We are anonymous, we are legion

Supreme Court Order is a Good Start, but is Seeding Necessary?

Elonnai Hickok and Rohan George — 2015-09-07T13:21:58Z

This blog post seeks to unpack the ‘seeding’ process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the court in the context of the seeding process.

Introduction

On August 11th 2015, in the writ petition Justice K.S Puttaswamy (Retd.) & Another vs. Union of India & Others1, the Supreme Court of India issued an interim order regarding the constitutionality of the UIDAI scheme. In response to the order, Dr. Usha Ramanathan published an article titled  'Decoding the Aadhaar judgment: No more seeding, not till the privacy issue is settled by the court' which, among other points, highlights concerns around the seeding of Aadhaar numbers into service delivery databases. She writes that "seeding' is a matter of grave concern in the UID project. This is about the introduction of the number into every data base. Once the number is seeded in various databases, it makes convergence of personal information remarkably simple. So, if the number is in the gas agency, the bank, the ticket, the ration card, the voter ID, the medical records and so on, the state, as also others who learn to use what is called the 'ID platform', can 'see' the citizen at will."2

Building off of this statement, this article seeks to unpack the 'seeding' process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the Court in the context of the seeding process.

What is Seeding?

In the UID scheme, data points within databases of service providers and banks are organized via individual Aadhaar numbers through a process known as 'seeding'. The UIDAI has released two documents on the seeding process - "Approach Document for Aadhaar Seeding in Service Delivery Databases version 1.0" (Version 1.0)3 and "Standard Protocol Covering the Approach & Process for Seeding Aadhaar Number in Service Delivery Databases June 2015 Version 1.1" (Version 1.1)4

According to Version 1.0 "Aadhaar seeding is a process by which UIDs of residents are included in the service delivery database of service providers for enabling Aadhaar based authentication during service delivery."5 Version 1.0 further states that the "Seeding process typically involves data extraction, consolidation, normalization, and matching".6 According to Version 1.1, Aadhaar seeding is "a process by which the Aadhaar numbers of residents are included in the service delivery database of service providers for enabling de-duplication of database and Aadhaar based authentication during service delivery".7 There is an extra clause in Version 1.1's definition of seeding which includes "de-duplication" in addition to authentication.

Though not directly stated, it is envisioned that the Aadhaar number will be seeded into the databases of service providers and banks to enable cash transfers of funds. This was alluded to in the Version 1.1 document with the UIDAI stating "Irrespective of the Scheme and the geography, as the Aadhaar Number of a given Beneficiary finally has to be linked with the Bank Account, Banks play a strategic and key role in Seeding."8

How does the seeding process work?

The seeding process itself can be done through manual/organic processes or algorithmic/in-organic processes. In the inorganic process the Aadhaar database is matched with the database of the service provider - namely the database of beneficiaries, KYR+ data from enrolment agencies, and the EID-UID database from the UIDAI. Once compared and a match is found - for example between KYR fields in the service delivery database and KYR+ fields in the Aadhaar database - the Aadhaar number is seeded into the service delivery database.9

Organic seeding can be carried out via a number of methods, but the recommended method from the UIDAI is door to door collection of Aadhaar numbers from residents which are subsequently uploaded into the service delivery database either manually or through the use of a tablet or smart phone. Perhaps demonstrating the fact that technology cannot be used as a 'patch' for a broken or premature system, organic (manual) seeding is suggested as the preferred process by the UIDAI due to challenges such as lack of digitization of beneficiary records, lack of standardization in Name and Address records, and incomplete data.10

According to the 1.0 Approach Paper, to facilitate the seeding process, the UIDAI has developed an in house software known as Ginger. Service providers that adopt the Aadhaar number must move their existing databases onto the Ginger platform, which then organizes the present and incoming data in the database by individual Aadhaar numbers. This 'organization' can be done automatically or manually. Once organized, data can be queried by Aadhaar number by person's on the 'control' end of the Ginger platform.11

In practice this means that during an authentication in which the UIDAI responds to a service provider with a 'yes' or 'no' response, the UIDAI would have access to at least these two sets of data: 1.) Transaction data (date, time, device number, and Aadhaar number of the individual authenticating) 2.) Data associated to an individual Aadhaar number within a database that has been seeded with Aadhaar numbers (historical and incoming). According to the Approach Document version 1.0, "The objective here is that the seeding process/utility should be able to access the service delivery data and all related information in at least the read-only mode." 12 and the Version 1.1 document states "Software application users with authorized access should be able to access data online in a seamless fashion while providing service benefit to residents." 13

What are the concerns with seeding?

With the increased availability of data analysis and processing technologies, organisations have the ability to link disparate data points stored across databases in order that the data can be related to each other and thereby analysed to derive holistic, intrinsic, and/or latent assessments. This can allow for deeper and more useful insights from otherwise standalone data. In the context of the government linking data, such "relating" can be useful - enabling the government to visualize a holistic and more accurate data and to develop data informed policies through research14. Yet, allowing for disparate data points to be merged and linked to each other raises questions about privacy and civil liberties - as well as more intrinsic questions about purpose, access,  consent and choice.  To name a few, linked data can be used to create profiles of individuals, it can facilitate surveillance, it can enable new and unintended uses of data, and it can be used for discriminatory purposes.

The fact that the seeding process is meant to facilitate extraction, consolidation, normalization and matching of data so it can be queried by Aadhaar number, and that existing databases can be transposed onto the Ginger platform can give rise to Dr. Ramanthan's concerns. She argues that anyone having access to the 'control' end of the Ginger platform can access all data associated to a Aadhaar number, that convergence can now easily be initiated with databases on the Ginger platform,  and that profiling of individuals can take place through the linking of data points via the Ginger platform.

How does the Supreme Court Order impact the seeding process and what still needs to be clarified?

In the interim order the Supreme Court lays out four welcome clarifications and limitations on the UID scheme:

The Union of India shall give wide publicity in the electronic and print media including radio and television networks that it is not mandatory for a citizen to obtain an Aadhaar card;
The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen;
The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the purpose of the LPG Distribution Scheme;
The information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation."15

In some ways, the court order addresses some of the concerns regarding the seeding of Aadhaar numbers by limiting the scope of the seeding process to the PDS scheme, but there are still a number of aspects of the scheme as they pertain to the seeding process that need to be addressed by the court.

These include:

The Process of Seeding

Prior to the Supreme Court interim order, the above concerns were quite broad in scope as Aadhaar could be adopted by any private or public entity - and the number was being seeded in databases of banks, the railways, tax authorities, etc. The interim order, to an extent, lessens these concerns by holding that  "The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme…".

However, the Court could have perhaps been more specific regarding what is included under the PDS scheme, because the scheme itself is broad. That said, the restrictions put in place by the court create a form of purpose limitation and a boundary of  proportionality on the UID scheme. By limiting the purpose of the Aadhaar number to use in the PDS system, the  Aadhaar number can only be seeded into the databases of entities involved in the PDS Scheme, rather than any entity that had adopted the number. Despite this, the seeding process is an issue in itself for the following reasons:

Access: Embedding service delivery databases and bank databases with the Aadhaar number allows for the UIDAI or authorized users to access information in these databases. According to version 1.1 of the seeding document from the UIDAI - the UIDAI is carrying out the seeding process through 'seeding agencies'. These agencies can include private companies, public limited companies, government companies, PSUs, semi-government organizations, and NGOs that are registered and operating in India for at least three years.16 Though under contract by the UIDAI, it is unclear what information such organizations would be able to access. This ambiguity leaves the data collected by UIDAI open to potential abuse and unauthorized access. Thus, the Court Ruling fails to provide clarity on the access that the seeding process enables for the UIDAI and for private parties.

Consent: Upon enrolling for an Aadhaar number, individuals have the option of consenting to the UIDAI sharing information in three instances:

"I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services."

"I want the UIDAI to facilitate opening of a new Bank/Post Office Account linked to my Aadhaar Number.

"I have no objection to sharing my information for this purpose""I have no objection to linking my present bank account provided here to my Aadhaar number"17

Aside for the vague and sweeping language of actions users provide consent for, which raises questions about how informed an individual is of the information he consents to share, at no point is an individual provided the option of  consenting  to the UIDAI accessing data - historic or incoming - that is stored in the database of a service provider in the PDS system seeded with the Aadhaar number. Furthermore, as noted earlier, the fact that the UIDAI concedes that a beneficiary has to be linked with a bank account raises questions of consent to this process as linking one's bank account with their Aadhaar number is an optional part of the enrollment process. Thus, even with the restrictions from the court order, if individuals want to use their Aadhaar number to access benefits, they must also seed their number with their bank accounts. On this point, in an order from the Finance Ministry it was clarified that the seeding of Aadhaar numbers into databases is a voluntary decision, but if a beneficiary provides their number on a voluntary basis - it can be seeded into a database.18

Withdrawing Consent: The Court also did not directly address if individuals could withdraw consent after enrolling in the UID scheme - and if they did - whether Aadhaar numbers should be 'unseeded' from PDS related databases. Similarly, the Court did not clarify whether services that have seeded the Aadhaar number, but are not PDS related, now need to unseed the number. Though news items indicate that in some cases (not all) organizations and government departments not involved in the PDS system are stopping the seeding process19, there is no indication of departments undertaking an 'unseeding' process. Nor is there any indication of the UIDAI allowing indivduals enrolled to 'un-enroll' from the scheme. In being silent on issues around consent, the court order inadvertently overlooks the risk of function creep possible through the seeding process, which "allows numerous opportunities for expansion of functions far beyond those stated to be its purpose"20.

Verification and liability: According to Version 1.0 and Version 1.1 of the Seeding documents, "no seeding is better than incorrect seeding". This is because incorrect seeding can lead to inaccuracies in the authentication process and result in individuals entitled to benefits being denied such benefits. To avoid errors in the seeding process the UIDAI has suggested several steps including using the "Aadhaar Verification Service" which verifies an Aadhaar number submitted for seeding against the Aadhaar number and demographic data such as gender and location in the CIDR. Though recognizing the importance of accuracy in the seeding process, the UIDAI takes no responsibility for the same. According to Version 1.1 of the seeding document, "the responsibility of correct seeding shall always stay with the department, who is the owner of the database."21 This replicates a disturbing trend in the implementation of the UID scheme - where the UIDAI 'initiates' different processes through private sector companies but does not take responsibility for such processes. 22

The Scope of the UIDAI's mandate and the necessity of seeding

Aside from the problems within the seeding process itself, there is a question of the scope of the UIDAI's mandate and the role that seeding plays in fulfilling this. This is important in understanding the necessity of the seeding process.

On the official website, the UIDAI has stated that its mandate is "to issue every resident a unique identification number linked to the resident's demographic and biometric information, which they can use to identify themselves anywhere in India, and to access a host of benefits and services." 23 Though the Supreme Court order clarifies the use of the Aadhaar number, it does not address the actual legality of the UIDAI's mandate - as there is no enabling statute in place -and it does not clarify or confirm the scope of the UIDAI's mandate.

