We are anonymous, we are legion

Short-term Consultant (IETF)

elonnai — 2018-04-21T15:44:49Z

The Centre for Internet & Society is seeking an individual with a strong understanding of IETF standards to work with us on writing 7 Human Rights Considerations for Internet standards and active drafts that are relevant to public interest. Additionally, the individual will help develop a longer term work-plan, expertise and approach for engagement in the IETF.

Note: This position is consultancy based on output.

Compensation: Based on experience and output.

Application requirements: two writing samples or other examples of technical work and CV

Contact: sunil@cis-india.org

For more details visit https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf

Short-term Consultant (Cyber Security)

elonnai — 2018-04-20T01:27:36Z

The Centre for Internet & Society is seeking an individual with strong understanding of cyber security to contribute research to its cyber security research under its Internet Governance programme.

Research topics include economic incentives for cyber security, cross border sharing of data, India’s cyber security framework, and cybersecurity dimensions of e-governance .

Note: This position is consultancy based on output.

Compensation: Based on experience and output.

Application requirements: two writing samples and CV

Contact: elonnai@cis-india.org

For more details visit https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security

Shopping on apps raise privacy and security concerns

praskrishna — 2017-03-21T14:56:26Z

The recently concluded online Diwali sales frequently offered consumers hefty discounts on merchandise if they shopped via store app, a move that experts say increases security risks for internet users.

The article by Vivek Ananth was published by the Softcopy, an IIJNM Web Publication on November 23, 2015. Sunil Abraham gave inputs.

“It makes the security much worse because of increased complexity from the user perspective,” said Sunil Abraham, executive director at Centre for Internet and Society.

“User will have to install multiple apps and then worry about the security implications arising from each app. From the e-commerce corporation perspective it might reduce effort but for users this is a nightmare.”

Do apps increase security risks?

The degree of risk depends on the specific app and can only be determined after a detailed security audit, Abraham said.

“Unfortunately there aren't many organisations doing such audits and making their results available to the public,” he added.

There are some users who say that privacy on the internet isn’t an option.

“Once you are online your privacy is kind of gone,” said Hasmit Trivedi of Mumbai. “I mean you are vulnerable.”

“That (browsing history being used to target advertisements) does concern me, but not to the extent that I'll stop using these websites,” said Sweta Rajan, a lawyer from Mumbai.

“Google has done this forever," said Dinoo Muthappa.“I don't even care if they use my search to place advertisements of what they think I need while browsing.”

Comfort and Convenience trumps privacy

“I don't really shop for things I'm not comfortable allowing the world to know. I'm ok with them using this (usage pattern and browsing information) for commercial reasons,” Rajan said.

“We live in a world where the cost of convenience is our privacy. Take my user preferences,” said Dinoo Muthappa, a lawyer from Delhi.“If it means you'll make money and somehow reflect as a discount to me later, that's fine,” she added.

“I frankly don't have a problem with it in principle,” said Akshara Kumar Chitoor, a lawyer from Bengaluru, about companies mining data to target advertisements at her. “I don't think it's very different from how certain TV channels carry certain advertisements because they know the audiences.I mean, you get Rin and Horlicks ads on Zee and Sony but not Romedy Now or Comedy Central.”

“The convenience of having it come home when I want and not having to face the guy who I know is ripping me off; these guys can use and sell my information,” Muthappa said.

“With my work timings I literally do not find time to go to a store and shop,”Rajan said. “I buy everything online. It's very convenient and time saving.”

“Personally, I think just browsing stuff to buy is much easier on your computer,” said Sreenath Unnikrishnan, a product developer from Singapore. “However, I do think apps are more convenient for payment. As in your card information is normally stored and can be accessed without having to log in and all. I can do that on a computer too, but it's less secure. At least that's what I think.”

Google and Facebook have their advertisement norms disclosed.

Twitter also follows a similar model using the email ids that their users have associated with their twitter handles.

“If the service is free - then as many have said before - you are the product, said Sunil Abraham executive director at Centre for Internet and Society. “Your personal information is being sold to marketers and advertisers. As Bruce Schneier puts it ‘surveillance is the business model of the Internet’".

The terms and conditions are sometimes very long and use difficult language.

“Transparency and Informed Consent are principles in most jurisdictions that have data protection law modelled on the EU Data Protection Directive,” Abraham said.“Part of the transparency principle is the accessibility of the language.”

The user though still has an option to opt out of the above process where their data is collected by these companies.
Privacy policies of internet companies are legal documents. These are required under data protection laws. This makes them complicated, said Abraham.

The users don’t care that their usage data is being mined by businesses till they have a bad experience, Abraham said.

For more details visit https://cis-india.org/internet-governance/news/the-soft-copy-vivek-ananth-november-23-2015-shopping-on-apps-raise-privacy-and-security-concerns

Shooting cyber cafes before they die

praskrishna — 2013-05-31T06:32:38Z

Working for an NGO, Christy Raj cans the history of city internet parlours through the eyes of a transgender.

Vandana Kamath's article was published in the Bangalore Mirror on May 31, 2013. The Centre for Internet and Society's film on Cyber Cafes is mentioned in this article.

At the turn of the century, when dotcoms were booming, cyber cafes were ubiquitous. But just as video killed the radio star, smartphones have been the slow death of cyber cafes. They may soon be history, but before internet parlours are wiped off the face of the city, Christy Raj, 26, a transgender, has ‘captured’ them for posterity.

Raj (female to male transgender) has single-handedly shot a film on cyber cafes, viewed from the eyes of a transgender. The film is part of a project by Video Volunteers,an NGO that promotes community media. Raj is a correspondent for the NGO.

“I wanted to capture what happens in a cyber café, especially from the point of view of a transgender,” Raj said. “I’ve captured why a transgender would go to a cyber café. It could be for various reasons like applying for a job. The film captures the difficulties a transgender faces etc. It’s a short film, but conveys a lot, especially for a viewer who sees it after cyber cafes have gone extinct in the city!”

Raj admits that he had a tough time while shooting the movie. “We (actor and I) went to several cyber cafes to shoot the film,” Raj said. “Since my actor and I are both transgender, many gave us suspicious looks. Most refused to allow us to even enter the place, forget about shooting the film. We had to show our identity cards at several places and finally we got the opportunity to shoot in a cyber cafe.”

The film, a joint venture of Centre for Internet and Society (CIS) and Video Volunteers, was completed in two weeks and the raw footage was sent to Video Volunteers based in Goa. The film was screened at their fifth anniversary celebrations recently. Raj, who has basic knowledge of camera handling, has been with the NGO since 2010 and has shot various short films on subjects like sexual minorities, the recent eviction of people in Ejipura and human rights.

“Being a correspondent with Video Volunteers has given me an opportunity to work on mainstream issues and work with people from the mainstream. Prior to joining Video Volunteers, I was associated with NGOs like Samara and Sangama. We were given training in camera handling. They give us an opportunity to work on several issues based on the community.”

Raj was born and brought up in Bangalore. His parents abandoned him after they learnt of his transsexual tendencies and he had to drop out of school in the ninth standard. He lives with his partner in Sanjay Nagar.When he left his home, Raj decided he had to make a name in the community.“Today,Icanhandleacamera with confidence and conceptualise and make the films on issues pertaining not only to sexual minorities but also on several other issues,” says Raj.

For more details visit https://cis-india.org/news/bangalore-mirror-vandana-kamath-may-31-2013-shooting-cyber-cafes-before-they-die

Shining light into darkness: Encouraging greater transparency of government offensive practices in cyberspace

Admin — 2019-06-05T06:53:31Z

RightsCon is organizing a summit on human rights in the digital age in Tunis in June 2019. Sunil Abraham will be attending a conversation on encouraging greater transparency of government offensive practices in cyberspace on June 12.

In the plethora of different cybersecurity benchmark reports today, one is conspicuously missing. No entity has so far found a way to highlight and measure the different cyber offensive and deterrence doctrines, policies, or capabilities on a country-by-country basis. Similarly, there have been limited attempts to not only map, but monitor adherence to, international law and emerging international norms of behaviour in cyberspace.

During this session, pulled together by Microsoft, the Hewlett Foundation and Mastercard, we will explore whether there is value in developing either one or the other product, and assess how difficult they would be to realize. Would such a report encourage greater transparency of these policies and as a result drive international discussion about responsible behaviour in cyberspace? What would data would be required for it to generate a meaningful impact?

We will also examine whether there are lessons that can be learnt on the development, use, and impact of seminal benchmarking reports, such as the Global Peace Index, the Nuclear Security Index, Human Rights Watch’s World Report, and others. This gap is being examined in the light of the potential creation of a CyberPeace Institute, an independent non-profit organization to empower the global community with the knowledge and capabilities to protect civilians in cyberspace from sophisticated systemic cyber-attacks. It is envisioned that the CyberPeace Institute would perform three key functions: a) increase transparency of information on cyberattacks that are perpetrated by sophisticated actors and have significant, direct harm on civilians and civilian infrastructure; b) advance the role of international law and norms in governing the behavior of states and other actors in cyberspace; and c) deliver assistance at scale to the most vulnerable victims of qualifying cyberattacks, accelerating victims’ recovery and increasing their resilience. More information on the proposed Institute can be find in the attached overview.

The conversation will take place at RightsCon, in the Erythrean room on Wednesday, June 12 from 4:30 p.m - 5:30 p.m.

For more details visit https://cis-india.org/internet-governance/news/shining-light-into-darkness-encouraging-greater-transparency-of-government-offensive-practices-in-cyberspace

Sharad Sharma's case shows how rampant troll culture has become under Modi

praskrishna — 2017-06-07T12:29:18Z

Sharad Sharma's case shows how rampant troll culture has become under Modi.

This was published by Catch News on May 25, 2017.

Noam Chomsky once said: “Propaganda is to a democracy what violence is to a dictatorship”.

This couldn't be more true than in the Indian context. Abusive right-wing trolls, in this sense, can be seen as stormtroopers of the Narendra Modi government.

They are no different from political goons, using every means at their disposal – intimidation, abuse, hacking attempts, sexual harassment – to silence voices that speak against the regime.

Try tweeting about human rights violations in Kashmir or police atrocities against in Bastar, invariably an anonymous troll will appear and call you “anti-national”. Even criticising government schemes or raising questions about industrial houses supposedly close to the government, can invite abuse.

Some of the trolls are paid, some are ideologically driven while many are just plain frustrated.

But what happens when you come to know that the anonymous troll calling you an ISI agent, is actually the high profile founder of a company working with the government?

Meet Sharad Sharma, co-founder of iSpirt, a think tank that closely worked with Aadhaar. Sharma has been exposed as the man behind the twitter-handle @confident_India- that used to troll all Aadhar critics on the micro-blogging website.

He has apologised from his original twitter account, calling it “a lapse of judgment” and that 'anonymity seemed easier than propriety'.

