We are anonymous, we are legion

Sex, drugs and the dark web

Admin — 2018-01-02T16:13:14Z

Blend anonymity and bitcoins for a ‘guaranteed safe’ cocktail of terrifying potential.

The article was published in the Hindu on October 7, 2017.

It’s hardly a secret that marijuana’s quite easy to get nowadays. Cigarette shop owners, paanwaalas, and otherwise innocuous dealers of innocuous goods hide their stash just out of sight of the unaware. Rustom Juneja is just another marijuana-smoking adult in one of India’s biggest cities. He used to get his ‘stuff’ from local dealers. Till he “got bored of Indian produce,” as he says. So, in 2015, he decided to go to the dark web.

“I brought strains of marijuana from the U.S. and Canada, from a marketplace on the dark web,” Juneja says. The packages were shipped from their respective countries, they traversed borders, bypassed stringent security and checks, crossed continents, and landed at Juneja’s doorstep.

That is the dark web for you. Completely unpoliced, willing users can find anything, from the aforementioned marijuana, to “hard” drugs, to military grade-weaponry and even sex workers. All delivered to your doorstep just like books or designer watches from Amazon, Flipkart, or Snapdeal. And yes, some even offer cash-on-delivery. Returns might not be as simple, though.

Earlier this year, a group of students were arrested in Hyderabad on charges of purchasing LSD (also called ‘acid’) on the dark web. But they weren’t arrested because they had made the transaction on the dark web; they were arrested because the purchase and/ or use of LSD is illegal under Indian law (Narcotic Drugs and Psychotropic Substances Act, 1985).

In India, transactions on the dark web belong to a legal grey area. More importantly, the transactions here are mostly untraceable.

So, just what is the dark web?

Shadow world

The world wide web is a Brobdingnagian mass of data, parts of which are ‘indexed’ so that they may be found by users through search engines (Google, Bing, etc). The parts of the web that aren’t indexed, and therefore available for public access, are known as the ‘deep web’. This was the part initially known as the dark web, with the ‘dark’ being more an allusion to being kept away from the light of regular access than its now more nefarious association. While it’s near impossible to put a number to it, unofficial estimates mostly concur that the vast majority of the web is unindexed.

Then, in the early 2000s, programmers began developing techniques that would be able to offer anonymous access to these hidden bits of the web. In 2002, the U.S. Naval Laboratory released one of the earliest versions of The Onion Router (TOR), a software that would allow anonymous communication between American intelligence agents and operatives on foreign soil.

This didn’t go quite according to plan, though. Tor was soon appropriated by cyberpunks, who began using the protocol to give access to websites that would host, share, and trade illicit goods. Today, the dark web is a sub-section of the deep web, accessed using specialised software like Tor that ensures absolute anonymity.

The onion protocol

“If you want to track anything on the Internet, it can happen at three levels — the level of the person who sends a request, at the level of the person responding to this request, or it can happen in between these two ends,” says Udbhav Tiwari, Policy Officer at the Centre for Internet and Society.

“Because of this structure, it is easy to track actions and resources across the Internet, using the same terminology that makes it so easy to index and search. So, people began thinking this might become a problem.”

Most of us have heard of the Hyper Text Transfer Protocol Secure or HTTPS, a protocol that ensures that information is encrypted and secure the moment it leaves a computer till the time it reaches a destination computer. But this protocol only protects one of the three levels on which information might be tracked. The dark web is built to ensure that the remaining levels are also protected and kept anonymous.

“The reason it’s called the ‘onion’ protocol is because there are bits of information that are encrypted over and over again. So, when something leaves one computer, it is encrypted with a layer, then it hits another computer and is encrypted with another layer, and it hits another computer, where it is encrypted yet again. When this information returns, each layer is peeled off, so that you get the information you requested, with none of the encryption,” Tiwari says.

This kind of encryption makes it borderline impossible to figure out who is communicating with who and what they are talking about, unless the physical machines at either end are compromised, or a vulnerability on these machines is exploited by setting up a fake website on the Internet — a technique the FBI uses to track child pornography.

And what does it all mean? A level of guaranteed secrecy with terrifying potential. A 2015 study found that light drugs were the most traded commodity on the dark web, and that as much as 26% of its content could be classified as ‘child exploitation’.

A 2016 study found that almost 57% of live websites on the dark web hosted illicit material. The ease of access and the minimal chances of being caught has meant a steady rise in the use of the dark web and the murk it peddles.