In Version 1.0 of the Seeding document the UIDAI has stated the "Aadhaar numbers of enrolled residents are being 'seeded' ie. included in the databases of service providers that have adopted the Aadhaar platform in order to enable authentication via the Aadhaar number during a transaction or service delivery."24 This statement is only partially correct. For only providing and authenticating of an Aadhaar number - seeding is not necessary as the Aadhaar number submitted for verification alone only needs to be compared with the records in the CIDR to complete authentication of the same. Yet, in an example justifying the need for seeding in the Version 1.0 seeding document the UIDAI states "A consolidated view of the entire data would facilitate the social welfare department of the state to improve the service delivery in their programs, while also being able to ensure that the same person is not availing double benefits from two different districts."25 For this purpose, seeding is again unnecessary as it would be simple to correlate PDS usage with a Aadhaar number within the PDS database. Even if limited to the PDS system,  seeding in the databases of service providers is only necessary for the creation and access to comprehensive information about an individual in order to determine eligibility for a service. Further, seeding is only necessary in the databases of banks if the Aadhaar number moves from being an identity factor - to a transactional factor - something that the UIDAI seems to envision as the Version 1.1 seeding document states that Aadhaar is sufficient enough to transfer payments to an individual and thus plays a key role in cash transfers of benefits.26

Conclusion

Despite the fact that adherence to the interim order from the Supreme Court has been adhoc27, the order does provide a number of welcome limitations and clarifications to the UID Scheme. Yet, despite limited clarification from the Supreme Court and further clarification from the Finance Ministry's Order, the process of seeding and its necessity remain unclear. Is the UIDAI taking fully informed consent for the seeding process and what it will enable? Should the UIDAI be liable for the accuracy of the seeding process? Is seeding of service provider and bank databases necessary for the UIDAI to fulfill its mandate? Is the UIDAI's mandate to provide an identifier and an authentication of identity mechanism or is it to provide authentication of eligibility of an individual to receive services? Is this mandate backed by law and with adequate safeguards? Can the court order be interpreted to mean that to deliver services in the PDS system, UIDAI will need access to bank accounts or other transactions/information stored in a service provider's database to verify the claims of the user?

Many news items reflect a concern of convergence arising out of the UID scheme.28 To be clear, the process of seeding is not the same as convergence. Seeding enables convergence which can enable profiling, surveillance, etc. That said, the seeding process needs to be examined more closely by the public and the court to ensure that society can reap the benefits of seeding while avoiding the problems it may pose.

[1]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[2]. Usha Ramanthan. Decoding the Aadhaar judgment: No more seeding, not till the privacy issues is settled by the court. The Indian Express. August 12^th 2015. Available at: http://indianexpress.com/article/blogs/decoding-the-aadhar-judgment-no-more-seeding-not-till-the-privacy-issue-is-settled-by-the-court/

[3]. UIDAI. Approach Document for Aadhaar Seeding in Service Delivery Databases. Version 1.0. Available at: https://authportal.uidai.gov.in/static/aadhaar_seeding_v_10_280312.pdf

[4]. UIDAI. Standard Protocol Covering the Approach & Process for Seeding Aadhaar Numbers in Service Delivery Databases. Available at: https://uidai.gov.in/images/aadhaar_seeding_june_2015_v1.1.pdf

[5]. Version 1.0 pg. 2

[6]. Version 1.0 pg. 19

[7]. Version 1.1 pg. 3

[8]. Version 1.1 pg. 7

[9]. Version 1.1 pg. 5 -7

[10]. Version 1.1 pg. 7-13

[11]. Version 1.0 pg 19-22

[12]. Version 1.0 pg. 4

[13]. Version 1.1 pg. 5, figure 3.

[14]. David Card, Raj Chett, Martin Feldstein, and Emmanuel Saez. Expanding Access to Adminstrative Data for Research in the United States. Available at: http://obs.rc.fas.harvard.edu/chetty/NSFdataaccess.pdf

[15]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[16]. Version 1.1 pg. 18

[17]. Aadhaar Enrollment Form from Karnataka State. http://www.karnataka.gov.in/aadhaar/Downloads/Application%20form%20-%20English.pdf

[18]. Business Line. Aadhaar only for foodgrains, LPG, kerosene, distribution. August 27^th 2015. Available at: http://www.thehindubusinessline.com/economy/aadhaar-only-for-foodgrains-lpg-kerosene-distribution/article7587382.ece

[19]. Bharti Jain. Election Commission not to link poll rolls to Aadhaar. The Times of India. August 15^th 2015. Available at: http://timesofindia.indiatimes.com/india/Election-Commission-not-to-link-poll-rolls-to-Aadhaar/articleshow/48488648.cms

[20]. Graham Greenleaf. “Access all areas': Function creep guaranteed in Australia's ID Card Bill (No.1) Computer Law & Security Review. Volume 23, Issue 4. 2007. Available at: http://www.sciencedirect.com/science/article/pii/S0267364907000544

[21]. Version 1.1 pg. 3

[22]. For example, the UIDAI depends on private companies to act as enrollment agencies and collect, verify, and enroll individuals in the UID scheme. Though the UID enters into MOUs with these organizations, the UID cannot be held responsible for the security or accuracy of data collected, stored, etc. by these entities. See draft MOU for registrars: https://uidai.gov.in/images/training/MoU_with_the_State_Governments_version.pdf

[23]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[24]. Version 1.0 pg.3

[25]. Version 1.0 pg.4

[26]. Version 1.1 pg. 3

[27]. For example, there are reports of Aadhaar being introduced for different services such as education. See: Tanu Kulkarni. Aadhaar may soon replace roll numbers. The Hindu. August 21^st, 2015. For example: http://www.thehindu.com/news/cities/bangalore/aadhaar-may-soon-replace-roll-numbers/article7563708.ece

[28]. For example see: Salil Tripathi. A dangerous convergence. July 31^st. 2015. The Live Mint. Available at: http://www.livemint.com/Opinion/xrqO4wBzpPbeA4nPruPNXP/A-dangerous-convergence.html

For more details visit https://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary

Supreme Court issues notice to WhatsApp, Centre on data privacy

praskrishna — 2017-01-17T15:06:08Z

Analysts said India lacked data protection laws.

The article by MJ Antony, Ayan Pramanik and Apurva Venkat was published in the Business Standard on January 17, 2017. Sunil Abraham was quoted.

The Supreme Court on Monday issued notices to the Centre and WhatsApp over an appeal alleging the instant messaging service did not ensure the privacy of its users and seeking regulations to protect personal information.

Chief Justice J S Khehar granted urgent hearing when Harish Salve, counsel for the petitioner, submitted that the service provided free by the platform to 155 million subscribers violated constitutional provisions protecting privacy.

The government and WhatsApp would file their replies within two weeks, the court directed after Salve sought its intervention to protect consumer data till India enacted data protection laws.

The Supreme Court heard the petition after the Delhi High Court in September directed WhatsApp not to share its users’ data with its parent Facebook and asked it to provide users with the option to opt out. The court was hearing a public interest litigation over a change in WhatsApp’s user policies that explicitly allowed Facebook to access to WhatsApp users’ data.

A Facebook spokesperson said the company could not comment immediately.

Analysts said India lacked data protection laws that prohibit global Internet firms from harvesting user data for their business. “We used to think that we had some privacy jurisprudence in the country. If you asked a lawyer 1.5 years ago, he would say privacy in India was a constitutionally guaranteed right,” said Sunil Abraham, director of the Centre for Internet Society. “It is not explicitly referenced into the law.”

Saroj Kumar Jha, partner, SRGR Law Offices, said, “Along with the lack of policies and laws, there are very few judgments on privacy issues based on constitutional rights. Thus, it makes it very difficult to judge a case.”

Salve argued that till the government enacted legislation to protect user data, the court should provide protection. The Telecom Regulatory Authority of India should introduce a clause in telecom licences that if calls were intercepted the licence would be cancelled, he said.

The court sought the assistance of Attorney-General Mukul Rohatgi to sort out the issues.

Rohatgi, while arguing an earlier case related to alleged violation of privacy, had taken the stand that the Constitution did not protect the right to privacy. According to him, neither the fundamental rights nor Supreme Court judgments recognises a citizen’s right to privacy. The bench hearing that case referred the question to a constitution bench last year.

For more details visit https://cis-india.org/internet-governance/news/business-standard-mj-antony-ayan-pramanik-apurva-venkat-supreme-court-issues-notice-to-whatsapp-centre-on-data-privacy

Supreme Court extends Aadhaar linking deadline till it passes verdict

Admin — 2018-03-17T15:02:10Z

The Supreme Court, however, allowed the government to seek Aadhaar numbers to transfer benefits of government schemes funded from the consolidated fund of India.

The article by Priyanka Mittal and Komal Gupta was published in Livemint on March 13, 2018. Pranesh Prakash was quoted.

The Supreme Court (SC) on Tuesday extended the deadline for linking of Aadhaar with mobile services, opening of new bank accounts and other services until it passes its verdict on a pending challenge to the constitutional validity of such linkages.

The court also noted that Aadhaar could not be made mandatory for issuance of a Tatkal passport, for now.

The extension would be applicable to the schemes of ministries/departments of the Union government as well as those of state governments, the court ruled in an interim order.

It was however, clarified that the extension would not be applicable for availing services, subsidies and benefits under Section 7 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.

A Constitution bench comprising Chief Justice Dipak Misra and justices D.Y. Chandrachud, A.K. Sikri, A.M. Khanwilkar and Ashok Bhushan is hearing a challenge to the constitutional basis of the 12-digit unique identification project, which is now likely to conclude after 31 March, the earlier deadline for Aadhaar linking.

“Even where Aadhaar hasn’t been mandated by the government, and even though the Supreme Court has extended the deadline for some mandatory linkages, if the software systems used by various governmental and private entities don’t make ‘Aadhaar number’ and authentication optional, then the SC’s orders gets nullified, effectively,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society (CIS).

Similar concerns over the extent of Tuesday’s interim protection were also expressed by the Software Freedom Law Centre (SFLC), an organization working to protect freedom in the digital world. “While the extension is certainly welcome, it is also important to note that there is currently some uncertainty about this extension and how it applies to linkages made mandatory under Section 7 of the Aadhaar Act. If the latest order does indeed exclude Aadhaar linkages mandated under Section 7, a large number of central and state government schemes (such as PDS, LPG, MNREGA and many more) would still need to be linked to Aadhaar by the end of the month, significantly diminishing the relief brought by today’s order, ” said the organization.

“The deadline for Aadhaar holders to link their PAN cards for taxation purposes will also be extended until disposal of the case as this linkage was mandated by Section 139AA of the Income Tax Act, 2000 and not Section 7 of the Aadhaar Act,” SFLC added.

Last week, attorney general K.K. Venugopal had told the apex court that the centre would consider extending the linking deadline since arguments in the case were likely to proceed beyond the earlier deadline of 31 March.

For more details visit https://cis-india.org/internet-governance/news/livemint-priyanka-mittal-komal-gupta-march-13-2018-supreme-court-extends-aadhaar-linking-deadline-till-it-passes-verdict

Sunil Abraham: Honorary steward September 2017

praskrishna — 2017-04-20T13:30:23Z

Shuttleworth Foundation has announced Sunil Abraham as Honorary Steward for its September 2017 fellowship round.

Sunil Abraham is the Executive Director of Bangalore based research organisation, the Centre for Internet and Society.

“I have admired the stewardship of the Shuttleworth Foundation towards the access to knowledge and free culture movements ever since I interviewed Mark Shuttleworth at WSIS 2005. Many of my personal heroes have become Fellows over the years and it is therefore my privilege to contribute a southern perspective to this fellowship round.” – Sunil Abraham

Applications close 15 May 2017 for a 1 September 2017 fellowship start date. Read the original post on Shuttleworth Foundation website here

For more details visit https://cis-india.org/internet-governance/news/shuttleworth-foundation-april-19-2017-sunil-abraham-honorary-steward-september-2017

Sunil Abraham, CIS : "Avec l’e-G8, Nicolas Sarkozy veut promouvoir de nouvelles restrictions à la liberté d’expression"

praskrishna — 2011-05-25T11:54:51Z

Le débat continue de faire rage en Inde au sujet d’une nouvelle législation posant des limites floues et, selon certains, potentiellement dangereuses, à la liberté d’expression sur Internet. Et alors que s’ouvre à Paris l’e-G8, sur fond de polémiques autour des intentions de son principal supporteur, le président de la République Française, Nicolas Sarkozy, Sunil Abraham, directeur exécutif de l’ONG Center for Internet & Societies, a accepté de partager son regard sur l’événement, depuis Bangalore. This news was published in LE MAG IT on May 24, 2011.

