeitY), after the DO forwards the request and the CER recommendations. If approval is granted the DO directs the relevant intermediary or person to block the alleged information.

b) Rule 9 outlines a procedure wherein, under emergency circumstances, and after the DO has established the necessity and expediency to block alleged information submits recommendations in writing to the Secretary, DeitY. The Secretary, upon being satisfied by the justification for, and necessity of, and expediency to block information may issue an blocking directions as an interim measure and must record the reasons for doing so in writing.

Under such circumstances, the intermediary and person hosting information is not given the opportunity of a hearing. Nevertheless, the DO is required to place the request before the CER within forty eight hours of issuing of directions for interim blocking. Only upon receiving the final recommendations from the committee can the Secretary pass a final order approving the request. If the request for blocking is not approved then the interim order passed earlier is revoked, and the intermediary or identified person should be directed to unblock the information for public access.

c) Rule 10 outlines the process when an order is issued by the courts in India. The DO upon receipt of the court order for blocking of information submits it to the Secretary, DeitY and initiates action as directed by the courts.

Confidentiality clause

Rule 16 mandates confidentiality regarding all requests and actions taken thereof, which renders any requests received by the NO and the DO, recommendations made by the DO or the CER and any written reasons for blocking or revoking blocking requests outside the purview of public scrutiny. More detail on the officers and committees that enforce the blocking rules and procedure can be found here.

Response on blocking from the Ministry of Communication and Information Technology

The response to our RTI from E-Security and Cyber Law Group is timely, given the recent clarification from the Ministry of Communication and Information Technology to a number of questions, raised by parliamentarian Shri Avinash Pande in the Rajya Sabha. The questions had been raised in reference to the Emergency blocking order under IT Act, the current status of the Central Monitoring System, Data Privacy law and Net Neutrality. The Centre for Communication Governance (CCG), National Law University New Delhi have extracted a set of 6 questions and you can read the full article here.

The governments response as quoted by CCG, clarifies under rule 9—the Government has issued directions for emergency blocking of a total number of 216 URLs from 1st January, 2014 till date and that a total of 255 URLs were blocked in 2014 and no URLs has been blocked in 2015 (till 31 March 2015) under S69A through the Committee constituted under the rules therein. Further, a total of 2091 URLs and 143 URLs were blocked in order to comply with the directions of the competent courts of India in 2014 and 2015 (till 31 March 2015) respectively. The government also clarified that the CER, had recommended not to block 19 URLs in the meetings held between 1^stJanuary 2014 upto till date and so far, two orders have been issued to revoke 251 blocked URLs from 1st January 2014 till date. Besides, CERT-In received requests for blocking of objectionable content from individuals and organisations, and these were forwarded to the concerned websites for appropriate action, however the response did not specify the number of requests.

We have prepared a table explaining the information released by the government and to highlight the inconsistency in their response.

Applicable rule and procedure outlined under the Blocking Rules	Number of websites
	2014	2015	Total
Rule 6 - Blocking requests from NO and others	255	None	255
Rule 9 - Blocking under emergency circumstances	-	-	216
Rule 10 - Blocking orders from Court	2091	143	2234
Requests from individuals and orgs forwarded to CERT-In	-	-	-
Recommendations to not block by CER	-	-	19
Number of blocking requests revoked	-	-	251

In a response to an RTI filed by the Software Freedom Law Centre, DeitY said that 708 URLs were blocked in 2012, 1,349 URLs in 2013, and 2,341 URLs in 2014.

Shreya Singhal v. Union of India

In its recent judgment, the SC of India upheld the constitutionality of 69A, stating that it was a narrowly-drawn provision with adequate safeguards. The constitutional challenge on behalf of the People’s Union for Civil Liberties (PUCL) considered the manner in which the blocking is done and the arguments focused on the secrecy present in blocking.

The rules may indicate that there is a requirement to identify and contact the originator of information, though as an expert has pointed out, there is no evidence of this in practice. The court has stressed the importance of a written order so that writ petitions may be filed under Article 226 of the Constitution. In doing so, the court seems to have assumed that the originator or intermediary is informed, and therefore held the view that any procedural inconsistencies may be challenged through writ petitions. However, this recourse is rendered ineffective not only due to procedural constraints, but also because of the confidentiality clause. The opaqueness through rule 16 severely reigns in the recourse that may be given to the originator and the intermediary. While the court notes that rule 16 requiring confidentality was argued to be unconstitutional, it does not state its opinion on this question in the judgment. One expert, holds the view that this, by implication, requires that requests cannot be confidential. However, such a reading down of rule 16 is yet to be tested.

Further, Sunil Abraham has pointed out, “block orders are unevenly implemented by ISPs making it impossible for anyone to independently monitor and reach a conclusion whether an internet resource is inaccessible as a result of a S69A block order or due to a network anomaly.” As there are no comprehensive list of blocked websites or of the legal orders through which they are blocked exists, the public has to rely on media reports and filing RTI requests to understand the censorship regime in India. CIS has previously analysed the leaked block lists and lists received as responses to RTI requests which have revealed that the block orders are full of errors and blocking of entire platforms and not just specific links has taken place.

While the state has the power of blocking content, doing so in secrecy and without judical scrutiny, mark deficiencies that remain in the procedure outlined under the provisions of the blocking rules . The Court could read down rule 16 except for a really narrow set of exceptions, and in not doing so, perhaps has overlooked the opportunities for reform in the existing system. The blocking of 32 websites, is an example of the opaqueness of the system of blocking orders, and where the safeguards assumed by the SC are often not observed such as there being no access to the recommendations that were made by the CER, or towards the revocation of the blocking orders subsequently. CIS filed the RTI to try and understand the grounds for blocking and related procedures and the response has thrown up some issues that must need urgent attention.

Response to RTI filed by CIS

Our first question sought clarification on the websites blocked on 30^thDecember 2014 and the response received from DeitY, E-Security and Cyber Law Group reveals that the websites had been blocked as “they were being used to post information related to ISIS using the resources provided by these websites”. The response also clarifies that the directions to block were issued on 18-12-2014 and as of 09-01-2015, after obtaining an undertaking from website owners, stating their compliance with the Government and Indian laws, the sites were unblocked.

It is not clear if ATS, Mumbai had been intercepting communication or if someone reported these websites. If the ATS was indeed intercepting communication, then as per the rules, the RC should be informed and their recommendations sought. It is unclear, if this was the case and the response evokes the confidentiality clause under rule 16 for not divulging further details. Based on our reading of the rules, court orders should be accessible to the public and without copies of requests and complaints received and knowledge of which organization raised them, there can be no appeal or recourse available to the intermediary or even the general public.

We also asked for a list of all requests for blocking of information that had been received by the DO between January 2013 and January 2015, including the copies of all files that had accepted or rejected. We also specifically, asked for a list of requests under rule 9. The response from DeitY stated that since January 1, 2015 to March 31, 2015 directions to block 143 URLs had been issued based on court orders. The response completely overlooks our request for information, covering the 2 year time period. It also does not cover all types of blocking orders under rule 6 and rule 9, nor the requests that are forwarded to CERT-In, as we have gauged from the ministry's response to the Parliament. Contrary to the SC's assumption of contacting the orginator of information, it is also clear from DeitY's response that only the websites had been contacted and the letter states that the “websites replied only after blocking of objectionable content”.

Further, seeking clarification on the functioning of the CER, we asked for the recent composition of members and the dates and copies of the minutes of all meetings including copies of the recommendations made by them. The response merely quotes rule 7 as the reference for the composition and does not provide any names or other details. We ascertain that as per the DeitY website Shri B.J. Srinath, Scientist-G/GC is the appointed Designated Officer, however this needs confirmation. While we are already aware of the structure of the CER which representatives and appointed public officers are guiding the examination of requests remains unclear. Presently, there are 3 Joint Secretaries appointed under the Ministry of Law and Justice, the Home Ministry has appointed 19, while 3 are appointed under the Ministry of Information and Broadcasting. Further, it is not clear which grade of scientist would be appointed to this committee from CERT-In as the rules do not specify this. While the government has clarified in their answer to Parliament that the committee had recommended not to block 19 URLs in the meetings held between 1st January 2014 to till date, it is remains unclear who is taking these decisions to block and revoke blocked URLs. The response from DeitY specifies that the CER has met six times between 2014 and March 2015, however stops short on sharing any further information or copies of files on complaints and recommendations of the CER, citing rule 16.

