We are anonymous, we are legion

Trail of the Trolls

praskrishna — 2012-01-04T07:55:05Z

Bullying and abuse on the Internet is on the rise. Smitha Verma finds out why most offenders are going scot-free in this article published in the Telegraph on 4 January 2012.

When Shahana Nair Joshi, a young professional from Delhi, wrote a blog post titled ‘An Open Letter to a Delhi Boy’ last year, she was not prepared for the repercussions that followed. The post went viral overnight and received as many as 7,000 comments. Her blog post, which was a rant against the stereotypical Delhi man, became a topic of discussion on social networking sites, inviting with it a flurry of praise. But the fan following also brought with it an equal number of trolls (those who post inflammatory messages in an online community).

“Soon sexual insults, derogatory messages and inflammatory content became the norm,” says Joshi. “Then I started moderating the comments on my blog and went on to block trolls on Twitter,” says Joshi whose Twitter follower list jumped from 100 to 1,000 within a week. “One person even went to the extent of issuing a death threat to me over the phone,” she adds. “I decided to ignore the trolls as that is the best possible solution.”

Cases similar to Joshi’s are on the rise in cyber world. At a time when social networking sites are being asked to monitor and censor their content, bullying on the Internet is at an all time high. Trolls hide behind the anonymity that a social networking site provides to post derogatory comments and obscene remarks.

According to Supreme Court lawyer Pavan Duggal, harassment on social networking sites is emerging as one of the biggest problems in the online world. “Six out of 10 people aren’t aware of what constitutes a cyber crime. As a result they aren’t reported. Neither the victims nor the abusers know what is an offence,” says Duggal.

But even if a case of bullying on the Internet is reported, the law is somewhat fuzzy when it comes to bringing the offender to book. In India, social media come under a variety of civil and criminal laws. The Information Technology Act, 2000, tackles most cases related to cyber crimes. “However, we take recourse to not just the IT Act, 2000, and its amendments thereunder, but also to other legislation, such as the Indian Penal Code (IPC), the Trade Marks Act, the Copyright Act, etc., to tackle cyber crimes in India,” says Gurpreet Singh, Internet law head, Amarjit & Associates, Delhi.

Bullying on the Internet consists of abuses that may have emotional and physical repercussions. “Trolling provokes a non-productive argument and as of now it is not considered a criminal offence anywhere in the world,” says Sunil Abraham, executive director, Centre for Internet and Society, Bangalore. However, most Internet users point out that trolling is out and out harassment that often verges on sexual harassment as well.

“I am routinely harassed by trolls. Even if I block them, they create a new twitter handle, start following me and post abusive comments,” says Joy Das, an advertising professional from Mumbai. His strong stand on several issues makes him a favourite among the trolls. Once Das had gone to the extent of filing a case and shared the details of the troll with the cyber crime cell department of the state police. He withdrew the case when the abuser retreated.

One of the main problems in taking action against a troll is that no legal definition of bullying is provided in Indian laws. As Karnika Seth, a Delhi-based cyber law expert, points out, “Even though the laws are in place, there is a clear lack of definition of offensive terms.”

Still, the laws do provide some relief in cases of harassment by Internet trolls. Usually, Section 509 of the IPC comes into effect when there is an intention to insult the modesty of a woman. “The offence also extends to an online medium,” says Singh of Amarjeet & Associates. “Besides Section 509, various other sections such as Section 503 and Section 504 of the IPC can also be invoked based upon the particular facts of a case,” adds Singh.

The networking sites on their part aren’t proactive when it comes to keeping a check on trolls. Twitter maintains that it is a communications platform, not a content mediator. “Removal of content does not in and of itself resolve the issue that led to the content being posted in the first place,” blogs the head of Twitter’s safety centre.

If you want to know the IP address and other details about the bully, you will have to file a police complaint and the copy should be sent to Twitter, informs Nabeel Ziyaan, a Bangalore-based entrepreneur and a contributor to Twitter’s ‘#140help’ section which deals with user queries. “In such cases, Twitter will work with the law enforcement agency,” says Ziyaan.

An accused can be booked for mental cruelty and sexual harassment under the provisions of the IPC as well as under Sections 67(a) & 67(b) of the IT Amendment Act, 2008, depending upon the facts and circumstances of the case. Section 66(a) lays down, for example, that any person who sends, by means of a computer resource or a communication device, any information that is grossly offensive or has menacing character or any information which he knows to be false, but for the purpose of causing annoyance, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs 5 lakh or with both.

According to Section 67(a), whoever publishes or transmits in the electronic form any material which contains a sexually explicit act or conduct shall be punished with up to five years’ imprisonment and with a fine which may extend to Rs 10 lakh. And Section 67(b) hands out punishment for publishing or transmitting material depicting children in a sexually explicit act in an electronic form.

But law enforcement agencies are not always able to work out a way to track the trolls. “IP addresses can be spoofed using different software. In fact, innocent people can get punished if a troll hides under a proxy server,” says Seth.

Experts say that cyber laws need clarification and appropriate interpretation. The public should also be made aware of what constitutes a cyber offence. Until that happens, the trolls will, in all probability, trawl the Internet and maul Netizens at will.

Trail of the Trolls was published in the Telegraph on 4 January 2012

For more details visit https://cis-india.org/news/trail-of-trolls

TRAI urged to take action against P2P throttling and DNS hijacking

Anand Priya Singh — 2012-03-27T06:07:30Z

On 4 November 2010, Anand had sent a complaint letter to the Telecom Regulatory Authority of India (TRAI) regarding unethical practices adopted by Internet Service Providers (ISPs), particularly Airtel. The letter was sent by post and through an e-mail. It was addressed to the Advisor, CN & IT, TRAI. Anand got no help from the ISP and the reply from TRAI (No. 340-1\2010-CA/VOLv) stated that he contact the nodal officer. We have reproduced below the complaint letter that Anand sent to TRAI.

The Advisor,
CN & IT, TRAI
New Delhi

Respected Sir,

I wanted to bring to your notice some unethical marketing practices being adopted by Airtel in their broadband market.

ISPs in India, especially Airtel and Tata have recently started to use Domain Name System (DNS) hijacking where they redirect a misspelled or a non-existent website to their own site — where they serve advertisements to make money and these get redirected to Airtel or Tata whenever you connect to the Internet. The reply from the Internet Corporation for Assigned Names and Numbers (ICANN) was: "DNS hijacking practice violates the RFC standard for DNS (NXDOMAIN) responses, and can potentially open users to cross-scripting attacks. According to ICANN, the international body responsible for administering top level domain names has published a memorandum highlighting its concerns, affirming that ICANN strongly discourages the use of DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution in existing Generic Top Level Domains (GTLDs), Country-Code Top Level Domains (CCTLDs) and any other level in the DNS tree for registry-class domain names." See for example, http://goo.gl/lZ2r6 or http://goo.gl/fDLNC

Our ISPs are violating international regulations and exposing the customer to phishing and hacking. Here are their rules: RFC 2308 - Negative Caching of DNS Queries (DNS NCACHE) (rfc2308). See http://goo.gl/QrKLs

I hope TRAI fines Airtel for their unethical practices. Now even toll free customer complaint numbers are no longer toll free. They charge 50 paise per call.