LeMagIT: L’Inde vient de se doter d’une nouvelle législation relative aux technologies de l’information et de la communication. Que dénoncez-vous dans cette législation ?

Sunil Abraham: Il y a trois principales préoccupations, pour la société civile. Tout d’abord, cette nouvelle législation va au-delà de son périmètre légitime et définit des limites vagues et inconstitutionnelles à la liberté d’expression sur Internet. Par exemple, un discours dénigrant, relevant du harcèlement, blasphématoire ou haineux n’a jamais été criminel ou considéré comme tel par la justice indienne. Mais du fait de cette nouvelle législation, cela peut être puni de 3 ans de prison. Ensuite, ces règles introduisent un biais contre la participation citoyenne à toute forme de publication en ligne, en particulier dans les médias sociaux ou la production de contenus collective. Ainsi, une fois qu’un ordre de retrait a été notifié, le contenu contestable visé doit être supprimé dans un délai de 36 heures. Ou c’est l’intermédiaire concerné qui est susceptible de voir engagée sa responsabilité. De grandes entreprises telles que Google seront en mesure de gérer de telles injections et d’engager des procédures en justice mais de simples individus seront écrasés par la censure privée sans application équitable de la loi. En outre, les individus ne seront pas notifiés de l’application d’une telle censure et aucune pénalité n’est prévue pour ceux qui abuseraient du système en émettant des ordres de retrait de contenu en masse de manière automatisée. Enfin, l’État a créé un système de surveillance à plusieurs niveaux impliquant cyber-cafés, FAI et fournisseurs de services en ligne. Les garde-fous sur les réquisitions judiciaires émises par les agences de renseignement ont été dilués. La rétention de logs redondante à plusieurs niveaux fournit en outre des cibles multiples avec des vulnérabilités multiples aux criminels à la fois au sein et en dehors de ces institutions. Les violations de la vie privée vont se multiplier et ne feront que distraire les agents du renseignement de leurs missions de fond pour lutter contre la criminalité et le terrorisme.

En clair, nous pensons que ces nouvelles règles vont réfréner la liberté d’expression sur Internet en Inde en stimulant l’auto-censure, la censure privée et la surveillance. Cela va nuire à l’exercice démocratique, à la liberté des médias, et à la transparence des institutions publiques, à la culture et à la créativité, à la recherche et au développement, et enfin - mais ce n’est pas rien - à l’entrepreneuriat.

LeMagIT: Dans un contexte de suspicion sur les objectifs du forum e-G8, et avec la perspective de la nouvelle législation indienne, quel regard portez-vous sur le sommet international qui s’ouvre ce mardi 24 mai en France ?

Sunil Abraham: Nicolas Sarkozy et les nations développées de l’Ouest ont complètement perdu leur légitimité morale dans le débat sur la liberté sur Internet. Leur duplicité et leur double-langage ont été mis en lumière - d’un côté, ils critiquent la Birmanie, l’Arabie Saoudite et la Chine mais, dans le même temps, à l’intérieur de leurs frontières, ces nations ont courbé l’échine pour satisfaire aux demandes des ayants-droits. Rétention de données, exigence de justification d’identité dans les cyber-cafés, riposte graduée, investigations transnationales, etc... sont en train de devenir la norme. Nicolas Sarkozy semble avoir oublié que l’accès au savoir est le prérequis de la liberté d’expression. Le partage de l’information est une composante essentielle des activités quotidiennes des citoyens du Net. Criminaliser ces actes afin de soutenir les modèles économiques moribonds des éditeurs de logiciels et des sociétés de production de médias ne fera que réduire Internet à une télévision interactive.

En tant que personne mariée à un ayant-droit en quête de rente, Nicolas Sarkozy n’a naturellement que peu de sympathie pour l’accès [libre] à la connaissance et peut ainsi se faire le champion vocal des régimes de riposte graduée. Il serait bien capable d’interdire à quelqu’un de lire sous un livre prétexte que cette personne aurait partagé les photocopies de ce livre avec trois de ses amis. Il n’y a aucune proportionnalité entre le préjudice et la punition.

Avec l’e-G8, Nicolas Sarkozy essaie de pousser d’autres restrictions à la liberté d’expression avec son concept “d’Internet civilisé” - les régimes répressifs du monde entier ont de quoi se réjouir. Leur régulation draconienne a été importée par le pays de “liberté, égalité, fraternité.” J’espère que le peuple français se joindra aux sociétés civiles du monde entier pour rejeter les propositions de Nicolas Sarkozy.

Sunil's original response in English

What is wrong with the latest IT Rules 2011 [Intermediary Due Diligence, Cyber Cafe and Reasonable Security Measures) under the IT Act [Amendment 2008]

There are 3 broad concerns that civil society has with the latest IT rules. One, they go beyond the the scope of the IT Act and place unconstitutional and vague limits on freedom of expression online. For example speech that is harmful, harassing, disparaging, blasphemous or hateful has never been criminal or defined by Indian courts. But thanks to the latest rules, they are punishable with 3 years of imprisonment. Two, the rules are biased against citizen participation in online publication especially in the form of social media and commons based peer production. Once a take down notice is received the objectionable content has to be deleted within 36 hour otherwise the intermediary looses immunity. Large corporations like Google will be able to manage due diligence and also fight court battles but individual users will becrushed by private censorship sans due process of law. This individuals will not be notified when such censorship occurs and there is no penalty for those who abuse the system by sending bulk machine generated take-downs. Three, the state has mandated a multi-tier blanket surveillance regime - by cyber-cafes, ISPs and application service providers. Safeguards for information requests by intelligence agencies have been diluted. Redundant multi-level retention of logs provides multiple targets with multiple vulnerabilities to criminals both inside and outside these institutions. Privacy violations will multiply only serving a big distraction from the real intelligence work required to stop criminals and terrorists.

In brief - we believe the latest rules have a chilling effect on online freedom of expression in India via self-censorship, private censorship and blanket surveillance. This will undermine - democratic governance, free media, transparency and accountability in public institutions, culture and creativity, research and development and last but not least entrepreneurship.

What is wrong with Sarkozy's agenda at the e-G8

Sarkozy and developed western nations have completely lost their higher moral ground on net freedom. Their duplicity and double-speak has been exposed - on the one hand they criticise Burma, Saudi Arabia and China. But simultaneously at home these nations have bent backwards to please rights-holders. Blanket data retention, real ID requirements at cyber-cafes, three strikes regime, cross-border searches, etc are becoming the norm. Sarkozy appears to have forgotten that access to knowledge is the precondition for freedom of expression. Sharing of information is an essential component of the everyday Internet use of ordinary netizens. Criminalising these acts in order to prop up extinct business models of media houses and software companies will only reduce the Internet to interactive television.

Read the original published by LeMagIT here

For more details visit https://cis-india.org/news/avec-i-e-g-8

Sunil Abraham | The online warrior

praskrishna — 2014-08-12T16:04:21Z

With a vision that combines free speech with digital privacy, this policymaker has redefined the role of the internet in society.

The article by Anirban Sen was published in Livemint on August 9, 2014

Freedom of digital security | Sunil Abraham

Tucked away in a neighbourhood in Bangalore’s upscale Indiranagar residential area is an innocuous, three-storeyed, white building. A grassy empty plot lies opposite. It could be just another house in a neighbourhood dotted by similar structures.

The scene changes dramatically inside. People talk animatedly, poring over computer screens, wired in like it is a hackers’ lair. It has a “secret command centre” kind of room in the basement.

In the midst of what looks like a geek utopia, a bespectacled man rattles off facts and figures on Internet laws, cyber-security and digital privacy. Forty-year-old Sunil Abraham started the non-profit research think tank Centre for Internet and Society (CIS) in 2008.

The venture, which focuses primarily on Internet governance, has attracted investment from philanthropist Rohini Nilekani (ironical, considering Abraham has been an outspoken critic of the Unique Identification Authority of India, or UIDAI, project that was spearheaded by her husband and Infosys co-founder Nandan Nilekani). Over the years, Abraham has become an authority on issues related to freedom of expression, Internet privacy and security, free software and cyber laws.

His efforts have yielded results. The best example is the Justice A.P. Shah committee report released in October 2012. It puts a stamp of authority on Indian privacy principles, and ensures privacy protections “do not have a chilling effect on the freedom of expression and transparency enabled by the RTI (right to information)”, as Abraham wrote in Forbes India magazine last year.

“We’re not regulatory hawks,” explains Abraham, an engineer by education. “We don’t have an ideology—we don’t have people who are either left or right. And therefore we don’t want to regulate the private sector for the sake of it, just to cause them more grief. We have great appreciation for the role the private sector plays in the economy.” He adds that their design principles are conservatism, forbearance and equivalence. “With these broad principles, we believe we can get Internet regulation right,” he says.

Abraham has actively advocated free speech and privacy of individuals. Last year, in an interview with Mint, he spoke about the need to upgrade the country’s draconian information technology laws. Abraham’s Twitter timeline is full of posts related to open source software, the National Security Agency, hackers, accessibility, and the UIDAI project.

A free software advocate, Abraham’s journey in the area of freedom of expression and speech was thrust on him. “I’m a fraud, and a charlatan,” he says, laughing. “I only have a degree in industrial production engineering. I have never been trained to do what I’m able to do today.”

In 1998, at the behest of T. Pradeep, founder of the non-governmental organization Samuha, Abraham started an organization called Mahiti. It aimed to reduce the cost and complexity of information and communication technology by using free software. In 2008, Bangalore-based legal researcher Lawrence Liang came to him with the idea for CIS. Philanthropist Anurag Dikshit provided the initial seed funding and CIS was born. Dikshit still continues to fund and support CIS.

“I’ve always surrounded myself with competent people,” Abraham says.

At CIS, Abraham’s core team is composed mostly of lawyers, social scientists and mathematicians such as Nishant Shah, Pranesh Prakash and Nirmita Narasimhan. “Initially we were like four individual fingers, but after that increasingly we started to punch like a single fist,” says Abraham, who was born and raised in Bangalore.

For the first 25 years of his life, Abraham never stepped out of the south. In the next 15 years, he would travel across the world and visit more than a dozen countries. Abraham completed his degree in industrial and production engineering from the Dayananda Sagar College of Engineering in Bangalore and during second year of college, organized a peaceful demonstration of 5,000 college and school students against the 1992 Babri Mosque demolition and the Mumbai riots of 1993.

As he talks about the key influences during his days at Mahiti and CIS, one name stands out—noted Internet hacktivist Aaron Swartz, who committed suicide last year. “His courage is something we might aspire towards,” says Abraham of the computer programmer who was posthumously inducted into the Internet Hall of Fame. Other names include Michael Geist, professor at the University of Ottawa, Canada, and an authority on issues related to intellectual property. “Geist is a gold standard on how to precipitate advocacy change,” says Abraham.

Before starting CIS, Abraham had taken up an assignment with the United Nations that helped him develop international acquaintances. While there, he managed the International Open Source Network project backed by the United Nations Development Programme (UNDP). Since then, he has been working with the governments of countries such as Myanmar and Iraq on issues like open data and open standards. Such policies help upgrade redundant technologies, help in transparency and promote e-governance.

