We are anonymous, we are legion

The Web of Our Strife

pranesh — 2012-06-04T05:45:34Z

At the 66th session of the UN General Assembly, India proposed the formation of a Committee on Internet-Related Policies (CIRP) to address what it sees as a policy vacuum in internet governance.

Pranesh Prakash's article was published in the Times of India on June 2, 2012.

This CIRP will, in the view of India's government, address the US domination of internet policymaking, and make it more democratic and 'multistakeholder'. As an example of this domination, our government cites the oversight role that the US government exercises over ICANN, the non-profit corporation that controls the net's domain name system, as well as the control it exerts over DNS root servers (with all changes needing to go through the US Department of Commerce).

But many civil society organisations, technology companies, and even a few Indian politicians (notably Rajeev Chandrashekar and P Rajeeve), oppose the CIRP as being a proposal for the UN takeover of internet governance. The role of nation-states in governing the internet has been minimal so far. Many attribute the success of the internet to this lack of interference from governments. They ask why we need to fix something that is not broken? In effect, why regulate something that clearly works without such regulation?

It is clear that this status quo will not suffice for many governments. Various countries - like the US, with its Stop Online Piracy and Cyber Intelligence Sharing and Protection acts, and India, with our Information Technology Act and recent Intermediary Guidelines Rules - look to actively regulate the net. ICANN, supposedly a purely technical organisation, has got embroiled in policy issues too. This was seen in the. xxx top-level domain name debacle, where governments tried to intervene, but ultimately failed. Many such purely domestic regulations, like SOPA, have international implications. Even India's Intermediary Guidelines Rules, for instance, require compliance from internet companies across the world. The US government has seized domain names of Spanish file-sharing websites that are hosted in Spain, even though they have been held to be legal there.

So while international forums exist for internetrelated policy discussions, including the Internet Governance Forum (IGF), they are limited by a lack of actual power to even so much as recommend policy positions. Hence there are forums for discussions, but none for resolving problems. The proposed CIRP seeks to be such a body, "with a view to ensuring coordination and coherence in crosscutting internet-related global issues".

Besides, apart from domestic legislation starting to encroach upon the international nature of the internet, there's another issue: that of countries like Russia and China pushing for a less 'multistakeholder' approach to internet governance. So the status quo is unsatisfactory, the alternatives are worrisome, and attempts at 'enhanced cooperation' within existing frameworks (for instance, through India's proposal for IGF reforms) have failed to find enough backers. Given this, a CIRP-like mechanism might well be the preferred option. Importantly, a singular body within the UN system for internet policy could help ensure that other UN agencies which are even less 'multistakeholder' don't overstep their mandates and start making regulations all by themselves.

However, the current CIRP proposal lacks many safeguards that would allay the fears expressed by those who oppose it as 'government control of the internet'. First, while the Indian government has, in its proposal, laid out the CIRP's mandate, it has not laid out the limits of its powers in carrying out that mandate. Second, the CIRP is currently a government body that is merely 'advised' by various stakeholders, with nothing to indicate that this advice will be heeded. This is unsatisfactory, given the internet policy transgressions that are committed by various national governments, as seen, say, in Iran or China. Arguments that the UN system is nation-state-centric do not suffice, since processes that aren't nation-state-centric, such as the Internet Governance Forum, are also being spearheaded by the UN.

If such criticism is addressed, then the CIRP should indeed be welcomed. But we should also be realistic. Governments are effectively being asked to cede certain aspects of sovereignty by being told that the internet is a phenomenon that traditional approaches to policymaking just cannot address. They will not do so easily.

Further, the reality of international realpolitik must be acknowledged - about governments actually following the CIRP. The US, for instance, regularly ignores rulings by the ICJ and the WTO with impunity.

More importantly, and as some cyberlibertarians like Milton Mueller and Adam Thierer remind us, 'multistakeholderism' is only a process (involving multiple stakeholders), and does not provide substantive principles for internet governance (when may websites be blocked, for instance;or who should control the domain name system). Such sobering realpolitik, Mueller believes, is reason enough to be sceptical of the CIRP proposal as it currently stands. He may well be right.

But given the current trend of states individually wielding excessive powers over various aspects of how their citizens access and use the internet, a CIRP-like body may well be what is needed to safeguard democratic principles and innovation on the internet.

For more details visit https://cis-india.org/internet-governance/the-web-of-our-strife

The War for India's Internet

praskrishna — 2012-06-14T09:12:34Z

Why is the world's biggest democracy cracking down on Facebook and Google? Rebecca Mackinnon's article was published in Foreign Policy on June 6, 2012.

"65 years since your independence," a new battle for freedom is under way in India -- according to a YouTube video uploaded by an Indian member of Anonymous, the global "hacktivist" movement. With popular websites like Vimeo.com blocked across India by court order, the video calls for action: "Fight for your rights. Fight for India." Over the past several weeks, the group has launched distributed denial-of-service attacks against websites belonging to Internet service providers, government departments, India's Supreme Court, and two political parties.

Street protests are being planned for this coming Saturday, June 9, in as many as 18 cities to protest laws and other government actions that a growing number of Indian Internet users believe have violated their right to free expression and privacy online. A lively national Internet freedom movement has grown rapidly across India since the beginning of this year. The most colorful highlight so far was a seven-day Gandhian hunger strike, otherwise known as a "freedom fast," held in early May on a New Delhi sidewalk by political cartoonist Aseem Trivedi and activist-journalist Alok Dixit. Trivedi's website was shut down this year in response to a police complaint by a Mumbai-based advocate who alleged that some of Trivedi's works "ridicule the Indian Parliament, the national emblem, and the national flag."

Escalating political and legal battles over Internet regulation in India are the latest front in a global struggle for online freedom -- not only in countries like China and Iran where the Internet is heavily censored and monitored by autocratic regimes, but also in democracies where the political motivations for control are much more complicated. Democratically elected governments all over the world are failing to find the right balance between demands from constituents to fight crime, control hate speech, keep children safe, and protect intellectual property, and their duty to ensure and respect all citizens' rights to free expression and privacy. Popular online movements -- many of them globally interconnected -- are arising in response to these failures.

Only about 10 percent of India's population uses the web, making it unlikely that Internet freedom will be a decisive ballot-box issue anytime soon. Yet activists are determined to punish New Delhi's "humorless babus," as one columnist recently called India's censorious politicians and bureaucrats, in the country's media. Grassroots organizers are bringing a new generation of white-collar protesters to the streets to defend the right to use a technology that remains alien to the majority of India's people.

The trouble started with the 2008 passage of the Information Technology (Amendment) Act, whose Section 69 empowers the government to direct any Internet service to block, intercept, monitor, or decrypt any information through any computer resource. Company officials who fail to comply with government requests can face fines and up to seven years in jail. Then, in April 2011, the Ministry of Communications and Information Technology issued new rules under which Internet companies are expected to remove within 36 hours any content that regulators designate as "grossly harmful," "harassing," or "ethnically objectionable" -- designations that are open to a wide variety of interpretations and that free speech advocates argue have opened the door to abuse. It is thanks to these rules that the website of the hunger-striking cartoonist, Trivedi, was taken offline. Also thanks to the 2011 rules, Facebook and Google are facing trial for having failed to remove objectionable content. If found guilty, the companies could face fines, and executives could be sentenced to jail time.

Saturday's protesters are calling for annulment of the 2011 rules and the repeal of part of the 2008 act. They are also calling for Internet service companies to reverse the wholesale blocking of hundreds of websites, including the file-sharing services isoHunt and The Pirate Bay, as well as the video-sharing site Vimeo and Pastebin, which is primarily used for the sharing of text and links. Internet service providers were responding to a court order from the Madras High Court demanding the blockage, which is aimed at preventing the online distribution of pirated versions of one particular film. The Internet companies, fearing that they would not be able to catch every individual instance on every possible site they host, instead chose to block entire services along with all of their content -- which had nothing to do with the film in question.

Such "John Doe" orders, named because they are directed against unknown potential offenders in the present and future, are characterized "by their overly broad and sweeping nature," argue lawyer Lawrence Liang and researcher Achal Prabhala, which extends "to a range of non-infringing activities as well, thus catching a whole range of legal acts in their net." More broadly, as Delhi-based journalist Shivam Vij wrote in a recent essay: "The current mechanisms of internet censorship in India -- blocking, direct removal requests to websites, intermediary rules -- are draconian and unconstitutional. They need to be replaced with a new set of rules that are fair, transparent and accessible for public scrutiny. They should not be amenable to misuse by the powers-that-be for their own private interests."

Not only are the rules abused, but researchers find that they are causing extralegal censorship by companies that overcompensate in order to err on the side of caution. Last year, the Bangalore-based Centre for Internet and Society performed an experiment in which it sent "legally flawed" takedown demands to seven companies that provide a range of online services, including search, online shopping, and news with user-generated comments. The legal flaws in the notices were such that the companies could have rejected them without being in breach of the law. Yet "of the 7 intermediaries to which takedown notices were sent, 6 intermediaries over-complied with the notices, despite the apparent flaws in them," reads the Centre for Internet and Society report.

Despite the growing public opposition, a motion to annul the 2011 rules was defeated by voice vote in the upper house of Parliament last month. Yet the criticism was sufficiently sharp that Communications Minister Kapil Sibal announced that he will hold consultations with all members of Parliament, representatives of industry, and other "stakeholders" to discuss the law's problems and how it might be revised. Many of the law's critics, however, are skeptical that this will eliminate the law's deep flaws and loopholes for abuse, especially given the government's failure to listen so far. Comments on the 2011 rules submitted last year by the Centre for Internet and Society were not even acknowledged as having been received by the Ministry of Communications and Information Technology. "Sibal uses the excuse of national security and hate speech," says the center's director, Sunil Abraham, "but that is not what is happening."

Abraham worries that what is really happening is a government effort at Internet "behavior modification" through a process akin to an experiment involving caged monkeys, bananas, and ice water. Put four monkeys in a cage and hang a bunch of bananas on the ceiling. Every time one of them climbs up to reach the bananas, you drench all of them with ice water. Soon enough, the monkeys will start policing themselves -- attacking anybody who tries to reach the bananas, making it unnecessary for their masters to deploy the ice water. "This is why the government is being so aggressive so early on, with only 10 percent of India's population online," says Abraham. "If you start the drenching early on, by the time you get to 50 percent [Internet penetration], every one will be well-behaved monkeys." Companies will act as private Internet police for fear of legal punishment before the government is called upon to step in and enforce the law. If it works, Indian politicians could have fewer reasons to worry about online critiques or mockery, because companies fearing prosecution will proactively delete speech that could potentially be designated "harassing" or "grossly harmful."

India is not China or Iran, however. Its politicians may be corrupt, and most of its voters may not understand why Internet freedom matters because they've never used the Internet. But it still has an independent press and boisterous civil society that are not going to give up their critiques and protests anytime soon. India also has a strong, independent judiciary, with a record of ruling against censorship and surveillance measures when a strong case can be made that they conflict with constitutional protections of individual rights. "On free speech I have high faith in the Indian judiciary," says Abraham. "There is a good chance to launch a constitutional challenge."

If Google and Facebook lose at their impending trial -- now scheduled for July -- they will most certainly appeal, which activists hope could provide just such an opportunity to prevent the sort of "behavior modification" process that Abraham warns against. Now India's burgeoning Internet freedom movement needs its own reverse "behavior modification" strategy -- imposing consistent and regular doses of political and legal ice water upon India's bureaucrats, politicians, and companies whenever they do things that threaten to corrode the rights of India's Internet users. Saturday's protest is just the beginning.

Sunil Abraham is quoted in this article. Read the original here

For more details visit https://cis-india.org/news/war-of-india-internet

The Uncertain Future of India's Plan to Biometrically Identify Everyone

praskrishna — 2014-09-08T05:31:28Z

Last Sunday an 11-year-old boy in Andhra Pradesh, a state in southeast India, hung himself from a ceiling fan as his family slept.

Jessica Mckenzie's blog post was published in Techpresident on August 28, 2014. Sunil Abraham gave his inputs.

He was allegedly driven to this act after being denied an Aadhaar card—formally known as Unique Identification (UID)—which he was told he needed to attend school. The card is one arm of India's sprawling scheme to collect the biometric data, including fingerprints and iris scans, of its 1.2 billion citizens and residents, and is quickly becoming practically, if not legally, mandatory, for nearly every aspect of life, from getting married to buying cooking gas to opening a bank account. More than 630 million residents have already enrolled and received their unique 12-digit identification number.

Since its launch in 2010, people have raised a number of questions and concerns about Aadhaar, citing its effects on privacy rights, potential security flaws, and failures in functionality. India's poor, who were supposed to be the biggest beneficiaries of the program, are actually most at risk of being excluded from UID, and there is no evidence that biometric identification has curtailed corruption. The newly-elected Prime Minister Narendra Modi lambasted the UID program as a candidate but in July did an about-face, calling for the enrollment process to be expedited and supporting a UID-linked social assistance program. In all likelihood, the world's largest experiment in biometric identification will continue.

There are still a number of unanswered questions about the future of the program. Although created in large part as a way of more efficiently and less corruptly dispersing government subsidies, last year the Supreme Court ruled that the Aadhaar card could not be made mandatory to receive government assistance. The Unique Identification Authority of India (UIDAI) operates in a kind of legal limbo. Modi is said to have instructed his Finance Minister Arun Jaitley to resolve these legal problems.

Sorting out the legal issues is imperative if UID numbers are going to be linked to Modi's proposed financial inclusion program that aims to bring 75 million additional households into the country's banking system by 2018.

There is also the possibility that UID will be merged, absorbed or superseded by the National Population Register (NPR), yet another biometric identification system. The NPR, unlike Aadhaar, is mandatory for all residents. In addition to fingerprints and iris scans, NPR collects information on familial relationships, nationality, occupation and education level. There is a great deal of overlap between the two programs, which has been a source of conflict between government agencies in the past. The home ministry, for example, argues that government subsidies should be disbursed through NPR, not UID.

There is also speculation that UID could be picked up as part of Digital India, Modi's ambitious plan to modernize India by building national broadband infrastructure, ensuring universal mobile service access, creating e-government services, and establishing a “cradle-to-grave digital identity for every citizen of the country—unique, lifelong, online and authenticable [sic].”

In spite of UID's tenuous position and uncertain future, it has become “essential” in nearly every facet of life. The Delhi government is rolling out a suite of e-government services, starting with marriage registration, that will require a UID. Fishermen in Gujarat have been told they cannot go out to sea without biometric identification.

Then there is Kora Balakrishna, the 11-year-old who committed suicide after being denied an Aadhaar card because he has webbed fingers. His school headmaster had instructed him to get one as a prerequisite for study and, per one news outlet, a mid-day meal. An investigation into the incident has been ordered. Pravin Kumar, a local administrative official, said webbed fingers are not a legitimate reason for rejection from the program.

For more details visit https://cis-india.org/internet-governance/news/tech-president-jessica-mckenzie-august-28-2014-the-uncertain-future-of-indias-plan-to-biometrically-identify-everyone

The UK DNA Database and the European Court of Human Rights

praskrishna — 2012-10-10T10:19:35Z

A presentation by Dr. Helen Wallace, Director, GeneWatch, UK

For more details visit https://cis-india.org/internet-governance/blog/uk-dna-database-and-european-court-of-human-rights.ppt

The trouble with trolls

praskrishna — 2014-07-28T05:42:36Z

Social networking sites give trolls the ability to hide their real identity and cause grief to others. Here is what you need to do if you face an online attack.

The article by Vishal Mathur was published in Livemint on July 22, 2014. Sunil Abraham gave his inputs.

Social networking sites give trolls the ability to hide their real identity and cause grief to others. Here is what you need to do if you face an online attack.