Through his anonymous twitter handle, Sharma constantly accused Center for Internet and Society (CIS), of being foreign-funded and violating the FCRA (Foreign Contribution Regulation Act) laws, without giving any proof.

In a recently published study, CIS had alleged that Aadhaar numbers of over 13 crore people and bank account details of about 10 crore people were leaked through government portals due to to poor security measures, putting them at risk of financial fraud and identity theft.

accepted the data breach in the Supreme Court." data-reactid="36">Later, the government accepted the data breach in the Supreme Court.

Given Sharma's proximity with the government, it is quite possible that he was aware of the leaks himself. Yet to defend the government on social media, he chose the FCRA card against CIS, providing a hint of what could be in store for the public advocacy group.

Kiran Jonnalagadda, founder of the Freedom Foundation, who first exposed that it was Sharad Sharma anonymously using the @Confident_ India handle, says that “FCRA threats are a way to stop people from questioning Aadhar".

FCRA seems to have been a useful tool for the NDA government against organisations that question government policies. In April this year, the government suspended registration of environmental advocacy NGO Greenpeace. While the government is well within its right to use the FCRA law against those who violate it, but if a law is used only against those who speak against the regime, questions are likely to be raised.

While Sharma has apologised for trolling the government's critics by accusing them of foreign exchange violations and being CIA stooges, there are several handles that go to the extent of giving giving rape and death threats to those who dare to speak against the establishment.

When PM follows trolls

Recently, Trinamool Congress MP, Derek O’Brien accused Prime Minister Narendra Modi of encouraging hatred by following people who run hate campaigns on social media.

“26 Twitter handles that give out rape threats, communal threats are followed by the Prime Minister (Narendra Modi),” O‘Brien said in the Rajya Sabha.

In a recently published book, “ I am a troll” journalist Swati Chaturvedi has given an account of a former BJP volunteer Sadhavi Khosla who alleged that the BJP's social media cell was responsible for putting pressure on e-commerce company Snapdeal to drop actor Aamir Khan as its brand ambassador after the latter made strong comments on the intolerance issue.

It would be wrong to say that only BJP and Modi have (mis)used social media trolls to harass their critics. Parties like AAP and Congress also have a significant presence of anonymous twitter handles as well. But pro-Modi trolls are unmatched in the kind of threats and abuse they indulge in.

Unfortunately, trolls aren't taken to task for their behaviour. Even Sharma, after being caught, received a pat on the back from none less than Nandan Nilekani, for coming clean.

For more details visit https://cis-india.org/internet-governance/news/catch-news-may-25-2017-sharad-sharma-apos-case-shows-how-rampant-troll-culture-has-become-under-modi

Sharad Sharma Apologises for Trolling Aadhaar Critics; Unmasking Ispirit's Controversial Trolling Program

praskrishna — 2017-05-26T01:08:09Z

Last weekend I was at Aditi Mittal’s standup comedy show in Mumbai where she made a cheeky remark that stayed with me – “Do you guys know what India’s soft power is today? It is trolling!”

The blog post by Shweta Modgil was published by Inc 42 on May 23, 2017.

While she was poking fun at the Snapchat-Snapdeal-Evan Spiegel controversy, in a bizarre coincidence those words came back to haunt me three days later. That was when one of biometric authentication system Aadhaar’s most vocal critics, Kiran Jonnalagadda, co-founder of Internet Freedom Foundation (IFF), an advocacy group, revealed in a series of tweets that @Confident_India, one of the anonymous accounts arguing in favour of Aadhaar and attacking its critics on Twitter, was being operated by none other than Sharad Sharma, the founder of software products think tank iSPIRT.

At the time, Sharad had completely denied that he was tweeting from an anonymous account. But today, on Twitter, Sharad apologised for the anonymous trolling on Twitter.

In a tweet, Sharad stated that “There was a lapse of judgement on my part. I condoned tweets with uncivil comments. So I’d like to unreservedly apologise to everybody who was hurt by them.”

He added that “Anonymity seemed easier than propriety, and tired as I was by personal events and attacks on iSPIRT’s reputation, I slipped.” Furthermore, he stated that he would not be part of anything like this again or allow such behaviour to continue. He also revealed that an iSPIRT Guidelines and Compliance Committee (IGCC) has been set up to investigate the matter and recommend corrective action.

On Catching a Troll

On 17 May, Kiran tweeted out a revelation, which shook a lot of people – “Have we caught an Aadhaar troll?” Kiran used Twitter’s account reset option on Confident_India with Sharad Sharma’s number to see if it is was accepted. And, as per a screenshot posted by him, it did.

This was further corroborated by many other Twitter users. Medianama’s Nikhil Pahwa (and co-founder of IFF) also confirmed the same, tweeting that the troll account does link to Sharad Sharma.

In a detailed Medium post, Kiran then revealed how he investigated the rise of anonymous Twitter accounts and trolls responding to critics of Aadhaar. But what he revealed next was the shocking part – that at the 27th Fellows meeting of the think tank, a plan was hatched to respond to critics of India Stack which involved the use of trolls. A group called Sudham, created earlier, divided people who were broadcasting different views on Aadhaar, into different categories and then underlined various proposals on dealing with them. One of the groups called “archers” was entrusted to carry out the mainstream debate, while another group of “swordsmen” was entrusted to challenge people who were categorised as informed yet “trolling.” Swordsmen would do this by coordinating on WhatsApp with quick responses and in numbers.

Kiran got a hold of the presentation and also shared how one controversial slide also showed a detractor matrix.

It is this slide which Kiran uses to illustrate the fact that: “ iSPIRT has an officially sanctioned trolling program where the trolls coordinate on WhatsApp and attack together on Twitter, exactly the behaviour seen in all the tweets above—and I’ve only covered the leader’s tweets. There are at least a dozen known troll accounts that attack in packs.”

First Denial

Back when the information was first revealed, Sharad Sharma responded by denying that he was tweeting from the @Confident_India Twitter account.

He further added that he was in for a family emergency in the US. And that he was clueless as to why his number was linked with that account.

But, interestingly, what roused the investigator’s suspicions was that Sharad shared the same denial from another troll account @indiaforward2 – which was captured by another Twitter user before it was deleted.

The denial from Sharad’s true account came half an hour later. But the damage had been done and all fingers pointed in the direction of Sharad Sharma engaging in trolling from those accounts. Kiran then wrote another damning post on Sharad’s dubious denial.

As can be guessed, all the tweets related to this matter from Sharad’s and Indiaforward’s accounts have been deleted. The last tweet from Confident India’s account on 17 May professed that he is not Sharad Sharma.

Meanwhile, iSPIRT finally responded to Kiran’s revelations on Medium –“We want to categorically state that the allegations against iSPIRT coordinating and/or promoting any troll campaign are false and the evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack.”

The post further explained that in its Fellows meeting held in February and April 2017, it did address the issue of the chatter around India Stack. It says, “Our volunteer, Tanuj Bhojwani, led the discussion and we outlined our strategy for dealing with our detractors. The slide in question is clearly titled “Detractor Matrix.” The slide outlines how we classify those speaking against India Stack, and how we are engaging with them. We called one category of people “informed yet trolling (IYT),” a category of people deliberately misleading people, despite understanding the nuance behind the debate.”

The post admitted that the think tank encouraged volunteers to respond to these IYT Twitter handles directly from their own personal handles. However, at no point did it endorse or recommend anonymous trolling.

“We are aware that some volunteers and their friends have created an anonymous campaign to Support Aadhaar. This is not a troll campaign, but an informational one. It is also not an iSPIRT campaign.”

It concluded with: “Kiran’s motivated misrepresentation of the slides perhaps speaks to his biases against iSPIRT.” The post added that it plans to investigate the confusion around the alleged mobile number and account link and clarify all outstanding questions.

Meanwhile coming back to trolling from where we started. Though Sharad’s apology did not say directly whether he operated the two Twitter accounts — @Confident_ India and @Indiaforward2 — which he was suspected of using for trolling- he signs off by saying that he requests “those who I have disappointed to look at this as an exception.”

The Aadhaar Controversy

While the series of incidents raises many doubts over an esteemed organisation such as iSPIRT, the controversy over Aadhaar, India’s massive biometric identification programme, has been raging for many months now.

Over the last few months, it has come under fire for not addressing the privacy concerns of an individual and leaking individual data. Aadhaar critics have pointed out that it is more a mass surveillance tool, can lead to identity thefts, and linking basic services with it spells doom.

This month, a CIS (Centre for Internet and Society ) report revealed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals, due to lack of IT security practices. The report claimed that the absence of “proper controls” in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about the address, photographs, and financial data. It also added that as many as 100 Mn bank account numbers could have been “leaked.”

However, on May 16, the CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is at “best characterised as an illegal data disclosure or publication and not a breach or a leak.” It also claimed that some of its findings were “misunderstood or misinterpreted” by the media and that it never suggested that the biometric database had been breached.

Meanwhile, the Aadhaar-issuing authority UIDAI has asked CIS to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. The UIDAI also wants CIS to clarify what kind of “sensitive data” is still with the Centre or anyone else. The UIDAI has strongly denied any breach of its database and has asked CIS to provide details such as the servers where the downloaded “sensitive data” is stored.

While the security of the above-mentioned Aadhaar data is still being debated, the government’s push towards making it compulsory across industries has become a major topic of debate in India.

From linking bank accounts, to PAN numbers, to obtaining free gas connections under the Pradhan Mantri Ujjwala Yojana, to linking scholarships to linking Aadhaar numbers to social welfare schemes for electronically disbursing money to specific beneficiaries, or the Aadhaar-enabled Payment System (AEPS), the government has been pushing on with Aadhaar to make it a mandatory ID rather than the voluntary one it was envisaged to be originally. India still does not have a data protection and privacy law and making Aadhaar mandatory in such a country is not without risks.

Given the fact that the UIDAI cannot afford to carry out authentication-based rollouts across schemes in haste as the failure rate of AEPS can lead to denial of direct benefits, it makes more sense to retain Aadhaar as a voluntary authenticator, at least until the government solves on-ground issues around Aadhaar-based authentication. Because any failure can erode public faith in Aadhaar as the beneficiary would not get his rightful ration over authentication failure— and, to that extent, in the government itself. So, for beneficiaries who depend on public distribution systems (PDS) for rice, sugar, kerosene or oil, authentication failure is a serious problem.

It is to this effect that PILs (public interest litigation suits) have been filed in the Supreme Court stating that making Aadhaar compulsory is illegal and would virtually convert citizens into “slaves” as they would be under the government’s surveillance all the time. The Supreme Court had itself stated in August 2015 that Aadhaar cards will not be mandatory for availing benefits of government’s welfare schemes and had also barred authorities from sharing personal biometric data collected for enrollment under the scheme.