For the Moldovan government, Abraham wrote the open standards policy, which the country’s Parliament did not approve and execute. A similar policy for the Iraqi government became law, and more recently, he has been working with the government of Myanmar. “For Myanmar, I will be working on a national open data policy. Governments also often ask for our help on copyright laws, IT acts, international Internet governance, etc—but most of them come through back-channels and informally,” says Abraham, who spends the little spare time he gets with his daughter.

For CIS, one of the biggest achievements over the past five years was being part of the policy framework for the Union government’s draft national policy on standardizing e-governance. The organization has been working to increase Internet penetration in the country, especially in rural areas. Over the past five years, CIS has been part of the Justice A.P. Shah committee, which focuses on privacy laws in India, and is also working on the country’s telecom policy.

Colleagues at CIS describe Abraham as a workaholic who doesn’t get in the way of fellow workers. Abraham advocates the management ethos of three sources—that of Al Qaeda, Mahatma Gandhi and Scott Adams, who has written books on management and created the Dilbert comic strip. “The first principle in the Al Qaeda school of management is subsidiarity,” explains Abraham. “The Al Qaeda stands for ‘The Hub’. Al means The, Qaeda means Hub. If you think of the hub in a network, it’s a very important component of a network. It brings various nodes together and helps different nodes connect with one another.” He adds, “Nothing that I say should be misunderstood as an endorsement of the terrorist organization. We have no sympathies for what they do.”

For more details visit https://cis-india.org/news/livemint-august-9-2014-anirban-sen-sunil-abraham-the-online-warrior

Sunil Abraham on Aadhaar's misuse during demonetisation

praskrishna — 2017-01-19T01:35:02Z

Sunil Abraham spoke to Economic Times on the misuse of Aadhaar during demonetisation.

Sunil Abraham said:

"We saw Aadhaar being misused at large-scale during the demonetization, criminals had created a black market in Aadhaar identity cards and photocopies of Aadhaar. Those interested in converting black money were purchasing these photocopies from the black market and giving them to bank officials so that they could maintain fake records that tried to prove that ordinary people came in photos' cash transactions.

Whenever we try to introduce technological measures we must always think of the human systems that are at work and the human procedures that are at work. Another example is today telcos giving sim cards based on Aadhaar authentication to meet their sales targets some of these telcos are giving multiple sim cards for a single Aadhaar based KYC. Those sim cards are often resold into black market or given to persons that are not familiar with the aadhaar number holder and this has only makes the security situation in the country worse. It has not improved." Watch the Video

For more details visit https://cis-india.org/internet-governance/news/economic-times-january-14-2017-sunil-abraham-on-aadhaar-misuse-during-demonetisation

Summer School on Disinformation

Admin — 2018-08-23T13:27:37Z

Sunil Abraham will participate as a speaker at the event organized by Digital Asia Hub, Hans-Bredow-Institut, University of Hamburg, Institute for Technology & Society of Rio de Janeiro - ITS Rio and Berkman Klein Center for Internet and Society at Harvard University from August 22 - 24, 2018 at Azure Room, Pullman, Jakarta in Indonesia.

Sunil Abraham will make a presentation on Disinformation and Online Recruitment. He will also be chairing the Roundtable on Platforms, Publics and Policies.

For more details visit https://cis-india.org/internet-governance/news/summer-school-on-disinformation

Summary Report Internet Governance Forum 2015

jyoti — 2015-11-30T10:47:13Z

Centre for Internet and Society (CIS), India participated in the Internet Governance Forum (IGF) held at Poeta Ronaldo Cunha Lima Conference Center, Joao Pessoa in Brazil from 10 November 2015 to 13 November 2015. The theme of IGF 2015 was ‘Evolution of Internet Governance: Empowering Sustainable Development’. Sunil Abraham, Pranesh Prakash & Jyoti Panday from CIS actively engaged and made substantive contributions to several key issues affecting internet governance at the IGF 2015. The issue-wise detail of their engagement is set out below.

INTERNET GOVERNANCE

I. The Multi-stakeholder Advisory Group to the IGF organised a discussion on Sustainable Development Goals (SDGs) and Internet Economy at the Main Meeting Hall from 9:00 am to 12:30 pm on 11 November, 2015. The discussions at this session focused on the importance of Internet Economy enabling policies and eco-system for the fulfilment of different SDGs. Several concerns relating to internet entrepreneurship, effective ICT capacity building, protection of intellectual property within and across borders were availability of local applications and content were addressed. The panel also discussed the need to identify SDGs where internet based technologies could make the most effective contribution. Sunil Abraham contributed to the panel discussions by addressing the issue of development and promotion of local content and applications. List of speakers included:

Lenni Montiel, Assistant-Secretary-General for Development, United Nations
Helani Galpaya, CEO LIRNEasia
Sergio Quiroga da Cunha, Head of Latin America, Ericsson
Raúl L. Katz, Adjunct Professor, Division of Finance and Economics, Columbia Institute of Tele-information
Jimson Olufuye, Chairman, Africa ICT Alliance (AfICTA)
Lydia Brito, Director of the Office in Montevideo, UNESCO
H.E. Rudiantara, Minister of Communication & Information Technology, Indonesia
Daniel Sepulveda, Deputy Assistant Secretary, U.S. Coordinator for International and Communications Policy at the U.S. Department of State
Deputy Minister Department of Telecommunications and Postal Services for the republic of South Africa
Sunil Abraham, Executive Director, Centre for Internet and Society, India
H.E. Junaid Ahmed Palak, Information and Communication Technology Minister of Bangladesh
Jari Arkko, Chairman, IETF
Silvia Rabello, President, Rio Film Trade Association
Gary Fowlie, Head of Member State Relations & Intergovernmental Organizations, ITU

Detailed description of the workshop is available here http ://www .intgovforum .org /cms /igf 2015-main -sessions

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2327-2015-11-11-internet-economy-and-sustainable-development-main-meeting-room

Video link Internet economy and Sustainable Development here https://www.youtube.com/watch?v=D6obkLehVE8

II. Public Knowledge organised a workshop on The Benefits and Challenges of the Free Flow of Data at Workshop Room 5 from 11:00 am to 12:00 pm on 12 November, 2015. The discussions in the workshop focused on the benefits and challenges of the free flow of data and also the concerns relating to data flow restrictions including ways to address them. Sunil Abraham contributed to the panel discussions by addressing the issue of jurisdiction of data on the internet. The panel for the workshop included the following.

Vint Cerf, Google
Lawrence Strickling, U.S. Department of Commerce, NTIA
Richard Leaning, European Cyber Crime Centre (EC3), Europol
Marietje Schaake, European Parliament
Nasser Kettani, Microsoft
Sunil Abraham, CIS India

Detailed description of the workshop is available here http ://www .intgovforum .org /cms /workshops /list -of -published -workshop -proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2467-2015-11-12-ws65-the-benefits-and-challenges-of-the-free-flow-of-data-workshop-room-5

Video link https://www.youtube.com/watch?v=KtjnHkOn7EQ

III. Article 19 and Privacy International organised a workshop on Encryption and Anonymity: Rights and Risks at Workshop Room 1 from 11:00 am to 12:30 pm on 12 November, 2015. The workshop fostered a discussion about the latest challenges to protection of anonymity and encryption and ways in which law enforcement demands could be met while ensuring that individuals still enjoyed strong encryption and unfettered access to anonymity tools. Pranesh Prakash contributed to the panel discussions by addressing concerns about existing south Asian regulatory framework on encryption and anonymity and emphasizing the need for pervasive encryption. The panel for this workshop included the following.

David Kaye, UN Special Rapporteur on Freedom of Expression
Juan Diego Castañeda, Fundación Karisma, Colombia
Edison Lanza, Organisation of American States Special Rapporteur
Pranesh Prakash, CIS India
Ted Hardie, Google
Elvana Thaci, Council of Europe
Professor Chris Marsden, Oxford Internet Institute
Alexandrine Pirlot de Corbion, Privacy International

Detailed description of the workshop is available here http ://www .intgovforum .org /cms /worksh o ps /list -of -published -workshop -proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2407-2015-11-12-ws-155-encryption-and-anonymity-rights-and-risks-workshop-room-1

Video link available here https://www.youtube.com/watch?v=hUrBP4PsfJo

IV. Chalmers & Associates organised a session on A Dialogue on Zero Rating and Network Neutrality at the Main Meeting Hall from 2:00 pm to 4:00 pm on 12 November, 2015. The Dialogue provided access to expert insight on zero-rating and a full spectrum of diverse views on this issue. The Dialogue also explored alternative approaches to zero rating such as use of community networks. Pranesh Prakash provided a detailed explanation of harms and benefits related to different approaches to zero-rating. The panellists for this session were the following.

Jochai Ben-Avie, Senior Global Policy Manager, Mozilla, USA
Igor Vilas Boas de Freitas, Commissioner, ANATEL, Brazil
Dušan Caf, Chairman, Electronic Communications Council, Republic of Slovenia
Silvia Elaluf-Calderwood, Research Fellow, London School of Economics, UK/Peru
Belinda Exelby, Director, Institutional Relations, GSMA, UK
Helani Galpaya, CEO, LIRNEasia, Sri Lanka
Anka Kovacs, Director, Internet Democracy Project, India
Kevin Martin, VP, Mobile and Global Access Policy, Facebook, USA
Pranesh Prakash, Policy Director, CIS India
Steve Song, Founder, Village Telco, South Africa/Canada
Dhanaraj Thakur, Research Manager, Alliance for Affordable Internet, USA/West Indies
Christopher Yoo, Professor of Law, Communication, and Computer & Information Science, University of Pennsylvania, USA

Detailed description of the workshop is available here http://www.intgovforum.org/cms/igf2015-main-sessions

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2457-2015-11-12-a-dialogue-on-zero-rating-and-network-neutrality-main-meeting-hall-2

V. The Internet & Jurisdiction Project organised a workshop on Transnational Due Process: A Case Study in MS Cooperation at Workshop Room 4 from 11:00 am to 12:00 pm on 13 November, 2015. The workshop discussion focused on the challenges in developing an enforcement framework for the internet that guarantees transnational due process and legal interoperability. The discussion also focused on innovative approaches to multi-stakeholder cooperation such as issue-based networks, inter-sessional work methods and transnational policy standards. The panellists for this discussion were the following.

Anne Carblanc Head of Division, Directorate for Science, Technology and Industry, OECD
Eileen Donahoe Director Global Affairs, Human Rights Watch
Byron Holland President and CEO, CIRA (Canadian ccTLD)
Christopher Painter Coordinator for Cyber Issues, US Department of State
Sunil Abraham Executive Director, CIS India
Alice Munyua Lead dotAfrica Initiative and GAC representative, African Union Commission
Will Hudsen Senior Advisor for International Policy, Google
Dunja Mijatovic Representative on Freedom of the Media, OSCE
Thomas Fitschen Director for the United Nations, for International Cooperation against Terrorism and for Cyber Foreign Policy, German Federal Foreign Office
Hartmut Glaser Executive Secretary, Brazilian Internet Steering Committee
Matt Perault, Head of Policy Development Facebook

Detailed description of the workshop is available here http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2475-2015-11-13-ws-132-transnational-due-process-a-case-study-in-ms-cooperation-workshop-room-4

Video link Transnational Due Process: A Case Study in MS Cooperation available here https://www.youtube.com/watch?v=M9jVovhQhd0

VI. The Internet Governance Project organised a meeting of the Dynamic Coalition on Accountability of Internet Governance Venues at Workshop Room 2 from 14:00 – 15:30 on 12 November, 2015. The coalition brought together panelists to highlight the challenges in developing an accountability framework for internet governance venues that include setting up standards and developing a set of concrete criteria. Jyoti Panday provided the perspective of civil society on why acountability is necessary in internet governance processes and organizations. The panelists for this workshop included the following.

