We are anonymous, we are legion

State Surveillance and Human Rights Camp: Summary

elonnai — 2013-07-12T16:02:51Z

On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.

The camp also served as a platform for collaboration on the Draft International Principles on Communications Surveillance and Human Rights. These principles seek to set an international standard for safeguards to the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications meta data to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.

The draft principles were institutionalized for a number of reasons including:

Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data.
Practices around surveillance of communications by governments and the technology used by governments is rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated.
New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.
Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual.

This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.

A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed here .

Summary of the Draft International Principles on Communications Surveillance and Human Rights

Legality: Any surveillance of communications undertaken by the government must be codified by statute.

Legitimate Purpose: Laws should only allow surveillance of communications for legitimate purposes.

Necessity: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.

Adequacy: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes.

Competent Authority: Any authorization for surveillance of communications must be made by a competent and independent authority.

Proportionality: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose.

Due process: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.

User notification: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information.

Transparency about use of government surveillance: The governments ability to survey communications and the process for surveillance should be transparent to the public.

Oversight: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications.

Integrity of communications and systems: In order to enable service providers to secure communications securely, governments cannot require service providers to build in surveillance or monitoring capabilities.

Safeguards for international cooperation: When governments work with other governments across borders to fight crime, the higher/highest standard should apply.

Safeguards against illegitimate access: Governments should provide sufficient penalties to dissuade against unwarranted surveillance of communications.

Cost of surveillance: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.

Types of Data

The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.[1]

Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.[2]

It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. Given the sensitivity of communication data and the ability for personal information to be derived from the data, the ease that law enforcement is accessing the data, and the unawareness of the individual about the access- places the privacy of users at risk.

Ways of Accessing Data

Ways in which governments and law enforcement access information and associated challenges was discussed, both in terms of the legislation that allows for access and the technology that is used for access.

Access and Technology

In this discussion it was pointed out that in traditional forms of accessing data governments are no longer effective for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to survey individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example in 2012, it was found that FinSpy, a computer espionage software made by the British company Gamma Group was being used to target political dissidents by the Government of Bahrain. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.[3]

In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).[4] Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows for ISP's to monitor and filter data flowing through the network by inspecting the header of a packet of data and the content of the packet.[5] With this information it is possible to read the actual content of packets, and identify the program or service being used.[6]

DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.[7]

Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISP's to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".[8]

Access and Legislation

The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.

1]. EFF. Mandatory Data Retention: United States. Available at: https://www.eff.org/issues/mandatory-data-retention/us
[2].Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/
[3]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0
[4]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html
[5]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works
[6]. Kassner. M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609
[7]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=138
[8].Chirgwin. R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/

For more details visit https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary

State Surveillance and Human Rights Camp

praskrishna — 2012-12-21T07:19:55Z

A two-day conference was held in Rio on December 13 and 14 at Sheraton Rio Hotel & Resort. Elonnai Hickok participated in the event and made a presentation on MLATS and International Cooperation for Law Enforcement Purposes.

Click here to see the Wiki page of the event. See Elonnai's presentation here [PDF, 313 Kb].

DAY 1: Mapping Out Government Surveillance Problems

8:30 - 9:00 Registration

9:00 - 9:10 Welcome/Introduction

Katitza Rodriguez, Electronic Frontier Foundation [Peru, ES]

Simultaneous interpretation from Spanish to English and Portuguese.

Plenary: Kinds of Data, Ways of Getting It

09:10 - 10:30

Chair: Enrique Chaparro, Fundacion Via Libre [Argentina, ES]

Metadata, online identifiers, and technologies of surveillance

Seth Schoen, Electronic Frontier Foundation [United States, EN]

Simultaneous interpretation from English to Spanish and Portuguese.

Surveillance is getting easier and cheaper for many reasons, not least because people are using electronic communications more than ever before, and there are so many facts out there to be noticed about the ways devices are talking to each other.
I will talk about the kinds of things that refer to people and their devices, with a particular focus on telecommunications metadata and transactional records that are described as "non-content" and may receive lower levels of legal protection. I'll discuss who is in a position to record this information, some of the things that can be learned from it, and why traffic analysis is powerful and difficult to defend against.
I'll try to explain concepts like MAC address, IP address, account name and number, telephone number, IMEI, IMSI, transient identifiers, log files, transactional records, locational privacy, and associational privacy.

How law enforcement agencies use cell phone location tracking technology in criminal cases

Hanni Fakhoury, Electronic Frontier Foundation [United States, EN]

With the rise of smartphones, the U.S. government's use of cell site location data to pinpoint our exact location has grown more widespread (and precise) over time. For years, U.S. courts permitted the government to get this location data without a search warrant under a tortured interpretation of federal electronic privacy statutes and an even more alarming constitutional argument: that we don't have any privacy in data we turn over to third parties, like cell phone companies. This talk will review what location data is and why the police want it, how they can get it under U.S. law, and legal and practical steps that need to be taken to safeguard our privacy.

Simultaneous interpretation from English to Spanish and Portuguese.

Deep packet inspection: What it is, how it works, and how it is used for surveillance

Chris Parsons, Doctoral Candidate, University of Victoria [Canada, EN]

Simultaneous interpretation from English to Spanish and Portuguese.

We are in the midst of a standardization revolution, a mass translation of discordant analogue signal types to interoperable digital transmission standards. All this digitized consumer traffic passes through the gateways of Internet Service Providers’ (ISPs). ISPs function as communicative bottlenecks, ideally positioning them to monitor, mine, and modify data using the Deep Packet Inspection (DPI) appliances situated within their networks. Some uses of these appliances could reshape the conditions of communication in democracies, blocking or modifying data transmissions in near real time.
In this presentation I discuss the technical capabilities of deep packet inspection and its significance for increased private and public surveillance capabilities. Drawing from case material from academic and advocacy work, I identify how the technology has been used for ISP-level surveillance, for copyright purposes, for national security purposes, and for advertising purposes. Moreover, I address how advocates in differing nations have opposed various uses of the technology, why they have done so, and conditions that facilitate domestic resistance to deep packet inspections' uses.

Advances in online spying: Commercial surveillance software, targeted hacking and beyond

Morgan Marquis-Boire, Google [New Zealand, EN]

Eva Galperin, Electronic Frontier Foundation [United States, EN]

Simultaneous interpretation from English to Spanish and Portuguese.

Against an increasingly security-aware online community, the traditional tools of blocking, filtering, and wiretapping have become less effective. Nervous regimes turn to the largely unregulated $5 billion a year industry in Internet surveillance tools.
Once the realm of the black market and intelligence agencies, the latest computer spyware is now sold at trade shows for dictator pocket change.
This talk will detail the cat and mouse game between authoritarian regimes and dissidents, as well as ongoing efforts to map out the relationship between surveillance software companies and governments.

10:30 - 10:40 Coffee Break

Workshops: Round I

10:40 - 11:50

Format: Interactive sessions with active participat0ion from the audience.

Workshop 1: Mobile privacy threats

This workshop addresses the ways governments are tracking mobile devices’ location and use, and why it’s been harder to protect communications privacy on mobile devices than on PCs.

Facilitators:
Hanni Fakhoury, Electronic Frontier Foundation [United States, EN]
Seth Schoen, Electronic Frontier Foundation [United States, EN/PT]

Rapporteur:
Enrique Chaparro, Fundación Vía Libre [Argentina, EN/ES]

Workshop 2: Training activists about state surveillance capabilities

In this workshop we’ll talk about some of new surveillance technologies that states are deploying, and the tactics that are used to legitimize the surveillance.
Going beyond just ‘what is used and how’, we speak to some political tactics that advocates have used to resist these tools on practical and principled levels, some of the conditions that contribute to successes, and ways of mobilizing effective strategies against expansions of state surveillance.