Finally, answering our question on the composition of the RC the letter merely highlights the provision providing for the composition under 419A of the Indian Telegraph Rules, 1951. The response clarifies that so far, the RC has met once on 7th December, 2013 under the Chairmanship of the Cabinet Secretary, Department of Legal Affaits and Secretary, DOT. Our request for minutes of meetings and copies of orders and findings of the RC is denied by simply stating that “minutes are not available”. Under 419A, any directions for interception of any message or class of messages under sub-section (2) of Section 5 of the Indian Telegraph Act, 1885 issued by the competent authority shall contain reasons for such direction and a copy of such order shall be forwarded to the concerned RC within a period of seven working days. Given that the RC has met just once since 2013, it is unclear if the RC is not functioning or if the interception of messages is being guided through other procedures. Further, we do not yet know details or have any records of revocation orders or notices sent to intermediary contacts. This restricts the citizens’ right to receive information and DeitY should work to make these available for the public.

Given the response to our RTI, the Ministry's response to Parliament and the SC judgment we recommend the following steps be taken by the DeitY to ensure that we create a procedure that is just, accountable and follows the rule of law.

The revocation of rule 16 needs urgent clarification for two reasons:

Under Section 22 of the RTI Act provisions thereof, override all conflicting provisions in any other legislation.
In upholding the constitutionality of S69A the SC cites the requirement of reasons behind blocking orders to be recorded in writing, so that they may be challenged by means of writ petitions filed under A rticle 226 of the Constitution of India.

If the blocking orders or the meetings of the CER and RC that consider the reasons in the orders are to remain shrouded in secrecy and unavailable through RTI requests, filing writ petitions challenging these decisions will not be possible, rendering this very important safeguard for the protection of online free speech and expression infructuous. In summation, the need for comprehensive legislative reform remains in the blocking procedures and the government should act to address the pressing need for transparency and accountability. Not only does opacity curtial the strengths of democracy it also impedes good governance. We have filed an RTI seeking a comprehensive account of the blocking procedure, functioning of committees from 2009-2015 and we shall publish any information that we may receive.

For more details visit https://cis-india.org/internet-governance/blog/deity-says-143-urls-blocked-in-2015

Definition of Net Neutrality should be flexible: Pranesh Prakash

pranesh — 2015-06-19T01:43:04Z

Critics argue that Facebook’s Internet.org violates the principle of Net Neutrality.

The article by Sanjay Vijaykumar was published in the Hindu on May 10, 2015. Pranesh Prakash is extensively quoted.

The definition of Net Neutrality should be flexible enough to allow for experimentation with different models of providing cheaper Internet access and such experimentation needs to be regulated by the telecom regulator, Telecom and Regulatory Authority of India (TRAI) according to Internet expert Pranesh Prakash.

Mr. Prakash was reacting to the business model of Boston-based start-up Jana, which said it had figured out a way to offer billions of people in the emerging world free access to the Internet, without violating the web’s open nature. The firm has launched Jana Loyalty, a product that seeks to reward its smartphone users in two ways. One, it reimburses users the cost of downloading and using an app of Jana’s clients. Two, it gives free additional data with which the user can access any content online.

“While Jana is like Internet.org, since it is Internet service-specific zero-rating, Jana Loyalty is what my colleague Sunil Abraham dubs a ‘leaky walled garden’. The walled garden (site-specific access) exists, but you also get free access to the whole of the Web in return. Given that there is no one universal definition of Net Neutrality, and given India currently doesn’t have a definition, I can’t answer if this is a violation of Net Neutrality,” said Mr. Prakash, who is Policy Director at The Centre for Internet and Society (CIS), a Bangalore-based, non-profit, research and policy advocacy.

Facebook’s attempts to provide a limited version of the Internet free has been attracting criticism from supporters of Net Neutrality, especially in India. Critics argue that Facebook’s Internet.org, which offers users free access to a bouquet of pre-selected Web sites, violates the principle of Net Neutrality by choosing what is accessible and what isn’t. Facebook has reacted to this by opening up Internet.org to all developers who meet its guidelines. Mr. Prakash said the definition of Net Neturality should be flexible enough to allow for experimentation with different models of providing cheaper Internet access, including Jana Loyalty.

“However, such experimentation ought to be regulated by the telecom regulator. To minimise harm, they should be allowed on a case-by-case basis after the regulator has had an opportunity to conduct risk-benefit analysis against four goals it should seek to promote — universal and affordable access; effective competition; protection of consumers against harm; and diversity that arises from the openness and interconnectedness of the Internet,” he added.

Net neutrality is a principle that says Internet Service Providers (ISPs) should treat all traffic and content on their networks equally.

Why now?

Late last month, Trai released a draft consultation paper seeking views from the industry and the general public on the need for regulations for over-the-top (OTT) players such as Whatsapp, Skype, Viber etc, security concerns and net neutrality. The objective of this consultation paper, the regulator said, was to analyse the implications of the growth of OTTs and consider whether or not changes were required in the current regulatory framework.

What is an OTT?

OTT or over-the-top refers to applications and services which are accessible over the internet and ride on operators' networks offering internet access services. The best known examples of OTT are Skype, Viber, WhatsApp, e-commerce sites, Ola, Facebook messenger. The OTTs are not bound by any regulations. The Trai is of the view that the lack of regulations poses a threat to security and there’s a need for government’s intervention to ensure a level playing field in terms of regulatory compliance.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-sanjay-vijaykumar-may-10-2015-pranesh-prakash-on-definition-of-net-neutrality

Deepfakes: Algorithms at war, trust at stake

Rajmohan Sudhakar — 2019-07-21T15:42:12Z

A case in point is the video that surfaced of an Indian journalist not so long ago.

The article by Rajmohan Sudhakar was published in Deccan Herald on July 14, 2019. Elonnai Hickok was quoted.

Now machines are learning to manipulate imagery. That is a real worry. Deepfakes for instance. They are AI-manipulated videos achieved by machine learning. Products of the humongous volume of images and videos now available online.

The danger is, this imagery could be yours or mine. Imagine artificial intelligence of neural networks creating convincing identities of our real counterparts, and starts posting videos. Absurd.

“Society has grappled with spurious and specious content in media over time. Media has been modified for various reasons, usually by those with access to significant resources and influence in the past,” says Elonnai Hickok, COO of the Bengaluru-based Centre for Internet and Society.

From an AI and machine learning perspective, deepfakes could be understood by what is known as GAN -- generative adversarial networks, essentially two algorithms at war. One is a generator, the other a discriminator. They compete with each other based on set inputs, in time bettering the version they together help create. These are behind what are now known as deepfakes of popular figures floating around online. Barack Obama is seen saying in a purported deepfake, “stay woke bitches”, which of course he did not say.

Another deepfake has Mark Zuckerberg boasting: “I have total control of billions of people’s stolen data, all their secrets, their lives, their futures.” “Deepfakes are media modified by current technology and techniques. Easy availability of technology and media allows anyone to create, tailor or manipulate media for their own ends. Deepfakes present an opportunity for introspection and research into the contours of freedom of expression as well as societal frameworks for dealing with fake content,” explains Hickok.

One of the horrid instances of a deepfake-like attack was the video that surfaced of an Indian woman journalist not so long ago. Or the child-kidnapping rumours that spread through WhatsApp and the subsequent mob lynchings. However, there’s the view that in post-truth times, deepfakes would be seen with caution in the inherent dilemma over believing what one views online.

“In India, people do not take these so seriously, especially on social media. It is mostly entertainment for many. Now, we are seeing people with diametrically opposing views. They often view content which they like to see. It would rather work as a reinforcer of views than a transformer,” feels political analyst Sandeep Shastri.

Open source software can create basic deepfakes if someone wanted to hurt somebody. The potential scale of danger and damage looms larger for influential figures and nations at war.

“While deep fakes can be used to damage societies, it is important that collectively society takes steps to become sensitised to ways that media can be used to manipulate opinions and choices, and allow people to develop skills that build awareness and context to what they see and believe,” adds Hickok.

A video emerged recently of an ‘Iranian’ boat near an attacked oil tanker in the Persian Gulf. Deepfake or not, the authenticity of the video was questionable. If used wily, it could have triggered a war.

According to Hickok, society has to get more resilient to manipulation. “This includes spoken, written, seen as well as heard information. We have to learn to question the basis on which we confirm trust. Multiple forms of verification may help to address spurious media and information,” she says.

Deepfakes are no surprise as social media feed into the small and large divisions and differences of multitudes. Emergence of such potentially dangerous AIs isn’t taken quite seriously by the tech czars. In fact, it is a matter of economy for them.

Oscar Schwartz writes in The Guardian that ‘technological solutionism’ in the ‘attention economy’ may not be the real approach. “And herein lies the problem: by formulating deepfakes as a technological problem, we allow social media platforms to promote technological solutions to those problems – cleverly distracting the public from the idea that there may be more fundamental problems with powerful Silicon Valley tech platforms,” Schwartz warns.

“The measures do not fall on the regulators alone. I think, individuals (by introspection and building awareness), society (through education), the legal system (stringent evidentiary requirements and capacity building) industry (differentiating recreational and prejudicial content, tagging content that is manipulated, etc.) and regulators (enabling accountability, oversight, transparency and redress) can all contribute to a more resilient society,” observes Hickok.

