We are anonymous, we are legion

Spy in the Web

nishant — 2012-03-26T06:38:51Z

The government’s proposed pre-censorship rules undermine the intelligence of an online user and endanger democracy.

Kapil Sibal’s recent remarks demanding that private social media companies like Google, Microsoft and Facebook remove "objectionable" content from their social networks has created a lot of furore. It should not come as a surprise to us that just like any other platform of publication and content creation, several rules and regulations already regulate online content while still respecting our constitutional right for freedom of speech and expression in India.

From terms of services of the different web 2.0 products that seek to moderate "offensive" or "harmful" material to strictly defined punishable offences as defined in the Information Technologies Act, framed by the Government of India, there are various ways by which material that might incite violence, hatred or pain is systemically removed from the digital space.

Largely, this happens silently. Unless you are particularly keen on certain spurious websites, you wouldn’t even realise that there is a list of blacklisted websites that remain inaccessible to us in India. Once in a while, we realise the regulatory nature of state censorship when certain actions come to light. In 2006, the Indian government blocked Blogspot, the popular blogging platform, because they had detected "anti-national" activities by certain groups using the blog.

More recently, India’s first home-grown erotic comic series Savita Bhabhi was banned and taken off its Indian servers, without realising that in the era of cloud-computing, the comic still remains available through different containers and spaces. In both these cases, while one might be able to provide a critique of the Indian government’s attempts at censoring and regulating information, there is reasonable sympathy to the idea that some control on information is possibly a good thing.

It is in the very nature of information to be filtered. I am sure everybody will agree that censoring, controlling and regulating information of certain kinds — involving child pornography, calls for violence and vandalism aimed at insulting and offending vulnerable sections of the society — is probably in the interest of a healthier information society. And hence, one nods one’s head, rather grudgingly at some of the censorship laws (print, TV, internet, et al) and accepts that we need them, at least in principle, if not in execution.

However, what Sibal is asking for is not in the same vein. Censorship laws have always been very cautious of what constitutes "offensive" content and have relied both on the larger opinions of the community as well as the informed expertise of legal bodies to censor information. More often than not, an act of censorship is implemented when certain sections of the society, in their interaction with certain information, find it offensive or insulting and ask for a block. Pre-emptive censorship, the kinds performed by the Central Board of Film Certification, is in service of existing legal infrastructure around production and distribution of information.

Protective guidelines for censoring information, as was recently seen in the Broadcast Editors’ Association’s mandate around not intruding into the privacy of the Bachchan baby and the mother, during the birth of the child, are demonstrably for the protection of a person’s private life.

Sibal’s new calls for censorship against material “that would offend any human being” is separate from all these instances in three ways. First, while Sibal is an important political figure in this country, he is not the lord of information production. Using the power of his office to call for taking down of content that he found offensive (fortunately it did not incite him to violence and moral decrepitude) is undemocratic and possibly extra-legal (as in not within the boundaries of law, but who will bell the cat?).

To ask private companies and use his influence to bully them into curtailing the constitutionally provided freedom of speech and expression is in bad taste. There is enough regulation that could be invoked to seek arbitration between Sibal’s opinion and somebody else’s about how Sonia Gandhi should be represented online.

Second, Sibal might pretend that he is only asking for censorship of online content the way in which we have for other media, but that is a fallacy. What he is advocating is an ethos of pre-censorship, where, even before the material becomes public, it is screened through human agents who, through some divine right would know the right from wrong — read as what the powers to be want and don’t. To override existing regulation and ask for this extra layer of human scrutiny of all information being produced online is the equivalent of certain unnamed people in Mumbai, who, when Mani Ratnam was about to release his film Bombay, asked for a private screening of the film and then recommended some friendly cuts in it.

Third, is perhaps, and I write this with regret, Sibal has undermined the critical intelligence and engagement of the social media’s ardent users. He has fallen into the trap of suggesting that impressionable minds will be easily corrupted if they are introduced to "undesirable" information online, the same information that will apparently not drive human pre-screeners to prurient activities because they will be protected by the mantle of government sanction. Instead of drawing upon the wisdom of crowds, which invites communities and people to flag information that they find offensive and asks for independent arbitration, he has asked for an undemocratic and unconstitutional call for censorship which threatens the very structures of political protest, resistance and dialogue in the country.

If such draconian measures are going to be carried through, we might soon regress to a dystopia where all information is censored, filtered and reshaped only to suit the interests of those in power.

Nishant Shah, Director-Research wrote this article for the Indian Express. It was published on December 18, 2011. The original can be read here

For more details visit https://cis-india.org/internet-governance/spy-in-web

Spy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry

maria — 2013-11-14T16:21:00Z

In this article, Maria Xynou looks at WikiLeaks' latest Spy Files and examines the legality of India's surveillance technologies, as well as their potential connection with India's Central Monitoring System (CMS) and implications on human rights.

Last month, WikiLeaks released “Spy Files 3”, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files in December 2011, which entail brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.

So what do the latest Spy Files reveal about India?

When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, India is once again on the list with some of the most controversial spyware.

ISS World Surveillance Trade Shows

The latest Spy Files include a brochure of the ISS World 2013 -the so-called “wiretapper’s ball”- which is the world’s largest surveillance trade show. This years ’ ISS World Asia will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech. The leaked ISS World 2013 brochure entails a list of last years’ global attendees. According to the brochure, 53% of the attendees included law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and from the private enterprise. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.

The following table lists the Indian attendees at last years ’ ISS World:

Law Enforcement, Defense and Interior Security Attendees	Telecom Operators and Private Enterprises Attendees	ISS Vendors and Technology Integrators Attendees
Andhra Pradesh India Police	BT	AGC Networks
CBI Academy	Cogence Investment Bank	Aqsacom India
Government of India, Telecom Department	India Reliance Communications	ClearTrail Technologies
India Cabinet Secretariat	Span Telecom Pvt. Ldt.	Foundation Technologies
India Centre for Development of Telematics (C-DOT)		Kommlabs
India Chandigarh Police		Paladion Networks
India Defence Agency		Polaris Wireless
India General Police		Polixel Security Systems
India Intelligence Department		Pyramid Cyber Security
India National Institute of Criminology		Schleicher Group
India office LOKAYUKTA NCT DELHI		Span Technologies
India Police Department, A.P.		TATA India
India Tamil Nadu Police Department		Tata Consultancy Services
Indian Police Service, Vigilance		Telecommunications India
Indian Telecommunications Authority		Vehere Interactive
NTRO India
SAIC Indian Tamil Nadu Police

17 4 15

According to the above table - which is based on data from the WikiLeaks ’ ISS World 2013 brochure- the majority of Indian attendees at last years’ ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP provider, Reliance Communications, attended the trade show too.

In addition to the ISS World 2013 brochure, the Spy Files 3 entail a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.