One of the most dangerous things that Airtel and Tata have done is to secretly throttle internet traffic particularly of peer-to-peer (P2P) protocol and not telling the customers, thereby violating the Consumer Protection Act, 1986. In October 2010, Airtel and Tata began using Elitecore's networking bandwidth tool NetVertex to throttle net traffic.

This violates net neutrality principle and could make the internet a cable television system where for different protocols different tariffs would be charged. Please watch this clip on net neutrality.

Since January 2011 Airtel is throttling P2P speeds to 256k from 10 a.m. to 11 p.m. If a user has 1\2\4 mbps connection, his\her speeds are being throttled to 256 k. The only legal proof that customers have is the results from this site which tells if your connection is being throttled for specific protocols (for example, http, ftp, torrent, video streaming, email, etc) known as glasnost test.

This forum has many Airtel users complaining about this. For example: http://goo.gl/Utd72, http://goo.gl/uLZdg, http://goo.gl/bfgaE and http://goo.gl/S7lIQ

Sir P2P is controversial as it used to download copyright works but P2P is also used for legitimate files like Linux OS or Legit P2P streaming. Some torrent sites only provide legit torrents, for example,mininova.

In 2006 TRAI had a consultation paper on network neutrality para 3.6.2. In the reply, organisations like Google, Skype and Microsoft recommended that network neutrality be made a law. See the Google letter for network neutrality of August 2010.

In 2011 the TRAI-NGN said that they have not found any ISP violating this but I have been writing to TRAI since October 2010 to warn them about the impending 2 tier internet which is coming to India, page 91.

Like the Federal Communications Commission (FCC) which fined Comcast ISP in USA $ 16 million for secretly blocking P2P, TRAI should at least codify network neutrality as a simple sentence stating "All internet traffic irrespective of protocols and carrier shall be treated as neutral" and fine Airtel via Telecom Disputes Settlement Appellate Tribunal for violating Consumer Protection Act, 1986.

FCC passed diluted rules and TRAI should not copy FCC. I hope TRAI takes action against illegal secret P2P throttling and DNS hijacking.

Yours respectfully,

Anand

For more details visit https://cis-india.org/internet-governance/p2p-throttling-and-dns-hijacking

Trai upholds Net Neutrality in setback to Facebook’s Free Basics

praskrishna — 2016-02-15T02:01:37Z

Trai says Internet service providers will not be allowed to discriminate on pricing of data access for different web services.

The article by Moulishree Srivastava and Shauvik Ghosh was published in Livemint on February 9, 2016. Sunil Abraham was quoted.

India’s telecom regulator has barred Internet service providers from offering customers preferential tariffs to access certain content over concerns that it will violate Net neutrality norms, dealing a blow to Facebook Inc.’s free data service plan.

Internet service providers, including telecom operators, are prohibited from offering discriminatory tariffs for data services based on content, the Telecom Regulatory Authority of India (Trai) said on Monday. Service providers that violate these rules will be fined Rs.50,000 per day to a maximum of Rs.50 lakh. Trai said it may review the rules after two years.

The decision ends a long battle between Facebook and the country’s telecom operators, including Bharti Airtel Ltd, on one side and Net neutrality activists on the other. Facebook had launched an intense lobbying effort that included full-page advertisements in newspapers and an Internet campaign to assure people that its Free Basics plan, which allows access to its social network and some other websites without a data plan, would benefit millions of poor Indians.

“BJP wholeheartedly welcomes the Trai decision on differential pricing. The decision is a clear expression of popular will,” said telecom minister Ravi Shankar Prasad on Monday. “The government made sure proper processes were followed at all levels which eventually led to the victory of an open and equal Internet... It is gladdening to see that the NDA government ensured unparalleled transparency in the entire issue of net neutrality,” he added.

Net neutrality requires Internet service providers not to discriminate on online data by user, content, site, platform, application, mode of communication or price.

“The net neutrality activists... have got exactly what they wanted—the complete prohibition of the differential pricing,” said Sunil Abraham, executive director of the Bengaluru-based research organization Centre for Internet and Society. “Before Facebook started with its aggressive and outrageous campaign to promote Free Basics, the Net neutrality debate was a peaceful discussion. The way it has behaved must have led the regulator to lose trust that big companies can self-regulate.”

It, however, remains to be seen whether telcos challenge the regulation in court, he added.

“This has been a litigious issue and a lot of money is at stake so quite likely, I think, they will go to court,” said Apar Gupta, a lawyer and part of Save The Internet campaign.

The basic rationale behind the regulation is that the network that carries the data should be agnostic to data packets, R.S. Sharma, chairman of Trai, told reporters.

“Anything on the Internet cannot be priced discriminately based on source, destination, content and applications,” he said.

A spokesperson for Facebook said the company will carefully study what the regulator has said and comment accordingly.

Bharti Airtel and Reliance Communications Ltd (Facebook partnered with R-Com in India) declined to comment.

Differential pricing based on the network speed, Sharma said, is a larger issue and so is Net neutrality.

“We have used the term discriminatory pricing in place of differential pricing, because differential pricing in the consultation paper had a particular context. Differential word was quite contextual in the regulation, but it was misunderstood in a very larger context. Therefore, to differentiate, we are calling it discriminatory,” he said.

However, Sharma said that the Net neutrality debate is not over.

“Net neutrality is a larger question, and we have not gone into that question, though, I must admit, differential pricing is looking at Net neutrality from a tariff perspective. Net neutrality has a number of other components which is fast lane, throttling and differentially treating the packet in terms of speed etc. So this is not a part of this regulation,” Sharma said.

Amresh Nandan, research director at Gartner in India, said the Trai order favouring Net neutrality is in line with rules in the US. “The European Union has also ruled in favour of treating all Internet traffic equally,” Nandan said.

Nandan said the proponents of Net neutrality all over the world have been highlighting the importance of democratic values of the Internet and even a marginal attempt to curb it can possibly trigger all kinds of differentiation.

All the major telcos in India have, however, been lobbying the regulator to allow differential-pricing plans for data services. The telcos said such tariffs will increase Internet penetration in the country, benefiting consumers in the long run. They further argued that the existing legal framework is sufficient for regulating and monitoring differential pricing measures provided by the service providers and that Trai can deal with any issue regarding anti-competitive practices on a case-by-case basis as and when they arise.

Activists say such a practice will undermine competition and create monopolies. Differential pricing, they said, will allow big companies to buy favoured treatment from carriers.

Telecom operators said they were disappointed with the ruling. “Differential pricing could be useful in connecting the unconnected in India. This is an upfront disbarment,” said Rajan Mathews, director general of the Cellular Operators Association of India, the lobby group that represent some of the major telcos. “We believe that it was an appropriate tool to allow consumers who have never been on the Internet, to enjoy getting accustomed to it without getting sticker shock.”

Hemant Joshi, a partner at Deloitte Haskins and Sells Llp, said differential pricing was a well-accepted principle across industries.

“The concept inherently recognizes the economic principle of paying differently for different levels of service and experience. In telecom, there are virtual highways that need to follow the same principle. More awareness and education is needed around the economics of differential pricing and its long-term implications on the Industry and the consumer,” he added.

Trai, which put up the consultation paper on differential pricing on 9 December, asked four specific questions, broadly on whether telecom operators should be allowed to offer different services at different price points and models that can be implemented to achieve this.

Trai extended the deadline for comments and counter-comments on its consultation paper to 7 January and 14 January from 31 December and 7 January, respectively. For the consultation process, Trai said that majority of the individual comments received did not address the specific questions that were raised in the consultation paper.