Facilitator:
Chris Parsons, University of Victoria [Canada, EN]

Rapporteur:
Katarzyna Szymielewicz, European Digital Rights [Poland, EN]

Workshop 3: Tactics for opposing state sponsored malware and surveillance

This workshop will review the different tactics government and non-government actors have employed to stop authoritarian regimes from making use of surveillance technology built in the United States and Europe to spy on their citizens.
We will discuss corporate responsibility, export controls, as well as the role of security research and user education campaigns. The workshop will end with a brainstorm of at least one concrete action each workshop attendee can take.

Facilitators:

Eva Galperin, Electronic Frontier Foundation [United States, EN]
Morgan Marquis-Boire [New Zealand, EN]

Rapporteur:
Silvio Rhatto, Sarava Group [Brazil, PT]

Reporting Back Session

11:50 - 12:40 Chair:

Katitza Rodriguez, Electronic Frontier Foundation [Peru, ES]

Rapporteurs:
Enrique Chaparro, Fundación Vía Libre [Argentina, EN/ES]
Katarzyna Szymielewicz, European Digital Rights [Poland, EN]

Report: Training Activists about State Surveillance Capabilities

Silvio Rhatto, Sarava Group [Brazil, PT]

Format: Each rapporteur has 10 minutes to report back about the results of their workshop discussion and 20 minutes to answer questions.

12:40 - 2:00 Lunch

Legal and Policy Plenary: Government Access to People’s Data

2:00 - 3:20

Chair: Pedro Paranaguá, Advisor for Internet Policy to the Workers’ Party in the Brazilian Chamber of Deputies [Brazil, PT/EN]

Different data, different rules? How the law has assigned varying levels of privacy protection to different categories of personal information

Kevin Bankston, Center for Democracy and Technology [United States, EN]

Using the example of US law, this presentation will map the different legal protections that have traditionally been applied to different types surveillance of different types of data, and consider how to redraw that map in light of new technologies.
Speaking generally, US surveillance law has been written based on the assumptions that: (1) surveillance of data on your computer is more invasive than access to your data in the cloud;(2) real-time surveillance is more invasive than access to stored data; (3) surveillance of the content of communications is more invasive than surveillance of non-content meta-data; (4) surveillance of newer communications is more invasive than surveillance of older communications.
These assumptions have long defined which types of surveillance are most strongly regulated against and which types of data are most strongly protected by law. Changing technology has made these assumptions about invasiveness and privacy increasingly obsolete, assuming that they ever made sense at all. But if these distinctions are outdated, what if any legal distinctions between different types of surveillance or data should replace them? How, if at all, can the law sensibly distinguish between personal communications and communications data in which we have a reasonable expectation of privacy, and that which we do not?

Simultaneous interpretation from English to Spanish and Portuguese.

Internet companies as an agent of the state & european mandatory telecommunications data retention

Katarzyna Szymielewicz, European Digital Rights [Poland, EN]

In this short presentation I will introduce European (i.e. based on EU legislation) regime of mandatory retention of telecommunication data for law enforcement purposes, explaining its political context, implementation and negative impact on human rights standards (not just privacy-related!).
Using case studies of Poland and Germany I will present two strikingly different approaches to storing telecommunication data and law enforcement, thus questioning the necessity and proportionality of this controversial measure. I will also touch briefly on pending political developments (including the revision of the Data Retention Directive and the reform of data protection law in the EU), explaining what the stakes are, what European civil society organisations are fighting for and why it is such an important fight. Finally, I will explain how the debate about mandatory data retention feeds into a broader discussion about the role of Internet intermediaries, including both their independence from political pressure and protection of their clients from surveillance executed by “private police.”

Simultaneous interpretation from English to Spanish and Portuguese.

Crossborder access to citizen's data and cloud computing in the investigation of criminal cases: Regional trends

Marcos Salt, profesor de derecho penal y procesal penal de la universidad de Buenos Aires (UBA) [Argentina, ES]

During the brief presentation, I will present practical examples of the problems caused by the application by analogy of the rules on physical evidence to obtain digital evidence.
I try to show that this trend is inconvenient to both for efficiency in the investigation of crimes by the state as to the validity of individual rights. I will place special reference to cross-border access to citizen's data in the cloud.

Simultaneous interpretation from Spanish to English and Portuguese.

Background on lawful interception mandates and government access to encryption keys

Seth Schoen, Electronic Frontier Foundation [United States, EN]

Simultaneous interpretation from English to Spanish and Portuguese.

In this session, I'll discuss some of the history of fights over government surveillance powers and government access in the United States, starting in the early 1990s and continuing to the present day. These issues have centered on three main themes: restrictions on cryptography and privacy tools, obligations for communications intermediaries to acquire and implement surveillance capabilities, and mandatory retention of telecommunications data.
One interesting point is that many of the same themes keep recurring: the powers that the government is seeking today are often similar to those it sought two decades ago.
Another interesting point is that the government has not always been successful in expanding its surveillance powers. Many of its proposals never became law and there are still plenty of issues left to fight over. But governments around the world are continuing to having a major effect on the design of technology, getting wiretapping interfaces and backdoors added to communications systems and discouraging deployments of strong encryption.

MLATS and International Cooperation for Law Enforcement Purposes

Elonnai Hickok, Center for Internet & Society India [India, EN]

In this session I will be looking at the challenges, requisite safeguards, and possible solutions in the context of international cooperation for fighting crime. In doing so I will look closely at the proposed principle of safeguards for international cooperation.
The objective of this session will be to explore ways of improving MLATS and international law enforcement cooperation in order to ensure that basic safeguards can be built into the process of international cooperation.

Simultaneous interpretation from English to Spanish and Portuguese.

Format: 10-15 minutes for each five speakers to introduce legal issues and 20 minutes of discussions

3:10 - 3:20 Coffee Break

Workshops: Round II

3:20 - 4:30

Workshop 1: Electronic surveillance demonstrations

In this workshop, we'll take a look at a few electronic surveillance devices (including an ordinary laptop) and look at some of what they can intercept. Technological infrastructure permitting, we may have a live demonstration of intercepting or modifying users' Internet communications.
We'll also consider low-cost surveillance techniques and discuss what kinds of demonstrations have the most pedagogical value for making users aware of particular threats.

Facilitator:
Seth Schoen, Electronic Frontier Foundation [United States, EN]

Rapporteur:
Eva Galperin, Electronic Frontier Foundation [United States, EN/ES/PT]

Simultaneous interpretation from English to Spanish and Portuguese.

Workshop 2: Legal framework regarding compelled disclosure of communications, subscriber information, and cryptographic keys

In this workshop we will cover various examples of compelled disclosure of private information (from subscriber information and content of communication to cryptographic keys) in the context of law enforcement, focusing on their legal aspects. We will briefly present various legal frameworks, discussing both the examples of legal safeguards (“good practices”) and their shortcomings that allow for government surveillance.
We will also look at various human rights implications of these measures and (potential / existing) role of private companies from the perspective of their compliance with such measures (incl. when requested by non-democratic regimes).