ClearTrail Technologies

ClearTrail Technologies is an Indian company based in Indore. The document titled “Internet Monitoring Suite ” from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:

1. ComTrail: Mass Monitoring of IP and Voice Networks

ComTrail is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.

ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, record and replay of a variety of Voice and IP communications in pretty much any type of communication, including - but not limited to- Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.

Additionally, ComTrail intercepts data from any type of network -whether Wireless, packet data, Wire line or VoIP networks- and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.

In short, ComTrail’s key features include the following:

- Equipped to handle millions of communications per day intercepted over high speed STM & Ethernet Links

- Doubles up as Targeted Monitoring System

- On demand data retention, capacity exceeding several years

- Instant Analysis across thousands of Terabytes

- Correlates Identities across multiple networks

- Speaker Recognition and Target Location

2. xTrail: Targeted IP Monitoring

xTrail is a solution for interception, decoding and analysis of high speed data traffic over IP networks and independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks -including wireline, wireless, cable, VoIP and VSAT networks- and acts as a black box for “record and replay” targeted Internet communications.

Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.

In short, xTrail’s key features include the following:

- Pure passive probe

- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways

- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic

- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location

- Huge data retention, rich analysis interface and tamper proof court evidence

- Easily integrates with any existing centralized monitoring system for extended coverage

3. QuickTrail: Tactical Wi-Fi Monitoring

Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.

QuickTrail is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.

According to ClearTrail’s brochure, QuickTrail is a “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN and capture, reconstruct and replay. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.

In short, QuickTrail’s key features include the following:

- Conveniently housed in a laptop computer

- Intercepts Wi-Fi and wired LANs in five different ways

- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks

- Deploys spyware into a target’s machine

- Monitor’s Gmail, Yahoo and all other HTTPS-based communications

- Reconstructs webmails, chats, VoIP calls, news groups and social networks

4. mTrail: Off-The-Air Interception

mTrail offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 Mhz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in the stealth mode so that there is no dependence on the network operator and so that the target is unaware of the interception of its communications.

The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.

Target location identification is supported by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.

In short, mTrail’s key features include the following:

- Designed for passive interception of GSM communications

- Intercepts Voice and SMS “off-the-air”

- Detects the location of the target

- Can be deployed as a fixed unit or mounted in a surveillance van

- No support required from GSM operator

5. Astra: Remote Monitoring and Infection framework

“Astra ” is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.

The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment without requiring any physical access to the target device.

In particular, Astra can push bot to any targeted machine sharing the same LAN (wired, wi-fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture Mic, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which overrules the possibility of getting traced by the target.

Astra’s key features include the following:

- Proactive intelligence gathering

- End-to-end remote infection and monitoring framework

- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots

- Designed for centralized management of thousands of targets

- A wide range of deployment mechanisms to optimize success ration

- Non-traceable, non-detectable delivery mechanism

- Intrusive yet stealthy

- Easy interface for handling most complex tasks

- Successfully tested over the current top 10 anti-virus available in the market

- No third party dependencies

- Free from any back-door intervention

ClearTrail Technologies argue that they meet lawful interception regulatory requirements across the globe. In particular, they claim that their products are compliant with ETSI and CALEA regulations and that they are efficient to cater to region specific requirements as well.

The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as Telesoft Technologies, AGT International and Verint Systems. In particular, Verint Systems has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:

- Impact 360 Speech Analytics

- Impact 360 Text Analytics

- Nextiva Video Management Software (VMS)

- Nextiva Physical Security Information Management (PSIM)

- Nextiva Network Video Recorders (NVRs)

- Nextiva Video Business Intelligence (VBI)

- Nextiva Surveillance Analytics

- Nextiva IP cameras

- CYBERVISION Network Security

- ENGAGE suite

- FOCAL-INFO (FOCAL-COLLECT & FOCAL-ANALYTICS)

- RELIANT

- STAR-GATE

- VANTAGE

While Verint Systems claims to be in compliance with ETSI, CALEA and other worldwide lawful interception and standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism, without violating individuals’ right to privacy and other human rights. After all, Verint Systems has participated in ISS World Trade shows which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.

And what do the latest Spy Files mean for India?

Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:

1. The Central Monitoring System (CMS)

2. Is any of this surveillance even legal in India?

3. Can such surveillance result in the violation of human rights?

Spy Files 3...and the Central Monitoring System (CMS)

Following the Mumbai 2008 terrorist attacks, the Telecom Enforcement, Resource and Monitoring (TREM) cells and the Centre for Development of Telematics (C-DOT) started preparing the Central Monitoring System (CMS ). As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISP and Telecom operators are required to install the gear which enables law enforcement agencies to carry out the Central Monitoring System under the Unified Access Services (UAS ) License Agreement.

The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is Rs . 4 billion. In addition to equipping government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements regional Internet Monitoring Systems , such as that of Assam, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.

However, data monitored and collected through the CMS will be stored in a centralised database, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that the bigger the amount of data , the bigger the probability of an error in matching profiles, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The UAS License Agreement regarding the CMS mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.

Interestingly enough, Indian law enforcement agencies which attended last years ’ ISS World trade shows are linked to the Central Monitoring System. In particular, last years’ law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the agencies which will have access to the CMS: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.

Furthermore, Spy Files 3 entail a list of last years ’ ISS World security company attendees, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides solutions for targeted and mass monitoring of IP and voice networks, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.

In fact, ClearTrail states in its brochure that its ComTrail product is equipped to handle millions of communications per day, while its xTrail product can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s “Astra ” is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Centralized Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells target and mass monitoring products to law enforcement agencies. The Centralized Monitoring System is currently being implemented. What are the odds that ClearTrail is not equipping the CMS? And what are the odds that such technology is not being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?

Spy Files 3...and the legality of India’s surveillance technologies

ClearTrail Technologies’ brochure -the only leaked document on Indian surveillance technology by the latest Spy Files- states that the company complies with ETSI and CALEA regulations. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply within India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.

India has five laws which regulate surveillance:

1. The Indian Telegraph Act, 1885

2. The Indian Post Office Act, 1898

3. The Indian Wireless Telegraphy Act, 1933

4. The Code of Criminal Procedure (CrPc ), 1973: Section 91

5. The Information Technology (Amendment ) Act, 2008

The Indian Post Offices Act does not cover electronic communications and the Indian Wireless Telegraphy Act lacks procedures which would determine if surveillance should be targeted or not. Neither the Indian Telegraph Act nor the Information Technology (Amendment ) Act cover mass surveillance, but are both limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.

The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of a public emergency or for public safety. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.

The interception of Internet communications is mainly covered by the 2009 Rules under the Information Technology Act 2008 and Sections 69 and 69 B are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaked national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.

While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the mass surveillance of communications. In other words, ClearTrail’s products, such as ComTrail, which enable the mass interception of IP networks, lack legal backing. However, the Unified Access Services (UAS ) License Agreement regarding the Central Monitoring System mandates mass surveillance and requires ISP and Telecom operators to comply.

Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content even without a warrant, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength, target numbers like IMSI, TIMSI, IMEI or MSI SDN, which can be captured through ClearTrail’s mTrail product.

More importantly, following allegations that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all all such equipment imported over a ten year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since, the Home Ministry has informed the heads of law enforcement agencies that there has been a compete ban on use of such equipment and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring is illegal and Indian law enforcement agencies are prohibited from using it.

ClearTrail’s “Astra ” product is capable of remote infection and monitoring, which can push bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such licenses mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s QuickTrail is technically legal or not. The UAS License agreement mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.

The issue of data retention arises from ClearTrail ’s leaked brochure. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.

Section 7 of the Information Technology (Amendment) Act, 2008, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.

Data retention requirements for service providers are included in the ISP and UASL licenses and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.

India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether ClearTrail ’s spy products are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception- but they are mandated through the UAS License agreement regarding the Central Monitoring System.

In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the UAS License Agreement mandate mass surveillance, the laws - particularly the 2009 Information Technology Rules- mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this does not constitute mass surveillance legal or illegal, but rather a grey area. Furthermore, while India ’s Telegraph Act, Information Technology Act and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.

One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appear to create a grey zone for the expansion of mass surveillance in the country. According to Saikat Datta, an investigative journalist, a senior privacy telecom official stated:

“Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?”

Spy Files 3...and human rights in India

The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, ClearTrail, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.

In particular, ClearTrail’s ComTrail provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. xTrail enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well QuickTrail proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.

And indeed, carrying a mobile phone is like carrying a GPS device, especially since mTrail provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions though which arise are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that we are all suspicious until proven innocent .

And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by Astra. Having physical access to a targeted device is a conventional surveillance mean of the past. Today, Astra can remotely push bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, we should all have something to hide !

Privacy protects us from abuse from those in power and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance - especially the type undertaken by ClearTrail ’s products - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.

And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, a UK student studying Islamic terrorism for his Masters dissertation was detained for six days . The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.

This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.

This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always “have something to hide ”, as that is the only way to protect us from abuse by those in power.

In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by ClearTrail, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the International Principles on Communications Surveillance and Human Rights.

Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.

This article was cross-posted in Medianama on 6th November 2013.

For more details visit https://cis-india.org/internet-governance/blog/spy-files-three

Spy agencies, IB and RAW, put spanner in proposed privacy law

praskrishna — 2013-11-19T09:50:05Z

The country’s intelligence agencies are out to scuttle a law that’s being drafted to protect your privacy.

The article by Nagender Sharma and Aloke Tikku was published in the Hindustan Times on November 2, 2013. Sunil Abraham is quoted.

The Intelligence Bureau and the Research and Analysis Wing (RAW) have told the government to water down the proposed law that makes it a crime to leak sensitive personal information collected by government departments and the private sector.

The agencies conveyed their views to national security adviser Shivshankar Menon at a recent meeting at the prime minister’s office. With home secretary Anil Goswami backing the spooks, even arguing that “the very need for such a bill” should be reviewed, Menon has called for revisiting the provisions the agencies have objected to.

The Right to Privacy Bill 2013 lays down privacy principles and standards, and stipulates jail terms and fines for leak of sensitive personal data.

“If such a bill was to be considered, intelligence agencies should be exempted from its purview,” Goswami argued at the meeting.

The intelligence agencies also spoke about how the bill would “adversely affect or compromise” the functioning of many agencies and projects, such as the Central Monitoring System that is used to intercept phone calls and internet communication, and the National Intelligence Grid that would give law enforcement agencies access to information combat terror threats.

The proposed privacy law was initially conceptualised to address data privacy, particularly in the context of data handled by the Indian IT industry for foreign clients.

But the Department of Personnel and Training – that drew up the bill – expanded its scope to cover information collected by the government and interception by intelligence agencies.

Sunil Abraham of the Centre for Internet and Society, a Bangalore-headquartered advocacy group, said the security establishment’s attempts to scuttle the privacy law were a step back.

“Civil society isn’t against surveillance by security agencies. All that we ask for is due process and oversight,” Abraham said.

For more details visit https://cis-india.org/news/hindustan-times-november-2-2013-nagender-sharma-alok-tikku-spy-agencies-ib-and-raw-put-spanner-in-proposed-privacy-law

Spreadsheet data on sample of 50 security companies

maria — 2014-02-28T16:13:39Z

For more details visit https://cis-india.org/internet-governance/blog/data-on-surveillance-technology-companies

Spreading unhappiness equally around

sunil — 2018-07-31T14:49:52Z

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.

The article was published in Business Standard on July 31, 2018.

There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.

Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reigned in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.

Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discreet property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with
the henhouse.

Employees should be unhappy because the Bill has an expansive ground under which employers can nonconsensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced otherwise disproportionate mechanisms like spyware on work computers will be installed by employees without providing notice.

Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited "right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently social power asymmetries.

Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.

Lastly but also most importantly, human rights activists are unhappy because the committee again like the GDPR did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around

Spending too much time on social media? Tech abuse may lead to mental health issues

Admin — 2018-10-18T00:55:46Z

Technology is a boon, no doubt. But where can we, in ourdigital lives, draw the line between convenience and addiction? ET’s Divya J Shekhar finds out how the IT city is dealing with internet addiction and how collective social effort might help find the sweet spot.

The article by Divya Shekhar was published in Economic Times on October 13, 2018. Sunil Abraham was quoted.

Fifty-odd residents in Hebbal switched off all their digital devices between 7 and 9 pm two days ago on World Mental Health Day. This Saturday, they will join other members in their 1,200-strong group to plug out once again. They plan to make this a weekly ritual.

At the centre of this initiative, which is called 'Time Out from Plugins', is a mother who started researching on technology addiction after observing her 16-year-old son play online games for long hours. Tejaswi Uthappa, a freelance writer, said that her otherwise wellbehaved son becoming irritable and snappy after being glued to the gaming console for hours got her thinking about the ill-effects of letting technology take over our lives.

Types of Technology Addiction

“As parents, we might casually complain about our children spending most of their time on television, digital games or laptops. But this is actually far more serious because it impacts their brain, and eventually, their behaviour,” said Uthappa, who now wants to reach out to schools and colleges to help create awareness about technology-addiction among youngsters.

An increasing number of Bengalureans are getting addicted to technology. Just last week, a 26-year-old checked in to the National Institute of Mental Health and Neurosciences (Nimhans) to seek treatment as he had watched Netflix for over seven hours a day for the past six months in order to escape the reality of his unemployment. From excessive PUBG (online game) and social media overdose to need for virtual validation and incessant online shopping, psychiatrists are treating a gamut of technology addictions.

How Much is Too Much?