P.R. Sanjai and Ashish K. Mishra in Mumbai contributed to this story.

For more details visit https://cis-india.org/internet-governance/news/livemint-february-9-2016-shauvik-ghosh-moulishree-srivastava-trai-upholds-net-neutrality-in-setback-to-facebooks-free-basics

TRAI recommendations on data privacy raises eyebrows

Admin — 2018-07-19T13:33:44Z

The telecom regulator’s recommendations on data privacy have raised eyebrows over jurisdiction and timing, with IT ministry officials as well as companies questioning the need for it at a time when the government appointed Justice BN Srikrishna committee is in the final stages of drafting the data protection law.

The article by Surabhi Agarwal and Gulveen Aulakh was published in Economic Times on July 18, 2018. Swaraj Paul Barooah was quoted.

Telecom Regulatory Authority of India (TRAI) Chairman RS Sharma though countered that the sectoral watchdog has the jurisdiction to protect consumer interest in the sector, and those who feed off the industry - content providers, or apps, browsers, operating systems, and devices - need to be accountable as far as data protection is concerned.

TRAI Monday released its recommendations on the subject titled ‘Privacy, Security and Ownership of Data in the Telecom Sector’ which are applicable for apps, browsers, operating systems and handset makers.

An official of the Ministry of electronics and IT, which is tasked with drafting the data protection law, said that the Act will “prevail” over everything else. “Like any other sector, the data protection Act will be the final thing. In respect of telecom matters, there will be a role for TRAI as sectoral regulator but the basics of privacy will be governed by the data protection Act.”

The official also added that TRAI saying that their recommendations will be applicable till the data protection law comes into force "doesn't make sense since it won't have a legal mandate."

Industry bodies such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) have also criticised TRAI, saying the recommendations were “illegal” and akin to “jumping the gun” ahead of the release of the Srikrishna committee report.

Some of the clauses such as no use of metadata to identify individuals coupled with data minimisation will be detrimental to building the data business in the country, they said.

But Sharma was argued Trai was well within its rights to protect telecom consumers.

"Do I not have the jurisdiction to protect the interest of consumers in the telecom sector? I have that. And data protection of consumers in the telecom sector is an issue which is certainly related to the interest of consumers. I have deliberated on that issue, and I’m not saying that bring all those entities under my jurisdiction,” Sharma said.

He added that there is a regulatory imbalance because entities such as devices, OS, browsers and apps are not following any law. “So, the government can come up with a broad framework but till that time let the telecom rules apply on them too."

In its recommendations, TRAI said that individual users owned their data, or personal information, and entities such as devices were "mere custodians” and do not have primary rights over that information. It also said that the current framework for protection of personal information is “not sufficient” and suggested expanding the ambit of licence conditions governing telcos to all entities handling customer information.

In its statement, IAMAI, which represents companies such as Facebook and Google, called TRAI’s assertion that the existing framework is not sufficient to protect telecom consumers “contradictory.”

“The TRAI recommendations on privacy are premised on a voice and SMS regime. It is not meant for data driven business, which the app companies are. App companies use pseudo anonymous data and app companies do not give Call Detail Records. Incidentally, the Sri Krishna Committee under the Ministry of IT, which is the nodal body for apps as well as for handset manufacturers, is deeply, looking into this issue of consent, which is a fair thing to do.”

Voicing similar concerns, the ICA, which represents most of India’s top handset makers, said that the telecom watchdog has absolutely no powers to begin regulating on issues of privacy and ownership of data, leave alone having jurisdiction over devices, operating systems, browsers and applications.

“The industry rejects TRAI's attempts to expand its powers and usurp government's jurisdiction.” It added that TRAI “jumped the gun” by seeking to regulate the digital ecosystem without waiting for the data protection law under consideration by the Justice Srikrishna Committee. “This piecemeal approach is dangerous and unproductive.”

Handset makers such as Intex and Karbonn added they should be kept out of the ambit of the proposed regulations because they don't use customer data or monetise from it, which is mostly what apps do. Any additional pressure on indirect costs will lead to wafer-thin margins getting eroded further and consumers will have to bear the brunt, as it will lead to increase in prices of mobile phones.

Trai’s recommendations have been sent to the Department of Telecommunications (DoT) which has to take a final call on whether they will be adopted.

An official spokesperson for Zomato said that they have not been contacted by any of the regulatory bodies on this, as of now. “Our country is still undergoing the process of setting up a regulatory framework, and what happens between the TRAI recommendations and the B N Srikrishna's committee's draft for Data Protection bill will eventually help set up a much required benchmark.

In its suggestions, Trai said that as with telcos, all user data flows through smart devices, putting the device manufacturers, browsers, operating systems, and applications etc. in a prime position to collect and process the personal information of users. Since all user data passes through telcos and devices, appropriate steps must be taken to protect user privacy vis-a-vis these entities. “This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained”.

Swaraj Paul Barooah, policy director at Center for Internet and Society, said that the recommendations is worrying at one level since “There is nothing in the telecom sector that requires interim urgent intervention and it may mean that the privacy framework maybe further delayed.”

For more details visit https://cis-india.org/internet-governance/news/economic-times-july-18-2018-surabhi-agarwal-and-gulveen-aulakh-trai-recommendations-on-data-privacy-raises-eyebrows

TRAI Consultation on Differential Pricing for Data Services - Post-Open House Discussion Submission

sumandro — 2016-03-30T13:13:30Z

The Centre for Internet and Society sent this submission to the Telecom Regulatory Authority of India (TRAI) following the Open House Discussion on Differential Pricing of Data Services, held in Delhi on February 21, 2016.

Download the submission document: PDF.

Post-Open House Discussion Submission to TRAI

Dear Ms. Kotwal,

This is to heartily congratulate TRAI once again for taking several steps, including the Open House Discussion, to ensure that various opinions about the topic of ‘differential pricing for data services’ are presented and are responded to - and are all in full public view.

This brief note is to a) add to the positions and arguments submitted previously by the Centre for Internet and Society (CIS), India, b) put in writing our comments during the Open House Discussion (January 21, 2016), and c) respond to other comments shared at the same event. We have six points to share in this note:

Forbearance is not an option: We are of the opinion that though the data services market has thus far been kept un-monitored and unregulated, and there are several reasons why this situation should not continue any more. Although the reality of differential pricing (that is data packets originating from different sources being priced differently by ISPs) was highlighted with the recent offering of zero rated packs, it is a general practice in the sector, as illustrated by widely available special/curated content packs for the user to consume data from a specified web-based source. It is not surprising that most such special/curated content packs involve an arrangement between the ISP and a prominent leader in the web-content/platform sector, such as Facebook and Twitter. Serious market distorting impacts of such arrangements are imminent if they are allowed to continue without any monitoring, enforced public disclosure, and regulatory actions by a public authority.
Address differential treatment of data, and not only differential pricing: Pricing is only of the three ways in which data services can be treated differently by the ISPs depending upon the source of the data packets concerned. The other two ways are: a) differential speed, or throttling of some data packets and prioritisation of the others, and b) differential treatment of data protocols, for example, the blocking of peer-to-peer or voice-over-IP traffic by an ISP. If the public authority decides to only regulate differential pricing of data service, it is highly probable that ISPs may shift to other forms of discrimination between data packets - either in terms of prioritising some data packets over others based upon their origin, or blocking of specific protocols such as voice-over-IP to prevent the functioning of certain web-based services - and continue the market distorting impacts through these other means.
Allow and define reasonable network management practices: Reasonable network management has to be allowed to enable the ISPs to manage performance on their network. However, ISPs may not indulge in acts that are harmful to users in the name of reasonable network management. Below is a set of potential guidelines to identify cases when discrimination against classes of data traffic in the name of reasonable network management can be considered justified and permissible:
- there is an intelligible differentia between the classes which are to be treated differently,
- there is a rational nexus between the differential treatment and the aim of such differentiation,
- the aim sought to be furthered is legitimate, and is related to the security, stability, or efficient functioning of the network, or is a technical limitation outside the control of the ISP, and
- the network management practice is the least harmful technical means that is reasonably available to achieve the aim.
Establish an effective enforcement mechanism: TRAI must establish an enforcement mechanism that is open to users [and groups of users] and private sector actors as current forums are insufficient. Clear and simple rules must be established ex-ante, if they are violated - ex-post regulation must be undertaken on the basis of principles listed in the TRAI consultation paper, that is “non-discrimination, transparency, affordable internet access, competition and market entry, and innovation” [1]
Take regulatory decisions now, but also conduct and commission further research to review and refine the decisions over a defined period of time
Need for better collection and proactive disclosure of statistics: TRAI publishes quarterly performance indicators statistics collected from the telecom companies about telephone, mobile, and internet sectors in India [2]. It will be very useful for researchers and analysts, and allow for a much more informed public debate on the matter, if the content and form of such data are improved in the following ways:

Content:
- Please start collection (unless already done) and publication of not only data of average incoming and outgoing MOUs, average of total outgoing SMSs, Average Revenue Per User, and average data usage per GSM and CDMA subscriber, but distributions of the same in terms of user deciles (that is in terms of representative figures for each 10% section of users in ascending order of usage),
- Provide granular data about data usage across service areas and service providers (the numbers on ‘average data usage’ and total ‘revenue from data usage’ provided at present are very insufficient for the state of public debate),
- Provide data about internet subscriber base according to network technologies (for both wired and wireless) and the service providers concerned,
- Provide data about IP-based telephony across service areas and service providers,
- Provide data separately for the North Eastern states, and
- Provide granular data (separated from the corresponding state data) for all tier-1 cities.
Form:
- Please do not publish the data only as part of the quarterly reports available in PDF format, but also as independent machine-readable spreadsheet file (preferably in CSV format),
- Do not only publish quarterly data in separate files, but also provide a combined (all quarters together) dataset that would make it much easier for researchers and analysts to use the data,
- In some exceptional cases, the data is not provided in the report directly but a diagram containing the data is published [3], which should be kindly avoided, and
- Please publish these statistics as open data, that is in open standards and under open licenses.

Further, we request TRAI to explore possibilities of distributed sourcing of data, perhaps from the users themselves, about the actual network usage experiences, including but not limited to signal strength, data transfer speed (incoming and outgoing), frequency of switches between mobile (GSM and CDMA) and wi-fi connectivity, etc.

References

[1]. http://trai.gov.in/WriteReaddata/ConsultationPaper/Document/CP-Differential-Pricing-09122015.pdf.

[2]. http://www.trai.gov.in/Content/PerformanceIndicatorsReports/1_1_PerformanceIndicatorsReports.aspx.

[3]. http://www.trai.gov.in/WriteReadData/PIRReport/Documents/Performance_Indicator_Report_Jun_2015.pdf , sections 1.43 and 1.44 (pp. 31-32).

For more details visit https://cis-india.org/telecom/blog/trai-consultation-on-differential-pricing-for-data-services

TRAI and the Disclosure of Personal Information

Nehaa Chaudhari and Vidushi Marda — 2015-05-10T09:16:28Z

The Telecom Regulatory Authority of India (TRAI), in March 2015 invited comments on its Consultation Paper for the regulation of over-the-top (OTT) services. In an unprecedented wave of public participation, TRAI received over a million e-mails in support of net neutrality.

This note sets out the law in relation to the unauthorized disclosure of personal information. Many thanks to Bhairav Acharya for his inputs on this.

Subsequently, on April 27, 2015, TRAI made all responses received by it public, including personal information like email addresses along with any information contained in email signatures, which invariably include a phone number or address. While disclosure of names was needed to ensure transparency in the consultation process, disclosure of personal information gave rise to criticism and questions around the legality of such disclosure.

This note sets out the law in relation to the unauthorized disclosure of personal information:
Section 43A of the IT Act provides for subordinate legislation to govern the manner in which sensitive personal data is collected and processed. The governance of personal information is dealt with under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“2011 Rules”). The 2011 Rules are made to give effect to Section 43A of the IT Act.

TRAI is a body corporate as per Section 3(2) of the TRAI Act. Hence, TRAI’s collection, storage, and disclosure of personal information is governed by the 2011 Rules. Rule 5(8) requires personal information collected to be held securely. TRAIs publishing of email addresses is a violation of Rule 5(8).

Rule 4 of the 2011 rules requires a body corporate to have a privacy policy. On its website, TRAI publishes a Privacy Policy. However, the Policy speaks of information gathered from the TRAI- Website. Even the wording on the Home Page of the TRAI website (that links to these policies) says “Website Policies”. It is unclear therefore, whether the Privacy Policy applies ONLY to the collection of information over the TRAI- Website or whether the Privacy Policy applies to TRAI overall.

Either way there is an argument to be made. TRAI has failed to draft and publicize a privacy policy for the personal information it collects directly. Without prejudice to the above, if the privacy policy on the TRAI website governs this collection of email addresses, then its unauthorized disclosure is a contravention of its own Privacy Policy, specifically paragraph 2.

Since the IT Act does not enact a specific penalty for contravention of section 43A in respect of personal information, TRAI’s unauthorized disclosure will be penalized through the residuary penalty contained in section 45 of the IT Act.

Hence TRAI is liable under Section 45 of the IT Act read with Rules 4 and 5(8) of the 2011 Rules. Section 45 provides a “residuary penalty”; for those provisions under the IT Act or Rules for whose contravention no other penalty has been prescribed. For this contravention, TRAI would have to pay a compensation of 25,000/- to the affected persons or a penalty of 25,000/- rupees.

TRAI may argue that it disclosed that personal information would be disclosed/published. However, the Call for Comments Press Release says that Comments will be published. Email addresses are not comments, and therefore TRAI did not issue a prior disclaimer for the publication of this personal information – hence the disclosure of e-mail addresses is still a violation.

The remedy for violation of Section 43A of the IT Act is the Adjudicating Authority appointed under Section 46(1), which requires a person not below the rank of Director in the appropriate government to receive complaints. Since TRAI is a body corporate as per the Act, it is unclear as to who the adjudicating officer in the present case should be; and is the matter of a separate research question.

The Appellate authority is the Cyber Appellate Tribunal constituted under Section 48 of the IT Act . It is not known if the tribunal has been constituted, and if it has; it is unknown whether it is staffed.

In the absence of clarity with regard to statutory authorities, a citizen whose personal information has been disclosed by TRAI without authorization may file a writ petition in the Delhi High Court under Article 226, or in the Supreme Court under Article 32 for issue of a writ of mandamus or prohibition, for appointment of the first adjudicating officer and also for issuance of directions in lieu of such an officer.