Last month too, it lambasted the Narendra Modi-led BJP government at the Centre for making Aadhaar card a mandatory prerequisite to avail government services. The court will examine all applications against Aadhaar on June 27 2017, while the government remains steadfast on not extending the deadline of June 30 by which various schemes such as the grant of scholarships, Sarva Shiksha Abhiyan and various other social welfare schemes were to seek mandatory Aadhaar number.

While the debate rages on, controversies keep on piling up. Recently, linking people living with HIV/ AIDS with Aadhaar cards has allegedly driven away patients from hospitals and antiretroviral therapy (ATR) centres in Madhya Pradesh. As per health department sources, the MP State AIDS Control Society made Aadhaar card number compulsory from February this year for those affected by the virus to get free medicines and treatment in accordance with the Central government’s policy making Aadhaar mandatory to avail benefits of any government scheme.

However, this led to negative fallout as many patients and suspected victims started avoiding ATR centres and district hospitals after the new rule came into effect. The patients feared that the compulsory submission of Aadhaar card to get free medicines and medical check-ups could lead to the disclosure of their identity, inviting social stigma.

While there is no denying the fact that, in a welfare state, technology can play a big role in enabling the state to hand out entitlements more efficiently and distribute public services at scale. But doing the same at the cost of an individual citizen’s privacy and resting it all on one mandatory number whose authentication is still not completely foolproof, is hardly the way a welfare state would like to operate.

For more details visit https://cis-india.org/internet-governance/news/inc42-may-23-2017-shweta-modgil-sharad-sharma-aplogises-for-trolling-aadhaar-critics

Shanty home

radha — 2011-04-04T06:53:08Z

A nationwide initiative is imploring that you look closely at the greyed-out areas on your GPS maps, says Jaideep Sen in an article in the Time Out Bengaluru Magazine, November 13-26 2009 [Vol 2 Issue 9]

Call up a map of Bangalore city on Google, key in the letters “HAL”, and hit the return key. When the squiggly lines demarcating the area show up, put down the end of your forefinger at the Marathahalli end of the Old Airport Road stretch, and begin tracing your way all the way up to MG Road. It’s an easy route to follow, if you’re merely looking to head from one end of the city to the other, but that isn’t the purpose of this particular exercise, which could well be tried out along all major roadways in any city across India.

As the two Bangalore-based groups Centre for Internet and Society, and Tactical Technology Collective describe it, the attempt of that lingering fingertip is to ascertain the possibilities of creating “maps from the margins and of margins”. While that wouldn’t make immediate sense to most GPS-impelled drivers, what they’re implying is that you look around that route to try and locate and identify the numerous slums, unauthorised settlements and illegal waterways that remain greyed-out along those delineated main roads and prominent residential areas. As co-hosts of a two-month-long nationwide project titled “Maps for Social Change”, the groups are also wagering that you most likely won’t find such expanses on a map. Although, if you were to explore the neighbourhoods of say, HAL, Indira Nagar and Ulsoor, you’d find at least 30 unmarked shanties along that stretch of Old Airport Road alone.

Official figures peg the city’s slum-dwelling population at roughly 10 per cent of an estimated total 5.3 million people, in a little over 200 slums as declared by the Karnataka Slum Clearance Board. While that figure would appear minor in comparison to that of a city like Mumbai, where 60 per cent of approximately 19 million people are said to live in slums, it’s precisely that kind of disparity that this project aims to pin down against latitudinal and longitudinal positions. The purpose, said a note from the groups, is to use “geographical mapping techniques to support struggles for social justice in India”. The end result, it added, could make maps as “tools to fight injustice in society”. To understand that intention, the activists and technology specialists of the two host groups are urging people, and groups involved in social projects especially, to revisit maps and identify possibilities relevant to local campaigns and movements.

“In other countries, there’s a lot of talk about social movements using technology, even in subversive ways, but in India, this hasn’t really taken off,” said Anja (pronounced Anya) Kovacs, a Belgian who has lived in India for eight years, is a member of various campaigns in New Delhi, and is a CIS member spearheading this project. While there are many reasons for Indians to be desisting from technological means, there are many practical applications where mapping techniques can benefit social causes, she insisted.

“One example is to do with people who face displacement caused due to upcoming Special Economic Zones,” explained Kovacs. “The media, at times, portrays people against such models of development as a minority. But if you count the number of people involved in these movements, you’d come up with a mad number, and there are a mad number of struggles going on.” The project, she added, could help place such information on a map, “so that different classes of people could see what the truth actually is”.

The application inviting proposals from groups, individuals and students, begins with an exhortation for people to rethink the concept of maps. “Most of us think of maps as representations of territory,” it states. “But have you wondered why poor people are rarely given prominence, or at times are absent altogether?”

The graphic representation of a map also presents a handy educational medium, added Kovacs. “People working on concerns of sexual harassment, or state repression, public health, water management issues… the possibilities are immense.” Allan Stanley, another CIS member working on the project’s technical aspects, said the aim was to facilitate training, and extend their expertise. “It’s easily doable even for people with little internet experience,” said Stanley. “Where you create mash-ups, with [online photo and video hosting services] Flickr and You Tube, and some overlaid locative work.” At advanced levels, Stanley said that open-map projects could serve to track things like education, and density of schools in areas. Kovacs also spoke of the recent “pink chaddi” campaign, against instances of violence inflicted upon women, where a simple Google map was used to mark locations that attacks were reported from, to highlight the possibility of indicating potentially unsafe urban regions.

Link to original article

For more details visit https://cis-india.org/news/shanty-home

SFLC Round Table Discussion on Personal Data Protection Bill

Admin — 2018-10-02T03:16:19Z

Shweta Mohandas participated in a Round Table Discussion on Personal Data Protection Bill, orgnanised by SFLC on September 25, 2018 in Bangalore. She also moderated the first session - Data Protection Principles (Rights and Obligations).

See the agenda of the event here.

For more details visit https://cis-india.org/internet-governance/news/sflc-round-table-discussion-on-personal-data-protection-bill

Sexual Harassment at ICANN

padmini — 2016-04-06T14:40:55Z

Padmini Baruah represented the Centre for Internet & Society at ICANN in the month of March 2016. In a submission to ICANN she is calling upon the ICANN board for implementing a system for investigating cases related to sexual harassments.

On the 6th of March, 2016, Sunday, at about 10 am in the gNSO working session being conducted at the room Diamant, I was sexually harassed by someone from the private sector constituency named Khaled Fattal. He approached me, pulled at my name tag, and passed inappropriate remarks. I felt like my space and safety as a young woman in the ICANN community was at stake.

I had incidentally been in discussion with the ICANN Ombudsman on developing a clear and coherent sexual harassment policy and procedure for the specific purposes of ICANN’s public meetings. Needless to say, this incident pushed me to take forward what had hitherto been a mere academic interest with increased vigour. I was amazed, firstly that the office of the ombudsman only had two white male members manning it. I was initially inhibited by that very fact, but made two points before them:

With respect to action on my individual case.
With respect to the development of policy in general.

I would like to put on record that the ombudsman office was extremely sympathetic and gave me a thorough hearing. They assured me that my individual complaint would be recorded, and sought to discuss the possibility of me raising a public statement with respect to policy, as they believed that the Board would be likely to take this suggestion up from a member of the community. I was also informed, astoundingly, that this was the first harassment case reported in the history of ICANN.

I then, as a newcomer to the community, ran this idea of making a public statement by no means an easy task at all, given the attached stigma that comes with being branded a victim of a sexual crime by certain senior people within ICANN who had assured me that they would take my side in this regard. To my dismay, there were two strong stands of victim blaming and intimidation that I faced I was told, in some cases by extremely senior and well respected, prominent women in the ICANN community, that raising this issue up would demean my credibility, status and legitimacy in ICANN, and that my work would lose importance, and I would “...forever be branded as THAT woman.” My incident was also trivialised in offhand casual remarks such as “This happened because you are so pretty”, “Oh you filed a complaint, not against me I hope, ha ha” which all came from people who are very high up in the ICANN heirarchy. I was also asked if I was looking for money out of this. Click to read the full statement made to ICANN here.

For more details visit https://cis-india.org/internet-governance/blog/sexual-harassment-at-icann

Sex, drugs and the dark web

Admin — 2018-01-02T16:13:14Z

Blend anonymity and bitcoins for a ‘guaranteed safe’ cocktail of terrifying potential.

The article was published in the Hindu on October 7, 2017.

It’s hardly a secret that marijuana’s quite easy to get nowadays. Cigarette shop owners, paanwaalas, and otherwise innocuous dealers of innocuous goods hide their stash just out of sight of the unaware. Rustom Juneja is just another marijuana-smoking adult in one of India’s biggest cities. He used to get his ‘stuff’ from local dealers. Till he “got bored of Indian produce,” as he says. So, in 2015, he decided to go to the dark web.

“I brought strains of marijuana from the U.S. and Canada, from a marketplace on the dark web,” Juneja says. The packages were shipped from their respective countries, they traversed borders, bypassed stringent security and checks, crossed continents, and landed at Juneja’s doorstep.

That is the dark web for you. Completely unpoliced, willing users can find anything, from the aforementioned marijuana, to “hard” drugs, to military grade-weaponry and even sex workers. All delivered to your doorstep just like books or designer watches from Amazon, Flipkart, or Snapdeal. And yes, some even offer cash-on-delivery. Returns might not be as simple, though.

Earlier this year, a group of students were arrested in Hyderabad on charges of purchasing LSD (also called ‘acid’) on the dark web. But they weren’t arrested because they had made the transaction on the dark web; they were arrested because the purchase and/ or use of LSD is illegal under Indian law (Narcotic Drugs and Psychotropic Substances Act, 1985).

In India, transactions on the dark web belong to a legal grey area. More importantly, the transactions here are mostly untraceable.

So, just what is the dark web?

Shadow world

The world wide web is a Brobdingnagian mass of data, parts of which are ‘indexed’ so that they may be found by users through search engines (Google, Bing, etc). The parts of the web that aren’t indexed, and therefore available for public access, are known as the ‘deep web’. This was the part initially known as the dark web, with the ‘dark’ being more an allusion to being kept away from the light of regular access than its now more nefarious association. While it’s near impossible to put a number to it, unofficial estimates mostly concur that the vast majority of the web is unindexed.

Then, in the early 2000s, programmers began developing techniques that would be able to offer anonymous access to these hidden bits of the web. In 2002, the U.S. Naval Laboratory released one of the earliest versions of The Onion Router (TOR), a software that would allow anonymous communication between American intelligence agents and operatives on foreign soil.

This didn’t go quite according to plan, though. Tor was soon appropriated by cyberpunks, who began using the protocol to give access to websites that would host, share, and trade illicit goods. Today, the dark web is a sub-section of the deep web, accessed using specialised software like Tor that ensures absolute anonymity.

The onion protocol

“If you want to track anything on the Internet, it can happen at three levels — the level of the person who sends a request, at the level of the person responding to this request, or it can happen in between these two ends,” says Udbhav Tiwari, Policy Officer at the Centre for Internet and Society.