It’s a market where both buyer and vendor are rated, like Uber. This establishes trust, and authenticates the veracity of a potential transaction. Thus, for instance, buyers are obviously more inclined to buy an assault rifle from a highly-rated seller. And you will be sold grenades only if your ratings assure the vendor you’ll fulfil your end of the transaction.

Once a transaction is finalised, the payment is held ‘in escrow’ — a third party arbitration system which ensures the buyer is paid only after they have met their end of the bargain. The third parties also arbitrate in the event of a dispute.

As easy as pie

Juneja bought marijuana three times, all from the same vendor, but only two shipments reached him. The third time, the parcel never landed, but the arbiters decided in favour of the vendor because he had a much better rating and Juneja lost his money.

With no proper method to find out whether the vendor has shipped a product or the buyer has received it, this adjudication is seen as the best stop-gap arrangement. For Juneja, as for many others, the loss was a deal breaker, and he didn’t go back to the dark web.

When the first two shipments did arrive though, they came with absolute swagger and nonchalance. “The product was sealed and flattened out, as if it were a magazine or postcard.” It does say something of international security that it can’t differentiate between a shipment of The New Yorker and marijuana.

Dark web transactions were initially carried out using legal state-issued currencies. However, the simplicity of tracking online transactions made with property monitored by the government led to the rise of cryptocurrencies — digital or virtual currency that uses cryptographic techniques for security and which would be beyond state control. Besides the need to go underground, there was a political angle.

“These people see money as a state incursion into private affairs,” says Jyotirmoy Bhattacharya, economics professor at Delhi’s Ambedkar University.

The first, and still most popular, cryptocurrency was released in 2009 — bitcoin. Created by an unknown person or group of people, going only by the pseudonym Satashi Nakamoto, bitcoin was intended as a ‘peer-to-peer electronic cash system’, which would be completely decentralised, with no central server or state authority. This meant that the value and proliferation of bitcoin would be determined by its creators and users.

The idea of a virtual currency has been around since before Nakamoto, but a large problem was in limiting creation and supply. Bitcoin was the first to solve this problem. “Bitcoin uses a technique known as the ‘proof-of-work’ (POW). So, to create a new set of this currency, you have to spend some amount of computational resources. This limits how much currency you can generate, thus ensuring that the currency has a value,” says Bhattacharya.

What is bitcoin?

“A bitcoin is simply a solution to a puzzle. If there are a set of puzzles that are a part of the bitcoin protocol, one bitcoin is simply one of the solved puzzles of that set, along with a digital signature of who solved the puzzle,” says Bhattacharya. A public ledger tracks the ownership of bitcoins, which ensures that the same one is not used again by the same person.

“Since there is no central authority, your transaction has to match the globally agreed ledger.” To ensure that ownership of bitcoin is legitimate, every transaction is published in the ledger, thus creating a ‘chain of transactions’ known as a blockchain.

Over the past few years, the value of bitcoin has skyrocketed, so much so that people have begun investing in it, as an asset. When bitcoin was first used as tender in early 2010, it was valued at around $0.003. For a brief while in August, one bitcoin was valued at $4,500, a record high.

In the everyday world of eggs and bread, though, bitcoin has limited use. It is still unrecognised by several nations, and deemed illegal in many others. It’s in the dark web that it finds its most votaries. While it would be flippant to suggest that bitcoin is used on the dark web solely for illicit uses, it is difficult to deny its origins for that purpose, and its continuing use there.

Bedavyasa Mohanty, an Associate Fellow at Observer Research Foundation Cyber Initiative, says that there are Indian users transacting on the dark web using bitcoin and claims that this number is only likely to increase as accessibility increases. “Bitcoin cannot be tracked,” says Mohanty. “With the ledger and the blockchain, you can trace the trail of a certain bitcoin, but it is anonymised. You can’t point out who owns that bitcoin.”

This, in effect, means an entirely anonymous transaction may be made on the dark web for any number of illegal goods or services using a currency that leaves a trail which goes nowhere and leaves no fingerprints. This, in a nutshell, is the danger when bitcoin combines with the dark web.

Several users I spoke to either claimed that fears about the dark web were mostly unfounded, or that the freedom it offered was an essential facet of the Internet. But it can’t be denied that the sheer possibility that somebody can deal in child porn or hard drugs or deadly weapons right under the nose of the law is a terrifying one.

From the perspective of Indian law enforcement, given the technical knowhow they have to track down owners and users of bitcoins, the chances of discovery are minimal, says Mohanty. The currency uses a system of public and private ‘keys’, ensuring that an intercepted bitcoin transmission is useless without those keys. To top it, India does not have any clear laws to regulate cryptocurrencies.