For more details visit https://cis-india.org/telecom/blog/trai-and-the-disclosure-of-personal-information

Towards an Equitable and Just Internet

praskrishna — 2014-02-17T11:20:19Z

IT for Change is organizing an international meeting to formulate a progressive response to issues of global governance of the Internet. Bhairav Acharya will be participating in this event to be held in New Delhi on February 14 and 15.

The Internet is emerging as a central feature of contemporary human life. We use it to access and disseminate information, to communicate and build community, to transact business and to practise democracy. Ever increasing dimensions of our social, economic, cultural and political life are tied to the Internet.

However, the benefits of the Internet - knowledge and power, wealth and influence, are distributed unevenly. A technology built on the egalitarian peer-to-peer principle, ironically, is emerging as a key axis of inequality, an instrument perpetuating and reinforcing longstanding social, economic, cultural and political injustices. Snowden's dramatic exposé of a deep nexus between the US government and a few global corporations to enable global surveillance, confirmed just one aspect of the problem. The truth about the Internet and how its socio-technical architecture is being shaped is considerably more complex and insidious. The rapid colonisation of the Internet by a few monopolizing global corporations, and its governance being subject, in a highly disproportionate manner, to the laws and policy priorities of one country, impacts not just privacy, but a huge range of very important social, economic, cultural and political issues. (To a lesser extent, policy frameworks developed by clubs of rich countries like the the OCED also impact the emerging shape of the Internet.)

Questions of democracy, social justice and equity need to become central to how the Internet, and how an Internet-mediated society, are evolving. The smokescreen of technical-neutrality has prevented for too long a critical, political examination of the social underpinnings of the Internet, its normative boundaries and legalinstitutional frames. In addition, self-serving formulations like 'Multistakeholderism' and 'Internet Freedom', are employed by the status quo to maintain a facade of legitimacy. Beyond the rhetoric, it is clear that the Internet – in its dominance by the powerful, is neither genuinely multi-stakeholder nor genuinely free.

There are foundational questions to be pursued, in this regard : How is the Internet redistributing power and resources? How does this impact those at the margins, those on the peripheries of an increasingly globalised world? How is such redistribution connected to the socio-technical architecture of the Internet? What kind of Internet would promote social justice and equity? What needs to be done to make it more just, more egalitarian? Who governs the Internet, and how can its governance be democratized? From the standpoint of global justice, two urgent priorities lie ahead of us.

A progressive conception and vision of the Internet, and
A common global ownership of the Internet that protects and promotes its public-ness, and its evolution as a 'global commons'. The Internet was envisaged as a decentralized network, with control from the peripheries. This characteristic of the network is rapidly eroding, What is urgently needed is a recasting of this technical principle into a socio-political framework for a truly people-owned and people-controlled Internet, and one that works for all. The global governance of the Internet requires a proper institutionalization and legal framework incorporating the true spirit of participatory democracy. It should inter alia serve to insulate the Internet both from corporatist and from statist dominations.

An international meeting, entitled 'Towards a Just and Equitable Internet', is envisaged to address the key issues identified above. It will be held in New Delhi, India, on February 14th and 15th, 2013. The meeting will bring together actors engaged in social justice movements and ICT, communication and media rights advocacy to dialogue with some of those already engaged with Internet governance issues, with a view to chart a progressive response to issues related to global governance of the Internet.

Potential outcomes from the meeting include:

A 'charter for Internet justice and equity';
Specific proposals for democratizing the global governance of the Internet as contributions to the 'Global Multistakeholder Meeting on the Future of Internet Governance' being hosted by Brazilian government in April, 2013, the UN Working Group on Enhanced Cooperation and the WSIS + 10 process.

For more details visit https://cis-india.org/news/towards-an-equitable-and-just-internet

Towards Algorithmic Transparency

Radhika Radhakrishnan, and Amber Sinha — 2020-07-15T13:16:44Z

This policy brief examines the issue of transparency as a key ethical component in the development, deployment, and use of Artificial Intelligence.

This brief proposes a framework that seeks to overcome the challenges in preserving transparency when dealing with machine learning algorithms, and suggests solutions such as the incorporation of audits, and ex ante approaches to building interpretable models right from the design stage. Read the full report here.

The Regulatory Practices Lab at CIS aims to produce regulatory policy suggestions focused on India, but with global application, in an agile and targeted manner and to promote transparency around practices affecting digital rights.
The Regulatory Practices Lab is supported by Google and Facebook.

For more details visit https://cis-india.org/internet-governance/blog/towards-algorithmic-transparency

Towards a Multi-Stakeholder Consultation on ‘Internet Rights, Accessibility, Regulation & Ethics’

praskrishna — 2012-05-31T07:14:42Z

This event was organised by Digital Empowerment Foundation, National Internet Exchange of India and Association for Progressive Communications at Mirza Ghalib Hall, SCOPE Complex, New Delhi from 9.00 a.m. to 2.30 p.m. on May 3, 2012. Pranesh Prakash participated as a speaker in the session on Access to Internet: Right to Information.

9.00 a.m. to 9.30 a.m. (Registration)

9.30 a.m. to 11.00 a.m.

Inauguration & Plenary: Internet Rights, Accessibility, Regulation & Ethics

Introduction: Osama Manzar, Founder & Director, Digital Empowerment Foundation
Chair: Aruna Roy, Head, Mazdoor Kisan Shakti Sangathan (MKSS) & Member, National Advisory Council (NAC), Govt. of India
Co-Chair: Ajay Kumar, Joint Secretary, DIT, Govt. of India
Plenary Speakers:

Honey Tan, Human Rights Lawyer, Malaysia, APC
Venkatesh Nayak, Co-convener, Secretary, National Campaign for Peoples’ Right to Information
Jitendra Kohli, Executive Member, Transparency International India Summary of the Session by the Chair

11.00 to 11.15 a.m. (Tea break)

11.15 a.m. to 12.30 p.m.

Working Session I - Access to Internet: Right to Information

Chairperson: Basheerhamad Shadrach, Development Consultant
Plenary Speakers:

Pranesh Prakash, Programme Manager, Centre for Internet & Society
NA Vijayashankar, E-Business Consultant, Founder Secretary of Cyber Society of India, Founder Trustee of International Institute of Information Technology Law
Pavan Duggal, Advocate, Supreme Court of India
Varsha Iyenger, Member, Centre for Law and Policy Research
Amitabh Singhal, Former CEO, National Internet Exchange of India (NIXI)
Prof Jagdeep Chhokar, Founding Member, Association for Democratic Reforms

12.30 p.m. to 1.30 p.m.
Working Session II - Internet Right as Human Right: Need for a Holistic Framework towards Universal Access in India

Chairperson: Dr. Govind, CEO, National Internet Exchange of India (NIXI), Govt. of India
Co-chair & Moderator: R. Sukumar , Managing Editor, Live Mint Newspaper
Panel Members:

Subho Ray, President, Internet & Mobile Association of India (IMAI)
Deepak Maheshwari, Vice President - Public Policy, South Asia, MasterCard
Ravina Agarwal, Program Officer, Ford Foundation
Honey Tan, Human Rights Lawyer, Malaysia, APC
Suhas Chakma, Director, Asian Centre for Human Rights
Anoop Saha, Co-Founder, CGNet Swara
Shivam Vij, Writer, Kafila.org

Click to see the original

For more details visit https://cis-india.org/news/towards-a-multi-stakeholder-consultation

Towards a Global Network of Internet and Society Centres

praskrishna — 2013-06-05T07:29:43Z

This event was held in Istanbul by Bilgi University as part of the collaboration on Global Network of Interdisciplinary Internet and Society Research Centres.