“Because of this structure, it is easy to track actions and resources across the Internet, using the same terminology that makes it so easy to index and search. So, people began thinking this might become a problem.”

Most of us have heard of the Hyper Text Transfer Protocol Secure or HTTPS, a protocol that ensures that information is encrypted and secure the moment it leaves a computer till the time it reaches a destination computer. But this protocol only protects one of the three levels on which information might be tracked. The dark web is built to ensure that the remaining levels are also protected and kept anonymous.

“The reason it’s called the ‘onion’ protocol is because there are bits of information that are encrypted over and over again. So, when something leaves one computer, it is encrypted with a layer, then it hits another computer and is encrypted with another layer, and it hits another computer, where it is encrypted yet again. When this information returns, each layer is peeled off, so that you get the information you requested, with none of the encryption,” Tiwari says.

This kind of encryption makes it borderline impossible to figure out who is communicating with who and what they are talking about, unless the physical machines at either end are compromised, or a vulnerability on these machines is exploited by setting up a fake website on the Internet — a technique the FBI uses to track child pornography.

And what does it all mean? A level of guaranteed secrecy with terrifying potential. A 2015 study found that light drugs were the most traded commodity on the dark web, and that as much as 26% of its content could be classified as ‘child exploitation’.

A 2016 study found that almost 57% of live websites on the dark web hosted illicit material. The ease of access and the minimal chances of being caught has meant a steady rise in the use of the dark web and the murk it peddles.

It’s a market where both buyer and vendor are rated, like Uber. This establishes trust, and authenticates the veracity of a potential transaction. Thus, for instance, buyers are obviously more inclined to buy an assault rifle from a highly-rated seller. And you will be sold grenades only if your ratings assure the vendor you’ll fulfil your end of the transaction.

Once a transaction is finalised, the payment is held ‘in escrow’ — a third party arbitration system which ensures the buyer is paid only after they have met their end of the bargain. The third parties also arbitrate in the event of a dispute.

As easy as pie

Juneja bought marijuana three times, all from the same vendor, but only two shipments reached him. The third time, the parcel never landed, but the arbiters decided in favour of the vendor because he had a much better rating and Juneja lost his money.

With no proper method to find out whether the vendor has shipped a product or the buyer has received it, this adjudication is seen as the best stop-gap arrangement. For Juneja, as for many others, the loss was a deal breaker, and he didn’t go back to the dark web.

When the first two shipments did arrive though, they came with absolute swagger and nonchalance. “The product was sealed and flattened out, as if it were a magazine or postcard.” It does say something of international security that it can’t differentiate between a shipment of The New Yorker and marijuana.

Dark web transactions were initially carried out using legal state-issued currencies. However, the simplicity of tracking online transactions made with property monitored by the government led to the rise of cryptocurrencies — digital or virtual currency that uses cryptographic techniques for security and which would be beyond state control. Besides the need to go underground, there was a political angle.

“These people see money as a state incursion into private affairs,” says Jyotirmoy Bhattacharya, economics professor at Delhi’s Ambedkar University.

The first, and still most popular, cryptocurrency was released in 2009 — bitcoin. Created by an unknown person or group of people, going only by the pseudonym Satashi Nakamoto, bitcoin was intended as a ‘peer-to-peer electronic cash system’, which would be completely decentralised, with no central server or state authority. This meant that the value and proliferation of bitcoin would be determined by its creators and users.

The idea of a virtual currency has been around since before Nakamoto, but a large problem was in limiting creation and supply. Bitcoin was the first to solve this problem. “Bitcoin uses a technique known as the ‘proof-of-work’ (POW). So, to create a new set of this currency, you have to spend some amount of computational resources. This limits how much currency you can generate, thus ensuring that the currency has a value,” says Bhattacharya.

What is bitcoin?

“A bitcoin is simply a solution to a puzzle. If there are a set of puzzles that are a part of the bitcoin protocol, one bitcoin is simply one of the solved puzzles of that set, along with a digital signature of who solved the puzzle,” says Bhattacharya. A public ledger tracks the ownership of bitcoins, which ensures that the same one is not used again by the same person.

“Since there is no central authority, your transaction has to match the globally agreed ledger.” To ensure that ownership of bitcoin is legitimate, every transaction is published in the ledger, thus creating a ‘chain of transactions’ known as a blockchain.

Over the past few years, the value of bitcoin has skyrocketed, so much so that people have begun investing in it, as an asset. When bitcoin was first used as tender in early 2010, it was valued at around $0.003. For a brief while in August, one bitcoin was valued at $4,500, a record high.

In the everyday world of eggs and bread, though, bitcoin has limited use. It is still unrecognised by several nations, and deemed illegal in many others. It’s in the dark web that it finds its most votaries. While it would be flippant to suggest that bitcoin is used on the dark web solely for illicit uses, it is difficult to deny its origins for that purpose, and its continuing use there.

Bedavyasa Mohanty, an Associate Fellow at Observer Research Foundation Cyber Initiative, says that there are Indian users transacting on the dark web using bitcoin and claims that this number is only likely to increase as accessibility increases. “Bitcoin cannot be tracked,” says Mohanty. “With the ledger and the blockchain, you can trace the trail of a certain bitcoin, but it is anonymised. You can’t point out who owns that bitcoin.”

This, in effect, means an entirely anonymous transaction may be made on the dark web for any number of illegal goods or services using a currency that leaves a trail which goes nowhere and leaves no fingerprints. This, in a nutshell, is the danger when bitcoin combines with the dark web.

Several users I spoke to either claimed that fears about the dark web were mostly unfounded, or that the freedom it offered was an essential facet of the Internet. But it can’t be denied that the sheer possibility that somebody can deal in child porn or hard drugs or deadly weapons right under the nose of the law is a terrifying one.

From the perspective of Indian law enforcement, given the technical knowhow they have to track down owners and users of bitcoins, the chances of discovery are minimal, says Mohanty. The currency uses a system of public and private ‘keys’, ensuring that an intercepted bitcoin transmission is useless without those keys. To top it, India does not have any clear laws to regulate cryptocurrencies.

“For India to regulate cryptocurrencies, it would need to legally recognise their existence,” says Mohanty. “And if you do recognise them, what do you treat them as? As a security? Or as a currency that can be traded openly, and so on. That’s part of the reason why the Reserve Bank hasn’t formally recognised cryptocurrencies.”

Flagging illegal trades

Bitcoin exchanges in India insist that they follow strict guidelines and e-KYC (Know Your Customer) rules, ensuring that the identity of every customer on the exchange is verified. “If somebody tries to use a bitcoin from Zebpay or any other recognised exchange, they will definitely be tracked down,” says Saurabh Agrawal, co-founder of Zebpay, one of India’s largest bitcoin exchanges.

“We use strong software; if any of our users use bitcoins for illegal purposes, we close their accounts. We’ve done this in the past and will do so in future as well.” He claims their software maintains a list of web addresses deemed ‘red alert’ sites, and the moment a bitcoin is sent to such a site, the transaction is flagged.

Others are less positive. “While we can track whether a transaction is made through illegal routes, to some extent it’s true that we cannot track all transactions in real time as this takes a large amount of data,” says Sathvik Vishwanath, CEO, Unocoin.

“But if someone is trying to buy or sell from illegal marketplaces, we have a mechanism where we can — and do — stop it.” Given that customers are KYC-verified, “they don’t try to indulge in malicious activities,” he says.

Pan to Rustom Juneja. Juneja made three transactions in 2015, using bitcoins purchased entirely legally from an exchange. “You have to create an account on any of the markets online, and transfer your bitcoins to that account,” Juneja informs me. His account too was KYC-verified, and they had all his details — PAN number, Aadhar, and so on. He had no clue then that the exchanges had tracking methods. “Look, if these actually worked, there’s no way we wouldn’t have been caught,” he says.

Part of the problem, of course, is that Indian law does not recognise the dark web as a separate entity from the ‘surface’ web; there are no special laws for it. Yet, even if laws were put in place, there are few ways in which states can monitor or block the use of the dark web owing to a host of technical and legal reasons.

“A sense of urgency [regarding the dark web], especially relating to the use of bitcoin for illicit activities, hasn’t been instilled in the government yet,” says Mohanty. “What they are worried about is terrorism, and the use of anonymous technologies and chatrooms for radicalisation, terror planning, or buying and selling weapons.”

Juneja is one of a few thousand active Indian users on the dark web. Nothing stops them from buying a strain of marijuana from Canada. But nothing stops them from buying a Kalashnikov either.

Sunny side up

The dark web isn’t necessarily only a marketplace for all of the world’s nefarious practices. The very anonymity and shrouds that the dark web offers can be used for general practices by users looking merely for privacy.

Aritra Ghosh, a Ph.D student of Computational Astrophysics at Yale University says, “(The dark web is) possibly the only way to do something in “secret” away from any kind of surveillance. Onion routing still hasn’t been broken. So, it can play a substantial role in movements against companies, governments and so on.”

And this is a quality that many frequenters of the dark web swear by. Even the ability to use anonymous messenger service with a near-complete guarantee of not being ‘watched’ drives a lot of people here.

Akarsh Pandit, 24, says unrestricted access to many resources including books and documents is an area of huge potential. “Another significant pro is the avoidance of national firewalls that exist in some countries. Moreover, you gain access to unindexed search results,” he says.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-saurya-sengupta-sex-drugs-and-the-dark-web

Sex on-the-go

praskrishna — 2013-06-05T09:08:05Z

After a freak fire in 2011 reduced the cubbyholes trading in electronic goods inside a Crawford Market shopping plaza to ashes, Junaid has gone alfresco.

The article by Anand Holla was published in Mumbai Mirror on May 4, 2013. Pranesh Prakash is quoted in it.

He sits on a stool by a chock-full street tinkering with mobile phones while three teenage staffers hover around him. A laptop receives favourable treatment; it sits at the centre of the makeshift stall scattered with card readers. The imaginary wall of hostility he carefully builds over several seconds crashes when he realises we are genuine customers. "This is not your regular movie...it will cost you Rs 250 for 4 GB," he mutters, dodging eye contact. Some bargaining later, he hurriedly transfers 200 short pornographic clips from the laptop on to a memory card for Rs 150. Most are the fall-out of crosscountry MMS scandals, the flavour of the season. "Everyone does it, no one talks about it. A raid means we lose our equipment and pay a hefty fine," he says in staccato metre, handing us back the card. Seconds later, head down, he's back to reviving a dead smartphone.

The rates vary at a booth a few metres down. It's Rs 400 for 16GB - the same price as that for loading your phone with the latest Bollywood and Hollywood films - of a "collection" that includes foreign porn, and bestiality videos.

It's hardly a secret that several of the city's cell phone repair shops and SIM card kiosks that flaunt a computer, stock smut in secret folders marked by gibberish names. "We get some women, too," one owner says. "They say, "Zara woh waale movies daal dena'."