“For India to regulate cryptocurrencies, it would need to legally recognise their existence,” says Mohanty. “And if you do recognise them, what do you treat them as? As a security? Or as a currency that can be traded openly, and so on. That’s part of the reason why the Reserve Bank hasn’t formally recognised cryptocurrencies.”

Flagging illegal trades

Bitcoin exchanges in India insist that they follow strict guidelines and e-KYC (Know Your Customer) rules, ensuring that the identity of every customer on the exchange is verified. “If somebody tries to use a bitcoin from Zebpay or any other recognised exchange, they will definitely be tracked down,” says Saurabh Agrawal, co-founder of Zebpay, one of India’s largest bitcoin exchanges.

“We use strong software; if any of our users use bitcoins for illegal purposes, we close their accounts. We’ve done this in the past and will do so in future as well.” He claims their software maintains a list of web addresses deemed ‘red alert’ sites, and the moment a bitcoin is sent to such a site, the transaction is flagged.

Others are less positive. “While we can track whether a transaction is made through illegal routes, to some extent it’s true that we cannot track all transactions in real time as this takes a large amount of data,” says Sathvik Vishwanath, CEO, Unocoin.

“But if someone is trying to buy or sell from illegal marketplaces, we have a mechanism where we can — and do — stop it.” Given that customers are KYC-verified, “they don’t try to indulge in malicious activities,” he says.

Pan to Rustom Juneja. Juneja made three transactions in 2015, using bitcoins purchased entirely legally from an exchange. “You have to create an account on any of the markets online, and transfer your bitcoins to that account,” Juneja informs me. His account too was KYC-verified, and they had all his details — PAN number, Aadhar, and so on. He had no clue then that the exchanges had tracking methods. “Look, if these actually worked, there’s no way we wouldn’t have been caught,” he says.

Part of the problem, of course, is that Indian law does not recognise the dark web as a separate entity from the ‘surface’ web; there are no special laws for it. Yet, even if laws were put in place, there are few ways in which states can monitor or block the use of the dark web owing to a host of technical and legal reasons.

“A sense of urgency [regarding the dark web], especially relating to the use of bitcoin for illicit activities, hasn’t been instilled in the government yet,” says Mohanty. “What they are worried about is terrorism, and the use of anonymous technologies and chatrooms for radicalisation, terror planning, or buying and selling weapons.”

Juneja is one of a few thousand active Indian users on the dark web. Nothing stops them from buying a strain of marijuana from Canada. But nothing stops them from buying a Kalashnikov either.

Sunny side up

The dark web isn’t necessarily only a marketplace for all of the world’s nefarious practices. The very anonymity and shrouds that the dark web offers can be used for general practices by users looking merely for privacy.

Aritra Ghosh, a Ph.D student of Computational Astrophysics at Yale University says, “(The dark web is) possibly the only way to do something in “secret” away from any kind of surveillance. Onion routing still hasn’t been broken. So, it can play a substantial role in movements against companies, governments and so on.”

And this is a quality that many frequenters of the dark web swear by. Even the ability to use anonymous messenger service with a near-complete guarantee of not being ‘watched’ drives a lot of people here.

Akarsh Pandit, 24, says unrestricted access to many resources including books and documents is an area of huge potential. “Another significant pro is the avoidance of national firewalls that exist in some countries. Moreover, you gain access to unindexed search results,” he says.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-saurya-sengupta-sex-drugs-and-the-dark-web

Sex on-the-go

praskrishna — 2013-06-05T09:08:05Z

After a freak fire in 2011 reduced the cubbyholes trading in electronic goods inside a Crawford Market shopping plaza to ashes, Junaid has gone alfresco.

The article by Anand Holla was published in Mumbai Mirror on May 4, 2013. Pranesh Prakash is quoted in it.

He sits on a stool by a chock-full street tinkering with mobile phones while three teenage staffers hover around him. A laptop receives favourable treatment; it sits at the centre of the makeshift stall scattered with card readers. The imaginary wall of hostility he carefully builds over several seconds crashes when he realises we are genuine customers. "This is not your regular movie...it will cost you Rs 250 for 4 GB," he mutters, dodging eye contact. Some bargaining later, he hurriedly transfers 200 short pornographic clips from the laptop on to a memory card for Rs 150. Most are the fall-out of crosscountry MMS scandals, the flavour of the season. "Everyone does it, no one talks about it. A raid means we lose our equipment and pay a hefty fine," he says in staccato metre, handing us back the card. Seconds later, head down, he's back to reviving a dead smartphone.