In India, viewing a video is still considered close to truth, almost sacred by the vast majority. Necessarily, it would not require a technologically advanced deepfake, especially in the backward rural pockets, to rile up and aggravate biases and prejudices.

“Deepfakes can further existing biases and manipulate opinions and choices. They can disrupt trust inherent in societal groups to co-exist and politically, they can breed distrust in leadership and capability. That said, deepfakes can be used for humour and satire. Ultimately, the impact will be shaped by a number of factors including pre-existing biases, individual response, etc.,” Hickok elaborates.

On a lighter note, deepfakes could be helpful too. We could very well do away with some of our television news presenters.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-july-14-2019-rajmohan-sudhakar-deepfakes-algorithms-at-war-trust-at-stake

Deep Packet Inspection: How it Works and its Impact on Privacy

amber — 2016-12-16T23:14:49Z

In the last few years, there has been extensive debate and discussion around network neutrality in India. The online campaign in favor of Network Neutrality was led by Savetheinternet.in in India. The campaign was a spectacular success and facilitated sending over a million emails supporting the cause of network neutrality, eventually leading to ban on differential pricing. Following in the footsteps of the Shreya Singhal judgement, the fact that the issue of net neutrality has managed to attract wide public attention is an encouraging sign for a free and open Internet in India. Since the debate has been focused largely on zero rating, other kinds of network practices impacting network neutrality have yet to be comprehensively explored in the Indian context, nor their impact on other values. In this article, the author focuses on network management, in general, and deep packet inspection, in particular and how it impacts the privacy of users.

Background

In the last few years, there has been extensive debate and discussion around network neutrality in India. The online campaign in favor of Network Neutrality was led by Savetheinternet.in in India. The campaign, captured in detail by an article in Mint, ^{^[1]} was a spectacular success and facilitated sending over a million emails supporting the cause of network neutrality, eventually leading to ban on differential pricing. Following in the footsteps of the Shreya Singhal judgement, the fact that the issue of net neutrality has managed to attract wide public attention is an encouraging sign for a free and open Internet in India. Since the debate has been focused largely on zero rating, other kinds of network practices impacting network neutrality have yet to be comprehensively explored in the Indian context, nor their impact on other values. In this article, I focus on network management, in general, and deep packet inspection, in particular and how it impacts the privacy of users.

The Architecture of the Internet

The Internet exists as a network acting as an intermediary between providers of content and it users. ^{^[2]} Traditionally, the network did not distinguish between those who provided content and those who were recipients of this service, in fact often, the users also functioned as content providers. The architectural design of the Internet mandated that all content be broken down into data packets which were transmitted through nodes in the network transparently from the source machine to the destination machine.^{^[3]} As discussed in detail later, as per the OSI model, the network consists of 7 layers. We will go into each of these layers in detail below, however is important to understand that at the base is the physical layer of cables and wires, while at the top is application layer which contains all the functions that people want to perform on the Internet and the content associated with it. The layers in the middle can be characterised as the protocol layers for the purpose of this discussion. What makes the architecture of the Internet remarkable is that these layers are completely independent of each other, and in most cases, indifferent to the other layers. The protocol layer is what impacts net neutrality. It is this layer which provides the standards for the manner in which the data must flow through the network. The idea was for the it to be as simple and feature free as possible such that it is only concerned with the transmission data as fast as possible ('best efforts principle') while innovations are pushed to the layers above or below it.^{^[4]}

This aspect of the Internet's architectural design, which mandates that network features are implemented as the end points only (destination and source machine), i.e. at the application level, is called the 'end to end principle'.^{^[5]} This means that the intermediate nodes do not differentiate between the data packets in any way based on source, application or any other feature and are only concerned with transmitting data as fast as possible, thus creating what has been described as a 'dumb' or neutral network. ^{^[6]} This feature of the Internet architecture was also considered essential to what Jonathan Zittrain has termed as the 'generative' model of the Internet.^{^[7]} Since, the Internet Protocol remains a simple layer incapable of discrimination of any form, it meant that no additional criteria could be established for what kind of application would access the Internet. Thus, the network remained truly open and ensured that the Internet does not privilege or become the preserve of a class of applications, nor does it differentiate between the different kinds of technologies that comprise the physical layer below.

While the above model speaks of a dumb network not differentiating between the data packets that travel through it, in truth, the network operators engage in various kinds of practices that priorities, throttle or discount certain kinds of data packets. In her thesis essay at the Oxford Internet Institute, Alissa Cooper^{^[8]} states that traffic management involves three different set of criteria- a) Some subsets of traffic needs to be managed, and arriving at a criteria to identify those subsets the criteria can be based on source, destination, application or users, b) Trigger for the traffic management measure which - could be based upon time of the day, usage threshold or a specific network condition, and c) the traffic treatment put into practice when the trigger is met. The traffic treatment can be of three kinds. The first is Blocking, in which traffic is prevented from being delivered. The second is Prioritization under which identified traffic is sent sooner or later. This is usually done in cases of congestion and one kind of traffic needs to be prioritized. The third kind of treatment is Rate limiting where identified traffic is limited to a defined sending rate.^{^[9]} The dumb network does not interfere with an application's operation, nor is it sensitive to the needs of an application, and in this way it treats all information sent over it as equal. In such a network, the content of the packets is not examined, and Internet providers act according to the destination of the data as opposed to any other factor. However, in order to perform traffic management in various circumstances, Deep packet Inspection technology, which does look at the content of data packets is commonly used by service providers.

Deep Packet Inspection

Deep packet inspection (DPI) enables the examination of the content of a data packets being sent over the Internet. Christopher Parsons explains the header and the payload of a data packet with respect to the OSI model. In order to understand this better, it is more useful to speak of network in terms of the seven layers in the OSI model as opposed to the three layers discussed above.^{^[10]}

Under the OSI model, the top layer, the Application Layer is in contact with the software making a data request. For instance, if the activity in question is accessing a webpage, the web-browser makes a request to access a page which is then passed on to the lower layers. The next layer is the Presentation Layer which deals with the format in which the data is presented. This lateral performs encryption and compression of the data. In the above example, this would involve asking for the HTML file. Next comes the Session Layer which initiates, manages and ends communication between the sender and receiver. In the above example, this would involve transmitting and regulating the data of the webpage including its text, images or any other media. These three layers are part of the 'payload' of the data packet.^{^[11]}

The next four layers are part of the 'header' of the data packet. It begins with the Transport Layer which collects data from the Payload and creates a connection between the point of origin and the point of receipt, and assembles the packets in the correct order. In terms of accessing a webpage, this involves connecting the requesting computer system with the server hosting the data, and ensuring the data packets are put together in an arrangement which is cohesive when they are received. The next layer is the Data Link Layer. This layer formats the data packets in such a way that that they are compatible with the medium being used for their transmission. The final layer is the Physical Layer which determines the actual media used for transmitting the packets.^{^[12]}

The transmission of the data packet occurs between the client and server, and packet inspect occurs through some equipment placed between the client and the server. There are various ways in which packet inspection has been classified and the level of depth that the inspection needs to qualify in order to be categorized as Deep Packet Inspection. We rely on Parson's classification system in this article. According to him, there are three broad categories of packet inspection - shallow, medium and deep.^{^[13]}

Shallow packet inspection involves the inspection of the only the header, and usually checking it against a blacklist. The focus in this form of inspection is on the source and destination (IP address and packet;s port number). This form of inspection primarily deals with the Data Link Layer and Network Layer information of the packet. Shallow Packet Inspection is used by firewalls.^{^[14]}

Medium Packet Inspection involves equipment existing between computers running the applications and the ISP or Internet gateways. They use application proxies where the header information is inspected against their loaded parse-list and used to look at a specific flows. These kinds of inspections technologies are used to look for specific kinds of traffic flows and take pre-defined actions upon identifying it. In this case, the header and a small part of the payload is also being examined.^{^[15]}

Finally, Deep Packet Inspection (DPI) enables networks to examine the origin, destination as well the content of data packets (header and payload). These technologies look for protocol non-compliance, spam, harmful code or any specific kinds of data that the network wants to monitor. The feature of the DPI technology that makes it an important subject of study is the different uses it can be put to. The use cases vary from real time analysis of the packets to interception, storage and analysis of contents of a packets.^{^[16]}

