We are anonymous, we are legion

Summary of the CIS workshop on the Draft Human DNA Profiling Bill 2012

maria — 2013-07-12T15:33:25Z

On March 1st, 2013, the Centre for Internet and Society organized a workshop which analysed the April 2012 draft Human DNA Profiling Bill and its potential implications on human rights in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Think you control who has access to your DNA data? That might just be a myth of the past. Today, clearly things have changed, as draft Bills with the objective of creating state, regional, and national DNA databases in India have been leaked over the last years. Plans of profiling certain residents in India are being unravelled as, apparently, the new policy when collecting, handling, analysing, sharing and storing DNA data is that all personal information is welcome; the more, the merrier!

Who is behind all of this? The Centre for DNA Fingerprinting and Diagnostics in India created the 2007 draft DNA Profiling Bill[1], with the aim of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked which was created by the Department of Biotechnology. The most recent version of the Bill was drafted in April 2012 and seeks to create DNA databases at the state, regional and national level in India[2]. According to the latest 2012 draft Human DNA Profiling Bill, each DNA database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of identification in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and a DNA Profiling Board for overseeing the carrying out of the Act.

However, the 2012 draft Human DNA Profiling Bill lacks adequate safeguards and its various loopholes and overreaching provisions could create a potential for abuse. The creation of DNA databases is currently unregulated in India and although regulations should be enacted to prevent data breaches, the current Bill raises major concerns in regards to the collection, use, analysis and retention of DNA samples, DNA data and DNA profiles. In other words, the proposed DNA databases would not only be restricted to criminals…

DNA databases...and Justice for All?

Source: Libertas Academica on flickr

During the workshop [3]on the 2012 draft Human DNA Profiling Bill, DNA[4] was defined as a material that determines a persons´ hereditary traits, whilst DNA profiling[5] was defined as the processing and analysis of unique sequences of parts of DNA. Thus the uniqueness of DNA data is clear and the implications that could potentially occur through its profiling could be tremendous. The 2007 DNA Profiling Bill has been amended, yet its current 2012 version appears not only to be more intrusive, but to also be extremely vague in terms of protecting data, whilst very deterministic in regards to the DNA Profiling Board´s power. A central question in the meeting was:

Should DNA databases be created at all?

The following concerns were raised and discussed during the workshop:

● The myth of the infallibility of DNA evidence

The Innocence Project[6], which was presented at the workshop, appears to provide an appeal towards the storage of DNA samples and profiles, as it represents clients seeking post-conviction DNA testing to prove their innocence. According to statistics presented at the workshop, there have been 303 post-conviction exonerations in the United States, as a result of individuals proving their innocence through DNA testing. Though post-conviction exonerations can be useful, they cannot be the basis and main justification for creating DNA databases. Although DNA testing could enable post-conviction exonerations, errors in matching data remain a high probability and could result in innocent people being accused, arrested and prosecuted for crimes they did not commit. Thus, arguments towards the necessity and utility of the creation of DNA databases in India appear to be weak, especially since DNA evidence is not infallible[7].

False matches can occur based on the type of profiling system used, and errors can take place in the chain of custody of the DNA sample, all of which indicate the weakness of DNA evidence being used. DNA data only provides probabilities of potential matches between DNA profiles and the larger the amount of DNA data collected, the larger the probability of an error in matching profiles[8].

● The non-criteria of DNA data collection

How and when can DNA data be collected? The amended draft 2012 Bill remains extremely vague and broad. In particular, the Bill states that all offences under the Indian Penal Code and other laws, such as the Immoral Traffic (Prevention) Act, 1956, are applicable instances of human DNA profiling. Section B(viii) of the Schedule states that human DNA profiling will be applicable for offences under ´any other law as may be specified by the regulations made by the Board´. This incredibly vague section empowers the DNA Profiling Board with the ultimate power to decide upon the offences under which DNA data will be collected. The issue is this: most laws have loopholes. A Bill which lists applicable instances of human DNA profiling, under the umbrella of a potentially indefinite number of laws, exposes individuals to the collection of their DNA data, which could lead to potential abuse.

● The DNA Profiling Board´s power

The DNA Profiling Board has ´absolute´ power, especially according to the 2012 draft Human DNA Profiling Bill. Some of the Board´s functions include providing recommendations for provision of privacy protection laws, regulations and practices relating to access to, or use of, stored DNA samples or DNA analyses[9]. The Board is also required to advise on all ethical and human rights issues, as well as to take ´necessary steps´ to protect privacy. However, it remains unclear how a Board which lacks human rights expertise will carry out such tasks.

No human rights experts

Despite the various amendments[10] to the section on the composition of the Board, no privacy or human rights experts have been included. According to the Bill, the Board will be comprised of many molecular biologists and other scientists, while human rights experts have not been included to the list. This can potentially be problematic as a lack of expertise on privacy and human rights laws can lead to the regulation of DNA databases without taking civil liberties into consideration.

Vague authorisation for communication of DNA profiles

The Bill also empowers the Board to ´authorise procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies´[11]. Although the 2007 Bill [12]restricted the Boards´ authorisation to crime investigation by law enforcement agencies, its 2012 amendment extends such authorisation to ´civil proceedings´ which can also be carried out by so-called ´other agencies´.[13] This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ remain vague.

Protecting the public

The Board is also authorised to ´assist law enforcement agencies in using DNA techniques to protect the public´[14]. Over the last years, laws are being enacted that enable law enforcement agencies to use technologies for surveillance purposes in the name of ´public security´, and the 2012 draft Bill is no exception. Many security measures have been applied to ´protect the public´, such as CCTV cameras and other technologies, but their actual contribution to public safety still remains a controversial debate[15]. DNA techniques which would effectively protect the public have not been adequately proven, thus it remains unclear how the Board would assist law enforcement agencies.

Sharing data with international agencies…and regulating DNA laboratories

In addition to the above, the Board would also encourage cooperation between Indian investigation agencies and international agencies[16]. This would potentially enable the sharing of DNA data between third parties and would enhance the probability of data being leaked to unauthorised third parties.

The Board would also be authorised to regulate the standards, quality control and quality assurance obligations of the DNA laboratories[17]. The draft 2012 Bill ultimately gives monopolistic control to the DNA Profiling Board over all the procedures related to the handling of DNA data!

● The DNA Data Bank Manager

According to the 2012 draft Human DNA Profiling Bill[18], it is the DNA Data Bank Manager who would carry out ´all operations of and concerning the National DNA Data Bank´. All such operations are not clearly specified. The powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.

The Bill also empowers the Manager to determine appropriate instances for the communication of information[19]. In other words, law enforcement agencies and DNA laboratories can request the disclosure of information from the DNA Data Bank Manager, without prior authorisation. The DNA Data Bank Manager is empowered to decide the requested data.

DNA access restrictions

Are you a victim or a cleared suspect? You better be, if you want access to your data to be restricted! The 2012 draft Human DNA Profiling Bill [20]states that access to information will be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect. The Bill is unclear as to how access to the data of non-victims or suspects is regulated.

● Availability of DNA profiles and DNA samples

According to the amended draft 2012 Bill[21], DNA profiles and samples can be made available in criminal cases, judicial proceedings and for defence purposes among others. However, ´criminal cases´ are loosely defined and could enable the availability of DNA data in low profile cases. Furthermore, the availability of DNA data is also enabled for the ´creation and maintenance of a population statistics database´. This is controversial because it remains unclear how such a database would be used.

● Data destruction

According to an amendment to section 37, DNA data will be kept on a ´permanent basis´ and the DNA Data Bank Manager will expunge a DNA profile only once the court has certified that an individual is no longer a suspect. This raises major concerns, as it does not clarify under what conditions individuals can have access to their data during its retention, nor does it give volunteers and missing persons the opportunity to have their data deleted from the data bank.

Workshop conclusions

Source: micahb37 on flickr

The various loopholes in the Bill which can create a potential for abuse were discussed throughout the workshop, as well as various issues revolving around DNA data retention, as previously mentioned.

During the workshop, some participants questioned the creation of DNA databases to begin with, while others argued that they are inevitable and that it is not a question of whether they should exist, but rather a question of how they should be regulated. All participants agreed upon the need for further safeguards to protect individuals´ right to privacy and other human rights. Further research on the necessity and utility of the creation of DNA databases in regards to human rights was recommended. In addition to all the above, the Ministry of Law and Justice was recommended to pilot the draft DNA Profiling Bill to ensure better provisions in regards to privacy and data protection.