The rates vary at a booth a few metres down. It's Rs 400 for 16GB - the same price as that for loading your phone with the latest Bollywood and Hollywood films - of a "collection" that includes foreign porn, and bestiality videos.

It's hardly a secret that several of the city's cell phone repair shops and SIM card kiosks that flaunt a computer, stock smut in secret folders marked by gibberish names. "We get some women, too," one owner says. "They say, "Zara woh waale movies daal dena'."

Which brings you to the rules of the mobile-porn-off-the-street universe.

A blunt demand for a blue film clip will send shopkeepers into a shell. Some may even express mock disgust at your request. Blame it on random raids by the State Anti-Piracy Cell. Around South Mumbai's markets, for instance, code words 'Daal gosht' or 'Pelampaal' put the Flashing-Loading-Repairing stall owners at ease. But for tongue-tied first-timers, body language is the marker. A local cell phone accessories distributor says, "The more desperate you look and sound, the easier it is for you to pass off as a bona fide purchaser. If you are well-dressed, they'll deny they stock it. There's no fixed rate. Sab grahak dekhke poodi baandhte hain. Considering how it's a simple copy-paste job, it's free money anyway."

Regular customers frequently leave their phones with their trusted 'service' providers for loading apps, games, the latest films, and porn too. It's a package deal. "If you know how to ask for it, there's hardly a corner in Mumbai where you can't buy pocket porn," says a shopkeeper from Mulund.

In fact, pornography is not high on the authorities' agenda, says Vijay Mukhi, former member of the High Court/State Government Committee on Pornography and Cyber Laws. "Unless the Anti-Piracy Cell sends a dummy customer to lay a trap, it's near impossible to prosecute the shopkeepers because watching porn is not a crime; only producing, publishing or distributing it is," he clarifies.

Shafqat Usmani, President of the Mobile Dealers Welfare Association of Mumbai, says, the paltry 2.5 per cent margin on products makes the city's 50,000 mobile phone retailers render additional services, including repairing. Is loading porn part of the survival mechanism? "The low margin is no excuse to indulge in disgusting activities," he says.

Hand-held and hi-res
The cell phone boom - both, cheap Chinese models that allow the not-so-privileged access to technology and the arrival of high-res display screens that offer the affluent a viewing experience superior to television - has worked towards making porn consumption mainstream. Local train commuters will tell you of the passenger on the corner seat watching smutty clips, as if it were an impassive pastime. It's even found favour as a 'stress reliever'. "My friends and I buy phone porn to watch whenever the workload at office gets out of hand," says a Mankhurd resident.

While watching porn on laptops, either straight off the net or via DVDs, means you could get busted by family and friends, the handheld experience - with a phone password to boot - allows complete privacy.

What would you like?
Depending on which neighbourhood market you access, the popular offering varies. In Kurla, says a cell phone mechanic, foreign porn has no takers. "They (customers) say everything happens too soon and easy. The demand is for morphed celebrity sex videos, South Indian porn and of course, MMS clips." Some of these are what the industry refers to as 'kaand' videos. They resemble MMS scandal clips but are staged. It's the lure of these grainy, sloppily shot videos that landed Karnataka BJP ministers Lakshman Savdi and CC Patil in a soup last February. The two were caught watching a clip during assembly. Amid a storm of criticism, they and Mangalore minister Krishna Palemar, who was accused of transferring the video to Savdi's phone, resigned.

On Ahmedabad's Relief Road, a row of kiosks that sport the 'Downloading' sign, like the one run by Karimmuddin, offer hi-definition (HD) foreign porn to affluent students who walk in with large-screen 3G phones demanding virus-free content. It's Rs 100 for 2GB worth of mp4 clips of 720p resolution, and Rs 50 for 2GB worth low-quality clips, says 21-year-old Moin. Smaller, dirt cheap deals are available too. A single HD clip at Rs 5.50, a low-res one for Rs 2, and the 'lightest' clip for Rs 21 paise.

"My customers are youngsters from middle and upper middle class families," says 30-year-old Rocky, a shop owner in Navrangpura, while catering to Vikas, a collegian waiting for a Rs 100 download. "We are a group of six friends, including girls. For Rs 100, I'm going away with more than 20 HD video clips," he says straight-faced, adding that his group of friends, girls included, get together during the holidays for collective viewing. A relationship of trust between regulars like Vikas and shopkeepers means he will share a clip with the mobile store owner, in case he doesn't have it in stock.