Chinmayi Arun spoke on the Internet Governance panel at the conference on 'ICT, Law and Innovation: Recent Developments, Challenges, and Lessons Learned'.

Tough neighbourhood tests India's e-tolerance

praskrishna — 2011-06-15T10:51:48Z

The combination of having restrictive neighbours as well as security threats could make freedom on the web in India a casualty, writes Anahita Mukherji in this article published by the Times of India on June 12, 2011.

While Indians have enjoyed relatively free cyberspace, growing security threats have resulted in new laws that may tighten the screws on India's freedom on the web. This is one of the findings of a global report titled Freedom on the Net 2011.

There is a widespread fear that the lack of internet freedom in neighbouring countries, like China and Pakistan, may adversely impact India. "If restrictions are placed in certain countries, information links get weakened. Also, governments tend to copy moves of other countries when it comes to a restriction of freedom on the net," said Ketan Tanna, the India researcher for the report.

However, Sarah Cook, Asian research analyst and assistant editor for Freedom on the Net, said that while India may be in a tough neighborhood, it is also possible to seek out the "best practices from countries further afield, or even design its own, and not follow the 'worst practices' from the countries next door".

"It is ultimately up to the Indian government and people to decide how adversely they let being in a tough neighborhood impact internet freedom. It is true that there are objective threats that India faces. All of these can be used as justifications for why the government should be given wide authority to block certain content or monitor internet traffic. But in a democratic society, such needs must be balanced against citizens' rights to free expression and privacy. Ensuring transparency, accountability and legal specificity in any measures taken to restrict the free flow of information is an important way of balancing those factors," said Cook in an email interview with TOI.

Recent regulations have given the government more freedom to censor content. In 2008, Parliament passed amendments to the IT Act, which came into effect in 2009 and have expanded the government's monitoring capabilities. Two months ago, the government enforced another set of guidelines on internet usage. They make it mandatory for intermediaries (ISPs, websites, blogs etc) to notify users not to publish or use information that could be harmful, defamatory or cause annoyance in any way. If an intermediary is informed of such information by the government, it has to block it within 36 hours.

According to the new rules, content that "threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states or public order" is entitled to a ban.

An RTI activist from The Centre for Internet and Society managed to get a list of 11 officially banned websites in India in April 2011.

Nikhil Pahwa, the founder editor of Medianama, a digital media portal, feels the new guidelines could result in a further slide in India's rank.

Read the original published in the Times of India here

For more details visit https://cis-india.org/news/india-e-tolerance

Too Clever By Half: Strengthening India’s Smart Cities Plan with Human Rights Protection

vanya — 2016-03-22T13:49:32Z

The data involved in planning for urbanized and networked cities are currently flawed and politically-inflected. Therefore, we must ensure that basic human rights are not violated in the race to make cities “smart”.

The article was published in the Wire on March 21, 2016

As Indian cities reposition themselves to play a significant role in development due to urban transformation, the government has envisioned building 100 smart cities across the country. Due to the lack of a precise definition as to what exactly constitutes a smart city, the mutual consensus that has evolved is that modern technology will be harnessed, which will lead to smart outcomes.

Here, Big Data and analytics will play a predominant role by the way of cloud, mobile technology and other social technologies that gather data for the purpose of ascertaining and accordingly addressing concerns of people.

Role of Big Data

Leveraging city data and using geographical information systems (GIS) to collect valuable information about stakeholders are some techniques that are commonly used in smart cities to execute emergency systems, creating dynamic parking areas, naming streets, and develop monitoring. Other sources which would harness such data would be from fire alarms, in disaster management situations and energy saving mechanisms, which would sense, communicate, analyze and combine information across platforms to generate data to facilitate decision making and manage services.

According to the Department of Electronics and Information Technology, the government’s plan to develop smart cities in the country could lead to a massive expansion of an IoT (Internet of Things) ecosystem within the country. The revised draft IoT policy aims at developing IoT products in this domain by using Big Data for government decision-making processes. For example, in India a key opportunity that has been identified is with regard to traffic management and congestion. Here, collecting data during peak hours, processing information in real time and using GPS history from mobile phones can give insight into the routes taken and modes of transportation preferred by commuters to deal with traffic woes. The Bengaluru Transport Information System (BTIS) was an early adopter of big data technology which resorted to aggregating data streams from multiple sources to enable planning of travel routes by avoiding traffic congestions, car-pooling, etc.

Challenges

The idea of a data-driven urban city has drawn criticism as the initiative tends to homogenize Indian culture and change the fabric of cities by treating them alike in terms of their political economy, culture, and governance.

Despite basing the idea of a smart city on the assumption that technology-based solutions and techniques would be a viable solution for city problems in India, it is pertinent to note that the collection of personal real-time data may blur the line between personal data with the large data collected from multiple sources, leaving questions around privacy considerations, use and reuse of such data, especially by companies and businesses involved in providing services in legally and morally grey areas.

Privacy concerns cloud the dependence on big data for functioning of smart cities as it may lead to erosion of privacy in different forms, for example if it is used to carry out surveillance, identification and disclosures without consent, discriminatory inferences, etc.

Apart from right to privacy, a number of rights of an individual like the right to access and security rights would be at risk as it may enable practices of algorithmic social sorting (whether people get a loan, a tenancy, a job, etc.), and anticipatory governance using predictive profiling (wherein data precedes how a person is policed and governed). Dataveillance raises concerns around access and use of data due to increase in digital footprints (data they themselves leave behind) and data shadows (information about them generated by others). Also, the challenges and the realities of getting access to correct and standardized data, and proper communication seem to be a hurdle which still needs to be overcome.

The huge, yet untapped, amount of data available in India requires proper categorization and this makes a robust and reliable data management system prerequisite for realization of the country’s smart city vision. Cooperation between agencies in Indian cities and a holistic technology-based approach like ICT and GT (geospatial technologies) to resolve issues pertaining to wide use of technology is the need of the hour. The skills to manage, analyze and develop insights for effective policy decisions are still being developed, particularly in the public sector. Recognizing this, Nasscom in India has announced setting up a Centre of Excellence (CoE) to create quality workforce.

Though it is apparent that data will play a considerable role in smart city mission, the peril is lack of planning in terms of policies to govern the big data mechanics and use of data. This calls for development of suitable standards and policies to guide technology providers & administrators to manage and interpret data in a secured environment.

Legal hurdles

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 deals with accountability regarding data security and protection as it applies to ‘body corporates’ and digital data. It defines a ‘body corporate’ as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities” under the IT Act. Therefore, it can be ascertained that government bodies or individuals collecting and using Big Data for the smart cities in India would be excluded from the scope of these Rules. This highlights the lack of a suitable regulatory framework to take into account potential privacy challenges, which currently seem to be underestimated by our planners and administrators.

Regarding access to open data, though the National Data Sharing and Accessibility Policy 2012 recognizes sensitive data, the term has not been clearly defined under it. However, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 clearly define sensitive personal data or information. Therefore, the open data framework must refer to or adopt a clear definition drawing from section 43A Rules to bring clarity in this regard.