Though social networks were not designed with the intention of letting someone anonymously abuse another online, the reality is that people utilize the ability to hide behind online identities to threaten other users. These could be veiled attacks, direct abuse, or even threats to “cause bodily harm”. What can you do if you’re trolled and threatened on any social network? Follow our five-step guide. Avoid conversation if you can The responses could come in relation to something you may have just posted online. Or perhaps it could be just a random trolling attempt, to get a response from you. It is important to understand and identify such intentions. And as difficult as it may be, do not respond. Getting into a direct interaction with a bully only makes things worse. Report to the social network You should report any instance of cyber bullying or harassment to the host social network—the website or forum on which the interaction happened. There are various methods of getting in touch with the moderators—customer support email, contact submission forms or even via phone, in certain locations. Describe the problem in detail, and persist till the offending account is blocked from the platform. “Most social networks have systems that allow you to report abusive content and users. However, there is great variance in the speed with which they respond across different platforms, jurisdictions, etc.,” says Sunil Abraham, executive director at the Bangalore-based non-profit research organization Centre for Internet and Society. New Delhi-based Anja Kovacs, project director, at civil society organization Internet Democracy Project, adds: “Blocking and reporting an account can be two ways to stop harassment on some social networks, but on other platforms, such as Twitter, it is possible for the person to immediately make a new account under a different username, meaning that these measures do not necessarily stop the harassment.” Ankhi Das, director, public policy, India and South Asia at social network Facebook, says: “Every reported piece of content is reviewed. Serial offenders are notified for non-compliance.” Facebook’s Community Standards, that prevent harassment and offensive posts, have an 11-point categorization for reported content—violence and threats, hate speech, graphic content, bullying and harassment, to name some. Raheel Khursheed, head of news, politics and government at Twitter India, did not respond to our mail about how Twitter handles trolls at the time of going to press. On blogs and forums, it may be a bit easier to deal with trolling and abuse. If it is your own blog, you can delete comments and block users. If it is a forum, the administrator can do it for you. But, with social networks having millions of users, it is not possible to have one administrator managing it all. And it is not just Facebook and Twitter, all social networks have a method by which you can register your complaint. LinkedIn, for example, automatically blocks a user who gets multiple “I don’t know” responses to invitations to connect. There is a strong monitoring policy where any reported content (recommendations or direct messages) is examined and immediate warnings are sent out to offending parties. Keep a copy of the offensive posts Be it a post, or a series of posts, direct message or even an offending photograph, always save it for future reference. Never assume that the matter will end soon, and always prepare for the worst. Don’t ignore privacy settings Most people start using Facebook, Twitter and other social networks without paying much attention to the privacy settings—what content people can see on your page, and who can directly contact you. Be conservative in sharing information—the less you share, the lower the chances of someone picking on you. “Avoid friending or linking to people whom you don’t know in real life unless you are certain of the chain of trust that exists between you and the unknown person,” says Abraham. New Delhi-based cyber lawyer Apar Gupta, adds: “The privacy settings on most social networking platforms allow users to prevent (restrict) the audience for their posts as well as strangers from contacting them. This will prevent most cases of online harassment.” Get help from the law In case social networks are not able to effectively block a user, or are in some way unwilling to do so, take help from the law-enforcement authorities. File an FIR in the nearest police station. Unfortunately, the progress may not be very smooth. The reality is that not every law-enforcement officer may know about social networking sites. “You could try and go to the police, but without support from the social network platform, they are often at a loss to do much themselves,” warns Kovacs. The police may look for hints of threat to cause bodily harm or worse still, to life. In such cases, they may recommend the case to the Cyber Crime Cell of the Central Bureau of Investigation. “Generally, while the substantive offences do exist under law, the process for having them enforced is deficient. These are deeper structural problems of delay, investigation and conviction which are prevalent across criminal justice or civil litigation,” clarifies Gupta. Officials at the Cyber Crime Cell say they take up cases after reference from the local police, who file the report first and do a preliminary level of investigation. But it is important to realize that only the police and the law-enforcement agencies have the right to demand further details about the perpetrator from the social networks, starting with profile details and Internet Protocol (IP) addresses, which will help track the person down. Das clarifies: “Facebook has a point-of-contact system through which the law-enforcement agencies tell us what the actual case is, depending on severity. The police may ask us to take down particular content, or even ask for user information like IP info, to prevent real crime.” According to Facebook’s Government Requests Report for July-December 2013, the network restricted access to 4,765 pieces of content after requests from the Indian government and law-enforcement agencies.

Though social networks were not designed with the intention of letting someone anonymously abuse another online, the reality is that people utilize the ability to hide behind online identities to threaten other users. These could be veiled attacks, direct abuse, or even threats to “cause bodily harm”. What can you do if you’re trolled and threatened on any social network? Follow our five-step guide.

Avoid conversation if you can
The responses could come in relation to something you may have just posted online. Or perhaps it could be just a random trolling attempt, to get a response from you. It is important to understand and identify such intentions. And as difficult as it may be, do not respond. Getting into a direct interaction with a bully only makes things worse.

Report to the social network
You should report any instance of cyber bullying or harassment to the host social network—the website or forum on which the interaction happened. There are various methods of getting in touch with the moderators—customer support email, contact submission forms or even via phone, in certain locations. Describe the problem in detail, and persist till the offending account is blocked from the platform. “Most social networks have systems that allow you to report abusive content and users. However, there is great variance in the speed with which they respond across different platforms, jurisdictions, etc.,” says Sunil Abraham, executive director at the Bangalore-based non-profit research organization Centre for Internet and Society. New Delhi-based Anja Kovacs, project director, at civil society organization Internet Democracy Project, adds: “Blocking and reporting an account can be two ways to stop harassment on some social networks, but on other platforms, such as Twitter, it is possible for the person to immediately make a new account under a different username, meaning that these measures do not necessarily stop the harassment.” Ankhi Das, director, public policy, India and South Asia at social network Facebook, says: “Every reported piece of content is reviewed. Serial offenders are notified for non-compliance.” Facebook’s Community Standards, that prevent harassment and offensive posts, have an 11-point categorization for reported content—violence and threats, hate speech, graphic content, bullying and harassment, to name some. Raheel Khursheed, head of news, politics and government at Twitter India, did not respond to our mail about how Twitter handles trolls at the time of going to press. On blogs and forums, it may be a bit easier to deal with trolling and abuse. If it is your own blog, you can delete comments and block users. If it is a forum, the administrator can do it for you. But, with social networks having millions of users, it is not possible to have one administrator managing it all. And it is not just Facebook and Twitter, all social networks have a method by which you can register your complaint. LinkedIn, for example, automatically blocks a user who gets multiple “I don’t know” responses to invitations to connect. There is a strong monitoring policy where any reported content (recommendations or direct messages) is examined and immediate warnings are sent out to offending parties.

Keep a copy of the offensive posts
Be it a post, or a series of posts, direct message or even an offending photograph, always save it for future reference. Never assume that the matter will end soon, and always prepare for the worst.

Don’t ignore privacy settings
Most people start using Facebook, Twitter and other social networks without paying much attention to the privacy settings—what content people can see on your page, and who can directly contact you. Be conservative in sharing information—the less you share, the lower the chances of someone picking on you. “Avoid friending or linking to people whom you don’t know in real life unless you are certain of the chain of trust that exists between you and the unknown person,” says Abraham. New Delhi-based cyber lawyer Apar Gupta, adds: “The privacy settings on most social networking platforms allow users to prevent (restrict) the audience for their posts as well as strangers from contacting them. This will prevent most cases of online harassment.”

Get help from the law
In case social networks are not able to effectively block a user, or are in some way unwilling to do so, take help from the law-enforcement authorities. File an FIR in the nearest police station. Unfortunately, the progress may not be very smooth. The reality is that not every law-enforcement officer may know about social networking sites. “You could try and go to the police, but without support from the social network platform, they are often at a loss to do much themselves,” warns Kovacs. The police may look for hints of threat to cause bodily harm or worse still, to life. In such cases, they may recommend the case to the Cyber Crime Cell of the Central Bureau of Investigation. “Generally, while the substantive offences do exist under law, the process for having them enforced is deficient. These are deeper structural problems of delay, investigation and conviction which are prevalent across criminal justice or civil litigation,” clarifies Gupta. Officials at the Cyber Crime Cell say they take up cases after reference from the local police, who file the report first and do a preliminary level of investigation. But it is important to realize that only the police and the law-enforcement agencies have the right to demand further details about the perpetrator from the social networks, starting with profile details and Internet Protocol (IP) addresses, which will help track the person down. Das clarifies: “Facebook has a point-of-contact system through which the law-enforcement agencies tell us what the actual case is, depending on severity. The police may ask us to take down particular content, or even ask for user information like IP info, to prevent real crime.” According to Facebook’s Government Requests Report for July-December 2013, the network restricted access to 4,765 pieces of content after requests from the Indian government and law-enforcement agencies.

For more details visit https://cis-india.org/news/livemint-july-22-2014-vishal-mathur-the-trouble-with-trolls

The Trouble with Hurried Solutions

chinmayi — 2012-12-20T04:23:08Z

The World Conference on International Telecommunication showed that countries are not yet ready to arrive at a consensus on regulation and control of the Internet

Chinmayi Arun's Op-ed was published in the Hindu on December 15, 2012.

The World Conference on International Telecommunication (WCIT) that concluded on December 14 saw much heated debate. Some countries wanted to use the International Telecommunication Union (ITU) to gain intergovernmental control of the World Wide Web. Some saw it as an opportunity to democratise the Internet, by replacing U.S. and corporate domination of Internet policy, with a more intergovernmental process. Others insisted that the Internet must be left alone.

The result is that after many days’ deliberations, there was no consensus. The amended International Telecommunication Regulations (ITRs) document has not yet been signed by over 50 countries, of which some like the United States have refused to sign altogether, while others have said that they will need to consult with their national governments before signing.

This article discusses the broader issue under question, which is, whether ITU is the best forum to solve the cross-border problems that arise in relation to the Internet.

WCIT, ITU and ITRs

The ITU has been creating international policy from the days in which the telegraph was prevalent. Although it is now a United Nations agency, its existence predates the U.N. As technology evolved, forcing the telegraph to give way to the telephone, the ITU created new standards for telephony. It even rechristened itself from ‘International Telegraph Union’ to ‘International Telecommunications Union’.

The ITU performs an essential role in ensuring that multiple states with their varying technology, standards and legal systems, are able to interconnect and co-ordinate. Its harmonising rules and standards make co-ordination easier and cheaper than having each state come to an agreement with every other state. The ITRs within the ITU framework facilitate co-ordination by creating binding rules for member states.

Some countries’ proposals for the amendment of the ITRs would have affected content on the Internet substantially. However, after prolonged negotiation, the final draft that was under consideration contained an explicit statement excluding such content from the ITRs’ purview. This draft also came with a resolution that made reference to states’ elaborating their Internet related public policy positions in ITU fora, which was a source of controversy.

Some of the initial suggestions like Russia’s controversial proposal would have given the ITU greater sway over the Internet, permitting it to lay down global standards. These standards may have encouraged countries to inspect data transmitted across the Internet to check whether it is undesirable content raising serious privacy and freedom of speech concerns, especially in countries that do not protect these rights.

The global standards created by the ITU would have permeated to the companies that create the web-based applications that we use, and the resulting law and technological choices would have affected individual users.

Internet governance

The ITU makes its decisions using a traditional model that only seeks consensus between governments, and this is far removed from the way in which the Internet has been governed thus far. Therefore, although expanding the ITU’s mandate to the Internet may seem natural to those who have followed its evolution mirroring the evolution of information technology, the ITU’s manner of functioning is viewed by many as being at odds with the more multi-stakeholder and ad hoc system used to build Internet policy.

In the 1990s, John Perry Barlow proclaimed that cyberspace was outside national borders, and questioned the authority and legitimacy of a national government’s attempts to govern it. Over the years, it has become clear that national governments can exert jurisdiction in cyberspace: filtering content, launching surveillance of users, and creating law that impacts citizens’ behaviour online directly and indirectly.

However, governments’ exertion of will on Internet users is tempered greatly by the other forces that have a strong influence on the Internet. User-behaviour and content often depend on the policies of major service providers like Google, Yahoo, Twitter and Facebook.

Key standards and functions like the allocation of domain names and developing of Internet standards are managed by organisations like ICANN and IETF, which are not governmental organisations. Features like user anonymity are based on technological choices on the World Wide Web. Therefore, governments face significant obstacles and counterbalancing power when they attempt to impose their will on citizens online.

The ITU can weigh this power balance in favour of governments. Many fear that more government power will lead to more censorship, surveillance and stifling of the innovation that is integral to the evolution of Internet. But others support ITU intervention, in the belief that an international inter-governmental regulatory body would be more accountable, and would prevent corporate abuse of power.

Several of the aforementioned corporations, as well as regulatory bodies under question, are headquartered in the United States. There are those who see this as excessive U.S. influence on the Internet, eroding the sovereignty of other states, which have relatively limited influence over what their citizens can transmit and access online. These people see the ITU as a forum that can democratise Internet Governance, giving states shared influence over the web. However, this shared influence is resisted by those who find that the U.S. influence offers them more leverage and protection for their freedom of speech, than increased influence of countries that threaten this internationally accepted human right.

Powerful arguments in favour of increased ITU involvement include highlighting the dangers of abandoning the Internet to the free market. It is true that markets need some regulation to guard against malfunction and abuse of power by stronger players. However, the significant question is not whether these markets should be regulated, but how they should be regulated. Unfortunately, many of the arguments that supported expansion of the ITU’s mandate failed to establish why the ITU is the best solution to the problems plaguing the Internet, rather than being the most readily available reaction.

Any regulatory intervention must have very clear objectives, and some estimate of its likely impact. The intervention must not be considered in isolation but in contrast with other ways to achieve the same goals. Although some of the serious transnational issues plaguing the Internet need international solutions, the ITU, at least in its current avatar, is not necessarily the best remedy. It also remains unclear exactly what effect ITU intervention would have on the Internet — whether it would really offer solutions as intended, or whether it would prove more detrimental than useful, condoning of human rights violations and slowing the blistering innovation that is characteristic of the Internet.

Lack of consensus

Therefore, some of the initial concerns expressed by the countries that refused to sign the ITRs were legitimate. However, the final ITRs document addressed many of these concerns. The dissent emerged over the insertion of text in the preamble that recognised member states’ rights to access international telecommunication networks. These rights, being expressed only in the preamble, are not enforceable, even if they express intentions that are unacceptable to some.

The debates at the WCIT made it clear that the world is not yet ready to come to a unified position on this subject. Perhaps the ITU’s continuation in its path towards increasing, and making effective, multi-stakeholder participation will be the unifying factor some day, if it evolves into a forum which everyone sees as sufficiently democratic, transparent and accountable for Internet policy.

(The writer is Assistant Professor of Law at National Law University, Delhi, and a Fellow of the Centre for Internet and Society, Bangalore. She attended the WCIT from December 3-14)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-opinion-lead-december-15-2012-chinmayi-arun-the-trouble-with-hurried-solutions

The Transformative Power of Online Activism

praskrishna — 2015-06-18T16:00:52Z

Rohini Lakshané was a panelist at this event organized by Hertie School of Governance on May 4, 2015.

Panelists

Alissa Wahid, National coordinator of the GUSDURian Network Indonesia
Renata Avila, Member of Creative Commons Board of Directors and a member of the Web Index Science Council, Guatemala
Rohini Lakshané, Researcher at the Centre for Internet and Society, India
Georgia Popplewell, Writer and media producer from Trinidad and Tobago

Moderation: Dilek Kurban J.D., Marie Curie Fellow, Hertie School of Governance

The lightning spread of communication technologies has enabled the dissemination of information and ideas that mainstream media have been unwilling or unable to publish. While the Internet empowers individuals to engage in advocating, mobilizing and reacting on behalf of the disempowered, it also raises significant issues of privacy and hate speech when used by the wrong people for the wrong reasons.

Are we at a stage where we can argue that online activism challenges the balance of power between governments and citizens, giving rise to a new form of deliberative and participatory democracy? Or is the transformative power of virtual civil disobedience blown out of proportion? To what extent is the Internet a level playing field where gender, ethnicity or class do not matter? What kinds of legal and political instruments are available to governments and corporations in their efforts to control the Internet? This panel discussion will bring together four female jury members of The BOBS Award 2015 who will seek answers to these and other questions regarding Internet activism, citizen journalism and grassroots mobilization.

re:thinking tomorrow is a discussion series hosted by Deutsche Welle and the Hertie School of Governance.