It's a business of 100 per cent profits, they admit, and raids are easy to dodge since the police usually come looking for duplicate cell phones. They'd make half their monthly earnings if they relied on selling SIM cards, mobile accessories and software loading alone, says Ramesh, a 23-year-old staffer at a cell phone shop in Odhav that gets walk-ins from rickshawallahs and college students.

The rise of mobile porn has turned into a thorn in the flesh for pirated DVD sellers. Ajju, who runs a CD/DVD stand near Panchwati Crossroads, remembers a time when customers crowded him for 'tragda' or XXX CDs. "Older women would arrive in cars, roll down the window and ask for adult movies. I'd notice how they'd chuck the explicit cover and plonk the CD in an unsuspecting plastic bag." Mobile porn has hit his profits, bringing it down by 20 per cent.

Southward bound
Surprisingly, in Bengaluru, the erotic DVD trend is experiencing freak survival. Two years ago, the youth scoured Majestic and SP Road for downloaded porn. But with affordable mobile phone data plans and pirated DVD sellers ratting on their competitors, mobile repair shop owners have had to stick to doing just that - fiddle with hardware.

It's the tier II and III cities across India that are waking up to the potential of porn-on-phone. Earlier this year, Mysore-based moral awareness group Rescue conducted a survey across 964 junior college students from Mysore, Chamarajanagar and Bengaluru. More than 75 per cent watched porn regularly, and most watched six times more porn on their phones than on any other device, said the findings.

Mangalore, Belgaum, Dharwad and Mysore, all educational centres, support a thriving porn-lending library system. A student from Moodabidri says, "Most hostel students venture out to these shops once a week, and pay Rs 50 for a porn-loaded memory card. They return it a week later in exchange for fresh content."

Mangalore leads the pack in the sleaze game. It's believed that the clip that got the Karnataka ministers into trouble was called Fasila, and was a hit in Mangalore and neighbouring Kasargod two years ago. Six years ago, a seven-minute MMS sex clip was converted into a half-hour CD named Mangalooru Mungaru Male and sold widely. In 2000, before mobiles became the rage they are now, sex CDs flew off the shelves. The famous 40-minute clip, Mysore Mallige (known as MM CD) that featured a girl from Puttur, was sold for as much as Rs 1,000.

A mobile accessories shop owner in Puttur says the porn viewing audience has grown to include blue collar workers, who aren't tech-savvy to figure their own Internet downloads. "All they want is clarity of clips,' he says.

Watch, don't act
His customers then, are not very different from 22-year-old Manoj Sah and his 19-year-old companion Pradeep Kumar, who admitted to investigators probing the rape of a five-year-old girl in East Delhi last month, that they were drinking and watching porn on their mobile phone before they lured the girl into Sah's house with a chocolate.

While the nation erupted in protest, the confession drew attention to the possible fallout of easy access to pornographic content. The Delhi case isn't isolated. In January, Mumbai cringed when 70-year-old Niyaz Raza was arrested in the Govandi rape case involving a 13-year-old girl. His SIM was found loaded with sex clips, including one where he had filmed the girl performing oral sex on him.

Last month, Indore advocate Kamlesh Vaswani filed a writ petition in the Supreme Court seeking a change in Internet laws that would make watching pornography a nonbailable offence. It estimates that the number of such clips accessible to Indians is more than 200 million. The petition states: "The sexual content that kids are accessing today is far more graphic, violent, brutal, deviant, and destructive (than before), and has put the entire society in danger." It also finds the increasing "severity and gravity" of these visuals a concern, and accuses accessible pornography of "fuelling" most of the offences committed against women and children.

So, more than porn, it's the exposure of a larger audience to its extreme forms - bondage, bestiality, even paedophila - that's spurred a debate. To sum up the sentiment in the words of award-winning writer Robin Morgan: "Pornography is the theory, rape is the practice."

There are enough and more voices refuting Vaswani's claim. Pranesh Prakash is one of them. The policy director with Bengaluru-based Centre for Internet and Society, says, "There is no data to establish a direct co-relation between porn and sexual crimes. To be alarmed over the widespread availability of porn through mobile phone loading alone is a classist reaction; those who are well-to-do have had easy digital access anyway."

Way before those accused of rape were introduced to porn, they were exposed to a culture of misogyny that says women must be controlled, and their bodies are free to loot.

