We are anonymous, we are legion

RFCs We Love meetup

Admin — 2019-02-02T13:43:36Z

In collaboration with India Internet Engineering Society (IIESoc), CIS hosted the a 'RFCs We Love' meetup, where we discussed some IETF specifications and standards. The event was held on January 19 at the CIS office, Bangalore.

The theme of the meetup was data centres and service providers. The agenda was:

10:00 - 10:10 Introduction
10:10 - 11:00 Link State Vector Running for DC Routing (Kannan)
11:00 - 11:50 Multicast via Bit Index Explicit Replication (Senthil)
11:50 - 12:40 Traffic Engineering in WAN (Shraddha)
12:40 - 13:00 Open Discussion and planning for Feb meetup
13:00 - 14:00 Lunch and networking

Dhruv Dhody has written about the meetup at the IIESoc blog, where you can also find slides used by the presenters and some photos of the event.

For more details visit https://cis-india.org/internet-governance/news/rfcs-we-love-meetup

Is the viral #10YearChallenge just another sneaky way for tech firms to gather users’ personal data?

Admin — 2019-02-02T13:57:40Z

Is it merely an exercise in nostalgia? Or is it providing fodder for facial recognition algorithms on ageing?

The blog post by Devarsi Ghosh was published in Scroll.in on January 18, 2019. Pranesh Prakash was quoted.

“I like to look back at old memories and smile,” said the 25-year-old Kolkata resident Smitakshi Chowdhury. That’s what prompted her to upload a decade-old photo of herself alongside a recent one on Facebook last week without much thought. Chowdhury is among tens of thousands of people who have participated in the “ten year challenge” that has gone viral in recent days as social media users nostalgically display “then” and “now” images of themselves to the world.

Among the prominent Indian personalities who showed how they’d changed over the decade were movie stars Sonam Kapoor, Diana Penty and Shruti Haasan.

But is there a darker design to this initiative to get social media users to sportlingly show what a difference a decade can make? On January 15, an article in Wired suggested that the fad could be an ingenious ploy to gather data on a person’s age or how people age over time. The article by technology writer Kate O’Neill noted that data obtained in this way could be put to a variety of purposes, some benign such as targeted advertising, and some not so harmless.

“Age progression could someday factor into insurance assessment and health care,” O’Neill writes. “For example, if you seem to be ageing faster than your cohorts, perhaps you’re not a very good insurance risk. You may pay more or be denied coverage.”

This hypothesis set off a frenzy, as social media users issued warnings against participating in the challenge. But others noted that Facebook already has photographs of many long-time users from 10 years ago or more. It was also pointed out that the metadata of images posted online contains information about the date on which the photo was taken, where it was shot and the unique identification number of the photo device – even though most people don’t realise this. With so much information already out there, there isn’t much the 10-Year Challenge could add.

“Facebook has spookily sophisticated face-recognition technology, as anyone who’s seen Facebook’s automatic tagging software at work will tell you,” wrote Max Read in New York Magazine.

The debate has revolved around not only what tech companies know about social media users but how they share this information. For instance, Facebook’s facial tagging system identifies people in images to third parties, making it susceptible to misuse. In fact, Facebook had been storing data obtained through facial recognition software since 2011, without notifying or obtaining consent from its users. It was only in February 2018 that it gave users the chance to opt out of the system.

Facebook, on its part, in an official statement, said that it was not involved with the 10-Year Challenge.

Possibilities of misuse

While personal information uploaded online could potentially be misused in several ways, that does not mean just about any doomsday scenario is feasible, said Pranesh Prakash of the Centre for Internet and Society.

“Insurance companies always try to gather as much information as they can about a person to weed out bad risks but governments regulate these companies on the matter of what they can or cannot use,” he said.

For example, in 2018, the Delhi High Court ruled that insurance companies could not deny coverage to a person based on their genetic history, he noted. However, the contradictory ruling also said that if a disorder was established after genetic testing, the insurance company could deny coverage or demand higher premiums.

Prakash suggested a more dire situation. “Suppose the data produced from the 10-Year Challenge is used to improve the quality of deepfakes and that is put into making pornography about you against your will?” he said. “That business, unlike insurance, is unregulated.”

On the other hand, the prospect of a person’s rate of ageing being calculated by algorithms could also be beneficial. “If a medical AI [artificial intelligence] company figures out your health looking at the data based on your face and detects early skin cancer, would anyone be complaining about this?” asked Shashank Bijapur, co-founder of SpotDraft, a Gurgaon-based company that creates and manages legal contracts using artificial intelligence.

He noted that while it is impractical to expect businesses to ignore the opportunity to use such data to their advantage, social media users should make informed decisions while signing up on platforms. “Every such app online has a privacy policy which is made available to whoever is using it right at the beginning,” Bijapur said.

For more details visit https://cis-india.org/internet-governance/news/scroll-in-january-18-2019-devarsi-ghosh-is-the-viral-10yearchallenge-just-another-sneaky-way-for-tech-firms-to-gather-users-personal-data

Oyo Hotels’ Real-Time Digital Record Database Sparks Privacy Fears

Admin — 2019-01-18T02:26:50Z

Oyo Hotels’ pilot to maintain a real-time digital database of guests and plan to share it with law-enforcement agencies has triggered privacy concerns.

The article by Nishant Sharma was published by Bloomberg Quint on January 16, 2019. Pranesh Prakash was quoted.

The digital check-in and check-out database of guests will do away with the conventional arrival and departure registers, Aditya Ghosh, chief executive India and South Asia at the hotel chain said at a CII event, according to a report in Business Standard. That will make the process efficient and transparent and the SoftBank-backed startup has received acceptance from governments of Haryana, Rajasthan and Telangana for the proposed digitisation of guest entry and departure records, the report said quoting Ghosh.

That triggered an outrage on social media, with users calling it invasion of privacy.

Oyo, in an emailed statement to BloombergQuint, said it will provide information to the law-enforcement agencies about who is staying only after an information order is issued by the police. The company said it will create “stronger data security net”. Oyo, however, didn't clarify who will maintain the data centres.

Centralisation of data of any kind isn't good and will make data more fragile, Sunil Abraham, founder of research think tank Center for Internet and Society, told BloombergQuint. “If someone manages to break into the police data, or where the data is stored then they will be able to have the access to the data. It is always good to store data locally.”

Just last year, Marriott International Inc. reported a hack in which passport numbers, emails and mailing addresses of 327 million of its 500 million Starwood guests was leaked.

To be sure, police always have access to data of customers staying at hotels, one way or the another. As per existing regulations, all hotels, bed and breakfasts and guest-houses have to make an entry of guests checking in and out in a register. This can be checked by the local police when an information order is presented.

Chances of manipulating information in such a register is high, and at times police go through the data without having an information order as well, said an industry executive requesting anonymity.