For more information see here.

For more details visit https://cis-india.org/internet-governance/news/the-transformative-power-of-online-activism

The thrill of saving India from cybercrime

praskrishna — 2016-11-21T02:42:48Z

Geeks seize the chance to help the government, defence forces and banks draw up fences against tech crimes.

The article by Peerzada Abrar was published in the Hindu on November 20, 2016.

Saket Modi loves long flights. The 26-year-old hacker likes to do most of his reasoning while criss-crossing the world. It was on one such flight from the United States to India that the co-founder of cybersecurity start-up Lucideus Tech read about India's largest data security breaches. While surfing the in-flight Internet he came to know that the security of about 3.2 million debit cards had been compromised.

“I was not surprised but I started thinking about how it would have happened. What was the ‘exploit’ used, how long was it there,” said Mr. Modi. Soon after reaching New Delhi, he received multiple requests from several banks and organisations to protect them from the hacking incident, which is just one of the thousands of cybercrimes that the country is facing.

In India, there has been a surge of approximately 350 per cent of cybercrime cases registered under the Information Technology (IT) Act, 2000 from the year of 2011 to 2014, according to a joint study by The Associated Chambers of Commerce and Industry of India and consulting firm PricewaterhouseCoopers. The Indian Computer Emergency Response Team (CERT-In) has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents in 2015, noted the Assocham-PwC joint study.

Ethical hackers

Mr. Modi is among a new breed of ethical hackers-turned-entrepreneurs who are betting big on this opportunity. An ethical hacker is a computer expert who hacks into a computer network on the behalf of its owner in order to test or evaluate its security, rather than with malicious or criminal intent.

“You cannot live in a world where you think that you can't be hacked. It doesn’t matter who you are,” said Mr. Modi who cofounded Lucideus four years ago. The company clocked revenues of Rs.4 crore in the last fiscal. This compares with the Rs.2.5 lakh revenues in the first year. The New Delhi-based firm now counts Reserve Bank of India, Ministry of Defence and Standard Chartered among its top clients.

Mr. Modi, who is also a pianist, discovered his skills for hacking into secure computer systems while preparing for his board exams. He hacked into his school computer and stole the chemistry question paper, after realising that he would not be able to clear the test conducted by his school. However, a guilty conscience compelled him to confess to his teacher who permitted him to still take the test. The incident transformed him to use his skills to protect and not misuse them. This year, Lucideus was hired by National Payments Corporation of India (NPCI) along with other information security specialists to protect its most ambitious project, the Unified Payment Interface (UPI) platform, from cyber attacks. UPI aims to bring digital banking to 1.2 billion people in the country. Lucideus has a team of 70 people mostly fresh college graduates who do hacking with authorisation.

“The reason behind choosing Lucideus was their young, energetic and knowledgeable team," said Bhavesh Lakhani, chief technology officer of DSP BlackRock, one of the premier asset management companies. Mr. Lakhani said that India is currently the epicentre of financial and technological advancements which make it a probable target of cyber-attacks.

Hacking lifeline

Indeed, a new breed of cyber criminals has emerged, whose main aim is not just financial gains but also cause disruption and chaos to businesses in particular and the nation at large, according to the Assocham-PwC study. Attackers can gain control of vital systems such as nuclear plants, railways, transportation and hospitals. This can subsequently lead to dire consequences such as power failures, water pollution or floods, disruption of transportation systems and loss of life, noted the study.

“The hacker doesn’t care whether he is attacking an Indian or a U.S. company. It is bread and butter for him and he wants to eat it wherever he gets it from,” said Trishneet Arora, a 22-year-old ethical hacker. In an office tucked away in Mohali, a commercial hub lying adjacent to the city of Chandigarh in Punjab, Mr.Arora fights these cyberattacks on a daily basis to protect his clients. His start-up TAC Security provides an emergency service to customers who have been hacked or are anticipating a cyberattack. It alerted a hospital in the U.S. after detecting vulnerabilities in their computer network.

Mr.Arora said that the hackers could have easily shut down the intensive care unit which was connected to it and remotely killed the patients. TAC said the data server of a bank in the UAE containing critical information got hacked recently. The bank also lost access to the server. TAC said that it not only helped the organisation to get back access to the server but also traced the hacker’s identity.

A school drop out, Mr.Arora founded TAC three years ago. But he initially found it tough to convince enterprises about his special skills. “I was a backbencher in the classroom and not good in studies, but I loved playing video games and hacking,” he said. He conducted workshops on hacking and provided his expertise to law enforcement agencies such as the Central Bureau of Investigation and various State police departments. His firm now provides its services to customers such as Reliance Industries, dairy brand Amul and tractor manufacturer Sonalika.

“We were surprised by their expertise,” said R.S. Sodhi, managing director of Amul. “We wanted to be sure that the company’s vital IT infrastructure is in the right hands – the big question was, ‘Who can that be?’ In TAC, we found that team.”

TAC expects to cross revenues of $5 million (Rs.33 crore) and employ about 100 ethical hackers by next year.

Budget woes

Security watchers such as Sunil Abraham, executive director of Bengaluru-based think tank Centre for Internet and Society said that India’s cybersecurity budget is woefully inadequate when compared to the spending by other countries. In 2014-15, the government doubled its cybersecurity budget by earmarking Rs.116 crore. “We require a budget of $1 billion per annum or every two years to build the cybersecurity infrastructure. The current cyber security policy has no such budget,” said Mr. Abraham.

According to Data Security Council of India (DSCI), India's cybersecurity market is expected to grow nine-fold to $35 billion by 2025, from about $4 billion. This would mainly be driven by an ecosystem to promote the growth of indigenous security product and services start-up companies.

The Cyber Security Task Force (CSTF) set up by DSCI and industry body Nasscom expects to create a trained base of one million certified and skilled cybersecurity professionals. It also aims to build more than 100 successful security product companies from India. Investors who normally focus on e-commerce ventures or public markets are now taking note of this opportunity and are betting on such ventures. Amit Choudhary, director, MotilalOswal Private Equity and an investor in Lucideus, said he saw tremendous opportunity in the cybersecurity market as hackers are shifting their focus from developed countries to emerging countries like India.

“There is a huge opportunity. The recent security breaches of a few Indian banks are an example,” said Vijay Kedia an ace stock picker and an investor in TAC Security. He said that organisations are still unaware of the widespread damage that can be caused by hackers. “The next war will be a ‘cyberwar’,” he said.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime

The Technology behind Big Data

Geethanjali Jujjavarapu and Udbhav Tiwari — 2016-12-04T09:53:43Z

The authors undertakes a high-level literature review of the most commonly used technological tools and processes in the big data life cycle. The big data life cycle is a conceptual construct that can be used to study the various stages that typically occur in collecting, storing and analysing big data, along with the principles that can govern these processes.

Download the Paper (PDF, 277 kb)

Introduction

Defining big data is a disputed area in the field of computer science^{^[1]}, there is some consensus on a basic structure to its definition^{^[2]}. Big data is data that is collected in the form of datasets that has three main criteria: size, variety & velocity, all of which operate at an immense scale^{^[3]}. It is ‘big’ in size, often running into petabytes of information, has vast variety within its components, and is created, captured and analysed at an incredibly rapid velocity. All of this also makes big data difficult to handle using traditional technological tools and techniques.

This paper will attempt to perform a high-level literature review of the most commonly used technological tools and processes in the big data life cycle. The big data life cycle is a conceptual construct that can be used to study the various stages that typically occur in collecting, storing and analysing big data, along with the principles that can govern these processes. The big data life cycle consists of four components, which will also be the key structural points of the paper, namely: Data Acquisition, Data Awareness, Data Analytics & Data Governance.⁴ The paper will focus on the aspects that the author believes are relevant for analysing the technological impact of big data on both technology itself and society at large.

Scope: The scope of the paper is to study the technology used in big data using the "Life Cycle of Big Data" as model structure to categorise & study the vast range of technologies that are involved in big data. However, the paper will be limited to the study of technology related directly to the big data life cycle. It shall specifically exclude the use/utilisation of big data from its scope since big data is most often being fed into other, unrelated technologies for consumption leading to rather limitless possibilities.

Goal: Goal of the paper is twofold: a.) to use the available literature on the technological aspects of big data, to perform a brief overview of the technology in the field and b.) to frame the relevant research questions for studying the technology of big data and its possible impact on society.

Data Acquisition

Acquiring big data has two main sub components to it, the first being sensing the existence of the data’ itself and the second, the stage of collecting and storing this data. Both of these subcomponents are incredibly diverse fields, with lots of rapid change occurring in the technology utilised to carry out these tasks. The section will provide a brief overview of the subcomponents and then discuss the technology used to fulfil the tasks.

Data Sensing

Data does not exist in a vacuum and is always created as a part of a larger process, especially in the aspect of modern technology. Therefore, the source of the data itself plays a vital role in determining how it can be captured and analysed in the larger scheme of things. Entities constantly emit information into the environment that can be utilised for the purposes of big data, leading to two main kinds of data: data that is “born digital” or “born analogue.”^{^[4]}

Born Digital Data

Information that is “born digital,” is created, by a user or by a digital system, specifically for use by a computer or data‐processing system. This is a vast range of information and newer fields are being added to this category on a daily basis. It includes, as a short, indicative list: email and text messaging, any form of digital input, including keyboards, mouse interactions and touch screens, GPS location data, data from daily home appliances (Internet of Things), etc. All of this data can be tracked and tagged to users as well as be aggregated to form a larger picture, massively increasing the scope of what may constitute the ‘data’ in big data.

Some indicative uses of how such born digital data is catalogued by technological solutions on the user side, prior to being sent for collection/storage are:

a.) Cookies - There are small, often just text, files that are left on user devices by websites in order to that visit, task or action (for example, logging into an email account) with a subsequent event.^{^[5]} (for example, revisiting the website)

b.) Website Analytics^{^[6]} - Various services, such as Google Analytics, Piwik, etc., can use JavaScript and other web development languages to record a very detailed, intimate track of a user's actions on a website, including how long a user hovers above a link, the time spent on the website/application and in some cases, even the time spent specific aspects of the page.

c.) GPS^{^[7]} - With the almost pervasive usage of smartphones with basic location capabilities, GPS sensors on these devices are used to provide regular, minute driven updates to applications, operating systems and even third parties about the user's location. Modern variations such as A-GPS can be used to provide basic positioning information even without satellite coverage, vastly expanding the indoor capabilities of location collection.

All of these instances of sensing born digital data are common terms, used in daily parlance by billions of people from all over the world, which is a symbolic of just how deeply they have pervaded into our daily lifestyle. Apart from privacy & security concerns this in turn also leads to an exponential increase in the data available to collect for any interested party.

Sensor Data

Information is said to be “analogue” when it contains characteristics of the physical world, such as images, video, heartbeats, etc. Such information becomes electronic when processed by a “sensor,” a device that can record physical phenomena and convert it into digital information. Some examples to better illustrate information that is born analogue but collected via digital means are:

a.) Voice and/or video content on devices - Apart from phone calls and other forms communication, video and voice based interactions have started to regularly be captured to provide enhanced services. These include Google Now^{^[8]}, Cortana^{^[9]} and other digital assistants as well as voice guided navigation systems in cars, etc.

b.) Personal health data such as heartbeats, blood pressure, respiration, velocity, etc. - This personal, potentially very powerful information is collected by dedicated sensors on devices such as Fitbit^{^[10]}, Mi Band^{^[11]}, etc. as well as by increasingly sophisticated smartphone applications such as Google Fit that can do so without any special device.

c.) Camera on Home Appliances - Cameras and sensors on devices such as video game consoles (Kinect^{^[12]} being a relevant example) can record detailed human interactions, which can be mined for vast amounts of information apart from carrying out the basic interactions with the devices itself.

While not as vast a category as born digital data, the increasingly lower costs of technology and ubiquitous usage of digital, networked devices is leading to information that was traditionally analogue in nature to be captured for use at a rapidly increasing rate.

Data Collection & Storage

Traditional data was normally processed using the Extract, Transform, Load (ETL) methodology, which was used to collect the data from outside sources, modify the data to fit needs, and then upload the data into the data storage system for future use.^{^[13]} Technology such as spreadsheets, RDBMS databases, Structured Query Languages (SQL), etc. were all initially used to carry out these tasks, more often than not manually. ^{^[14]}

However, for big data, the methodology traditionally followed is both inefficient and insufficient to meet the demands of modern use. Therefore, the Magnetic, Agile, Deep (MAD) process is used to collect and store data^{^[15]}^{^[16]}. The needs and benefits of such a system are: attracting all the data sources regardless of their quality (magnetic), logical and physical contents of storage systems adapting to the rapid data evolution in big data (agile) and complex algorithmic statistical analysis required of big data on a very short notice^{^[17]}. (deep)

The technology used to perform data storage using the MAD process requires vast amount of processing power, which is very difficult to create in a single, physical space/unit for nonstate or research entities, who cannot afford supercomputers. Therefore, most solutions used in big data rely on two major components to store data: distributed systems and Massive Parallel Processing^{^[18]} (MPP) that run on non-relational (in-memory) database systems. Database performance and reliability is traditionally gauged using pure performance metrics (FLOPS per second, etc.) as well as the Atomicity, consistency, isolation, durability (ACID) criteria.^{^[19]} The most commonly used database systems for big data applications are given below. The specific operational qualities and performance of each of these databases is beyond the scope of this review but the common criteria that makes them well suited for big data storage have been delineated below.

Non-relational databases

Databases traditionally used to be structured entities that operated solely on the ability to correlate information stored in them using explicitly defined relationships. Even prior to the advent of big data, this outlook was turning out to be a limiting factor in how large amounts of stored information could be leveraged, this led to the evolution of non relational database systems. Before going into them in detail, a basic primer on their data transfer protocols will be helpful in understanding their operation.

A protocol is a model that structures instructions in a particular manner so that it can be reproduced from one system to another^{^[20]}^{^[21]}. The protocols which govern technology in the case of big data have gone through many stages of evolution, starting off with simple HTML based systems^{^[22]}, which then evolved to XML driven SOAP systems^{^[23]}, which led to JavaScript Object Notation, or JSON^{^[24]}, the currently used form for in most big database systems. JSON is an open format used to transfer data objects, using human-readable text and is the basis for most of the commonly used non-relational database management systems. Examples of Non-relational databases also known as NoSQL databases, include MongoDB^{^[25]}, Couchbase^{^[26]}, etc. They were developed for both managing as well as storing unstructured data. They aim for scaling, flexibility, and simplified development. Such databases rather focus on the high-performance scalable data storage, and allow tasks to be written in the application layer instead of databases specific languages, allowing for greater interoperability.^{^[27]}

In-Memory Databases

In order to overcome performance limitation of traditional database systems, some modern databases now use in-memory databases. These systems manage the data in the RAM memory of the server, thus eliminating storage disk input/output. This allows for almost realtime responses from the database, in comparisons to minutes or hours required on traditional database systems. This improvement in the performance is so massive that, entirely new applications are being developed for using IMDB systems.^{^[28]} These IMDB systems are also being used for advanced analytics on big data, especially to increase the access speed to data and increase the scoring rate of analytic models for analysis.^{^[29]} Examples of IMDB include VoltDB^{^[30]}, NuoDB^{^[31]}, SolidDB^{^[32]} and Apache Spark^{^[33]}.

Hybrid Systems

These are the two major systems used to store data prior to it being processed or analysed in a big data application. However, the divide between data storage and data management is a slim one and most database systems also contain various unique attributes that cater them to specific kinds of analysis. (as can be seen from the IMDB example above) One example of a very commonly used Hybrid system that deals with storage as well as awareness of the data is Apache Hadoop³³, which is detailed below.

Apache Hadoop

Hadoop consists of two main components: the HDFS for the big data storage, and MapReduce for big data analytics, each of which will be detailed in their respective section.