- With Hemington James and Yogesh Avasthi in Ahmedabad, Rakesh Prakash in Bengaluru and Deepthi Shridhar in Mangalore (Some names been changed to protect identity)

For more details visit https://cis-india.org/news/mumbai-mirror-anand-holla-may-4-2013-sex-on-the-go

Several Indian Twitter users' accounts suspended due to tech glitch

praskrishna — 2014-12-05T00:17:15Z

Twitter denies conspiracy theory, blames technical glitch for account suspensions

The blog entry by Silky Malhotra was published on digit on November 3, 2014. Pranesh Prakash gave his inputs.

The accounts of several Twitter users were suspended for unknown reasons, setting off conspiracy theories that only the accounts of right-wing supporters had been targeted. However, Twitter has denied these rumors and instead blamed technical issues for the glitch.

Although Twitter blamed a technical glitch for the account suspension, several Twitter users responded by stating that there was a pattern to the suspension because 'suspended users' were asked to change their behavior to be able to continue using the micro-blogging site.

A message sent out to a Twitter user whose account was suspended read, "Twitter has automated systems that find and remove multiple automated spam accounts in bulk".

Twitter officials have denied blocking of accounts deliberately and added that the incident was an accident as part of spam cleaning process.

Twitter also apologized for the inconvenience but added, "Unfortunately, your account got caught in one of these spam groups by mistake. It is possible your account posted an update that appeared to be spam, so please be careful what you tweet... You will need to change your behavior to continue using Twitter. Repeat violations of the Twitter rules may result in the permanent suspension of your account."

However this statement has triggered outrage among users who called it Internet policing. Several users responded with humor, and one posted, "In the Twitter canteen you never get chicken wings in pairs because the right wing is blocked."

Pranesh Prakash, policy director, Centre for Internet and Society, stated that though there have been instances of 'privatisation of censorship' in the past, this incident may not have been that. "It doesn't look deliberate especially because even accounts such as eBay India were suspended."

For more details visit https://cis-india.org/internet-governance/news/digit-november-3-2014-silky-malhotra-several-indian-twitter-users-accounts-suspended-due-to-tech-glitch

Seventh Privacy Round-table

elonnai — 2013-11-20T09:58:39Z

On October 19, 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation for Indian Chambers of Commerce and Industry, the Data Security Council of India, and Privacy International held a “Privacy Round-table” in New Delhi at the FICCI Federation House.

The Round-table was the last in a series of seven, beginning in April 2013, which were held across India.

Previous Privacy Round-tables were held in:

New Delhi: (April 13, 2013) with 45 participants;
Bangalore: (April 20, 2013) with 45 participants;
Chennai: (May 18, 2013) with 25 participants;
Mumbai, (June 15, 2013) with 20 participants;
Kolkata: (July 13, 2013) with 25 participants; and
New Delhi: (August 24, 2013) with 40 participants.

Chantal Bernier, Assistant Privacy Commissioner Canada, Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party, and Christopher Graham, Information Commissioner UK were the featured speakers for this event.

The Privacy Round-tables were organised to ignite spark in public dialogues and gain feedback for a privacy framework for India. To achieve this, the Privacy Protection Bill, 2013, drafted by the Centre for Internet and Society, Strengthening Privacy through Co-regulation by the Data Security Council of India, and the Report of the Group of Experts on Privacy by the Justice A.P. Shah committee were used as background documents for the Round-tables. As a note, after each Round-table, CIS revised the text of the Privacy Protection Bill, 2013 based on feedback gathered from the general public.

The Seventh Privacy Round-table meeting began with an overview of the past round-tables and a description of the evolution of a privacy legislation in India till date, and an overview of the Indian interception regime. In 2011, the Department of Personnel and Training drafted a Privacy Bill that incorporated provisions regulating data protection, surveillance, interception of communications, and unsolicited messages. Since 2010, India has been seeking data secure status from the European Union, and in 2012 a report was issued noting that the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules found under section 43A of the Information Technology Act, were not sufficient to meet EU data secure adequacy. In 2012, the Report of the Group of Experts on Privacy was published recommending a privacy framework for India and was accepted by the government, and the Department of Personnel and Training is presently responsible for drafting of a privacy legislation for India.

Presentation: Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Group

Jacob Kohnstamm, made a presentation on the privacy framework in the European Union. In his presentation, Khonstamm shared how history, such as the Second World War, shaped the present understanding and legal framework for privacy in the European Union, where privacy is seen as a fundamental human right. Kohnstamm also explained how over the years technological developments have made data gold, and subsequently, companies who process this data and create services that allow for the generation of more data are becoming monopolies. This has created an unbalanced situation for the individual consumer, where his or her data is being routinely collected by companies, and once collected — the individual loses control over the data. Because of this asymmetric relationship, data protection regulations are critical to ensure that individual rights are safeguarded.

