We are anonymous, we are legion

Sixth Meeting of the two Sub-Groups on Privacy Issues under the Chairmanship of Justice AP Shah

praskrishna — 2012-08-23T09:48:55Z

The sixth meeting of the two sub-groups on privacy issues will be held on August 31, 2012 at 10.00 a.m. in Committee Room No. 228, Yojana Bhawan, Sansad Marg, New Delhi under the chairmanship of Justice AP Shah, former chief justice of Delhi High Court.

No. M-13040/43/2012-CIT&I (Pt. File)
Government of India
Planning Commission
(CIT&I Division)

Yojana Bhawan, Sansad Marg,
New Delhi, dated the 23rd August, 2012

Meeting Notice

Subject: Meeting of the Group of Experts on Privacy Issues to be held on 31st August, 2012 under the Chairmanship of Justice A.P. Shah, former Chief Justice of Delhi High Court.

The meeting of the Group of Experts on Privacy Issues under the Chairmanship of Justice A.P. Shah, former Chief Justice of Delhi High Court is scheduled to be held on 31st August, 2012, at 10.00 AM in the Committee Room No. 228, Yojana Bhawan, Sansad Marg, New Delhi - 110001.

The agenda of the meeting is to discuss and finalize the draft report prepared on the basis of the recommendations of the two Sub-Groups of the Expert Group (Copy enclosed).

You are requested to kindly make it convenient to attend the meeting.

(S. Bose)
Deputy Secretary (CIT&I)

Through e-mail to:

Justice A.P. Shah, Chairman
Shri R. S. Sharma, D.G., UIDAI
Dr. Gulshan Rai, D.G. CERT-In, DeITy
Shri Manoj Joshi, J.S. DOPT
Shri R. Ragupathi,Additional Secretary, Department of Legal Affairs
Shri Som Mittal, Nasscom
Ms. Barkha Dutt, NDTV
Ms. Usha Ramanathan
Shri Sunil Abraham, CIS
Dr. Kamlesh Bajaj
Ms. Mala Dutt
Shri R.K. Gupta

Copy for information to:
Dr. C.M. Kumar, Sr. Adviser (CIT&I)
PS to MOS (Planning, S&T and Earth Sciences)

(S. Bose)
Deputy Secretary (CIT&I)

For more details visit https://cis-india.org/news/sixth-meeting-of-sub-groups-on-privacy-issues

Sixth Annual Meeting of the Internet Governance Forum, Nairobi: A Summary

praskrishna — 2011-10-24T09:09:14Z

The sixth annual meeting of the Internet Governance Forum was held from 27 to 30 September 2011 at the United Nations Office in Nairobi, Kenya. Sunil Abraham participated in six workshops: Privacy, Security, and Access to Rights: A Technical and Policy Analyses, Use of Digital Technologies for Civic Engagement and Political Change: Lessons Learned and Way Forward, The Impact of Regulation: FOSS and Enterprise, Proprietary Influences in Free and Open Source Software: Lessons to Open and Universal Internet Standards, Access and Diversity of Broadband Internet Access and Putting Users First: How Can Privacy be Protected in Today’s Complex Mobile Ecosystem?

Privacy, Security, and Access to Rights: A Technical and Policy Analyses

Workshop No. 219
The workshop was moderated by Kim Pham, Expression Technologies, Civil Society (United States). The panel members included Carlos Affonso Pereira de Souza, Centro de Technologica e Socieda (Brazil), Christopher Soghoian, Indiana University (United States), Karen Reilly, Tor Project, Technical/Civil Society (United States) and Sunil Abraham, Centre for Internet and Society (India).
See the workshop details here

Use of Digital Technologies for Civic Engagement and Political Change: Lessons Learned and Way Forward

Workshop No. 184
The workshop was moderated by Katim S Touray Council Vice Chair, Free Software and Open Source Foundation for Africa and Member, ICANN Board of Directors. Fouad Bajwa of Gerry Morgan Foundation (Pakistan) was the remote moderator. Nnenna Nwakanma of Nnenna.org, Simeon Oriko of @TheKuyuProject &@StorySpaces, Wael Khalil, Activist and Sunil Abraham of the Centre for Internet & Society were the panel members. Nishant Shah from the Centre for Internet & Society participated remotely from Bangalore.
See the workshop details here
See the entire transcription here

The Impact of Regulation: FOSS and Enterprise

Workshop No. 211
The workshop was moderated by Dorothy Gordon, Director General, AITI-KACE, Judy Okite was the remote moderator. The panel members were Satish Babu, ICFOSS, India, Yves Miezan Ezo, Smile Training, Manager, (France), Sunil Abraham, Executive Director, Centre for Internet & Society, Bangalore, Evans Ikua, FOSS Certification Manager, ict@innovation program.
See the workshop details here
See the entire transcription here

Proprietary Influences in Free and Open Source Software: Lessons to Open and Universal Internet Standards

Workshop No. 201
The workshop was moderated by Alejandro Pisanty, Director General for Academic Computing Services of the National University of Mexico (UNAM), Mexico. Tracy Hackshaw, Computer Society of Trinadad and Tobago, Trinadad and Tobago, Venkatesh Hariharan, Head of Public Policy and Government Affairs at Google, India and Scott O Bradner, University Technology Security Officer, Harvard University, USA were the panel members.
See the workshop details here
See the entire transcription here

Access and Diversity of Broadband Internet Access

Workshop No. 113
The workshop was moderated by N Ravi Shanker, Addl Secy, Department of Information Technology, Ministry of Information Technology, Government of India (Chair). Abhishek Singh, Director, Department of Information Technology, Ministry of Information Technology, Government of India, Venkatesh Hariharan, Head of Public Policy and Government Relations, Google India and Sunil Abraham, Executive Director, The Centre for Internet and Society, India were the panel members.
See the workshop details here
See the entire transcription here

Putting users First: How can Privacy be Protected in Today’s Complex Mobile Ecosystem?

Workshop No. 75
This workshop was moderated by Ambassador David Gross, Partner, Wiley Rein LLP, Yiannis Theodorou, Regulatory Policy Manager, GSMA was the remote moderator. The panel members included Pat Walshe, Director of Privacy-GSMA), Jeff Brueggeman (Vice President-Publiy Policy AT&T), Patrick Ryan, Policy Counsel, Open Internet for Google Inc, Ms Juliana Rotich, Executive Director of Ushahidi Inc, Sunil Abraham, Executive Director, The Centre for Internet and Society (India) and Ian Brown, co-director of Oxford University's Information Security and Privacy Programme.
See the workshop details here
See the entire transcription here

For more details visit https://cis-india.org/internet-governance/blog/sixth-annual-meeting-igf

Siri, did you hear me? Adapting Privacy to New Technologies, Automated Decision-making, and Cloud Computing

Admin — 2018-03-25T03:21:24Z

Amber Sinha participated as a panelist in the discussion on adapting privacy to new technologies organised by the USIBC on March 6, 2018 in New Delhi.

The way consumers interact with technology is quickly evolving, and there are distinct implications for privacy as these new applications and products become embedded in our daily lives. Many new technologies eliminate the need for consumers to interface with a screen, relying on sensor data, verbal interactions, or innate human communications – a grin or hand gesture. As technology evolves, so must the privacy protections.

Moderator: Ashutosh Chadha, Group Director, government Affairs & Public policy, Microsoft India

Panelists:

Shaundra Watson, Director, Policy, BSA | The Software Alliance
Betsy Broder, Counsel for International Consumer Protection, U.S. FTC
Amber Sinha, Senior Programme Manager, Centre for Internet and Society (CIS)
Riccardo Masucci, Global Director of Privacy Policy, Intel
Srinivas Poosarla, Vice President & Head (Global), Privacy & Data Protection, Infosys Limited

For more details visit https://cis-india.org/internet-governance/news/siri-did-you-hear-me-adapting-privacy-to-new-technologies-automated-decision-making-and-cloud-computing

Silence on the Dera Front

Sat Singh — 2017-12-20T15:58:44Z

Strap: How DSS followers, accused of violent protests after their leader was sentenced, manage without the internet.

Sirsa, Haryana: Raj Rani’s two expensive smartphones are her whole world. But the 32-year-old entrepreneur from Haryana’s Hisar district found them entirely useless when she needed them most – on August 25, during the violent protests by members of the spiritual group Dera Sacha Sauda (DSS) after their leader Gurmeet Ram Rahim was convicted of rape.

“My family follows DSS, and had gone to attend the monthly congregation on August 15 (which also happened to be Ram Rahim’s birthday), when were told that ‘Pitaji’ asked us to stay back in the premises, in case of an adverse verdict by the court in rape cases against him,” she says. This is understood to have been done as a show of support that could put pressure on the judiciary and state for a favourable verdict.

Along with lakhs of other followers, Rani was present in Dera’s Sirsa headquarters with her two children. She stayed in constant touch with her husband Sunny Kumar, a businessman based in New Delhi. "Every day, I showed him the Dera premises and religious activities through WhatsApp video calls,” she says.

She recalls “the nightmarish moment” on the night of August 24 when the Haryana police and the Indian army surrounded the Dera. They imposed a curfew in the town, and restricted people from coming in and going outside the premises spread over 700 acres.

Rani says that the government blocked the internet on August 24 – a day before the self-styled godman appeared in the Panchkula court. Service providers of different companies, including mobile phone and landline services, were also barred at the Dera Sacha Sauda headquarters. As a result, Rani lost all contact with her husband. “I was confident until I was connected with my family over WhatsApp call and video chat, but as soon as this went away, I started losing faith, and felt afraid,” she says.