The different purposes of DPI

Network Management and QoS

The primary justification for DPI presented is network management, and as a means to guarantee and ensure a certain minimum level of QoS (Quality of Service). Quality of Service (QoS) as a value conflicting with the objectives of Network Neutrality, has emerged as a significant discussion point in this topic. Much like network neutrality, QoS is also a term thrown around in vague, general and non-definitive references. The factors that come into play in QoS are network imposed delay, jitter, bandwidth and reliability. Delay, as the name suggests, is the time taken for a packet to be passed by the sender to the receiver. Higher levels of delay are characterized by more data packets held 'in transit' in the network. ^{^[17]} A paper by Paul Ferguson and Geoff Huston described the TCP as a 'self clocking' protocol.^{^[18]} This enables the transmission rate of the sender to be adjusted as per the rate of reception by the receiver. As the delay and consequent stress on the protocol increases, this feedback ability begins to lose its sensitivity. This becomes most problematic in cases of VoIP and video applications. The idea of QoS generally entails consistent service quality with low delay, low jitter and high reliability through a system of preferential treatment provided to some traffic on a criteria formulated around the need of such traffic to have greater latency sensitivity and low delay and jitter. This is where Deep Packet Inspection comes into play. In 1991, Cisco pioneered the use of a new kind of router that could inspect data packets flowing through the network. DPI is able to look inside the packets and its content, enabling it to classify packets according to a formulated policy. DPI, which was used a security tool, to begin with, is a powerful tool as it allows ISPs to limit or block specific applications or improve performances of applications in telephony, streaming and real-time gaming. Very few scholars believe in an all-or-nothing approach to network neutrality and QoS and debate often comes down to what forms of differentiations are reasonable for service providers to practice. ^{^[19]}

Security

Deep Packet inspection was initially intended as a measure to manage the network and protect it from transmitting malicious programs . As mentioned above, Shallow Packet Inspection was used to secure LANs and keep out certain kinds of unwanted traffic. ^{^[20]} Similarly, DPI is used for identical purposes, where it is felt useful to enhance security and complete a 'deeper' inspection that also examines the payload along with the header information.

Surveillance

The third purpose of DPI is what concerns privacy theorists the most. The fact that DPI technologies enable the network operators to have access to the actual content of the data packets puts them a position of great power as well as making them susceptible to significant pressure from the state. ^{^[21]} For instance, in US, the ISPs are required to conform to the provisions of the Communications Assistance for Law Enforcement Act (CALEA) which means they need to have some surveillance capacities designed into their systems. What is more disturbing for privacy theorists compared to the use of DPI for surveillance under legislation like CALEA, are the other alleged uses by organisation like the National Security Agency through back end access to the information via the ISPs. Aside from the US government, there have been various reports of use of DPI by governments in countries like China,^{^[22]} Malaysia^{^[23]} and Singapore. ^{^[24]}

Behavioral targeting

DPI also enables very granular tracking of the online activities of Internet users. This information is invaluable for the purposes of behavioral targeting of content and advertising. Traditionally, this has been done through cookies and other tracking software. DPI allows new way to do this, so far exercised only through web-based tools to ISPs and their advertising partners. DPI will enable the ISPs to monitor contents of data packets and use this to create profiles of users which can later be employed for purposes such as targeted advertising. ^{^[25]}

Impact on Privacy

Each of the above use-cases has significant implications for the privacy of Internet users as the technology in question involves access, tracking or retention of their online communication and usage activity.

Alyssa Cooper compares DPI with other technologies carrying out content inspection such as caching services and individual users employing firewalls or packet sniffers. She argues that one of the most distinguishing feature of DPI is the potential for "mission-creep." ^{^[26]} Kevin Werbach writes that while networks may deploy DPI for implementation under CALEA or traffic peer-to-peer shaping, once deployed DPI techniques can be used for completely different purposes such as pattern matching of intercepted content and storage of raw data or conclusions drawn from the data.^{^[27]} This scope of mission creep is even more problematic as it is completely invisible. As opposed to other technologies which rely on cookies or other web-based services, the inspection occurs not at the end points, but somewhere in the middle of the network, often without leaving any traces on the user's system, thus rendering them virtually undiscoverable.

Much like other forms of surveillance, DPI threatens the sense that the web is a space where people can engage freely with a wide range of people and services. For such a space to continue to exist, it is important for people to feel secure about their communication and transaction on medium. This notion of trust is severely harmed by a sense that users are being surveilled and their communication intercepted. This has obvious chilling effect on free speech and could also impact electronic commerce.^{^[28]}

Allyssa Cooper also points out another way in which DPI differs from other content tracking technologies. As the DPI is deployed by the ISPs, it creates a greater barrier to opting out and choosing another service. There are only limited options available to individuals as far as ISPs are concerned. Christopher Parsons does a review of ISPs using DPI technology in UK, US and Canada and offers that various ISPs do provide in their terms of services that they use DPI for network management purposes. However, this information is often not as easily accessible as the terms and conditions of online services. A;so, As opposed to online services, where it is relatively easier to migrate to another service, due to both presence of more options and the ease of migration, it is a much longer and more difficult process to change one's ISP.^{^[29]}

Measures to mitigate risk

Currently, there are no existing regulatory frameworks in India which deal govern DPI technology in any way. The International Telecommunications Union (ITU) prescribes a standard for DPI^{^[30]} however, the standard does not engage with any questions of privacy and requires all DPI technologies to be capable of identifying payload data, and prescribing classification rules for specific applications, thus, conflicting with notions of application agnosticism in network management. More importantly, the requirements to identify, decrypt and analyse tunneled and encrypted data threaten the reasonable expectation of privacy when sending and receiving encrypted communication. In this final section, I look at some possible principles and practices that may be evolved in order to mitigate privacy risks caused due to DPI technology.

Limiting 'depth' and breadth

It has been argued that inherently what DPI technology intends to do is matching of patterns in the inspected content against a pre-defined list which is relevant to the purpose how which DPI is employed. Much like data minimization principles applicable to data controllers and data processors, it is possible for network operators to minimize the depth of the inspection (restrict it to header information only or limited payload information) so as to serve the purpose at hand. For instance, in cases where the ISP is looking to identify peer-to-peer traffic, there are protocols which declare their names in the application header itself. Similarly, a network operators looking to generate usage data about email traffic can do so simply by looking at port number and checking them against common email ports.^{^[31]} However, this mitigation strategy may not work well for other use-cases such as blocking malicious software or prohibited content or monitoring for the sake of behavioral advertising.

While depth referred to the degree of inspection within data packets, breadth refers to the volume of packets being inspected. Alyssa Cooper argues that for many DPI use cases, it may be possible to rely on pattern matching on only the first few data packets in a flow, in order to arrive at sufficient data to take appropriate response. Cooper uses the same example about peer-to-peer traffic. In some cases, the protocol name may appear on the header file of only the first packet of a flow between two peers. In such circumstances, the network operators need not look beyond the header files of the first packet in a flow, and can apply the network management rule to the entire flow.^{^[32]}

Data retention

Aside from the depth and breadth of inspection, another important question whether and for along is there a need for data retention. All use cases may not require any kind of data retention and even in case where DPI is used for behavioral advertising, only the conclusions drawn may be retained instead of retaining the payload data.

Transparency

One of the issues is that DPI technology is developed and deployed outside the purview of standard organizations like ISO. Hence, there has been a lack of open, transparent standards development process in which participants have deliberated the impact of the technology. It is important for DPI to undergo these process which are inclusive, in that there is participation by non-engineering stakeholders to highlight the public policy issues such as privacy. Further, aside from the technology, the practices by networks need to be more transparent. ^{^[33]} Disclosure of the presence of DPI, the level of detail being inspected or retained and the purpose for deployment of DPI can be done. Some ISPs provide some of these details in their terms of service and website notices. ^{^[34]} However, as opposed to web-based services, users have limited interaction with their ISP. It would be useful for ISPs to enable greater engagement with their users and make their practices more transparent.

Conclusion

The very nature of of the DPI technology renders some aspects of recognized privacy principles like notice and consent obsolete. The current privacy frameworks under FIPP^{^[35]} and OECD ^{^[36]} rely on the idea of empowering the individual by providing them with knowledge and this knowledge enables them to make informed choices. However, for this liberal conception of privacy to function meaningfully, it is necessary that there are real and genuine choices presented to the alternatives. While some principles like data minimisation, necessity and proportionality and purpose limitation can be instrumental in ensuring that DPI technology is used only for legitimate purposes, however, without effective opt-out mechanisms and limited capacity of individual to assess the risks, the efficacy of privacy principles may be far from satisfactory.

The ongoing Aadhaar case and a host of surveillance projects like CMS, NATGRID, NETRA^{^[37]} and NMAC ^{^[38]} have raised concerns about the state conducting mass-surveillance, particularly of online content. In this regard, it is all the more important to recognise the potential of Deep Packet Inspection technologies for impact on privacy rights of individuals. Earlier, the Centre for Internet and Society had filed Right to Information applications with the Department of Telecommunications, Government of India regarding the use of DPI, and the government had responded that there was no direction/reference to the ISPs to employ DPI technology. ^{^[39]} Similarly, MTNL also responded to the RTI Applications and denied using the technology.^{^[40]} It is notable though, that they did not respond to the questions about the traffic management policies they follow. Thus, so far there has been little clarity on actual usage of DPI technology by the ISPs.