Srinivas Kodali, a cybersecurity expert, said such a centralised database makes business sense for Oyo because they will get access to data not just of people who booked through them but also of others who checked in without booking online. “Because there is no law, the entities can do it.”

Pranesh Prakash, a technology policy analyst and affiliated fellow at CIS, sees this as an invasion of privacy in the absence of law. Digitisation of data can be allowed only after there’s a law on what happens in the case it’s misused. There is no legal framework about how and where the data will be used, he said.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-january-16-2019-oyo-hotels-real-time-digital-record-database-sparks-privacy-fears

Webinar on the draft Intermediary Guidelines Amendment Rules

Admin — 2019-01-18T02:13:23Z

CCAOI and the ISOC Delhi Chapter organised a webinar on January 10 to discuss the draft "The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018". Gurshabad Grover was a discussant in the panel.

The agenda of the discussion was:

A brief introduction to the draft highlighting the key issues[Shashank Mishra]
Invited experts sharing their view on the paper and questions asked [Nehaa Chaudhari, Paul Brooks, Arjun Sinha, Gurshabad Grover]
Open Discussion Q&A
Summarizing the session

A recording of the session can be accessed here

For more details visit https://cis-india.org/internet-governance/news/webinar-on-the-draft-intermediary-guidelines-amendment-rules

They know where you are

Admin — 2019-01-18T02:14:46Z

With hotel-booking app routinely sharing real-time guest data with police and government, lives of those fleeing persecution is in danger, privacy advocates fear.

The article by Tini Sara Anien was published in Deccan Herald on January 17, 2019. Aayush Rathi was quoted.

Oyo Rooms, the online hotel room booking service, has been receiving brickbats since it disclosed this week that it was sharing real-time data of guests with the police and the government.

Internet and legal experts in Bengaluru say it is a breach of informational privacy, granted as a fundamental right by the Constitution. Couples running away from hostile families and individuals escaping religious and political persecution are at huge risk if their whereabouts are shared, they say.

Aayush Rathi, policy officer with Centre for Internet and Society, finds the sharing of live guest data disturbing.

“Hotels have always maintained records. Earlier, when information from hotels was needed, a specific query had to be raised by law enforcement, pursuant to an ongoing case. The registry represents a significant departure by facilitating the collection of this data by law enforcement without cause,” he says.

He also rues the lack of transparency about what the government will do with such data.

“The government is already collecting a lot of data and has little direction on what to do with it. There is no clarity on how this information will be used and protected. The government might say it is necessary for security, a very broad umbrella term, but in the absence of regulations, the data can be used for purposes little to do with security,” says Rathi.

The service had initially marketed itself as a couple-friendly service, while across the country, unmarried, inter-faith couples face various challenges finding a room. “This targeting could get even more enhanced,” he fears.

Recently, passport details were leaked from a popular hotel chain. The leaked data from hotel bookings can be used for multifarious purposes, ranging from selling to potential advertisers to identity theft,” Rathi says.

Lawyer-researcher Nayantara Ranganathan, from the Internet Democracy Project, says the argument that sharing data improves privacy is “absolutely disingenuous.”

“Sharing all guest records in real-time to state governments and law enforcement is shocking and most definitely a breach of privacy,” she says.

With the state getting access to such information with the promise of preventive policing, there is no telling how data is going to be used, she says.

She finds it bizarre that a private company is proactively sharing data, especially at a time when companies are “waking up to the fact that their consumers value their privacy.”

Why it endangers lives

Vinay Sreenivasa, lawyer and member of Alternative Law Forum, says providing access to such information is ‘criminal.’ “A couple could be running away from moral policing after an inter-caste marriage and people might be tracking them, or someone might be going through a divorce and just need some privacy. There could be several reasons why one seeks a room and such data could put lives at risk,” he says.

The Supreme Court has clearly stated one’s data is one’s own and consent has to be taken when any personal information is used. The government has no business accessing such information, he says.

For more details visit https://cis-india.org/internet-governance/news/tini-sara-anien-deccan-herald-january-17-2019-they-know-where-you-are

The DNA Bill has a sequence of problems that need to be resolved

Shweta Mohandas and Elonnai Hickok — 2019-01-15T02:36:11Z

In its current form, it’s far from comprehensive and fails to adequately address privacy and security concerns.

The opinion piece was published by Newslaundry on January 14, 2019.

On January 9, Science and Technology Minister Harsh Vardhan introduced the DNA Technology (Use and Application) Regulation Bill, 2018, amidst opposition and questions about the Bill’s potential threat to privacy and the lack of security measures. The Bill aims to provide for the regulation of the use and application of DNA technology for certain criminal and civil purposes, such as identifying offenders, suspects, victims, undertrials, missing persons and unknown deceased persons. The Schedule of the Bill also lists civil matters where DNA profiling can be used. These include parental disputes, issues relating to immigration and emigration, and establishment of individual identity. The Bill does not cover the commercial or private use of DNA samples, such as private companies providing DNA testing services for conducting genetic tests or for verifying paternity.

The Bill has seen several iterations and revisions from when it was first introduced in 2007. However, after repeated expert consultations, the Bill even at its current stage is far from a comprehensive legislation. Experts have articulated concerns that the version of the Bill that was presented post the Puttaswamy judgement still fails to make provisions that fully uphold the privacy and dignity of the individual. The hurry to pass the Bill by pushing for it by extending the winter session and before the Personal Data Protection Bill is brought before Parliament is also worrying. The Bill was passed in the Lok Sabha with only one amendment: which changed the year of the Bill from 2018 to 2019.

Need for a better-drafted legislation

Although the Schedule of the Bill includes certain civil matters under its purview, some important provisions are silent on the procedure that is to be followed for these civil matters. For example, the Bill necessitates the consent of the individual for DNA profiling in criminal investigation and for identifying missing persons. However, the Bill is silent on the requirement for consent in all civil matters that have been brought under the scope of the Bill.

The omission of civil matters in the provisions of the Bill that are crucial for privacy is just one of the ways the Bill fails to ensure privacy safeguards. The civil matters listed in the Bill are highly sensitive (such as paternity/maternity, use of assisted reproductive technology, organ transplants, etc.) and can have a far-reaching impact on a number of sections of society. For example, the civil matters listed in the Bill affect women not just in the case of paternity disputes but in a number of matters concerning women including the Domestic Violence Act and the Prenatal Diagnostic Techniques Act. Other matters such as pedigree, immigration and emigration can disproportionately impact vulnerable groups and communities, raising raises concerns of discrimination and abuse.

Privacy and security concerns

Although the Bill makes provisions for written consent for the collection of bodily substances and intimate bodily substances, the Bill allows non-consensual collection for offences punishable by death or imprisonment for a term exceeding seven years. Another issue with respect to collection with consent is the absence of safeguards to ensure that consent is given freely, especially when under police custody. This issue was also highlighted by MP NK Premachandran when he emphasised that the Bill be sent to a Parliamentary Standing Committee.