After the curfew was imposed and internet was shut down, Rani says the devotees started to panic. They demanded that the DSS management permit them to go to their respective homes after Gurmeet’s arrest on August 25. After his conviction for rape, Rani says the politically influential and funds-flushed DSS fell like a house of cards. “There was chaos all around,” she says.

Fearing that Dera followers would vandalise public property to protest their leader’s conviction, the police had restricted public transport. Private vehicles were being allowed to move only after multiple security checks. On the morning of August 27, hundreds of devotees started to leave the Dera premises by foot. Rani walked about 50 kms along the national highway 10 (Hisar-Sirsa) up to Fatehabad district.

It was a coordination committee of police, legislators, and bureaucrats from Haryana, Punjab and Chandigarh, under the chairmanship of Punjab governor and union territory administrator VP Singh Badnore, that took the decision to ban the internet. After the order on August 24, all the SMSes, dongle, and data services provided on mobile network were suspended. The government only allowed phone calls during the internet shutdown in affected districts in these states.

Dissing the police’s claims that Dera followers started the violence first, provoking the cops to fire, 32-year-old shopkeeper Gaurav Soni, an ardent DSS follower for seven years, insists that things went out of control because the internet connection was snapped. He says that senior members in the Dera’s internal WhatsApp groups couldn’t send messages to calm angry followers. “Whatever happened was a result of a communication gap,” says Soni, who joined the protests. “No one asked the followers to get violent, and followers never attempt such things without proper instructions. But since there was a leadership gap, thanks to the break in communication, all this occurred.”

Vikas Kumar, an IT expert of the Dera Sacha Sauda agrees, "As soon as we came to know about the conviction, we tried to send a message from Dera chairperson Vipasana Insan, requesting followers to maintain peace, and keep faith in the judicial process. But we couldn’t upload this message because mobile internet and broadband services were banned." They also tried to call key Dera leaders. “But it was too late by then, and followers clashed with law enforcement agencies," Vikas adds.

The Dera’s protests, and the related internet and transport shutdown seemed to have impacted the group’s own followers too.

Those outside Haryana received misleading or panic-inducing forwards and videos, worrying them, but also worsening the anger against the state administration. Rajat Singh, a 65-year-old Dera follower from Mansa district, Punjab, says his son Rishipal Singh, had gone with several followers to the court in Panchkula, Haryana, where Gurmeet’s case was being heard. Rajat Singh says that since the internet was not banned at Punjab’s Mansa, he continuously received photographs of bullet-ridden bodies, charred cars, massive fires, and vandalism on WhatsApp. It’s unclear how Dera members from Haryana were able to send these pictures, overriding the blocked internet. “I was so disturbed,” he says. “As soon as we came to know that the Haryana police had opened fire on the followers, I started calling my son,” he says. But phone networks were constantly busy or spotty. “My son’s phone was not reachable. I asked relatives to send him text messages, or messages on WhatsApp, but the internet was not working.” It was much later, when Rishipal made a rushed call, that they were assured of his well-being.

Unaware of the violence at the Dera, 37-year-old Rakesh Kumar, a DSS follower from Ghaziabad, Uttar Pradesh, was visiting Sirsa on August 24. “I booked a hotel in Sirsa district through an app, and chose to pay at the hotel. When I reached Sirsa, the internet was off.” Kumar went to the Dera taking lifts from a few vehicles plying on the sly, but soon returned to his hotel after followers went on a rampage. He wanted to leave Sirsa, but “got stuck” because the hotel didn’t allow him to leave without paying. ATMs were closed, vandalised, or not working, and it was generally unsafe to go out. “I had some balance on PayTM, but that was also not working as there was no internet connection,” he says.

Without Facebook or Twitter accounts, the Sirsa police had no way to counter rumours, discourage violence, or call for peace, says additional deputy commissioner (ADC) Sirsa, Munish Nagpal. A ban, he says, was the only way for them to nip crowd mobilisation in the bud, and curb rumours from spreading to Dera followers in other states of north India.

“The ban controlled the situation to a certain extent, but it handicapped us, and slowed the process of our communication with seniors in Chandigarh,” admitted Ashwin Shenvi, the superintendent of police (SP).

The Haryana police, chief minister and health minister are usually active on social media, and the government too prides itself on being digitally savvy, but during the ban, every account was inactive. This despite the state offices having broadband.

It is worth pointing out that DSS is credited for the Bharatiya Janata Party’s first ever win in Haryana in the 2014 state elections. Gurmeet Ram Rahim and CM Manohar Lal Khattar have even shared stages multiple times for photo-ops. Many believe this to be the reason behind the state government not being very vocal, online or offline, in condemning the violence by Gurmeet’s followers. It could have ticked off DSS’s over 50 million followers, a large votebank. The political dynamics, hence, were also responsible for internet becoming a victim of the violence unleashed.

Sat Singh is a Rohtak-based journalist and a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/silence-on-the-dera-front

Shreya Singhal and 66A

sunil — 2015-04-19T08:09:42Z

Most software code has dependencies. Simple and reproducible methods exist for mapping and understanding the impact of these dependencies. Legal code also has dependencies --across court orders and within a single court order. And since court orders are not produced using a structured mark-up language, experts are required to understand the precedential value of a court order.

The article was published in the Economic and Political Weekly Vol-L No.15. Vidushi Marda, programme officer at the Centre for Internet and Society, was responsible for all the research that went into this article. PDF version here.

As a non–lawyer and engineer, I cannot authoritatively comment on the Supreme Court’s order in Shreya Singhal vs Union of India (2015) on sections of the Information Technology Act of 2000, so I have tried to summarise a variety of views of experts in this article. The Shreya Singhal order is said to be unprecedented at least for the last four decades and also precedent setting as its lucidity, some believe, will cause a ripple effect in opposition to a restrictive understanding of freedom of speech and expression, and an expansiveness around reasonable restrictions. Let us examine each of the three sections that the bench dealt with.

The Section in Question

Section 66A of the IT Act was introduced in a hastily-passed amendment. Unfortunately, the language used in this section was a pastiche of outdated foreign laws such as the UK Communications Act of 2003, Malicious Communications Act of 1988 and the US Telecommunications Act, 1996.¹ Since the amendment, this section has been misused to make public examples out of innocent, yet uncomfortable speech, in order to socially engineer all Indian netizens into self-censorship.²

Summary: The Court struck down Section 66A of the IT Act in its entirety holding that it was not saved by Article 19(2) of the Constitution on account of the expressions used in the section, such as "annoying," "grossly offensive," "menacing,", "causing annoyance." The Court justified this by going through the reasonable restrictions that it considered relevant to the arguments and testing them against S66A. Apart from not falling within any of the categories for which speech may be restricted, S66A was struck down on the grounds of vagueness, over-breadth and chilling effect. The Court considered whether some parts of the section could be saved, and then concluded that no part of S66A was severable and declared the entire section unconstitutional. When it comes to regulating speech in the interest of public order, the Court distinguished between discussion, advocacy and incitement. It considered the first two to fall under the freedom of speech and expression granted under Article 19(1)(a), and held that it was only incitement that attracted Article 19(2).

Between Speech and Harm

Gautam Bhatia, a constitutional law expert, has an optimistic reading of the judgment that will have value for precipitating the ripple effect. According to him, there were two incompatible strands of jurisprudence which have been harmonised by collapsing tendency into imminence.³ The first strand, exemplified by Ramjilal Modi vs State of UP⁴ and Kedar Nath Singh vs State of Bihar,⁵ imported an older and weaker American standard, that is, the tendency test, between the speech and public order consequences. The second strand exemplified byRam Manohar Lohia vs State of UP,⁶ S Rangarajan vs P Jagjivan Ram,⁷ andArup Bhuyan vs Union of India,⁸ all require greater proximity between the speech and the disorder anticipated. In Shreya Singhal, the Supreme Court held that at the stage of incitement, the reasonable restrictions will step in to curb speech that has a tendency to cause disorder. Other experts are of the opinion that Justice Nariman was doing no such thing, and was only sequentially applying all the tests for free speech that have been developed within both these strands of precedent. In legal activist Lawrence Liang's analysis, "Ramjilal Modi was decided by a seven judge bench and Kedarnath by a constitutional bench. As is often the case in India, when subsequent benches of a lower strength want to distinguish themselves from older precedent but are unable to overrule them, they overcome this constraint through a doctrinal development by stealth. This is achieved by creative interpretations that chip away at archaic doctrinal standards without explicitly discarding them."⁹

Compatibility with US Jurisprudence

United States (US) jurisprudence has been imported by the Indian Supreme Court in an inconsistent manner. Some judgments hold that the American first amendment harbours no exception and hence is incompatible with Indian jurisprudence, while other judgments have used American precedent when convenient. Indian courts have on occasion imported an additional restriction beyond the eight available in 19(2)-the ground of public interest, best exemplified by the cases of K A Abbas¹⁰ and Ranjit Udeshi.¹¹ The bench in its judgment-which has been characterised by Pranesh Prakash as a masterclass in free speech jurisprudence¹²-clarifies that while the American first amendment jurisprudence is applicable in India, the only area where a difference is made is in the "sub serving of general public interest" made under the US law. This eloquent judgment will hopefully instruct judges in the future on how they should import precedent from American free speech jurisprudence.