A debate on the use of DNA data in civil cases versus criminal cases was largely discussed in the workshop, with concerns raised in regards to DNA sampling being enabled in civil cases. The fact that the terms ´civil cases´ and ´criminal cases´ remain broad, vague and not legally-specified, raised huge concerns in the workshop as this could enable the misuse of DNA data by authorities. Thus, the members attending the workshop recommended the creation of two separate Bills regulating the use of DNA data: a DNA Profiling Bill for Criminal Investigation and a DNA Profiling Bill for Research. The creation of such Bills would restrict the access to, collection, analysis, sharing of and retention of DNA data to strictly criminal investigation and research purposes.

However, even if separate Bills were created, who is to say that when implemented DNA in the database would not be abused? Criminal investigations can be loosely defined and research purposes can potentially cover anything and everything. So the question remains:

Should DNA databases be created at all?

[1] Draft DNA Profiling Bill 2007, http://dbtindia.nic.in/DNA_Bill.pdf

[2] Human DNA Profiling Bill 2012: Working draft versión – 29th April 2012,

[3] Centre for Internet and Society, Analyzing the Draft Human DNA Profiling Bill 2012, 25 February 2013, http://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill

[4] Genetics Home Reference: Your Guide to Understanding Genetic Conditions, What is DNA?, http://ghr.nlm.nih.gov/handbook/basics/dna

[5] Shanna Freeman, How DNA profiling Works, http://science.howstuffworks.com/dna-profiling.htm

[6] Innocence Project, DNA exoneree case profiles, http://www.innocenceproject.org/know/

[7] Australian Law Reform Commission (ALRC), Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC Report 96), ´Criminal Proceedings: Reliability of DNA evidence´, Chapter 44, http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence

[8] Ibid.

[9] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Section 12(o, p, t), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[10] Ibid: Section 4(q)

[11] Ibid: Section 12(j)

[12] Draft DNA Profiling Bill 2007, Section 13, http://dbtindia.nic.in/DNA_Bill.pdf

[13] : Human DNA Profiling Bill 2012: Working draft version – 29^th April 2012, Sections 12(j), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[14] Ibid: Section 12(l)

[15] Schneier, B.(2008), Schneier on Security, ´CCTV cameras´, http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html

[16] Human DNA Profiling Bill 2012: Working draft version – 29^th April 2012, Sections 12(u) and 12(v), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[17] Ibid: Section on the ´Standards, Quality Control and Quality Assurance Obligations of DNA Laboratories´

[18] Ibid: Section 33

[19] Ibid: Section 35

[20] Ibid: Section 43

[21] Ibid: Section 40

For more details visit https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012

Suicide videos: Facebook beefs up team to monitor content

praskrishna — 2017-05-20T02:59:14Z

Responding to the spate of suicides being livestreamed, social media giant Facebook has announced it will add another 3,000 people to its 4,500-strong review team that moderates content. The review team will also work in tandem with law enforcement agencies on this issue.

The article by Kim Arora was published in the Times of India on May 5, 2017.

"Over the last few weeks, we've seen people hurting themselves and others on Facebook, either live or in video posted later. It's heartbreaking, and I've been reflecting on how we can do better for our community," Facebook co-founder and CEO Mark Zuckerberg wrote in a status update and added, "Over the next year, we'll be adding 3,000 people to our community operations team around the world, on top of the 4,500 we have today, to review the millions of reports we get every week, and improve the process for doing it quickly."

"...we'll keep working with local community groups and law enforcement who are in the best position to help someone if they need it, either because they're about to harm themselves, or because they're in danger from someone else," Zuckerberg added announcing the move.

Over the last year, several violent incidents and suicides have been streamed live on Facebook. In India last April, a young student went live on Facebook minutes before he jumped off the 19th floor of Taj Lands End hotel in Mumbai. The same month saw similar news coming out of the US and Thailand as well. A 49-year-old from Alabama went live on Facebook before shooting himself in the head. Another man from Bangkok made a video of hanging his 11-month-old daughter, and uploaded it to Facebook. He was later discovered to have killed himself too.

"It's a positive development that Facebook is adding human power and tools for dealing with hate speech, child abuse and suicide attempts. It would be interesting to see how Facebook coordinates with the Indian police departments to get an emergency response to a potential suicide attempt or attempt to harm someone else," says Rohini Lakshane, program officer, Center for Internet and Society, though she warns against false reports clogging up reviewers' feeds and police notifications.

On Facebook, a video, picture or any other piece of content reaches the review team after it is reported by users for flouting its "community guidelines".

Chinmayi Arun, research director at the Centre for Communication Governance, National Law University, Delhi, says Facebook must be transparent about this process. "Facebook should also announce how it is keeping this process accountable. It is a public platform of great importance which has been guilty of over-censorship in the past. It should be responsive not just to government censorship requests but also to user requests to review and reconsider its blocking of legitimate content," she says.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-kim-arora-may-5-2017-suicide-videos-facebook-beefs-up-team-to-monitor-content

Suckfly Attacks National Stock Exchange Tech Vendor, Among Others

praskrishna — 2016-05-29T08:07:00Z

A cyber espionage group attacked an Indian IT firm that provides support to India’s largest stock exchange. It’s one of many attacks in the recent past.

The blog post by Rohit Pathak was published in the Quint on May 21, 2016. Pranesh Prakash was quoted.

For 24 months now, several Indian government and private organisations have been victims of highly-targeted and sustained cyberattacks by Suckfly. Cyber security firm Symantec has been tracking Suckfly since April 2014 and believes it is a Chinese cyber-espionage group. According to Symantec, Suckfly uses stolen digital certificates to breach the internal networks of Indian organisations.

While Symantec has declined to name any of the victims, it says the high-profile targets include one of India’s largest financial institutions, an e-commerce company and its primary shipping vendor, a leading Indian IT company, two government organisations, and an American health care provider’s Indian business unit.

So far, the highest infection rate has been at a government organisation responsible for implementing network software across various ministries and departments of the Indian central government. Symantec’s investigation report says Suckfly uses custom malware called Backdoor.Nidiran to orchestrate the attacks. While Suckfly had used the same backdoor in its previous campaigns in other countries, in India the post-infection activity was significantly higher.

“We should be aware that this attack isn’t yet over. Suckfly has been targeting organisations since at least May 2014, and it very likely continues to have access to governmental and corporate servers in India thanks to the Nidiran backdoor,” says Pranesh Prakash, Policy Director, Centre for Internet and Society.

He added that, “Depending on what access Suckfly got, the damage could be anything from them having conducted fraudulent financial transactions to obtaining classified governmental secrets.”

It is as yet unclear what data has been exfiltrated by Suckfly, but the fact that no organisations have reported this to their customers shows that the current laws with regard to data security and data breaches are inadequate.

Pranesh Prakash, Policy Director, Centre for Internet and Society

In a detailed email exchange with Bloomberg Quint, Symantec’s security experts describe how Suckfly operates, its motives, and what Indian entities can do to protect themselves.

Suckfly’s Modus Operandi

In 2015, between 22 April and 4 May, Suckfly conducted a multistage attack on an Indian e-commerce company.

It first identified a user – an employee of the e-commerce company – to attempt its initial breach into the e-commerce company’s internal network.

Symantec says, “We don’t have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. The target’s job function, corporate email address, information on work-related projects, and publicly accessible personal blog could all be freely found online.’

Suckfly then exploited a vulnerability in the employee’s operating system (Windows) that allowed it to bypass the User Account Control and install the malware. It’s likely that Suckfly used a spear-phishing email to gain entry.

Having entered the employee’s system, Suckfly gained access to the employee’s account credentials and then used them to access the victim’s account and navigate the e-commerce company’s internal corporate network as though it were the employee.

Suckfly’s final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure.

Weekends Off

The attack took place over 13 days, but Symantec discovered that Suckfly was active only Monday to Friday. There was no activity from the group on weekends. This could be because the attackers’ hacktools are command line driven and can provide insight into when operators are behind keyboards actively working.

Suckfly’s Motives?

According to Symantec, “Suckfly targeted one of India’s largest e-commerce companies, a major Indian shipping company, one of India’s largest financial organizations, and an IT firm that provides support for India’s largest stock exchange. All of these targets are large corporations that play a major role in India’s economy. By targeting all of these organisations together, Suckfly could have had a much larger impact on India and its economy. While we don’t know the motivations behind the attacks, the targeted commercial organisations, along with the targeted government organisations, may point in this direction. Symantec’s research shows that Suckfly is well-equipped to carry out targeted attacks for years while staying off the radar of security organisations.”

Symantec refused to name the victims and when contacted, the National Stock Exchange (NSE) said its systems were secure and that it had not heard of any such attack on any of its tech vendors.