Apart from the collection, the Bill fails to ensure the privacy and security of the samples. One such example of this failure is Section 35(b), which allows access to the information contained in the DNA Data Banks for the purpose of training. The use of these highly sensitive data—that carry the risk of contamination—for training poses risks to the privacy of the people who have deposited their DNA both with and without consent.

An earlier version of the Bill included a provision for the creation of a population statistics databank. Though this has been removed now, there is no guarantee that this provision will not make its way through regulation. This is a cause for concern as the Bill also covers certain civil cases including those relating to immigration and emigration.

Conclusion

In July 2018, the Justice Sri Krishna Committee released the draft Personal Data Protection Bill. The Bill was open for public consultation and is now likely to be introduced in Parliament in June. The PDP Bill, while defining “sensitive personal data”, provides an exhaustive list of data that can be considered sensitive, including biometric data, genetic data and health data. Under the Bill, sensitive personal data has heightened parameters for collection and processing, including clear, informed, and specific consent. Ideally, the DNA Bill should be passed after ensuring that it is in line with the PDP Bill.

The DNA Bill, once it becomes a law, will allow for law enforcement authorities to collect sensitive DNA data and database the same for forensic purposes without a number of key safeguards in place with respect to security and the rights of individuals. In 2016 alone, 29,75,711 crimes under various provisions the Indian Penal Code were reported. One can only guess the sheer number of DNA profiles and related information that will be collected from both criminal and specified civil cases. The Bill needs to be revised to reduce all ambiguity with respect to the civil cases, and also to ensure that it is in line with the data protection regime in India. A comprehensive privacy legislation should be enacted prior to the passing of this Bill.

There are still studies and cases that show that DNA testing can be fallible. The Indian government needs to ensure that there is proper sensitisation and training on the collection, storage and use of DNA profiles as well as the recognition and awareness of the fact that the DNA tests are not infallible amongst key stakeholders, including law enforcement and the judiciary.

For more details visit https://cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-and-shweta-mohandas-january-14-2019-dna-bill-has-a-sequence-of-problems-that-need-to-be-resolved

How to make EVMs hack-proof, and elections more trustworthy

pranesh — 2019-01-14T15:34:48Z

Free and fair elections are the expression of democratic emancipation. India has always led by example: the Nehru Committee sought universal adult franchise in 1928, at a time when France didnât let women vote, and laws in the USA allowed disqualification of poor, illiterate, and African-American voters. But how reliable are our voting systems, particularly in terms of security?

The article was published in Times of India on December 9, 2018.

Electronic voting machines (EVM) have been in use for general elections in India since 1999 having been first introduced in 1982 for a by-election in Kerala. The EVMs we use are indigenous, having been designed jointly by two public-sector organisations: the Electronics Corporation of India Ltd. and Bharat Electronics Ltd. In 1999, the Karnataka High Court upheld their use, as did the Madras High Court in 2001.

Since then a number of other challenges have been levelled at EVMs, but the only one that was successful was the petition filed by Subramanian Swamy before the Supreme Court in 2013. But before we get to Swamy's case and its importance, we should understand what EVMs are and how they are used.

The EVM used in India are standardised and extremely simple machines. From a security standpoint this makes them far better than the myriad different, and some notoriously insecure machines used in elections in the USA. Are they 'hack-proof' and 'infallible' as has been claimed by the ECI? Not at all.

Similarly simple voting machines in the Netherlands and Germany were found to have vulnerabilities, leading both those countries to go back to paper ballots.

Because the ECI doesn't provide security researchers free and unfettered access to the EVMs, there had been no independent scrutiny until 2010. That year, an anonymous source provided a Hyderabad-based technologist an original EVM. That technologist, Hari Prasad, and his team worked with some of the world's foremost voting security experts from the Netherlands and the US, and demonstrated several actual live hacks of the EVM itself and several theoretical hacks of the election process, and recommended going back to paper ballots. Further, EVMs have often malfunctioned, as news reports tell us. Instead of working on fixing these flaws, the ECI arrested Prasad (for being in possession of a stolen EVM) and denied Princeton Prof Alex Halderman entry into India when he flew to Delhi to publicly discuss their research. Even in 2017, when the ECI challenged political parties to âhackâ EVMs, it did not provide unfettered access to the machines.

While paper ballots may work well in countries like Germany, they hadn't in India, where in some parts ballot-stuffing and booth-capturing were rampant. The solution as recognised by international experts, and as the ECI eventually realised, was to have the best of both worlds and to add a printer to the EVMs.

These would print out a small slip of paper containing the serial number and name of the candidate, and the symbol of the political party, so that the sighted voter could verify that her vote has been cast correctly. This paper would then be deposited in a sealed box, which would provide a paper trail that could be used to audit the correctness of the EVM. They called this VVPAT: voter-verifiable paper audit trail. Swamy, in his PIL, asked for VVPAT to be introduced. The Supreme Court noted that the ECI had already done trials with VVPAT, and made them mandatory.

However, VVPATs are of no use unless they are actually counted to ensure that the EVM tally and the paper tally do match. The most advanced and efficient way of doing this has been proposed by Lindeman & Stark, through a methodology called (RLAs), in which you keep auditing until either you've done a full hand count or you have strong evidence that continuing is pointless. The ECI could request the Indian Statistical Institute for its recommendations in implementing RLAs. Also, it must be remembered, current VVPAT technology are inaccessible for persons with visual impairments.

While in some cases, the ECI has conducted audits of the printed paper slips, in 2017 it officially noted that only the High Court can order an audit and that the ECI doesn't have the power to do so under election law. Rule 93 of the Conduct of Election Rules needs to be amended to make audits mandatory.

The ECI should also create separate security procedures for handling of VVPATs and EVMs, since there are now reports of EVMs being replaced 'after' voting has ended. Having separate handling of EVMs and VVPATs would ensure that two different safe-houses would need to be broken into to change the results of the vote. Implementing these two changes, changing election law to make risk-limiting audits mandatory, and improving physical security practices would make Indian elections much more trustworthy than they are now, while far more needs to be done to make them inclusive and accessible to all.

For more details visit https://cis-india.org/internet-governance/blog/the-times-of-india-december-9-2018-pranesh-prakash-how-to-make-evms-hack-proof-and-elections-more-trustworthy

Civic activism over WhatsApp and stories of and from cab drivers are part of a new narrative in Bengaluru

Admin — 2019-02-02T14:48:10Z

Does a city have a pulse? And can that pulse be felt in its technological interactions?

The article by Sowmya Rajaram was published in Bangalore Mirror on January 13, 2019.