Article 14 Challenge

The Article 14 challenge brought forward by the petitioners contended that Section 66A violated their fundamental right to equality because it differentiated between offline and online speech in terms of the length of maximum sentence, and was hence unconstitutional. The Court held that an intelligible differentia, indeed, did exist. It found so on two grounds. First, the internet offered people a medium through which they can express views at negligible or no cost. Second, the Court likened the rate of dissemination of information on the internet to the speed of lightning and could potentially reach millions of people all over the world. Before Shreya Singhal, the Supreme Court had already accepted medium-specific regulation. For example in K A Abbas, the Court made a distinction between films and other media, stating that the impact of films on an average illiterate Indian viewer was more profound than other forms of communication. The pessimistic reading of Shreya Singhal is that Parliament can enact medium-specific law as long as there is an intelligible differentia which could even be a technical difference-speed of transmission. However, the optimistic interpretation is that medium-specific law can only be enacted if there are medium-specific harms, e g, phishing, which has no offline equivalent. If the executive adopts the pessimistic reading, then draconian sections like 66A will find their way back into the IT Act. Instead, if they choose the optimistic reading, they will introduce bills that fill the regulatory vacuum that has been created by the striking down of S66A, that is, spam and cyberbullying.

Section 79

Section 79 was partially read down. This section, again introduced during the 2008 amendment, was supposed to give legal immunity to intermediaries for third party content by giving a quick redressal for those affected by providing a mechanism for takedown notices in the Intermediaries Guidelines Rules notified in April 2011. But the section and rules had enabled unchecked invisible censorship¹³ in India and has had a demonstrated chilling effect on speech¹⁴ because of the following reasons:

One, there are additional unconstitutional restrictions on speech and expression. Rule 3(2) required a standard "rules and regulation, terms and condition or user agreement" that would have to be incorporated by all intermediaries. Under these rules, users are prohibited from hosting, displaying, uploading, modifying, publishing, transmitting, updating or sharing any information that falls into different content categories, a majority of which are restrictions on speech which are completely out of the scope of Article 19(2). For example, there is an overly broad category which contains information that harms minors in any way. Information that "belongs to another person and to which the user does not have any right to" could be personal information or could be intellectual property. A much better intermediary liability provision was introduced into the Copyright Act with the 2013 amendment. Under the Copyright Act, content could be reinstated if the takedown notice was not followed up with a court order within 21 days.¹⁵ A counter-proposal drafted by the Centre for Internet and Society for "Intermediary Due Diligence and Information Removal," has a further requirement for reinstatement that is not seen in the Copyright Act.¹⁶

Two, a state-mandated private censorship regime is created. You could ban speech online without approaching the court or the government. Risk-aversive private intermediaries who do not have the legal resources to subjectively determine the legitimacy of a legal claim err on the side of caution and takedown content.

Three, the principles of natural justice are not observed by the rules of the new censorship regime. The creator of information is not required to be notified nor given a chance to be heard by the intermediary. There is no requirement for the intermediary to give a reasoned decision.

Four, different classes of intermediaries are all treated alike. Since the internet is not an uniform assemblage of homogeneous components, but rather a complex ecosystem of diverse entities, the different classes of intermediaries perform different functions and therefore contribute differently to the causal chain of harm to the affected person. If upstream intermediaries like registrars for domain names are treated exactly like a web-hosting service or social media service then there will be over-blocking of content.

Five, there are no safeguards to prevent abuse of takedown notices. Frivolous complaints could be used to suppress legitimate expressions without any fear of repercussions and given that it is not possible to expedite reinstatement of content, the harm to the creator of information may be irreversible if the information is perishable. Transparency requirements with sufficient amounts of detail are also necessary given that a human right was being circumscribed. There is no procedure to have the removed information reinstated by filing a counter notice or by appealing to a higher authority.

The judgment has solved half the problem by only making intermediaries lose immunity if they ignore government orders or court orders. Private takedown notices sent directly to the intermediary without accompanying government orders or courts order no longer have basis in law. The bench made note of the Additional Solicitor General's argument that user agreement requirements as in Rule 3(2) were common practice across the globe and then went ahead to read down Rule 3(4) from the perspective of private takedown notices. One way of reading this would be to say that the requirement for standardised "rules and regulation, terms and condition or user agreement" remains. The other more consistent way of reading this part of the order in conjunction with the striking down of 66A would be to say those parts of the user agreement that are in violation of Article 19(2) have also been read down.

This would have also been an excellent opportunity to raise the transparency requirements both for the State and for intermediaries: for (i) the person whose speech is being censored, (ii) the persons interested in consuming that speech, and (iii) the general public. It is completely unclear whether transparency in the case of India has reduced the state appetite for censorship. Transparency reports from Facebook, Google and Twitter claim that takedown notices from the Indian government are on the rise.¹⁷ However, on the other hand, the Department of Electronics and Information Technology (DEITY) claims that government statistics for takedowns do not match the numbers in these transparency reports.¹⁸ The best way to address this uncertainty would be to require each takedown notice and court order to be made available by the State, intermediary and also third-party monitors of free speech like the Chilling Effects Project.

Section 69A

The Court upheld S69A which deals with website blocking, and found that it was a narrowly-drawn provision with adequate safeguards, and, hence, not constitutionally infirm. In reality, unfortunately, website blocking usually by internet service providers (ISPs) is an opaque process in India. Blocking under S69A has been growing steadily over the years. In its latest response to an RTI (right to information)¹⁹ query from the Software Freedom Law Centre, DEITY said that 708 URLs were blocked in 2012, 1,349 URLs in 2013, and 2,341 URLs in 2014. On 30 December 2014 alone, the centre blocked 32 websites to curb Islamic State of Iraq and Syria propaganda, among which were "pastebin" websites, code repository (Github) and generic video hosting sites (Vimeo and Daily Motion).²⁰ Analysis of leaked block lists and lists received as responses to RTI requests have revealed that the block orders are full of errors (some items do not exist, some items are not technically valid web addresses), in some cases counter speech which hopes to reverse the harm of illegal speech has also been included, web pages from mainstream media houses have also been blocked and some URLs are base URLs which would result in thousands of pages getting blocked when only a few pages might contain allegedly illegal content.²¹

Pre-decisional Hearing

The central problem with the law as it stands today is that it allows for the originator of information to be isolated from the process of censorship. The Website Blocking Rules provide that all "reasonable efforts" must be made to identify the originator or the intermediary who hosted the content. However, Gautam Bhatia offers an optimistic reading of the judgment, he claims that the Court has read into this "or" and made it an "and"-thus requiring that the originator must also be notified of blocks when he or she can be identified.²²

Transparency

Usually, the reasons for blocking a website are unknown both to the originator of material as well as those trying to access the blocked URL. The general public also get no information about the nature and scale of censorship unlike offline censorship where the court orders banning books and movies are usually part of public discourse. In spite of the Court choosing to leave Section 69A intact, it stressed the importance of a written order for blocking, so that a writ may be filed before a high court under Article 226 of the Constitution. While citing this as an existing safeguard, the Court seems to have been under the impression that either the intermediary or the originator is normally informed, but according to Apar Gupta, a lawyer for the People's Union for Civil Liberties, "While the rules indicate that a hearing is given to the originator of the content, this safeguard is not evidenced in practice. Not even a single instance exists on record for such a hearing."²³ Even worse, block orders have been unevenly implemented by ISPs with variations across telecom circles, connectivity technologies, making it impossible for anyone to independently monitor and reach a conclusion whether an internet resource is inaccessible as a result of a S69A block order or due to a network anomaly.

Rule 16 under S69A requires confidentiality with respect to blocking requests and complaints, and actions taken in that regard. The Court notes that this was argued to be unconstitutional, but does not state their opinion on this question. Gautam Bhatia holds the opinion that this, by implication, requires that requests cannot be confidential. Chinmayi Arun, from the Centre for Communication Governance at National Law University Delhi, one of the academics supporting the petitioners, holds the opinion that it is optimism carried too far to claim that the Court noted the challenge to Rule 16 but just forgot about it in a lack of attention to detail that is belied by the rest of the judgment.

Free speech researchers and advocates have thus far used the RTI Act to understand the censorship under S69A. The Centre for Internet and Society has filed a number of RTI queries about websites blocked under S69A and has never been denied information on grounds of Rule 16.²⁴ However, there has been an uneven treatment of RTI queries by DEITY in this respect, with the Software Freedom Law Centre²⁵ being denied blocking orders on the basis of Rule 16. The Court could have protected free speech and expression by reading down Rule 16 except for a really narrow set of exceptions wherein only aggregate information would be made available to affected parties and members of the public.

Conclusions

In Shreya Singhal, the Court gave us great news: S66A has been struck down; good news: S79(3) and its rules have been read down; and bad news: S69A has been upheld. When it comes to each section, the impact of this judgment can either be read optimistically or pessimistically, and therefore we must wait for constitutional experts to weigh in on the ripple effect that this order will produce in other areas of free speech jurisprudence in India. But even as free speech activists celebrate Shreya Singhal, some are bemoaning the judgment as throwing the baby away with the bathwater, and wish to reintroduce another variant of S66A. Thus, we must remain vigilant.

Notes

1 G S Mudur (2012): "66A 'Cut and Paste Job,'" The Telegraph, 3 December, visited on 3 April, 2015, http://www.telegraphindia.com/1121 203/jsp/frontpage/story_16268138.jsp

2 Sunil Abraham (2012): "The Five Monkeys and Ice Cold Water," Centre for Internet and Society, 26 September, visited on 3 April 2015, http://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-201...