Way forward

As India moves toward a digital transformation, highlighted by flagship programmes like Smart Cities Mission, Digital India and the UID project, data regulation and recognition of use of data will change the nature of the relationship between the state and the individual. However, this seems to have been overlooked. Policies that regulate the digital environment of the country will intertwine with urban policies due to the smart cities mission. Use of ICTs in the form of IoT and Big Data entails access to open data, bringing another policy area in its ambit which needs consideration. Identification/development of open standards for IoT particularly for interoperability between cross sector data must be looked at.

To address privacy concerns due to the use of big data techniques, nuanced data legislation is required. For a conducive big data and technologically equipped environment, the governments must increase efforts to create awareness about the risks involved and provide assurance about the responsible use of data.

Additionally, a lack of skilled and educated manpower to deal with such data effectively must also be duly considered.

The concept note produced by the government reflects how it visualizes smart cities to be a product of marrying the physical form of cities and its infrastructure to a wider discourse on the use of technology and big data in city governance. This makes the role of big data quite indispensable, making it synonymous with the very notion of a smart city. However, the important issue is to understand that data analytics is only a part of the idea. What is additionally required is effective governance mechanism and political will. Collaboration and co-operation is the glue that will make this idea work. It is important to merge urban development policies with principles of democracy. The data involved in planning for urbanized and networked cities are currently flawed and politically-inflected. Therefore, collective efforts must go into minimizing pernicious effects of the same to ensure the basic human rights are not violated in the race to make cities “smart”.

Vanya Rakesh is Programme Officer, The Centre for Internet & Society (CIS), Bangalore. Elonnai Hickok, Policy Director of CIS, also provided inputs for this story.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-march-21-2016-vanya-rakesh-too-clever-by-half-strengthening-indias-smart-cities-plan-with-human-rights-protection

Tomorrow, Today

nishant — 2013-01-02T05:00:41Z

Our present is the future that our past had imagined. Around the same time last year, I remember taking stock of the technologies that we live with and wondering what 2012 would bring in.

Nishant Shah's end of the year column was published in the Indian Express on December 29, 2012.

And I find myself in a similar frame of mind, celebrating with joy the promises that were kept, reflecting sombrely on the opportunities we missed, and speculating about what the new year is going to bring in for the future of digital and internet technologies, and how they are going to change the ways in which we understand what it means to be human, to be social, and to be the political architects of our lives.

We all know that dramatic change is rare. Nothing transforms overnight, and a lot of what we can look forward to in the next year, is going to be contingent on how we have lived in this one. And yet, the rapid pace at which digital technologies change and morph, and the ways in which they produce new networked conditions of living, make it worthwhile to speculate on what are the top five things to look out for in 2013, when it comes to the internet and how it is going to affect our techno-social lives.

Head in the Cloud

If the last year was the year of the mobile, as more and more smartphones started penetrating societies, providing new conditions of portable and easy computing, making ‘app’ the word of the year, then the next year definitely promises to be the year of the cloud. As internet broadband and mobile data access become affordable, increasingly we are going to see services that no longer require personal computing power. All you will need is a screen and a Wi-Fi connection and everything else will happen in the cloud. No more hard drives, no more storage, no more disconnectivity, and data in the cloud.

More Talk

One of the biggest problems with the internet has been that it has been extremely text heavy. We often forget that the text is still a matter of privilege as questions of illiteracy and translation still hound a large section of the global population. However, with the new protocols of access, availability of 4G spectrum and the release of IPV6 as the new standard, we can expect faster voice and video-based communication at almost zero costs. It might be soon time to say goodbye to the SMS.

Big Data

You think you are suffering from information overload now? Wait for the next year as mobile and internet penetration are estimated to rise by 30 per cent around the world! This is going to be the year of Big Data — data so big that it can no longer be fathomed or understood by human beings. We will be dependent on machines to read it, process it, and show us patterns and trends because we are now at a point in our information societies where we are producing data faster than we can process it. Our governments, markets and societies are going to have to produce new ways of governing these data landscapes, leading to dramatic changes in notions of privacy, property and safety.

No Next Big Thing

If you haven’t noticed it, the pace of dramatic innovation has slowed down in the last few years and it will slow down even more. We have been riding the wave of the next big thing, in the last few years, constantly in search of new gadgets, platforms and ways of networking. However, the coming year is going to make innovation granular. It will be a year where things become better, and innovation happens behind the scene. So if you thought this was the year that Facebook will finally become obsolete and something else will take over, you might want to reconsider deleting your account, and start looking at the changes that shall happen behind the scenes, for better or for worse.

The Return of the Human

The rise of the social network has distracted us from looking at the human conditions. We have been so engaged in understanding friendship in the time of Facebook, analysing relationships, networked existences and our own performance as actors of information, that we haven’t given much thought to what it means to be human in our rapidly digitising worlds. And yet, the revolutions and the uprisings we have witnessed have been about people using these social networks to reinforce the ideas of equity, justice, inclusion, peace and rights across the world. As these processes strengthen and find new public spaces of collaboration, we will hopefully see social and political movements which reinforce, that at the end of the day, what really counts, is being human.

The future, specially in our superconnected times, is always unpredictable. But the rise of digital technologies has helped us revisit some of the problems that have been central to a lot of emerging societies — problems of inequity, injustice, violence and violation of rights. And here is hoping that the tech trends in the coming year, will be trends that help create a better version of today, tomorrow.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-nishant-shah-december-29-2012-tomorrow-today

Token security or tokenized security?

Admin — 2018-01-17T00:17:41Z

Implementing a system of tokenization for Aadhaar verification will address the security loopholes highlighted in recent reports.

The article by Manasa Venkataraman and Ajay Patri was published in Livemint on January 9, 2018.

Those who were reassured that the Aadhaar architecture is safe and secure have faced a few rude shocks lately. First, there was the recent report in The Tribune on how one of its reporters was easily able to log in to the Aadhaar website and access any enrolled Indian’s personal information, all for a grand fee of Rs500. While the veracity of this report is still being contested by the Unique Identification Authority of India (UIDAI), it has stirred panic over the security of personal data entrusted to the government. This came close on the heels of reports last month that a telecom company was utilizing the eKYC (know your customer) data of its mobile subscribers to open payment bank accounts without their consent.

These two instances highlight scenarios where data from the Aadhaar database is vulnerable. In the first, the weaknesses in security measures and processes around the database leave information susceptible to an attack. In the second, providing third-party entities loosely regulated access to an individual’s data leaves scope for abuse.

There is a need to protect the data belonging to individuals in these situations, providing the government with two possible policy options: it can choose to either overhaul the Aadhaar architecture completely, or it can build in additional security measures to ensure that individual data is not compromised.

Uninventing Aadhaar is not a practical proposal. It would have to include repealing the statute on Aadhaar, disbanding the database already created, and figuring out alternative means of delivering the services that are now dependent on Aadhaar. A more sustainable way forward is to better secure Aadhaar. This will involve not only the secure collection and storage of personal data, but also a safe regulation of the manner in which third parties use it for authentication.

One way to protect Aadhaar-related communications is to channel them through a secure conduit. This can be achieved through a system of temporary tokens for Aadhaar-based verifications. Sunil Abraham from the Centre for Internet and Society (CIS) has recommended a system of using dummy or virtual Aadhaar numbers along with a smart card to protect information belonging to individuals.