Facilitators:
Katarzyna Szymielewicz, European Digital Rights [Poland, EN]
Elonnai Hickok, Center for Internet & Society India [India, EN]

Rapporteur:
Hanni Fakhoury, Electronic Frontier Foundation [United States, EN]

Workshop 3: What data is most private? What surveillance is most invasive? How if at all should laws treat them differently?

This workshop will build on the discussion that began in the law & policy plenary, discussing how certain surveillance laws have applied different legal protections to different types of data and surveillance, and questioning whether such distinctions make sense in light of new technology.
The workshop will address that question from legal, personal, and political perspectives. Participants will share with each other details of how the laws in their countries treat different types of data and different types of surveillance, to facilitate shared understanding of the existing legal frameworks and to identify existing gaps and discrepancies in current legal protections.
Based on their own personal experiences as Internet users and as advocates, participants will then discuss what data in their lives they consider most private and what types of surveillance they find most invasive, and reflect on how if at all the law should distinguish between them. Finally, participants will discuss the politics of these different frameworks: both how gaps and weaknesses in existing frameworks threaten the ability of advocates to politically organize in the face of government surveillance, and how we can best work through the political process and change those frameworks to better reflect current technology and human rights norms.

Facilitators:
Kevin Bankston, Center for Democracy and Technology [United States, EN]
Danilo Doneda, Fundação Getúlio Vargas [Brazil, PT/EN]

Rapporteur:
Beatriz Busaniche, Fundación Vía Libre [Argentina, ES]

Reporting Back Session & Closing Meeting Day 1

4:30 - 5:20

Chair:
Katitza Rodriguez, Electronic Frontier Foundation [Peru, ES]

Rapporteurs:
Eva Galperin, Electronic Frontier Foundation [United States, EN/ES/PT]

Report: Demonstrating Surveillance

Hanni Fakhoury, Electronic Frontier Foundation [United States, EN]

Report: Compelled Disclosure of Communications, Subscriber Information & Cryptographic Keys

Beatriz Busaniche, Fundación Vía Libre [Argentina, ES]

Report: What Data is Most Private? What Surveillance is Most Invasive? Should Laws Treat Different Data Differently?

8:30 pm Dinner

DAY 2: Challenges and Mapping Out Possible Solutions
8:55 - 9:00 Welcome

Plenary: Surveillance in Latin America
9:00 - 10:20

Chair: Camila Marques, Lawyer, ARTIGO 19 [Brazil, PT]

Surveillance in Colombia
Carlos Eduardo Huertas, Semana [Colombia, ES]

Surveillance in Cuba
“Mario Hernandez” [Cuba, ES]

Surveillance in the Northern Triangle
Renata Avila, Global Voices [Guatemala, ES]

Surveillance in Peru
Yonsi Solis, Global Voices [Peru, ES]

Surveillance in Mexico
Caracol Azul, [Mexico, ES]
This session will have simultaneous interpretation from Spanish to English and Portuguese

Keynote: Challenges Posed By Electronic Surveillance

10:20 - 10:40
Frank La Rue, United Nations Special Rapporteur on Freedom of Expression [Guatemala, ES]
Increasing pressure (legal and political) on private parties to help carry out the state’s surveillance mandate.

Simultaneous interpretation from Spanish to English and Portuguese

10:40 - 11:00 Coffee Break

Plenary: International Surveillance & Human Rights Principles: Challenges and Opportunities in Latin America

11:00 - 11:50

Chair: Carly Nyst, Privacy International [Australia/UK, EN]
Simultaneous interpretation from English to Spanish and Portuguese.

Explanation of the Principles: Background, purpose, need, challenges and opportunities

Chilean and Latin American perspectives

Alberto Cerda, Derechos Digitales [Chile, ES]
Simultaneous interpretation from Spanish to English and Portuguese

Expansion of Brazilian law enforcement powers to access users’ digital information

Pablo Ortellado, GPOPAI [Brasil, PT/EN]
Simultaneous interpretation from Portuguese to Spanish and English

Surveillance and regional human rights standards

Juan Camilo Rivera, Comisión Colombiana de Juristas [Colombia, ES]
Simultaneous interpretation from Spanish to English and Portuguese

Workshops: Round III

11:50 - 1:00

Workshop 1: International surveillance and human rights principles: Perspectives from Latin America

Facilitator:
Alberto Cerda, Derechos Digitales [ES] & Carly Nyst, Privacy International [UK, EN]

Rapporteur:
Juan Camilo Rivera, Comisión Colombiana de Juristas [Colombia, ES]

Workshop 2: Technical community activism
What is the technology community doing to defend privacy?

Facilitators:

Enrique Chaparro, Fundación Vía Libre [Argentina, ES ]
João Carlos Caribé, Movimento Mega (aka Mega Não) [Brazil, PT/EN]

Rapporteur:
Eva Galperin, Electronic Frontier Foundation [USA, EN]

Plenary: Hands-on Activism

2:40 - 3:50 p.m.

Chair: Rebecca Bowe, Electronic Frontier Foundation [United States, EN]

Simultaneous interpretation from English to Spanish and Portuguese.

What is meant by Hands-On Activism? As you’ll learn from our panelists, there are many strategies that can be utilized to push back against a surveillance practice or proposal. We’ll cover the most effective ways to obtain public records; strategies for generating interest in digital rights issues; fresh and extraordinary approaches to creative campaigning, and tactics used by an international nonprofit to tackle privacy issues with online campaigns.

Raising digital awareness in Peru

Marco Sifuentes, Instituto Prensa y Sociedad [Peru, ES]

Peru has a very active and influential online community. It can affect the course of elections, prove the president wrong and stop law projects. It can work very well on "real world" matters. But when it comes to online issues, it's been hard to raise awareness on the Peruvian general public and even on the media. What went wrong? However, in the past year, some digital topics have received a lot of coverage. Some not. What changed? I’ll share Peru's experience in the hope that every participant can compare it with his or her own country's situation.

Online organizing for human rights

Fabiola Carrion, Access [Peru, ES/EN]

A recent addition to the Access Team, Fabiola will begin her presentation by talking about her own experiences in organizing and advocacy, arguing that the struggle for human rights is increasingly moving online. She will discuss new tools of organizing, and the importance of combining technology, policy, and grassroots advocacy tactics to affect holistic change in internet policy debates. Her presentation will include a series of short case studies from around the world where Access, along with its various allies, have successfully campaigned for a free and open internet. Her presentation will conclude with a discussion of lessons learned and best practices for online organizing, particularly around issues of surveillance and due process.

Surveillance and secrecy: Strategy and tactics - Using the law to uncover abuse of LEAs’ surveillance powers

Geoff King, Lawyer [United States, EN]

Open government laws, though riddled with exemptions, are powerful tools for shedding light on the governmental operations. One way in which these laws can be used is to uncover the existence of law enforcement surveillance, as well details about the tools used to achieve such surveillance. This portion of the presentation will explore how journalists and activists can employ successful transparency strategies in the face of various procedural pitfalls. It will also give concrete examples of how such strategies have paid off in the recent past.
Presentation Materials

Creative campaigning: tactical media mashup
Vladan Joler, Share Foundation [Serbia, EN]

Explore the beautiful world of tactical media as a creative tool for getting your message out there.
From creative campaigning during Serbian protests in the 90s to “lo fi” media interventions, protests inside computer games, media pranks and parasite media tactics to social media bots and Twitter bombs.
Presentation Materials

Simultaneous interpretation from English to Spanish and Portuguese Return to Top

3:50 - 4:10 Coffee Break

Workshops: Round IV

4:10 - 5:10

Workshop 1: What the international surveillance and human rights principles are asking the governments to do?