3 Gautam Bhatia (2015): "The Striking Down of 66A: How Free Speech Jurisprudence in India Found Its Soul Again," Indian Constitutional Law and Philosophy, 26 March, visited on 4 April 2015, https://indconlawphil.wordpress.com/2015/03/26/the-striking-down-of-sect...

4 Ramjilal Modi vs State of UP, 1957, SCR 860.

5 Kedar Nath Singh vs State of Bihar, 1962, AIR 955.

6 Ram Manohar Lohia vs State of UP, AIR, 1968 All 100.

7 S Rangarajan vs P Jagjivan Ram, 1989, SCC(2), 574.

8 Arup Bhuyan vs Union of India, (2011), 3 SCC 377.

9 Lawrence Liang, Alternative Law Forum, personal communication to author, 6 April 2015.

10 K A Abbas vs Union of India, 1971 SCR (2), 446.

11 Ranjit Udeshi vs State of Maharashtra,1965 SCR (1) 65.

12 Pranesh Prakash (2015): "Three Reasons Why 66A Verdict Is Momentous"/ Times of India/(29 March). Visited on 6 April 2015, http://timesofindia.indiatimes.com/home/sunday-times/all-that-matters/Th...

13 Pranesh Prakash (2011): "Invisble Censorship: How the Government Censors Without Being Seen," The Centre for Internet and Society, 14 December, visited on 6 April 2015, http://cis-india.org/internet-governance/blog/invisible-censorship

14 Rishabh Dara (2012): "Intermediary Liability in India: Chilling Effects on Free Expression on the Internet," The Centre for Internet and Society, 27 April, visited on 6 April 2015, http://cis-india.org/internet-governance/chilling-effects-on-free-expres... .

15 Rule 75, Copyright Rules, 2013.

16 The Draft Counter Proposal is available at http://cis-india.org/internet-governance/counter-proposal-by-cis-draft-i...

17 According to Facebook's transparency report, there were 4,599 requests in the first half of 2014, followed by 5,473 requests in the latter half. Available at https://govtrequests.facebook. com/country/India/2014-H2/ also see Google's transparency report available at http: //www.google. com/transparencyreport/removals/government/IN/?hl=en and Twitter's report, available at https:// transparency.twitter.com/country/in

18 Surabhi Agarwal (2015): "Transparency Reports of Internet Companies are Skewed: Gulashan Rai," Business Standard, 31 March, viewed on 5 April 2015, http://www.business-standard.com/article/current-affairs/transparency-re... .

19 http://sflc.in/deity-says-2341-urls-were-blocked-in-2014-refuses-to-reve...

20 "32 Websites Go Blank," The Hindu, 1 January 2015, viewed on 6 April 2015, http://www.thehindu.com/news/national/now-modi-govt-blocks-32-websites/a...

21 Pranesh Prakash (2012): "Analysing Latest List of Blocked Sites (Communalism and Rioting Edition)," 22 August, viewed on 6 April 2015, http://cis-india.org/internet-governance/blog/analysing-blocked-sites-ri... . Also, see Part II of the same series at http://cis-india.org/internet-governance/analyzing-the-latest-list-of-bl... and analysis of blocking in February 2013, at http://cis-india.org/internet-governance/blog/analyzing-latest-list-of-b...

22 Gautam Bhatia (2015): "The Supreme Court's IT Act Judgment, and Secret Blocking," Indian Constitutional Law and Philosophy, 25 March, viewed on 6 April 2015, https://indconlawphil.wordpress.com/2015/03/25/the-supreme-courts-it-act...

23 Apar Gupta (2015): "But What about Section 69A?," Indian Express, 27 March, viewed on 5 April 2015, http://indianexpress. com/article/opinion/ columns/but-what-about-section-69a/

24 Pranesh Prakash (2011): DIT's Response to RTI on Website Blocking, The Centre for Internet and Society, 7 April, viewed on 6 April 2015, http://cis-india.org/internet-governance/blog/rti-response-dit-blocking ). Also see http://cis-india.org/internet-governance/blog/analysis-dit-response-2nd-... and http://cis-india.org/internet-governance/resources/reply-to-rti-applicat...

25 http://sflc.in/wp-content/uploads/2015/04/RTI-blocking-final-reply-from-...

For more details visit https://cis-india.org/internet-governance/blog/economic-and-political-weekly-sunil-abraham-april-11-2015-shreya-singhal-and-66a

Should you worry about identity theft?

Admin — 2017-11-26T11:24:56Z

Laws in India regarding data protection may be weak, but following basic cyber hygiene rules can make your own defences stronger.

The article by Shaikh Zoaib Saleem was published in Livemint on September 20, 2017. Pranesh Prakash quoted.

Earlier this month, US-based credit information company Equifax Inc. said its systems had been struck by a cybersecurity incident that may have affected about 143 million US consumers. A report by Bloomberg said the incident could be ranked among one of the largest data breaches in history. The intruders accessed names, social security numbers, birth dates, addresses, driver’s licence numbers and also credit card numbers, Equifax said in a statement.

While this reiterates what cyber security professionals say, that nothing is hack proof, it does remind us of the range of cyber crimes, which revolve around identity theft and frauds. It gives us a chance to reflect upon how well prepared we are, if a cyber attack strikes us, or if our personally identifiable data gets leaked.

According to the Norton Cyber Security Insights Report 2016, 49% of India’s online population, or more than 115 million Indians, are affected by cybercrime at some point with the country ranking second in terms of highest number of victims. “No government or organisation creates something that is designed to fail deliberately. People find the gaps in that system and then try to misuse it,” said Ritesh Chopra, country manager, consumer business unit, Symantec India, a cyber security company.

While it can be debated as to who should take the blame in different instances, one underlying theme is following basic cyber hygiene. “There are several mobile apps that leak data. While downloading and installing an app, you may give out access to several other things in your device,” said Chopra.

Most cyber crimes involve leak or breach of public information, which leads to identity fraud. Let’s take a look at what an identity fraud could mean.

Identity theft and frauds

Everything that we do online is linked to a digital identity—an email ID, a phone number or even an IP address of a device. Harshil Doshi, strategy security consultant, Forcepoint India, a cyber security firm, said that as long as the leaked information is limited to names, email addresses, addresses and mobile numbers, there may not be a reason for worrying. “There needs to be a distinction between what information is publicly available and what can be used only privately. People also talk about Aadhaar leaks. As long as it is not my fingerprint and retina scan, there is no cause of concern, because information like name and address are anyway public,” he said.

However, not everyone agrees with this point of view. Pranesh Prakash, policy director at advocacy group Centre for Internet and Society, said email addresses, date of birth and mobile phone number of an individual are not necessarily public information. “Work-related email addresses may be publicly available online but personal ones are not,” he said. Prakash, however, added that our notion of public information keeps changing.

Identity fraud impact

The concept of identity theft has become complicated as our digital lives expand. “Everything about you as an individual is your identity, including something personal like blood group and medical history. Your social media profile, bank transactions, blogs or online comments are also a part of this. From a fraud perspective, it is equally complex,” said Chopra.

Your identity can be impersonated in several ways. “The most common methods of identity fraud all require collecting publicly-available information about you,” said Prakash. For example, celebrity leaks in the US (cloud storage was hacked) happened also because there is more information about celebrities publicly available than for an average individual, he said.

Another example could be misuse of information regarding foreign exchange. “In India, there is a limit of buying foreign exchange worth $30,000 for an individual in a year. If information on how many times you exhaust that limit falls in the wrong hands, it can be used for money laundering in your name. How many people think about how PAN and passport copy that one shares to buy foreign exchange, can be misused?” said Chopra.

Further, health insurance can be fudged and somebody can use the benefit under your name or buy restricted medicines misusing your medical prescription.

What the law says

There are provisions in the Indian Penal Code that deal with issues like cheating by impersonation to some extent. “There isn’t anything that adequately covers activities such as getting access to your personal data, which leads to identity fraud, or sufficiently penalizes things like data breaches or data leaks that facilitate identity fraud,” said Prakash.

The government is working towards data protection laws. A committee for data protection framework has been constituted under Justice B.N. Srikrishna, former judge of Supreme Court.

But it needs to be seen what comes out of these deliberations. “I am quite apprehensive, yet hopeful, about what the committee will produce, especially because they will need to deal with protection of biometric data, leaks of which will be far worse than any other leaks because biometrics is something that cannot be changed at will subsequent to a leak, unlike one’s phone number, email address or password,” said Prakash.

According to cyber security professionals, prevention seems the only way out. “We have forgotten the difference between the real and virtual worlds. In the real world, if somebody knocks at your door, you will check before opening the door ,” said Chopra. The problem for individuals starts when we click on a malicious link or download a file like a song or an image which could have a malware loaded on it. Once it enters our system, it immediately starts stealing information.

While the law may take some time to evolve and address the issues arising out of larger data breaches from corporate entities or even from the government, it is important to be vigilant, which includes having complex passwords, not sharing passwords, being aware of suspicious emails and messages and downloading files and software only from reputed sources. While this alone may not guarantee you protection online, it certainly minimises the risk.

For more details visit https://cis-india.org/internet-governance/news/livemint-shaikh-zoaib-saleem-september-20-2017-should-you-worry-about-identity-theft

Should online political advertising be regulated?

P.J. George — 2019-11-13T15:12:46Z

Micro-targeting could have potentially damaging results in the context of political advertising.

The article by P.J. George was published in the Hindu on November 8, 2019. Pranesh Prakash was interviewed.