Tokenization is the process of masking sensitive personal data with another innocuous dataset, allowing it to be shared with third parties without the risk of the personal data being exposed. So, every time a service provider asks for identification, the individual can provide a one-time-ID number generated by an Aadhaar app or on UIDAI’s website. The service provider can authenticate the one-time-ID number with the Aadhaar database, without needing to know or store the Aadhaar number. The algorithm used to generate the one-time-ID number must be constructed using hard-to-replicate information and kept a well-guarded secret. No two service providers will have the same one-time ID, making it harder for personal profiles to be constructed by mining data from multiple service providers, thus enabling a higher level of privacy protection.

Allowing such a system of tokenization for every eKYC can create a welcome layer of ambiguity around individuals’ personal data and preserve the individuals’ Aadhaar-related information with the government. This system also breaks the link between the Aadhaar database and any third party having access to an individual’s Aadhaar number. If this link is not broken, then any entity—government or private—would have access to potentially millions of Aadhaar card numbers, opening endless possibilities for data abuse.

The tokenization process allows the authority to arrest any attempts at data abuse. In fact, to make this system of tokens or one-time-ID numbers effective, the law must build in measures to penalize any attempt to recreate an individual’s Aadhaar number from the unique token number. In other words, the service provider is given a token number for authentication, but prohibited from obtaining the Aadhaar number it corresponds to.

Tokenization is an improvement over the status quo, but only in one aspect—making Aadhaar secure. It is imperative that the government pays equal attention to the manner in which all data is collected, stored and disposed of by the authority. There are two facets to be explored here: first, ensuring secure storage of the vast information database, and second, plugging security loopholes that happen at collection by limiting access to the database.

The adoption of appropriate technical safeguards is indispensable to thwart external threats to the Aadhaar database, such as ransomware attacks. Having appropriate security, and having periodic audits to test the adequacy of such security, is indispensable.

Equally, limiting access to the database is crucial for preventing leaks, such as the ones reported in The Tribune. It is important that only a select few individuals have access to the database and that these personnel are properly vetted before being vested with such responsibility.

These various facets of the Aadhaar ecosystem are likely to be further examined in the public in the weeks to come as the Supreme Court gears up to hear the petitions on Aadhaar. Regardless of the verdict, there is an urgent need to improve the safety of the Aadhaar ecosystem and the use of tokenization goes some way towards achieving this objective.

Manasa Venkataraman and Ajay Patri are researchers at the Takshashila Institution, an independent, non-partisan think tank and school of public policy.

For more details visit https://cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security

Token disclosures?

praskrishna — 2013-08-07T09:30:39Z

Snowden’s Xkeyscore expose makes a mockery of Twitter’s transparency revelations.

The article by Deepa Kurup was published in the Hindu on August 4, 2013. Sunil Abraham is quoted.

This week, roughly around the same time, two ‘revelations’ made headlines in the world of technology. The first, the U.S. National Security Agency’s top secret web surveillance programme, codenamed Xkeyscore, another expose from the house of Edward Snowden & Co.; and second, microblogging site Twitter’s third biannual Transparency Report for the first half of 2013.

The former exposed a global surveillance net, cast far and wide to freely (no formal authorisation required) access and mine emails, chats and browsing histories of millions. The content of the latter report not only pales in comparison but also raises fundamental questions on just how much goes on beyond the arguably modest claims made on Twitter’s transparency charts.

Documents published by The Guardian have the NSA claiming that the “widest-reaching” system mining intelligence from the web had, over a month in 2012, retrieved and stored no less than 41 billion records on its Xkeyscore servers. These mind-boggling numbers make a mockery of Twitter’s few hundred access request disclosures, advocates of online privacy and freedom point out. Then, it is hardly surprising that a large chunk of global requests came from the U.S. government: no less than 902 of the total 1,157 requests, accounting for 78 per cent. A far second is Japan at 8 per cent followed by the U.K.

India References

Interestingly, both Twitter’s report and the NSA’s Xkeyscore document have India references. While a map titled 'Where is Xkeyscore' in the training manual released showing India as one of 150 sites (hosting a total of 700 servers) indicates that India's very much on the global surveillance radar of the United States government; the fact that the India is a new entrant on Twitter's ‘Country Withheld Content Tool’ means that the government here is also making active interventions in microblogging content. This is very much in line with stances the Indian government has taken over the last year, swinging indecisively between asking internet firms to pre-screen content and asking service providers to take down what it finds offensive.

India, A Bit-Player

The Twitter report states that over the last six months it has seen an increase in the number of requests received (and eventual withholding of content) in five new countries: India, Brazil, Japan, Netherlands and Russia. In terms of numbers, India is still very much a bit player in the game given it falls under the ‘less than 10 category, a list where the number of requests for user information made by the government during this period is fewer than 10. It appears from the report that Twitter did not honour any of these requests, indicating that either the requests were too broad or failed to identify individual accounts.

In the same period, Twitter received two requests from India to remove content, one from the “government/law enforcement agency” and the other through a court order. In all, three tweets were removed by Twitter. No details on the nature of content removed were available.

Transparency Trends

A late entrant to transparency initiatives, Twitter's bi-annual reports have been applauded by privacy activists as an initiative that at least attempted to offer a glimpse into the otherwise opaque medium/industry. According to 'Who Has Your Back' an initiative by the Electronic Frontier Foundation, which tracks which corporate helps protect your data from the government, only a third of the 18 internet majors publish Transparency Reports – in fact, Facebook, WordPress and Tumblr all don't publish.

This article by Deepa Kurup was published in the Hindu on August 4, 2013. Sunil Abraham is quoted.

While it's definitely good that Twitter's providing data for India, post-Edward Snowden and his revealing PRISM leaks, netizens would question to what extent this data is representative of the magnitude or extent of user data tracking. Do governments like the U.S. need to approach Twitter (or other internet service providers) at all to access detailed user activity logs, content and metadata?

Secret Orders Excluded

Twitter makes it clear that its current report does not include "secret orders" or FISA disclosures. In another blog related to the Transparency Report, Jeremy Kessel, Manager, Legal Policy at Twitter Inc, writes that since 2012, Twitter's seen an uptick in requests to withhold content from two to seven countries. He writes that while Twitter wants to publish “numbers of national security requests – including FISA (Foreign Intelligence Surveillance Act) disclosures – separately from non-secret requests.” It claims it has “insisted” that the United States government allow for increased transparency into “secret orders”. “We believe it’s important to be able to publish numbers of national security requests – including FISA disclosures – separately from non-secret requests." Unfortunately, we are still not able to include such metrics, Twitter states.

'Not the Whole Truth'

In the absence of these metrics, Sunil Abraham, director of Centre for Internet and Society, feels transparency reports “may not tell us the whole truth”. The Xkeyscore revelations then may explain why the U.S. government has made only 902 information requests. “A rogramme like XKeyScore potentially allows them to capture the very same data without having to approach Twitter. This is the very same imperative behind the CMS project in India. Governments across the world want to automate private sector involvement in blanket surveillance measures so that it wont serve as a check on their unbridled appetite for data”

He warns that there's a likely “race to the bottom”, given that an unintended consequence of transparency may be that governments, rather than being shamed into respect for free speech and privacy, would be emboldened by the scale of surveillance and censorship in the so-called democracies such as the US and EU members that are on top of the global blanket surveillance game.

For more details visit https://cis-india.org/news/the-hindu-august-4-2013-deepa-kurup-token-disclosures