In the last two years, from 2013 to 2015, the total number of reported cyber breaches worldwide have increased 25%. India is amongst the most vulnerable – ranking third on the list of countries that have faced financial intrusion.

Smokescreen is a cybersecurity firm and CEO Sahir Hidayatullah claims virtually every large company in India has been compromised to varying degrees already.

Strategic economic advantage and intellectual property theft are the primary motivators for nation state attackers targeting energy, pharma, and manufacturing. Attacks against the financial sector are more commonly done by financially-motivated cybercriminals, however, nation state attackers have an interest here as well – being deeply embedded into critical systems affords opportunities for both mass data collection as well as the ability to cripple financial systems if required. All major governments aspire to have this offensive capability and are in various stages of having developed it already.Sahir Hidayatullah, CEO, Smokescreen

Over the last few months, our decoy detection network in India has seen an up-tick in targeted attacks specifically aimed at companies in banking, energy, pharmaceuticals and manufacturing. Manufacturing has seen the single largest increase in targeted attempts to compromise infrastructure. We have seen a large increase in ‘malware-less’ attacks including the use of stolen credentials on VPN systems.

More worrisome is that over the last year, we have conducted breach-readiness assessments for many of the large names in these verticals, and in every instance, the internal controls were unable to detect and respond to our simulated attacks in time. According to our assessment, none of them are prepared to withstand a targeted attack.

According to a 2015 survey conducted by PWC spanning 250 Indian companies, 72% of the respondents claimed they faced some sort of cyberattack over the last year. 63% claimed intrusions lead to financial losses and 55% claimed there was loss of sensitive information. But the worrying number is this – 78% have no cyber incident response plan. That’s good news for Suckfly and its comrades.

For more details visit https://cis-india.org/internet-governance/news/the-quint-rohit-pathak-may-21-2016-suckly-attacks-national-stock-exchange-tech-vendor-among-others

Submitted Your Biometrics for Aadhaar? Here’s How You Can Lock/Unlock That Data

Admin — 2019-02-02T02:09:56Z

Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?

The blog post by Vidya Raja was published in the Better India on January 24, 2019. Pranesh Prakash was quoted.

Imagine someone hacking into your Netflix account – all you have to do is change the password. However, if there is a security breach with respect to your biometric details, there is no reversing it. So think carefully about how and where you submit your details. While the Supreme Court has said that it is no longer mandatory to link Aadhaar with your bank accounts or your telecom service provider, it does not lessen the importance of Aadhaar.

Pranesh Prakash, Policy Director, The Centre for Internet & Society, in a report published in The Mint, says, “Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner’s finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.” Over the last year, there has been so much chatter about the Aadhaar number and how one can protect one’s information.

Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?

In this article, we explain how you can do that.

Locking biometrics online:

Visit UIDAI’s online portal to lock or unlock your biometrics
Once there, you will need to click on ‘My Aadhaar’ and under the Aadhaar Services tab, click on Lock/Unlock Biometrics
You will then be redirected to a new page and prompted to enter the 12-digit Aadhaar number and the security code
Once the details have been entered, click on ‘Send OTP’
You will receive an OTP on your registered mobile number
Enter this and click on the Login button
This feature will allow you to lock your biometrics
Enter the 4-digit security code mentioned on the screen and click on the ‘Enable’ button
Your biometrics will be locked, and you will have to unlock it in case you want to access it again

Unlocking biometrics online:

To unlock your biometrics, click on the ‘Login’ button
Enter your Aadhaar number and the security code in the designated spaces
Now click on ‘Send OTP’
An OTP will be sent to your registered mobile number
Enter it in the space provided and click on ‘Login’
In case you want to temporarily unlock the biometrics, enter the security code and click on the unlock button
Your biometrics will be unlocked for 10 minutes
The locking date and time is mentioned on the screen after which biometrics will be automatically locked
When you do not want to lock your biometrics, you can disable the lock permanently.

Using mAadhaar to lock/unlock biometrics:

mAadhaar is the official mobile application developed by the Unique Identification Authority of India (UIDAI). Presently, it is available on the Android platform.

Once the mAadhaar app has been downloaded, the user must use their Aadhaar card registered mobile number to login.
You will then be sent an OTP that you are required to enter for authentication. Do remember to change your password once registered.
On the top right side, tap on ‘Biometric lock’, and enter your password to lock the biometrics. Once locked, it will show a small lock icon next to your profile.
To unlock, tap on the same icon followed by your password. The information will unlock for 10 minutes. After that, it will be locked again.
Once you lock this information, it ensures that even the Aadhaar holder will not be able to use their biometric data (iris scan and fingerprints) for authentication, until unlocked.
If you try to use this information without unlocking, it will show you an error code 330.

Remember to lock and unlock your biometrics through a trusted channel. The fact that there is no fee involved in either exercise will make this easier. Also, even with the biometric locked, you can continue to use the OTP-based authentication process for transactions, where you will receive the OTP on your registered mobile number and e-mail address.

(Edited by Shruti Singhal)

For more details visit https://cis-india.org/internet-governance/news/the-better-india-vidya-raja-january-24-2019-aadhaar-biometric-privacy-safety-online-india

Submission to the Facebook Oversight Board: Policy on Cross-checks

2022-02-09T05:31:32Z

The Centre for Internet & Society (CIS) submitted public comments to the Facebook Oversight Board on a policy consultation.

Whether a cross-check system is needed?

Recommendation for the Board: The Board should investigate the cross-check system as part of Meta’s larger problems with algorithmically amplified speech, and how such speech gets moderated.

Explanation: The issues surrounding Meta’s cross-check system are not an isolated phenomena, but rather a reflection of the problems of algorithmically amplified speech, as well the lack of transparency in the company’s content moderation processes at large. At the outset, it must be stated that the majority of information on the cross-check system only became available after the media reports published by the Wall Street Journal. While these reports have been extensive in documenting various aspects of the system, there is no guarantee that the disclosures obtained by them provides the complete picture regarding the system. Further, given that Meta has been found to purposely mislead the Board and the public on how the cross-check system operates, it is worth investigating the incentives that necessitate the cross-check system in the first place.

Meta claims that the cross-check system works as a check for false positives: they “employ additional reviews for high-visibility content that may violate our policies.” Essentially they want to make sure that content that stays up on the platform and reaches a large audience, is following their content guidelines. However, previous disclosures have proven policy executives have prioritized the company’s ‘business interests’ over removing content that violates their policies; and have waited to act on known problematic content until significant external pressure was built up, including in India. In this context, the cross-check system seems less like a measure designed to protect users who might be exposed to problematic content, and more as a measure for managing public perception of the company.

Thus the Board should investigate both how content gains an audience on the platform, and how it gets moderated. Previous whistleblower disclosures have shown that the mechanics of algorithmically amplified speech, which prioritizes engagement and growth over safety, are easily taken advantage of by bad actors to promote their viewpoints through artificially induced virality. The cross-check system and other measures of content moderation at scale would not be needed if it was harder to spread problematic content on the platform in the first place. Instead of focusing only on one specific system, the Board needs to urge Meta to re-evaluate the incentives that drive content sharing on the platform and come up with ways that make the platform safer.

Meta’s Obligations under Human Rights Law

Recommendation for the Board: The Board must consider the cross-check system to be violative of Meta’s obligations under the International Covenant of Civil and Political Rights (ICCPR). Additionally, the cross-check ranker must be incorporated with Meta’s commitments towards human rights, as outlined in its Corporate Human Rights Policy.

Explanation: Meta’s content moderation, and by extension, its cross-check system, is bound by both international human rights law as well as the Board’s past decisions. At the outset, The system fails the three-pronged test of legality, legitimacy and necessity and proportionality, as delineated under Article 19(3) of the International Covenant of Civil and Political Rights (ICCPR). Firstly, this system has been “scattered throughout the company, without clear governance or ownership”, which violates the legality principle, since there is no clear guidance on what sort of speech, or which classes of users, would deserve the treatment of this system. Secondly, there is no understanding about the legitimacy of aims with which this system had been set up in the first place, beyond Meta’s own assertions, which have been countered by evidence to the contrary. Thirdly, the necessity and proportionality of the restriction has to be read along with the Rabat Plan of Action, which requires that for a statement to become a criminal offense, a six-pronged test of threshold is to be applied: a) the social and political context, b) the speaker’s position or status in the society, c) intent to incite the audience against a target group, d) content and form of the speech, e) extent of its dissemination and f) likelihood of harm. As news reports have indicated, Meta has been utilizing the cross-check system to privilege speech from influential users, and in the process, have shielded inflammatory, inciting speech that would have otherwise qualified the Rabat threshold. As such, the third requirement is not fulfilled either.