On October 31, Twitter announced that it will no longer carry political advertisements as the power of Internet advertising “brings significant risks to politics, where it can be used to influence votes”. On the other hand, Facebook has said it will not fact-check political advertisements as it does not want to stifle free speech. In a conversation moderated by P.J. George, Pranesh Prakash (board member, The Centre for Internet and Society) and Kiran Chandra (General Secretary, Free Software Movement of India) discuss how platforms and constitutional authorities can deal with the challenges posed by online political advertising to democracies. Edited excerpts:

We have always had political advertising. What is it that makes online political advertisements different or maybe even problematic?

Pranesh Prakash: There are two things that make online political advertising different. One is targeting. Online advertising allows, especially on social networks, for a kind of targeting that wasn’t possible at the same level before. Earlier, if you wanted to target a particular segment of people for your political messaging, you could find out what kind of magazines they subscribe to and put fliers in those magazines. But you couldn’t engage in personalised targeting based on multiple attributes that is possible through platforms like Facebook and Twitter. The second is the invisibility of this kind of advertising. If there’s a billboard in the real world, everyone gets to see it. However, if there’s targeted advertising on a social media platform, not everyone gets to know of it.

Kiran Chandra: App-based organisations have designed advertisement models to specifically allow targeting. Facebook, for instance, allowed you to choose a person from a particular caste and also from a particular class in the same caste. If somebody wants to look at an advertisement for an Audi, they can go to one class of newspapers or look at billboards in some localities; the very existence of the product is not opaque to society. But targeted advertising makes it possible for two people connected to the Internet from the same source, using the same equipment, studying in the same school or college, working in the same workplace, and living in the same habitat to get two different advertisements. And micro-targeting has got potentially damaging results in the context of political advertising, particularly for elections. These platforms make it possible to go from manufacturing consent to manipulating consent. A person is continuously fed with information to vote for a particular party.

Twitter said it will no longer carry political advertisements, considering the repercussions seen in the U.S. in the past elections. On the contrary, Facebook says political advertisements are necessary and that people should see if their politicians are lying. How culpable is a platform in the case of a problematic online political advertisement?

KC: Platforms, particularly Facebook, have been washing their hands of the issue saying they are only intermediaries providing space; that the content is being generated by the people to be consumed by the people, and they have no role to play. But this is false. If you look at the complete business model of Facebook, Google, or any of the platforms, they clearly provide micro-targeting, or allow people to be manipulated for a particular purpose. So, these platforms can’t just wash their hands of the issue. In the Maharashtra election, you saw a lot of advertisements coming out which are untraceable. How can this happen without the platform itself allowing for such a possibility? The Election Commission (EC) needs to step in on all these issues. These corporations need to be very transparent in the context of elections. They need to bring out all the ways in which advertisements are displayed and also the money associated with it.

When somebody publishes it [an ad] on a Facebook wall, it is as good as publishing it in a newspaper. So, all the legislation that apply now for reasonable restrictions and freedom of speech and the freedom of press also apply to these platforms. These platforms are culpable when the very intent of their business model allows such subversion of the democratic process. They need to be brought in line to ensure that Indian democracy is safe.

PP: I completely disagree with Kiran on a number of points. For instance, those who are running a platform shouldn’t automatically be liable for what people are seeing on those platforms. The people who are actually saying things should be liable, not necessarily those who are carrying it without knowing what they’re carrying most of the time. Kiran also mentioned manipulation. The job of all advertising is to manipulate. The job of newspapers is to manipulate public opinion. And there’s always money associated with this. Newspapers carry advertisements as well. You don’t necessarily know who has paid for each ad in the newspaper. What online platforms are able to provide is actually greater transparency in this regard, at least based on what Facebook is attempting to do with its ad library. Calling this manipulation doesn’t quite work. Because then you have to specify why certain categories of things you think of as manipulating, while other categories you think of as influencing.

Second, as far as I know, Facebook does not ask for your caste. Nor does it actually allow advertisers to use caste as a category for advertising. To address the larger question of whether to carry political advertisements or not, I don’t think there are simple answers. For instance, in different jurisdictions there are different rules as to whether different kinds of media are allowed to carry political advertisements or not. In the U.S., all broadcasters are required by law not to censor on the basis of the content of political advertising. Which means that broadcasters in the U.S. cannot say to a candidate, ‘this advertisement that you’ve sent to us contains a lie and we’re not going to associate ourselves with the lie and we’re not going to carry it’. Now, when a platform like Facebook says that it will voluntarily adopt a similar standard as applies to broadcast organisations by law, all hell breaks loose. And again, there might be good reasons for it. But to say that political advertising should not contain lies, and hence should be censored, is not a viable opinion across the board.

KC: I would like to clarify one thing here. There is a clear distinction between Facebook asking your caste and Facebook allowing you to micro-target people based on their caste and class. In 2016, I created an advertisement with a tag called Brahmin bags and it allowed inclusion and exclusion based on caste and economic status. And now, after this had been made an issue for the last three years, Facebook says that advertisers can select topics that are specific to a particular caste. For instance, Dalit topics, Iyengar topics, etc. So Facebook, in its design, allows such kind of sensitivities to be used for micro-targeting. And one should not confuse general advertising with political advertising. If the advertisement is just about manipulating for buying a particular product, that has something to do with the business houses; even if one agrees with it or not. But when you speak about political advertising, when people come to participate and engage in a democratic process, the EC and The Representation of the People Act (RPA) mandate that people should be allowed to take a very clear stand, to look at what has happened in the last five years, and decide how to vote, freely and fairly. That is why the RPA clearly lists a certain set of things for free and fair elections, where even the use of money and manipulation should not be allowed to happen. Yes, the U.S. has a different context. American democracy is different from Indian democracy. We have got our own statute. This methodology in which these platforms have got their business models and are engaging deeply in subverting the Indian democratic process is a serious cause of concern. The EC should come up with new methodologies, if the existing ones are not sufficient.

Can you elaborate on how the EC can play a role in this?

KC: We brought these issues to the notice of the EC prior to the 2019 general election. The EC said it does not have enough manpower to deal with this situation for now. The EC does not have power over the police or the administration; but once the elections are on, it has the capability to take in different departments and ensure that such subversion of the democratic process does not happen. A fundamental problem with the EC’s method is that it said it was in discussion with the digital platforms to make more people vote in the election. And that itself is problematic. How is it going to be done? The EC should make public the way in which this advertising is being conducted, the money associated with it, and the people who are being reached with it. For instance, if we look at TV channels for ads during primetime, there is a mechanism, like TRP ratings, which allows them to understand and evaluate the target sections. If you look at the Maharashtra election, the advertiser itself is not known. Have people been sent communal messages? Have people been targeted based on caste, which can disqualify the contestant? The EC should reach out to the Government of India and look at the departments that are capable of handling this. If they don’t exist, it should start creating infrastructure that will be able to look into all these aspects. Also, concrete guidelines should be given to these digital platforms. And whatever comes in contradiction, or comes in the way of implementing the RPA, the EC should stop the platforms from doing it.

PP: For me, it’s not clear to what extent I would draw a distinction between advertising and other things which the EC has not been able to curtail, such as paid news and political ownership of media, which allow for very skewed viewpoints to be expressed. But insofar as what can be done about online platforms — and again, only online platforms which deal in advertising — the biggest source of online political messaging in India is WhatsApp. So, excluding the elephant in the room from this discussion, what the EC could do is bring the largest platforms together to get transparency commitments from them. Then this information needs to be made publicly available, so that the invisibility which happens with targeting gets countered. The second thing... Given that elections are geographical in nature in India, if you want to engage in advertising, you have to do it on the basis of geography, not on the basis of specific kinds of attributes of a person. And let’s also be aware that most of these attributes or guesses about people that these platforms are making are based on what people post on social media platforms, what they click. So, the one thing that can be done on a global level is transparency and restrictions on various targeting but anything else such as limitations on, say, lying in political advertising, I don't think that can or should be sold on a global level. It’s dependent far too much on each country and their models and how they interpret freedom of expression.

For more details visit https://cis-india.org/internet-governance/news/hindu-pj-george-november-8-2019-should-online-political-advertising-be-regulated

Should Nandan Nilekani's Aadhaar project, for identity proof and welfare delivery, exist at all?

praskrishna — 2014-04-14T10:27:57Z

The foundation of Aadhaar—a Congress flagship project to give every Indian a unique identity number and then use it to deliver services—has been under assault in the past three months.

The article by M. Rajshekhar was published in the Economic Times on April 3, 2014. Sunil Abraham is quoted.

Political, legal, reputational.

The political backlash is coming from leaders of BJP, the Congress' principal rival. Meenakshi Lekhi and Ananth Kumar are not, by any stretch of the imagination, the first or the last word on policy matters in the BJP, but they mince no words when they say that if their party forms a government, it will trash Aadhaar —a project that has delivered a unique ID to half of India and on which Rs 3,800 crore has been spent.

Even as BJP's loose cannons fired, the Supreme Court repeated on March 24 that the government cannot make Aadhaar mandatory to access welfare services like pensions and LPG subsidy. The same day, investigative journalism portal Cobrapost aired videos that allegedly showed agencies agreeing to enrol people from neighbouring countries for a bribe.