^{^[1]} Ashish Mishra, "India's Net Neutrality Crusaders", available at http://mintonsunday.livemint.com/news/indias-net-neutrality-crusaders/2.3.2289565628.html

^{^[2]} http://www.livinginternet.com/i/iw_arch.htm

^{^[3]} Vinton Cerf and Robert Kahn, "A protocol for packet network intercommunication", available at https://www.semanticscholar.org/paper/A-protocol-for-packet-network-intercommunication-Cerf-Kahn/7b2fdcdfeb5ad8a4adf688eb02ce18b2c38fed7a

^{^[4]} Paul Ganley and Ben Algove, "Network Neutrality-A User's Guide", available at http://wiki.commres.org/pds/NetworkNeutrality/NetNeutrality.pdf

^{^[5]} J H Saltzer, D D Clark and D P Reed, "End-to-End arguments in System Design", available at http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf

^{^[6]} Supra Note 4.

^{^[7]} Jonathan Zittrain, The future of Internet - and how to stop it, (Yale University Press and Penguin UK, 2008) available at https://dash.harvard.edu/bitstream/handle/1/4455262/Zittrain_Future%20of%20the%20Internet.pdf?sequence=1

^{^[8]} Alissa Cooper, How Regulation and Competition Influence Discrimination in Broadband Traffic Management: A Comparative Study of Net Neutrality in the United States and the United Kingdom available at http://ora.ox.ac.uk/objects/uuid:757d85af-ec4d-4d8a-86ab-4dec86dab568

^{^[9]} Id .

^{^[10]} Christopher Parsons, "The Politics of Deep Packet Inspection: What Drives Surveillance by Internet Service Providers?", available at https://www.christopher-parsons.com/the-politics-of-deep-packet-inspection-what-drives-surveillance-by-internet-service-providers/ at 15.

^{^[11]} Ibid at 16.

^{^[12]} Id .

^{^[13]} Ibid at 19.

^{^[14]} Id .

^{^[15]} Id .

^{^[16]} Jay Klein, "Digging Deeper Into Deep Packet Inspection (DPI)", available at http://spi.unob.cz/papers/2007/2007-06.pdf

^{^[17]} Tim Wu, "Network Neutrality: Broadband Discrimination", available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=388863

^{^[18]} Paul Ferguson and Geoff Huston, "Quality of Service on the Internet: Fact, Fiction,

or Compromise?", available at http://www.potaroo.net/papers/1998-6-qos/qos.pdf

^{^[19]} Barbara van Schewick, "Network Neutrality and Quality of Service: What a non-discrimination Rule should look like", available at http://cyberlaw.stanford.edu/downloads/20120611-NetworkNeutrality.pdf

^{^[20]} Supra Note 14.

^{^[21]} Paul Ohm, "The Rise and Fall of Invasive ISP Surveillance," available at http://paulohm.com/classes/infopriv10/files/ExcerptOhmISPSurveillance.pdf

^{^[22]} Ben Elgin and Bruce Einhorn, "The great firewall of China", available at http://www.bloomberg.com/news/articles/2006-01-22/the-great-firewall-of-china .

^{^[23]} Mike Wheatley, "Malaysia's Web Heavily Censored Before Controversial Elections", available at http://siliconangle.com/blog/2013/05/06/malaysias-web-heavily-censored-before-controversial-elections/

^{^[24]} Fazal Majid, "Deep packet inspection rears it ugly head" available at https://majid.info/blog/telco-snooping/.

^{^[25]} Alissa Cooper, "Doing the DPI Dance: Assessing the Privacy Impact of Deep Packet Inspection," in W. Aspray and P. Doty (Eds.), Privacy in America: Interdisciplinary Perspectives, Plymouth, UK: Scarecrow Press, 2011 at 151.

^{^[26]} Ibid at 148.

^{^[27]} Kevin Werbach, "Breaking the Ice: Rethinking Telecommunications Law for the Digital Age", Journal of Telecommunications and High Technology, available at http://www.jthtl.org/articles.php?volume=4

^{^[28]} Supra Note 25 at 149.

^{^[29]} Supra Note 25 at 147.

^{^[30]} International Telecommunications Union, Recommendation ITU-T.Y.2770, Requirements for Deep Packet Inspection in next generation networks, available at https://www.itu.int/rec/T-REC-Y.2770-201211-I/en.

^{^[31]} Supra Note 25 at 154.

^{^[32]} Ibid at 156.

^{^[33]} Supra Note 10.

^{^[34]} Paul Ohm, "The Rise and Fall of Invasive ISP Surveillance", available at http://paulohm.com/classes/infopriv10/files/ExcerptOhmISPSurveillance.pdf .

^{^[35]} http://www.nist.gov/nstic/NSTIC-FIPPs.pdf

^{^[36]} https://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

^{^[37]} "India's Surveillance State" Software Freedom Law Centre, available at http://sflc.in/indias-surveillance-state-our-report-on-communications-surveillance-in-india/

^{^[38]} Amber Sinha, "Are we losing our right to privacy and freedom on speech on Indian Internet", DNA, available at http://www.dnaindia.com/scitech/column-are-we-losing-the-right-to-privacy-and-freedom-of-speech-on-indian-internet-2187527

^{^[39]} http://cis-india.org/telecom/use-of-dpi-technology-by-isps.pdf

^{^[40]} Smita Mujumdar, "Use of DPI Technology by ISPs - Response by the Department of Telecommunications" available at http://cis-india.org/telecom/dot-response-to-rti-on-use-of-dpi-technology-by-isps

For more details visit https://cis-india.org/internet-governance/blog/deep-packet-inspection-how-it-works-and-its-impact-on-privacy

Decrypting Automated Facial Recognition Systems (AFRS) and Delineating Related Privacy Concerns

Arindrajit Basu, Siddharth Sonkar — 2020-01-02T14:01:48Z

Arindrajit Basu and Siddharth Sonkar have co-written this blog as the first of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems?

The use of aggregated Big Data by governments has the potential to exacerbate power asymmetries and erode civil liberties like few technologies of the past. In order to guard against the aggressive aggregation and manipulation of the data generated by individuals who are branded as suspect, it is critical that our firmly established constitutional rights protect human dignity in the face of this potential erosion.

The increasing ubiquity of Automated Facial Recognition Systems (AFRS) serve as a prime example of the rising desire of governments to push fundamental rights to the brink. With AFRS, the core fundamental right in question is privacy, although questions have been posed regarding the potential violation of other related rights, such as the Right to Equality and the Right to Free Speech and Expression, as well.

There is a rich corpus of literature, (see here, here and an excellent recent paper by Smriti Parsheera here) from a diverse coterie of scholars that call out the challenges posed by AFRS, particularly with respect to its proportionality as a restriction over the right to privacy. Our contribution to this discourse focuses on a very specific question around a ‘reasonable expectation of privacy’ — the standard identified for the protection of privacy in public spaces across jurisdictions, including in India. This is because at this juncture, the precise nature of the AFRS which will eventually be used and the regulations it will be subject to are not clear.

In Retd. K.S Puttaswamy (Retd.) v. Union of India: Justice Chandrachud (Puttaswamy I), the Indian Supreme Court was concerned with the question whether there exists a fundamental right to privacy under the Indian Constitution. A nine-judge bench of the Court recognized that the right to privacy is a fundamental right implicit inter alia in the right to life within Article 21 of the Constitution.

The right to privacy protects people and not places. Every person is entitled, however, to a reasonable expectation of privacy. The expectation of privacy must be twofold. First, the person must prove that the alleged act could inflict some harm. Such harm must be real and not be speculative or imaginary. Second, society must recognize this expectation as reasonable. The test of reasonable expectations is contextual, i.e., the extent to which it safeguards privacy depends on the place at which the individual is.

In order to pass any constitutional test, therefore, AFRS must satisfy the ‘reasonable expectation’ test articulated in Puttaswamy. However, in this context, the test itself has multiple contours. Do we have a right to privacy in a public place? Is AFRS collecting any data that specifically violates a right to privacy? Is the aggregation of that data a potential violation?

After providing a brief introduction to the use cases of AFRS in India and across the world, we embark upon answering all these questions.

Primer on Automated Facial Recognition Systems (AFRS)

Facial recognition is a biometric technology that utilises cameras to match stored or live footage of individuals (including both stills and moving footage) with images or video from an existing database. Some systems might also be used to analyze broader demographic trends or conduct sentiment analysis through crowd scanning.

While the use of photographs and video footage have been core components of police investigation, the use of algorithms to process vast tracts of Big Data (characterized by ‘Volume, Velocity, and Variety), and compare disparate and discrete data points allows for the derivation of hitherto unfeasible insights on the subjects of Big Data.