Robin Gross, IP Justice
Jeanette Hofmann, Director Alexander von Humboldt Institute for Internet and Society
Farzaneh Badiei, Internet Governance Project
Erika Mann, Managing Director Public PolicyPolicy Facebook and Board of Directors ICANN
Paul Wilson, APNIC
Izumi Okutani, Japan Network Information Center (JPNIC)
Keith Drazek , Verisign
Jyoti Panday, CIS
Jorge Cancio, GAC representative

Detailed description of the workshop is available here http://igf2015.sched.org/event/4c23/dynamic-coalition-on-accountability-of-internet-governance-venues?iframe=no&w=&sidebar=yes&bg=no

Video link https://www.youtube.com/watch?v=UIxyGhnch7w

VII. Digital Infrastructure Netherlands Foundation organized an open forum at Workshop Room 3 from 11:00 – 12:00 on 10 November, 2015. The open forum discussed the increase in government engagement with “the internet” to protect their citizens against crime and abuse and to protect economic interests and critical infrastructures. It brought together panelists topresent ideas about an agenda for the international protection of ‘the public core of the internet’ and to collect and discuss ideas for the formulation of norms and principles and for the identification of practical steps towards that goal. Pranesh Prakash participated in the e open forum. Other speakers included

Bastiaan Goslings AMS-IX, NL
Pranesh Prakash CIS, India
Marilia Maciel (FGV, Brasil
Dennis Broeders (NL Scientific Council for Government Policy)

Detailed description of the open forum is available here http://schd.ws/hosted_files/igf2015/3d/DINL_IGF_Open%20Forum_The_public_core_of_the_internet.pdf

Video link available here https://www.youtube.com/watch?v=joPQaMQasDQ

VIII. UNESCO, Council of Europe, Oxford University, Office of the High Commissioner on Human Rights, Google, Internet Society organised a workshop on hate speech and youth radicalisation at Room 9 on Thursday, November 12. UNESCO shared the initial outcome from its commissioned research on online hate speech including practical recommendations on combating against online hate speech through understanding the challenges, mobilizing civil society, lobbying private sectors and intermediaries and educating individuals with media and information literacy. The workshop also discussed how to help empower youth to address online radicalization and extremism, and realize their aspirations to contribute to a more peaceful and sustainable world. Sunil Abraham provided his inputs. Other speakers include

1. Chaired by Ms Lidia Brito, Director for UNESCO Office in Montevideo

2.Frank La Rue, Former Special Rapporteur on Freedom of Expression

3. Lillian Nalwoga, President ISOC Uganda and rep CIPESA, Technical community

4. Bridget O’Loughlin, CoE, IGO

5. Gabrielle Guillemin, Article 19

6. Iyad Kallas, Radio Souriali

7. Sunil Abraham executive director of Center for Internet and Society, Bangalore, India

8. Eve Salomon, global Chairman of the Regulatory Board of RICS

9. Javier Lesaca Esquiroz, University of Navarra

10. Representative GNI

11. Remote Moderator: Xianhong Hu, UNESCO

12. Rapporteur: Guilherme Canela De Souza Godoi, UNESCO

Detailed description of the workshop is available here http://igf2015.sched.org/event/4c1X/ws-128-mitigate-online-hate-speech-and-youth-radicalisation?iframe=no&w=&sidebar=yes&bg=no

Video link to the panel is available here https://www.youtube.com/watch?v=eIO1z4EjRG0

INTERMEDIARY LIABILITY

IX. Electronic Frontier Foundation, Centre for Internet Society India, Open Net Korea and Article 19 collaborated to organize a workshop on the Manila Principles on Intermediary Liability at Workshop Room 9 from 11:00 am to 12:00 pm on 13 November 2015. The workshop elaborated on the Manila Principles, a high level principle framework of best practices and safeguards for content restriction practices and addressing liability for intermediaries for third party content. The workshop saw particpants engaged in over lapping projects considering restriction practices coming togetehr to give feedback and highlight recent developments across liability regimes. Jyoti Panday laid down the key details of the Manila Principles framework in this session. The panelists for this workshop included the following.

Kelly Kim Open Net Korea,
Jyoti Panday, CIS India,
Gabrielle Guillemin, Article 19,
Rebecca McKinnon on behalf of UNESCO
Giancarlo Frosio, Center for Internet and Society, Stanford Law School
Nicolo Zingales, Tilburg University
Will Hudson, Google

Detailed description of the workshop is available here http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2423-2015-11-13-ws-242-the-manila-principles-on-intermediary-liability-workshop-room-9

Video link available here https://www.youtube.com/watch?v=kFLmzxXodjs

ACCESSIBILITY

X. Dynamic Coalition on Accessibility and Disability and Global Initiative for Inclusive ICTs organised a workshop on Empowering the Next Billion by Improving Accessibility at Workshop Room 6 from 9:00 am to 10:30 am on 13 November, 2015. The discussion focused on the need and ways to remove accessibility barriers which prevent over one billion potential users to benefit from the Internet, including for essential services. Sunil Abraham specifically spoke about the lack of compliance of existing ICT infrastructure with well established accessibility standards specifically relating to accessibility barriers in the disaster management process. He discussed the barriers faced by persons with physical or psychosocial disabilities. The panelists for this discussion were the following.

Francesca Cesa Bianchi, G3ICT
Cid Torquato, Government of Brazil
Carlos Lauria, Microsoft Brazil
Sunil Abraham, CIS India
Derrick L. Cogburn, Institute on Disability and Public Policy (IDPP) for the ASEAN(Association of Southeast Asian Nations) Region
Fernando H. F. Botelho, F123 Consulting
Gunela Astbrink, GSA InfoComm

Detailed description of the workshop is available here http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2438-2015-11-13-ws-253-empowering-the-next-billion-by-improving-accessibility-workshop-room-3

Video Link Empowering the next billion by improving accessibility https://www.youtube.com/watch?v=7RZlWvJAXxs

OPENNESS

XI. A workshop on FOSS & a Free, Open Internet: Synergies for Development was organized at Workshop Room 7 from 2:00 pm to 3:30 pm on 13 November, 2015. The discussion was focused on the increasing risk to openness of the internet and the ability of present & future generations to use technology to improve their lives. The panel shred different perspectives about the future co-development of FOSS and a free, open Internet; the threats that are emerging; and ways for communities to surmount these. Sunil Abraham emphasised the importance of free software, open standards, open access and access to knowledge and the lack of this mandate in the draft outcome document for upcoming WSIS+10 review and called for inclusion of the same. Pranesh Prakash further contributed to the discussion by emphasizing the need for free open source software with end‑to‑end encryption and traffic level encryption based on open standards which are decentralized and work through federated networks. The panellists for this discussion were the following.

Satish Babu, Technical Community, Chair, ISOC-TRV, Kerala, India
Judy Okite, Civil Society, FOSS Foundation for Africa
Mishi Choudhary, Private Sector, Software Freedom Law Centre, New York
Fernando Botelho, Private Sector, heads F123 Systems, Brazil
Sunil Abraham, CIS India
Pranesh Prakash, CIS India
Nnenna Nwakanma- WWW.Foundation
Yves MIEZAN EZO, Open Source strategy consultant
Corinto Meffe, Advisor to the President and Directors, SERPRO, Brazil
Frank Coelho de Alcantara, Professor, Universidade Positivo, Brazil
Caroline Burle, Institutional and International Relations, W3C Brazil Office and Center of Studies on Web Technologies

Detailed description of the workshop is available here http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2468-2015-11-13-ws10-foss-and-a-free-open-internet-synergies-for-development-workshop-room-7

Video link available here https://www.youtube.com/watch?v=lwUq0LTLnDs

For more details visit https://cis-india.org/internet-governance/blog/summary-report-internet-governance-forum-2015

Summary of the Public Consultation by Vigyan Foundation, Oxfam India and G.B. Pant Institute, Allahabad

vipul — 2016-01-28T15:22:56Z

On December 22nd and 23rd a public consultation was organized by the Vigyan Foundation, Oxfam India and G.B. Pant Institute, Allahabad at the GB Pant Social Science Institute, Allahabad to discuss the issues related to making Allahabad into a Smart City under the Smart On December 22nd and 23rd a public consultation was organized by the Vigyan Foundation, Oxfam India and G.B. Pant Institute, Allahabad at the GB Pant Social Science Institute, Allahabad to discuss the issues related to making Allahabad into a Smart City under the Smart City scheme of the Central Government. An agenda for the same is attached herewith. City scheme of the Central Government.

The Centre for Internet and Society, Bangalore (CIS) is researching the 100 Smart City Scheme from the perspective of Big Data and is seeking to understand the role of Big Data in smart cities in India as well as the impact of the generation and use of the same. CIS is also examining whether the current legal framework is adequate to deal with these new technologies. It was in this background that CIS attended a part of the workshop.

At the outset the organizers had noted that there will be no discussion on technology and its adoption in this particular workshop.. The format involved a speaker providing his/her viewpoint on the topic concerned and the discussion revolved mainly around problems relating to traffic, parking, roads, drainage, etc. and there was no discussion of technology or how to utilise it to solve these problems. From the discussions CIS has had with certain people who are quite involved with these public consultations, the impression that we have is that the solutions to these problems were not very complicated and required only some intent and execution, and if that was achieved it would go a long way in improving the infrastructure of the city. This perspective raises the question of whether or not India needs 'Smart Cities' to improve the life of residents or if basic urban solutions are adequate and are in fact needed to lay the foundation for any potential smart city that might be established in the future.

It is quite interesting to see the difference in the levels at which the debate on smart cities is happening, in that when the central government talks about smart cities they try to highlight technology and other aspects such as smart meters, smart grids, etc. while the discussion on the ground in the actual cities is currently at a much more basic stage. For example the government website for the smart city project, while describing a smart city, mentions a number of “smart solutions” such as “electronic service delivery”, “smart meters” for water, “smart meters” for electricity, “smart parking”, Intelligent Traffic Management”, “Tele-medicine”, etc. Even in all the major public service announcements on the smart city project, the government effort seems to be to focus on these “smart solutions”, projecting technology as the answer to urban problems. However those in the cities themselves appear to be more concerned with adequate parking, adequate water supply, proper roads, waste disposal, etc. This difference in approach is only representative of the yawning gap between the mindspace of those who conceive these schemes and market them on the one hand and those who are tasked with implementing the schemes on the other hand as well as the realities of what cities in India need to address problems related to infrastructure and functioning. However the silver lining in this scenario, atleast on a personal level, is that the people on the ground, are not blindly turning to technology to solve their problems but actually trying to look for the best solutions regardless of whether it is a technology based solution or not.

Agenda

For more details visit https://cis-india.org/internet-governance/blog/summary-of-the-public-consultation-by-vigyan-foundation-oxfam-india-and-g-b-pant-institute-allahabad

Summary of the CIS workshop on the Draft Human DNA Profiling Bill 2012

maria — 2013-07-12T15:33:25Z

On March 1st, 2013, the Centre for Internet and Society organized a workshop which analysed the April 2012 draft Human DNA Profiling Bill and its potential implications on human rights in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Think you control who has access to your DNA data? That might just be a myth of the past. Today, clearly things have changed, as draft Bills with the objective of creating state, regional, and national DNA databases in India have been leaked over the last years. Plans of profiling certain residents in India are being unravelled as, apparently, the new policy when collecting, handling, analysing, sharing and storing DNA data is that all personal information is welcome; the more, the merrier!