In Silicon Plateau Vol 2, Bengaluru comes alive through the ways its inhabitants interact with, and are impacted by, mobile apps and cloud services. Published by the Institute of Network Cultures, Amsterdam, in collaboration with the Centre for Internet and Society in December 2018, this art project and publishing series explores the intersection of technology, culture and society in Bengaluru. Perusing the 16 contributions, you wonder when and how Garden City become Silicon City, and how that has changed us fundamentally.

The city has hurtled into an uncertain space – one that “offers a fertile terrain for research, having become the Silicon Valley of India and a demographically diverse metropolis in less than three decades,” as co-editors Marialaura Ghidini (art curator and researcher) and Tara Kelton (artist and designer) put it.

Unique structure

Ghidini links to Yashas Shetty’s contribution, ‘Aadhaar Cards of Great Leaders’. “One of the formal narratives behind [Aadhaar] (you can look at the latest proceedings of the Asian Development Bank conference, Financial Inclusion in the Digital Economy) is that it has facilitated access to services to whom they define as ‘a broad range of people, especially in rural areas and illiterate’, facilitating government-to-person transfer to low-income people for example. Now, many countries in the West don’t have such a stark separation between rural and urban environment,” she explains.

In her piece ‘Environmental Apptivism: WhatsApp and Digital Public Spheres in Bangalore’, Nicole Rigillo, a Canadian anthropologist who did her research as a Postdoctoral Fellow with IIMB and the University of Edinburgh, investigates how WhatsApp amplifies the civic activism of Bengaluru’s activists. While the app enables easy and fast communication and resolution, it is not always accessible to a lower socio-economic bracket. Yet, Rigillo believes that many city activists do not focus only on middle class concerns. “Many groups are concerned with the preservation of common resource goods – lakes, trees. Others advocate on behalf of the poor – Citizens for Bengaluru and others have pressuring government officials to ensure pourakarmika salaries are paid. One activist offered vegetable cart sellers bags made of stapled newspapers, and offered to provide paper and staplers to them so they could make their own. The focus was not only on protecting the environment, but also on ensuring that the cart seller was able to maintain his livelihood,” she says. Citizens use WhatsApp groups – often with government functionaries added to them – over official government apps, because it gets the job done better and faster. “And we can all recognise how this is a useful way of organising politically in Bengaluru, where the average traffic speed (17 km/hr) is the slowest of all Indian cities.” And unlike urban improvement apps across the world that “rely on one-way, black-boxed forms

of communication, placing citizens in the position of making demands of government officials”, Rigillo says Bengaluru’s proactive citizen groups are instead, actively involved in day-to-day municipal governance. “HSR Layout is a shining example here, with their citizen-led waste management protocols, community gardens, and lake revitalisation efforts, and even participating in the on-the-ground enforcement of government directives, such as Karnataka’s 2016 Plastic Ban.”

Still, questions must be asked of our involvement with apps and technology. In her piece ‘Terms of Service’, Sruthi Krishnan, writer and co-founder of Fields of View, a not-for-profit research organisation, points out how the “sanitised vocabulary of the platform economy masks and deliberately obfuscates complex, often harsh realities”. For instance, the term ‘service partner’ actually means little when the partnership is nonexistent and decisions are taken arbitrarily by the management. Ghidini agrees, because calling someone a ‘partner’ creates, as she says, “a distorted narrative around the condition of the ‘freelance’ worker, which is quite precarious, especially if your work is dictated by an algorithm that does not care if you have been driving 16 hours a day to make your daily target”.

Then, in his interview, Vir Kashyap, co-founder of Babjob.com (job platform for blue- and grey-collar job seekers, acquired by Quikr in 2017) discusses not-so-fantastic possibility of seeing the city of Bengaluru outsource public transport services to private companies such as Uber and Ola in the future. His explanation is that unlike abroad, where ride-sharing apps fit into an existing city infrastructure, in Bengaluru, for instance, “ride-sharing apps are actually filling a gap that exists in the public transport infrastructure, which is still very patchy in the city, making it difficult to travel using a public transport system”. She adds: “So the problem you have here is that of having a private company in the position of being able to replace what the city is supposed to offer to its tax payers as a default.” In addition, being a contractor or freelancer in a city such as Bengaluru is very different than a city in Europe. “For many, being a contractor with a service such as Ola or UrbanClap means freedom from having to work seven days a week for a fixed, and very small, amount of money. In a way the sharing economy is offering a better pay, so the wave of app-based companies has allowed many to emancipate themselves in a way,” Ghidini says.

In ‘The Weight of Cloud Kitchens’ by Aasavri Rai and social entrepreneur Sunil Abraham, the full force of the environmental footprint our rampant food takeaway habits generate, is felt. An analysis of just 15 such platforms tell the story – an average of 67.072 grams of waste is generated for each order of a meal for one person in the price range of `200 to `300. Typically, 46.89 grams of non-biodegradable waste and 33.62 grams of biodegradable waste were generated across all orders. The writers write: ‘What is terrifying is that this investigation forms only a microcosm … With a reduction in dine-in customers and corresponding increase in home delivery across the city, the growth of waste production by this new generation of companies in the food and beverage industry gets magnified.’

Looking ahead

And yet, there is “a high degree of trust that people in India generally have with each other. Interestingly, it’s higher than most other countries of similar income levels,” Kashyap says in his interview. Which is why Krishnan believes the time has come for us to have more meaningful conversations about technology. She cites Time magazine’s 2006 declaration of how the individual controls the information age. “Technology operates in the social context it stems from and speaks to, and existing social iniquities are often exacerbated by technology. And so, instead of looking at technology as a way to solve problems, if the starting point is the issue stemming from the socio-political context, there can be more meaningful conversations on how technology can help.”

For more details visit https://cis-india.org/internet-governance/news/bangalore-mirror-january-13-2019-sowmya-rajaram-civic-activism-over-whatsapp-and-stories-of-and-from-cab-drivers-are-part-of-a-new-narrative-in-bengaluru

Creeped out by Netflix's 'You'? Here's how you can avoid online stalkers, data thieves

Admin — 2019-01-12T02:13:25Z

Several social media users have no idea of how much of their information is stored on the Internet and what kind of information they are allowing the applications to access.

The blog post by Sanyukta Dharmadhikari was published by the New Minute on January 10, 2019. Pranesh Prakash was quoted.

Imagine someone knowing exactly where you are, where you live, what your routine is, where you will be and then waiting there for a ‘chance encounter’ to happen. This near-horror phenomenon is something Netflix’s new show You delves into. It follows a seemingly charming bookstore manager and his ‘love story’ with an aspiring writer – except he stalks her, breaks into her home, steals her phone and keeps tabs on her location in an attempt to be ‘at the right place at the right time’ and weasel into her life.

The nightmarish experience of the woman he pursues in the series led many users to check their own privacy settings on social media. But several users still have no idea of how much of their information is stored on the cloud and what kind of information they are allowing the applications to access.