Additionally, Meta’s own Corporate Human Rights Policy commits to respecting human rights in line with the UN Guiding Principles on Business and Human Rights (UNGPs). Therefore, the cross-check ranker must incorporate these existing commitments to human rights, including:

The right to freedom of expression:, UN Special Rapporteur on freedom of opinion and expression report A/HRC/38/35 (2018); Joint Statement of international freedom of expression monitors on COVID-19 (March, 2020).

The Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression addresses the regulation of user-generated online content.

The Joint Statement issued regarding Governmental promotion and protection of access to and free flow of information during the pandemic.

The right to non-discrimination: International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), Articles 1 and 4.

Article 1 of the ICERD defines racial discrimination.

Article 4 of the ICERD condemns propaganda and organisations that attempt to justify discrimination or are based on the idea of racial supremacism.

Participation in public affairs and the right to vote: ICCPR Article 25.
The right to remedy: General Comment No. 31, Human Rights Committee (2004) (General Comment 31); UNGPs, Principle 22.

The General Comment discusses the nature of the general legal obligation imposed on State Parties to the Covenant.

Guiding Principle 22 states that where business enterprises identify that they have caused or contributed to adverse impacts, they should provide for or cooperate in their remediation through legitimate processes.

Meta’s obligations to avoid political bias and false positives in its cross-check system

Recommendation for the Board: The Board must urge Meta to adopt and implement the Santa Clara Principles on Transparency and Accountability to ensure that it is open about risks to user rights when there is involvement from the State in content moderation. Additionally, the Board must ask Meta to undertake a diversity and human rights audit of its existing policy teams, and commit to regular cultural training for its staff. Finally, the Board must investigate the potential conflicts of interest that arise when Meta’s policy team has any sort of nexus with political parties, and how that might impact content moderation.

Explanation: For the cross-check system to be free from biases, it is important for Meta to come clear to the Board regarding the rationale, standards and processes of the cross check review, and report on the relative error rates of determinations made through cross check compared with ordinary enforcement procedures. It also needs to disclose to the Board in which particular situations it uses the system and in which it does not. Principle 4 under the Foundational Principles of the Santa Clara Principles on Transparency and Accountability in Content Moderation encourage companies to realize the risk to user rights when there is involvement from the State in processes of content moderation and asks companies to makes users aware that: a) a state actor has requested/participated in an action on their content/account, and b) the company believes that the action was needed as per the relevant law. Users should be allowed access to any rules or policies, formal or informal work relationships that the company holds with state actors in terms of content regulation, the process of flagging accounts/content and state requests to action.

The Board must consider that erroneous lack of action (false positives) might not always be a system's flaw, but a larger, structural issue regarding how policy teams at Meta functions. As previous disclosures have proven, the contours of what sort of violating content gets to stay up on the platform has been ideologically and politically coloured, as policy executives have prioritized the company’s ‘business interests’ over social harmony. In such light, it is not sufficient to simply propose better transparency and accountability measures for Meta to adopt within its content moderation processes to avoid political bias. Rather, the Board’s recommendations must focus on the structural aspect of the human moderator and policy team that is behind these processes. The Board must ask Meta to a) urgently undertake a diversity and human rights audit of its existing team and its hiring processes, b) commit to regular training to ensure that their policy staffs are culturally literate in the socio-political regions they work in. Further, the Board must seriously investigate the potential conflicts of interest that happen when regional policy teams of Meta, with nexus to political parties, are also tasked with regulating content from representatives of these parties, and how that impacts the moderation processes at large.

Finally, in case decision 2021-001-FB-FBR, the Board made a number of recommendations to Meta which must be implemented in the current situation, including: a) considering the political context while looking at potential risks, b) employment of specialized staff in content moderation while evaluating political speech from influential users, c) familiarity with the political and linguistic context d) absence of any interference and undue influence, e) public explanation regarding the rules Meta uses when imposing sanctions against influential users and f) the sanctions being time-bound.

Transparency of the cross-check system

Recommendation for the Board: The Board must urge Meta to adopt and implement the Santa Clara Principles on Transparency and Accountability to increase the transparency of its cross-check system.

Explanation: There are ways in which Meta can increase the transparency of not only the cross-check system, but the content moderation process in general. The following recommendations draw from The Santa Clara Principles and the Board’s own previous decisions:

Considering Principle 2 of the Santa Clara Principles: Understandable Rules and Policies, Meta should ensure that the policies and rules governing moderation of content and user behaviors on Facebook are clear, easily understandable, and available in the languages in which the user operates.

Drawing from Principle 5 on Integrity and Explainability and from the Board’s recommendations in case decision 2021-001-FB-FBR which advises Meta to“Provide users with accessible information on how many violations, strikes and penalties have been assessed against them, and the consequences that will follow future violations”, Meta should be able to explain the content moderation decisions to users in all cases: when under review, when the decision has been made to leave the content up, or take it down. We recommend that Meta keeps a publicly accessible running tally of the number of moderation decisions made on a piece of content till date with their explanations. This would allow third parties (like journalists, activists, researchers and the OSB) to keep Facebook accountable when it does not follow its own policies, as has previously been the case.

In the same case decision, the Board has also previously recommended that Meta “Produce more information to help users understand and evaluate the process and criteria for applying the newsworthiness allowance, including how it applies to influential accounts. The company should also clearly explain the rationale, standards and processes of the cross-check review, and report on the relative error rates of determinations made through cross-checking compared with ordinary enforcement procedures.” Thus, Meta should publicly explain the cross check system in detail with examples, and make public the list of attributes that qualify a piece of content for secondary review.

The Operational Principles further provide actionable steps that Meta can take to improve the transparency of their content moderation systems. Drawing from Principle 2: Notice and Principle 3: Appeals, Meta should make a satisfactory appeals process available to users - whether they be decisions to leave up or takedown content. The appeals process should be handled by context aware teams. Meta should then publish the results of the cross check system and the appeals processes as part of their transparency reports including data like total content actioned, rate of success in appeals and cross check process, decisions overturned and preserved etc, which would also satisfy the first Operational Principle: Numbers.

Resources needed to improve the system for users and entities who do not post in English

Recommendations for the Board: The Board must urge Meta to urgently invest in resources to expand Meta’s content moderation services into the local contexts in which the company operates and invest in training data for local languages.

Explanation: The cross-check system is not a fundamentally different problem than content moderation. It has been shown time and time again that Meta’s handling of content from non-Western, non-English language contexts is severely lacking. It has been shown how content hosted on the platform has been used to inflame existing tensions in developing countries, promote religious hatred in India, genocide in Mynmar, and continue to support human traffickers and drug cartels on the platform even when these issues have been identified.

There is an urgent need to invest resources to expand Meta’s content moderation services into the local contexts in which the company operates. The company should make all policies and rule documents available in the languages of its users; invest in creating automated tools that are capable of flagging content that is not posted in English; and add people familiar with the local contexts to provide context aware second level reviews. The Facebook Files show that even according to company engineering, automated content moderation is still not very effective in identifying hate speech and other harmful content. Meta should focus on hiring, training and retaining human moderators who have knowledge of local contexts. Bias training of all content moderators, but especially those who will participate in the second level reviews in the cross check system is also extremely important to ensure acceptable decisions.

Additionally, in keeping with Meta’s human rights commitments, the company should develop and publish a policy for responding to human rights violations when they are pointed out by activists, researchers, journalists and employees as a matter of due process. It should not wait for a negative news cycle to stir them into action as it seems to have done in previous cases.

Benefits and limitations of automated technologies

Meta recently changed its moderation practice wherein it uses technology to prioritize content for human reviewers based on their severity index. Facebook has not specified the technology it uses to prioritize high-severity content but its research record shows that it uses a host of automated frameworks and tools to detect violating content, including image recognition tools, object detection tools, natural language processing models, speech models and reasoning models. One such model is the Whole Post Integrity Embeddings (“WPIE”) which can judge various elements in a given post (caption, comments, OCR, image etc.) to work out the context and the content of the post. Facebook also uses image matching models (SimSearchNet++) that are trained to match variations of an image with a high degree of precision and improved recall; multi-lingual masked language models on cross-lingual understanding such as XLM-R that can accurately identify hate-speech and other policy-violating content across a wide range of languages. More recently, Facebook introduced its machine translation model called the M2M-100 whose goal is to perform bidirectional translation between 7000 languages.