Who is behind all of this? The Centre for DNA Fingerprinting and Diagnostics in India created the 2007 draft DNA Profiling Bill[1], with the aim of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked which was created by the Department of Biotechnology. The most recent version of the Bill was drafted in April 2012 and seeks to create DNA databases at the state, regional and national level in India[2]. According to the latest 2012 draft Human DNA Profiling Bill, each DNA database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of identification in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and a DNA Profiling Board for overseeing the carrying out of the Act.

However, the 2012 draft Human DNA Profiling Bill lacks adequate safeguards and its various loopholes and overreaching provisions could create a potential for abuse. The creation of DNA databases is currently unregulated in India and although regulations should be enacted to prevent data breaches, the current Bill raises major concerns in regards to the collection, use, analysis and retention of DNA samples, DNA data and DNA profiles. In other words, the proposed DNA databases would not only be restricted to criminals…

DNA databases...and Justice for All?

Source: Libertas Academica on flickr

During the workshop [3]on the 2012 draft Human DNA Profiling Bill, DNA[4] was defined as a material that determines a persons´ hereditary traits, whilst DNA profiling[5] was defined as the processing and analysis of unique sequences of parts of DNA. Thus the uniqueness of DNA data is clear and the implications that could potentially occur through its profiling could be tremendous. The 2007 DNA Profiling Bill has been amended, yet its current 2012 version appears not only to be more intrusive, but to also be extremely vague in terms of protecting data, whilst very deterministic in regards to the DNA Profiling Board´s power. A central question in the meeting was:

Should DNA databases be created at all?

The following concerns were raised and discussed during the workshop:

● The myth of the infallibility of DNA evidence

The Innocence Project[6], which was presented at the workshop, appears to provide an appeal towards the storage of DNA samples and profiles, as it represents clients seeking post-conviction DNA testing to prove their innocence. According to statistics presented at the workshop, there have been 303 post-conviction exonerations in the United States, as a result of individuals proving their innocence through DNA testing. Though post-conviction exonerations can be useful, they cannot be the basis and main justification for creating DNA databases. Although DNA testing could enable post-conviction exonerations, errors in matching data remain a high probability and could result in innocent people being accused, arrested and prosecuted for crimes they did not commit. Thus, arguments towards the necessity and utility of the creation of DNA databases in India appear to be weak, especially since DNA evidence is not infallible[7].

False matches can occur based on the type of profiling system used, and errors can take place in the chain of custody of the DNA sample, all of which indicate the weakness of DNA evidence being used. DNA data only provides probabilities of potential matches between DNA profiles and the larger the amount of DNA data collected, the larger the probability of an error in matching profiles[8].

● The non-criteria of DNA data collection

How and when can DNA data be collected? The amended draft 2012 Bill remains extremely vague and broad. In particular, the Bill states that all offences under the Indian Penal Code and other laws, such as the Immoral Traffic (Prevention) Act, 1956, are applicable instances of human DNA profiling. Section B(viii) of the Schedule states that human DNA profiling will be applicable for offences under ´any other law as may be specified by the regulations made by the Board´. This incredibly vague section empowers the DNA Profiling Board with the ultimate power to decide upon the offences under which DNA data will be collected. The issue is this: most laws have loopholes. A Bill which lists applicable instances of human DNA profiling, under the umbrella of a potentially indefinite number of laws, exposes individuals to the collection of their DNA data, which could lead to potential abuse.

● The DNA Profiling Board´s power

The DNA Profiling Board has ´absolute´ power, especially according to the 2012 draft Human DNA Profiling Bill. Some of the Board´s functions include providing recommendations for provision of privacy protection laws, regulations and practices relating to access to, or use of, stored DNA samples or DNA analyses[9]. The Board is also required to advise on all ethical and human rights issues, as well as to take ´necessary steps´ to protect privacy. However, it remains unclear how a Board which lacks human rights expertise will carry out such tasks.

No human rights experts

Despite the various amendments[10] to the section on the composition of the Board, no privacy or human rights experts have been included. According to the Bill, the Board will be comprised of many molecular biologists and other scientists, while human rights experts have not been included to the list. This can potentially be problematic as a lack of expertise on privacy and human rights laws can lead to the regulation of DNA databases without taking civil liberties into consideration.

Vague authorisation for communication of DNA profiles

The Bill also empowers the Board to ´authorise procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies´[11]. Although the 2007 Bill [12]restricted the Boards´ authorisation to crime investigation by law enforcement agencies, its 2012 amendment extends such authorisation to ´civil proceedings´ which can also be carried out by so-called ´other agencies´.[13] This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ remain vague.

Protecting the public

The Board is also authorised to ´assist law enforcement agencies in using DNA techniques to protect the public´[14]. Over the last years, laws are being enacted that enable law enforcement agencies to use technologies for surveillance purposes in the name of ´public security´, and the 2012 draft Bill is no exception. Many security measures have been applied to ´protect the public´, such as CCTV cameras and other technologies, but their actual contribution to public safety still remains a controversial debate[15]. DNA techniques which would effectively protect the public have not been adequately proven, thus it remains unclear how the Board would assist law enforcement agencies.

Sharing data with international agencies…and regulating DNA laboratories

In addition to the above, the Board would also encourage cooperation between Indian investigation agencies and international agencies[16]. This would potentially enable the sharing of DNA data between third parties and would enhance the probability of data being leaked to unauthorised third parties.

The Board would also be authorised to regulate the standards, quality control and quality assurance obligations of the DNA laboratories[17]. The draft 2012 Bill ultimately gives monopolistic control to the DNA Profiling Board over all the procedures related to the handling of DNA data!

● The DNA Data Bank Manager

According to the 2012 draft Human DNA Profiling Bill[18], it is the DNA Data Bank Manager who would carry out ´all operations of and concerning the National DNA Data Bank´. All such operations are not clearly specified. The powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.

The Bill also empowers the Manager to determine appropriate instances for the communication of information[19]. In other words, law enforcement agencies and DNA laboratories can request the disclosure of information from the DNA Data Bank Manager, without prior authorisation. The DNA Data Bank Manager is empowered to decide the requested data.

DNA access restrictions

Are you a victim or a cleared suspect? You better be, if you want access to your data to be restricted! The 2012 draft Human DNA Profiling Bill [20]states that access to information will be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect. The Bill is unclear as to how access to the data of non-victims or suspects is regulated.

● Availability of DNA profiles and DNA samples

According to the amended draft 2012 Bill[21], DNA profiles and samples can be made available in criminal cases, judicial proceedings and for defence purposes among others. However, ´criminal cases´ are loosely defined and could enable the availability of DNA data in low profile cases. Furthermore, the availability of DNA data is also enabled for the ´creation and maintenance of a population statistics database´. This is controversial because it remains unclear how such a database would be used.

● Data destruction

According to an amendment to section 37, DNA data will be kept on a ´permanent basis´ and the DNA Data Bank Manager will expunge a DNA profile only once the court has certified that an individual is no longer a suspect. This raises major concerns, as it does not clarify under what conditions individuals can have access to their data during its retention, nor does it give volunteers and missing persons the opportunity to have their data deleted from the data bank.

Workshop conclusions

Source: micahb37 on flickr

The various loopholes in the Bill which can create a potential for abuse were discussed throughout the workshop, as well as various issues revolving around DNA data retention, as previously mentioned.

During the workshop, some participants questioned the creation of DNA databases to begin with, while others argued that they are inevitable and that it is not a question of whether they should exist, but rather a question of how they should be regulated. All participants agreed upon the need for further safeguards to protect individuals´ right to privacy and other human rights. Further research on the necessity and utility of the creation of DNA databases in regards to human rights was recommended. In addition to all the above, the Ministry of Law and Justice was recommended to pilot the draft DNA Profiling Bill to ensure better provisions in regards to privacy and data protection.

A debate on the use of DNA data in civil cases versus criminal cases was largely discussed in the workshop, with concerns raised in regards to DNA sampling being enabled in civil cases. The fact that the terms ´civil cases´ and ´criminal cases´ remain broad, vague and not legally-specified, raised huge concerns in the workshop as this could enable the misuse of DNA data by authorities. Thus, the members attending the workshop recommended the creation of two separate Bills regulating the use of DNA data: a DNA Profiling Bill for Criminal Investigation and a DNA Profiling Bill for Research. The creation of such Bills would restrict the access to, collection, analysis, sharing of and retention of DNA data to strictly criminal investigation and research purposes.

However, even if separate Bills were created, who is to say that when implemented DNA in the database would not be abused? Criminal investigations can be loosely defined and research purposes can potentially cover anything and everything. So the question remains:

Should DNA databases be created at all?

[1] Draft DNA Profiling Bill 2007, http://dbtindia.nic.in/DNA_Bill.pdf

[2] Human DNA Profiling Bill 2012: Working draft versión – 29th April 2012,

[3] Centre for Internet and Society, Analyzing the Draft Human DNA Profiling Bill 2012, 25 February 2013, http://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill

[4] Genetics Home Reference: Your Guide to Understanding Genetic Conditions, What is DNA?, http://ghr.nlm.nih.gov/handbook/basics/dna

[5] Shanna Freeman, How DNA profiling Works, http://science.howstuffworks.com/dna-profiling.htm

[6] Innocence Project, DNA exoneree case profiles, http://www.innocenceproject.org/know/

[7] Australian Law Reform Commission (ALRC), Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC Report 96), ´Criminal Proceedings: Reliability of DNA evidence´, Chapter 44, http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence

[8] Ibid.

[9] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Section 12(o, p, t), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[10] Ibid: Section 4(q)

[11] Ibid: Section 12(j)

[12] Draft DNA Profiling Bill 2007, Section 13, http://dbtindia.nic.in/DNA_Bill.pdf

[13] : Human DNA Profiling Bill 2012: Working draft version – 29^th April 2012, Sections 12(j), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[14] Ibid: Section 12(l)

[15] Schneier, B.(2008), Schneier on Security, ´CCTV cameras´, http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html

[16] Human DNA Profiling Bill 2012: Working draft version – 29^th April 2012, Sections 12(u) and 12(v), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[17] Ibid: Section on the ´Standards, Quality Control and Quality Assurance Obligations of DNA Laboratories´

[18] Ibid: Section 33

[19] Ibid: Section 35

[20] Ibid: Section 43

[21] Ibid: Section 40

For more details visit https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012

Suicide videos: Facebook beefs up team to monitor content

praskrishna — 2017-05-20T02:59:14Z

Responding to the spate of suicides being livestreamed, social media giant Facebook has announced it will add another 3,000 people to its 4,500-strong review team that moderates content. The review team will also work in tandem with law enforcement agencies on this issue.

The article by Kim Arora was published in the Times of India on May 5, 2017.

"Over the last few weeks, we've seen people hurting themselves and others on Facebook, either live or in video posted later. It's heartbreaking, and I've been reflecting on how we can do better for our community," Facebook co-founder and CEO Mark Zuckerberg wrote in a status update and added, "Over the next year, we'll be adding 3,000 people to our community operations team around the world, on top of the 4,500 we have today, to review the millions of reports we get every week, and improve the process for doing it quickly."

"...we'll keep working with local community groups and law enforcement who are in the best position to help someone if they need it, either because they're about to harm themselves, or because they're in danger from someone else," Zuckerberg added announcing the move.

Over the last year, several violent incidents and suicides have been streamed live on Facebook. In India last April, a young student went live on Facebook minutes before he jumped off the 19th floor of Taj Lands End hotel in Mumbai. The same month saw similar news coming out of the US and Thailand as well. A 49-year-old from Alabama went live on Facebook before shooting himself in the head. Another man from Bangkok made a video of hanging his 11-month-old daughter, and uploaded it to Facebook. He was later discovered to have killed himself too.