This session will be used to call out exactly what the International Surveillance and Human Rights Principles are asking governments to change or legislative/policy actions they are asking governments to take. This will hopefully be useful in helping individuals and organizations understand what aspects to highlight and push when proposing the principles and why.

Facilitators:

Katitza Rodriguez, Electronic Frontier Foundation [Peru, ES]
Elonnai Hickok, Center for Internet & Society India [India, EN]

Rapporteur:
Graciela Selaimen, NUPEF [Brasil, EN/ES/PT]

Workshop 2: Creative campaigning: tactical media mashup & anti-surveillance campaigns

What are activists around the world doing to counter surveillance proposals and practices? And what could they be doing, with just a little more knowledge and inspiration? At this session, workshop facilitators will share stories about successful campaigns launched around the world in response to government surveillance. How did a humorous Twitter hashtag about a proponent of surveillance legislation rise to “trending” status on Twitter? How did a small team of digital rights activists in Argentina manage to position themselves as one of the most trusted media sources on issues relating to privacy in the digital realm? How did a small group of activists manage to reach biggest world media and how are activists creating their own media? We’ll then open it up for a group discussion in which participants can share their own stories of effective tactics from around the world, and explore ideas for collaborating and harnessing the knowledge gleaned from our collective experiences.

Facilitators:

Rebecca Bowe, Electronic Frontier Foundation [United States, EN]
Vladan Joler, Share Foundation [Serbia, EN]

Rapporteur:
Hisham Almiraat, Global Voices Advocacy [Morocco, EN]

Reporting Back Session & Closing Remarks

5:10 - 6:00

Chair:
Katitza Rodriguez, Electronic Frontier Foundation [Peru, ES]

Rapporteurs:
Graciela Selaimen, NUPEF [Brasil, EN/ES/PT]

Renzo Lavin, Asociación Civil por la Igualdad y la Justicia [Argentina, ES]
Hisham Almiraat, Global Voices Advocacy [Morocco, EN]

Each breakout session will have one designated rapporteur, one note-taker, and a module to work around.

For more details visit https://cis-india.org/news/state-surveillance-and-human-rights-camp

State of Work in India

Admin — 2018-10-09T14:25:37Z

Aayush Rathi and Ambika Tandon attended a panel discussion organized by Bangalore International Centre (TERI) and Azim Premji University, on Wednesday, October 3, 2018 in Bengaluru. A report titled 'State of Working India' by the Centre for Sustainable Employment was released on the occasion.

The report can be accessed here

For more details visit https://cis-india.org/internet-governance/news/state-of-work-in-india

State of Digital Rights in India (Delhi, March 24)

Japreet Grewal and Sumandro Chattapadhyay — 2017-03-27T13:21:20Z

The Centre for Communication Governance at National Law University, Delhi and the Internet Freedom Foundation, in association with Access Now, are hosting a discussion on The State of Digital Rights in India on March 24, 2017 (Friday) from 6.00 pm onwards at Lecture Room-I, India International Centre- Annexe, New Delhi. Japreet Grewal and Sumandro Chattapadhyay will participate in the panel discussions.

Registration: Eventbrite

March 24, 2017 marks the two year anniversary of the landmark Shreya Singhal judgment. This was a very significant ruling on freedom of speech and expression and occupies an important place in the Supreme Court’s discourse on civil liberties. The judgment traces out the contours of free speech on the Internet in India and unequivocally holds that the right to freedom of expression provided under Article 19(1)(a) applies to speech over the Internet, making it clear that this is a medium-neutral right.

The event aims to shed some light on this key judgment and discuss ongoing discussions regarding our civil liberties and freedoms online before courts and the Parliament. We would also like to take this opportunity to discuss some of the other pressing issues like Network Neutrality, Internet shutdowns, Privacy and User Security which need immediate attention and engagement of our democratic institutions. We hope to formulate effective strategies which will further shape the legal and policy framework in India, and facilitate better collaborative efforts between stakeholders.

We hope to bring together everyone who contributed to the judgment, and those who do work connected with it, so that we may build on it to seek a better legal framework to protect online speech and to discuss the threats surrounding digital rights and how best build on the foundations of the judgment.

We would be grateful if you could take out some time on Friday evening (6PM) and be a part of this important discussion. The discussion will be followed by dinner and an Open Bar for an Open Internet, which will start from 9.00 pm at the Annexe Court in the India International Centre - Annexe. In case you are unable to attend the seminar, please do join us for dinner!

Featuring:

A keynote address on our online freedoms and policymaking, by Shri Tathagata Satpathy (Member of Parliament, Lok Sabha)
A legal panel analysing the legacy of the Shreya Singhal v. Union of India judgment
Beyond Shreya Singhal: A conversation with women on the future of our digital rights
Briefings on the state of digital rights in our courts and in Parliament
A conversation on the path ahead for our civil liberties and digital rights community

For more details visit https://cis-india.org/internet-governance/news/state-of-digital-rights-in-india-delhi-march-24

State of Consumer Digital Security in India

pranav — 2021-07-05T11:07:24Z

This report attempts to identify the existing state of digital safety in India, with a mapping of digital threats, which will aid stakeholders in identifying and addressing digital security problems in the country. This project was funded by the Asia Foundation.

Since 2006, successive Union governments in India have shown increased focus on digital governance. The National e-Governance Plan was launched by the UPA government in2006, and several digital projects led by the state such as digitisation of the filing of taxes, appointment process for passports, corporate governance, and the Aadhaar programme(India’s unique digital identity system that utilises biometric and demographic data) arose under it, in the form of mission mode projects (projects that are part of a broader National e-governance initiative, each focusing on specific e-Governance aspects, like banking, land records, or commercial taxes). In 2014, when the NDA government came to power, the National e-Governance Plan was subsumed under the government’s flagship project of Digital India, and several mission mode projects were added. In the meantime, the internet connectivity, first in the form of wire connectivity, and later in the form of mobile connectivity has increased greatly. In the same period, use of digital services, first in new services native to the Internet such as email, social networking, instant messaging, and later the platformization and disruption of traditional business models in transportation, healthcare, finance and virtually every sector, has led to a deluge of digital private service providers in India.

Currently, India has 500 million internet users — over a third of its total population — making it the country with the second largest number of Internet users after China. The uptake of these technological services has also been accompanied by several kinds of digital threats that an average digital consumer in India must regularly contend with. This report is a mapping of consumer-facing digital threats in India and is intended to aid stakeholders in identifying and addressing digital security problems. The first part of the report categorises digital threats into four kinds, Personal Data Threats, Online Content Related Threats, Financial Threats, and Online Sexual Harassment Threats. Threats under each category are then defined, with detailed consumer-facing consequences, and past instances where harm has been caused because of these threats.

Read the full report here.

For more details visit https://cis-india.org/internet-governance/blog/state-of-consumer-digital-security-in-india

Start-up India turns the heat on Facebook Free Basics

praskrishna — 2015-12-29T15:54:30Z

Facebook launched its "Save Free Basics" campaign last week, asking users to support "digital equality" in India.

The article by Anita Babu was published in Business Standard on December 22, 2015. Pranesh Prakash gave inputs.

Nearly a week after Facebook launched its controversial "Save Free Basics" campaign in India, the net neutrality debate has come to the fore again. This time around, India's star internet entrepreneurs such as Vijay Shekhar Sharma, founder and chief executive of Paytm, and Dippak Khurana of Vserv have joined the crusade for free internet.