Despite the advances in this field, there are inherent limitations of such automated tools. Experts have repeatedly maintained that AI will get better at understanding context but it will not replace human moderators for the foreseeable future. One such instance where these limitations were exposed was during the COVID-19 pandemic, when Facebook sent its human moderators home - the number of removals flagged as hate speech on its platform more than doubled to 22.5 million in the second quarter of 2020 but the number of successful content appeals was dropped to 12,600 from the 2.3 million figure for the first three months of 2020.

The Facebook Files show that Meta’s AI cannot consistently identify first-person shooting videos, racist rants and even the difference between cockfighting and car crashes. Its automated systems are only capable of removing posts that generate just 3% to 5% of the views of hate speech on the platform and 0.6% of all content that violates Meta’s policies against violence and incitement. As such, it is difficult to accept the company’s claim that nearly all of the hate speech it takes down was discovered by AI before it was reported by users.

However, the benefits of such technology cannot be discounted, especially when one considers automated technology as a way of reducing trauma for human moderators. Using AI for prioritizing content for review can turn out to be effective for human moderators as it can increase their efficiency and reduce harmful effects of content moderation on them. Additionally, it can also limit the exposure of harmful content to internet users. Moreover, AI can also reduce the impact of harmful content on human moderators by allocating content to moderators on the basis of their exposure history. Theoretically, if the company’s claims are to be believed, using automated technology for prioritizing content for review can help to improve the mental health of Facebook’s human moderators.

Click to download the file here.

For more details visit https://cis-india.org/internet-governance/blog/submission-to-the-facebook-oversight-board-policy-on-cross-checks

Submission to the Committee of Experts on a Data Protection Framework for India

amber — 2018-02-05T13:39:00Z

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ (“White Paper”) released by the Ministry of Electronics and Information Technology. The White paper was drafted by a Committee of Expert (“Committee”) constituted by the Ministry. CIS has conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. The submission was made on January 31, 2018.

For more details visit https://cis-india.org/internet-governance/submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india

Submission to IGF 2025 Call for Thematic Inputs

Amrita Sengupta, Yesha Tshering Paul, and Pallavi Bedi — 2025-03-06T06:36:10Z

Below are CIS's inputs submitted in response to the IGF 2025 Call for Thematic Inputs. They will inform the MAG’s discussions and assist them in determining the thematic priorities of the IGF 2025 programme.

On AI governance, AI risks and AI and data:
In the past many years, there has been rapid advances in the use of AI, most recently with the use of generative AI by end users and citizens. While questions of ethical use of AI, need for fairness, accountability and transparency are not new, the very rapid scale deployment of AI across different fields and also the easy use of AI across different users, have raised questions of exacerbated harms, infringement of copyright among others and a lot of focus currently is on developing governance for AI. Somewhere, there has been an acceptance of inevitability and almost omnipresence of AI across different contexts which has furthered deliberations around harnessing AI for good. We ask that while “AI for good” as an issue is being mainstreamed, it is most critical that there are avenues to discuss and understand areas where AI should not be used (because of the outsized harms as compared to its benefits) or can be used through limited use of resources (given the wide ranging environmental impacts associated with AI and the resource intensive areas of computational power and data centers) and mechanisms to actualize that. This means that not only do we discuss AI governance in the context of where it is already deployed but also discuss conditions in which it should not be deployed.
There also needs to be greater and more specific regional conversations around data use for AI, especially for developing predictive AI systems, in sensitive settings such as healthcare and financial services. The challenges of using different data for different geographical settings have been well documented (consider for example training data from global north to develop and deploy AI diagnostics for a country in global south). There needs to be more specific conversations and transparency around data sources that are being used and how they can be both ethically sourced but also made contextually relevant. IGF can support these conversations by inviting specific inputs from the multi-stakeholder community on these specific issues.

On digital identity:
There is growing interest in digital public infrastructure and its use for public service delivery and has potential to offer benefits and meaningful governance, if done well, as certain examples may suggest. However, the implementation of digital ID systems for example, particularly when they are the sole means of identification, raises critical questions. Such systems must have robust legislative backing, including privacy and data protection frameworks, if not regulations, along with sufficient legislative and judicial oversight to ensure accountability. Concerns about mission creep—where systems initially introduced for specific purposes gradually expand to other uses without adequate scrutiny—highlight the need for clearly defined objectives and legal safeguards. These systems should proactively assess and mitigate risks and harms before implementation. Furthermore, given that many of these systems rely heavily on private companies with limited oversight, it is crucial to ensure meaningful community participation and accountability throughout the entire process to prioritize public interest over private gains. As we think about DPIs, we urge that its applicability, necessary infrastructural availability, assessment of risks are adequately considered and detailed through the themes and sessions at IGF.

On data governance and youth engagement:
Personal data is being captured by different actors in an unprecedented manner, and at times without any legislative backing or grievance redressal mechanism. With the advent of generative AI- there are also concerns regarding the extent to which data which is publicly available is being used and for what purposes. These concerns are exacerbated when children’s data is being used for generative AI purposes; in most cases without the knowledge or consent of the children. In an increasingly digitised world, how should children navigate the digital world; what is the appropriate age for children to access the internet and should there be age-gating, and if yes, how should that be implemented? What are the mechanisms to determine parental verification? As we have more and more young people online, it will be essential to define and develop frameworks for children’s use and experience of the internet, including having young people participate in these discussions.

We request some steps to be taken at the IGF annual meeting and during its intersessional work:
-Reduce duplication of processes and efforts when it comes to implementation of GDC and continue to look at existing arenas like the WSIS+20 and IGF. Greater coordination and collaboration among various UN bodies.
-Robust support for civil society participation at the IGF and other internet governance processes, especially so from Global South.
-Creation of well resourced working groups that look through the GDC implementation work where relevant.

Given the diverse set of stakeholders and the wide ranging nature topics discussed, it is understandable that the IGF covers a lot of ground. It would be beneficial if there might be deeper reflections on fewer issues if possible, so that there is greater depth in conversations as opposed to a much wider coverage. We understand that this might be difficult given what IGF sets out to do, but a more focused approach might help stakeholders have a better understanding of priorities and areas of focus. It will also be very helpful if all sessions have space for Q&A, even if it is for 10 minutes. It allows for listeners to reflect and also ask questions, where possible.

For all inputs, please visit: https://intgovforum.org/en/igf-2025-proposed-issues (CIS's inputs are under ID322)

For more details visit https://cis-india.org/internet-governance/submission-to-igf-2025-call-for-thematic-inputs

Submission to Global Commission on Stability of Cyberspace on the definition of Cyber Stability

Arindrajit Basu and Elonnai Hickok — 2019-09-11T14:52:25Z

"The Global Commission on the Stability of Cyberspace released a public consultation process that sought to solicit comments and obtain feedback on the definition of “Stability of Cyberspace”, as developed by the Global Commission on the Stability of Cyberspace (GCSC).

The definition of cyberspace the GCSC provided was :

Stability of cyberspace is the condition where individuals and institutions can be reasonably confident in their ability to use cyberspace safely and securely, where the availability and integrity of services in cyberspace is generally assured, where change is managed in relative peace, and where tensions are resolved in a peaceful manner.

CIS gave detailed commentary on the definitions [attached] and suggested a new definition of cyber stability documented below:

Stability of cyberspace is the objective where individuals, institutions and communities are confident in the safety and security of cyberspace; the accessibility,availability and integrity of services in cyberspace can be relied upon and where change is managed and tensions ranging from external interference in sovereign processes to the use of force in cyberspace are resolved peacefully in line with the tenets of International Law,specifically the principles of the UN Charter and universally recognised human rights.

Cyber stability can only be fostered if key stakeholders in cyberspace conform to a due diligence obligation of not undertaking and preventing actions that may prevent cyber stability. The end goal of cyber stability must minimize or eliminate immaterial or peripheral incentives while preserving and potentially legitimizing those cyber offensive operations that can further effective deterrence and thereby foster stability, while also minimising any collateral damage to civilian life or property.

Click to view the detailed submission here

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-september-9-2019-submission-to-global-commission-on-stability-of-cyberspace

Submission on India's Draft Comments on Proposed Changes to the ITU's ITRs

pranesh — 2012-12-07T04:15:56Z

Given below are the responses from the representatives of civil society in India (The Society for Knowledge Commons, Centre for Internet & Society, The Delhi Science Forum, Free Software Movement of India, Internet Democracy Project and Media for Change) to the Government of India's proposals for the upcoming WCIT meeting, in December 2012, in Dubai.

Our detailed comments on India's draft proposals can be found here. Also read the final version of Indian Government's submission to ITU on November 3, 2012.