How social media uses your data

“There might be much more information about you out there on the Internet than you sign up for. People do not really realise how much of their data is out there. Things are made out to be very opaque, so it is difficult to know who stores how much of your data,” says Anja Kovacs, director at Delhi-based Internet Democracy Project.

Pranesh Prakash, a fellow at the Centre for Internet and Society, explains that most websites put the onus of privacy onto the user but recently, there have been some features that social media giants have introduced after privacy concerns were voiced.

“On Twitter, I think you don’t need to use your real name and you do not have to use your location. On Facebook, apart from your name, you can restrict other information to friends only or use the option ‘Only Me’. With these kinds of possibilities existing, one just needs to know how to navigate through these tools,” Pranesh says.

The problem with this, he adds, is that the onus of privacy is put onto the user. “It is a difficult situation for social networks. One of Facebook’s most used feature is the ‘people you may know’ feature. Sometimes, that can go really bad, sometimes it may throw up your ex as a suggestion or let your stalker see your profile or it may allow people who visit a common psychologist to see each other as suggestions without knowing why,” he says.

While it is difficult for social media giants to calibrate such settings, the users have recently been given options to help control what kind of audience sees what information.

After Google Plus was launched, Facebook introduced a feature that allows users to choose who can see their status updates. Pranesh adds that users should make use of such features.

Understanding your data online

Not many users realise that basic information about them can be used against them. Seemingly harmless information like your date of birth, your birthplace or the pages that you follow on social media may contain leads for identity thefts.

“All the information that you put up publicly can be used by police, future employees or even your stalkers as well. For example, your date of birth, which most users add to their social media profiles, is usually used to verify bank accounts. If that is public, anyone can pretend to be you,” says Pranesh.

A way out is to relay this information only to people you trust. Another thing is to remember that on the internet, information received from one website can be used to access information on another website.

“You might upload a picture with your pet and name your pet in that post. However, that name could be the answer to one of the security questions asked on another website. If you use the same email address and username across social media profiles, it is easier to find information about you. Users should be aware that websites can be connected,” Pranesh explains.

Apps and permissions

Another crucial thing to remember is that users must always look into privacy settings of social networks that they use.

When you install new applications on your mobile phones, they often ask for certain permissions – like seeking access to your location – and users usually mechanically click on allow.

Most of these permissions apps request are often based on the type of application – for example, it is natural for Google Maps to ask permission to access your location – and users need to be vigilant if apps ask for absurd permissions.

“I once saw a torchlight app that sought access to my address book. Why would my flashlight need access to my contacts? There are a lot of apps who don't read these permissions. It is quite easy to figure out what kind of permissions an app needs and users need to apply their mind when installing the apps,” Anja adds.

She states that there are a lot of people who do not read through the terms and conditions of a particular website or app or the permissions they seek. And once access is granted, there is no way of taking your data back.

Last year, it was revealed that a Facebook breach had exposed data of 50 million people. Last month, Facebook reported another security breach where nearly 6.8 million users risked their private photos being exposed to third-party apps.

Facebook also found itself refuting serious claims of wrongdoings in giving access to user information to certain device makers, including China-based Huawei, and certain large technology companies and popular apps like Netflix or Spotify.

Anja says users should be more critical of such companies and organisations that store data or sell users' data.

“People feel that things can’t change, but that is because they don't make enough noise. You must ask whether companies can store your data and not just who has what data – ask who can access it,” Anja said. “Think more critically about which companies you trust and why you trust them.”

For more details visit https://cis-india.org/internet-governance/news/news-minute-sanyukta-dharmadhikari-january-10-2019-creeped-out-by-netflixs-you

Registering for Aadhaar in 2019

sunil — 2019-01-03T14:59:04Z

It is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.

The article was published in Business Standard on January 2, 2019.

Last November, a global committee of lawmakers from nine countries the UK, Canada, Ireland, Brazil, Argentina, Singapore, Belgium, France and Latvia summoned Mark Zuckerberg to what they called an “international grand committee” in London. Mr. Zuckerberg was too spooked to show up, but Ashkan Soltani, former CTO of the FTC was among those who testified against Facebook. He said “in the US, a lot of the reticence to pass strong policy has been about killing the golden goose” referring to the innovative technology sector. Mr. Soltani went on to argue that “smart legislation will incentivise innovation”. This could be done either intentionally or unintentionally by governments. For example, a poorly thought through blocking of pornography can result in innovative censorship circumvention technologies. On other occasions, this can happen intentionally. I hope to use my inaugural column in these pages to provide an Indian example of such intentional regulatory innovation.

Eight years ago, almost to this date, my colleague Elonnai Hickok wrote an open letter to the Parliamentary Finance Committee on what was then called the UID or Unique Identity. She compared Aadhaar to the digital identity project started by the National Democratic Alliance (NDA) government in 2001. Like the Vajpayee administration which was working in response to the Kargil War, she advocated a decentralised authentication architecture using smart cards based on public key cryptography. Last year, even before the five-judge constitutional bench struck down Section 57 of the Aadhaar Act, the UIDAI preemptively responded to this regulatory development by launching offline Aadhaar cards. This was to be expected especially since from the A.P. Shah Committee report, the Puttaswamy Judgment, the B.N. Srikrishna Committee consultation paper, report and bill, the principle of “privacy by design” was emerging as a key Indian regulatory principle in the domain of data protection.

The introduction of the offline Aadhaar mechanism eliminates the need for biometrics during authentication. I have previously provided 11 reasons why biometrics is inappropriate technology for e-governance applications by democratic governments, and this comes as a massive relief for both human rights activists and security researchers. Second, it decentralises authentication, meaning that there is a no longer a central database that holds a 360-degree view of all incidents of identification and authentication. Third, it dramatically reduces the attack surface for Aadhaar numbers, since only the last four digits remain unmasked on the card. Each data controller using Aadhaar will have to generate his/her own series of unique identifiers to distinguish between residents. If those databases leak or get breached, it won’t tarnish the credibility of Aadhaar or the UIDAI to the same degree. Fourth, it increases the probability of attribution in case a data breach were to occur; if the breached or leaked data contains identifiers issued by a particular data controller, it would become easier to hold them accountable and liable for the associated harms. Fifth, unlike the previous iteration of the Aadhaar “card”, on which the QR code was easy to forge and alter, this mechanism provides for integrity and tamper detection because the demographic information contained within the QR code is digitally signed by the UIDAI. Finally, it retains the earlier benefit of being very cheap to issue, unlike smart cards.