Which brings you to the rules of the mobile-porn-off-the-street universe.

A blunt demand for a blue film clip will send shopkeepers into a shell. Some may even express mock disgust at your request. Blame it on random raids by the State Anti-Piracy Cell. Around South Mumbai's markets, for instance, code words 'Daal gosht' or 'Pelampaal' put the Flashing-Loading-Repairing stall owners at ease. But for tongue-tied first-timers, body language is the marker. A local cell phone accessories distributor says, "The more desperate you look and sound, the easier it is for you to pass off as a bona fide purchaser. If you are well-dressed, they'll deny they stock it. There's no fixed rate. Sab grahak dekhke poodi baandhte hain. Considering how it's a simple copy-paste job, it's free money anyway."

Regular customers frequently leave their phones with their trusted 'service' providers for loading apps, games, the latest films, and porn too. It's a package deal. "If you know how to ask for it, there's hardly a corner in Mumbai where you can't buy pocket porn," says a shopkeeper from Mulund.

In fact, pornography is not high on the authorities' agenda, says Vijay Mukhi, former member of the High Court/State Government Committee on Pornography and Cyber Laws. "Unless the Anti-Piracy Cell sends a dummy customer to lay a trap, it's near impossible to prosecute the shopkeepers because watching porn is not a crime; only producing, publishing or distributing it is," he clarifies.

Shafqat Usmani, President of the Mobile Dealers Welfare Association of Mumbai, says, the paltry 2.5 per cent margin on products makes the city's 50,000 mobile phone retailers render additional services, including repairing. Is loading porn part of the survival mechanism? "The low margin is no excuse to indulge in disgusting activities," he says.

Hand-held and hi-res
The cell phone boom - both, cheap Chinese models that allow the not-so-privileged access to technology and the arrival of high-res display screens that offer the affluent a viewing experience superior to television - has worked towards making porn consumption mainstream. Local train commuters will tell you of the passenger on the corner seat watching smutty clips, as if it were an impassive pastime. It's even found favour as a 'stress reliever'. "My friends and I buy phone porn to watch whenever the workload at office gets out of hand," says a Mankhurd resident.

While watching porn on laptops, either straight off the net or via DVDs, means you could get busted by family and friends, the handheld experience - with a phone password to boot - allows complete privacy.

What would you like?
Depending on which neighbourhood market you access, the popular offering varies. In Kurla, says a cell phone mechanic, foreign porn has no takers. "They (customers) say everything happens too soon and easy. The demand is for morphed celebrity sex videos, South Indian porn and of course, MMS clips." Some of these are what the industry refers to as 'kaand' videos. They resemble MMS scandal clips but are staged. It's the lure of these grainy, sloppily shot videos that landed Karnataka BJP ministers Lakshman Savdi and CC Patil in a soup last February. The two were caught watching a clip during assembly. Amid a storm of criticism, they and Mangalore minister Krishna Palemar, who was accused of transferring the video to Savdi's phone, resigned.

On Ahmedabad's Relief Road, a row of kiosks that sport the 'Downloading' sign, like the one run by Karimmuddin, offer hi-definition (HD) foreign porn to affluent students who walk in with large-screen 3G phones demanding virus-free content. It's Rs 100 for 2GB worth of mp4 clips of 720p resolution, and Rs 50 for 2GB worth low-quality clips, says 21-year-old Moin. Smaller, dirt cheap deals are available too. A single HD clip at Rs 5.50, a low-res one for Rs 2, and the 'lightest' clip for Rs 21 paise.

"My customers are youngsters from middle and upper middle class families," says 30-year-old Rocky, a shop owner in Navrangpura, while catering to Vikas, a collegian waiting for a Rs 100 download. "We are a group of six friends, including girls. For Rs 100, I'm going away with more than 20 HD video clips," he says straight-faced, adding that his group of friends, girls included, get together during the holidays for collective viewing. A relationship of trust between regulars like Vikas and shopkeepers means he will share a clip with the mobile store owner, in case he doesn't have it in stock.

It's a business of 100 per cent profits, they admit, and raids are easy to dodge since the police usually come looking for duplicate cell phones. They'd make half their monthly earnings if they relied on selling SIM cards, mobile accessories and software loading alone, says Ramesh, a 23-year-old staffer at a cell phone shop in Odhav that gets walk-ins from rickshawallahs and college students.

The rise of mobile porn has turned into a thorn in the flesh for pirated DVD sellers. Ajju, who runs a CD/DVD stand near Panchwati Crossroads, remembers a time when customers crowded him for 'tragda' or XXX CDs. "Older women would arrive in cars, roll down the window and ask for adult movies. I'd notice how they'd chuck the explicit cover and plonk the CD in an unsuspecting plastic bag." Mobile porn has hit his profits, bringing it down by 20 per cent.

Southward bound
Surprisingly, in Bengaluru, the erotic DVD trend is experiencing freak survival. Two years ago, the youth scoured Majestic and SP Road for downloaded porn. But with affordable mobile phone data plans and pirated DVD sellers ratting on their competitors, mobile repair shop owners have had to stick to doing just that - fiddle with hardware.

It's the tier II and III cities across India that are waking up to the potential of porn-on-phone. Earlier this year, Mysore-based moral awareness group Rescue conducted a survey across 964 junior college students from Mysore, Chamarajanagar and Bengaluru. More than 75 per cent watched porn regularly, and most watched six times more porn on their phones than on any other device, said the findings.

Mangalore, Belgaum, Dharwad and Mysore, all educational centres, support a thriving porn-lending library system. A student from Moodabidri says, "Most hostel students venture out to these shops once a week, and pay Rs 50 for a porn-loaded memory card. They return it a week later in exchange for fresh content."

Mangalore leads the pack in the sleaze game. It's believed that the clip that got the Karnataka ministers into trouble was called Fasila, and was a hit in Mangalore and neighbouring Kasargod two years ago. Six years ago, a seven-minute MMS sex clip was converted into a half-hour CD named Mangalooru Mungaru Male and sold widely. In 2000, before mobiles became the rage they are now, sex CDs flew off the shelves. The famous 40-minute clip, Mysore Mallige (known as MM CD) that featured a girl from Puttur, was sold for as much as Rs 1,000.

A mobile accessories shop owner in Puttur says the porn viewing audience has grown to include blue collar workers, who aren't tech-savvy to figure their own Internet downloads. "All they want is clarity of clips,' he says.

Watch, don't act
His customers then, are not very different from 22-year-old Manoj Sah and his 19-year-old companion Pradeep Kumar, who admitted to investigators probing the rape of a five-year-old girl in East Delhi last month, that they were drinking and watching porn on their mobile phone before they lured the girl into Sah's house with a chocolate.

While the nation erupted in protest, the confession drew attention to the possible fallout of easy access to pornographic content. The Delhi case isn't isolated. In January, Mumbai cringed when 70-year-old Niyaz Raza was arrested in the Govandi rape case involving a 13-year-old girl. His SIM was found loaded with sex clips, including one where he had filmed the girl performing oral sex on him.

Last month, Indore advocate Kamlesh Vaswani filed a writ petition in the Supreme Court seeking a change in Internet laws that would make watching pornography a nonbailable offence. It estimates that the number of such clips accessible to Indians is more than 200 million. The petition states: "The sexual content that kids are accessing today is far more graphic, violent, brutal, deviant, and destructive (than before), and has put the entire society in danger." It also finds the increasing "severity and gravity" of these visuals a concern, and accuses accessible pornography of "fuelling" most of the offences committed against women and children.

So, more than porn, it's the exposure of a larger audience to its extreme forms - bondage, bestiality, even paedophila - that's spurred a debate. To sum up the sentiment in the words of award-winning writer Robin Morgan: "Pornography is the theory, rape is the practice."

There are enough and more voices refuting Vaswani's claim. Pranesh Prakash is one of them. The policy director with Bengaluru-based Centre for Internet and Society, says, "There is no data to establish a direct co-relation between porn and sexual crimes. To be alarmed over the widespread availability of porn through mobile phone loading alone is a classist reaction; those who are well-to-do have had easy digital access anyway."

Way before those accused of rape were introduced to porn, they were exposed to a culture of misogyny that says women must be controlled, and their bodies are free to loot.

- With Hemington James and Yogesh Avasthi in Ahmedabad, Rakesh Prakash in Bengaluru and Deepthi Shridhar in Mangalore (Some names been changed to protect identity)

For more details visit https://cis-india.org/news/mumbai-mirror-anand-holla-may-4-2013-sex-on-the-go

Several Indian Twitter users' accounts suspended due to tech glitch

praskrishna — 2014-12-05T00:17:15Z

Twitter denies conspiracy theory, blames technical glitch for account suspensions

The blog entry by Silky Malhotra was published on digit on November 3, 2014. Pranesh Prakash gave his inputs.

The accounts of several Twitter users were suspended for unknown reasons, setting off conspiracy theories that only the accounts of right-wing supporters had been targeted. However, Twitter has denied these rumors and instead blamed technical issues for the glitch.

Although Twitter blamed a technical glitch for the account suspension, several Twitter users responded by stating that there was a pattern to the suspension because 'suspended users' were asked to change their behavior to be able to continue using the micro-blogging site.

A message sent out to a Twitter user whose account was suspended read, "Twitter has automated systems that find and remove multiple automated spam accounts in bulk".

Twitter officials have denied blocking of accounts deliberately and added that the incident was an accident as part of spam cleaning process.

Twitter also apologized for the inconvenience but added, "Unfortunately, your account got caught in one of these spam groups by mistake. It is possible your account posted an update that appeared to be spam, so please be careful what you tweet... You will need to change your behavior to continue using Twitter. Repeat violations of the Twitter rules may result in the permanent suspension of your account."

However this statement has triggered outrage among users who called it Internet policing. Several users responded with humor, and one posted, "In the Twitter canteen you never get chicken wings in pairs because the right wing is blocked."

Pranesh Prakash, policy director, Centre for Internet and Society, stated that though there have been instances of 'privatisation of censorship' in the past, this incident may not have been that. "It doesn't look deliberate especially because even accounts such as eBay India were suspended."

For more details visit https://cis-india.org/internet-governance/news/digit-november-3-2014-silky-malhotra-several-indian-twitter-users-accounts-suspended-due-to-tech-glitch

Seventh Privacy Round-table

elonnai — 2013-11-20T09:58:39Z

On October 19, 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation for Indian Chambers of Commerce and Industry, the Data Security Council of India, and Privacy International held a “Privacy Round-table” in New Delhi at the FICCI Federation House.

The Round-table was the last in a series of seven, beginning in April 2013, which were held across India.