"It's a positive development that Facebook is adding human power and tools for dealing with hate speech, child abuse and suicide attempts. It would be interesting to see how Facebook coordinates with the Indian police departments to get an emergency response to a potential suicide attempt or attempt to harm someone else," says Rohini Lakshane, program officer, Center for Internet and Society, though she warns against false reports clogging up reviewers' feeds and police notifications.

On Facebook, a video, picture or any other piece of content reaches the review team after it is reported by users for flouting its "community guidelines".

Chinmayi Arun, research director at the Centre for Communication Governance, National Law University, Delhi, says Facebook must be transparent about this process. "Facebook should also announce how it is keeping this process accountable. It is a public platform of great importance which has been guilty of over-censorship in the past. It should be responsive not just to government censorship requests but also to user requests to review and reconsider its blocking of legitimate content," she says.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-kim-arora-may-5-2017-suicide-videos-facebook-beefs-up-team-to-monitor-content

Suckfly Attacks National Stock Exchange Tech Vendor, Among Others

praskrishna — 2016-05-29T08:07:00Z

A cyber espionage group attacked an Indian IT firm that provides support to India’s largest stock exchange. It’s one of many attacks in the recent past.

The blog post by Rohit Pathak was published in the Quint on May 21, 2016. Pranesh Prakash was quoted.

For 24 months now, several Indian government and private organisations have been victims of highly-targeted and sustained cyberattacks by Suckfly. Cyber security firm Symantec has been tracking Suckfly since April 2014 and believes it is a Chinese cyber-espionage group. According to Symantec, Suckfly uses stolen digital certificates to breach the internal networks of Indian organisations.

While Symantec has declined to name any of the victims, it says the high-profile targets include one of India’s largest financial institutions, an e-commerce company and its primary shipping vendor, a leading Indian IT company, two government organisations, and an American health care provider’s Indian business unit.

So far, the highest infection rate has been at a government organisation responsible for implementing network software across various ministries and departments of the Indian central government. Symantec’s investigation report says Suckfly uses custom malware called Backdoor.Nidiran to orchestrate the attacks. While Suckfly had used the same backdoor in its previous campaigns in other countries, in India the post-infection activity was significantly higher.

“We should be aware that this attack isn’t yet over. Suckfly has been targeting organisations since at least May 2014, and it very likely continues to have access to governmental and corporate servers in India thanks to the Nidiran backdoor,” says Pranesh Prakash, Policy Director, Centre for Internet and Society.

He added that, “Depending on what access Suckfly got, the damage could be anything from them having conducted fraudulent financial transactions to obtaining classified governmental secrets.”

It is as yet unclear what data has been exfiltrated by Suckfly, but the fact that no organisations have reported this to their customers shows that the current laws with regard to data security and data breaches are inadequate.

Pranesh Prakash, Policy Director, Centre for Internet and Society

In a detailed email exchange with Bloomberg Quint, Symantec’s security experts describe how Suckfly operates, its motives, and what Indian entities can do to protect themselves.

Suckfly’s Modus Operandi

In 2015, between 22 April and 4 May, Suckfly conducted a multistage attack on an Indian e-commerce company.

It first identified a user – an employee of the e-commerce company – to attempt its initial breach into the e-commerce company’s internal network.

Symantec says, “We don’t have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. The target’s job function, corporate email address, information on work-related projects, and publicly accessible personal blog could all be freely found online.’

Suckfly then exploited a vulnerability in the employee’s operating system (Windows) that allowed it to bypass the User Account Control and install the malware. It’s likely that Suckfly used a spear-phishing email to gain entry.

Having entered the employee’s system, Suckfly gained access to the employee’s account credentials and then used them to access the victim’s account and navigate the e-commerce company’s internal corporate network as though it were the employee.

Suckfly’s final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure.

Weekends Off

The attack took place over 13 days, but Symantec discovered that Suckfly was active only Monday to Friday. There was no activity from the group on weekends. This could be because the attackers’ hacktools are command line driven and can provide insight into when operators are behind keyboards actively working.

Suckfly’s Motives?

According to Symantec, “Suckfly targeted one of India’s largest e-commerce companies, a major Indian shipping company, one of India’s largest financial organizations, and an IT firm that provides support for India’s largest stock exchange. All of these targets are large corporations that play a major role in India’s economy. By targeting all of these organisations together, Suckfly could have had a much larger impact on India and its economy. While we don’t know the motivations behind the attacks, the targeted commercial organisations, along with the targeted government organisations, may point in this direction. Symantec’s research shows that Suckfly is well-equipped to carry out targeted attacks for years while staying off the radar of security organisations.”

Symantec refused to name the victims and when contacted, the National Stock Exchange (NSE) said its systems were secure and that it had not heard of any such attack on any of its tech vendors.

In the last two years, from 2013 to 2015, the total number of reported cyber breaches worldwide have increased 25%. India is amongst the most vulnerable – ranking third on the list of countries that have faced financial intrusion.

Smokescreen is a cybersecurity firm and CEO Sahir Hidayatullah claims virtually every large company in India has been compromised to varying degrees already.

Strategic economic advantage and intellectual property theft are the primary motivators for nation state attackers targeting energy, pharma, and manufacturing. Attacks against the financial sector are more commonly done by financially-motivated cybercriminals, however, nation state attackers have an interest here as well – being deeply embedded into critical systems affords opportunities for both mass data collection as well as the ability to cripple financial systems if required. All major governments aspire to have this offensive capability and are in various stages of having developed it already.Sahir Hidayatullah, CEO, Smokescreen

Over the last few months, our decoy detection network in India has seen an up-tick in targeted attacks specifically aimed at companies in banking, energy, pharmaceuticals and manufacturing. Manufacturing has seen the single largest increase in targeted attempts to compromise infrastructure. We have seen a large increase in ‘malware-less’ attacks including the use of stolen credentials on VPN systems.

More worrisome is that over the last year, we have conducted breach-readiness assessments for many of the large names in these verticals, and in every instance, the internal controls were unable to detect and respond to our simulated attacks in time. According to our assessment, none of them are prepared to withstand a targeted attack.

According to a 2015 survey conducted by PWC spanning 250 Indian companies, 72% of the respondents claimed they faced some sort of cyberattack over the last year. 63% claimed intrusions lead to financial losses and 55% claimed there was loss of sensitive information. But the worrying number is this – 78% have no cyber incident response plan. That’s good news for Suckfly and its comrades.

For more details visit https://cis-india.org/internet-governance/news/the-quint-rohit-pathak-may-21-2016-suckly-attacks-national-stock-exchange-tech-vendor-among-others

Submitted Your Biometrics for Aadhaar? Here’s How You Can Lock/Unlock That Data

Admin — 2019-02-02T02:09:56Z

Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?

The blog post by Vidya Raja was published in the Better India on January 24, 2019. Pranesh Prakash was quoted.

Imagine someone hacking into your Netflix account – all you have to do is change the password. However, if there is a security breach with respect to your biometric details, there is no reversing it. So think carefully about how and where you submit your details. While the Supreme Court has said that it is no longer mandatory to link Aadhaar with your bank accounts or your telecom service provider, it does not lessen the importance of Aadhaar.

Pranesh Prakash, Policy Director, The Centre for Internet & Society, in a report published in The Mint, says, “Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner’s finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.” Over the last year, there has been so much chatter about the Aadhaar number and how one can protect one’s information.

Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?

In this article, we explain how you can do that.

Locking biometrics online:

Visit UIDAI’s online portal to lock or unlock your biometrics
Once there, you will need to click on ‘My Aadhaar’ and under the Aadhaar Services tab, click on Lock/Unlock Biometrics
You will then be redirected to a new page and prompted to enter the 12-digit Aadhaar number and the security code
Once the details have been entered, click on ‘Send OTP’
You will receive an OTP on your registered mobile number
Enter this and click on the Login button
This feature will allow you to lock your biometrics
Enter the 4-digit security code mentioned on the screen and click on the ‘Enable’ button
Your biometrics will be locked, and you will have to unlock it in case you want to access it again

Unlocking biometrics online:

To unlock your biometrics, click on the ‘Login’ button
Enter your Aadhaar number and the security code in the designated spaces
Now click on ‘Send OTP’
An OTP will be sent to your registered mobile number
Enter it in the space provided and click on ‘Login’
In case you want to temporarily unlock the biometrics, enter the security code and click on the unlock button
Your biometrics will be unlocked for 10 minutes
The locking date and time is mentioned on the screen after which biometrics will be automatically locked
When you do not want to lock your biometrics, you can disable the lock permanently.

Using mAadhaar to lock/unlock biometrics:

mAadhaar is the official mobile application developed by the Unique Identification Authority of India (UIDAI). Presently, it is available on the Android platform.

Once the mAadhaar app has been downloaded, the user must use their Aadhaar card registered mobile number to login.
You will then be sent an OTP that you are required to enter for authentication. Do remember to change your password once registered.
On the top right side, tap on ‘Biometric lock’, and enter your password to lock the biometrics. Once locked, it will show a small lock icon next to your profile.
To unlock, tap on the same icon followed by your password. The information will unlock for 10 minutes. After that, it will be locked again.
Once you lock this information, it ensures that even the Aadhaar holder will not be able to use their biometric data (iris scan and fingerprints) for authentication, until unlocked.
If you try to use this information without unlocking, it will show you an error code 330.

Remember to lock and unlock your biometrics through a trusted channel. The fact that there is no fee involved in either exercise will make this easier. Also, even with the biometric locked, you can continue to use the OTP-based authentication process for transactions, where you will receive the OTP on your registered mobile number and e-mail address.

(Edited by Shruti Singhal)

For more details visit https://cis-india.org/internet-governance/news/the-better-india-vidya-raja-january-24-2019-aadhaar-biometric-privacy-safety-online-india

Submission to the Facebook Oversight Board: Policy on Cross-checks

2022-02-09T05:31:32Z

The Centre for Internet & Society (CIS) submitted public comments to the Facebook Oversight Board on a policy consultation.

Whether a cross-check system is needed?

Recommendation for the Board: The Board should investigate the cross-check system as part of Meta’s larger problems with algorithmically amplified speech, and how such speech gets moderated.

Explanation: The issues surrounding Meta’s cross-check system are not an isolated phenomena, but rather a reflection of the problems of algorithmically amplified speech, as well the lack of transparency in the company’s content moderation processes at large. At the outset, it must be stated that the majority of information on the cross-check system only became available after the media reports published by the Wall Street Journal. While these reports have been extensive in documenting various aspects of the system, there is no guarantee that the disclosures obtained by them provides the complete picture regarding the system. Further, given that Meta has been found to purposely mislead the Board and the public on how the cross-check system operates, it is worth investigating the incentives that necessitate the cross-check system in the first place.

Meta claims that the cross-check system works as a check for false positives: they “employ additional reviews for high-visibility content that may violate our policies.” Essentially they want to make sure that content that stays up on the platform and reaches a large audience, is following their content guidelines. However, previous disclosures have proven policy executives have prioritized the company’s ‘business interests’ over removing content that violates their policies; and have waited to act on known problematic content until significant external pressure was built up, including in India. In this context, the cross-check system seems less like a measure designed to protect users who might be exposed to problematic content, and more as a measure for managing public perception of the company.

Thus the Board should investigate both how content gains an audience on the platform, and how it gets moderated. Previous whistleblower disclosures have shown that the mechanics of algorithmically amplified speech, which prioritizes engagement and growth over safety, are easily taken advantage of by bad actors to promote their viewpoints through artificially induced virality. The cross-check system and other measures of content moderation at scale would not be needed if it was harder to spread problematic content on the platform in the first place. Instead of focusing only on one specific system, the Board needs to urge Meta to re-evaluate the incentives that drive content sharing on the platform and come up with ways that make the platform safer.