The HDFS^{^[34]}^{^[35]} storage function in Hadoop provides a reliable distributed file system, stored across multiple systems for processing & redundancy reasons. The file system is optimized for large files, as single files are split into blocks and spread across systems known as cluster nodes.^{^[36]} Additionally, the data is protected among the nodes by a replication mechanism, which ensures availability even if any node fails. Further, there are two types of nodes: Data Nodes and Name Nodes.^{^[37]} Data is stored in the form of file blocks across the multiple Data Nodes while the Name Node acts as an intermediary between the client and the Data Node, where it directs the requesting client to the particular Data Node which contains the requested data.

This operating structure for storing data also has various variations within Hadoop such as HBase for key/value pair type queries (a NoSQL based system), Hive for relational type queries, etc. Hadoop’s redundancy, speed, ability to run on commodity hardware, industry support and rapid pace of development have led to it being almost co-equivalently associated with big data.^{^[38]}

Data Awareness

Data Awareness, in the context of big data, is the task of creating a scheme of relationships within a set of data, to allow different users of the data to determine a fluid yet valid context and utilise it for their desired tasks.^{^[39]} It is a relatively new field, in which most of the work is currently being done on semantic structures to allow data to gain context in an interoperable format, in contrast to the current system where data is given context using unique, model specific constructs.^{^[40]} (such as XML Schemes, etc.)

Some of the original work on this field was carried out in the form of utilising the Resource Description Framework (RDF), which was built primarily to allow describing of data in a portable manner, especially being agnostic towards platforms and systems for Semantic Web at the W3C. SPARQL is the language used to implement RDF based designs but both largely remain underutilised in both the public domain as well as big data. Authors such as Kurt

Cagle^{^[41]} and Bob DuCharme^{^[42]} predict its explosion in the next couple of years. Companies have also started realising the value of interoperable context, with Oracle Spatial^{^[43]} and IBM’s DB2^{^[44]} already including RDF and SPARQL support in the past 3 years.

While underutilised, the rapid developments taking place in the field will make the impact that data awareness may have on big data as big as Hadoop and maybe even SQL. Some aspects of it are already beginning to be used in Artificial Intelligence, Natural Language Processing, etc. with tremendous scope for development.^{^[45]}

Data Processing & Analytics

Data Processing largely has three primary goals: a. determines if the data collected is internally consistent; b. make the data meaningful to other systems or users using either metaphors or analogy they can understand; and (what many consider most importantly) provide predictions about future events and behaviours based upon past data and trends.^{^[46]}

Being a very vast field with rapidly changing technologies governing its operation, this section will largely concentrate on the most commonly used technologies in data analytics.

Data analytics requires four primary conditions to be met in order to carry out effective processing: fast, data loading, fast query processing, efficient utilisation of storage and adaptivity to dynamic workload patterns. The analytical model most commonly associated with meeting this criteria and with big data in general is MapReduce, detailed below. There are other, more niche models and algorithms (such as Project Voldemort^{^[47]} used by LinkedIn), which are used in big data but they are beyond the scope of the review, and more information about them can be read at article linked in the previous citation. (Reference architecture and classification of technologies, products and services for big data system)

MapReduce

MapReduce is a generic parallel programming concept, derived from the “Map” and “Reduce” of functional programming languages, which makes it particularly suited for big data operations. It is at the core of Hadoop^{^[48]}, and performs the data processing and analytics functions in other big data systems as well.^{^[49]} The fundamental premise of MapReduce is scaling out rather than scaling up, i.e., (adding more numerical resources, rather than increasing the power of a single system)^{^[50]}

MapReduce operates by breaking a task down into steps and executing the steps in parallel, across many systems. This comes with two advantages, a reduction in the time needed to finish the task and also a decrease in the amount of resources one has to expend to perform the task, in both power and energy. This model makes it ideally suited for the large data sets and quick response times required of big data operations generally.

The first step of a MapReduce job is to correlate the input values to a set of keys/value pairs as output. The “Map” function then partitions the processing tasks into smaller tasks, and assigns them to the appropriate key/value pairs.^{^[51]} This allows unstructured data, such as plain text, to be mapped to a structured key/value pair. As an example, the key could be the punctuation in a sentence and the value of the pair could be the number of occurrences of the punctuation overall. This output of the Map function is then passed on “Reduce” function.^{^[52]} Reduce then collects and combines this output, using identical key/value pairs, to provide the final result of the task.^{^[53]} These steps are carried using the Job Tracker & Task Tracker in Hadoop but different systems have different methodologies to carry out similar tasks.

Data Governance

Data Governance is the act of managing raw big data as well as the processed information that arises from big data in order to meet legal, regulatory and business imposed requirements. While there is no standardized format for data governance, there have been increasing call with various sectors (especially healthcare) to create such a format to ensure reliable, secure and consistent big data utilisation across the board. The following tactics and techniques have been utilised or suggested for data governance, with varying degrees of success:

Zero-knowledge systems: This technological proposal maintains secrecy with respect to the low-level data while allowing encrypted data to be examined for certain higherlevel abstractions.^{^[54]} For the system to be zero-knowledge, the client’s system will have to encrypt the data and send it to the storage provider. Due to this, the provider stores the data in the encrypted format and cannot decipher the same unless he/she is in possession of the key which will decrypt the data into plaintext. This allows the individual to store his data with a storage provider while also maintaining anonymity of the details contained in such information. However, these are currently just beginning to be used in simple situations. As of now, they are not expandable to unstructured and complex cases and have to be developed marginally before they can be used for research and data mining purposes.
Homomorphic encryption: Homomorphic encryption is a privacy preserving technique which performs searches and other computations over data that is encrypted while also protecting the individual’s privacy.^{^[55]} This technique has however been considered to be impractical and is deemed to be an unlikely policy alternative for near future purposes in the context of preserving privacy in the age of big data.^{^[56]}
Multi-party computation: In this technique, computation is done on encrypted distributed data stores.^{^[57]} This mechanism is closely related to homomorphic encryption where individual data is kept private using encryption algorithms called “collusion-robust” while the same is used to calculate statistics.^{^[58]} The parties involved are aware of some private data and each of them use a protocol which produces results based on the information they are aware of and the information they are not aware of, without revealing the data they are not already aware of.^{^[59]} Multi-party computations thus help in generating useful data for statistical and research purposes without compromising the privacy of the individuals.

Differential Privacy: Although this technological development is related to encryption, it follows a different technique. Differential privacy aims at maximizing the precision of computations and database queries while reducing the identifiability of the data owners who have records in the database, usually through obfuscation of query results.^{^[60]} This is widely applied today in the existence of big data in order to ensure preservation of privacy while trying to reap the benefits of large scale data collection.^{^[61]}
Searchable encryption: Through this mechanism, the data subject can make certain data searchable while minimizing exposure and maximizing privacy.^{^[62]} The data owner can make his information available through search engines by providing the data in an encrypted format but by adding tags consisting of certain keywords which can be deciphered by the search engine. This encrypted data shows up in the search results when searched with these particular keywords but can only be read when the person is in possession of the key which is required for decrypting the information.

This technique of encryption provides maximum security to the individual’s data and preserves privacy to the greatest possible extent.

K-anonymity: The property of k-anonymity is being applied in the present day in order to preserve privacy and avoid re-identification.^{^[63]} A certain data set is said to possess the property of k-anonymity if individual specific data can be released and used for various purposes without re-identification. The analysis of the data should be carried out without attributing the data to the individual to whom it belongs and should give scientific guarantees for the same.
Identity Management Systems: These systems enable the individuals to establish and safeguard their identities, explain those identities with the help of attributes, follow the activity of their identities and also delete their identities if they wish to.^{^[64]} It uses cryptographic schemes and protocols to make anonymous or pseudonymous the identities and credentials of the individuals before analysing the data.
Privacy Preserving Data Publishing: This is a method in which the analysts are provided with the individual’s personal information with the ability to decipher particular information from the database while preventing the inference of certain other information which might lead to a breach of privacy.^{^[65]} Data which is essential for the analysis will be provided for processing while sensitive data will not be disclosed. This tool primarily focuses on microdata.
Privacy Preserving Data Mining: This mechanism uses perturbation methods and randomization along with cryptography in order to permit data mining on a filtered version of the data which does not contain any form of sensitive information. PPDM focuses on data mining results unlike PPDP.^{^[66]}

Conclusion

Studying the technology surrounding big data has led to two major observations: the rapid pace of development in the industry and the stark lack of industry standards or government regulations directed towards big data technologies. These observations have been the primary motivating factor for framing further research in the field. Understanding how to deal with big data technologically, rather than just the potential regulation of possible harms after the technological processes have been performed might be critical for the human rights dialogue as these processes become even more extensive, opaque and technologically complicated.

[1] EMC: Data Science and Big Data Analytics. In: EMC Education Services, pp. 1–508 (2012)

[2] Bakshi, K.: Considerations for Big Data: Architecture and Approaches. In: Proceedings of the IEEE Aerospace Conference, pp. 1–7 (2012)

[3] Adams, M.N.: Perspectives on Data Mining. International Journal of Market Research 52(1), 11–19 (2010) ⁴ Elgendy, N.: Big Data Analytics in Support of the Decision Making Process. MSc Thesis, German University in Cairo, p. 164 (2013)

[4] Big Data and Privacy: A Technological Perspective - President’s Council of Advisors on Science and

Technology (May 2014)

[5] Chen, Hsinchun, Roger HL Chiang, and Veda C. Storey. "Business Intelligence and Analytics: From Big Data to Big Impact." MIS quarterly 36.4 (2012): 1165-1188.

[6] Chandramouli, Badrish, Jonathan Goldstein, and Songyun Duan. "Temporal analytics on big data for web advertising." 2012 IEEE 28th international conference on data engineering. IEEE, 2012.

[7] Laurila, Juha K., et al. "The mobile data challenge: Big data for mobile computing research." Pervasive Computing. No. EPFL-CONF-192489. 2012.

[8] Lazer, David, et al. "The parable of Google flu: traps in big data analysis." Science 343.6176 (2014): 12031205.

[9] ibid

[10] Banaee, Hadi, Mobyen Uddin Ahmed, and Amy Loutfi. "Data mining for wearable sensors in health monitoring systems: a review of recent trends and challenges." Sensors 13.12 (2013): 17472-17500.

[11] ibid

[12] Chung, Eric S., John D. Davis, and Jaewon Lee. "Linqits: Big data on little clients." ACM SIGARCH Computer Architecture News. Vol. 41. No. 3. ACM, 2013.

[13] Kornelson, Kevin Paul, et al. "Method and system for developing extract transform load systems for data warehouses." U.S. Patent No. 7,139,779. 21 Nov. 2006.

[14] Henry, Scott, et al. "Engineering trade study: extract, transform, load tools for data migration." 2005 IEEE Design Symposium, Systems and Information Engineering. IEEE, 2005.

[15] Cohen, Jeffrey, et al. "MAD skills: new analysis practices for big data." Proceedings of the VLDB Endowment

[16] .2 (2009): 1481-1492.

[17] Elgendy, Nada, and Ahmed Elragal. "Big data analytics: a literature review paper." Industrial Conference on Data Mining. Springer International Publishing, 2014.

[18] Wu, Xindong, et al. "Data mining with big data." IEEE transactions on knowledge and data engineering 26.1 (2014): 97-107.

[19] Supra Note 17

[20] Hu, Han, et al. "Toward scalable systems for big data analytics: A technology tutorial." IEEE Access 2 (2014):

[21] -687.

[22] Kurt Cagle, Understanding the Big Data Lifecycle - LinkedIn Pulse (2015)

[23] Coyle, Frank P. XML, Web services, and the data revolution. Addison-Wesley Longman Publishing Co., Inc., 2002.

[24] Pautasso, Cesare, Olaf Zimmermann, and Frank Leymann. "Restful web services vs. big'web services: making the right architectural decision." Proceedings of the 17th international conference on World Wide Web. ACM, 2008.

[25] Banker, Kyle. MongoDB in action. Manning Publications Co., 2011

[26] McCreary, Dan, and Ann Kelly. "Making sense of NoSQL." Shelter Island: Manning (2014): 19-20.

[27] ibid

[28] Zhang, Hao, et al. "In-memory big data management and processing: A survey." IEEE Transactions on Knowledge and Data Engineering 27.7 (2015): 1920-1948.

[29] ibid

[30] ibid

[31] Supra Note 20

[32] Ballard, Chuck, et al. IBM solidDB: Delivering Data with Extreme Speed. IBM Redbooks, 2011.

[33] Shanahan, James G., and Laing Dai. "Large scale distributed data science using apache spark." Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, 2015. ³³ Shvachko, Konstantin, et al. "The hadoop distributed file system." 2010 IEEE 26th symposium on mass storage systems and technologies (MSST). IEEE, 2010.

[34] Borthakur, Dhruba. "The hadoop distributed file system: Architecture and design." Hadoop Project Website

[35] .2007 (2007): 21.

[36] ibid

[37] ibid

[38] Zikopoulos, Paul, and Chris Eaton. Understanding big data: Analytics for enterprise class hadoop and streaming data. McGraw-Hill Osborne Media, 2011.

[39] Bizer, Christian, et al. "The meaningful use of big data: four perspectives--four challenges." ACM SIGMOD Record 40.4 (2012): 56-60.

[40] Kaisler, Stephen, et al. "Big data: issues and challenges moving forward." System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013.

[41] Supra Note 21

[42] DuCharme, Bob. "What Do RDF and SPARQL bring to Big Data Projects?." Big Data 1.1 (2013): 38-41.

[43] Zhong, Yunqin, et al. "Towards parallel spatial query processing for big spatial data." Parallel and

Distributed Processing Symposium Workshops & PhD Forum (IPDPSW), 2012 IEEE 26th International. IEEE, 2012.

[44] Ma, Li, et al. "Effective and efficient semantic web data management over DB2." Proceedings of the 2008 ACM SIGMOD international conference on Management of data. ACM, 2008.

[45] Lohr, Steve. "The age of big data." New York Times 11 (2012).

[46] Pääkkönen, Pekka, and Daniel Pakkala. "Reference architecture and classification of technologies, products and services for big data systems." Big Data Research 2.4 (2015): 166-186.

[47] Sumbaly, Roshan, et al. "Serving large-scale batch computed data with project voldemort." Proceedings of the 10th USENIX conference on File and Storage Technologies. USENIX Association, 2012.

[48] Bar-Sinai, Michael. "Big Data Technology Literature Review." arXiv preprint arXiv:1506.08978 (2015).

[49] ibid

[50] Condie, Tyson, et al. "MapReduce Online." Nsdi. Vol. 10. No. 4. 2010.

[51] Supra Note 47

[52] Dean, Jeffrey, and Sanjay Ghemawat. "MapReduce: a flexible data processing tool." Communications of the ACM 53.1 (2010): 72-77.

[53] ibid

[54] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[55] Tene, Omer, and Jules Polonetsky. "Big data for all: Privacy and user control in the age of analytics." Nw. J. Tech. & Intell. Prop. 11 (2012): xxvii.

[56] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[57] Privacy by design in big data, ENISA

[58] Big Data and Privacy: A Technological Perspective, White House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[59] Id

[60] Id

[61] Tene, Omer, and Jules Polonetsky. "Privacy in the age of big data: a time for big decisions." Stanford Law Review Online 64 (2012): 63.

[62] Lane, Julia, et al., eds. Privacy, big data, and the public good: Frameworks for engagement. Cambridge University Press, 2014.

[63] Crawford, Kate, and Jason Schultz. "Big data and due process: Toward a framework to redress predictive privacy harms." BCL Rev. 55 (2014): 93.

[64] http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[65] Seda Gurses and George Danezis, A critical review of 10 years of privacy technology, August 12th 2010, http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[66] Id

For more details visit https://cis-india.org/internet-governance/blog/technology-behind-big-data

The Take Down of Free Speech Online

praskrishna — 2014-04-06T05:19:50Z

As part of a study to access rate of compliance, in 2011, the Centre for Internet and Society Bangalore sent frivolous “take down” requests to seven prominent intermediaries. The study showed exactly how easy it is to take down online content.

This was published in Newslaundry on April 1, 2014. CIS research on Intermediary Liabilities is quoted.