The BJP piled on. "It (Aadhaar) has served no purpose. They have issued cards to illegal migrants. We want citizenship cards," says Prakash Javadekar, spokesperson of BJP. His party does not have an official policy line on Aadhaar as yet, but another of its leaders, Yashwant Sinha, headed the Parliamentary panel that, in 2011, severely criticised and rejected the draft bill that provided the legal framework for Aadhaar. "We are for direct benefit transfer but not on the basis of Aadhaar, which is a very badly-designed scheme," Sinha told CNBC-TV18 on January 31. "We will give it to all citizens of India on the basis of NPR."

On the campaign trail in Bangalore, Nandan Nilekani, the chief architect and implementer of Aadhaar, defends his work as the chairman of Unique Identification Authority of India (UIDAI). "Aadhaar is a pro-development and an anti-corruption platform," says Nilekani, who was brought in by the Congress high command in 2009 and is contesting these elections on a party ticket against BJP's Kumar in Bangalore South. "It is a pity that some vested interests with narrow political and other motives are trying to stall the project."

Lost in those binaries are the objectives of Aadhaar, to universalise identity proof and to use it to plug leakages in delivery of welfare services. UIDAI, led by a hands-on Nilekani, pursued this agenda with a certain authority, great speed and an overriding emphasis on technology, all of which delivered outcomes.

But they also contributed to shortcomings that saw the project stumble on its way and for which it is now being critiqued. "This is the only way transformation takes place," says K Koshy, who was part of the team that conceptualised Aadhaar and is now with Ernst & Young. "When you know the ultimate system is workable, you sort out the problems as you go along."

Except, given the political winds blowing, it's anyone's guess what the new dispensation will feel about Aadhaar and UIDAI, from where Nilekani resigned on March 13 and which is seeing many officers who came from other parts of the government, on deputation, returning. Will the new dispensation see Aadhaar as an idea that is sound but with parts that need strengthening? Or, will they see it as an idea that is, by itself, fallacious? "I don't know where this is going," says Abhijit Sen, member, Planning Commission, under which UIDAI is housed.

At one level, it's a political question. "The next Parliament will have to decide what UIDAI can and cannot do," says Sen. At another level, even that political answer will stem from the answers to three questions that go to the core of what Aadhaar was meant to be and where it fell short.

1. Does Aadhaar Provide a Unique and Definitive Identity?

Yes and no. UIDAI collects two sets of information from an individual. The first is biometrics: prints of all 10 fingers and a scan of the iris in both eyes. Biometric data, which is supposed to be unique to every individual, is used to assign a unique number to the individual. The second set is basic personal information: name, address, father's name, date of birth and address. Individuals can show existing documents—like voter's I-card or passport —as verification. For those who did not have identification documents, UIDAI allowed certain people to attest for them.

Aadhaar is better at identifying individuals through their biometrics than ensuring the accuracy of their add-on data. This is partly due to its design. When Aadhaar was being conceptualised, says Shrikant Nadhamuni, who headed technology for UIDAI: "We wanted to move the ID game—from a state where some people had no ID and others had paper ID to something beyond even what Singapore had, in the form of smart cards, to online. Like biometric. Which is the future.

Here, your presence is enough to vet your ID." This is also partly due to how UIDAI did its enrolments. Shortly after taking charge, Nilekani announced UIDAI would issue 600 million Aadhaar numbers by March 2014. The initial plan was that the National Population Register (NPR), which conducts the decadal Census and which is housed under the ministry of home, would do the enrolments— capturing biometrics and information— and UIDAI would only issue the numbers.

Soon after, Nilekani decided he could not meet his 600 million target if he waited for NPR to give him biometric packets, and offered to do enrolments too. To meet the target, UIDAI wanted to outsource enrolment to multiple vendors. And compared to NPR, UIDAI collected very little demographic data. UIDAI appointed public and private companies as enrolment agencies. Quality issues arose. "90% of the larger enrolment agencies offloaded the work to local, small-time guys," says the head of a Gurgaon-based enrolment agency, not wanting to be named.

Instances of incomplete addresses, spelling mistakes, people bribing enrolment staff to obtain numbers, emerged. "There is always a trade off between inclusion and accuracy," says Nilekani. "And the fact that these errors happened only shows that the gates were kept wide enough to ensure there would be no exclusion." "The Aadhaar database is based on very weak data," says Sunil Abraham, the head of Bangalore-based Centre for Internet and Society, an Internet and governance think-tank. "It is basically linking biometrics to a person and the name/address he claims as his." This weakness started showing up as the government began to deliver welfare services by transferring money directly into bank accounts of beneficiaries, using Aadhaar. The first step was to add the Aadhaar number to the department and bank databases.

Reddy Subramanyam, joint secretary of NREGA, tried to seed Aadhaar numbers into his database of NREGA workers. "The current matching is just 25-30%." The mismatch arises because, say, the name will be S Kumar in one and Sunil Kumar in another. Aadhaar is "less ID project and more identification project," says legal researcher Usha Ramanathan. "The onus for ensuring the demographic information is correct falls on the number-holder."

2. Are Aadhaar-enabled Cash Transfers Delivering?

If giving every Indian a unique ID was Aadhaar's main mandate, revamping welfare delivery became its second. In 2011, Nilekani headed a committee to create a roadmap to move to a system of welfare delivery where money was transferred directly into bank accounts of beneficiaries—or direct benefit transfers (DBTs). The architectures it proposed pivoted around Aadhaar and online, realtime biometric authentication. This was to replace the existing smart-card architecture, which can work even in areas even without connectivity.

UIDAI saw the cloud as the future. "We were not very taken with the smart-card solution," says Nadhamuni. "Farmers have to carry multiple smart cards around. And then, there is the cost of the card." Smart-card companies, staring at the prospect of their investments going waste, protested. "Customers and service providers deserve the right to make a convenient choice. Can someone building a public highway insist that only a certain sort of a vehicle can ply on it?" Abhishek Sinha, CEO of Eko India, a mobile-banking start-up told ET in November 2011.

"The question is whether the model is working better now than what existed before," defends Koshy. It's a question that has not been answered conclusively and credibly: there have been no independent evaluations by the government of Aadhaarbased DBTs till now. "Aadhaar should not have been rolled out on a mission mode till it was tested on some scale," says MS Sriram, visiting faculty at IIM Bangalore's Centre for Public Policy. When asked about this, Sen says: "There was no independent evaluation. Everyone was rushing." From the field came reports about manual labourers and the aged struggling to authenticate using biometrics.

Nor were comparative studies conducted to check alternative ways to improve welfare delivery. Economist Reetika Khera argues that Chhattisgarh has removed corruption from its PDS programme through a mix of computerisation and community supervision. This echoes an observation made by the Parliamentary panel while rejecting the UIDAI bill: the government had not considered comparative costs of Aadhaar and other existing ID documents.

Yet, in November 2012, the Congress decided to make DBTs its calling card for the 2014 elections. At a rally in Dudu, Rajasthan, attended by Congress leaders and Nilekani, it announced DBT rollout in the state. A year later, after a patchy rollout, the Congress lost power in the state. And on January 30, the UPA pressed pause on DBTs for cooking gas.

3. Are there Strong Safeguards to Protect a Person's Privacy?

On February 26, the Mumbai High Court directed UIDAI to share its Goa biometrics with the CBI to help it solve a rape case in the state the agency was struggling to solve. UIDAI refused, saying this would violate the privacy of its number holders. The High Court agreed with the CBI. UIDAI went to the Supreme Court, which ruled that its biometric information cannot be shared with any government agency without the consent of number holders.

But the CBI request had shown what could go wrong. "Once you create an ID system, other things happen," says Sen. "The most inevitable one is that government departments—like the police—want to access it. A database exists and I want to use it." Says a Supreme Court lawyer, not wanting to be named: "You innocently give your fingerprints to UIDAI because you want your scholarship or gas subsidy or something. You volunteer this information and then you realise this can be used as evidence against you in a criminal trial?" In time, more agencies will use Aadhaar. "The moment you start putting the Aadhaar number into multiple databases, you make them comparable," says Abraham. "Land registry, tax records, etc, all become comparable." Adds Sen: "We need to think about who can use the authentication service."

He cites the example of banks using Aadhaar to judge a borrower's credit record as a good thing. Conversely, he adds, an insurer using a customer's Aadhaar to access hospital records, and take a call on premiums or policy issuance, is a bad outcome. "Insurance is supposed to work by pooling risk. Should they (insurers) even have the right to ask for authentication?" asks Sen. UIDAI officials say three things in their defence. One, they collect innocuous information, which they don't share. Two, for authentication queries, they only give 'yes/no' answers. Three, they have safeguards.

What is missing is a legal framework that governs collection, use and retention of biometrics. "India has not passed a data privacy law," says Nadhamuni. "This is a very important legislation we need to draft and enact for projects that use large-scale IT systems, be it Aadhaar, NREGA, voter card, income tax, etc. In the absence of such laws, UIDAI came up with rigorous data privacy and security policies to secure resident data." However, the Parliamentary panel, while rejecting the bill, noted that UIDAI began collecting biometric data even as the government worked on a privacy bill and a data protection bill. "The idea that databases can be used by anyone makes people vulnerable, especially in a state where there is neither law nor much respect for law," says Ramanathan.

Aadhaar stands at an uncomfortable junction. A new government, eager to ensure only citizens have unique numbers, could ask all Aadhaar holders to provide address proof and delete the others. Events of the past three months have framed the issues concerning Aadhaar, sometimes with a touch of rhetoric. "This is a good time to open the regulation issue," says Sen.