According to experts at Nimhans, eight out of 10 technology addiction cases are related to online gaming. This is in line with a 2013 survey conducted by the Indian Council for Medical Research in Bengaluru, which revealed that 4.1% people in the IT city between 18 and 60 years of age were addicted to their mobile phones, while 1.3% were internet addicts. This number might have increased with the Telecom Regulatory Authority of India (Trai) stating that as on March 2018, there were 1.18 billion wireless subscribers and 493 million internet or broadband subscribers in the country.

Manoj Kumar Sharma, a clinical psychologist at the Service for Healthy Use of Technology (SHUT) Clinic at Nimhans, said that he caters to almost six-seven patients every week, up from two-three people who checked into the clinic when it launched in 2014. “It goes to show that people are conscious and are actively taking action to correct their addictive tendencies,” he said. Most people between ages 16 and 20 are addicted to social media, Sharma explained, tend to develop body image issues if their online activity or post does not garner enough attention or ‘likes’. This need for validation from virtual friends to make up for their lonely reality is also directly proportional to the number of cosmetic surgeries.

IT City's Tech Addiction

For those between 24 and 28 years of age, the addiction is usually in the form of pornography or online streaming platforms like Netflix. Experts have also coined the term ‘online infidelity’ to describe a condition where adults satisfy themselves using online platforms rather than through physical intimacy with their respective partners.

“There is a bidirectional relationship between depression and use of technology. The latter can be used as a coping mechanism for stress and anxiety. Conversely, technology abuse can also intensify depression,” said Sharma.

Medical professionals state that ideally, an individual’s daily social media consumption should be broken down to brief 20 minute sessions. “When a digital screen is the last thing you look at before going to sleep, it messes with your hormones. For instance, the heart and pulse rate increase, blood pressure for those with hypertension tends to increase and the body’s response to diabetes medication will vary,” said consulting physician and cardiologist Dr B Ramana Rao.

Increased exposure to technology, he explained, affects eyesight, causes mood alterations, and makes individuals angry and irritable. There are four main criteria, experts said, through which addiction can be determined: if use of technology affects your sleep, productivity, interpersonal relationships and makes you isolate yourself from social activities.

Open Communication

Parents, counsellors, schools and colleges are recognising the need to work together to find solutions and disconnect those vulnerable to internet overuse. Mansoor Ali Khan, member, board of management, Delhi Public School, said that while schools are often considered “uncool” if they do not use technology in classrooms, it is necessary to understand that sometimes, simple, conventional learning works best.

“Children who have been handed iPads and smartphones when they are as young as three years old, have lower concentration levels and learning capability. Moreover, the conversations they have with friends also restricted to TV shows and games,” he said.

Do you have Nomophobia?

The school plans to increase cyber literacy and make the discourse around technology addiction more transparent. Sharma of SHUT Clinic, who launched a Digital Detox app earlier this year, is now developing an intervention module that he wants to take to schools and colleges. This, he said, will help academicians study how to control use of technology as a coping mechanism for peer pressure, boredom and stress. It would also help, he
added, if parents and elders are less judgmental about those needing help.

Sunil Abraham, executive director, The Centre for Internet and Society, told ET that parents must understand the concept of introducing incremental screen time to avoid addiction. This means, children between ages 1 and 3 must have zero screen time, those between 3 and 9 must have one hour of screen time every day, while adolescents between 9 and 15 years of age can access internet only for two hours daily.

“Parents todayccessed by children need to be kept in common areas like the living room,” said Abraham, stressing that parents should never use gadgets to distract children or keep them busy.

Tejaswi Uthappa agrees. According to her, open lines of communication about internet usage and cyberspace helps people seek help. “Our initiative, for instance, started with just me. But now, there are over a thousand adults — parents, working professionals or homemakers - who come on-board the moment they hear that we combat internet addiction. Only our intent and not our method, matters to them,” she said. “So it is a question of stakeholders acknowledging that this as a problem and coming together to find ways to solve it.”

For more details visit https://cis-india.org/internet-governance/news/economic-times-divya-shekhar-october-13-2018-spending-too-much-time-on-social-media

Speculative Futures Lab on Artificial Intelligence in Media, Entertainment, and Gaming

Admin — 2018-12-05T03:12:58Z

Pranav Manjesh Bidare attended the event organised by Quicksand between November 16 and 18, 2018 in Bangalore as a panelist.

Pranav was a panelist in the session discussing "Ethics of AI in the Creative spaces" on November 17, alongside Urvashi Aneja, and Abishek Reddy from Tandem Research. For more info see this.

For more details visit https://cis-india.org/internet-governance/news/speculative-futures-lab-on-artificial-intelligence-in-media-entertainment-and-gaming

Speak Easy: Citizenship, Freedom of Expression and Online Governance

praskrishna — 2012-08-01T04:56:36Z

The event organised by the YP Foundation, Youth Ki Awaaz, Change.Org and RTI Anonymous was held at the American Centre in Kasturba Gandhi Marg, Connaught Place, New Delhi on July 31, 2012. Chinmayi Arun, a Fellow at the Centre for Internet & Society

The event focused on exploring the freedom of expression vis-a-vis its impact on accessibility and connectivity across multiple youth movements focused on gender, speciality, education, governance and arts.

There were group discussions with Venkatesh Nayak (Commonwealth Human Rights Initiative), Anja Kovacs (Internet Democracy Project), Chinmayi Arun (Centre for Internet & Society) among others.

Agenda

2.00 2.30	Registrations open for workshops!
2.30 2.45	Getting started – ‘Why Speak Easy?’
2.45 4.30	Speak Easy \| Learn: Workshops on advocating online, citizenship journalism, filing the Right to Information (RTI) application, and participating in online legislation with Youth Ki Awaaz, Change.Org, Get Up 4 Change, The YP Foundation and PRS Legislative.
4.30 6.00	Speak Easy \| Converge: Exploring the Freedom of Expression vis-à-vis its impact on accessibility and connectivity across multiple youth movements focused on gender, sexuality, education, governance and arts. Group Discussions with Venkatesh Nayak (Commonwealth Human Rights Initiative), Anja Kovacs (Founder, Internet Democracy Project), Chinmayi Arun (Centre for Internet and Society) and many others.
6.00 7.00	Speak Easy \| Demand: How can young people dialogue with decision makers?

Venue Partner: The American Center
Read the original published in the YP Foundation here

For more details visit https://cis-india.org/news/speak-easy

SpaceX Explosion Slows Facebook & Israeli Efforts To Control Online Content

praskrishna — 2016-09-14T11:24:47Z

In their ‘space race’ to expand internet access to remote, impoverished areas of the world, Facebook and Google are actually vying for control o fthe online experiences of millions of people.

The article by Kit O' Connell published by Mint Press News on September 13, 2016 has quoted Pranesh Prakash.