CIS found that six out of the seven intermediaries “over complied” with the notices. Facts such as these about intermediary liability were discussed in a panel discussion “Intermediary Liability & Freedom of Expression in India” in Delhi on March 27, 2014 organised by Centre for Communication Governance at National Law University in collaboration with the Global Network Initiative.

The panel also included Professor Ranbir Singh, Vice Chancellor of NLU, Jermyn Brooks (Independent Chair – Global Network Initiative, Washington DC), Shyam Divan (Senior Advocate, Supreme Court of India) and SiddharthVaradarajan (Journalist). They discussed proxy censorship by government through private players and how e-business’ lose out on opportunities because of the current legal framework in the country within which intermediaries have to function.

According to Section 2(1)(w) of The Information Technology Act, 2000, “intermediary”- with respect to any particular electronic message -signifies any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message.According to Rishab Dara, recipient of the Google policy Fellowship 2011, in an article titled, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet, “intermediaries are widely recognised as essential cogs in the wheel of exercising the right to freedom of expression on the Internet. Most major jurisdictions around the world have introduced legislations for limiting intermediary liability in order to ensure that this wheel does not stop spinning”.

The “safe harbor”or what is also known asIntermediary Liability Laws according to Section 79 of the Information Technology Act are given below:

Intermediaries not to be Liable in Certain Cases

(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

(3) The provisions of sub-section (1) shall not apply if—

(a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or othorise in the commission of the unlawful act;

(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.

Under the Act, the intermediary needs to act on a complaint within 36 hours of a take down notice -failing which they will be liable to legal action if the case is taken to the court.

Shyam Divan spoke about the absurdity of the 36-hour turnaround time that an intermediary has between receiving a complaint and taking down the content. According to him, without any kind of legal option to fall back on, intermediaries decide to comply with such take down notices fearing “serious penalties and possibility of prosecution” which results in “indirect censorship”. He also said, “Domestic constitution in itself is not going to be sufficient”. “Meta-constitutions” which are transnational and have uniform laws across countries could be a possible solution to the current confusion as the internet is a global phenomenon and it would ensure that “the extent of our online rights would not be limited to the constitution of the country”.

Giving the example of hate speech, Siddharth Varadarajan, mentioned the Indian executive’s different approaches towards different mediums. Referring to hate speeches made during the 1993 Bombay riots by Shiv Sena leaders and those made during the 2002 Gujarat riots, he said, “Hate speech never gets prosecuted when made amid a physical crowd in a volatile situation.I can understand why politicians won’t be prosecuted but why so much sensitivity on online content. This paradox is worth reflecting on.Despite its limited reach, the executive reacts in such a hyper-sensitive manner”.He adds that as the editor of a news website one faces daily problems in taking decisions on online content especially on comment moderation and whether the website would be responsible for a certain comment made by a reader. Echoing Shyam Divan’s views,he said that in India more than the punishment, when a case is filed, the legal process itself becomes a punishment, which forces Internet Service Providers to comply with requests of blocking online content.

The Global Network Initiative is a Washington-based organisation that provides a framework for companies to deal with governments requesting censorship or surveillance of online content, “rooted in international standards legal framework also interesting people”. According to a report released by it, “provided that the existing safe harbour regime is improved, intermediaries can become a significant part of the economy and their GDP contribution may increase to more than 1.3 per cent by 2015. The potential corresponds to $41 billion by 2015”.Jermyn Brooks,Independent Chair of GNI,argued that instead of focusing all efforts on ensuring that the Information Technology (Intermediaries Guidelines) Rules, 2011 gets struck down by Courts for its unconstitutionality, there should also be a movement to effect policy changes through the amendment of the law. According to him, such a proposition would be more lucrative for a government looking for “re-invigoration of economic growth in India”.

The discussion was significant in the light that a number of cases related to the IT Act and freedom of online speech will be heard in the Supreme Court in the coming months. A petition by Mouthshut.com challenges the Information Technology (Intermediaries Guidelines) Rules 2011 “which effectively creates a notice and takedown regime for content hosted by intermediaries”. Another important case up for hearing is a petition by Member of Parliament Rajeev Chandrashekhar,“which also challenges these rules on grounds that they are ambiguous, require private parties to subjectively assess objectionable content, and that they undermine the safe harbour exemptions from liability granted to intermediaries by section 79 of the IT Act”. The People’s Union for Civil Liberties (PUCL) has challenged the Intermediaries Guidelines rules as well as the Procedure and Safeguards for Blocking for Access of Information by the Public Rules 2009. “This petition has pointed to the lack of transparency in the blocking procedure, which does not currently offer the public any notice or reasons for the blocking.”

“The cases pending before the Supreme Court will have a significant impact on the freedom of expression. We should never take our rights for granted – the interpretation of these rights needs to be consistent with their spirit”, said Professor Ranbir Singh.

Citing the recent example of the Wendy Doniger episode, Varadarajan says, “If Penguin chooses to pack up at the District court level, you know how Internet Service Providers would react to take down notices…Specific targeting of online speech would ultimately have a negative impact on the traditional media”. And that is the crux of the matter. In the absence of intermediate liability not being limited, online censorship and the curtailment of the freedom of speech will become far easier and will only worsen.

For more details visit https://cis-india.org/news/newslaundry-april-1-2014-somi-das-the-take-down-of-free-speech-online

The Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers!

maria — 2013-07-12T11:59:10Z

Maria Xynou is conducting research on surveillance technology companies operating in India. So far, 76 companies have been detected which are currently producing and selling different types of surveillance technology. This post entails primary data on the first ever investigation of the surveillance industry in India. Check it out!

This blog post has been cross-posted in Medianama on May 8, 2013. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

So yes, we live in an Internet Surveillance State. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveille us in the first place?

Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it lacks privacy legislation which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.

The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?

A glimpse of the surveillance industry in India

In light of the UID scheme, the National Intelligence Grid (NATGRID), the Crime and Criminal Tracking Network System (CCTNS) and the Central Monitoring System (CMS), who supplies law enforcement agencies the technology to surveille us?

In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to biometrics, CCTV cameras, GPS tracking and access control systems. The reason why these companies were randomly selected was to reduce the probability of research bias and out of the 100 companies initially selected, 76 of them turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies simultaneously produce internet monitoring software and encryption tools! Thus it would probably not be fair to label companies as ´surveillance technology companies´ per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.

Companies selling surveillance technology in India are listed in Table 1. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.

Table 2 shows the types of surveillance technology produced and sold by these 76 companies.

The graph below is based on Table 2 and shows which types of surveillance are produced the most by the 76 companies.

Graph on types of surveillance sold to law enforcement agencies by 76 companies in India

Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the UID scheme which is rapidly expanding across India. Only one company from the sample produces social network analysis software, but this is not to say that this type of technology is low in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used in social networking sites and which could have similar - if not the same - capabilities as social network analysis software. Such technology may potentially be aiding the Central Monitoring System (CMS), especially since the project would have to monitor and mine Big Data.

On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since the majority of the population in India does not even have Internet access. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while more than half the population owns mobile phones. Seeing as companies, such as ClearTrail Technologies and Shoghi Communications, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.

Did you Know:

CARLOS62 on flickr

WSS Security Solutions Pvt. Ltd. is north India´s first CCTV zone
Speck Systems Limited was the first Indian company to design, manufacture and fly a micro UAV indigenously
Mobile Spy India (Retina-X Studios) has the following mobile spying features:

SniperSpy: remotely monitors smartphones and computers from any location

Mobile Spy: monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces

4. Infoserve India Private Limited produces an Internet monitoring System with the following features:

Intelligence gathering for an entire state or a region
Builds a chain of suspects from a single start point
Data loss of less than 2%
2nd Generation Interception System
Advanced link analysis and pattern matching algorithms
Completely Automated System
Data Processing of up to 10 G/s
Automated alerts on the capture of suspicious data (usually based on keywords)

5. ClearTrail Technologies deploys spyware into a target´s machine
6. Spy Impex sells Coca Cola Tin Cameras!
7. Nice Deal also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and Lighter Video Cameras to name a few...
8. Raviraj Technologies is an Indian company which supplies RFID and biometric technology to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?

Non-democracies lack adequate privacy and human rights safeguards and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further oppression within these countries

Egypt and Tunisia had elections to transit to democracy and by providing them biometric technology, this could lead to further oppression and stifle efforts to increase human rights safeguards

“I´m not a terrorist, I have nothing to hide!”

r1chardm on flickr

It´s not a secret: Everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:

“I´m not a terrorist, I have nothing to hide!”

Indeed. You may not be a terrorist...and you may think you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define ´risky´ and ´non-risky´ information?

Last year at the linux.conf.au, Jacob Appelbaum stated that in a surveillance state, everyone can potentially be a suspect. The argument “I´m not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. Bruce Schneier has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to ential ´non-risky´ information, but the reality of security may indicate that our data may entail ´risky information´ depending on who is looking at it, when, how and why. I disagree with the distinction between ´risky´ and ´non-risky´ information, as any data can potentially be ´risky´ depending on the circumstances of its access.

That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, we are all potentially suspects. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus may ultimately end us up being suspects. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under ´suspicious activity´. It´s not really an issue of whether we are involved in a criminal organisation per se or if we are disclosing so-called ´risky information´. As long as our data is being surveilled, we are all suspects, which means that we can all potentially be arrested, interrogated and maybe even tortured, just like any other criminal suspect.

But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals´ right to privacy and other human rights.

Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market´s demand and without it, the surveillance industry would not exist. The market appears to demand for surveillance technologies because a pre-existing surveillance culture has been established which in turn may or may not have been created by political interests of public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as 3M, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company is minimum proof that surveillance is being socially integrated. In other words, companies should be accountable in regards to the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.

By not opposing to repressive surveillance laws, to the CCTV cameras in every corner, to surveillance schemes -such as NATGRID and the CMS in India- or by handing over our data, we are fuelling the surveillance state. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather it appears to be a product of both the Information Revolution and of our illusionary sense of control over our personal data. Our ´apathy´ enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.

Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because India lacks privacy legislation which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.

Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as Raviraj Technologies, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country - which lacks adequate safeguards for its citizens - with the technology to ultimately control its citizens can potentially have severe effects on human rights within the country. Thus export controls are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions to international companies selling surveillance technologies from creating offices in India, since the country currently lacks privacy legislation.

Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even murdered in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.

For more details visit https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers

The Surveillance Industry in India – An Analysis of Indian Security Expos

divij — 2015-03-08T12:25:15Z

The author talks about the surveillance industry in India and analyses Indian security expos.

Introduction

The 'Spy Files', a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world - a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals.[1] These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites. Moreover, the unregulated and undiscerning nature of the industry means that it has enabled governments (and also private agencies) across the world - from repressive dictatorships to governments in western democracies with a growing track record of privacy and civil liberties infringements - to indulge in secretive, undemocratic and often illegal surveillance of their citizens. The Spy Files and related research have revealed how the mass surveillance industry utilizes the rhetoric of national security and counter-terrorism to couch technologies of surveillance.

'Security' and the Normalization Of Surveillance

New technologies undoubtedly create a potential for both malicious as well as beneficial use for society. Surveillance technologies are a prime example, having both enabled improvements in law enforcement and security, but at the same time creating unresolved implications for privacy and civil liberties. These technologies expose what Lawrence Lessig describes as 'latent ambiguities' in the law - ambiguities that require us to assess the implications and effects of new technologies and how to govern them, and most importantly, to choose between conflicting values regarding the use of technologies, for example, increased security as against decreased privacy.[2]

Unfortunately, In India, the ambiguity seems to have been resolved squarely in favour of surveillance - under the existing regulatory regime, surveillance is either expressly mandated or unregulated, and requires surveillance to be built into the architecture and design of public spaces like internet and telephone networks, or even public roads and parks. Most of these regulations or mechanisms are framed without democratic debate, through executive mechanisms and private contracts with technology providers, without and public accountability or transparency.

For example, under the telecom licensing regime in India, the ISP and UASL licenses specifically require lawful interception mechanisms through hardware or software to be installed by the licensees, for information (Call Data Records, Packet Mirroring, Call Location) to be provided to 'law enforcement agencies', as specified by the Government.[3] Section 69 of the Information Technology Act, the main legislation governing the Internet in India, read with the rules framed under the Act, makes it incumbent upon 'intermediaries' to provide surveillance facilities at the behest of government agencies.[4]

Beyond this, the State and its agencies Section 69 and 69B of the IT Act empower the government to intercept and monitor any data on the Internet. The Telegraph Act also permits wiretapping of telephony.[5] The proposed Central Monitoring System by the Central Government would give state agencies centralized access to all telecommunications in real time, on telephony or on the Internet. Other surveillance schemes include the Keyword Tracking system NETRA, as well as several state government proposed comprehensive CCTV-surveillance schemes for cities. [6] Clearly, therefore, there is a massive market for surveillance technologies in India.

Tracking the Surveillance Market

The Mass surveillance industry by its very nature is closed, secretive and without democratic oversight, Insights into the prevalence, nature and scope of the companies that form this industry, or the technologies that are utilized are far and few. No democratic debate about surveillance can take place in such a paradigm. In this context, security expos and exhibitions provide critical insight into this industry. Several of the important revelations about the industry in the past have been from examinations of large exhibitions in which the various governmental and industry actors participate, and therefore, such analysis is critical to the debate surrounding mass surveillance. Such exhibitions are a logical starting point because they are one of the few publically accessible showcases of surveillance-ware, and are also a congregation of most major players who are part of this market both as suppliers and purchasers.

Our research identified at least 13 exhibitions in India that specifically cater to the surveillance industry. A brief outline of each of these exhibitions is provided below:

1. Secutech India (Brochures: 2015 -http://www.secutechindia.co.in/pdf/secutech%20brochure.pdf)

The Secutech Expo is an exhibition held in Bombay and Delhi since 2011, to showcase Information Security, Electronic Security and Homeland Security technologies. Secutech also organizes the Global Digital Surveillance Forum, a conference amongst the stakeholders of digital surveillance industry in India.[7]

Exhibitors: Ivis; Matrix Comsec; Neoteric; Smartlink; Kanoe; Micro Technologies; Aditya Infrotech; CoreTech Solutions; Merit Lilin; Schneider Electric; Pash systems; Nettrack Technologies Pvt Ltd.; QNAP; Axxonsoft; Hk Vision (China); Alhua; Axis; Vivotech (Taiwan); Endroid (USA); Vantge (UK); Pelco (France); Advik; Hi Focus (UK); ESMS; Keeper (China); Neoteric; Vizor, etc

Visitors: The visitor profile and target audience consists of government and defense agencies, besides private agencies.

Technologies on display: Digital surveillance, biometrics, CCTV and RFID are some categories of the technologies which are showcased here.

2. IFSEC India (Brochures: 2013 - http://www.ifsecindia.com/uploads/IFSEC%20INDIA%20brochure%202013.pdf; 2014 - http://www.ubmindia.in/ifsec_india/uploads/IFSEC_INDIA_Brochure_CS5_new_low.pdf.)

IFSEC India, an extension of IFSEC UK, the 'worlds largest security exhibition', proclaims to be South Asia's largest security exhibition with 15,000 participants in its latest edition, including a special segment on surveillance. It has been held in either Bombay or Delhi since 2007.

Exhibitors: Honeywell; Infinova; Radar Vision; QNAP; Ensign; Winposee; Bosch; Comguard; Verint; ACSG; Ensign etc.

Visitors: Visitors include government agencies such as the Central Industrial Security Force, Border Security Force, Department of Internal Security, Railway Protection Force and the Department of Border Management.

Technologies on display: RFID, Video Surveillance, Surveillance Drones, IP Surveillance, Digital Surveillance and Monitoring were some of the categories of technologies on display.

3. India International Security Expo (Brochures: 2014 - http://www.indiasecurityexpo.com/images/e_brochure.pdf)

Held in New Delhi since 1996, and organized by the Ministry of Home Affairs, the expo is described as "India's largest show case of goods and services related to Homeland Security, Fire Safety, Traffic Management, Industrial Safety and Public Safety, Hospitality and Reality Security." With specific reference to the changing 'modus operandi of crime by using technology', the Expo focuses on using surveillance technologies for law enforcement purposes.