For more details visit https://cis-india.org/news/economic-times-april-3-2014-m-rajshekhar-should-nandan-nilekani-aadhar-project-for-identity-proof-and-welfare-delivery-exist

Should an Inability to Precisely Define Privacy Render It Untenable as a Right?

amber — 2017-08-04T01:49:56Z

The judges may still be able to articulate the manner in which limits for a right to privacy may be arrived at, without explicitly specifying them.

The article was published in the Wire on August 2, 2017.

Ludwig Wittgenstein wrote in his book, Philosophical Investigations, that things which we expect to be connected by one essential common feature, may be connected by a series of overlapping similarities, where no one feature is common. Instead of having one definition that works as a grand unification theory, concepts often draw from a common pool of characteristics. Drawing from overlapping characteristics that exist between family members, Wittgenstein uses the phrase ‘family resemblances’ to refer to such concepts.

In his book, Understanding Privacy, Daniel Solove makes a case for privacy being a family resemblance concept. Responding to the discontent in conceptualising privacy, Solove attempted to ground privacy not in a tightly defined idea, but around a web of diverse yet connected ideas. Some of the diverse human experiences that we instinctively associate with privacy are bodily privacy, relationships and family, home and private spaces, sexual identity, personal communications, ability to make decisions without intrusions and sharing of personal data. While these are widely diverse concepts, intrusions upon or interferences with these experiences are all understood as infringements of our privacy.

Other scholars too have recognised this dynamic, evolving and difficult to pinpoint nature of privacy. Robert Post described privacy as a concept “engorged with various and distinct meanings.” Helen Nissenbaum advocates a dynamic idea of privacy to be understood in terms of contextual norms.

The ongoing arguments in the Supreme Court on the existence of a constitutional right to privacy can also be viewed in the context of the idea of privacy as a family resemblance concept. In their arguments, the counsels for the petitioners have tried to make a case for privacy as a multi-dimensional fundamental right. Senior advocate Gopal Subramanium argued before the court that privacy inheres in the concept of liberty and dignity under Constitution of India, and is presupposed by various other rights such as freedom of speech, good conscience, and freedom to practice religion. He further goes on say that there are four aspects to privacy – spatial, decisional, informational and the right to develop personality. Shyam Divan, also arguing for the petitioners, further added that privacy includes the right to be left alone, freedom of thought, freedom to dissent, bodily integrity and informational self-determination.

When the chief justice brought up the need to define the extent of the right to privacy, the counsels raised concerns about the right being defined too specifically. This reluctance was borne out of the recognition that by its very nature, the right to privacy is a cluster of rights, with multiple dimensions manifesting themselves in different ways depending on the context. Both advocates, Subramaniam and Arvind Datar, argued that court must not engage in an exercise to definitively catalog all the different aspects of the right, foreclosing the future development of the law on point. This reluctance was also a result of the fact that the court has isolated the question of the existence of the right to privacy and how it may apply in the case of the Aadhaar project. Usually judges are able to ground legal principles in the relevant facts of the case while developing precedents. The referral to this bench is only on the limited question of the existence of a constitutional right to privacy. Therefore, any limits that are articulated by the court on the right exist without the benefit of a context.

On the other hand, the Attorney General (AG) argued that this very aspect of privacy was a rationale for not declaring it a fundamental right. At various points during the arguments, he indicated that the ambiguous and vague nature of the concept of privacy made it unsuitable as a fundamental right. Similarly, Tushar Mehta, arguing for Unique Identification Authority of India, also sought to deny privacy’s existence as a fundamental right as it is too subjective and vague.

The above argument assumes that the inability to precisely define privacy renders its untenable as a right. The key question is whether this lack of a common denominator makes privacy too vague a right, liable to expansive misinterpretations. Conceptions that do not have fixed and sharp boundaries, are not boundless. What it means is that the boundaries can often be fuzzy and in a state of constant evolution, but the limits and boundaries always exist.

At one point during the hearings, Justice Rohinton Nariman wanted the counsels to work on the parameters of challenge for state action with respect to privacy. As mentioned earlier, in the absence of facts to work with, such an exercise is fraught with risks. However, the judges may still be able to articulate the manner in which such limits may be arrived at, without specifying them. Justice Nariman himself later agrees that the judicial examination must proceed on a case by case basis, taking into account not only the tests under Article 14,19 and 21 under which petitioners have tried to locate privacy, but also under any other concurrent rights which may be infringed.

The AG also argued that the infringement of privacy in itself does not amount to a violation of the rights under Article 21, rather in some cases the transgressions on privacy may lead to an infringement of a person’s right to liberty and only in such cases should the fundamental rights be invoked. Thus, the argument made was that there was no need to declare privacy as a fundamental right but only to acknowledge that limiting privacy may sometimes lead to violations of the already existing rights. This argument may have been more cogent had he identified specific dimensions of privacy which, according to him, do not qualify as fundamental rights. However, this might have meant conceding that other dimensions of privacy, in fact do amount to fundamental rights.

It must be remembered that the problem of changing or multiple meanings is not limited to privacy. As the bench noted, drawing comparisons to the concepts of ‘liberty’ and ‘dignity’, these are constitutionally recognised values which equally suffer from a multitude of meanings based on context. The government’s position here is in line with critiques of privacy that Solove seeks to bust in his book. The idea of privacy evolves with time and people. And people, whether from a developed or developing polity, have an instinctive appreciation for it. The absence of a precise definition does not necessarily do great disservice to a concept, especially one that is fundamental to our freedoms.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-august-2-2017-should-an-inability-to-precisely-define-privacy-render-it-untenable-as-a-right

Should Aadhaar be mandatory?

amber — 2017-12-18T15:54:39Z

This week, a constitutional bench of the Supreme Court will adjudicate on limited questions of stay orders in the Aadhaar case. After numerous attempts by the petitioners in the Aadhaar case, the court has agreed to hear this matter, just shy of the looming deadline of December 31 for the linking of Aadhaar numbers to avail government services and benefits.

The article was published in Deccan Herald on December 9, 2017.

Getting their day in the court to hear interim matters is but a small victory in what has been a long and frustrating fight for the petitioners. In 2012, Justice K S Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court questioning the validity of the Aadhaar project due its lack of legislative basis (the Aadhaar Act was passed by Parliament in 2016) and its transgressions on our fundamental rights.

Over time, a number of other petitions also made their way to the apex court challenging different aspects of the Aadhaar project. Since then, five different interim orders of the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number.

Aadhaar, according to the Supreme Court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to only specific schemes, namely LPG, PDS, MNREGA, National Social Assistance Program, the Pradhan Mantri Jan Dhan Yojna and EPFO.

The then Attorney General, Mukul Rohatgi, in a hearing before the court in July 2015 stated that there is no constitutionally guaranteed right to privacy. But the judgement by the nine-judge bench earlier this year was an emphatic endorsement of the constitutional right to privacy.

In the course of a 547-page judgement, the bench affirmed the fundamental nature of the right to privacy, reading it into the values of dignity and liberty.

Yet months after the judgement, the Supreme Court has failed to hear arguments in the Aadhaar matter. The reference to a larger bench and subsequent deferrals have since delayed the entire matter, even as the government has moved to make Aadhaar mandatory for a number of government schemes.

At this point, up to 140 government services have made linking with Aadhaar mandatory to avail these services. Chief Justice of India Dipak Misra has promised a constitution bench this week, likely to look only into interim matters of stay on the deadline of Aadhaar-linking. It is likely that the hearings for the final arguments are still some months away. The refusal of the court to adjudicate on this issue has been extremely disappointing, and a grave disservice to the court's intended role as the champion of individual rights.

It is worth noting that the interim orders by the Supreme Court that no person should suffer because they do not have an Aadhaar number, and limiting its use only to specified schemes, still stand.

However, since the passage of the Aadhaar Act, which allows the use of Aadhaar by both private and public parties, permits making it mandatory for availing any benefits, subsidies and services funded by the Consolidated Fund of India, the spate of services for which Aadhaar has been made mandatory suggests that as per the government, the Aadhaar Act has, in effect, nullified the orders by the Supreme Court.

This was stated in so many words by Union Law Minister Ravi Shankar Prasad in the Rajya Sabha in April. This view is an erroneous one. While acts of Parliament can supersede previous judicial orders, they must do so either through an express statement in the objects of the Act, or implied when the two are mutually incompatible. In this case, the Aadhaar Act, while permitting the government authorities to make Aadhaar mandatory, does not impose a clear duty to do so.

Therefore, reading the orders and the legislation together leads one to the conclusion that all instances of Aadhaar being made mandatory under the Aadhaar Act are void.

The question may be more complicated for cases where Aadhaar has been made mandatory through other legislations, such as Prevention of Money Laundering Act, as they clearly mandate the linking of Aadhaar numbers, rather than merely allowing it. However, despite repeated appeals of the petitioners, the court has so far refused to engage with the question of the legality of such instances.

How may the issues finally be resolved? When the court deigns to hear final arguments, the Aadhaar case will be instructive in how the court defines the contours of the right to privacy. The right to privacy judgement, while instructive in its exposition of the different aspects of privacy, does not delve deeply into the question of what may be legitimate limitations on this right.

In one of the passages of the judgement, "ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients" is mentioned as an example of a legitimate incursion into the right to privacy. However, it must be remembered that none of the opinions in the privacy judgement were majority judgements.

Therefore, in future cases, lawyers and judges must parse through the various opinions to arrive at an understanding of the majority opinion, supported by five or more judges. While the privacy judgement was a landmark one, its actual impact on the rights discourse and on matters like Aadhaar will depend extensively on the how the judges choose to interpret it.