When a rocket operated by space startup SpaceX burned up on the launch pad, it was a setback to the prospects of commercial space travel, as well as efforts by Facebook to control the online experiences of millions of rural internet users.

Facebook’s project, Internet.org, is described by founder Mark Zuckerberg in charitable terms, but critics have accused it of spreading “techno-colonialism.”

The Sept. 1 fire in Cape Canaveral, Florida, destroyed a $200 million satellite owned by SpaceCom, an Israeli communications satellite firm, and co-leased by Facebook. The satellite, Amos-6, was built by Israel Aerospace Industries, a government-owned aviation and aerospace manufacturer.

Facebook’s partnership with SpaceCom is another sign of the corporation’s deepening ties with Israel. In June, Facebook appointed Jordana Cutler, a close advisor to Israeli Prime Minister Benjamin Netanyahu, as head of policy and communications at Facebook’s Israeli office.

Another setback for Facebook’s Internet.org

“Facebook was counting on [the satellite] to beam internet service to sub-Saharan Africa as part of its ambitious Internet.org project,” noted Will Oremus, Slate’s senior technology writer.

The Los Angeles Times reported that SpaceCom’s stock fell 9 percent on the Tel Aviv Stock Exchange after the explosion. Zuckerberg shared his dismay in a post on his facebook page, writing:

“As I’m here in Africa, I’m deeply disappointed to hear that SpaceX’s launch failure destroyed our satellite that would have provided connectivity to so many entrepreneurs and everyone else across the continent.”

Internet.org would help users get online in areas lacking conventional internet access, and the service, which works in partnership with local mobile phone companies, has launched, at least provisionally, in 48 countries in Africa, Asia, and Latin America. In addition to satellites, Internet.org plans to use cutting edge solar-powered drones to expand internet access in remote parts of the world.

The service is not without controversy, though. An offering called “Free Basics” would provide users who can’t afford full internet access with a curated selection of websites, tailored for use on low bandwidth devices such as older smartphones. Free Basics generated international protests after it was rolled out in India, and was eventually blocked by the Telecom Regulatory Authority of India in March 2015 for violating the principle of net neutrality.

In a May 12 analysis for The Guardian, Mumbai-based journalist Rahul Bhatia suggested the failure of Free Basics was also due to Zuckerberg’s dismissive attitude toward the Indian government and people.

An unnamed Facebook executive told Bhatia that Zuckerberg made the “mistake of thinking that a third-world country is a banana republic. So institutions, the public, the press — they can be bypassed.”

Colonialism or philanthropy?

Indian students gather for a protest against Facebook’s “Free Basics” in Hyderabad, India. A central element of Facebook’s Internet.org campaign was controversial even before it was shut down in a key market this month. Indian regulators banned one of the pillars of the campaign, a service known as Free Basics, because it provided access only to certain pre-approved services – including Facebook – rather than the full Internet.

Google and its parent company, Alphabet, also intend to spread internet to rural, underserved areas through the unique balloon-based Project Loon. Tech site Pocket-Lint reported in March 2015 that SpaceX hoped to offer internet service through its satellites, in what reporter Luke Edwards called an “internet space race.”

Pranesh Prakash, a representative of the Centre for Internet & Society, an NGO based in Bangalore, India, questioned the company’s motivation in a June 2015 interview with Al-Jazeera.

“They’re doing it out of their self-interest,” Prakash told Tarek Bazley, Al-Jazeera’s science and technology editor.

“They are not doing it because they are charities, because they believe in altruism etc. They’re doing it because having more people online benefits them.”

And Aral Balkan, a human rights activist, told Bazley, “I wouldn’t call it philanthropy I would call it colonialism.”

In an August 2013 post on his homepage, Balkan went into more detail about his “strong reservations about why Google and Facebook want to be the ones providing this service.”

Noting that both tech corporations profit primarily from collecting and selling information about their users, he continued:

“Google and Facebook want to give everyone access to the Internet because they need more raw materials. More data. Your data. So they can cultivate more Digital Serfs to sell to their customers.”

For more details visit https://cis-india.org/internet-governance/news/mint-pressnews-september-13-2016-kit-o-connell-spacex-explosion-slows-facebook-israeli-efforts-to-control-online-content

South African Protection of Personal Information Act, 2013

divij — 2014-05-05T06:59:51Z

As the rapid spread of technology in developing countries allows exponentially increasing availability of and access to personal data through automatic data processing, governments are beginning to recognize the necessity to evolve policies addressing data security and privacy concerns.

The source of pressure for strict legal regulations addressing data protection are both the growing recognition of the importance of privacy rights, as well as the risk of falling behind on international standards on data protection, which would hamper the potential of developing countries as destinations for outsourcing industries which depend largely on processing of information.[1] The Protection of Personal Information Act enacted by South Africa is an example of a policy which enables a comprehensive framework for data security and privacy and is a model for other developing nations which are weighing the costs and benefits of establishing a secure data protection regime.

The South African law traces the right to protection of personal information back to Section 14 of the South African Constitution, which provides for a right against the unlawful collection, retention, dissemination and use of personal information. The law establishes strict restrictions and regulations on the processing of personal information, which includes information including relating to race, gender, sexual orientation, medical information, biometric information and personal opinion. The processing of personal information under the Act must comply with 8 principles, namely - accountability, lawful purpose for processing and processing limitation, purpose specification, information quality, openness and notice of collection, openness, reasonable security safeguards and subject participation, in line with the international standards for fair information practices.[2] The Act also recognizes ‘special personal information’, including religious or political beliefs, race, sexual orientation and trade union membership, as well as any personal information of children below the age of 18, which require stricter safeguards for processing,. Similar to the draft Indian legislation on privacy, the Act contemplates an independent regulatory mechanism, the information regulator, which would have all the necessary powers to effectively monitor compliance under the Act, including the power for punishing offences under the Act.

The Protection of Personal Information Act contains 115 Sections and is meant to be an exhaustive and heavily detailed policy to bring South Africa’s laws in line with EU and international regulations on data protection.[3] Though such progressive policies should be a model for policy changes in other developing nations, one aspect in which the law fails is to address increasing privacy concerns arising from widespread government-enabled surveillance and data retention. The POPI excludes from its application the processing of information related to national security, terrorist related activities and public safety, combating of money laundering, investigation of proof of offences, the prosecution of offenders, execution of sentences or other security measures, subject to adequate safeguards being established by the legislature for protection of personal information. Unfortunately, the ambiguous wording of the exclusions, especially in determining “adequate safeguards”, leaves its interpretation and application open for governments to engage in mass surveillance in the name of public security. Over the past few years, governments have taken to using technology and information, particularly through mass surveillance, to collect comprehensive information on their citizens and violate their liberties and privacy. In India, particularly with programs like the Central Monitoring System being implemented, any policy which purportedly aims at the protection of privacy must not only seek bare minimal compliances with the current international standards for data protection, but should also address the mass, unrestricted surveillance and data retention which is taking place in the name of public security.