The utilisation of AFRS for law enforcement is rapidly spreading around the world. A Global AI Surveillance Index compiled by the Carnegie Endowment for International Peace found that at least sixty-four countries are incorporating facial recognition systems into their AI surveillance programs.

Chinese technology company Yitu has entered into a partnership with security forces in Malaysia to equip police officers with facial recognition body cameras that, powered by enabling technologies, would allow a comparison of images caught by the live body cameras with images from several central databases.

In England and Wales, London Metropolitan Police, South Wales Police, and Leicestershire Police are all in the process of developing technologies that allow for the identification and comparison of live images with those stored in a database.

The technology is being developed by Japanese firm NEC and the police force has limited ability to oversee or modify the software, given its proprietary nature. The Deputy Chief of South Wales Police stated that “the tech is given to [them] as a sealed box… [and the police force themselves] have no input – whatever it does, it does what it does.”

In the US, Baltimore’s police set up facial recognition cameras to track and arrest protestors — a system that reached its zenith during the 2018 riots in the city.

It is suspected that authorities in Hong Kong are also using AFRS to clamp down on the ongoing pro-democracy protests.

In India, the Ministry of Home Affairs, through the National Crime Records Bureau put out a tender for a new AFRS, whose stated objective is to “act as a foundation for national level searchable platform of facial images.” The AFRS will pull facial image data from CCTV feeds and compare these with existing records across databases including the Crime and Criminal Tracking Networks and Systems (CCTNS), Inter-operable Criminal Justice System (or ICJS), Immigration Visa Foreigner Registration Tracking (IVFRT), Passport, Prisons and state police records.

Plans are also afoot to integrate this with the yet to be deployed National Automated Fingerprint Identification System (NAFIS), thereby creating a multi-faceted surveillance system.

Despite raising eyeballs due to its potential all-pervasive scope, this tender is not the first instance of AFRS being used by Indian authorities. Punjab Police, in partnership with Gurugram-based start-up Staqu has launched and commenced implementation of the Punjab Artificial Intelligence System (PAIS) which uses digitised criminal records and automated facial recognition to retrieve information on a suspected criminal and essentially tracks their public whereabouts, which poses potential constitutional questions.

This was published by AI Policy Exchange.

For more details visit https://cis-india.org/internet-governance/decrypting-automated-facial-recognition-systems-afrs-and-delineating-related-privacy-concerns

Deconstructing ‘Internet addiction’

radha — 2011-04-02T15:09:28Z

An article by Sruthi Krishnan and Shyam Ranganathan in The Hindu on August 30th,'09

CHENNAI: Earlier this week, the first rehabilitation centre for ‘Internet addicts’ was opened in the United States. De-addiction camps in China were in the news recently for the death of a teenager because of the brutal methods used there to cure ‘Internet addiction.’

‘Internet addiction’ for now is a catch-all term that not only stands for addiction to specific activities such as gambling or gaming but also refers to longer hours devoted to the computer network at the expense of other activities.

Though the Internet is only a medium of communication and information transmission like the printed book or television, ‘addiction’ is being used in this case with concern because of a fundamental dialectic: ‘quantity becomes quality.’

“A whole new world is just a click away with the Internet. It is a medium just like books and TV, but the amount of interaction it makes possible with others, sometimes replacing the need for real world interaction, makes it vastly different,” says E.S. Krishnamoorthy, consultant neuropsychiatrist, Voluntary Health Services, Chennai.

Though chemical changes may not be induced by the broadly repetitive action involved in gaming and general ‘Internet addiction,’ social behavioural modifications do take place, including sleep deprivation and aggression towards the depriver of access to the Internet, he says.

“It is somewhat between Obsessive Compulsive Disorder (OCD) and addiction due to substance abuse. Substance abuse-led addiction focusses on gratification which this form of attachment provides, though there is no chemical ingestion. At the same time, the behavioural modifications are similar to those with OCD. It is almost like the ‘rush’ gamblers get out of a purely gratification-oriented repetitive action,” Dr. Krishnamoorthy adds.

Generational gap

Sunil Abraham, director-policy, Centre for Internet and Society, Bangalore, says what constitutes ‘Internet addiction’ is sometimes misunderstood because of a generational gap between those who grew up immersed in technology and those who adopted technology later in their lives.

Can a teenager’s extensive use of social networking be categorised as ‘addiction’? Not necessarily. Social networking could lead to forging new relationships which could be beneficial.

For now, such activities may not be the norm, but it could be the way our society is configured in the future, says Mr. Abraham.

The Internet itself offers solutions to balance your real and virtual activities. For instance, ‘Freedom’ is an application that disables networking on an Apple computer for up to eight hours at a time. In the settings of Google mail, you can enable ‘Email addict’ (a Google Labs feature) that disables your screen and makes you invisible on chat for 15 minutes. There are many such timer software that let you set a period for which a certain activity would be banned.

Dr. Krishnamoorthy advocates counselling and concerted effort to increase real world social interactions for “treating” Internet addiction. He warns that the problem is larger in that we are creating an “inward-looking society.”

“There is a big problem on hand if many people replace the real world with the Internet instead of using it as a device to enhance interactions,” he says.

Mr. Abraham says controls should come from a more open and informed discussion, of which even children are a part. Dubbing an activity not fully understood an “addiction” and imposing old-fashioned controls are not the right approach, he adds.

For more details visit https://cis-india.org/news/deconstructing-2018internet-addiction2019

Decline in web freedom steepest in India: Report

praskrishna — 2013-10-24T03:50:51Z

In a report on the state of internet in 60 countries, Freedom House, a US-based organization, said that in 2013 India saw the "most significant year-on-year decline" in terms of the web freedom.

The article by Javed Anwer was published in the Times of India on October 3, 2013. Sunil Abraham is quoted.

The report said that that the internet in India was "partly free". This is the same status that India had in 2012. But the country's score is now 47 points (higher means more censorship) in 2013 compared to 39 in 2012. The 8-point fall is the steepest Freedom House found among all 60 countries that the group surveyed. Freedom House said it recorded 5-point fall in Brazil, Venezuela and the US.

Despite mass surveillance revealed by Edward Snowden, a former contractor for National Security Agency in the US, Freedom House calls the web in the country "free".

The Freedom House report said that in 2013 India "suffered from deliberate interruptions of mobile and internet service to limit unrest, excessive blocks on content during rioting in northeastern states, and an uptick in the filing of criminal charges against ordinary users for posts of social media sites".

In 2013, India's commitment to the web freedom has not only been worse than developed countries but has also been inferior to countries like Malawi, Tunisia and Mexico.

In the case of India, Freedom House particularly singles out Central Monitoring System, which Indian government is putting in place to regulate and monitor the web usage within the country. "Surveillance (under CMS) requires no judicial oversight. While some of this activity might be justifiable, the lack of transparency surrounding the system, which was never reviewed by Parliament, is concerning," it notes in the report. "The system's potential for abuse is also disquieting, as is its inadequate legal framework.

The report cites the case of the girl who was arrested for liking a Facebook post in Maharashtra, blocking of some Twitter accounts belonging to Indian users, overly broad court directives that have resulted in blocking of websites and a general lack of transparency in how Indian government blocks or filters content reach a conclusion that Indians now have less freedom on how they use the web.

Sunil Abraham, director at Bangalore-based Centre for Internet and Society, says that Freedom House reports are not very accurate because they don't factor in censorship by copyright holders. But he agreed with its basic premise that in India conditions for web users are getting more difficult.

"The report is absolutely right in pointing out that censorship and surveillance in India is increasing. Despite protests from many quarters, it is a real pity that the government is not taking steps to amend the IT act and has joined other nation states in the global race to the bottom of the internet freedom," said Abraham.

Anja Kovacs, founder of Delhi-based Internet Democracy Project, agrees. "I have some issues with Freedom House reports due to how they are prepared and their methodologies. But yes I can say that last year has been very eventful and difficult," said. "But at the same time, there has also been a lot of push back from web users and activists. There have been conversations around the issue of web censorship, which is good."

Globally, the web surveillance is on the rise. "Broad surveillance, new laws controlling web content, and growing arrests of social-media users drove a worldwide decline in internet freedom in the past year," noted Freedom House.

Overall, 34 out of 60 countries part of the report saw a decline in the web freedom. "Vietnam and Ethiopia continued on a worsening cycle of repression; Venezuela stepped up censorship during presidential elections; and three democracies—India, the United States, and Brazil—saw troubling declines," noted the report.

Iceland and Estonia topped the list of countries with the greatest degree of internet freedom. China, Cuba, and Iran were found to be the most repressive countries.