"Oh my fellow Indians, either choose this and do a jihad for independent internet later or pick net neutrality today," Sharma of Paytm, India's largest digital wallet, tweeted on Tuesday. "Digital world war heads! We have to load http://www.savetheinternet.in for #NetNeutrality," said Sharma in another tweet. Savetheinternet.in, a volunteer group, has urged people to lend their support for an unfettered internet in India.

Facebook launched its "Save Free Basics" campaign last week, asking users to support "digital equality" in India, in response to a paper by the telecom regulator which is seeking comments on differential pricing practices like Airtel Zero of Facebook's Free Basics, which was earlier called Internet.org.

Facebook launched a print and digital media campaign for a "connected India" asking users to give a missed call, automatically sending a message to the regulator in support of Free Basics.

Facebook has also been asking its users to send an e-mail to Telecom Regulatory Authority of India (TRAI) supporting "essential internet for all". The social network claims to have gained support from 3.2 million of its 130 million users in India.

On Tuesday, the social media giant earned flak for soliciting support from international users for the campaign. Later, Facebook withdrew the campaign outside India claiming it was an "accident".

However, some net neutrality volunteers said that many of Facebook's 3.2 million supporters for Free Basics were non-Indians.

Activists and tech leaders are calling the Facebook campaign "misleading" and "destructive".

"People are being tricked into supporting Free Basics under the guise of digital equality," wrote Amol Malviya, former chief technology officer at Flipkart, India's largest e-commerce firm, on his blog. "Notice the language on the page? It makes any critic of Free Basics appear to be an enemy of digital equality. People will listen to the critics' arguments much lesser when there's a question mark on their intent."

Nikhil Pahwa, editor and publisher of MediaNama, said India should question the intent of Facebook and its campaign. "There is misrepresentation in the language they have used. It makes people assume that we can't have universal internet access without net-neutrality violating services such as Free Basics. It is important for a country to take note of how much power a platform with as much reach as Facebook has to influence an important government process," said Pahwa, who led a fight against TRAI's move to allow telecom firms charge for internet services like WhatsApp and Hike.

The basic premise of net neutrality is that of freedom - an open internet that protects and enables free communication. Anything that takes away this freedom violates the fundamentals of free Internet. "Facebook's Free Basics is neither free nor basic - it is a cleverly disguised way of walling a garden, and hardly the philanthropic initiative that it is marketed to be," said Khurana of Vserv. He urged internet users to uninstall the Facebook App from their mobile phones in protest.

Pranesh Prakash, policy director at the Centre for Internet and Society, said, "Facebook, a foreign company, is allowed to campaign with impunity, but NGOs receiving funding from foreign trusts are subject to all manners of restrictions and may not campaign in India."

For more details visit https://cis-india.org/internet-governance/news/business-standard-anita-babu-december-23-2015-start-up-india-turns-the-heat-on-facebook-free-basics

Stand up for Digital Rights

elonnai — 2016-06-13T15:30:12Z

The Centre for Internet & Society (CIS) invites you to a discussion on a set of recommendations for Ethical Tech, a report on human rights and private online intermediaries which describes key areas where such actors have responsibilities. The event will be held at CIS office in Bangalore on June 15, 2016 from 5 p.m. to 7 p.m.

The discussion intends to launch a report on human rights and private online intermediaries, which describes key areas where such actors have responsibilities and provides a detailed set of recommendations for Ethical Tech. This work is the culmination of a year long research project led by the Centre for Law and Democracy (CLD), in collaboration with the Arabic Network for Human Rights Information (ANHRI), the Centre for Internet and Society (CIS), Open Net Korea, the Center for Studies on Freedom of Expression and Access to Information at the University of Palermo (CELE) and researchers with the University of Ottawa and the Munk School of Global Affairs at the University of Toronto. The key themes for discussion would include:

General Human Rights Responsibilities and Private Online Intermediaries
Expanding Access
Net Neutrality
Content Moderation
Privacy
Transparency and Informed Consent
Responding to State Interferences

We look forward to meeting you and making this forum for knowledge exchange a success.

For more details visit https://cis-india.org/internet-governance/events/stand-up-for-digital-rights

Stand up for Digital Rights

praskrishna — 2016-07-25T15:29:41Z

The Centre for Internet & Society (CIS) invites you to a discussion on a set of Recommendations for Ethical Research, a report on human rights and private online intermediaries which describes key areas where such actors have responsibilities. The discussion is on coming Friday, July 29, 2016 at the Centre for Internet & Society's Delhi office from 3.00 p.m. to 5.00 p.m.

The discussion intends to launch a report on human rights and private online intermediaries, which describes key areas where such actors have responsibilities and provides a detailed set of Recommendations for Ethical Tech. This work is the culmination of a year-long research project led by the Centre for Law and Democracy (CLD), in collaboration with the Arabic Network for Human Rights Information (ANHRI), the Centre for Internet and Society (CIS), Open Net Korea, the Center for Studies on Freedom of Expression and Access to Information at the University of Palermo (CELE) and researchers with the University of Ottawa and the Munk School of Global Affairs at the University of Toronto. The key themes for discussion would include:

General Human Rights Responsibilities and Private Online Intermediaries
Expanding Access
Net Neutrality
Content Moderation
Privacy
Transparency and Informed Consent
Responding to State Interferences

We look forward to meeting you and making this a forum for knowledge exchange a success.

For more details visit https://cis-india.org/internet-governance/events/stand-up-for-digital-rights-1

Stakeholder Consultation on Digital Assets for Women’s Economic Empowerment | UN Women + SEWA

Admin — 2020-04-07T13:14:40Z

On December 06, 2019, Ambika Tandon and Aayush Rathi participated in a "Stakeholder Consultation on Digital Assets for Women’s Economic Empowerment: Addressing Barriers and Enhancing Opportunities for Women in Informal Economy and in Agriculture".

Aayush and Ambika participated upon the invite of UN Women and Self Employed Women's Association (SEWA), who were the organisers of the consultation. The consultation was from 9:30 am to 4:30 pm on 6th December, 2019 at the Claridges Hotel, New Delhi.

Former UN Secretary-General Mr. Ban Ki Moon established the UN High-Level Panel on Women’s Economic Empowerment (UNHLP-WEE) to make action oriented recommendations on how to improve economic outcomes for women in the context of the Sustainable Development Agenda 2030.The panel submitted its final report to the UN Secretary General in 2017, identifying seven drivers for women’s economic empowerment and laying out concrete actions for accelerating progress towards women’s full and equal economic participation.

In February 2019, SEWA Bharat and UN Women had organized a National consultation on “Taking Action Towards Transformative Change for Women in the Informal Sector in India” in India with civil society organizations, researchers, philanthropists and international organizations to prioritize action on the drivers for women’s economic empowerment in the context of India. Four drivers, amongst seven, were prioritized through the consultative process. Driver 4 on Building Assets – Digital, Financial and Property is one of the critical drivers for Women’s Economic Empowerment in India and has been prioritized for the first stakeholder consultation in the roadmap development process to contextualize the recommendation of HLP in the Indian context.

The primary objectives, then, of this consultation were as follows:

To provide a platform for sharing of experiences in research, programming and policy to ensure digital assets for women in the informal economy and in agriculture;
To identify proven and promising practices in this regard;
To develop an action agenda including identification of areas for research, programming and policy to reduce the gender digital divide.

*Detailed agenda*

Download the detailed agenda here.