Developing nations like South Africa and India face significant challenges in ensuring individual privacy, particularly the lack of sufficient legal safeguards for the protection of privacy. The right to privacy is often dismissed as an elitist or western concept, which does not have value in the context of developing nations, without engaging with the realities and the nuances of the right. Further, the costs of expensive technical safeguards means private and public bodies are required to spend significant resources in maintaining data security and these factors often outweigh privacy considerations in policy debates. The South African Act, hence, serves both as an important model for legislation and as an indication that the right to privacy is valuable to recognize in developing countries as well.

[1]. Article 25 of the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such data (Directive 95/46/EC) prohibits the transfer of data to non-member states which do not comply with adequate data protection norms.

[2]. http://oecdprivacy.org/

[3]. Link to Act: www.gov.za/documents/download.php?f=204368

For more details visit https://cis-india.org/internet-governance/blog/south-african-protection-personal-information-act-2013

SOTM Asia 2018

Admin — 2018-11-28T01:22:44Z

Saumyaa Naidu, Aayush Rathi and Ambika Tandon attend State of the Map 2018 conference co-organized by the Centre for Internet & Society and Indian Institute of Management in Bangalore on November 17 and 18, 2018.

State of the Map Asia 2018 featured two full days of talks, workshops, an opening and closing keynote. It was an exciting two days! The program was created by curating proposals from the community and through a scoring process by the committee.

The program was held at the Indian Institude of Management campus in Bangalore. Much of the program was between two auditoriums. We also had plenty of space set aside for breakout sessions and birds of a feather meetups. (Click here to download the program.)

Click here to see the agenda

For more details visit https://cis-india.org/internet-governance/events/sotm-asia-2018

Sorry, Business Closed until Internet is Back On

Nalanda Tambe — 2017-12-19T16:25:24Z

Strap: Exporters say they lose face with international clients when internet shutdowns block deliveries.

Vadodara, Gujarat: A household name in Vadodara, Jagdish Farshan has been famous for Gujarati snacks like Leelo Chevdo and Bakarwadi since 1938. Since the year 2000, they started exporting their snacks to the millions of Gujaratis settled across the globe, especially in Africa, USA, Australia, Canada and New Zealand. It is one of the many indigenous businesses that helps Gujarat contribute 25% of the total exports from India. But the outfit synonymous with both tradition and modernity for 79 years, was also one of the many exporters to receive an unexpected jolt in August 2015, during the week-long internet shutdown during the Patidar protests for reservations across the state.

Kalpesh Kandoi, the chairman of Jagdish Farshan Pvt Ltd says, “Gujaratis in various countries buy our snacks online through our website, or through email. During the internet ban, we suffered quite a lot due to the blockage of orders and failure of deliveries.” Since nearly 50% of their annual revenue comes from exports, the shutdown threw a significant spanner in the works. Although the government claims it banned only mobile data, many businesses admit to their broadband and WiFi also being hit, or seeing debilitating delays.

“Of course, if there is an emergency from the importers’ side, they can call us directly,” says Kandoi. “But then again, a kind of inconvenience is created to them from our side, which is very shameful. It destroys our trustworthiness and credibility.” Many of their production centres in Gujarat, especially Vadodara, fell back on meeting orders when bank payments were stuck, or orders weren't accessible. Thankfully for the company, its manufacturing unit in Australia was able to meet at least some of the international orders when most districts of Gujarat couldn't access the internet.

The ban seems to have had a domino effect outside India too. Preeti Shah, who imports snacks and sweets from Jagdish Farshan through her small home-based business in the USA, couldn't meet orders there during the internet ban in Gujarat. She told 101reporters on the phone from Philadelphia that when she started her business of selling Gujarati snacks 3 years ago, she marketed her service by calling her neighbours, friends and acquaintances personally. “I found that in return they emailed me their snack orders,” says Shah. “During the internet blockages in India, I had to apologise for not delivering the snacks to my clients because my orders were not fulfilled by the Gujarat-based exporters.” She lost 12 to 15 clients, most of them regulars. “The government has to realise the impact of the ban. What if I had lost all my clients just because of the internet ban?” she asks.

Gujarat is a major hub for several industries like dairy, automobile, gems, and pharmaceuticals, but its biggest exports are of cotton yarn, oilseeds, and seafood. With its highly advanced and well-equipped marine fish production techniques, it is able to export fish to UAE, Australia, USA, Japan, China, Canada, Brazil, Thailand, and Germany. Gems and jewellery too, though exported from Mumbai, are processed in Surat, Gujarat, one of the largest diamond hubs in the world. Already severely hit by demonetisation in November 2016, with large-scale closures, layoffs and losses, the diamond industry nearly buckled under the internet ban too.

Most of all, it is the unpredictable, ad hoc, and unannounced nature of the internet shutdowns that frustrates exporters, who liken it to annoying roadblocks traffic policemen install to allow VIP movement. For instance, in February 2016, the state suspended mobile internet services suddenly for four hours to prevent cheating during a revenue service exam.

Chandresh Shah, president of the Exporters and Importers (Exim) Club and the founder of Madhav Agro Foods, says that the entire export industry relies on the internet for over 95% of its business. “It is absurd on the part of government to ban internet for any reason especially when they know that it will hamper exporters to a great extent. They have to provide alternatives, or announce beforehand. People who are importing our products consider us unprofessional and we look foolish in the international markets. So such policies need to be revamped and rationalised properly.” He adds that the rising economic cost of such shutdowns must be factored in. A 2016 study by Brookings Institution that looked at 81 instances of internet shutdowns across 19 countries between July 2015 and June 2016 found that they had cost the world economy a total of $2.4 billion. India, at a conservative estimate of $968 million due to 22 shutdowns (as much as Iraq), was one of the biggest losers.

As the digital economy grows, the cost of frequent internet shutdowns will only accelerate. As the central government pushed the ‘Make in India’ initiative, Surat-based Falguni Patel (name changed) was inspired to start an online boutique in late 2014. A textiles student and first-time entrepreneur, she invested nearly Rs 10 lakhs ($15,600) through loans and savings. Unfortunately, a few months into her business, an internet ban was put in place. “It was a sheer coincidence that I received an order from Madhya Pradesh, along with an advance payment, just two days before the week-long internet ban. After that they mailed me four times – first with some requirements, then two follow-up emails and a final one demanding a refund of the advance –but I didn’t receive any of these due to the ban. Meanwhile, I used the advance to purchase raw materials needed.” After the ban was lifted, Patel realised what had happened. “When I called them personally and explained the situation, they called me unprofessional. When I said I would repay their money in 3-4 instalments, they filed a police complaint against me for theft.” Only a single order had turned bad, but it delivered a strong enough blow. Discouraged by the experience, and pressured by her parents who didn't want her to invest in the business anymore, Patel shut her website, and shelved her e-commerce dreams.