For more details visit https://cis-india.org/news/times-of-india-october-3-2013-javed-anwer-decline-in-web-freedom-steepest-in-india

Deceptive Design in Voice Interfaces: Impact on Inclusivity, Accessibility, and Privacy

Saumyaa Naidu and Shweta Mohandas — 2023-08-08T15:22:51Z

This article was commissioned by the Pranava Institute, as part of their project titled Design Beyond Deception, supported by the University of Notre Dame - IBM's Tech Ethics Lab.” The article examines the design of voice interfaces (VI) to anticipate potential deceptive design patterns in VIs. It also presents design and regulatory recommendations to mitigate these practices.

The original blog post can be accessed here.

Introduction

Voice Interfaces (VIs) have come a long way in recent years and are easily available as inbuilt technology with smartphones, downloadable applications, or standalone devices. In line with growing mobile and internet connectivity, there is now an increasing interest in India in internet-based multilingual VIs which have the potential to enable people to access services that were earlier restricted by language (primarily English) and interface (text-based systems). This current interest has seen even global voice applications such as Google Home and Amazon’s Alexa being available in Hindi (Singal, 2019) as well as the growth of multilingual voice bots for certain banks, hotels, and hospitals (Mohandas, 2022).

The design of VIs can have a significant impact on the behavior of the people using them. Deceptive design patterns or design practices that trick people into taking actions they might otherwise not take (Tech Policy Design Lab, n.d.), have gradually become pervasive in most digital products and services. Their use in visual interfaces has been widely criticized by researchers (Narayanan, Mathur, Chetty, and Kshirsagar, 2020), along with recent policy interventions (Schroeder and Lützow-Holm Myrstad, 2022) as well. As VIs become more relevant and mainstream, it is critical to anticipate and address the use of deceptive design patterns in them. This article, based on our learnings from the study of VIs in India, examines the various types of deceptive design patterns in VIs and focuses on their implications in terms of linguistic barriers, accessibility, and privacy.

Potential deceptive design patterns in VIs

Our research findings suggest that VIs in India are still a long way off from being inclusive, accessible and privacy-preserving. While there has been some development in multilingual VIs in India, their compatibility has been limited to a few Indian languages (Mohandas, 2022) (Naidu, 2022)., The potential of VIs as a tool for people with vision loss and certain cognitive disabilities such as dyslexia is widely recognized (Pradhan, Mehta, and Findlater, 2018), but our conversations suggest that most developers and designers do not consider accessibility when conceptualizing a voice-based product, which leads to interfaces that do not understand non standard speech patterns, or have only text-based privacy policies (Mohandas, 2022). Inaccessible privacy policies full of legal jargon along with the lack of regulations specific to VIs, also make people vulnerable to privacy risks.

Deceptive design patterns can be used by companies to further these gaps in VIs. As with visual interfaces, the affordances and attributes of VI can determine the way in which they can be used to manipulate behavior. Kentrell Owens, et.al in their recent research lay down six unique properties of VIs that may be used to implement deceptive design patterns (Owens, Gunawan, Choffnes, Emami-Naeini, Kohno, and Roesner, 2022). Expanding upon these properties, and drawing from our research, we look at how they can be exacerbated in India.

Making processes cumbersome

VIs are often limited by their inability to share large amounts of information through voice. They thus operate in combination with a smartphone app or a website. This can be intentionally used by platforms to make processes such as changing privacy settings or accessing the full privacy notice inconvenient for people to carry out. In India, this is experienced while unsubscribing from services such as Amazon Prime (Owens et al., 2022). Amazon Echo Dot presently allows individuals to subscribe to an Amazon Prime membership using a voice command, but directs them to use the website in order to unsubscribe from the membership. This can also manifest in the form of canceling orders and changing privacy settings.

VIs follow a predetermined linear structure that ensures a tightly controlled interaction. People make decisions based on the information they are provided with at various steps. Changing their decision or switching contexts could involve going back several steps. People may accept undesirable actions from the VI in order to avoid this added effort (Owens et al., 2022). The urgency to make decisions on each step can also cause people to make unfavorable choices such as allowing consent to third party apps. The VI may prompt advertisements and push for the company’s preferred services in this controlled conversation structure, which the user cannot side-step. For example, while setting up the Google voice assistant on any device, it nudges people to sign into their Google account. This means the voice assistant gets access to their web and app activity and location history at this step. While the data management of Google accounts can be tweaked through the settings, it may get skipped during a linear set-up structure. Voice assistants can also push people to opt into features such as ads personalisation, default news sources, and location tracking.

Making options difficult to find

Discoverability is another challenge for VIs. This means that people might find it difficult to discover available actions or options using just voice commands. This gap can be misused by companies to trick people into making undesirable choices. For instance, while purchasing items, the VI may suggest products that have been sponsored and not share full information on other cheaper products, forcing people to choose without complete knowledge of their options. Many mobile based voice apps in India use a combination of images or icons with the voice prompts to enable discoverability of options and potential actions, which excludes people with vision loss (Naidu, 2022). These apps comprise a voice layer added to an otherwise touch-based visual platform so that people are able to understand and navigate through all available options using the visual interface, and use voice only for purposes such as searching or narrating. This means that these apps cannot be used through voice alone, making them disadvantageous for people with vision loss.

Discreet integration with third parties

VIs can use the same voice for varying contexts. In the case of Alexa, Skills, which are apps on its platform, have the same voice output and invocation phrases as its own in-built features. End users find it difficult to differentiate between an interaction with Amazon and that with Skills which are third-party applications. This can cause users to share information that they otherwise would not have with third parties (Mozilla Foundation, 2022). There are numerous Amazon Skills inHindi and people might not be aware that the developers of these Skills are not vetted by Amazon. This misunderstanding can create significant privacy or security risks if Skills are linked to contacts, banking, or social media accounts.

Lack of language inclusivity

The lack of local language support, colloquial translations, and accents can lead to individuals not receiving clear and complete information. VI’s failure to understand certain accents can also make people feel isolated (Harwell, 2018). While in India voice assistants and even voice bots are available in few Indic languages, the default initial setup, privacy policies, and terms and conditions are still in English. The translated policies also use literary language which is difficult for people to understand, and miss out on colloquial terms. This could mean that the person might have not fully understood these notices and hence not have given informed consent. Such use of unclear language and unavailability of information in Indic languages can be viewed as a deceptive design pattern.

Making certain choices more apparent

The different dimensions of voice such as volume, pitch, rate, fluency, pronunciation, articulation, and emphasis can be controlled and manipulated to implement deceptive design patterns. VIs may present the more privacy-invasive options more loudly or clearly, and the more privacy-preserving options more softly or quickly. It can use tone modulations to shame people into making a specific choice (Owens et al., 2022). For example, media streaming platforms may ask people to subscribe for a premium account to avoid ads in normal volume and mention the option to keep ads in a lower volume. Companies have also been observed to discreetly integrate product advertisements in voice assistants using tone. SKIN, a neurotargeting advertising strategy business, used a change of tone of the voice assistant to suggest a dry throat to advertise a drink (Chatellier, Delcroix, Hary, and Girard-Chanudet, 2019).

The attribution of gender, race, class, and age through stereotyping can create a persona of the VI for the user. This can extend to personality traits, such as an extroverted or an introverted, docile or aggressive character (Simone, 2020). The default use of female voices with a friendly and polite persona for voice assistants has drawn criticism for perpetuating harmful gender stereotypes (Cambre and Kulkarni, 2019). Although there is an option to change the wake word “Alexa” in Amazon’s devices, certain devices and third party apps do not work with another wake word (Ard, 2021). Further, projection of demographics can also be used to employ deceptive design patterns. For example, a VI persona that is constructed to create a perception of intelligence, reliability, and credibility can have a stronger influence on people’s decisions. Additionally, the effort to make voice assistants as human sounding as possible without letting people know they are human, could create a number of issues (X. Chen and Metz, 2019). First time users might divulge sensitive information thinking that they are interacting with a person. This becomes more ethically challenging when persons with vision loss are not able to know who they are interacting with.

Recording without notification

Owens et al speak about VIs occupying physical domains due to which they have a much wider impact as opposed to a visual interface (Owens et al., 2022). The always-on nature of virtual assistants could result in personal information of a guest being recorded without their knowledge or consent as consent is only given at the setup stage by the owner of the device or smartphone.

Making personalization more convenient through data collection

VIs are trained to adapt to the experience and expertise of the user. Virtual assistants provide personalization and the possibility to download a number of skills, save payment information, and phone contacts. In order to facilitate differentiation between multiple users on the same VI, individuals talking to the device are profiled based on their speech patterns and/or voice biometrics. This also helps in controlling or restricting content for children (Naidu, 2022). There is also tracking of commands to identify and list their intent for future use. The increase of specific and verified data can be used to provide better targeted advertisements, as well possibly be shared with law enforcement agencies in certain cases. Recently, a payment gateway company was made to share customer information to the law enforcement without their customer’s knowledge. This included not just the information about the client but also revealed sensitive personal data of the people who had used the gateway for transactions to the customer. While providing such details are not illegal and companies are meant to comply with requests from law enforcement, if more people knew of the possibility of every conversation of the house being accessible to law enforcement they would make more informed choices of what the VI records.