*Participation*

At the consultation, Aayush contributed to the breakout group on DBT while Ambika contributed to the one on employment. The consultation led to rich discussions as on-ground experiences and learning from implementation programs were shared widely to devise a roadmap and policy recommendations.

For more details visit https://cis-india.org/internet-governance/news/stakeholder-consultation-on-digital-assets-for-women2019s-economic-empowerment-un-women-sewa

Srikrishna panel upset at timing of Trai suggestions

Admin — 2018-07-19T14:17:19Z

The Justice BN Srikrishna Committee, which is drafting a model data protection and privacy law for India, is upset by the timing of recommendations made by the country’s telecom regulator this week, according to a senior member of the panel, as it fears this will delay the submission of its own report, due later this month.

The article by Megha Mandavia was published in Economic Times on July 19, 2018. Swaraj Paul Barooah was quoted.

On Monday, Telecom Regulatory Authority of India (Trai) in a surprise move recommended rules that give users control of their data and personal information while severely restricting ways in which telecom and internet firms can use customer data. Its rules are applicable for apps, browsers, operating systems and handset makers.

“Next week somebody will make some recommendations and that will have to be merged, then again somebody will make some other recommendations,” the person told ET. He added that the committee will look into Trai’s submissions.

On Wednesday, ET reported that officials of ministry of electronics and information technology (MeitY), besides industry groupings such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) were unhappy with Trai’s move.

“Like any other sector, the data protection Act will be the final thing. In respect of telecom matters, there will be a role for Trai as sectoral regulator but the basics of privacy will be governed by the data protection Act,” a MeitY official told ET.

Legal experts and industry analysts also questioned the need for the regulatory announcement just before the Justice Srikrishna committee releases its report, after a year of deliberations.

The high-powered group — consisting of jurists, academicians and policymakers — was formed last July with a brief to suggest principles for data privacy and a draft data protection bill for the country.

“Why is Trai then pre-empting the law?” said Kartik Maheshwari, leader for technology companies at law firm Nishith Desai Associates.

“Now that Trai has published its recommendations in public domain, the government may not be able to completely ignore them. But it’s so late in the day that it may not have any real impact on the final recommendations of the Justice Srikrishna committee,” he said.

The ten-member panel may incorporate some of Trai’s suggestions even as it submits its report to the union government next week. Trai chairman RS Sharma said the regulatory body has jurisdiction to tackle data protection under consumer interest, and those who feed off the industry — content providers, or apps, browsers, operating systems, and devices — were only custodians.

“We will send these recommendations to the committee, but we did not time it to coincide. We’re not dependent on the committee and we had issued this suo moto, since we felt the need to rigorously deliberate on the issue,” Sharma told ET on Tuesday.

There could be sector-specific laws within the general data protection framework for the telecom sector, he added.

Analysts say that regulators making public their recommendations before the data framework only adds to the confusion. “Industry was looking forward to a common primary framework. There are many independent suggestions coming from various regulators. It is creating confusion and chaos. I do expect considerable delay in finalising the law. Once the draft is out, there will be public consultation; all regulators will also have a say,” said Vidur Gupta, partner, government and public sector, EY India.

Others say that while there is clarity on what Trai is expecting, it has to be bound by the panel’s recommendations.

“It is good that a regulator has an eye on the market. It gives us an idea about what Trai has on its mind. The Reserve Bank of India also had not waited for Srikrishna Committee report before issuing a directive on data localisation,” said Swaraj Paul Barooah, policy director at Centre for Internet and Society.

“But the major point is that Trai’s recommendations are not binding; the data privacy law will be influenced by Justice Srikrishna committee only.”

For more details visit https://cis-india.org/internet-governance/news/economic-times-megha-mandavia-july-19-2018-srikrishna-panel-upset-at-timing-of-trai-suggestions

Spy in the Web

nishant — 2012-03-26T06:38:51Z

The government’s proposed pre-censorship rules undermine the intelligence of an online user and endanger democracy.

Kapil Sibal’s recent remarks demanding that private social media companies like Google, Microsoft and Facebook remove "objectionable" content from their social networks has created a lot of furore. It should not come as a surprise to us that just like any other platform of publication and content creation, several rules and regulations already regulate online content while still respecting our constitutional right for freedom of speech and expression in India.

From terms of services of the different web 2.0 products that seek to moderate "offensive" or "harmful" material to strictly defined punishable offences as defined in the Information Technologies Act, framed by the Government of India, there are various ways by which material that might incite violence, hatred or pain is systemically removed from the digital space.

Largely, this happens silently. Unless you are particularly keen on certain spurious websites, you wouldn’t even realise that there is a list of blacklisted websites that remain inaccessible to us in India. Once in a while, we realise the regulatory nature of state censorship when certain actions come to light. In 2006, the Indian government blocked Blogspot, the popular blogging platform, because they had detected "anti-national" activities by certain groups using the blog.

More recently, India’s first home-grown erotic comic series Savita Bhabhi was banned and taken off its Indian servers, without realising that in the era of cloud-computing, the comic still remains available through different containers and spaces. In both these cases, while one might be able to provide a critique of the Indian government’s attempts at censoring and regulating information, there is reasonable sympathy to the idea that some control on information is possibly a good thing.

It is in the very nature of information to be filtered. I am sure everybody will agree that censoring, controlling and regulating information of certain kinds — involving child pornography, calls for violence and vandalism aimed at insulting and offending vulnerable sections of the society — is probably in the interest of a healthier information society. And hence, one nods one’s head, rather grudgingly at some of the censorship laws (print, TV, internet, et al) and accepts that we need them, at least in principle, if not in execution.

However, what Sibal is asking for is not in the same vein. Censorship laws have always been very cautious of what constitutes "offensive" content and have relied both on the larger opinions of the community as well as the informed expertise of legal bodies to censor information. More often than not, an act of censorship is implemented when certain sections of the society, in their interaction with certain information, find it offensive or insulting and ask for a block. Pre-emptive censorship, the kinds performed by the Central Board of Film Certification, is in service of existing legal infrastructure around production and distribution of information.

Protective guidelines for censoring information, as was recently seen in the Broadcast Editors’ Association’s mandate around not intruding into the privacy of the Bachchan baby and the mother, during the birth of the child, are demonstrably for the protection of a person’s private life.

Sibal’s new calls for censorship against material “that would offend any human being” is separate from all these instances in three ways. First, while Sibal is an important political figure in this country, he is not the lord of information production. Using the power of his office to call for taking down of content that he found offensive (fortunately it did not incite him to violence and moral decrepitude) is undemocratic and possibly extra-legal (as in not within the boundaries of law, but who will bell the cat?).

To ask private companies and use his influence to bully them into curtailing the constitutionally provided freedom of speech and expression is in bad taste. There is enough regulation that could be invoked to seek arbitration between Sibal’s opinion and somebody else’s about how Sonia Gandhi should be represented online.

Second, Sibal might pretend that he is only asking for censorship of online content the way in which we have for other media, but that is a fallacy. What he is advocating is an ethos of pre-censorship, where, even before the material becomes public, it is screened through human agents who, through some divine right would know the right from wrong — read as what the powers to be want and don’t. To override existing regulation and ask for this extra layer of human scrutiny of all information being produced online is the equivalent of certain unnamed people in Mumbai, who, when Mani Ratnam was about to release his film Bombay, asked for a private screening of the film and then recommended some friendly cuts in it.