Some companies, like Dinesh Mills, one of Vadodara’s oldest textile companies, prevented losses by invoking their brand value and stepping up customer relations during the ban. Uday Shitole, General Manager – Sales, at Dinesh Mills, says the internet is a boon for the export industry due to its speed, web orders, low cost, and proper documentation. But he admits that in India, it's mandatory to have traditional back-up systems, even if this is much costlier, because political realities make even something as advanced as the internet unpredictable. Sudhir Purohit, Vice President (Exports), Dinesh Mills Ltd, says their decade-long relationships with suppliers and purchasers, initiated in the pre-internet days, stood the company in good stead. “We export the materials through digital orders too, but in our system, the negotiation of contracts has to be handled in person and non-negotiable ones can be done wholly through the internet. Without this, we will be vulnerable to any disruption, like internet ban, or accidents, that will definitely lead to delays and losses.”

Nalanda Tambe is a Vadodara- based freelance writer and a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/sorry-business-closed-until-internet-is-back-on

SOPA: The bill that could kill the Internet

praskrishna — 2011-11-18T07:26:30Z

As the US government’s House Judiciary Committee begins hearings on the proposed Stop Online Piracy Act, (SOPA), both supporters and opponents are ramping up their campaigning, with big names getting involved. And so they should. SOPA’s stakes are no less than the future of the Internet itself.

The key problem with SOPA is that it seeks to allow any copyright holder to sever any website’s relationship with online advertising networks or credit card processing services, simply by pointing the finger. As Ars Technica explains:

Calling its plan a “market-based system to protect US customers and prevent US funding of sites dedicated to theft of US property,” the new bill gives broad powers to private actors. Any holder of intellectual property rights could simply send a letter to ad network operators like Google and to payment processors like MasterCard, Visa, and PayPal, demanding these companies cut off access to any site the IP holder names as an infringer.

[…] So long as the intellectual property holders include some “specific facts” supporting their infringement claim, ad networks and payment processors will have five days to cut off contact with the website in question.

The bill also gives the government the power to get an injunction against foreign sites which would force ISPs to, within five days, ”prevent access by its subscribers located within the United States to the foreign infringing site.” Essentially, it obliges ISPs to break their own DNS servers by filtering or redirecting users who try to access an accused site. It would also ban any tools which allow circumvention of such blocks.

It doesn’t take a genius to see how this could be abused: An aggrieved party accuses a site of infringement, with or without reliable evidence, and suddenly that site can no longer accept credit cards or PayPal payments and its advertising revenue dries up completely. And we know that the IP industry isn’t above false accusations of copyright infringement. It’s not just business websites that could be affected, but open source projects too.

Opponents currently include businesses such as Google, Facebook, Zynga, eBay, Twitter, Yahoo!, AOL, and LinkedIn who, together, sent a letter; advocates such as the Electronic Frontier Foundation, Reporters Without Borders, and Human Rights Watch; as well as eleven members of the House of Representatives who have also written a letter to the House Judiciary Committee. Another letter from human rights groups includes India’s Centre for Internet and Society as well as the Church of Sweden.

There are also complaints that the House Judiciary Committee is trying to push the legislation through with undue haste. Says PCWorld:

Critics of the legislation also complained that the US House of Representatives Judiciary Committee appears to be fast-tracking the bill before opposition can build. At a 10 am hearing Wednesday, five of six witnesses are likely to speak in favor of SOPA, with only Google opposed. Witnesses the Motion Picture Association of America, trade union the AFL-CIO and pharmaceutical company Pfizer have all voiced support for the bill.

No public interest groups, Internet engineers or human rights groups have been invited to the hearing, said Gigi Sohn, president of Public Knowledge, a digital rights group. “This is really being railroaded, without a full public debate,” she said.

Indeed, the tone of the Committee’s so-called fact sheet, which lays out a series of ‘myths’ and ‘facts’, gives cause for concern, implying as it does that they have already decided which side of the fence they will land on. What is also disturbing is that the US Copyright Office — which as a part of the Library of Congress, one would expect to be impartial and evidence-led — will be offering an “unqualified endorsement“:

“It is my view that if Congress does not continue to provide serious responses to online piracy, the US copyright system will ultimately fail,” [Copyright Office director Maria] Pallante’s testimony says.

Pallante and representatives from Pfizer, the Motion Picture Association of America, the AFL-CIO, and Mastercard, all of whom support the bill, will be testifying tomorrow before the House Judiciary committee.

For Americans who are unimpressed by this latest move from the content industries to control the Internet, there is a letter writing campaign encouraging people to contact their congressperson. For non-Americans, Avaaz has set up a Save the Internet petition which currently has 70,000 signatures and is racking up hundreds of new signatures every minute.

There’s no doubt that tech journalists, free software advocates and digital rights campaigners and internet businesses worldwide will be glued to coverage of today’s Judiciary hearing. But, given the power of the copyright industry’s lobbying arms, it is hard to expect discussions to conclude satisfactorily. It may just be that the entire Internet will have to rely on the strength of the US Constitution, which SOPA may contravene, to save it.

This article by Suw Charman-Anderson was published in Firspost.Technology on November 16, 2011. The original can be read here

For more details visit https://cis-india.org/news/bill-could-kill-internet

Sony site flaw puts focus on Internet security

praskrishna — 2011-05-30T13:15:07Z

INTERNET security has once again come into sharp focus with Sony discovering a loophole in their website set up to reset passwords for its users affected by the hacking of the PlayStation network. Shayan Ghosh's article was published by Mail Today on Friday,May 20, 2011.

Sony on Thursday announced that it has found a security flaw on its website that could have allowed a hacker access to private details of its gaming buffs.

"We are in the process of continuous restoration of the website loopholes that have been identified and it will be healed pretty soon," said Atindriya Bose, country manager at Sony Computer Entertainment.

Last month, Sony’s PlayStation network was hacked and user data such as email ids and credit card details were possibly stolen in huge numbers, affecting users worldwide.

"Some users could say botnets (a collection of infected computers or those taken over by hackers) are the largest threat today because they have the potential of shutting down websites, online stores and even Governmental websites and critical resources," Costin Raiu, director of the global research and analysis team, Kaspersky Lab, said, explaining the present online threat scenario.

"Others say that a much more serious threat can come from mobile malware, because there are a lot more mobile phones than computer systems," he noted.

"Even though hacking is going on we are prompt to enhance our security measures. But only these won’t help. The Indian users also need to be conscious; they also need to be vigilant about private details such as credit cards when they are on the web," Bose explained.

"A lot of companies are successful in e-commerce and have been in the industry for quite long. But regarding such flaws, it depends on how fast the company reacts to the situation," he said.

Hacking is like an arms race, according to Sunil Abraham executive director, Centre for Internet and Society. "It is going side by side with the security measures that people are taking," he said.