Background

We believe that, aspects of Internet governance that have been and are presently addressed by bodies other than ITU should not be brought under the mandate of the ITU through the ITRs.

Some of the proposed changes to the ITR's could have a significant negative impact on the openness of the Internet.

In addition, the processes related to the WCIT lack openness and transparency: the WCIT / ITU excludes civil society, academia and other stakeholders from participation in and access to most dialogues and documents, contrary to established principles of Internet governance as laid down in the Tunis Agenda and as supported by the Indian government at several national and international fora. The WCIT process needs to be improved both at the domestic and global level. We urge the Indian government to support a more open process in the future, with respect to deliberations that will have a significant impact on the people.

We recognise that concerns regarding cyber-security, spam, fraud, etc. are real and that some of these concerns require to be addressed at the global level. However, we believe that as a number of parallel processes are working on these specific issues, these need not be brought under the ITRs.

We therefore strongly recommend that the ITRs continue to be restricted to the infrastructure layer that has traditionally been the area of its focus and not the content or the application layer of the Internet. Any measure that impinges on these layers should be kept out of ITRs and taken up at other appropriate (multi-stakeholder) fora.

We note that the proposal ARB/7/24 defines an "operating agency" as "any individual, company, corporation or governmental agency which operates a telecommunication installation intended for an international telecommunication service or capable of causing harmful interference with such a service" and believe that this definition is too broad in scope and ambit. Inclusion of such a term would broaden the mandate of the ITU to regulate numerous actors in the Internet sphere who do not fall under the infrastructure layer of the Internet. We call on the Indian government to ensure that the term "operating agency" is defined in a narrower or more restrictive manner and only used in exceptional cases. Normally, the obligations of member states should be with respect to "recognised operating agencies" and not omnibus all "operating agencies".

Follow-up

We would like to note that we have never officially received this document directly from the Indian government. In view of the support the Indian government continually espouses for multi-stakeholder Internet governance, this is a matter of deep regret.

We are aware that the official closing date for proposals is early November. However, we also know that several governments intend to submit proposals right upto the beginning of the WCIT meeting. In addition, several governments have included civil society representatives on their official delegation.

We therefore call upon the Department of Telecommunications to organise an open consultation with civil society representatives, to discuss both India's proposals and the comments of various civil society representatives on them, in greater depth, as part of DoT’s preparation for the WCIT meeting and in line with India's espoused commitment to multi-stakeholderism. We look forward to discussing our inputs with the Government to make the decision making process on governance more participatory and inclusive.

For more details visit https://cis-india.org/internet-governance/blog/submission-on-indias-draft-comments-on-proposed-changes-to-itus-itrs

Submission by the Centre for Internet and Society on Revisions to ICANN Expected Standards of Behavior

vidushi — 2016-06-30T06:07:37Z

Prepared by Vidushi Marda, with inputs from Dr. Nirmita Narasimhan and Sunil Abraham.

We at the Centre for Internet and Society (“CIS”) are grateful for the opportunity to comment on the proposed revisions to ICANN’s Expected Standards of Behavior (“Standards”).

Before providing specific comments on the proposed revisions, CIS would like to state for the record our extreme disappointment while noting that there is no indication of the intention to draft and adopt a dedicated anti - harassment policy. We are of the firm opinion that harassment, and particularly sexual harassment, is not only a sensitive topic, but also a deeply complex one. Such a policy should consider scope, procedural questions, redressal and remedies in cases of harassment in general and sexual harassment in particular. A mere change in language to these Standards, however well intentioned, cannot go too far in preventing and dealing with cases of harassment in the absence of a framework within which such instances can be addressed.

Some of the issues that arose at ICANN55 were confusion surrounding the powers and limits of the Ombudsman’s office in dealing with cases of harassment, the exact procedure to be followed for redressal surrounding such incidents, and the appropriate conduct of parties to the matter. There will be no clarity in these respects, even if these proposed changes are to be adopted.

Specifically, the proposed language is problematic and completely inadequate for the following reasons:

Vague

Terms like “professional conduct” and “appropriate behavior” mean little in the absence of a definition that entails such conduct. These terms could mean vastly different things to each community member and such language will only encourage a misalignment of expectation of conduct between community members. The “general” definition of harassment is at best, an ineffective placeholder, as it does not encompass exactly what kind of behavior would fall under its definition.
Fails to consider important scenarios

The proposed language fails to consider situations where some attempts or advances at communication, sexual or otherwise, occur. For example, consider a situation in which one community member stalks another online, and catalogues his/her every move. This is most certainly foreseeable, but will not be adequately covered by the proposed language. Further, terms like “speech or behavior that is sexually aggressive or intimidates” could or could not include types of speech such as art, music, photography etc, depending on who you ask. It also does not explain the use of the word behavior - physical, emotional, professional, online behavior are all possible, but the scope of this term would depend on the interpretation one chooses to apply. In part 4 below, we will demonstrate how ICANN has applied a far more detailed framework for harassment elsewhere.
Ignores complexity

In discussions surrounding the incident at ICANN55, a number of issues of arose. These included, inter alia, the definition of harassment and sexual harassment, what constituted such conduct, the procedure to be followed in such cases, the appropriate forum to deal with such incidents and the conduct that both parties are expected to maintain. These questions cannot, and have not been answered or addressed in the proposed change to the Standards. CIS emphasizes the need to understand this issue as one that must imbibe differences in culture, expectation, power dynamics, and options for redressal. If ICANN is to truly be a safe space, such issues must be substantively and procedurally fair for both the accused and the victim. This proposed definition is woefully inadequate in this regard.
Superficial understanding of harassment, sexual harassment

The proposed changes do not define harassment, and sexual harassment in an adequate fashion. The change currently reads, “Generally, harassment is considered unwelcome hostile or intimidating behavior -- in particular, speech or behavior that is sexually aggressive or intimidates based on attributes such as race, gender, ethnicity, religion, age, color, national origin, ancestry, disability or medical condition, sexual orientation, or gender identity.” These are subject to broad interpretation, and we have already highlighted the issues that may arise due to this in 1, above. Here, we would like to point to a far more comprehensive definition.

ICANN’s own Employment Policy includes within the scope of sexual harassment “verbal, physical and visual conduct that creates an intimidating, offensive or hostile working environment, or interferes with work performance.” The policy also states:

Harassing conduct can take many forms and includes, but is not limited to, the following:

Slurs, jokes, epithets, derogatory comments, statements or gestures;

Assault, impeding or blocking another’s movement or otherwise physically interfering with normal work;

Pictures, posters, drawings or cartoons based upon the characteristics mentioned in the first paragraph of this policy.
Sexually harassing conduct includes all of the above prohibited actions, as well as other unwelcome conduct, such as requests for sexual favors, conversation containing sexual comments, and unwelcome sexual advances.”

This definition is not perfect, it does not comprehensively consider advances or attempts at communication, sexual or otherwise, which are unwelcome by the target. Nonetheless, CIS believes that this is a far more appropriate definition that does not include vague metrics that the proposed changes do. Since it is one ICANN has already adopted, it can act as an important stepping stone towards a comprehensive framework.

Like ICANN, UNESCO’s organisational approach has been to adopt a comprehensive Anti-Harassment Policy which lays down details of definition, prevention, complaint procedure, investigations, sanctions, managerial responsibility, etc. Acknowledging the cultural sensitivity of harassment particularly in international situations, the policy also recognizes advances or attempts at communication, sexual or otherwise. Most importantly, it states that for conduct to come within the definition of sexual harassment, it “must be unwelcome, i.e. unsolicited and regarded as offensive or undesirable by the victim.”

Conclusion

In conclusion, we would like to reiterate the importance of adopting and drafting a dedicated anti-harassment policy and framework. The benefits of safety, certainty and formal redressal mechanisms in cases of harassment cannot be over emphasized.

Importantly, such measures have already been taken elsewhere. The IETF has adopted an instrument to address issues of harassment that occur at meetings, mailing lists and social events. This instrument contemplates in detail, problematic behavior, unacceptable conduct, the scope of the term harassment, etc. It further envisages a framework for redressal of complaints, remediation, and even contemplates issues that may arise with such remediation. It is particularly important to note that while it provides a definition of harassment, it also states that "[a]ny definition of harassment prohibited by an applicable law can be subject to this set of procedures, recognising harassment as a deeply personal and subjective experience, and thus encouraging members to take up issues of harassment as per their cultural norms and national laws, which are then considered as per procedures laid down."

A similar effort within the ICANN community is critical.