Previous Privacy Round-tables were held in:

New Delhi: (April 13, 2013) with 45 participants;
Bangalore: (April 20, 2013) with 45 participants;
Chennai: (May 18, 2013) with 25 participants;
Mumbai, (June 15, 2013) with 20 participants;
Kolkata: (July 13, 2013) with 25 participants; and
New Delhi: (August 24, 2013) with 40 participants.

Chantal Bernier, Assistant Privacy Commissioner Canada, Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party, and Christopher Graham, Information Commissioner UK were the featured speakers for this event.

The Privacy Round-tables were organised to ignite spark in public dialogues and gain feedback for a privacy framework for India. To achieve this, the Privacy Protection Bill, 2013, drafted by the Centre for Internet and Society, Strengthening Privacy through Co-regulation by the Data Security Council of India, and the Report of the Group of Experts on Privacy by the Justice A.P. Shah committee were used as background documents for the Round-tables. As a note, after each Round-table, CIS revised the text of the Privacy Protection Bill, 2013 based on feedback gathered from the general public.

The Seventh Privacy Round-table meeting began with an overview of the past round-tables and a description of the evolution of a privacy legislation in India till date, and an overview of the Indian interception regime. In 2011, the Department of Personnel and Training drafted a Privacy Bill that incorporated provisions regulating data protection, surveillance, interception of communications, and unsolicited messages. Since 2010, India has been seeking data secure status from the European Union, and in 2012 a report was issued noting that the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules found under section 43A of the Information Technology Act, were not sufficient to meet EU data secure adequacy. In 2012, the Report of the Group of Experts on Privacy was published recommending a privacy framework for India and was accepted by the government, and the Department of Personnel and Training is presently responsible for drafting of a privacy legislation for India.

Presentation: Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Group

Jacob Kohnstamm, made a presentation on the privacy framework in the European Union. In his presentation, Khonstamm shared how history, such as the Second World War, shaped the present understanding and legal framework for privacy in the European Union, where privacy is seen as a fundamental human right. Kohnstamm also explained how over the years technological developments have made data gold, and subsequently, companies who process this data and create services that allow for the generation of more data are becoming monopolies. This has created an unbalanced situation for the individual consumer, where his or her data is being routinely collected by companies, and once collected — the individual loses control over the data. Because of this asymmetric relationship, data protection regulations are critical to ensure that individual rights are safeguarded.

Kohnstamm recognized the tension between stringent data protection regulations and security for the government, and the provision of services for businesses was recognized. However, he argued that the use of technology without regulation — for commercial reason or security reasons, can lead to harm. Thus, it is key that any regulation incorporate proportionality as a cornerstone to the use of these technologies to ensure trust between the individual and the State, and the individual and the corporation. This will also ensure that individuals are given the right of equality, and the right to live free of discrimination. Kohnstamm went on to explain that any regulation needs to ensure that individuals are provided the necessary tools to control their data and that a robust supervisory authority is established with enough powers to enforce the provisions, and that checks and balances are put in place to safeguard against abuse.

In response to a question asked about how the EU addresses the tension of data protection and national security, Kohnstamm clarified that in the EU, national security is left as a matter for member states to address but the main principles found in the EU Data Protection Directive also apply to the handling of information for national security purposes. He emphasized the importance of the creation of checks and balances. As security agencies are given additional and broader powers, they must also be subjected to stronger safeguards.

Kohnstamm also discussed the history of the fair trade agreement with India, and India’s request for data secure status. It was noted that currently the fair trade agreement between India and the EU is stalled, as India has asked for data secure status. For the EU to grant this status, it must be satisfied that when European data is transferred and processed in India and that it is subject to the same level of protections as it would be if it were processed in the EU. Without a privacy legislation in place, India’s present regime does not reflect the same level of protections as the EU regime. To find a way out of this ‘dead lock’, the EU and India have agreed to set up an expert group — with experts from both the EU and India to find a way in which India’s regime can be modified to meet EU date secure adequacy. As of date, no experts from the Indian side have been nominated and communicated to the EU.

Key Points:

Europe’s history has influenced the understanding and formulation of the right to privacy as a fundamental right.
Any privacy regulation must have strong checks and balances in place and ensure that individuals are given the tools to control their data.
India’s current regime does not meet EU data secure adequacy. Currently, the EU is waiting for India to nominate experts to work with the EU to find a way of the ‘dead lock’.

Discussion: National Security, Surveillance and Privacy

Opening the discussion up to the floor, it was discussed how in India, there is a tension between data protection and national security, as national security is always a blanket exception to the right to privacy. This tension has been discussed and debated by both democratic institutions in India and commercial entities. It was pointed out that though data protection is a new debate, national security is a debate that has existed in India for many years. It was also pointed out that currently there are not sufficient checks and balances for the powers given to Indian security agencies. One missing safeguard that the Indian regime has been heavily criticized for is the power of the Secretary of the Home Ministry to authorize interception requests, as having the authorization power vested in the executive leaves little space between interested parties seeking approval of interception orders, and could result in abuse or conflict of interest. With regards to the Indian interception regime, it was explained that currently there are five ways in which messages can be intercepted in India. Previously, the Law Commission of India had asked that amendments be made to both the Indian Post Office Act and the Indian Telegraph Act.

Moving the discussion to the Privacy Protection Bill, 2013 by CIS, in Chapter V “Surveillance and Interception of Communications” clause 34, the authorization of interception and surveillance orders is left to a magistrate. Previously, the authorization of interception orders rested with the Privacy Commissioner, but this model was heavily critiqued in previous round-tables, and the authorizing authority has been subsequently changed to a magistrate. Participants pointed out that the Bill should specify the level of the magistrate that will be responsible for the authorization of surveillance orders, and also raised the concern that the lower judiciary in India is not adequately functioning as the courts are overwhelmed, thus creating the possibility for abuse. Participants also suggested that perhaps data protection and surveillance should be de-linked from each other and placed in separate bills. This echoes public feedback from previous roundtables.

While discussing needed safeguards in an interception and surveillance regime for India, it was called out that transparency of surveillance, by both the government and the service providers as key safeguards to ensuring the protection of privacy, as it would enable individuals to make educated decisions about the services they choose to use and the extent of governmental surveillance. The need to bring in a provision that incorporated the idea of "nexus of surveillance" was also highlighted. It was also pointed out that in Canada, entities wanting to deploy surveillance in the name of public safety, must take steps to prove nexus. For example, the organization must empirically prove that there is a need for a security requirement, demonstrate that only data that is absolutely necessary will be collected, show how the technology will be effective, prove that there is not a less invasive way to collect the information, demonstrate security measures in place to ensure against loss and misuse, and the organizations must have in place both internal and external oversight mechanisms. It was also shared that in Canada, security agencies are regulated by the Office of the Canadian Privacy Commissioner, as privacy and security are not seen as separate matters. In the Canadian regime, because security agencies have more powers, they are also subjected to greater oversight.

Key Points:

The Indian surveillance regime currently does not have strong enough safeguards.
The concept of ‘nexus’ should be incorporated into the Privacy Protection Bill, 2013.
A magistrate, through judicial oversight for interception and surveillance requests, might not be the most effective authority for this role in India.

Presentation: Chantal Bernier, Deputy Privacy Commissioner, Canada

In her presentation, Bernier made the note that in the Canadian model there are multiple legislative initiatives that are separate but connected, and all provide a legislative basis for the right to privacy. Furthermore, it was pointed out that there are two privacy legislations in Canada, one regulating the private sector and the other regulating the public sector. It has been structured this way as it is understood that the relationship between individuals and business is based on consent, while the relationship between individuals and the state is based on human rights. Furthermore, aspects of privacy, such as consent are different in the public sector and the private sector. In her presentation, Bernier pointed out that privacy is a global issue and because of this, it is critical that countries have privacy regimes that can speak to each other. This does not mean that the regimes must be identical, but they must at the least be inter-operable.

Bernier described three main characteristics of the Canadian privacy regime including:

It is comprehensive and applies to both the public and the private sectors.
The right to privacy in Canada is constitutionally based and is a fundamental right as it is attached to personal integrity. This means that privacy is above contractual fairness. That said, the right to privacy must be balanced collectively with other imperatives.
The Canadian privacy regime is principle based and not rule based. This flexible model allows for quick adaption to changing technologies and societal norms. Furthermore, Bernier explained how Canada places responsibility and accountability on companies to respect, protect, and secure privacy in the way in which the company believes it can meet. Bernier also noted that all companies are responsible and accountable for any data that they outsource for processing.

Furthermore, any company that substantially deals with Canadians must ensure that the forum for which complaints etc., are heard is Canada. Furthermore, under the Canadian privacy regime, accountability for data protection rests with the original data holder who must ensure — through contractual clauses — that any information processed through a third party meets the Canadian level of protection. This means any company that deals with a Canadian company will be required to meet the Canadian standards for data protection.

Speaking to the governance structure of the Office of the Privacy Commissioner in Canada, Bernier explained that the OPC is a completely independent office and reports directly to the Parliament. The OPC hears complaints from both individuals and organizations. The OPC does not have any enforcement powers, such as finding a company, but does have the ability to "name" companies who are not in compliance with Canadian regulations, if it is in the public interest to do so. The OPC can perform audits upon discretion with respect to the public sector, and can perform audits on the private sector if they have reasonable grounds to investigate.

Bernier concluded her presentation with lessons that have been learned from the Canadian experience including:

The importance of having strong regulators.
Privacy regulators must work and cooperate together.
Privacy has become a condition of trade.
In today’s age, issues around surveillance cannot be underestimated.
Companies that have strong privacy practices now have a competitive advantage in place in today’s global market.
Privacy frameworks must be clear and flexible.
Oversight must be powerful to ensure proper protection of citizens in a world of asymmetry between individuals, corporations, and governments.

Key Points:

The Right to Privacy is a fundamental right in Canada.
The Canadian privacy regime regulates the public sector and the private sector, but through two separate legislations.
The OPC does not have the power to levy fines, but does have the power to conduct audits and investigations and ‘name’ companies who are not in compliance with Canadian regulations if it is in the public interest.

Discussion: The Data Protection Authority

Participants also discussed the composition of the Data Protection Authority as described in chapter IV of the Privacy Protection Bill. It was called out that the in the Bill, the Data Protection Authority might need to be made more independent. It was suggested that to avoid having the office of the Data Protection Authority be filled with bureaucrats, the Bill should specify that the office must be staffed by individuals with IT experience, lawyers, judges, etc. On the other hand it was cautioned, that though this might be useful to some extent, it might not be helpful to be overly prescriptive, as there is no set profile of what composition of employees makes for a strong and effective Data Protection Authority. Instead the Bill should ensure that the office of the Data Protection Authority is independent, accountable, and chosen by an independent selection board.

When discussing possible models for the framework of the Data Protection Authority, it was pointed out that there are many models that could be adopted. Currently in India the commission model is not flexible, and many commissions that are set up, are not effective due to funding and internal bureaucracy. Taking that into account, in the Privacy Protection Bill, 2013, the Data Protection Authority, could be established as a small regulator with an appellate body to hear complaints.