Third, is perhaps, and I write this with regret, Sibal has undermined the critical intelligence and engagement of the social media’s ardent users. He has fallen into the trap of suggesting that impressionable minds will be easily corrupted if they are introduced to "undesirable" information online, the same information that will apparently not drive human pre-screeners to prurient activities because they will be protected by the mantle of government sanction. Instead of drawing upon the wisdom of crowds, which invites communities and people to flag information that they find offensive and asks for independent arbitration, he has asked for an undemocratic and unconstitutional call for censorship which threatens the very structures of political protest, resistance and dialogue in the country.

If such draconian measures are going to be carried through, we might soon regress to a dystopia where all information is censored, filtered and reshaped only to suit the interests of those in power.

Nishant Shah, Director-Research wrote this article for the Indian Express. It was published on December 18, 2011. The original can be read here

For more details visit https://cis-india.org/internet-governance/spy-in-web

Spy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry

maria — 2013-11-14T16:21:00Z

In this article, Maria Xynou looks at WikiLeaks' latest Spy Files and examines the legality of India's surveillance technologies, as well as their potential connection with India's Central Monitoring System (CMS) and implications on human rights.

Last month, WikiLeaks released “Spy Files 3”, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files in December 2011, which entail brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.

So what do the latest Spy Files reveal about India?

When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, India is once again on the list with some of the most controversial spyware.

ISS World Surveillance Trade Shows

The latest Spy Files include a brochure of the ISS World 2013 -the so-called “wiretapper’s ball”- which is the world’s largest surveillance trade show. This years ’ ISS World Asia will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech. The leaked ISS World 2013 brochure entails a list of last years’ global attendees. According to the brochure, 53% of the attendees included law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and from the private enterprise. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.

The following table lists the Indian attendees at last years ’ ISS World:

Law Enforcement, Defense and Interior Security Attendees	Telecom Operators and Private Enterprises Attendees	ISS Vendors and Technology Integrators Attendees
Andhra Pradesh India Police	BT	AGC Networks
CBI Academy	Cogence Investment Bank	Aqsacom India
Government of India, Telecom Department	India Reliance Communications	ClearTrail Technologies
India Cabinet Secretariat	Span Telecom Pvt. Ldt.	Foundation Technologies
India Centre for Development of Telematics (C-DOT)		Kommlabs
India Chandigarh Police		Paladion Networks
India Defence Agency		Polaris Wireless
India General Police		Polixel Security Systems
India Intelligence Department		Pyramid Cyber Security
India National Institute of Criminology		Schleicher Group
India office LOKAYUKTA NCT DELHI		Span Technologies
India Police Department, A.P.		TATA India
India Tamil Nadu Police Department		Tata Consultancy Services
Indian Police Service, Vigilance		Telecommunications India
Indian Telecommunications Authority		Vehere Interactive
NTRO India
SAIC Indian Tamil Nadu Police

17 4 15

According to the above table - which is based on data from the WikiLeaks ’ ISS World 2013 brochure- the majority of Indian attendees at last years’ ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP provider, Reliance Communications, attended the trade show too.

In addition to the ISS World 2013 brochure, the Spy Files 3 entail a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.

ClearTrail Technologies

ClearTrail Technologies is an Indian company based in Indore. The document titled “Internet Monitoring Suite ” from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:

1. ComTrail: Mass Monitoring of IP and Voice Networks

ComTrail is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.

ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, record and replay of a variety of Voice and IP communications in pretty much any type of communication, including - but not limited to- Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.

Additionally, ComTrail intercepts data from any type of network -whether Wireless, packet data, Wire line or VoIP networks- and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.

In short, ComTrail’s key features include the following:

- Equipped to handle millions of communications per day intercepted over high speed STM & Ethernet Links

- Doubles up as Targeted Monitoring System

- On demand data retention, capacity exceeding several years

- Instant Analysis across thousands of Terabytes

- Correlates Identities across multiple networks

- Speaker Recognition and Target Location

2. xTrail: Targeted IP Monitoring

xTrail is a solution for interception, decoding and analysis of high speed data traffic over IP networks and independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks -including wireline, wireless, cable, VoIP and VSAT networks- and acts as a black box for “record and replay” targeted Internet communications.

Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.

In short, xTrail’s key features include the following:

- Pure passive probe

- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways

- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic

- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location

- Huge data retention, rich analysis interface and tamper proof court evidence

- Easily integrates with any existing centralized monitoring system for extended coverage

3. QuickTrail: Tactical Wi-Fi Monitoring

Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.

QuickTrail is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.

According to ClearTrail’s brochure, QuickTrail is a “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN and capture, reconstruct and replay. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.

In short, QuickTrail’s key features include the following:

- Conveniently housed in a laptop computer

- Intercepts Wi-Fi and wired LANs in five different ways

- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks

- Deploys spyware into a target’s machine

- Monitor’s Gmail, Yahoo and all other HTTPS-based communications

- Reconstructs webmails, chats, VoIP calls, news groups and social networks

4. mTrail: Off-The-Air Interception

mTrail offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 Mhz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in the stealth mode so that there is no dependence on the network operator and so that the target is unaware of the interception of its communications.

The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.

Target location identification is supported by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.

In short, mTrail’s key features include the following:

- Designed for passive interception of GSM communications

- Intercepts Voice and SMS “off-the-air”

- Detects the location of the target

- Can be deployed as a fixed unit or mounted in a surveillance van

- No support required from GSM operator

5. Astra: Remote Monitoring and Infection framework

“Astra ” is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.

The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment without requiring any physical access to the target device.

In particular, Astra can push bot to any targeted machine sharing the same LAN (wired, wi-fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture Mic, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which overrules the possibility of getting traced by the target.

Astra’s key features include the following:

- Proactive intelligence gathering

- End-to-end remote infection and monitoring framework

- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots

- Designed for centralized management of thousands of targets

- A wide range of deployment mechanisms to optimize success ration

- Non-traceable, non-detectable delivery mechanism

- Intrusive yet stealthy

- Easy interface for handling most complex tasks

- Successfully tested over the current top 10 anti-virus available in the market

- No third party dependencies

- Free from any back-door intervention

ClearTrail Technologies argue that they meet lawful interception regulatory requirements across the globe. In particular, they claim that their products are compliant with ETSI and CALEA regulations and that they are efficient to cater to region specific requirements as well.

The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as Telesoft Technologies, AGT International and Verint Systems. In particular, Verint Systems has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:

- Impact 360 Speech Analytics

- Impact 360 Text Analytics

- Nextiva Video Management Software (VMS)

- Nextiva Physical Security Information Management (PSIM)

- Nextiva Network Video Recorders (NVRs)

- Nextiva Video Business Intelligence (VBI)

- Nextiva Surveillance Analytics

- Nextiva IP cameras

- CYBERVISION Network Security

- ENGAGE suite

- FOCAL-INFO (FOCAL-COLLECT & FOCAL-ANALYTICS)

- RELIANT

- STAR-GATE

- VANTAGE

While Verint Systems claims to be in compliance with ETSI, CALEA and other worldwide lawful interception and standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism, without violating individuals’ right to privacy and other human rights. After all, Verint Systems has participated in ISS World Trade shows which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.

And what do the latest Spy Files mean for India?

Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:

1. The Central Monitoring System (CMS)

2. Is any of this surveillance even legal in India?

3. Can such surveillance result in the violation of human rights?

Spy Files 3...and the Central Monitoring System (CMS)

Following the Mumbai 2008 terrorist attacks, the Telecom Enforcement, Resource and Monitoring (TREM) cells and the Centre for Development of Telematics (C-DOT) started preparing the Central Monitoring System (CMS ). As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISP and Telecom operators are required to install the gear which enables law enforcement agencies to carry out the Central Monitoring System under the Unified Access Services (UAS ) License Agreement.