For more details visit https://cis-india.org/internet-governance/submission-by-the-centre-for-internet-and-society-on-revisions-to-icann-expected-standards-of-behavior

Submission by Indian Civil Society Organisations on Proposals for the Future ITRs and Related Processes

pranesh — 2012-12-07T08:00:19Z

The Centre for Internet & Society was one of the signatories of this submission which was sent in November 2012, in response to the International Telecommunication Union's call for public comments in relation to the revision of International Telecommunication Regulations that are to take place at the ITU's World Conference on International Telecommunications in Dubai from December 3 to 14, 2012.

We, the undersigned civil society organisations from India, respectfully acknowledge the important role that the ITU has played in the spread of telecommunications around the world. However, we are concerned about the lack of transparency and openness of the processes related to the WCIT: the WCIT/ITU excludes civil society, academia and other stakeholders from participation in and access to most dialogues and documents. The documents that are publicly available show that some of the proposals might deal with Internet governance. According to established principles as laid down in the Tunis Agenda - which process the ITU helped to lead - Internet governance processes are required to be multistakeholder in nature. The WCIT and ITU processes require urgent improvement with regard to openness, inclusiveness and transparency. While we appreciate the current opportunity to share our comments, we would like to encourage the ITU and its Member States to adopt a genuine multistakeholder approach at the earliest.

As mentioned, we do welcome the current opportunity to share our thoughts. Though this list is not exhaustive, some of our major concerns are as follows:

We believe that, given the historical development of present methods of internet regulation, aspects of Internet governance that have been and are presently addressed by bodies other than ITU should not be brought under the mandate of the ITU through the ITRs.

We therefore strongly recommend that the ITRs continue to be restricted to aspects of the physical layer that have traditionally been the areas of its focus. The ITRs scope should not be expanded to other layers, nor to content - any measure that impinges on these layers should be kept out of ITRs and taken up at other appropriate (multi-stakeholder) fora. In addition, it is crucial that “ICTs” and the term “processing” be excluded from the definition of telecommunication as this clearly opens up the possibility for Member States to regulate/attempt to regulate the “content/“application” layer on the internet at the ITU.

We also recommend that provisions regarding international naming, numbering, addressing and identification resources will be restricted to telephony, as should provisions regarding transit rate, originating identification and end-to-end QoS. Provisions regarding the routing of Internet traffic should not find a place in the ITRs at all.

We recognise that concerns regarding cyber security, spam, fraud, etc. are real and that some of these concerns require to be addressed at the global level. However, as these are being discussed in many other fora, we believe that the ITRs are not the best place to address these. Their inclusion here could inhibit the further evolution and expansion of the Internet. We also believe that any fora discussing cyber security should be multistakeholder, open and transparent.

We note that the proposal ARB/7/24 defines an “operating agency” as “any individual, company, corporation or governmental agency which operates a telecommunication installation intended for an international telecommunication service or capable of causing harmful interference with such a service” and believe that this definition is too broad in scope and ambit. Inclusion of such a term would broaden the mandate of the ITU to regulate numerous actors in the Internet sphere who do not fall under the infrastructure layer of the Internet. The term “operating agency” should be defined in a narrower or more restrictive manner and, irrespective of its exact definition, only be used in exceptional cases. Normally, the obligations of member states should be with respect to “recognised operating agencies” and not omnibus all “operating agencies”.

Signed:

Centre for Internet and Society
Delhi Science Forum
Free Software Movement India
Internet Democracy Project
Knowledge Commons (India)

For more details visit https://cis-india.org/internet-governance/blog/submission-on-proposals-for-future-itrs-and-related-processes

Students lead the way with apps for ideas

praskrishna — 2014-05-28T09:24:30Z

At 1am, the lights are still on in 15-year-old Pratik's room at his house on 80 Feet Road, Indiranagar. The NPS-Koramangala student is busy typing code on his laptop for his latest app called Resolve.

The article published in the Times of India on May 21, 2014 quotes Nishant Shah.

Pratik epitomizes Gen X. Coding and decoding, these school children, barely into their teens, are developing apps drawing attention worldwide.

"I learnt coding by myself with the help of the internet. The world wants things simplified and that's why apps are a hit. The first app I made was a calculator because my dad was unhappy with the one on his phone. My work was initially rejected, but I knew that would happen. But I continued working. When I went to a Microsoft conference, they told me youngsters have ideas to change the world and we have the time," said Pratik.

He was felicitated with a Nokia Lumia 1520 at the Windows Azure Conference 2014 for his work in developing apps for Windows and Windows Phone store.

Rahul Yedida, a Class 12 student at the National Centre for Excellence, has around 18,000 downloads for the app he and his friend created. "I wasn't too happy with the amount of Maths homework. I started wondering whether an app could do it. At the same time, I had learnt a new language and wanted to test my skills. That's how I started working on it," said Rahul.

"Programming is fun. Seeing a computer work the way you want it to gives you special joy," said Vaisakh M, Rahul's co-developer. They sent a letter to Bill Gates about the app and got a reply lauding their achievement.

Quote hanger
* During my free time, I read about programming which helps me when I write programs. My friends in the colony join me when I watch videos about it. They do programs in other languages. I play games and used to wonder how they're made. My dad promised to get me a laptop if I start programming and that's how it started.

Thrisha Mohan| 12, Vidyashilp Academy, now working on a jewellery app

* Apps are the cool things to do now. With the kind of access possible thanks to smart phones, they have gone to the masses. I wouldn't be surprised at the number of apps being created. When an app is created in a college dormitory, 1,000 students in the college will download it. That's instant gratification. The ecosystem is such that with social networking sites, you become an instant hero. The question is: How many can be successful and have a long life?

S Sadagopan | director, IIIT-B

* Apps are more relevant for those growing up with interfaces which are mobile and wearable. We also need to realise there is a growing generation of people whose first point of access to the digital as well as to the connected worlds of the internet is through mobile devices. And apps are a natural way of interaction. It is a positive trend because it allows users to think of themselves not only as 'users' but as active producers of the digital world. They look beyond platforms made available by multi-national companies or private enterprises, and it allows them to build communities of interaction and learning between them. We need to make sure they are safe and not susceptible to invasive presence of others who might exploit their presence on the web.

Nishant Shah | director- research, The Centre for Internet and Society

For more details visit https://cis-india.org/news/times-of-india-may-21-2014-sruthy-susan-ullas-students-lead-the-way-with-apps-for-ideas

Stop the Haphazard Internet Shutdown Says MP Jay Panda

praskrishna — 2017-04-27T16:44:27Z

In just one year India lost $968M due to Internet shutdowns; “Cops may not be the right decision makers when it comes to imposing what is a digital curfew,” added an entrepreneur journalist.

The article by Regina Mihindukulasuriya was published in the Businessworld on April 26, 2017.

An entrepreneur from the troubled state of Kashmir, Muheet Mehraj, is cofounder and CEO of Kashmirbox.com. He said that businesses that run on the Internet are crippled by Internet shutdowns. “A lot of people's livelihood depends on the Internet. If you shut down the Internet, you shut down their lives. Also, hospitals and academic institutes need constant Internet access and a way must be found to ensure they are never impacted by a shutdown.”

In 2016, Brookings Institution released a survey of 19 countries and the Internet shutdowns each of them experienced. India was in that list and according to the century old research institute, suffered the biggest economic loss to GDP at 968 million dollars all due to Internet shutdowns.

The general secretary of Maha Gujarat Bank Employees Association was quoted in 2016 as saying that an Internet shutdown for 6 days across Gujarat culminated in a loss of rupees 7000 crore for banks in the state.

The Brookings survey recorded the maximum number of disruptions in India at 22. According to IndiaSpend.org, The Centre for Communication Governance at the National Law University of Delhi counts 37 shutdowns across 11 states since 2015 and 22 of them happened in the first 9 months of 2016.

The Software Freedom Law Centre (SFLC) claims there have been 72 instances of Internet shutdown in India since 2012 and that not all of them are justified.

The SFLC.in along with other civil society organizations addressed the increasing frequency of Internet shutdowns in the country. Baijayant 'Jay' Panda, Member of Parliament said that India needs effective checks and balances on the process and power to order Internet Shutdowns in India. He added that, “The power to shut Internet should be exercised by the district's Superintendent of Police only in rare cases when there is imminent threat to breakdown of law and order, and risk of loss of life and property".

He was speaking at a public discussion organized by SFLC.in, in association with Digital Empowerment Foundation (DEF); IT for Change, Internet Democracy Project (IDP); Centre for Internet and Society (CIS), and Foundation for Media Professionals (FMP).