Exhibitors: Intellivision (USA); Intex (India); ESC Baz (Israel); Sparsh Securitech; Source Security (USA); Intellivision (USA); Interchain Solutions; ESSI; Kritikal; Matrix; Pace Solutions etc.

Visitors: According to the show's brochure, visitors include Central & State Police Organisations, Paramilitary Forces, Policy-makers from the Government, Industrial Establishments, Security Departments of Educational, Retail, Hospitality, Realty & other sectors, Colonisers, Builders, RWAs, System Integrators Large business houses and PSU's.

Technologies on display: Access control systems, surveillance devices, RFID, traffic surveillance and GPS Tracking.

4. Secure Cities Expo (Brochures: 2013 - http://securecitiesindia.com/Secure_Cities_2013_Brochure.pdf; 2014 - http://securecitiesindia.com/images/2014/SC_2014_Brochure.pdf.)

Secure Cities Expo has been organized since 2008, on the platform of providing homeland security solutions and technologies to government and private sector participants.

Exhibitors: Dell; Palo Alto Networks; Motorola; Konnet; Vian Technologies; Quick Heal; Intergraph, GMR, Tac Technologies, Steria, Teleste, Elcom, Indian Eye Security; Mirasys; CBC Group; Verint (USA); IBM (USA); Digitals; EyeWatch; Kanoe; NEC (Japan); ACSG Corporate; ESRI (USA), etc.

Visitors: Visitors include government and law enforcement agencies including the Ministry of Home Affairs as well as systems integrators and private firms including telecom firms.

Technologies on display: CCTV, Biometrics, Covert Tracking and Surveillance Software, Communication Interception, Location and Tracking systems, and IT Security.

5. Defexpo India (Brochures: No publically available brochures)

By far India's largest security exposition, the Ministry of Defense has organized Defexpo India since 1999, showcasing defense, border, and homeland security systems from technology providers internationally.

Exhibitors: Aurora Integrated; Airbus Defence (France); Boeing (USA); Hacking Team (Italy); Kommlabs (Germany); Smoothwall; Atlas Electronik; Cyint; Audiotel International; Cobham; Tas-Agt; Verint; Elsira (Elbit) (Israel); IdeaForge; Comint; Controp; Northrop Gruman; Raytheon; C-DoT; HGH Infrared (Israel); Okham Solutions (France); Septier (Israel); Speech Technology Centre (Russia); Aerovironment (USA); Textron; Sagem (France); Amesys (France); Exelis; ITP Novex (Israel), etc.

Visitors: The latest edition of the Expo saw participation from governmental delegations from 58 countries, besides Indian governmental and law enforcement authorities.

Technologies on display: The entire spectrum of surveillance and homeland security devices is on display at Defexpo, from Infrared Video to Mass Data Interception.

6. Convergence India Expo (Brochures: 2012 - http://convergenceindia.org/download/CI2012-PSR.pdf; 2014 -http://www.convergenceindia.org/pdf/CI-2014-Brochure.pdf; 2015 - http://www.convergenceindia.org/pdf/brochure-2015.pdf.)

Convergence India, being held in New Delhi since 1991, is a platform for interaction between Information and Communication Technology providers and purchasers in the market. In recent years, the expo has catered to the niche market for IT surveillance.

Exhibitors: ELT (UK); Comguard; Fastech; Synway (China); Saltriver; Anritsu (Japan); Cdot; Fastech; Rahul Commerce; Deviser Electronics; RVG Diginet; Blue Coat (USA); Cyberoam (USA); ZTE (China); Net Optics (USA); Controp; Comint etc.

Visitors: Visitors include Paramilitary Forces, Cable Operators, Government Ministries and PSU's and Telecom and Internet Service Providers.

Technologies on Display: Biometrics, Content Filtering, Data Mining, Digital Forensics, IP-Surveillance, Embedded Softwares, Network Surveillance and Satellite Monitoring were some of the technologies on display.

7. International Police Expo (Brochures: 2014 - http://www.nexgengroup.in/exhibition/internationalpoliceexpo/download/International_Police_Expo_2014.pdf.)

The International Police Expo held in New Delhi focuses on providing technologies to police forces across India, with specific focus on IT security and communications security.

Exhibitors: 3G Wireless Communications Pvt Ltd; Motorola Solutions; Cyint; Matrix Comsec; Cellebrite; Hayagriva; MKU; CP Plus etc.

Visitors: Visitors include State Police, Procurement Department, CISF, CRPF, RAF, BSF, Customs, GRPF, NDRF, Special Frontier Force, Para Commandos, Special Action Group, COBRA and PSU's and educational institutes, stadiums and municipal corporations, among others.

Technologies on display: Technologies include RFID and surveillance for Internal Security and Policing, CCTV and Monitoring, Vehicle Identification Systems, GPS, Surveillance for communications and IT, Biometrics and Network surveillance.

8. Electronics For You Expo (EFY Expo) ( 2014 - http://2013.efyexpo.com/wp-content/uploads/2014/03/efy_PDFisation.pdf; 2015 - http://india.efyexpo.com//wp-content/uploads/2014/03/5th%20EFY%20Expo%20India_Brochure.pdf.)

EFY Expo is a electronics expo which showcases technologies across the spectrum of electronics industry. It has been held since 2010, in New Delhi, and is partnered by the Ministry of Communications and IT and the Ministry of Electronics and IT.

Exhibitors: Vantage Security; A2z Securetronix; Avancar Security; Digitals security; Securizen Systems; Vision Security; Mangal Security Systems, etc.

Visitors: The visitors include Government Agencies and ministries as well as systems integrators and telecom and IT providers.

Technologies on display: Identification and Tracking Products and Digital Security Systems are a specific category of the technologies on display.

9. Indesec Expo (Brochures: 2009 - http://www.ontaero.org/Storage/14/897_INDESEC_Oct11-13_2009.pdf. )

An exhibition focused on homeland security, and sponsored by the Ministry of Home Affairs, the expo has been held since 2008 in New Delhi, which includes a specific category for cyber security and counter terrorism.

Exhibitors: Rohde and Schwarz; Salvation Data; AxxonSoft; KritiKal; Shyam Networks; Teledyne Dalsa; Honeywell; General Dynamics; Northrop Grumman; Interchain Solutions, etc.

Visitors: Visitors include officials of the central government, central police and paramilitary forces, Ministry of Defence, central government departments, institutes and colleges, state government and police and ports and shipping companies.

10. Next Generation Cyber Threats Expo

Held since 2012 in New Delhi and Mumbai, the Next Generation Cyber Threats Expo focuses on securing cyber infrastructure and networks in India.

Exhibitors: Ixia, CheckPoint, etc.

Visitors: Visitors include Strategic Planning Specialists, Policy Makers and Law Enforcement among others.

11. SmartCards/RFID/e-Security/Biometrics expo (Brochures: 2013 - http://cis-india.org/internet-governance/blog/brochures-from-expos-in-india-2013 ; 2015 - http://www.smartcardsexpo.com/pdf/SmartCards_Expo_2015_Brochure_$.pdf)

These expos are organized by Electronics Today in Delhi or Mumbai since 1999 and supported by the Ministries of Commerce, Home Affairs and External Affairs. They showcase various identification solutions, attended by hundreds of domestic and international exhibitors.

Visitors: Target audiences include central and local level law enforcement and government organizations, Colleges and Universities, and defense forces.

12. Com-IT Expo (Brochure: 2014 - http://www.comitexpo.in/doc/Brochure.pdf)

This expo has been organized by the Trade Association of Information and Technology in Mumbai since 2008, and focuses on software and hardware Information Technology, with specific focus on IT security and surveillance.

Visitors: Visitors include Government Agencies, Airport Authorities, Police and Law Enforcement, Urban Planners, etc.

Technologies Displayed: CCTV's, Surveillance Devices and IP Cameras, etc.

13. GeoIntelligence India (Brochures: 2013 - http://www.geointelligenceindia.org/2013/Geointelligence%20India%20Brochure.pdf; 2014 - http://geointworld.net/Documents/GeoInt_Brochure_2014.pdf.)

It is an exposition held in New Delhi since 2014, organized by Geospatial Media and Communications Pvt Ltd, and is 'dedicated to showcasing the highest levels of information exchange and networking within the Asian defense and security sector.'

Exhibitors: ESRI (USA); BAE Systems (UK); Leica (Switzerland); Helyx (UK); Digital Globe; Intergraph; Trimble (USA); RSI Softech; Silent Falcon etc.

Visitors: Visitors included the Director General of Information Systems, CRPF, Manipur, Delhi, Haryana and Nagaland Police, CBI, ITBP, NSDI, SSB, National Investigation Agency, Signals Intelligence Directorate among others.

Surveillance Wares in India - The Surveillance Exhibits and what they tell us about the Indian Surveillance Industry

An analysis of the above companies and their wares give us some insight into what is being bought and sold in the surveillance industry, and by whom. Broadly, the surveillance technologies can be grouped in the following categories:

Video Surveillance and Analysis

IP Video Surveillance and CCTV are quickly becoming the norm in public spaces. Emerging video surveillance tools allow for greater networking of cameras, greater fields of vision, cheaper access and come with a host of tools such as facial recognition and tracking as well as vehicle tracking. For example, IBM has developed an IP Video Analytics system which couples monitoring with facial recognition.[8] USA's Intellivision also offers analytics systems which enable licence plate tracking, facial recognition and object recognition.[9] HGH Infrared's Spynel system allows infrared wide-area surveillance,[10] and CBC's GANZ allows long-range, hi-resolution surveillance. [11]

Video surveillance is gradually infiltrating public spaces in most major cities, with Governments promoting large-scale video surveillance schemes for security, with no legal sanctions or safeguards for protecting privacy.

Companies showcasing Video Surveillance: 3G Wireless Communications Pvt Ltd, Motorola Solutions (USA), Bosch, CP Plus, Ivis, Aditya Infotech, Micro technologies, Core Tech (Denmark), Merit Lilin , Schneider Electric, Shyam Systems, Dalsa, Honeywell, Teleste, Mirasys, CBC Group, Infinova, Radar Vision, QNAP, Ensign, Winposee, Bosch, Hik Vision (China), Alhua, Axis Communications, Vivotech (Taiwan), Endroid (USA), Vantge (UK), Pelco (France), Advik, Hi Focus (UK), ESMS, Keeper (China), Neoteric, Vizor, Verint (USA), IBM (USA), Digitals Security, Intellivision (USA), Intex, Esc Baz (Israel), Sparsh Securitech, A2zsecuretronix, Avancar Security, Securizen Systems, Vision Security, HGH Infrared (Israel).

RFID/Smart Cards/Biometric Identification

India has begun the implementation of the Unique Identification Programme for its 1.2 billion strong population, combining a host of identification technologies to provide a unique identification number and Aadhar Card - promoted as an all-purpose ID. However, this remains without legislative sanction, and continues in the face of severe privacy concerns. Such centralized, accessible databases of ostensibly private information present a grave threat to privacy. RFID, Smart Cards and Biometric Identification technologies (like the Aadhar) all make individual monitoring and surveillance significantly easier by enabling tracking of individual movements, consumer habits, attendance, etc.

Companies showcasing Identification Technologies:

AxxonSoft, Matrix Comsec, Ensign, Hi focus, Intellivision (USA), Interchain solutions, Inttelix, Kanoe, NEC (Japan), Pace, Realtime, Secugen, Source Security (USA), Spectra, Speech technology centre (Russia), BioEnable Technologies.

(For a more detailed list, see the Smart Cards Expo Brochures, linked above)

Mass Data Gathering, Monitoring and Analysis

The age of Big Data has led to big surveillance. Information and communication technologies now host significant amounts of individual data, and the surveillance industry makes all of this data accessible to a surveyor. Government mandated surveillance means any and all forms of communication and data monitoring are being implemented in India - there are network taps on telephony and deep packet inspection on internet lines, which makes telephone calls, SMS, VoIP, Internet searches and browsing and email all vulnerable to surveillance, constantly monitored through systems like the Central Monitoring System. Moreover, centralized information stores enable data mining - extracting and extrapolating data to enable better surveillance, which is what India's NATGRID aims to do.

Hacking Team Italy, Blue Coat USA and Amesys France, three of the five companies identified as 'enemies of the internet' for enabling dictatorships to use surveillance to quell dissent and violate human rights,[12] have all presented surveillance solutions at Defexpo India. Cyberoam USA and ZTE China also market Deep Packet Inspection technology,[13] while ESRI's Big Data suite allows analysis through mass surveillance and analysis of social media and publically available sources. [14]

Indian companies showcasing mass data monitoring technologies include Cyint, Fastech DPI tools,[15] Kommlabs VerbaProbe packet switching probes,[16] and ACSG's OSINT, which allows Big Data social media surveillance and Call Data Record analysis.[17]

Companies showcasing Data Gathering and Monitoring technologies:

Cobham, Comguard, Cyint, ELT (UK), Fastech, Hacking Team (Italy), Smoothwall (USA), Verint Systems (USA), Cyint technologies, Atlas Electronik (Germany), Audiotel International (UK), Avancar, Cobham (UK), ELT (UK), Eyewatch, Kommlabs, Mangal Security Systems, Merit Lilin (Taiwan), Ockham Solutions (France), Septier (Israel), Synway (China), ACSG Corporate, Amesys (France), Anritsu (Japan), Axis (Sweden), BAE Systems (UK), Blue Coat (USA), C-dot, Comint, Cyberoam (USA), Deviser Electronics, Elsira (Elbit) (Israel), Esri (USA), Exelis, General Dynamics (USA), Helyx (UK), ITP Novex (Israel), Leica (Switzerland), Net Optics (Ixia) (USA), Northrop Gruman (USA), Rahul Commerce, Rohde And Schwarz (Germany), RVG Diginet, Tas-Agt, Trueposition (USA), Zte Technologies (China).

Cell-Phone Location Tracking and Vehicle Monitoring

A number of technologies enable location tracking through vehicle GPS, GLONASS or other location technologies. RFID or optical character recognition further enables Automatic Number Plate Recognition, which can be exploited to enable vehicle surveillance to track individual movements. Embedded hardware and software on mobile phones also allows constant transmission of location data, which is exploited by surveillance agencies to track individual movements and location.

Companies showcasing Cell-Phone Location Tracking technologies: Verint, Eyewatch, Septier (Israel), True Position (USA),

Companies showcasing Vehicle Monitoring technologies: Hi-techpoint technologies pvt ltd, Axxonsoft, Essi, Fareye, Intellivision (USA), Interchain Solutions, ITP Novex (Israel), Kaneo, Kritikal, NEC (Japan), Saltriver Infosystems, Vision Security Systems.

Air/Ground Drones and Satellite Surveillance

The use of unmanned drones for security purposes is being adopted for law enforcement and surveillance purposes across the world, and India is no exception, using UAV's for surveillance in insurgency-hit areas,[18] amongst other uses, while still having no regulations for their use.[19] Drones, both aerial and ground level, are capable of large-scale territorial surveillance, often equipped with high-technology video surveillance that allows for efficient monitoring at the ground level.

Digital Globe offers satellite reconnaissance surveillance coupled with Big Data analysis for predictive monitoring. [20] Controp offers cameras specifically for aerial surveillance, while Sagem's Patroller Drone and Sperwer, and Silent Falcon's Solar Powered surveillance drone are Unmanned Aerial Vehicles (UAV's) for aerial video surveillance. Auruora Integrated, [21] and IdeaForge are Indian companies which have developed UAV surveillance drones in collaboration with Indian agencies.[22]

Companies showcasing Drone Surveillance: Aurora Integrated, Controp (Israel), Aerovironment (USA), Digital Globe (USA), ESRI (USA), Intergraph (USA), RSI Softech, Sagem (France), Silent Falcon (UAS), Textron (USA), Trimble (USA), Northrop Grumman (USA).

[1] Wikileaks, The Spy Files, available at https://www.wikileaks.org/the-spyfiles.html.

[2] Lawrence Lessig, Code V 2.0.

[3] For more information on the licensing regime, see 'Data Retention in India', available at http://cis-india.org/internet-governance/blog/data-retention-in-india.