Thanks to the UIDAI, the private sector is also being forced to implement privacy by design. Previously, since everyone was responsible for protecting Aadhaar numbers, nobody was. Data controllers would gladly share the Aadhaar number with their contractors, that is, data processors, since nobody could be held responsible. Now, since their own unique identifiers could be used to trace liability back to them, data controllers will start using tokenisation when they outsource any work that involves processing of the collected data. Skin in the game immediately breeds more responsible behaviour in the ecosystem.

The fintech sector has been rightfully complaining about regulatory and technological uncertainty from last year’s developments. This should be addressed by developing open standards and free software to allow for rapid yet secure implementation of these changes. The QR code standard itself should be an open standard developed by the UIDAI using some of the best practices common to international standard setting organisations like the World Wide Web Consortium, Internet Engineers Task Force and the Institute of Electrical and Electronics Engineers. While the UIDAI might still choose to take the final decision when it comes to various technological choices, it should allow stakeholders to make contributions through comments, mailing lists, wikis and face-to-face meetings. Once a standard has been approved, a reference implementation must be developed by the UIDAI under liberal licences, like the BSD licence that allows for both free software and proprietary software derivative works. For example, a software that can read the QR code as well as send and receive the OTP to authenticate the resident. This would ensure that smaller fintech companies with limited resources can develop secure systems.

Since Justice Dhananjaya Y. Chandrachud’s excellent dissent had no other takers on the bench, holdouts like me must finally register for an Aadhaar number since we cannot delay filing taxes any further. While I would still have preferred a physical digital artefact like a smart card (built on an open standard), I must say it is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019

The constitutionality of MHA surveillance order

nehaa — 2018-12-31T14:06:04Z

The rules require review committees to examine all surveillance orders issued under this section every couple of months.

The article by Nehaa Chaudhari was published in Asian Age on December 30, 2018.

The MHA notification authorising 10 agencies to intercept, monitor and decrypt “any information” generated, transmitted, received or stored in “any computer” has kicked up a row. One section calls it electronic surveillance at the behest of the Big Brother. This time the qualitative difference is data stored anywhere, not just data in motion, can be intercepted.

Privacy is a fundamental right in India. Nine Supreme Court judges agreed on this in late August, last year. It is “the constitutional core of human dignity” and flows primarily from the “guarantee of life and personal liberty” of our Constitution, they said, in the case of K.S.Puttaswamy vs Union of India. This meant two rules for the Indian state. Rule number 1.) Do not intrude upon a citizen’s right to life and personal liberty; and rule number 2.) Take all necessary steps to safeguard individual privacy.

However, because no fundamental right is absolute, the Indian state is allowed to deviate from rule number 1 in certain situations. It can restrict individual privacy provided that it first fulfills three conditions: The restriction must be backed by law; it must be for a legitimate state aim; and, it must be proportionate.

All laws (including existing ones) and government actions, with consequences for individual privacy, must meet the three conditions listed above to be valid.

Those that fail to do so are unconstitutional, and must be suitably amended, or will be struck down, as was the case with Section 377 of the Indian Penal Code, earlier this year. Section 69 of the Information Technology Act, under which the Ministry of Home Affairs has issued its recent surveillance order, warrants similar scrutiny.

Section 69 empowers the Centre and all state governments to authorise any of their officers to surveil citizens’ electronic communications and information. They may do so for any of the reasons laid down in the same section, including India’s sovereignty, integrity, defence, security and foreign relations, or public order, or to prevent the incitement of certain offences, or to investigate any offence. Government orders issued under this section must be reasoned, and in writing. These orders, and the resultant surveillance activity, must follow the procedure laid down in a set of rules framed under the Information Technology Act in 2009. The rules require review committees to examine all surveillance orders issued under this section every couple of months. The review committee at the Centre examines the Union government’s surveillance orders, while state governments’ orders are examined by committees at their respective states. But, review committees, whether at the Centre, or at any of the states, only have
three members each, tasked with reviewing hundreds of orders every day. Moreover, they consist only of government officials. Neither the Information Technology Act, nor the accompanying 2009 rules, require Parliamentary or judicial oversight of electronic surveillance by the executive.

In the past week, at least two petitions have been filed before the Supreme Court,which claim that the MHA’s surveillance order violates the fundamental right to privacy and is unconstitutional. This order for electronic surveillance is a clear deviation from rule number 1, and so the question before the court will be if it meets each of the conditions above to be valid.

Is the MHA order lawful? Yes, given as it was framed under the framework of the IT Act. There remains however, a larger question of the constitutionality of Section 69 itself. If the court finds Section 69 itself to be unconstitutional, any action taken pursuant to Section 69, including the recent MHA order, will also be unconstitutional.

Is the MHA order pursuant to a legitimate state aim? The order itself does not specify what in particular the government hopes to achieve. However, given as it was issued under Section 69, the government could well argue that it was only for the six purposes laid down in the statute.

Moreover, according to the Supreme Court in the right to privacy judgment, legitimate state aims are “matters of policy to be considered by the Union government.” The court even offered examples of possible legitimate state aims, which included the grounds listed under Section 69.

Is the MHA order proportionate? No; and neither is the IT Act’s framework dealing with electronic surveillance. The IT Act allows government surveillance of citizens, unchecked by either the legislature, or the judiciary. It creates a scenario where tiny government committees must review the government’s own decisions to curtail citizens’ fundamental rights. Moreover, it penalises individuals with up to seven years in jail, in addition to fines, for not complying with any interception, monitoring, or decryption request by an authorised government agency.

In light of the recent MHA order, this means that individuals must comply with surveillance requests by 10 government agencies including tax authorities, the police, and civil and military intelligence agencies, or be prepared to face jail time. This is unethical, undemocratic, and unconstitutional.

Unchecked government surveillance threatens not just an individual’s fundamental right to privacy, but also her fundamental freedoms of speech, movement, and assembly among others, also guaranteed fundamental rights under the Indian Constitution.

These rights and freedoms are the very essence of what it means to be a free citizen in a modern democracy. A democratic state must only exercise its police powers in the narrowest of circumstances, within bright lines, clearly defined.

In August, 2017, the Supreme Court laid down the framework to identify these narrow circumstances and bright lines in so far as the fundamental right to privacy was concerned. But, the promise of Puttaswamy is only as good as its implementation, and here lies its biggest challenge.

As Pranesh Prakash, Fellow at the Centre for Internet and Society, said on a television channel recently, perhaps it is about time that we stopped relying solely on the courts to step in to safeguard our fundamental rights, and started demanding that our elected law-markers did their jobs, or did them better. After all, a general election is but a few months away.