Kohnstamm recognized the tension between stringent data protection regulations and security for the government, and the provision of services for businesses was recognized. However, he argued that the use of technology without regulation — for commercial reason or security reasons, can lead to harm. Thus, it is key that any regulation incorporate proportionality as a cornerstone to the use of these technologies to ensure trust between the individual and the State, and the individual and the corporation. This will also ensure that individuals are given the right of equality, and the right to live free of discrimination. Kohnstamm went on to explain that any regulation needs to ensure that individuals are provided the necessary tools to control their data and that a robust supervisory authority is established with enough powers to enforce the provisions, and that checks and balances are put in place to safeguard against abuse.

In response to a question asked about how the EU addresses the tension of data protection and national security, Kohnstamm clarified that in the EU, national security is left as a matter for member states to address but the main principles found in the EU Data Protection Directive also apply to the handling of information for national security purposes. He emphasized the importance of the creation of checks and balances. As security agencies are given additional and broader powers, they must also be subjected to stronger safeguards.

Kohnstamm also discussed the history of the fair trade agreement with India, and India’s request for data secure status. It was noted that currently the fair trade agreement between India and the EU is stalled, as India has asked for data secure status. For the EU to grant this status, it must be satisfied that when European data is transferred and processed in India and that it is subject to the same level of protections as it would be if it were processed in the EU. Without a privacy legislation in place, India’s present regime does not reflect the same level of protections as the EU regime. To find a way out of this ‘dead lock’, the EU and India have agreed to set up an expert group — with experts from both the EU and India to find a way in which India’s regime can be modified to meet EU date secure adequacy. As of date, no experts from the Indian side have been nominated and communicated to the EU.

Key Points:

Europe’s history has influenced the understanding and formulation of the right to privacy as a fundamental right.
Any privacy regulation must have strong checks and balances in place and ensure that individuals are given the tools to control their data.
India’s current regime does not meet EU data secure adequacy. Currently, the EU is waiting for India to nominate experts to work with the EU to find a way of the ‘dead lock’.

Discussion: National Security, Surveillance and Privacy

Opening the discussion up to the floor, it was discussed how in India, there is a tension between data protection and national security, as national security is always a blanket exception to the right to privacy. This tension has been discussed and debated by both democratic institutions in India and commercial entities. It was pointed out that though data protection is a new debate, national security is a debate that has existed in India for many years. It was also pointed out that currently there are not sufficient checks and balances for the powers given to Indian security agencies. One missing safeguard that the Indian regime has been heavily criticized for is the power of the Secretary of the Home Ministry to authorize interception requests, as having the authorization power vested in the executive leaves little space between interested parties seeking approval of interception orders, and could result in abuse or conflict of interest. With regards to the Indian interception regime, it was explained that currently there are five ways in which messages can be intercepted in India. Previously, the Law Commission of India had asked that amendments be made to both the Indian Post Office Act and the Indian Telegraph Act.

Moving the discussion to the Privacy Protection Bill, 2013 by CIS, in Chapter V “Surveillance and Interception of Communications” clause 34, the authorization of interception and surveillance orders is left to a magistrate. Previously, the authorization of interception orders rested with the Privacy Commissioner, but this model was heavily critiqued in previous round-tables, and the authorizing authority has been subsequently changed to a magistrate. Participants pointed out that the Bill should specify the level of the magistrate that will be responsible for the authorization of surveillance orders, and also raised the concern that the lower judiciary in India is not adequately functioning as the courts are overwhelmed, thus creating the possibility for abuse. Participants also suggested that perhaps data protection and surveillance should be de-linked from each other and placed in separate bills. This echoes public feedback from previous roundtables.

While discussing needed safeguards in an interception and surveillance regime for India, it was called out that transparency of surveillance, by both the government and the service providers as key safeguards to ensuring the protection of privacy, as it would enable individuals to make educated decisions about the services they choose to use and the extent of governmental surveillance. The need to bring in a provision that incorporated the idea of "nexus of surveillance" was also highlighted. It was also pointed out that in Canada, entities wanting to deploy surveillance in the name of public safety, must take steps to prove nexus. For example, the organization must empirically prove that there is a need for a security requirement, demonstrate that only data that is absolutely necessary will be collected, show how the technology will be effective, prove that there is not a less invasive way to collect the information, demonstrate security measures in place to ensure against loss and misuse, and the organizations must have in place both internal and external oversight mechanisms. It was also shared that in Canada, security agencies are regulated by the Office of the Canadian Privacy Commissioner, as privacy and security are not seen as separate matters. In the Canadian regime, because security agencies have more powers, they are also subjected to greater oversight.