[4] Rule 13, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[5] Section 5, Indian Telegraph Act, 1885.

[6] See, for example, the Bangalore Traffic Police CCTV Scheme, http://www.bangaloretrafficpolice.gov.in/index.php?option=com_content&view=article&id=66&btp=66 ; the surveillance scheme supported by the MPLAD Scheme, http://mplads.nic.in/circular08112012.pdf; Mumbai's proposed video surveillance scheme, http://www.business-standard.com/article/companies/wipro-tata-ibm-reliance-among-31-bids-for-cctv-scheme-in-mumbai-112112600160_1.html.

[7] Information on the Forum is available at http://gdsf-india.com/Global-Digital-Surveillance-Forum1/images/GDSF-Bengaluru-Conference-program.pdf.

[8] http://www-01.ibm.com/support/knowledgecenter/SS88XH_1.6.0/iva/int_i2frs_intro.dita

[9] http://www.intelli-vision.com/products/recognition-suite

[10] http://www.hgh-infrared.com/Products/Optronics-for-security

[11] http://www.ifsecglobal.com/cbc-high-end-surveillance-tech-on-display-at-ifsec-india/

[12] http://surveillance.rsf.org/en/category/corporate-enemies/

[13] http://www.cyberoam.com/firewall.html

[14] http://www.esri.com/products/arcgis-capabilities/big-data

[15] http://www.fastech-india.com/packetBrokers.html

[16] http://www.kommlabs.com/products-verbaprobe.asp

[17] http://www.acsgcorporate.com/osint-software.html

[18] http://timesofindia.indiatimes.com/india/UAV-proves-ineffective-in-anti-Maoist-operations/articleshow/20400544.cms

[19] http://dronecenter.bard.edu/drones-in-india/

[20] https://www.digitalglobe.com/products/analytic-services

[21] http://www.aurora-is.com/

[22] http://www.ideaforge.co.in/home/

For more details visit https://cis-india.org/internet-governance/blog/surveillance-industry-in-india-analysis-of-indian-security-expos

The Supreme Court Judgment in Shreya Singhal and What It Does for Intermediary Liability in India?

jyoti — 2015-04-17T23:59:34Z

Even as free speech advocates and users celebrate the Supreme Court of India's landmark judgment striking down Section 66A of the Information Technology Act of 2000, news that the Central government has begun work on drafting a new provision to replace the said section of the Act has been trickling in.

The SC judgement in upholding the constitutionality of Section 69A (procedure for blocking websites) and in reading down Section 79 (exemption from liability of intermediaries) of the IT Act, raises crucial questions regarding transparency, accountability and under what circumstances may reasonable restrictions be placed on free speech on the Internet. While discussions and analysis of S. 66A continue, in this post I will focus on the aspect of the judgment related to intermediary liability that could benefit from further clarification from the apex court and in doing so, will briefly touch upon S. 69A and secret blocking.

Conditions qualifying intermediary for exemption and obligations not related to exemption

The intermediary liability regime in India is defined under S. 79 and assosciated rules that were introduced to protect intermediaries for liability from user generated content and ensure the Internet continues to evolve as a “marketplace of ideas”. But as intermediaries may not have sufficient legal competence or resources to deliberate on the legality of an expression, they may end up erring on the side of caution and takedown lawful expression. As a study by Centre for Internet and Society (CIS) in 2012 revealed, the criteria, procedure and safeguards for administration of the takedowns as prescribed by the rules lead to a chilling effect on online free expression.

S. 69A grants powers to the Central Government to “issue directions for blocking of public access to any information through any computer resource”. The 2009 rules allow the blocking of websites by a court order, and sets in place a review committee to review the decision to block websites as also establishes penalties for the intermediary that fails to extend cooperation in this respect.

There are two key aspects of both these provisions that must be noted:

a) S. 79 is an exemption provision that qualifies the intermediary for conditional immunity, as long as they fulfil the conditions of the section. The judgement notes this distinction, adding that “being an exemption provision, it is closely related to provisions which provide for offences including S. 69A.”

b) S. 69A does not contribute to immunity for the intermediary rather places additional obligations on the intermediary and as the judgement notes “intermediary who finally fails to comply with the directions issued who is punishable under sub-section (3) of 69A.” The provision though outside of the conditional immunity liability regime enacted through S. 79 contributes to the restriction of access to, or removing content online by placing liability on intermediaries to block unlawful third party content or information that is being generated, transmitted, received, stored or hosted by them. Therefore restriction requests must fall within the contours outlined in Article 19(2) and include principles of natural justice and elements of due process.

Subjective Determination of Knowledge

The provisions for exemption laid down in S. 79 do not apply when they receive “actual knowledge” of illegal content under section 79(3)(b). Prior to the court's verdict actual knowledge could have been interpreted to mean the intermediary is called upon its own judgement under sub-rule (4) to restrict impugned content in order to seek exemption from liability. Removing the need for intermediaries to take on an adjudicatory role and deciding on which content to restrict or takedown, the SC has read down “actual knowledge” to mean that there has to be a court order directing the intermediary to expeditiously remove or disable access to content online. The court also read down “upon obtaining knowledge by itself” and “brought to actual knowledge” under Rule 3(4) in the same manner as 79(3)(b).

Under S.79(3)(b) the intermediary must comply with the orders from the executive in order to qualify for immunity. Further, S. 79 (3)(b) goes beyond the specific categories of restriction identified in Article 19(2) by including the term “unlawful acts” and places the executive in an adjudicatory role of determining the illegality of content. The government cannot emulate private regulation as it is bound by the Constitution and the court addresses this issue by applying the limitation of 19(2) on unlawful acts, “the court order and/or the notification by the appropriate government or its agency must strictly conform to the subject matters aid down in Article 19(2).”

By reading down of S. 79 (3) (b) the court has addressed the issue of intermediaries complying with takedown requests from non-government entities and has made government notifications and court orders to be consistent with reasonable restrictions in Article 19(2). This is an important clarification from the court, because this places limits on the private censorship of intermediaries and the invisible censorship of opaque government takedown requests as they must and should adhere, to the boundaries set by Article 19(2).

Procedural Safeguards

The SC does not touch upon other parts of the rules and in not doing so, has left significant procedural issues open for debate. It is relevant to bear in mind and as established above, S. 69A blocking and restriction requirements for the intermediary are part of their additional obligations and do not qualify them for immunity. The court ruled in favour of upholding S. 69A as constitutional on the basis that blocking orders are issued when the executive has sufficiently established that it is absolutely necessary to do so, and that the necessity is relatable to only some subjects set out in Article 19(2). Further the court notes that reasons for the blocking orders must be recorded in writing so that they may be challenged through writ petitions. The court also goes on to specify that under S. 69A the intermediary and the 'originator' if identified, have the right to be heard before the committee decides to issue the blocking order.

Under S. 79 the intermediary must also comply with government restriction orders and the procedure for notice and takedown is not sufficiently transparent and lacks procedural safeguards that have been included in the notice and takedown procedures under S. 69. For example, there is no requirement for committee to evaluate the necessity of issuing the restriction order, though the ruling does clarify that these restriction notices must be within the confines of Article 19(2). The judgement could have gone further to directing the government to state their entire cause of action and provide reasonable level of proof (prima facie). It should have also addressed issues such as the government using extra-judicial measures to restrict content including collateral pressures to force changes in terms of service, to promote or enforce so-called "voluntary" practices.

Accountability

The judgement could also have delved deeper into issues of accountability such as the need to consider 'udi alteram partem' by providing the owner of the information or the intermediary a hearing prior to issuing the restriction or blocking order nor is an post-facto review or appeal mechanism made available except for the recourse of writ petition. Procedural uncertainty around wrongly restricted content remains, including what limitations should be placed on the length, duration and geographical scope of the restriction. The court also does not address the issue of providing a recourse for the third party provider of information to have the removed information restored or put-back remains unclear. Relatedly, the court also does not clarify the concerns related to frivolous requests by establishing penalties nor is there a codified recourse under the rules presently, for the intermediary to claim damages even if it can be established that the takedown process is being abused.

Transparency

The bench in para 113 in addressing S. 79 notes that the intermediary in addition to publishing rules and regulations, privacy policy and user agreement for access or usage of their service has to also inform users of the due diligence requirements including content restriction policy under rule 3(2). However, the court ought to have noted the differentiation between different categories of intermediaries which may require different terms of use. Rather than stressing a standard terms of use as a procedural safeguard, the court should have insisted on establishing terms of use and content restriction obligations that is proportional to the role of the intermediary and based on the liability accrued in providing the service, including the impact of the restriction by the intermediary both on access and free speech. By placing requirement of disclosure or transparency on the intermediary including what has been restricted under the intermediary's own terms of service, the judgment could have gone a step further than merely informing users of their rights in using the service as it stands presently, to ensuring that users can review and have knowledge of what information has been restricted and why. The judgment also does not touch upon broader issues of intermediary liability such as proactive filtering sought by government and private parties, an important consideration given the recent developments around the right to be forgotten in Europe and around issues of defamation and pornography in India.

The judgment, while a welcome one in the direction of ensuring the Internet remains a democratic space where free speech thrives, could benefit from the application of the recently launched Manila principles developed by CIS and others. The Manila Principles is a framework of baseline safeguards and best practices that should be considered by policymakers and intermediaries when developing, adopting, and reviewing legislation, policies and practices that govern the liability of intermediaries for third-party content.

The court's ruling is truly worth celebrating, in terms of the tone it sets on how we think of free speech and the contours of censorship that exist in the digital space. But the real impact of this judgment lies in the debates and discussions which it will throw open about content removal practices that involve intermediaries making determinations on requests received, or those which only respond to the interests of the party requesting removal. As the Manila Principles highlight a balance between public and private interests can be obtained through a mechanism where power is distributed between the parties involved, and where an impartial, independent, and accountable oversight mechanism exists.

For more details visit https://cis-india.org/internet-governance/blog/sc-judgment-in-shreya-singhal-what-it-means-for-intermediary-liability

The state. And the rage of the cyber demon

praskrishna — 2012-09-03T11:03:53Z

The Internet might be a Pandora’s box. But should the government be wasting time regulating the cacophony?

Shougat Dasgupta's article was published in Tehelka, Vol 9, Issue 36, Dated September 8, 2012. Pranesh Prakash is quoted.

SOME YEARS ago a cartoon was doing the rounds that caught in a few sharp strokes the selfimportance and self-righteousness of the Internet warrior. A man sits hunched at his computer, the keyboard lit with his fervour. Not looking away from the screen, he has a terse, impatient exchange with his partner off-panel: ‘Are you coming to bed?’ ‘I can’t. This is important.’ ‘What?’ ‘Someone is wrong on the Internet.’ It is the anonymous exchange that gives cyber debates their peculiar animus; that anonymity coupled with the low stakes, as is famously said of academic politics, is what makes the sniping so bitter and vicious. The complaints about social media like Twitter or the comment sections on blogs have mostly centred on the incivility of the discourse, on ‘trolls’ too eager to throw rotting vegetables at journalists, politicians, celebrities unused to such irreverence. But action taken by the government in the last fortnight to block content from over 300 websites and a dozen Twitter accounts imputes a far more vitiating effect on society than the mere puncturing of already overinflated egos.

Kapil Sibal, Minister for Communications & Information Technology, has said in interviews that the government’s intent was to “protect the victims” from these “mischievous acts happening through these sites and blogs”. There is, by now, little doubt that the threats and fake pictures of slain Muslims spread through mobile phones and social media, “disseminating misinformation” in the minister’s phrase, helped exacerbate tensions and fears. There is equally little doubt that what action the government took was both late and clumsy: blocking blogs that debunked the rumours and morphed images that the government held responsible for causing panic; blocking web pages of international news organisations such as The Telegraph and Al-Jazeera; blocking Twitter accounts of journalists, the government’s political opponents, accounts parodying the prime minister, even people who tweeted mostly about information technology and cricket. Like a giant in clown shoes chasing a sprite, the government has looked lumbering and foolish, led a merry dance by light-footed ‘netizens’, while the rest of us pointed and laughed.

Can the government’s actions be at all justified? Appearing on NDTV’s ‘We the People’, R Chandrashekhar, Secretary, Department of Information Technology, argued that “once a law enforcement agency has made an assessment you act first and then make corrections as you go along”. In essence, extraordinary times call for extraordinary measures, which along with concern for ‘national security’ is trotted out by every democratic government accused of ignoring civil liberties. Congress spokesperson Manish Tewari, on the same programme, claimed that the “mandate of section 69a of the Information Technology Act and the rules with regard to safeguards and blocking is fairly clear and rule 9 allows the government, if it thinks that there’s an expedient situation in order to protect the sovereignty of the State or public order, to go ahead with this blocking on an interim basis”.

We will discuss the section being referred to and the 2011 guidelines for intermediaries later but for now let’s accept the government’s argument that it acted in the face of a clear and present danger, to borrow from Oliver Wendell Holmes, the famous 19th-century US Supreme Court Justice. Kharan Thapar, citing another of Holmes’s shopworn phrases, wrote that “[ j]ust as it’s not acceptable to shout fire in a crowded cinema hall for the fun of it, it cannot be permitted to deliberately frighten helpless innocent people who, for whatever reason, believe you and panic”. Thapar is making the point that free speech is not without its responsibilities. He does so, however, using a long discredited cliché and compounds this error with condescension, refusing to grant people (“helpless”, “innocent”, like babies) their full agency. Besides, the government only acted from 18 August to limit text messaging, already months after initial images of supposed Burmese atrocities against Muslims had been widely circulated to stir anger. It also chose to block webpages and Twitter handles, some for spurious, even mystifying reasons. The result has been embarrassment. Acting arbitrarily in the name of communal harmony to prevent damage after terrible damage has already been done, does little to convince the people you are supposedly protecting that you have the situation in hand.

The government has left itself open to being serially lectured about free speech by the US government, by journalists (particularly Kanchan Gupta, whose apparently blocked Twitter account has made him a patron saint of free speech), by hysterical twitterers (ok, ‘tweeple’) drawing an entirely ridiculous parallel to the Emergency, and most egregiously by Narendra Modi. Presumably, Modi, by blackening his display picture was not commenting on the black irony of a man who bans books mourning constraints on freedom of speech. Pranesh Prakash of the Bengaluru-based Centre for Internet and Society (CIS), a trenchant critic of the government’s recent blocks (social media not coal) and the “horrendously drafted” legislation that permits the leeway for such indiscriminate action, says that “people [were] losing a sense of reality”.

	He points to the criticism of the government’s blocking of parodies of the prime minister’s Twitter account. “An underreported part of this whole controversy,” he says,“is Twitter’s own terms of service and one parody account in particular violates those terms.” He confesses to “having to look quite closely” to tell the PMO account from PMO, which substitutes a zero for the letter ‘o’. Also, according to sources, a letter sent last year by the government to the likes of Google and Facebook asking them to screen for offensive content specifically excepted parody and satire. If accurate, this underscores that the Prime Minister’s Office did not have a problem with parody but a genuine, if peculiar, fear of misinformation stemming from the six accounts it asked Twitter to remove.

He points to the criticism of the government’s blocking of parodies of the prime minister’s Twitter account. “An underreported part of this whole controversy,” he says,“is Twitter’s own terms of service and one parody account in particular violates those terms.” He confesses to “having to look quite closely” to tell the PMO account from PMO, which substitutes a zero for the letter ‘o’. Also, according to sources, a letter sent last year by the government to the likes of Google and Facebook asking them to screen for offensive content specifically excepted parody and satire. If accurate, this underscores that the Prime Minister’s Office did not have a problem with parody but a genuine, if peculiar, fear of misinformation stemming from the six accounts it asked Twitter to remove.

NONE OF this is to say that the government, in its haste, acted with reason. Certainly, it has since last year been working assiduously to exert at least some control over online content. The rules from April last year updating sections of the Information Technology Act, 2000, requires “due diligence” from companies like Twitter, or Facebook, to not “host, display, upload, modify, publish, transmit, update or share any information that… is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever…” Disparaging? Encouraging gambling? Well, gambling, at least in casinos, is lawful in Goa and Sikkim. No wonder Kapil Sibal felt he was on firm legal ground when he complained in December about “derogatory pictures” of Sonia Gandhi and Manmohan Singh that the government had culled from Facebook accounts.