For more details visit https://cis-india.org/internet-governance/news/nehaa-chaudhari-asian-age-december-30-2018-constitutionality-of-mha-surveillance-order

December 2018 Newsletter

praskrishna — 2019-01-08T16:15:38Z

We at the Centre for Internet & Society (CIS) wish you all a great year ahead and welcome you to the twelfth issue of its newsletter (December) for the year 2018:

Highlights

CIS signed a MoU with Odia Virtual Academy to work on drafting an open content policy for the state, to promote use of Wikimedia projects by various user types and to ensure sustainability of Wikimedia projects, and to facilitate development of relevant free and open source software projects. This partnership between OVA and CIS will be carried out from December 2018 to November 2019.
Natalia Khaniejo, in a four-part report has attempted to document the various approaches that are being adopted by different stakeholders towards incentivizing cybersecurity and the economic challenges of implementing the same. The literature review was edited by Amber Sinha.
Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah created an infographic which has mapped the key stakeholder, areas of focus and threat vectors that impact cybersecurity policy in India. The authors have stated that broadly policy-makers should concentrate on establishing a framework where individuals feel secure and trust the growing digital ecosystem.
In April 2018 European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). Vipul Kharbanda has analysed how service providers based in India whose services are also available in Europe would be affected by these proposals.
Feminist research methodology is a vast body of knowledge, spanning across multiple disciplines including sociology, media studies, and critical legal studies. A literature review by Ambika Tandon aims to understand key aspects of feminist methodology across these disciplines, with a particular focus on research on technology and its interaction with society.
CIS and design collective Design Beku came together for a workshop on Illustrations and Visual Representations of Cybersecurity. The authors Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu have stated that images play a vital role in the public’s perception of cybercrime and cybersecurity.
A list of selected sessions and papers for the Internet Researchers' Conference 2019 (IRC19) has been published. IRC19 will be held in Lamakaan, Hyderabad, from Jan 30 to Feb 1, 2019.

Articles

Private-public partnership for cyber security (Arindrajit Basu; Hindu Businessline; December 24, 2018).
Is the new ‘interception’ order old wine in a new bottle? (Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare; Newslaundry.com; December 27, 2018).
Digital Native: System Needs a Reboot (Nishant Shah; Indian Express; December 30, 2018).

Media Coverage

Many sites bypass porn ban (Rajitha Menon; Deccan Herald; December 6, 2018).
How data privacy and governance issues have battered Facebook ahead of 2019 polls (Rahul Sachitanand; Economic Times; December 6, 2018).
Is Aadhaar Essential To Achieve Error-Free Electoral Rolls? (Bloomberg Quint; December 16, 2018).
Centre’s order on computer surveillance threatens right to privacy, experts say (Abhishek Dey; Scroll.in; December 22, 2018).
Centre’s order on computer surveillance is backed by law – but the law lacks adequate safeguards (Nehaa Chaudhari and Tuhina Joshi; Scroll.in; December 23, 2018).
Ten Indian government agencies can now snoop on people’s internet data (David Spenser; VPN Compare; December 24, 2018).
Big Brother is here: Amid snooping row, govt report says monitoring system 'practically complete' (Keerthana Sankaran; New Indian Express; December 26, 2018).
MHA snoop order & bid to amend IT rules: China-like clampdown or tracking unlawful content? (Fatima Khan; The Print December 28, 2018).
The dark side of future tech: Where are we headed on privacy, security, truth? (Dipanjan Sinha; Hindustan Times; December 29, 2018).
The constitutionality of MHA surveillance order (Nehaa Chaudhari; Asian Age; December 30, 2018).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

Punjabi Wikisource Training Workshop, Patiala (Jayanta Nath; December 6, 2018).
Indic Wikisource Community Consultation 2018 (Jayanta Nath; December 8, 2019).
CIS Signs MoU with Odia Virtual Academy (Sailesh Patnaik; December 19, 2018).

Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Guest Lecture

Lecture on Open Access and Open Content Licensing at ICAR (short course) (Organized by ICAR-Indian Institute of Horticultural Research (IIHR) a constituent establishment of Indian Council of Agricultural Research; November 13 - 22, 2018). Anubha Sinha delivered a lecture.

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Privacy

Guest Lecture

Teaching at Shristi Interlude (Organised by Shristi; Bangalore; December 7, 2018). Shweta Mohandas participated as a mentor.

Gender

Research Paper

Feminist Methodology in Technology Research: A Literature Review (Ambika Tandon with contributions from Mukta Joshi; research assistance by by Kumarjeet Ray and Navya Sharma; design by Saumyaa Naidu; December 23, 2018).

Blog Entry

Event Report on Intermediary Liability and Gender Based Violence (Akriti Bopanna; edited by Ambika Tandon; December 20, 2018).

Participation in Event

International Network on Feminist Approaches to Bioethics 2018 (Co-organized by Feminist Approaches to Bioethics and Sama; St. John's Medical College; Bangalore; December 3 - 5, 2018). Aayush Rathi and Ambika Tandon were speakers at the event.

Cyber Security

Research Papers

European E-Evidence Proposal and Indian Law (Vipul Kharbanda; December 23, 2018).
Economics of Cybersecurity: Literature Review Compendium (Natalia Khaniejo; edited by Amber Sinha; December 31, 2018).

Infographic

Mapping cybersecurity in India: An infographic (information contributed by Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah; designed by Saumyaa Naidu; December 23, 2018).

Blog Entry

A Critical Look at the Visual Representation of Cybersecurity (Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu; December 11, 2018).

Participation in Event

India-China Tech Forum 2018 (Organised by ORF and Peking University at the Ji Xianlin Centre for India-China Studies; Mumbai; December 11 - 12, 2018). Arindrajit Basu was a speaker.

Artificial Intelligence

Participation in Event

Future Tech and Future Law (Organised by Dept. of IT & BT, Government of Karnataka; Palace Grounds; Bangalore; November 29 - December 1, 2018). Arindrajit Basu was a speaker.
AI for Social Good Summit (Co-organised by Google AI and United Nations ESCAP; Bangkok; December 13, 2018).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Selected Papers

Internet Researchers' Conference 2019 (IRC19): #List - Selected Sessions and Papers (P.P. Sneha; January 2, 2019).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/december-2018-newsletter

Economics of Cybersecurity: Literature Review Compendium

Natallia Khaniejo — 2021-05-01T06:09:09Z

The twenty first century has witnessed an unprecedented conflation of everyday experiences and technosocial practices. The emergence of technologies like the Internet of Things, Cloud Computing, Digital Payment infrastructures are all emblematic of this conflation of technology with economic, social and political modes of existence.