For more details visit https://cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory

Short-term Consultant (IETF)

elonnai — 2018-04-21T15:44:49Z

The Centre for Internet & Society is seeking an individual with a strong understanding of IETF standards to work with us on writing 7 Human Rights Considerations for Internet standards and active drafts that are relevant to public interest. Additionally, the individual will help develop a longer term work-plan, expertise and approach for engagement in the IETF.

Note: This position is consultancy based on output.

Compensation: Based on experience and output.

Application requirements: two writing samples or other examples of technical work and CV

Contact: sunil@cis-india.org

For more details visit https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf

Short-term Consultant (Cyber Security)

elonnai — 2018-04-20T01:27:36Z

The Centre for Internet & Society is seeking an individual with strong understanding of cyber security to contribute research to its cyber security research under its Internet Governance programme.

Research topics include economic incentives for cyber security, cross border sharing of data, India’s cyber security framework, and cybersecurity dimensions of e-governance .

Note: This position is consultancy based on output.

Compensation: Based on experience and output.

Application requirements: two writing samples and CV

Contact: elonnai@cis-india.org

For more details visit https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security

Shopping on apps raise privacy and security concerns

praskrishna — 2017-03-21T14:56:26Z

The recently concluded online Diwali sales frequently offered consumers hefty discounts on merchandise if they shopped via store app, a move that experts say increases security risks for internet users.

The article by Vivek Ananth was published by the Softcopy, an IIJNM Web Publication on November 23, 2015. Sunil Abraham gave inputs.

“It makes the security much worse because of increased complexity from the user perspective,” said Sunil Abraham, executive director at Centre for Internet and Society.

“User will have to install multiple apps and then worry about the security implications arising from each app. From the e-commerce corporation perspective it might reduce effort but for users this is a nightmare.”

Do apps increase security risks?

The degree of risk depends on the specific app and can only be determined after a detailed security audit, Abraham said.

“Unfortunately there aren't many organisations doing such audits and making their results available to the public,” he added.

There are some users who say that privacy on the internet isn’t an option.

“Once you are online your privacy is kind of gone,” said Hasmit Trivedi of Mumbai. “I mean you are vulnerable.”

“That (browsing history being used to target advertisements) does concern me, but not to the extent that I'll stop using these websites,” said Sweta Rajan, a lawyer from Mumbai.

“Google has done this forever," said Dinoo Muthappa.“I don't even care if they use my search to place advertisements of what they think I need while browsing.”

Comfort and Convenience trumps privacy

“I don't really shop for things I'm not comfortable allowing the world to know. I'm ok with them using this (usage pattern and browsing information) for commercial reasons,” Rajan said.

“We live in a world where the cost of convenience is our privacy. Take my user preferences,” said Dinoo Muthappa, a lawyer from Delhi.“If it means you'll make money and somehow reflect as a discount to me later, that's fine,” she added.

“I frankly don't have a problem with it in principle,” said Akshara Kumar Chitoor, a lawyer from Bengaluru, about companies mining data to target advertisements at her. “I don't think it's very different from how certain TV channels carry certain advertisements because they know the audiences.I mean, you get Rin and Horlicks ads on Zee and Sony but not Romedy Now or Comedy Central.”

“The convenience of having it come home when I want and not having to face the guy who I know is ripping me off; these guys can use and sell my information,” Muthappa said.

“With my work timings I literally do not find time to go to a store and shop,”Rajan said. “I buy everything online. It's very convenient and time saving.”

“Personally, I think just browsing stuff to buy is much easier on your computer,” said Sreenath Unnikrishnan, a product developer from Singapore. “However, I do think apps are more convenient for payment. As in your card information is normally stored and can be accessed without having to log in and all. I can do that on a computer too, but it's less secure. At least that's what I think.”

Google and Facebook have their advertisement norms disclosed.

Twitter also follows a similar model using the email ids that their users have associated with their twitter handles.

“If the service is free - then as many have said before - you are the product, said Sunil Abraham executive director at Centre for Internet and Society. “Your personal information is being sold to marketers and advertisers. As Bruce Schneier puts it ‘surveillance is the business model of the Internet’".

The terms and conditions are sometimes very long and use difficult language.

“Transparency and Informed Consent are principles in most jurisdictions that have data protection law modelled on the EU Data Protection Directive,” Abraham said.“Part of the transparency principle is the accessibility of the language.”

The user though still has an option to opt out of the above process where their data is collected by these companies.
Privacy policies of internet companies are legal documents. These are required under data protection laws. This makes them complicated, said Abraham.

The users don’t care that their usage data is being mined by businesses till they have a bad experience, Abraham said.

For more details visit https://cis-india.org/internet-governance/news/the-soft-copy-vivek-ananth-november-23-2015-shopping-on-apps-raise-privacy-and-security-concerns

Shooting cyber cafes before they die

praskrishna — 2013-05-31T06:32:38Z

Working for an NGO, Christy Raj cans the history of city internet parlours through the eyes of a transgender.

Vandana Kamath's article was published in the Bangalore Mirror on May 31, 2013. The Centre for Internet and Society's film on Cyber Cafes is mentioned in this article.

At the turn of the century, when dotcoms were booming, cyber cafes were ubiquitous. But just as video killed the radio star, smartphones have been the slow death of cyber cafes. They may soon be history, but before internet parlours are wiped off the face of the city, Christy Raj, 26, a transgender, has ‘captured’ them for posterity.

Raj (female to male transgender) has single-handedly shot a film on cyber cafes, viewed from the eyes of a transgender. The film is part of a project by Video Volunteers,an NGO that promotes community media. Raj is a correspondent for the NGO.

“I wanted to capture what happens in a cyber café, especially from the point of view of a transgender,” Raj said. “I’ve captured why a transgender would go to a cyber café. It could be for various reasons like applying for a job. The film captures the difficulties a transgender faces etc. It’s a short film, but conveys a lot, especially for a viewer who sees it after cyber cafes have gone extinct in the city!”

Raj admits that he had a tough time while shooting the movie. “We (actor and I) went to several cyber cafes to shoot the film,” Raj said. “Since my actor and I are both transgender, many gave us suspicious looks. Most refused to allow us to even enter the place, forget about shooting the film. We had to show our identity cards at several places and finally we got the opportunity to shoot in a cyber cafe.”

The film, a joint venture of Centre for Internet and Society (CIS) and Video Volunteers, was completed in two weeks and the raw footage was sent to Video Volunteers based in Goa. The film was screened at their fifth anniversary celebrations recently. Raj, who has basic knowledge of camera handling, has been with the NGO since 2010 and has shot various short films on subjects like sexual minorities, the recent eviction of people in Ejipura and human rights.

“Being a correspondent with Video Volunteers has given me an opportunity to work on mainstream issues and work with people from the mainstream. Prior to joining Video Volunteers, I was associated with NGOs like Samara and Sangama. We were given training in camera handling. They give us an opportunity to work on several issues based on the community.”

Raj was born and brought up in Bangalore. His parents abandoned him after they learnt of his transsexual tendencies and he had to drop out of school in the ninth standard. He lives with his partner in Sanjay Nagar.When he left his home, Raj decided he had to make a name in the community.“Today,Icanhandleacamera with confidence and conceptualise and make the films on issues pertaining not only to sexual minorities but also on several other issues,” says Raj.

For more details visit https://cis-india.org/news/bangalore-mirror-vandana-kamath-may-31-2013-shooting-cyber-cafes-before-they-die

Shining light into darkness: Encouraging greater transparency of government offensive practices in cyberspace

Admin — 2019-06-05T06:53:31Z

RightsCon is organizing a summit on human rights in the digital age in Tunis in June 2019. Sunil Abraham will be attending a conversation on encouraging greater transparency of government offensive practices in cyberspace on June 12.

In the plethora of different cybersecurity benchmark reports today, one is conspicuously missing. No entity has so far found a way to highlight and measure the different cyber offensive and deterrence doctrines, policies, or capabilities on a country-by-country basis. Similarly, there have been limited attempts to not only map, but monitor adherence to, international law and emerging international norms of behaviour in cyberspace.

During this session, pulled together by Microsoft, the Hewlett Foundation and Mastercard, we will explore whether there is value in developing either one or the other product, and assess how difficult they would be to realize. Would such a report encourage greater transparency of these policies and as a result drive international discussion about responsible behaviour in cyberspace? What would data would be required for it to generate a meaningful impact?

We will also examine whether there are lessons that can be learnt on the development, use, and impact of seminal benchmarking reports, such as the Global Peace Index, the Nuclear Security Index, Human Rights Watch’s World Report, and others. This gap is being examined in the light of the potential creation of a CyberPeace Institute, an independent non-profit organization to empower the global community with the knowledge and capabilities to protect civilians in cyberspace from sophisticated systemic cyber-attacks. It is envisioned that the CyberPeace Institute would perform three key functions: a) increase transparency of information on cyberattacks that are perpetrated by sophisticated actors and have significant, direct harm on civilians and civilian infrastructure; b) advance the role of international law and norms in governing the behavior of states and other actors in cyberspace; and c) deliver assistance at scale to the most vulnerable victims of qualifying cyberattacks, accelerating victims’ recovery and increasing their resilience. More information on the proposed Institute can be find in the attached overview.

The conversation will take place at RightsCon, in the Erythrean room on Wednesday, June 12 from 4:30 p.m - 5:30 p.m.

For more details visit https://cis-india.org/internet-governance/news/shining-light-into-darkness-encouraging-greater-transparency-of-government-offensive-practices-in-cyberspace