Key Points:

The Data Protection Authority established in the Privacy Protection Bill must be adequately independent.
The composition of the Data Protection Authority be diverse and it should have the competence to address the dynamic nature of privacy.
The Data Protection Authority could be established as a small regulator with an appellate body attached.

Presentation: Christopher Graham, Information Commissioner, United Kingdom

Christopher Graham, the UK Information Commissioner, spoke about the privacy regime in the United Kingdom and his role as the UK Information Commissioner. As the UK Information Commissioner, his office is responsible for both the UK Data Protection Act and the Freedom of Information Act. In this way, the right to know is not in opposition to the right to privacy, but instead an integral part.

Graham said that his office also provides advice to data controllers on how to comply with the privacy principles found in the Data Protection Act, and his office has the power to fine up to half a million pounds on non-compliant data controllers. Despite having this power, it is rarely used, as a smaller fine is usually sufficient enough for the desired effect. Yet, at the end of the day, whatever penalty is levied, it must be proportionate and risk based i.e., selective to be effective. In this way the regulatory regime should not be heavy handed but instead should be subtle and effective. In fact, one of the strongest regulators is the reality of the market place where the price of not having strong standards is innovation and economic growth. To this extent, Graham also pointed out that self regulation and co-regulation are both workable models, if there is strong enforcement mechanisms. Graham emphasized the fact that any data protection must go beyond, and cannot be limited to, just security.

Graham also explained that he has found that currently there is a lack of confidence in Indian partners. This is problematic as the Indian industry tries to grow with European partners. For example, he has been told that customers are moving banks because their previous bank’s back offices were located in India. Citing other examples of cases of data breaches from Indian data controllers, such as a call center merging the accounts of two customers and another call centre selling customer information, he explained that the lack of confidence in the Indian regime has real economic implications. Graham further explained that one difficulty that the office of the UK ICO is faced with, is that India does not have the equivalent of the ICO. Thus, when a breach does happen, it is unclear who can be approached in India about the breach.

Touching upon the issue of data adequacy with the EU, Graham noted that if data adequacy is a goal of India, the privacy principles as defined in the Directive and reflected in the UK Data Protection Act, must be addressed in addition to security. In his presentation, Graham emphasized the importance of India amending their current regime, if they want data secure status and spoke about the economic benefits for both Europe and India, if India does in fact obtain data secure status. In response to a question about why it is so important that India amend its laws, if in effect the UK has the ability to enforce the provisions of UK Data Protection Act, Graham clarified that most important is the rule of law, and according to UK law and more broadly the EU Directive, companies cannot transfer information to jurisdictions that do not have recognized adequate levels of protection. Thus, if companies still wish to transfer information to India, this must be done through binding corporate rules.

Another question which was put forth was about how the right to privacy differs from other human rights, and why countries are requiring that other countries to uphold the right to privacy to the same level, when, for example this is not practiced for other human rights such as children’s rights. In response Graham explained that data belongs to the individual, and when it is transferred to another country — it still belongs to the individual. Although the UK would like all countries to uphold the rights of children to the standard that they do, the UK is not exporting UK citizen’s children to India. Thus, as the Information Commissioner he has a responsibility to protect his citizen’s data, even when it leaves the UK jurisdiction. Graham explained further that in the history of Europe, the misuse of data to do harm has been a common trend, which is why privacy is seen as a fundamental right, and why it is paramount that European data is subject to the same level of protection no matter what jurisdiction it is in. India needs to understand that privacy is a fundamental right and goes beyond security, and that when a company processes data it does not own the data, the individual owns the data and thus has rights attached to it to understand why Europe requires countries to be ‘data secure’ before transferring data to them.

Key Points:

The UK Information Commissioners Office regulates both the right to information and privacy, and thus the two rights are seen as integral to each other.
Penalties must be proportionate and scalable to the offense.
Co-regulation and self-regulation can both be viable models to for privacy, but enforcement is key to them being effective.

Discussion: Collection of Data with Consent and Collection of Data without Consent

Participants also discussed the collection of data with consent and the collection of data without consent found in Chapter III of the Bill. When asked opinions about the circumstances when informed consent should not be required, it was pointed out that in the Canadian model, the option to collect information without consent only applies to the public sector if it is necessary for the delivery of a service by the government. In the private sector all collection of information requires informed and meaningful consent. Yet, collection of data without consent in the commercial context is an area that Canada is wrestling with, as there are instances, such as online advertising, where it is unreasonable to expect consent all the time. It was also pointed out that in the European Directive, consent is only one of the seven grounds under which data can be collected. As part of the conversation on consent, it was pointed out that the Bill currently does not take explicitly take into account the consent for transfer of information, and it does not address changing terms of service and if companies must re-take consent, or if providing notice to the individual was sufficient. The question about consent and additional collection of data that is generated through use of that service was also raised. For example, if an individual signs up for a mobile connection and initially provides information that the service provider stores in accordance to the privacy principles, does the service provider have an obligation to treat all data generated by the user while using the service of the same? The exception of disclosure without consent was also raised and it was pointed out that companies are required to disclose information to law enforcement when required. For example, telecom service providers must now store location data of all subscribers for up to 6 months and share the same when requested by law enforcement.

Key Points:

There are instances where expecting companies to have informed consent for every collection of information is not reasonable. Alternative models, based on — for example transparency — must be explored to address these situations.
The Privacy Protection Bill should explicitly address transfer of information to other countries.
The Privacy Protection Bill should address consent in the context of changing terms of service.

Discussion: Penalties and Offences

The penalties and offenses prescribed in chapter VI of the Privacy Protection Bill were discussed by participants. While discussing the chapter, many different opinions were voiced. For example, some participants held the opinion that offences and penalties should not exist in the Privacy Protection Bill, because in reality they are more likely than not to be effective. For example, when litigating civil penalties, it takes a long time for the money to be realized. Others argued that in India, where enforcement of any law is often weak, strong, clear, and well defined criminal penalties are needed. Another comment raised the point that a distinction should be made between breaches of the law by data controllers and breaches by rogue individuals — as the type of violation. For example, a breach by a data controller is often a matter identifying the breach and putting in place strictures to ensure that it does not happen again by holding the company accountable through oversight. Where as a breach by a rogue agent entails identifying the breach and the rogue agent and creating a strong enough penalty to ensure that they will not repeat the violation. Adding to this discussion, it was pointed out that in the end, scalability is key in ensuring that penalties are proportional and effective. It was also noted that in the UK, any fine that is levied is appealable. This builds in a system of checks and balances, and ensures that companies and individuals are not subject to unfair or burdensome penalties.

The possibility of incentivizing compliance, through rewards and distinctions, was discussed by participants. Some felt that incentivizing compliance would be more effective as it would give companies distinct advantages to incorporating privacy protections, while others felt that incentives can be included but penalties cannot be excluded, otherwise the provisions of the Privacy Protection Bill 2013 will not be enforceable. It was also pointed out that in the context of India, ideally there should be a mechanism to address the ‘leakages’ that happen in the system i.e., corruption. Though this is difficult to achieve, regulations could take steps like specifically prohibiting the voluntary disclosure of information by companies to law enforcement. Taking a sectoral approach to penalties was also suggested as companies in different sectors face specific challenges and types of breaches. Another approach that could be implemented is the statement of a time limit for data controllers and commissioners to respond to complaints. This has worked for the implementation of the Right to Information Act in India, and it would be interesting to see how it plays out for the right to privacy. Throughout the discussion a number of different possible ways to structure offenses and penalties were suggested, but for all of them it was clear that it is important to be creative about the type of penalties and not rely only on financial penalty, as for many companies, a fine has less of an impact than perhaps having to publicly disclose what happened around a data breach.

Key Points:

Penalties and offenses by companies vs. rogue agents should be separately addressed in the Bill.
Instead of levying penalties, the Bill should include incentives to ensure compliance.
Penalties for companies should go beyond fines and include mechanisms such as requiring the company to disclose to the public information about the breach.

Discussion: Cultural Aspects of Privacy

The cultural realities of India, and the subsequent impact on the perception of privacy in India were discussed. It was pointed out that India has a history of colonization, multiple religions and languages, ethnic tensions, a communal based society, and a large population. All of these factors impact understandings, perceptions, practices, and the effectiveness of different frameworks around privacy in India. For example, the point was raised that given India’s cultural and political diversity, having a principle based model might be too difficult to enforce as every judge, authority, and regulator will have a different perspective and agenda. Other participants pointed out that there is a lack of awareness around privacy in India, and this will impact the effectiveness of the regulation. It was also highlighted that anecdotal claims that cultural privacy in India is different, such as the fact that in India on a train everyone will ask you personal questions, and thus Indian’s do not have a concept of privacy, cannot influence how a privacy law is framed for India.

Key Points:

India’s diverse culture will impact perceptions of privacy and the implementation of any privacy regulation.
Given India’s diversity, a principle based model might not be adequate.
Though culture is important to understand and incorporate into the framing of any privacy regulation in India, anecdotal stories and broad assumptions about India’s culture and societal norms around privacy cannot influence how a privacy law is framed for India.

Conclusion

The seventh privacy round-table concluded with a conversation on the NSA spying and the Snowden Revelations. It was asked if domestic servers could be an answer to protect Indian data. Participants agreed that domestic servers are just a band aid to the problem. With regards to the Privacy Protection Bill it was clarified that CIS is now in the process of collecting public statements to the Bill and will be submitting a revised version to the Department of Personnel and Training. Speaking to the privacy debate at large, it was emphasized that every stakeholder has an important voice and can impact the framing of a privacy law in India.

For more details visit https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table

Seventh Open Letter to the Finance Committee: A Note on the Deduplication of Unique Identifiers

praskrishna — 2011-11-22T07:28:11Z

Sahana Sarkar on behalf of the Centre for Internet and Society (CIS) had sent in a Right to Information application on 30 June 2011 to Ashish Kumar, Central Public Information Officer, UIDAI. The UIDAI sent in its reply. Through the seventh open letter, Hans attempts to characterize in an abstract way the replies that CIS managed to elicit and makes some elementary observations. The UIDAI records one or more biometric signatures of those individuals to whom it assigns its unique identity or identifier ; and for convenience let us call this the process of registering an applicant. In the normal course of registration the signatures of an applicant will be compared to those already recorded; and the outcomes of this exercise of comparing suites of biometric signatures — fingerprints and iris-scans, say — may be regarded as the values of a binary variable:

With more than one signature, we have Y = 1 only when those of the applicant match the signatures in some other suite of such item by item; and Y = 0 then if at least one of his or her signatures fails to match any already recorded one.