Mr Panda remarked that this power should be limited to 24 or 48 hours. “If Internet must be shut down for a longer duration, the decision must be taken by Director General of Police or the chief secretary of state”, he said.

Abhinandan Sekhri, cofounder and CEO of Newslaundry raised concerns that there is a fundamental flaw in how Indians approach law making, in that they first look at the worst case scenario before taking a liberal and democratic point of view. “Cops may not be the right decision makers when it comes to imposing what is a digital curfew,” Mr. Sekhri said.

Snehashish Ghosh, associate manager for public policy at Facebook said, “Even though we may not have ready data to measure the impact of shutdowns, there is no denying that businesses suffer.” The Facebook Inc. – owned, WhatsApp is often reported as one of the most missed services whenever the Internet is shutdown in Kashmir during days of social unrest.

Mishi Choudhary, president and legal director of SFLC.in said, “According to our Internet Shutdown Tracker, India has experienced at least 72 instances of Internet Shutdowns since 2012. Several communities and states have suffered irreversible socioeconomic losses because they were denied Internet access for extended durations.”

Mishi continued, “The shutdown of Internet not only restrains basic human rights such as the right to freedom of speech and expression, but also cripples activities like e-commerce, e-governance, e-health and e-learning, entirely reliant on the Internet.”

For more details visit https://cis-india.org/internet-governance/news/business-world-regina-mihindukulasuriya-april-26-2017-stop-the-haphazard-internet-shutdown-says-mp-jay-panda

Stop Press Carousel

praskrishna — 2013-03-06T04:27:15Z

The silent blocking of URLs by the DoT assaults freedom of expression.

Arindam Mukherjee's article was published in the Outlook on February 22, 2013. Sunil Abraham is quoted.

Five Questions

On what grounds did the DoT ask for a ban on the 55 Facebook URLs pertaining to Afzal Guru?
Why did the Gwalior court rush into blocking of 73 URLs related to IIPM even though the content was very old and clearly some of it was even prima facie non-defamatory?
Why is the Gwalior court order not being made public?
Why doesn’t DoT keep the whole process transparent by putting up all its block orders on its website, giving reasons in each case?
How many URLs in all has the DoT asked for a ban on so far?

***

It’s the perfect recipe for a potboiler—a sudden, mysterious and arbitrary blocking of web pages, sparked off by an irate ‘educationist’; several upset publications (Outlook included); a government department with a blocked web page; a ministry trying to figure out how to react to a court order that is at the root of all the action, but which no one has been able to see.

As the cliche goes, truth is often stranger than fiction—as the affected parties discovered on February 15. That’s when it became known that the government had sought to block 78 web pages, reportedly following an order from a court in Gwalior. Around 73 of these articles sought to be blocked are on the controversial Indian Institute of Planning and Management (IIPM), promoted by self-styled management guru Arindam Chaudhuri.

What has taken everyone by surprise is how the blocks were executed—in a clandestine manner, without informing the affected parties, without serving them a notice or a copy of the order, or giving them a chance to react or defend themselves. The enormity of the ban is evident from the list of websites targeted, which include The Economic Times, The Indian Express, The Wall Street Journal, FirstPost, Careers360, Rediff.com and Caravan. When it came to Outlook, there was a clear case of overreach, as not just the web pages, but the entire blogs area was blocked for more than eight hours (see Jump Cut).

What is even more surprising is the smokescreen that is being maintained over the Gwalior court order that has caused this consternation on the Internet. At the time of going to print, no one—the affected websites, authors, lawyers or activists—had access to the order or had seen it, and the government was evading media queries on details of the order and the case. Despite repeated requests, the head of the Computer Emergency Response Team (CERT), Gulshan Rai, did not speak to Outlook.

So, in the absence of the order, no one even knows who the complainant is. Significantly, IIPM’s Chaudhuri has said that one of his ‘channel partners’ approached the court, though he clearly is the chief beneficiary of the episode. What this entire episode serves up is a blatant use of the law to muzzle press criticism while the government and official machinery have been willy-nilly forced to become mute players.

This surreal, Kafkaesque scenario continues apace at Outlook’s website, where on protesting the block on its blogs, the ISP said, “As only some of the URLs are mentioned in the DoT letter, we have reactivated the website and requested you to delete the mentioned contents,” adding that they had “attached the DoT instructions alongwith”. What they had attached was not one but two DoT orders, both dated February 14. One was, of course, the order about the 78 URLs. The other order came as news: an order on 55 Facebook URLs on Afzal Guru that the DoT wanted blocked.

As expected, internet activists and advocates of freedom of speech are livid. Shivam Vij, founder of kafila.org, one of the blogs that was blocked in the IIPM matter, says, “We were never given a chance to defend or explain. If only the DoT had put up the notice on their website, there would have been a healthier debate on regulation or censorship. But this was done in an opaque and arbitrary manner. If a book is banned, everyone gets to know. Why was there so much secrecy here?”

The arbitrariness of the twin government action also stems from the new IT Act which authorises the government or a competent authority to block or take down content considered “harmful”. And, according to the law, there is no obligation on the authorities’ part to inform the defendants. Cyber law expert Apar Gupta says, “Under the blocking rules, there is nothing that says that a copy of the court order has to be given to the affected parties. The rules also do not talk about the authors being given a chance to explain. It permits ad interim injunction to block content.”

Says Nikhil Pahwa, internet activist and editor of Medianama, which first reported about the IIPM blocks, “It is not clear why the DoT has taken this cloak-and-dagger approach. These are legitimate issues being raised by people regarding IIPM and its students. This is an infringement on the freedom of speech and expression. The DoT should have executed the blocks in a transparent manner by sending the affected parties a copy of the court order and making it public.”

That’s important, because legal experts feel that full facts may not have been considered in the IIPM case. “For this kind of a blocking order, the content should have come to the notice of the plaintiff recently. In this case, most of the content was much older. But sometimes plaintiffs also do not provide full details in a case,” says Gupta. Lawyers also feel that the Gwalior court may not be equipped to deal with litigation on new technologies.

There are other issues. In the IIPM case, the issue is primarily of defamation. But it is not clear whether defamation was established in all the articles that were sought to be taken down, especially a University Grants Commission (UGC) notice. Thus, the evidence that was presented to the court is important. Once again, till the court order becomes public, no one will know who the complainant was or what evidence was presented. The temporary ban on UGC’s web page is particularly surprising—and this has been noted by Shashi Tharoor—considering it is an independent regulator. “The regulatory body’s job is to regulate and nobody considers its notice as defamatory,” says Parminder Jeet Singh of IT for Change, an organisation dealing with internet issues.

The real purpose of such exercises, say experts, is to create a scare and embroil people in the legal process so that the process itself becomes a punishment and acts as a deterrent to others to engage in such writing. And that is why such cases are filed in remote and unusual destinations like Gwalior, Silchar, Dehradun and Guwahati. “There is a concept of forum shopping and forum shifting where cases are filed at remote destinations and by asking for huge damages, an attempt is made to scare people away from free speech. There are also many bullies who use defamation to create a scare effect. IIPM seems to have pioneered forum shopping in India,” says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society (CIS).

The problem, everyone agrees, stems from the faulty nature of the Information Technology Act, which is open to interpretation and misuse. Says Singh, “The law tries to cover everything under a single head. It does not look specifically at the nuances of new media and give an appropriate response. So it is misused.” It is time that DoT became transparent and stopped its arbitrary, covert war against freedom of expression.

For more details visit https://cis-india.org/news/outlook-feb-22-2013-arindam-mukherjee-stop-press-counsel

Stockholm Internet Forum 2019

Admin — 2019-06-05T04:15:00Z

Swedish International Development Agency (Sida) organized the Stockholm Internet Forum 2019 in Stockholm from 16 - 17 May 2019. Gurshabad Grover was a panelist in the discussion on 'Influencing Internet Governance' co-organised by Article 19. The other panelists were Sylvie Coudray (UNESCO), Grace Githaiga (Kictanet), J. Carlos Lara (Derechos Digitales) and Charles Bradley (GPD). The discussion was moderated by Mallory Knodel (Article 19).

Gurshabad's primary contributions were around the motivations for civil society organisations to participate in technical internet governance fora, and how their role has matured at such fora in the last couple of years. Gurshabad extends his thanks to the inputs of Akriti Bopanna and Arindrajit Basu primarily for their contributions around the motivations for civil society organisations to participate in technical internet governance fora, and how their role has matured at such fora in the last couple of years.

Click to view the agenda. See the concept note here

For more details visit https://cis-india.org/internet-governance/news/stockholm-internet-forum-2019