Authored by Natallia Khaniejo and edited by Amber Sinha

Politics and economics are increasingly being amalgamated with Cybernetic frameworks and consequently Critical infrastructure has become intrinsically dependent on Information and Communication Technology (ICTs). The rapid evolution of technological platforms has been accompanied by a concomitant rise in the vulnerabilities that accompany them. Recurrent issues include concerns like network externalities, misaligned incentives and information asymmetries. Malignant actors use these vulnerabilities to breach secure systems, access and sell data, and essentially destabilize cyber and network infrastructures. Additionally, given the relative nascence of the realm, establishing regulatory policies without limiting innovation in the space becomes an additional challenge as well. The lack of uniform understanding regarding the definition and scope of what can be defined as Cybersecurity also serves as a barrier preventing the implementation of clear guidelines. Furthermore, the contrast between what is convenient and what is ‘sanitary’ in terms of best practices for cyber infrastructures is also a constant tussle with recommendations often being neglected in favor of efficiency. In order to demystify the security space itself and ascertain methods of effective policy implementation, it is essential to take stock of current initiatives being proposed for the development and implementation of cybersecurity best practices, and examine their adequacy in a rapidly evolving technological environment. This literature review attempts to document the various approaches that are being adopted by different stakeholders towards incentivizing cybersecurity and the economic challenges of implementing the same.

Click on the below links to read the entire story:

Economics of Cybersecurity Part I

Economics of Cybersecurity Part II

Economics of Cybersecurity Part III

Economics of Cybersecurity Part IV

For more details visit https://cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity

MHA snoop order & bid to amend IT rules: China-like clampdown or tracking unlawful content?

Admin — 2018-12-30T10:08:31Z

An MHA order last week authorised 10 government agencies to scan data on computers. This was followed by the Modi government’s proposal to amend the Information Technology rules for social media platforms like WhatsApp, Facebook and Twitter to “proactively identify, remove or disable access to unlawful information or content” in order to curb fake news online.

The article by Fatima Khan was published in the Print on December 28, 2018. Amber Sinha was quoted.

No concrete steps taken by either NDA or UPA to enact laws for surveillance reform

The MHA order which gives 10 government agencies the power to intercept, monitor and decrypt ‘any information’ generated, transmitted, received, or stored in any computer, reaffirms the sorry state of communication surveillance law in India. This is reflected in the lack of judicial review, minimal legislative oversight and no regard for the principles of necessity, proportionality, user notification and transparency.

Despite detailed recommendations by the Committee of Experts led by Justice AP Shah back in 2013, there have been no concrete steps taken by either the current NDA government or the previous UPA government to enact laws for surveillance reform. The draft bill by the committee led by Justice Srikrishna does refer to the principles of necessity and proportionality, but stops short of recommending an overhaul of the surveillance regime. This notification is but merely the logical next step in the existing framework for communications surveillance.

On the other hand, the draft amendments to the IT Act regulations seek to address the problem of ‘unlawful content’ and seem to stem largely from concerns about the use of platforms like Facebook and WhatsApp to spread disinformation and impact electoral processes in India. To that extent, these steps are misguided and betray a failure to engage with the actual problem. Already, the powers of content moderation exercised by online platforms suffer from problems of transparency and accountability. The draft regulations will only serve to compound this problem while unreasonably expecting the platforms to exercise powers which should require judicial determination.

For more details visit https://cis-india.org/internet-governance/news/the-print-december-28-2018-mha-snoop-order-bid-to-amend-it-rules-china-like-clampdown-or-tracking-unlawful-content

The dark side of future tech: Where are we headed on privacy, security, truth?

Admin — 2018-12-30T09:24:40Z

#2018 Year-End Special: We now live in a time when devices listen, chips track your choices, and governments can watch from behind a barcode. How do we navigate this world?

The article by Dipanjan Sinha was published in the Hindustan Times on December 29, 2018. Pranesh Prakash was quoted.

“One of the definitions of sanity is the ability to tell real from unreal. Soon we’ll need a new definition,” Alvin Toffler, author of the 1970 bestseller Future Shock, once said.

Privacy. Security. Freedom. Democracy. History. News — the lines between the real and unreal are blurring in each of these fields.

Fake news is helping decide elections; history being rewritten as it happens; rumour has become identical in look, feel and distribution to the actual news.

Devices that listen, governments that watch you from behind a barcode, chips that track where you go, what you eat, how you feel — these used to be the stuff of dystopian novels.

In April, the world learnt of the Chinese government’s social credit system, a programme currently in the works that would employ private technology platforms and local councils to use personal data to assign a social score to every registered citizen.

Behave as the state wants you to, and you could get cheaper loans, easier access to education; it’s unclear what the consequences could be for those who do the opposite, but discredits are likely for bad behaviours that range from smoking in non-smoking zones to buying ‘too many’ video games, and being critical of the government.

We’ve seen this before — totalitarian governments where the individual is under constant surveillance by a state that pretends this is for the greater good. But the last time we came across it, it was fiction — George Orwell’s 1984, set in a superstate where thought police took their orders from a totalitarian leader with a friendly name, Big Brother.

CATCH-22

“Just because you’re paranoid doesn’t mean they aren’t out to get you,” Joseph Heller said, in Catch-22, a novel so layered that you’re never sure which bits are true. Who gets access to the data your phone collects? What is the government watching for, after they’ve assigned citizens unique IDs?

It feels good to be able to criticise China, still something of an anomaly in a global community that is largely democratic and free-market, but the UK had a National Identity Cards Act from 2006 to 2010; India has the Aadhar project; Brazil has had the National Civil Identification document since 2017; Germany, a national identity card since 2010, and Colombia has had one since 2013.

They’re collecting biometric data, assigning numbers to citizens and building national registers — with not much word on what’s in them, who has access, or how secure they are.

“To ask what the risk is with accumulating such big data is like asking what the risk is with computers. They are both embedded in our lives,” says Pranesh Prakash, a fellow at the thinktank Centre for Internet and Society.

Security is just the base layer in the pyramid if risks. There is also the risk of discrimination — whether in terms of benefits, employment, or something like marriage, Prakash says. There is the risk of bad data leading to worse discrimination; there is the risk of public profiling.

“The question here is about transparency,” Prakash says. “The questions of what the data contains, who it is accessed by or sold do, how much of it there is, and what the purpose is of collecting it — need to be clearly answered.”

OPERATION THEATRE

New questions are being asked in the field of medicine as well. Where do you draw the line on designer babies? Should parents get to edit the genes of their child-to-be? How much ought we to tinker — do you stop at mutations, or go on to decide hair colour and intellect?

As it becomes cheaper and easier to sequence DNA, the questions over the next steps — of interpreting and analysing the data — will become more complex, says K VijayRaghavan, principal scientific adviser to the government of India, and former director of the National Centre for Biological Sciences. “From here on, with the data deluge, deciding what and how to do it will become fiendishly complex. Especially as commercial interests become involved.”

We have rules and laws for the use of DNA information in research, but corresponding laws that regulate how one can use personal whole genome information in the public space are still being framed. “The data-privacy discussion will soon get to the genomic-data space,” VijayRaghavan says. “Data sharing is needed for patients to benefit. Yet data privacy is needed to prevent exploitative use. It’s a conundrum, and there are no easy answers.”

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-dipanjan-sinha-december-29-2018-the-dark-side-of-future-tech