Though the circumstance should be unlikely, a person who has already been registered may apply again to be registered: with fraudulent intent maybe: or simply because he or she has lost the document – some identity card, perhaps – which bears the identifier assigned to him or her by the UIDAI. And the possibilities here may be regarded as the values of a binary variable:

Though we are regarding X and Y as variables equally, and taking them for jointly distributed ones, there is an evident asymmetry between them. The exercise of trying to match a given suite of signatures to some set of other suites can be performed so long as the signatures remain available; but for a given applicant the values of X refer to events already past. Faced with an applicant of whom they may suppose no more than what he or she may disclose, the personnel of the UIDAI cannot directly estimate either of the two quantities:

We have p[X = 0] + p[X = 1] = 1 here, needless to say, so there is only one quantity that needs estimating. But it is worth emphasizing that even when an applicant declares himself to have been registered already— and has come, say, to have a lost card newly issued — the personnel of the UIDAI are obliged to remain agnostic about p[X = 1] : no matter how ready they are to believe him.[1]

That no individual should be assigned more than one identifier is an entirely evident desideratum: so the process of comparing the signatures of a fresh applicant to those already recorded must be a strict one. But the process of comparison should also make it very likely that, when a match of signatures does occur, the applicant is someone who has in fact been registered already. The chance that a genuinely new applicant’s signatures will match some already recorded suite should be very small: the proportion of such mistaken matches, among all matches, should be as low as possible. This proportion is usually denoted by p[X = 0 | Y = 1] : the conditional probability that X = 0 given that Y = 1 : the chance that, despite a match of signatures, the applicant has not in fact been registered already. The defining formula:

relates this conditional probability to the ‘absolute’ or ‘raw’ probabilities of the events [Y = 1] and [X = 0 and Y = 1] ; the second of which is sometimes said to be contained in the first.

Suppose that there have been N applicants thus far. It is usual to say N trials of X and Y have occurred; but only the outcomes for Y are known. Suppose that matches have been found some m times out of these N ; then N − m applicants will have been registered. With regard to these trials, set

Note that these numbers are not individually known; but as the specified events exhaust the possibilities, we have c 00 +c 01 +c 10 +c 11 = N ; and we do know that

The ratio m/N would be a reasonable estimate of p[Y = 1] ; and (N − m)/N a reasonable estimate of p[Y = 0] = 1 − p[Y = 1] likewise. The quantity we are seeking is p[X = 0 | Y = 1] however: of which the ratio c 01/m would be a natural estimate. But unless we have some sense of the relative magnitudes of c 01 and c 11 the quantity

could be anything between 0 and 1 now. To estimate the relative magnitudes of c 01 and c 11 in any direct way would be difficult, because one has no purchase on how likely the events [X = 0 & Y = 1] or [X = 1 & Y = 1] are. So p[X = 0 | Y = 1] must be estimated directly, it would seem; and we shall come back to the question.

The reply we have received from the UIDAI indicates that 2.59 × 107 registrations — or successful ‘enrolments’, as they have put it — had been effected by 17.08.2011;while the ‘enrolments rejected’ came to 2.005 × 103 they say. Enrolments were rejected when ‘residents were duplicates’: if we take this to mean that an applicant was refused registry on account of his signatures matching some suite of signatures already recorded, then we may suppose that

The False Positive Identification Rate, or FPIR, is defined in that reply as the ratio of the number of the number of false positive identification decisions to the total number of enrolment transactions by unenrolled individuals : if by “unenrolled individual” we understand an applicant of whom [X = 0] actually obtains, then in our notation we have

rather: which would be a natural estimate of p[X = 0 & Y = 1] now, and since

the ‘false postive identification rate’ thus construed could be bound, at least, if p[X = 0 | Y = 1] itself could be. At any rate, this latter proportion seems to be the most pertinent one here: p[X = 0 | Y = 1] is the conditional probability, of mistaken matches, that the UIDAI must strive to keep as low as possible.

The reply from the UIDAI defines a false negative identification as an incorrect decision of a biometric system that an applicant for a UID, making no attempt to avoid recognition, has not been previously enrolled in the system, when in fact they have. One is at a loss to understand how the personnel of the UIDAI are to determine when an applicant is making no attempt to avoid recognition. Putting that aside, the False Negative Identification Rate or FNIR would now appear to be p[X = 1 | Y = 0] : the probability that, despite his or her signatures not matching any already recorded suite, an applicant has in fact already been registered: and with our notation

now. But c 10 cannot be reliably estimated, again, because one has no purchase on how likely [X = 1 & Y = 0] is; and the conditional probability p[X = 1 | Y = 0] will have to be estimated or bound in some direct way as well.

The preceding paragraphs have asserted that, in order to estimate or effectively bound the identification rates being sought by the UIDAI, the conditional probabilities p[X = 0 | Y = 1] and p[X = 1 | Y = 0] will have to be addressed in some direct way: without any attempt to estimate the likelihoods of [X = 0 & Y = 1] and [X = 1 & Y = 0] by themselves, that is to say. There might be ways of reliably estimating these conditional probabilities; and the manufacturers of the devices that produce the signatures may have provided tight bounds on what they would be — when the devices are working properly, at least. But let us now consider how the UIDAI has elaborated on these rates.

Their reply to our second question states that the biometric service providers have to meet the following accuracy SLA’s for FPIR and FNIR:

The condition of ‘non-duplication’ in the requirement (P) implies that the FPIR is being understood now as the formula in (†) above computes it: as an estimate of the conditional probability p[Y = 1 |X = 0]: since one already knows that [X = 0] for each enrolment here. Such an estimate could be made if one had obtained a sample of suites of signatures from distinct individuals — where no two suites in the sample could have come from the same individual — and compared each suite to every other: the proportion of matches found would be an estimate of p[Y = 1 |X = 0] now.[2]

The ‘biometric service providers’ the UIDAI has contracted with are presumably able to perform such experiments accurately. But an estimate of p[Y = 1 |X = 0] will not, as we shall momentarily see, by itself readily yield a usable bound on p[X = 0 | Y = 1] : on the crucial likelihood that, despite his or her suite of signatures matching a suite already recorded, an applicant has not in fact been registered.

The condition “ONLY duplicate enrolments” in the requirement (N) implies that the FNIR is being understood as an estimate of the conditional probability p[Y = 0 |X = 1] now: as one already knows that [X = 1] for each enrolment here. The biometric service providers should be able to estimate this probability as well. The FNIR as (‡) construes it is an estimate of p[X = 1 | Y = 0] rather; but a usable bound for this likelihood is readily got from p[Y = 0 |X = 1] now, for we may surely expect p[X = 1] < p[Y = 0].

Let us see if the requirement (P) will yield any usable upper bound on the crucial likelihood p[X = 0 | Y = 1]: which, to note it again, is what the UIDAI must seek to minimise. Consider the consequences when the FPIR is understood as (P) envisages. Taken together with formula (1) above we have

If we are not willing to wager on any upper limit appreciably less than 1 for p[X = 0] , we obtain

now.[3] Unless one can reasonably suppose that the event [Y = 1] never occurs, one must grant that p[Y = 1] > 0 . We have

But this inequality yields a usable upper bound only when K < 3: only when K is 1 or 2 that is. In either case, only by supposing that p[Y = 1] > 10−2 will the accuracy mandated for the FPIR by the UIDAI yield a usable upper bound on p[X = 0 | Y = 1] . Since the UIDAI expects that p[Y = 1] < 10−2 surely, we must conclude now that the requirements it has imposed on its ‘biometric service providers’ will not help its personnel estimate an upper limit for the crucial likelihood that, despite his or her suite signatures matching some already recorded suite, an applicant for a UID has not in fact been registered already: which likelihood, to insist again, is what the UIDAI must seek to minimise.

The argument just made will seem perverse: but the calculation is perfectly general. Suppose an FPIR limit of 10−J is mandated; then, unless one is willing to wager an upper limit on p[X = 0] , one cannot get a usable upper bound on p[X = 0 | Y = 1] from this limit on the FPIR, used all by itself, unless one supposes that p[Y = 1] > 10−J+1.

To save writing, denote by L01 the crucial likelihood p[X = 0 | Y = 1] ; and suppose that is some desired upper bound on L01 now. Assume that the FPIR achieved by a service provider is an accurate estimate of p[Y = 1 |X = 0] ; then from (1) we get

Now [X = 0] should not be a rare event at all, and, conversely, [Y = 1] should be a rare event.[4] So one should be able to set some reasonable upper limit to the ratio p[Y = 1]/ p[X = 0] : but without attempting any precise estimate, at all, of either individual probability. One may reasonably expect, for instance, that no more than one in a thousand applicants for a uid will already have been registered; and when p[X = 1] < 10−3 we will have

from (3) above. This calculation can be repeated with any number m in place of 3 here, of course, provided p[X = 1] < 10−m and p[Y = 1] < 10−m are both likely; and it seems entirely reasonable, now, for the UIDAI to insist that its biometric service providers meet the requirement.

for some appropriate upper bound X on L01 . The considerations leading to (4) make it reasonable to insist on m _ 3 now; and recalling what L01 is — the crucial likelihood that, despite his or her signatures matching some already recorded suite of signatures, an applicant has not in fact been registered — the UIDAI will have to insist on some quite small bound X: for it would not want, too often, to refuse anyone a UID on account of a mistaken match of biometric signatures.[6]

It would be foolish to speculate on what the authorities regard as acceptable error here; but if the UIDAI is of a mind that such mistakes should happen less than one in a thousand times say, then, taking the minimal value of 3 for m in the suggested requirement (R), it should demand an FPIR less than 10−6 : a ‘false positive identification rate’ a thousand-fold less than the limit currently imposed.

[1]Should it seem entirely odd to talk of probability when one of the events in question — either [X = 0] or [X = 1] — will already have occurred, we may regard the probabilities we assign them as measures of our uncertainty only: but no practical question hinges on probabilities being understood ‘subjectively’ rather than ‘objectively’.

[2]It might be well to note, however, that the size of the sample must be manageable: for a sample of size K a total of K • (K − 1)/2 comparisons will have to be performed.

[3]Wagering an upper limit on p[X = 0] would require one to reasonably estimate the probability of finding already-registered individuals among applicants.

[4]The event [Y = 1] must be just as rare, one supposes, as [X = 0] is frequent.

[5]We are supposing, that is to say, that matches of biometic signatures are very rarely mistaken matches.

[6]A small _ is consistent with supposing that p[X = 1] and p[Y = 1] are commensurate probabilites. If p[X = 0 | Y = 1] < 10−3 for instance, then p[X = 1 | Y = 1] _ (103 − 1)/103 ; one may suppose, that is, that [X = 1] will be the case 999 out of a 1000 times that [Y = 1] obtains; and, of course, to suppose that [X = 1] will be appreciably more frquent than [Y = 1] is to grant that biometric signatures will fail appreciably often to distinguish individuals.

See the RTI application of 30/06/2011 [PDF, 15 kb].

Download the Seventh Open Letter here

For more details visit https://cis-india.org/internet-governance/blog/de-duplication-of-unique-identifiers