Reducing friction in actions desired by the platform

One of the fundamental advantages of VIs is that it can reduce several steps to perform an action using a single command. While this is helpful to people interacting with it, the feature can also be used to reduce friction from actions that the platform wants them to take. These actions could include sharing sensitive information, providing consent to further data sharing, and making purchases. An example of this can be seen where children have found it very easy to purchase items using Alexa (BILD, 2019).

Recommendations for Designers and Policymakers

Through these deceptive design patterns, VIs can obstruct and control information according to the preferences of the platform. This can result in a heightened impact on people with less experience with technology. Presently, profitability is a key driving factor for development and design of VI products. There is more importance given to data-based and technical approaches, and interfaces are often conceptualized by people with technical expertise with lack of inputs from designers at the early stages (Naidu, 2022). Designers also focus more on the usability and functionality of the interfaces by enabling personalization, but are often not as sensitive to safeguarding the rights of individuals using them. In order to tackle deceptive design, designers must work towards prioritizing ethical practice, and building in more agency and control for people who use VIs.

Many of the potential deceptive design patterns can be addressed by designing for accessibility and inclusivity in a privacy preserving manner. This includes vetting third-party apps, providing opt-outs, and clearly communicating privacy notices. Privacy implications can also be prompted by the interface at the time of taking actions. There should be clear notice mechanisms such as a prominent visual cue to alert people when a device is on and recording, along with an easy way to turn off the ‘always listening’ mode. The use of different voice outputs for third party apps can also signal to people about who they are interacting with and what information they would like to share in that context.

Training data that covers a diverse population should be built for more inclusivity. A linear and time-efficient architecture is helpful for people with cognitive disabilities. But, this linearity can be offset by adding conversational markers that let the individual know where they are in the conversation (Pearl, 2016). This could address discoverability as well, allowing people to easily switch between different steps. Speech-only interactions can also allow people with vision loss to access the interface with clarity.

A number of policy documents including the 2019 version of India’s Personal Data Protection Bill, emphasize on the need for privacy by design. But, they do not mention how deceptive design practices could be identified and avoided, or prescribe penalties for using these practices (Naidu, Sheshadri, Mohandas, and Bidare, 2020). In the case of VI particularly, there is a need to look at it as biometric data that is being collected and have related regulations in place to prevent harm to users. In terms of accessibility as well, there could be policies that require not just websites but also apps (including voice based apps) to be compliant with international accessibility guidelines , and to conduct regular audits to ensure that the apps are meeting the accessibility threshold.

For more details visit https://cis-india.org/internet-governance/blog/deceptive-design-in-voice-interfaces-impact-on-inclusivity-accessibility-and-privacy

December 2018 Newsletter

praskrishna — 2019-01-08T16:15:38Z

We at the Centre for Internet & Society (CIS) wish you all a great year ahead and welcome you to the twelfth issue of its newsletter (December) for the year 2018:

Highlights

CIS signed a MoU with Odia Virtual Academy to work on drafting an open content policy for the state, to promote use of Wikimedia projects by various user types and to ensure sustainability of Wikimedia projects, and to facilitate development of relevant free and open source software projects. This partnership between OVA and CIS will be carried out from December 2018 to November 2019.
Natalia Khaniejo, in a four-part report has attempted to document the various approaches that are being adopted by different stakeholders towards incentivizing cybersecurity and the economic challenges of implementing the same. The literature review was edited by Amber Sinha.
Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah created an infographic which has mapped the key stakeholder, areas of focus and threat vectors that impact cybersecurity policy in India. The authors have stated that broadly policy-makers should concentrate on establishing a framework where individuals feel secure and trust the growing digital ecosystem.
In April 2018 European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). Vipul Kharbanda has analysed how service providers based in India whose services are also available in Europe would be affected by these proposals.
Feminist research methodology is a vast body of knowledge, spanning across multiple disciplines including sociology, media studies, and critical legal studies. A literature review by Ambika Tandon aims to understand key aspects of feminist methodology across these disciplines, with a particular focus on research on technology and its interaction with society.
CIS and design collective Design Beku came together for a workshop on Illustrations and Visual Representations of Cybersecurity. The authors Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu have stated that images play a vital role in the public’s perception of cybercrime and cybersecurity.
A list of selected sessions and papers for the Internet Researchers' Conference 2019 (IRC19) has been published. IRC19 will be held in Lamakaan, Hyderabad, from Jan 30 to Feb 1, 2019.

Articles

Private-public partnership for cyber security (Arindrajit Basu; Hindu Businessline; December 24, 2018).
Is the new ‘interception’ order old wine in a new bottle? (Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare; Newslaundry.com; December 27, 2018).
Digital Native: System Needs a Reboot (Nishant Shah; Indian Express; December 30, 2018).

Media Coverage

Many sites bypass porn ban (Rajitha Menon; Deccan Herald; December 6, 2018).
How data privacy and governance issues have battered Facebook ahead of 2019 polls (Rahul Sachitanand; Economic Times; December 6, 2018).
Is Aadhaar Essential To Achieve Error-Free Electoral Rolls? (Bloomberg Quint; December 16, 2018).
Centre’s order on computer surveillance threatens right to privacy, experts say (Abhishek Dey; Scroll.in; December 22, 2018).
Centre’s order on computer surveillance is backed by law – but the law lacks adequate safeguards (Nehaa Chaudhari and Tuhina Joshi; Scroll.in; December 23, 2018).
Ten Indian government agencies can now snoop on people’s internet data (David Spenser; VPN Compare; December 24, 2018).
Big Brother is here: Amid snooping row, govt report says monitoring system 'practically complete' (Keerthana Sankaran; New Indian Express; December 26, 2018).
MHA snoop order & bid to amend IT rules: China-like clampdown or tracking unlawful content? (Fatima Khan; The Print December 28, 2018).
The dark side of future tech: Where are we headed on privacy, security, truth? (Dipanjan Sinha; Hindustan Times; December 29, 2018).
The constitutionality of MHA surveillance order (Nehaa Chaudhari; Asian Age; December 30, 2018).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

Punjabi Wikisource Training Workshop, Patiala (Jayanta Nath; December 6, 2018).
Indic Wikisource Community Consultation 2018 (Jayanta Nath; December 8, 2019).
CIS Signs MoU with Odia Virtual Academy (Sailesh Patnaik; December 19, 2018).

Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Guest Lecture

Lecture on Open Access and Open Content Licensing at ICAR (short course) (Organized by ICAR-Indian Institute of Horticultural Research (IIHR) a constituent establishment of Indian Council of Agricultural Research; November 13 - 22, 2018). Anubha Sinha delivered a lecture.

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Privacy

Guest Lecture

Teaching at Shristi Interlude (Organised by Shristi; Bangalore; December 7, 2018). Shweta Mohandas participated as a mentor.

Gender

Research Paper

Feminist Methodology in Technology Research: A Literature Review (Ambika Tandon with contributions from Mukta Joshi; research assistance by by Kumarjeet Ray and Navya Sharma; design by Saumyaa Naidu; December 23, 2018).

Blog Entry

Event Report on Intermediary Liability and Gender Based Violence (Akriti Bopanna; edited by Ambika Tandon; December 20, 2018).

Participation in Event

International Network on Feminist Approaches to Bioethics 2018 (Co-organized by Feminist Approaches to Bioethics and Sama; St. John's Medical College; Bangalore; December 3 - 5, 2018). Aayush Rathi and Ambika Tandon were speakers at the event.

Cyber Security

Research Papers

European E-Evidence Proposal and Indian Law (Vipul Kharbanda; December 23, 2018).
Economics of Cybersecurity: Literature Review Compendium (Natalia Khaniejo; edited by Amber Sinha; December 31, 2018).

Infographic

Mapping cybersecurity in India: An infographic (information contributed by Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah; designed by Saumyaa Naidu; December 23, 2018).

Blog Entry

A Critical Look at the Visual Representation of Cybersecurity (Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu; December 11, 2018).

Participation in Event

India-China Tech Forum 2018 (Organised by ORF and Peking University at the Ji Xianlin Centre for India-China Studies; Mumbai; December 11 - 12, 2018). Arindrajit Basu was a speaker.

Artificial Intelligence

Participation in Event

Future Tech and Future Law (Organised by Dept. of IT & BT, Government of Karnataka; Palace Grounds; Bangalore; November 29 - December 1, 2018). Arindrajit Basu was a speaker.
AI for Social Good Summit (Co-organised by Google AI and United Nations ESCAP; Bangkok; December 13, 2018).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Selected Papers

Internet Researchers' Conference 2019 (IRC19): #List - Selected Sessions and Papers (P.P. Sneha; January 2, 2019).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/december-2018-newsletter