Abraham said there are many reasons behind the recent rise in hacking with data being stolen very often.

Firstly, the information system nowadays is more complex though not mature enough to handle such threats. Secondly, the social networking sites are a key player when it comes to damage undergone due to hacking. The level of data loss is huge when one hacks a social networking site which, was not the case before. Thirdly, new updates of these networking and gaming sites are released very frequently, which leaves little time to check the security flaws in the website.

"New features are more prone to attacks," Abraham said.

"As attackers become more sophisticated and targeted, hacking continues to be a serious threat. In fact, Symantec’s Internet Security Threat Report 16 revealed that an average of 260,000 identities were exposed per data breach caused by hacking in 2010, nearly quadruple that of any other cause," Abhijit Limaye, director, security response, Symantec, said.

However, there are ethical hackers who feel the need for security and also think that hacking will be a major issue worldwide, in a couple of years.

Download the original article published by Mail Today here [PDF, 2.08 MB]

For more details visit https://cis-india.org/news/sony-site-flaw

Some Key Words Are Missing

praskrishna — 2015-09-27T14:22:44Z

Google manipulating search results? The Competition Commission is on its case.

The article by Arindam Mukherjee was published in Outlook on September 21, 2015. Nehaa Chaudhari was quoted.

G’s Global Woes

Google’s problems aren’t restricted to India. It is facing similar cases around the world.

Europe: The search giant has been accused of using its dominant position on the web to dominate the market for online product searches. There’s another probe on possible abuse of dominant position with Android.

Brazil: Is being investigated for favouring its own services over others on the internet

Hong Kong & Argentina: Facing issues about collecting user data

Spain: Had to shut down Google News over copyright issues.

Germany: Its Google Street View navigation service got into problems over privacy issues

Mexico: The local regulator has brought up issues similar to those in Europe

There is an uneasy calm at Google’s India offices these days. Spokespersons are giving measured statements, watched over by an army of lawyers who are busy looking at the finer points. A case against Google’s advertising and search practices with the Competition Commission of India (CCI) has the potential to derail the search giant’s operations in India. Why, a nervous Google has even sought to make hearings in this case in-camera to totally shut out the media.

There is a lot at stake. An investigation report of the CCI has found Google squarely guilty of abusing its dominant position to manipulate search results on the internet and online advertising results to its own advantage and to those of companies paying for it. Google was found to “have abused its dominant position in the relevant markets of online general web search service in India and online search advertising in India in violation of the Competition Act 2002”.

Indeed, the report (which has been reviewed by Outlook) is blunt on many of the issues: “Google is found to be indulging in practices of search bias and by doing so it causes harm to its competitors as well as users.... Google steers users to its own products and services and produces biased results. This structure offers abundant opportunities for leveraging and has also raised issues of conflict of interest.” It says that through such practices Google was adversely affecting the competitive landscape in the markets for online general web search, search advertising as well as adjacent markets like travel, maps, social networking and e-commerce.

The whole brouhaha started with complaints from two parties—Chennai-based matchmaking portal Bharatmatrimony.com and Jaipur-based consumer rights organisation CUTS International—in 2012. “People who are subscribing to Google’s Adwords and are paying Google or are buying keywords are getting preference in their search results. Many of the search results on Google are either ads or sponsored links and not genuine search results. Google is pushing ads as news items which normal users would be unable to distinguish,” says Sharad Bhansali, managing partner, APJ SLG Law Offices which is representing CUTS.

CUTS also complained that Google was promoting its own products through search. Says Udai Singh Mehta, CUTS director, “Preference was being given by Google to its products and subsidiaries in search.” This, being a dominant player in search and online advertising, amounts to abusing its position. According to market estimates, Google enjoys a 93 per cent share of the search market and gets about 85 per cent of the revenues of online advertising. Says Nikhil Pahwa, editor-in-chief of Medianama: “In search cases, Google is clearly the dominant player in the market. So when they start integrating content into search, there is a problem and it becomes an issue.”

In the course of the investigation, the CCI D-G also sought opinion from about 30 companies—most of them gave similar feedback about Google’s practices. The list includes Flipkart, mapmyindia.com, makemytrip.com, Microsoft and Nokia Maps.

Google will now have to appear before the full CCI bench on September 17 for a hearing based on the D-G report. After this, the CCI will take a final call on the issue. Of course, Google can seek an extension of this hearing. According to company insiders, they have not sought an extension yet. Google will have the right to appeal any order the CCI comes out with. The first appeal would be at the court of a competition appellate tribunal headed by a retired SC judge. The final appeal can happen only with the Supreme Court.

As expected, Google denies any wrongdoing and says the abuse of dominant position will need to be proved. Manas Chaudhuri, lawyer with Khaitan & Co which deals with competition cases, told Outlook, “The report says that Google is dominant, which is correct. If it is dominant, there is nothing wrong under the Competition Act. The issue is whether or not it has abused its dominance. The ‘abuse’ is a rule-of-reason argument and as such the CCI will have to assess quite a few international best practices theories eg, ‘objective justification’, ‘analysing the statutory mandate of meeting the competition in the relevant market’, ‘consumer harm’ and ‘counterfactuals’.”

In response to queries, a Google spokesperson said, “We’re currently reviewing the report from the CCI’s ongoing investigation. We continue to work closely with the CCI and remain confident that we comply fully with India’s competition laws. Regulators and courts around the world, including in the US, Germany, Taiwan, Egypt and Brazil, have looked into and found no concerns on many of the issues raised in this report.” Actually, Google is facing a similar case in the EU, while similar issues have been raised in Brazil, Hong Kong, Argentina and Mexico.

Sure, at first blush, the report appears tilted against Google. What may go in its favour is the CCI’s dismal record in treating such cases. Though it is the final investigation report, experts say it is not sacrosanct: the CCI bench might not agree with it. In the last six years, over 20 such investigation reports have been dismissed by the CCI after the final hearing. And Google will try its best to bring forth the fact that it has been exonerated in similar cases in the US, Germany and Taiwan.

But with the D-G’s final investigation report giving a clear verdict against Google’s practices, it might not be so easy for the search giant to come out cleanly from this one. Says Nehaa Chaudhari, lawyer with the Centre for Internet and Society (cis), “Given that India is not the only jurisdiction where Google is using its secret algorithm to promote its own products, there is enough for the CCI to proceed on against it.” What will also help is the testimony of several companies who have said that they have suffered because of Google’s web practices.

The entire world is watching India. Clearly, if the CCI upholds the D-G report and pronounces Google guilty, it could seriously affect the search giant’s growth in India, one of the fastest growing internet markets for Google with over 300 million internet users and an even faster growing Android landscape (where also it is a dominant player). With the final EU verdict on the case yet to come out, will India set a new example for the world to follow?

For more details visit https://cis-india.org/internet-governance/news/outlook-september-21-2015-arindam-mukherjee-some-key-words-are-missing