Meta’s Obligations under Human Rights Law

Recommendation for the Board: The Board must consider the cross-check system to be violative of Meta’s obligations under the International Covenant of Civil and Political Rights (ICCPR). Additionally, the cross-check ranker must be incorporated with Meta’s commitments towards human rights, as outlined in its Corporate Human Rights Policy.

Explanation: Meta’s content moderation, and by extension, its cross-check system, is bound by both international human rights law as well as the Board’s past decisions. At the outset, The system fails the three-pronged test of legality, legitimacy and necessity and proportionality, as delineated under Article 19(3) of the International Covenant of Civil and Political Rights (ICCPR). Firstly, this system has been “scattered throughout the company, without clear governance or ownership”, which violates the legality principle, since there is no clear guidance on what sort of speech, or which classes of users, would deserve the treatment of this system. Secondly, there is no understanding about the legitimacy of aims with which this system had been set up in the first place, beyond Meta’s own assertions, which have been countered by evidence to the contrary. Thirdly, the necessity and proportionality of the restriction has to be read along with the Rabat Plan of Action, which requires that for a statement to become a criminal offense, a six-pronged test of threshold is to be applied: a) the social and political context, b) the speaker’s position or status in the society, c) intent to incite the audience against a target group, d) content and form of the speech, e) extent of its dissemination and f) likelihood of harm. As news reports have indicated, Meta has been utilizing the cross-check system to privilege speech from influential users, and in the process, have shielded inflammatory, inciting speech that would have otherwise qualified the Rabat threshold. As such, the third requirement is not fulfilled either.

Additionally, Meta’s own Corporate Human Rights Policy commits to respecting human rights in line with the UN Guiding Principles on Business and Human Rights (UNGPs). Therefore, the cross-check ranker must incorporate these existing commitments to human rights, including:

The right to freedom of expression:, UN Special Rapporteur on freedom of opinion and expression report A/HRC/38/35 (2018); Joint Statement of international freedom of expression monitors on COVID-19 (March, 2020).

The Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression addresses the regulation of user-generated online content.

The Joint Statement issued regarding Governmental promotion and protection of access to and free flow of information during the pandemic.

The right to non-discrimination: International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), Articles 1 and 4.

Article 1 of the ICERD defines racial discrimination.

Article 4 of the ICERD condemns propaganda and organisations that attempt to justify discrimination or are based on the idea of racial supremacism.

Participation in public affairs and the right to vote: ICCPR Article 25.
The right to remedy: General Comment No. 31, Human Rights Committee (2004) (General Comment 31); UNGPs, Principle 22.

The General Comment discusses the nature of the general legal obligation imposed on State Parties to the Covenant.

Guiding Principle 22 states that where business enterprises identify that they have caused or contributed to adverse impacts, they should provide for or cooperate in their remediation through legitimate processes.

Meta’s obligations to avoid political bias and false positives in its cross-check system

Recommendation for the Board: The Board must urge Meta to adopt and implement the Santa Clara Principles on Transparency and Accountability to ensure that it is open about risks to user rights when there is involvement from the State in content moderation. Additionally, the Board must ask Meta to undertake a diversity and human rights audit of its existing policy teams, and commit to regular cultural training for its staff. Finally, the Board must investigate the potential conflicts of interest that arise when Meta’s policy team has any sort of nexus with political parties, and how that might impact content moderation.

Explanation: For the cross-check system to be free from biases, it is important for Meta to come clear to the Board regarding the rationale, standards and processes of the cross check review, and report on the relative error rates of determinations made through cross check compared with ordinary enforcement procedures. It also needs to disclose to the Board in which particular situations it uses the system and in which it does not. Principle 4 under the Foundational Principles of the Santa Clara Principles on Transparency and Accountability in Content Moderation encourage companies to realize the risk to user rights when there is involvement from the State in processes of content moderation and asks companies to makes users aware that: a) a state actor has requested/participated in an action on their content/account, and b) the company believes that the action was needed as per the relevant law. Users should be allowed access to any rules or policies, formal or informal work relationships that the company holds with state actors in terms of content regulation, the process of flagging accounts/content and state requests to action.

The Board must consider that erroneous lack of action (false positives) might not always be a system's flaw, but a larger, structural issue regarding how policy teams at Meta functions. As previous disclosures have proven, the contours of what sort of violating content gets to stay up on the platform has been ideologically and politically coloured, as policy executives have prioritized the company’s ‘business interests’ over social harmony. In such light, it is not sufficient to simply propose better transparency and accountability measures for Meta to adopt within its content moderation processes to avoid political bias. Rather, the Board’s recommendations must focus on the structural aspect of the human moderator and policy team that is behind these processes. The Board must ask Meta to a) urgently undertake a diversity and human rights audit of its existing team and its hiring processes, b) commit to regular training to ensure that their policy staffs are culturally literate in the socio-political regions they work in. Further, the Board must seriously investigate the potential conflicts of interest that happen when regional policy teams of Meta, with nexus to political parties, are also tasked with regulating content from representatives of these parties, and how that impacts the moderation processes at large.

Finally, in case decision 2021-001-FB-FBR, the Board made a number of recommendations to Meta which must be implemented in the current situation, including: a) considering the political context while looking at potential risks, b) employment of specialized staff in content moderation while evaluating political speech from influential users, c) familiarity with the political and linguistic context d) absence of any interference and undue influence, e) public explanation regarding the rules Meta uses when imposing sanctions against influential users and f) the sanctions being time-bound.

Transparency of the cross-check system

Recommendation for the Board: The Board must urge Meta to adopt and implement the Santa Clara Principles on Transparency and Accountability to increase the transparency of its cross-check system.

Explanation: There are ways in which Meta can increase the transparency of not only the cross-check system, but the content moderation process in general. The following recommendations draw from The Santa Clara Principles and the Board’s own previous decisions:

Considering Principle 2 of the Santa Clara Principles: Understandable Rules and Policies, Meta should ensure that the policies and rules governing moderation of content and user behaviors on Facebook are clear, easily understandable, and available in the languages in which the user operates.

Drawing from Principle 5 on Integrity and Explainability and from the Board’s recommendations in case decision 2021-001-FB-FBR which advises Meta to“Provide users with accessible information on how many violations, strikes and penalties have been assessed against them, and the consequences that will follow future violations”, Meta should be able to explain the content moderation decisions to users in all cases: when under review, when the decision has been made to leave the content up, or take it down. We recommend that Meta keeps a publicly accessible running tally of the number of moderation decisions made on a piece of content till date with their explanations. This would allow third parties (like journalists, activists, researchers and the OSB) to keep Facebook accountable when it does not follow its own policies, as has previously been the case.

In the same case decision, the Board has also previously recommended that Meta “Produce more information to help users understand and evaluate the process and criteria for applying the newsworthiness allowance, including how it applies to influential accounts. The company should also clearly explain the rationale, standards and processes of the cross-check review, and report on the relative error rates of determinations made through cross-checking compared with ordinary enforcement procedures.” Thus, Meta should publicly explain the cross check system in detail with examples, and make public the list of attributes that qualify a piece of content for secondary review.

The Operational Principles further provide actionable steps that Meta can take to improve the transparency of their content moderation systems. Drawing from Principle 2: Notice and Principle 3: Appeals, Meta should make a satisfactory appeals process available to users - whether they be decisions to leave up or takedown content. The appeals process should be handled by context aware teams. Meta should then publish the results of the cross check system and the appeals processes as part of their transparency reports including data like total content actioned, rate of success in appeals and cross check process, decisions overturned and preserved etc, which would also satisfy the first Operational Principle: Numbers.

Resources needed to improve the system for users and entities who do not post in English

Recommendations for the Board: The Board must urge Meta to urgently invest in resources to expand Meta’s content moderation services into the local contexts in which the company operates and invest in training data for local languages.

Explanation: The cross-check system is not a fundamentally different problem than content moderation. It has been shown time and time again that Meta’s handling of content from non-Western, non-English language contexts is severely lacking. It has been shown how content hosted on the platform has been used to inflame existing tensions in developing countries, promote religious hatred in India, genocide in Mynmar, and continue to support human traffickers and drug cartels on the platform even when these issues have been identified.

There is an urgent need to invest resources to expand Meta’s content moderation services into the local contexts in which the company operates. The company should make all policies and rule documents available in the languages of its users; invest in creating automated tools that are capable of flagging content that is not posted in English; and add people familiar with the local contexts to provide context aware second level reviews. The Facebook Files show that even according to company engineering, automated content moderation is still not very effective in identifying hate speech and other harmful content. Meta should focus on hiring, training and retaining human moderators who have knowledge of local contexts. Bias training of all content moderators, but especially those who will participate in the second level reviews in the cross check system is also extremely important to ensure acceptable decisions.

Additionally, in keeping with Meta’s human rights commitments, the company should develop and publish a policy for responding to human rights violations when they are pointed out by activists, researchers, journalists and employees as a matter of due process. It should not wait for a negative news cycle to stir them into action as it seems to have done in previous cases.

Benefits and limitations of automated technologies

Meta recently changed its moderation practice wherein it uses technology to prioritize content for human reviewers based on their severity index. Facebook has not specified the technology it uses to prioritize high-severity content but its research record shows that it uses a host of automated frameworks and tools to detect violating content, including image recognition tools, object detection tools, natural language processing models, speech models and reasoning models. One such model is the Whole Post Integrity Embeddings (“WPIE”) which can judge various elements in a given post (caption, comments, OCR, image etc.) to work out the context and the content of the post. Facebook also uses image matching models (SimSearchNet++) that are trained to match variations of an image with a high degree of precision and improved recall; multi-lingual masked language models on cross-lingual understanding such as XLM-R that can accurately identify hate-speech and other policy-violating content across a wide range of languages. More recently, Facebook introduced its machine translation model called the M2M-100 whose goal is to perform bidirectional translation between 7000 languages.

Despite the advances in this field, there are inherent limitations of such automated tools. Experts have repeatedly maintained that AI will get better at understanding context but it will not replace human moderators for the foreseeable future. One such instance where these limitations were exposed was during the COVID-19 pandemic, when Facebook sent its human moderators home - the number of removals flagged as hate speech on its platform more than doubled to 22.5 million in the second quarter of 2020 but the number of successful content appeals was dropped to 12,600 from the 2.3 million figure for the first three months of 2020.

The Facebook Files show that Meta’s AI cannot consistently identify first-person shooting videos, racist rants and even the difference between cockfighting and car crashes. Its automated systems are only capable of removing posts that generate just 3% to 5% of the views of hate speech on the platform and 0.6% of all content that violates Meta’s policies against violence and incitement. As such, it is difficult to accept the company’s claim that nearly all of the hate speech it takes down was discovered by AI before it was reported by users.

However, the benefits of such technology cannot be discounted, especially when one considers automated technology as a way of reducing trauma for human moderators. Using AI for prioritizing content for review can turn out to be effective for human moderators as it can increase their efficiency and reduce harmful effects of content moderation on them. Additionally, it can also limit the exposure of harmful content to internet users. Moreover, AI can also reduce the impact of harmful content on human moderators by allocating content to moderators on the basis of their exposure history. Theoretically, if the company’s claims are to be believed, using automated technology for prioritizing content for review can help to improve the mental health of Facebook’s human moderators.

Click to download the file here.

For more details visit https://cis-india.org/internet-governance/blog/submission-to-the-facebook-oversight-board-policy-on-cross-checks