Prakash, of the CIS, describes the Information Technology Act, particularly sections 69a and 66 as “having issues and being badly worded”. The powers it gives the government are too intrusive and that the prison sentences for offenders “are greater than those for death by negligence”. What he finds most troubling is how little transparency exists around issues of censorship; how, for instance, there is no easily accessible central list of banned books. “How,” he asks, “are people even supposed to know if their website or Twitter account is blocked if the government won’t issue proper notices and lists?” Our democratically elected government appears fond of the aristocratic maxim to never contradict, never explain, never apologise, as if hauteur and bluster are adequate substitutes for communication and we are subjects rather than citizens.

Seen in isolation, the blocking of websites and rationing of text messages is just a comical bungle by an unwieldy, Luddite administration. In the context of the last 12 months though, the government’s recent actions are a logical extension of its drive to bring the Internet to heel. The unregulated nature of the Internet is a particular bugbear of this government. It had already made a proposal to the United Nations in October last year, at the 66th session of the General Assembly, for the institution of a Committee for Internet- Related Policies. This 50-nation body would be tasked not to control the Internet, “or allow Governments to have the last word in regulating the Internet, but to make sure that the Internet is governed not unilaterally, but in an open, democratic, inclusive and participatory manner, with the participation of all stakeholders”. For all the incompetence the government has displayed, both most recently and in previous attempts to censor Internet content, it asks an important question about the future of Internet regulation, about the need for multilateral debate and international consensus.

TEHELKA, as cyber chatter about the blocked sites grew increasingly frenzied, asked its online readers to define the forum provided by social media. Most agreed that Twitter, for instance, was a public space, a place to give vent to private thoughts publicly with, if wanted or needed, the comfort of anonymity. The metaphor used is often that of a public square or town hall. I’ve always thought of Twitter as a carnival — a space, as defined by the Russian literary theorist Mikhail Bakhtin, where the existing social order is overturned, where social pieties are profaned. Twitter, like carnival, appeared to me an exhilarating space. This is utterly naïve. The fact is that Twitter is not a public space, it is privately owned and its investors are in the business of revenue generation and profit. This means Twitter’s terms of service are subject to change, as is its cooperation with governments over the private information it controls and owns.

Rahul Bose, the actor, told me in a conversation about social media that he thinks individual freedom is increasingly an “illusion”, that the very idea has become “laughable”. We live our lives, particularly our online lives, under the unblinking gaze of government: “You don’t need a close circuit camera at Flora Fountain to know you’re being watched, that every piece of information is on a file somewhere.” (This is probably not quite true of our dozy government.) It is indisputable that private entities such as Facebook and Twitter hold enormous amounts of information about individuals. In that light, surely, the Indian government is correct about the need for multilateral oversight of a system currently beholden in significant ways to the United States. ICANN, the Internet Corporation for Assigned Names and Numbers, for instance, still makes only a token gesture at global participation and any question of greater United Nations involvement is generally met with US suspicion.

Arguably, the Indian government doesn’t go far enough in its call for greater inclusivity in the governance of the Internet. The academic Jeremy Malcolm, an influential figure in discussions about Internet governance, has written that the World Summit on the Information Society has “established at the level of principle that governance of the Internet should be a transparent, democratic and multilateral process, with the participation of governments, private sector, civil society and international organisations, in their respective roles”. More immediate, perhaps, is the question of how a democratic country, committed to free speech, should regard social media.

This is not a discussion confined to India. During the August 2012 London riots, David Cameron threatened to ban people suspected of planning criminal activity from using Facebook, Twitter, and Blackberry Messenger. In words similar to those used by Sibal, Cameron spoke about reminding these companies of their responsibilities. In an interview with TEHELKA, Congress General Secretary Digvijaya Singh held close to the party line, insisting that “anything that incites violence is problematic, as is anything that is factually incorrect, and must be removed”. He envisages a future where online exchanges are governed by the same rules as public life, governed by similar cultural codes and basic civility. This is, it has to be said, an optimistic view of public life.

There are, as discussed earlier, as many different ways to see online exchanges as there are Internet users. The Internet’s shapelessness, its Moby Dick-like vast blankness, makes it impossible to apply the same standards to conversation on Twitter or Facebook, even if it is in print and in public, as you might apply to a magazine article. Pranesh Prakash points out that “while some people may see Twitter as akin to friends talking in the pub, others use the service as a bulletin board”. When I propose to Prakash the idea of an ombudsman to monitor online dialogue in the same way an independent press commission might monitor newspaper reports, he makes a cogent rebuttal: “There is no ombudsman for regular speech, or to outline what you can or cannot say from a podium. Besides, there are laws that deal with defamation, slander and unless there is a requirement for an extra-legal authority I cannot see the need for an ombudsman.”

Much of the debate over the last couple of weeks has devolved, as so much debate in all our media, mainstream or online, does, into grandstanding — in this instance about ‘freedom of speech’ versus the national security imperative. This is to miss the woods for the trees. For all its heavy-handedness, the Indian government is correct to be concerned about oversight of the Internet and correct that not enough stakeholders are currently involved in its governance. Cant about freedom of speech cannot change the fact that the government is also correct that in a precariously held together democracy comprising various, widely different cultures and religions, certain standards of respectful speech are necessary. Of course, we can and should argue those standards and there needs to be a national conversation about the strictures of Internet legislation in India. Still, let us not pretend that the mob mentality of political discourse on the Internet is not a cause for worry and is not, as are all mobs, subject to manipulation.

With inputs from Ajachi Chakrabarti.
Shougat Dasgupta is an Assistant Editor with Tehelka.

For more details visit https://cis-india.org/news/www-tehelka-com-vol-9-issue-36-sep-8-2012-shougat-dasgupta-the-state-and-the-rage-of-the-cyber-demon

The State is Snooping: Can You Escape?

snehashish — 2019-04-29T15:09:18Z

Blanket surveillance of the kind envisaged by India's Centralized Monitoring System achieves little, but blatantly violates the citizen's right to privacy; Snehashish Ghosh explores why it may be dangerous and looks at potential safeguards against such intrusion.

The Snowden Leaks have made it amply clear that the covert surveillance conducted by governments is no longer covert. Information by its very nature is prone to leaks. The discretion lies completely in the hands of the personnel handling your data or information. Whether it is through knowledge obtained by an intelligence analyst about the US Government conducting indiscriminate surveillance, or hackers infiltrating a secure system and leaking personal information, stored information has a tendency to come out in the open sooner or later.

This raises the question whether, with the advancement of technologies, we should trust our personal information and data with computers. Should we have more stringent laws and procedural safeguards to protect our personal information? Of course, the broader question that remains is whether we have a ‘Right to be Forgotten’.

Similar to PRISM in the US, India is also implementing a Centralized Monitoring System (CMS) which would have the capabilities to conduct multiple privacy-intrusive activities, ranging from call data record analysis to location based monitoring. Given the circumstances and the current revelations by a whistleblower in the US, it is more than imperative to take a closer look at the surveillance technologies which are being deployed by India and question what implications it might have in the future.

Technological shift and procedural safeguards
The need for procedural safeguards was brought to light in the Supreme Court case, when news reports surfaced about the tapping of politicians' phones by the CBI. The Court while deciding on the issue of phone tapping in the case of People’s Union of Civil Liberties v. Union of India (1996), observed that the Indian Telegraph Act, 1885 is an ancient legislation and does not address the issue of telephone tapping. Thereafter, the court issued guidelines, which were implemented by the Government by amending and inserting Rule 419A of the Indian Telegraph Rules, 1951. These procedural safeguards ensure that due process will be followed by any law enforcement agency, while conducting surveillance.

Section 5(2) of the Indian Telegraph Act, 1885 grants the power to the Government to conduct surveillance provided that there is an occurrence of any public emergency or public safety. If and only if the conditions of public safety and public emergency are compromised, and if the concerned authority is convinced that it is expedient to issue such an order for interception in the interest of “the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence” is surveillance legitimized. The same was reaffirmed by the Supreme Court in the 1996 judgment on wire tapping.

Now, as the Government of India is planning to launch a new technology, the Centralized Monitoring System (CMS) which would snoop, track and monitor communication data flowing through telecom and data networks, the question arises: can we have procedural safeguards which would protect our right to privacy against technologies such as the CMS?

The key component of a procedural safeguard is human discretion; either a court authorization or an order from a high ranking government official is necessary to conduct targeted surveillance and the reasons for conducting surveillance have to be recorded in writing. This is the procedure which is ordinarily followed by law enforcement agencies before conducting any form of surveillance. However, with the computational turn, governments have resorted to practices which would do away with the human discretion. Dragnet surveillance allows for blanket surveillance. Before getting to the problems in evolving a due process for systems like CMS, it is imperative to examine the capabilities of the system.

Centralized Monitoring System and death of due process
Setting up of a CMS was conceptualized in India after the 2008 Mumbai attacks. It was further consolidated and found a place in the Report of the Telecom Working Group on the Telecom Sector for the Twelfth Five Year Plan (2012-2017). The Report was published in August, 2011 and goes into the details of the CMS.

When machines and robots are deployed to conduct blanket surveillance and impinge on the most fundamental right to life and liberty, and also violate the basic tenets of due process, then much cannot be done by way of procedures. What then do we resort to, is the primary question. Can there be a compromise between the right to privacy and security?

The Report indicates that the technology will cater to “the requirements of security management for law enforcement agencies for interception, monitoring, data analysis/mining, antiâ€socialâ€networking using the country’s telecom infrastructure for unlawful activities.”

The CMS will also be capable of running algorithms for interception of connection oriented networks, algorithms for interception of voice over internet protocol (VoIP), video over IP and GPS based monitoring systems. These algorithms would be able to intercept any communication without any intervention from the telecom or internet service provider. It would also have the capability to intercept and analyze data on any communication network as well as to conduct location based monitoring by tracking GPS locations. Given such capabilities, it is clear that a computer system will be sifting through the internet/communication data and will conduct surveillance as instructed through algorithms. This would include identifying patterns, profiling and also storing data for posterity. Moreover, the CMS will have direct access to the telecommunication infrastructure and would be monitoring all forms of communication.

With the introduction of CMS, state surveillance will shift to blanket surveillance from the current practice of targeted surveillance which can be carried out under specific circumstances that are well defined in the law and in judgments. Moreover, when it comes to current means of surveillance, there are well-defined procedures under the law which have the ability to prevent misuse of the surveillance systems. This is not to say that the current procedural safeguards under the laws are not prone to abuse, but if implemented properly, there is less chance of them being misused. Furthermore, with strong privacy and data protection laws, unlawful and illegal surveillance can be minimized.

In the current legal framework, with respect to surveillance, if CMS is implemented then it will be in violation of the fundamental right to privacy and freedom of speech as guaranteed under our Constitution. It will be also in contravention of the procedural safeguards laid down in the Supreme Court judgement and the Rule 419A of Indian Telegraph Rules, thereof. Strong privacy laws and data protection laws may be put in place, which are completely absent now. But at the end of the day, a machine will be spying on every citizen of India or anyone using any communication services, without any specific targets or suspects.

In the People’s Union of Civil Liberties v. Union of India (1996), the Supreme Court laid down that “the substantive law as laid down in Section 5(2) of the [Indian Telegraph Act, 1885] must have procedural backing so that the exercise of power is fair and reasonable.” But with technologies such as CMS, it will be very difficult to have any form of procedural backing because the system would do away with human discretion which happens to be a key ingredient of any legal procedure.

The argument which can be made in favour of CMS, if any, is that a machine will be going through personal data and it will not be available to any personnel or law enforcement agency without authorization and therefore, it will adhere to the due process. However, such a system will be keeping track of all personal information. Right to privacy is the right to be left alone and any incursion on this fundamental right can only be allowed in special cases, in cases of public emergency or threat of public safety. So, electronic blanket surveillance without human intervention also amounts to violation of the substantive law, which specifically allows surveillance only to be conducted under certain conditions, and not through a system such as CMS that is designed to keep a constant watch on everyone, irrespective of the fact whether there is a need to do so.

Additionally, there exists a strong, pre-established notion that whatever comes out of a computer is bound to be true and authentic and there cannot be any mistakes. We have witnessed this in the past where an IT professional from Bangalore was arrested and detained by the Maharashtra Police for posting derogatory content on Orkut about Shivaji. Later, it was found that the records acquired from the Internet Service Provider were incorrect and the individual had been arrested and detained illegally.

Telephone bills, credit card bills coming out from a computer system are often held to be authentic and error-free. With UID, our identity has been reduced to a number and biometrics stored in a database corresponding to that number. It is this trust in anything which comes out of a computer or a machine that can lead to massive abuse of the system in the absence of any form of checks and balance in place. Artificial things taking control over human lives and our almost unflinching trust in technology will not only cause gross violations of privacy but will also be the death of due process and basic human rights as we know it.

In this regard, due emphasis should be given to the landmark Supreme Court judgment in the case of Maneka Gandhi v. Union of India (1978) which deals with issues related to due process and privacy. It states that "procedure which deals with the modalities of regulating, restricting or even rejecting a fundamental right falling within Article 21 has to be fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself. Thus, understood, ‘procedure’ must rule out anything arbitrary, freakish or bizarre. A valuable constitutional right can be canalised only by canalised processes".

When machines and robots are deployed to conduct blanket surveillance and impinge on the most fundamental right to life and liberty and also violate the basic tenets of due process, then much cannot be done by way of procedures. What then do we resort to, is the primary question. Can there be a compromise between the right to privacy and security?

A no-win situation
In reality, dragnet surveillance or blanket surveillance is not very useful for gathering valuable intelligence to prevent instances of threat to national security, public safety and public emergency. For example, if the CMS is used to mine data, analyse content related to anti-social activities and even if the system is 99 per cent accurate, the remaining 1 per cent which is a false positive happens to be a large set. So, 1 out of every 100 individuals identified as an anti-social element by CMS may actually be an innocent citizen. Given the possibility of false positives and which may be more than 1 per cent, the number of innocent citizens caught in the terrorist net would be much higher.

Even though blanket surveillance or dragnet surveillance can keep a tab on everyone, it is nearly impossible for an algorithm to separate the terrorists from the rest. Moreover, the data set collected by the machine is too big for any human analyst, to actually analyze and identify the terrorist in the midst of a deluge of information. Therefore, the argument that a system like CMS will ensure security in lieu of minor intrusions of privacy is a flawed one. Implementation of CMS will not really ensure security but will be a case of blatant violation of individual’s right to privacy anyway.

What is perhaps more shocking is that not only will CMS be futile in preventing security breaches or neutralizing security threats, it will on the contrary expose individual Indian citizens to breach of personal security. If personal data and information are stored for future reference through a centralized mechanism, which is also the case with UID, it will be highly susceptible to attacks and security threats. It will be a Pandora’s Box with a potential to create havoc the moment someone is able to gain access to the information with intention to misuse that. Leaking of personal information and data on a large scale can be detrimental to society and give rise to instances of public emergency.

The ‘Right to be Forgotten’

Currently, the European Union is engulfed in the debate on the “Right to be Forgotten” laws. The Right to be Forgotten finds its origins in the French Law le droit Ã l’oubli or the right of oblivion, where a convict who has served his sentence can object to the publication of facts of his conviction and imprisonment or penalty. This law has a new found meaning in the context of social media and the internet, where we have the right to delete all our personal information permanently. This is an important issue which India should debate and discuss, as we live in an era where privacy comes at a cost.

On the one hand, technology has made it easier to track, trace, monitor and snoop, on the other it has also seen innovation in the field of encryption and anonymity tools. Encryption tools such as Open PGP exist online, which can secure information from third party access. Tor Browser, allows an user to surf the web anonymously. The use of such technologies should be encouraged as there is no law which prohibits their use. If systems are being built to spy on us, it will be better if we use technologies which protect our personal information from such surveillance technologies.

For more details visit https://cis-india.org/internet-governance/blog/india-together-june-26-2013-snehashish-ghosh-the-state-is-snooping-can-you-escape