The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is Rs . 4 billion. In addition to equipping government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements regional Internet Monitoring Systems , such as that of Assam, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.

However, data monitored and collected through the CMS will be stored in a centralised database, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that the bigger the amount of data , the bigger the probability of an error in matching profiles, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The UAS License Agreement regarding the CMS mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.

Interestingly enough, Indian law enforcement agencies which attended last years ’ ISS World trade shows are linked to the Central Monitoring System. In particular, last years’ law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the agencies which will have access to the CMS: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.

Furthermore, Spy Files 3 entail a list of last years ’ ISS World security company attendees, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides solutions for targeted and mass monitoring of IP and voice networks, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.

In fact, ClearTrail states in its brochure that its ComTrail product is equipped to handle millions of communications per day, while its xTrail product can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s “Astra ” is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Centralized Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells target and mass monitoring products to law enforcement agencies. The Centralized Monitoring System is currently being implemented. What are the odds that ClearTrail is not equipping the CMS? And what are the odds that such technology is not being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?

Spy Files 3...and the legality of India’s surveillance technologies

ClearTrail Technologies’ brochure -the only leaked document on Indian surveillance technology by the latest Spy Files- states that the company complies with ETSI and CALEA regulations. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply within India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.

India has five laws which regulate surveillance:

1. The Indian Telegraph Act, 1885

2. The Indian Post Office Act, 1898

3. The Indian Wireless Telegraphy Act, 1933

4. The Code of Criminal Procedure (CrPc ), 1973: Section 91

5. The Information Technology (Amendment ) Act, 2008

The Indian Post Offices Act does not cover electronic communications and the Indian Wireless Telegraphy Act lacks procedures which would determine if surveillance should be targeted or not. Neither the Indian Telegraph Act nor the Information Technology (Amendment ) Act cover mass surveillance, but are both limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.

The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of a public emergency or for public safety. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.

The interception of Internet communications is mainly covered by the 2009 Rules under the Information Technology Act 2008 and Sections 69 and 69 B are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaked national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.

While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the mass surveillance of communications. In other words, ClearTrail’s products, such as ComTrail, which enable the mass interception of IP networks, lack legal backing. However, the Unified Access Services (UAS ) License Agreement regarding the Central Monitoring System mandates mass surveillance and requires ISP and Telecom operators to comply.

Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content even without a warrant, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength, target numbers like IMSI, TIMSI, IMEI or MSI SDN, which can be captured through ClearTrail’s mTrail product.

More importantly, following allegations that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all all such equipment imported over a ten year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since, the Home Ministry has informed the heads of law enforcement agencies that there has been a compete ban on use of such equipment and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring is illegal and Indian law enforcement agencies are prohibited from using it.

ClearTrail’s “Astra ” product is capable of remote infection and monitoring, which can push bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such licenses mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s QuickTrail is technically legal or not. The UAS License agreement mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.

The issue of data retention arises from ClearTrail ’s leaked brochure. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.

Section 7 of the Information Technology (Amendment) Act, 2008, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.

Data retention requirements for service providers are included in the ISP and UASL licenses and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.

India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether ClearTrail ’s spy products are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception- but they are mandated through the UAS License agreement regarding the Central Monitoring System.

In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the UAS License Agreement mandate mass surveillance, the laws - particularly the 2009 Information Technology Rules- mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this does not constitute mass surveillance legal or illegal, but rather a grey area. Furthermore, while India ’s Telegraph Act, Information Technology Act and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.

One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appear to create a grey zone for the expansion of mass surveillance in the country. According to Saikat Datta, an investigative journalist, a senior privacy telecom official stated:

“Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?”

Spy Files 3...and human rights in India

The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, ClearTrail, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.

In particular, ClearTrail’s ComTrail provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. xTrail enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well QuickTrail proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.

And indeed, carrying a mobile phone is like carrying a GPS device, especially since mTrail provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions though which arise are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that we are all suspicious until proven innocent .

And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by Astra. Having physical access to a targeted device is a conventional surveillance mean of the past. Today, Astra can remotely push bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, we should all have something to hide !

Privacy protects us from abuse from those in power and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance - especially the type undertaken by ClearTrail ’s products - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.

And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, a UK student studying Islamic terrorism for his Masters dissertation was detained for six days . The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.

This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.

This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always “have something to hide ”, as that is the only way to protect us from abuse by those in power.

In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by ClearTrail, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the International Principles on Communications Surveillance and Human Rights.

Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.

This article was cross-posted in Medianama on 6th November 2013.

For more details visit https://cis-india.org/internet-governance/blog/spy-files-three

Spy agencies, IB and RAW, put spanner in proposed privacy law

praskrishna — 2013-11-19T09:50:05Z

The country’s intelligence agencies are out to scuttle a law that’s being drafted to protect your privacy.

The article by Nagender Sharma and Aloke Tikku was published in the Hindustan Times on November 2, 2013. Sunil Abraham is quoted.

The Intelligence Bureau and the Research and Analysis Wing (RAW) have told the government to water down the proposed law that makes it a crime to leak sensitive personal information collected by government departments and the private sector.

The agencies conveyed their views to national security adviser Shivshankar Menon at a recent meeting at the prime minister’s office. With home secretary Anil Goswami backing the spooks, even arguing that “the very need for such a bill” should be reviewed, Menon has called for revisiting the provisions the agencies have objected to.

The Right to Privacy Bill 2013 lays down privacy principles and standards, and stipulates jail terms and fines for leak of sensitive personal data.

“If such a bill was to be considered, intelligence agencies should be exempted from its purview,” Goswami argued at the meeting.

The intelligence agencies also spoke about how the bill would “adversely affect or compromise” the functioning of many agencies and projects, such as the Central Monitoring System that is used to intercept phone calls and internet communication, and the National Intelligence Grid that would give law enforcement agencies access to information combat terror threats.

The proposed privacy law was initially conceptualised to address data privacy, particularly in the context of data handled by the Indian IT industry for foreign clients.

But the Department of Personnel and Training – that drew up the bill – expanded its scope to cover information collected by the government and interception by intelligence agencies.

Sunil Abraham of the Centre for Internet and Society, a Bangalore-headquartered advocacy group, said the security establishment’s attempts to scuttle the privacy law were a step back.

“Civil society isn’t against surveillance by security agencies. All that we ask for is due process and oversight,” Abraham said.

For more details visit https://cis-india.org/news/hindustan-times-november-2-2013-nagender-sharma-alok-tikku-spy-agencies-ib-and-raw-put-spanner-in-proposed-privacy-law

Spreadsheet data on sample of 50 security companies

maria — 2014-02-28T16:13:39Z

For more details visit https://cis-india.org/internet-governance/blog/data-on-surveillance-technology-companies

Spreading unhappiness equally around

sunil — 2018-07-31T14:49:52Z

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.

The article was published in Business Standard on July 31, 2018.

There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.

Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reigned in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.

Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discreet property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with
the henhouse.

Employees should be unhappy because the Bill has an expansive ground under which employers can nonconsensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced otherwise disproportionate mechanisms like spyware on work computers will be installed by employees without providing notice.

Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited "right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently social power asymmetries.

Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.

Lastly but also most importantly, human rights activists are unhappy because the committee again like the GDPR did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around