Key Points:

The Indian surveillance regime currently does not have strong enough safeguards.
The concept of ‘nexus’ should be incorporated into the Privacy Protection Bill, 2013.
A magistrate, through judicial oversight for interception and surveillance requests, might not be the most effective authority for this role in India.

Presentation: Chantal Bernier, Deputy Privacy Commissioner, Canada

In her presentation, Bernier made the note that in the Canadian model there are multiple legislative initiatives that are separate but connected, and all provide a legislative basis for the right to privacy. Furthermore, it was pointed out that there are two privacy legislations in Canada, one regulating the private sector and the other regulating the public sector. It has been structured this way as it is understood that the relationship between individuals and business is based on consent, while the relationship between individuals and the state is based on human rights. Furthermore, aspects of privacy, such as consent are different in the public sector and the private sector. In her presentation, Bernier pointed out that privacy is a global issue and because of this, it is critical that countries have privacy regimes that can speak to each other. This does not mean that the regimes must be identical, but they must at the least be inter-operable.

Bernier described three main characteristics of the Canadian privacy regime including:

It is comprehensive and applies to both the public and the private sectors.
The right to privacy in Canada is constitutionally based and is a fundamental right as it is attached to personal integrity. This means that privacy is above contractual fairness. That said, the right to privacy must be balanced collectively with other imperatives.
The Canadian privacy regime is principle based and not rule based. This flexible model allows for quick adaption to changing technologies and societal norms. Furthermore, Bernier explained how Canada places responsibility and accountability on companies to respect, protect, and secure privacy in the way in which the company believes it can meet. Bernier also noted that all companies are responsible and accountable for any data that they outsource for processing.

Furthermore, any company that substantially deals with Canadians must ensure that the forum for which complaints etc., are heard is Canada. Furthermore, under the Canadian privacy regime, accountability for data protection rests with the original data holder who must ensure — through contractual clauses — that any information processed through a third party meets the Canadian level of protection. This means any company that deals with a Canadian company will be required to meet the Canadian standards for data protection.

Speaking to the governance structure of the Office of the Privacy Commissioner in Canada, Bernier explained that the OPC is a completely independent office and reports directly to the Parliament. The OPC hears complaints from both individuals and organizations. The OPC does not have any enforcement powers, such as finding a company, but does have the ability to "name" companies who are not in compliance with Canadian regulations, if it is in the public interest to do so. The OPC can perform audits upon discretion with respect to the public sector, and can perform audits on the private sector if they have reasonable grounds to investigate.

Bernier concluded her presentation with lessons that have been learned from the Canadian experience including:

The importance of having strong regulators.
Privacy regulators must work and cooperate together.
Privacy has become a condition of trade.
In today’s age, issues around surveillance cannot be underestimated.
Companies that have strong privacy practices now have a competitive advantage in place in today’s global market.
Privacy frameworks must be clear and flexible.
Oversight must be powerful to ensure proper protection of citizens in a world of asymmetry between individuals, corporations, and governments.

Key Points:

The Right to Privacy is a fundamental right in Canada.
The Canadian privacy regime regulates the public sector and the private sector, but through two separate legislations.
The OPC does not have the power to levy fines, but does have the power to conduct audits and investigations and ‘name’ companies who are not in compliance with Canadian regulations if it is in the public interest.

Discussion: The Data Protection Authority

Participants also discussed the composition of the Data Protection Authority as described in chapter IV of the Privacy Protection Bill. It was called out that the in the Bill, the Data Protection Authority might need to be made more independent. It was suggested that to avoid having the office of the Data Protection Authority be filled with bureaucrats, the Bill should specify that the office must be staffed by individuals with IT experience, lawyers, judges, etc. On the other hand it was cautioned, that though this might be useful to some extent, it might not be helpful to be overly prescriptive, as there is no set profile of what composition of employees makes for a strong and effective Data Protection Authority. Instead the Bill should ensure that the office of the Data Protection Authority is independent, accountable, and chosen by an independent selection board.

When discussing possible models for the framework of the Data Protection Authority, it was pointed out that there are many models that could be adopted. Currently in India the commission model is not flexible, and many commissions that are set up, are not effective due to funding and internal bureaucracy. Taking that into account, in the Privacy Protection Bill, 2013, the Data Protection Authority, could be established as a small regulator with an appellate body to hear complaints.

Key Points:

The Data Protection Authority established in the Privacy Protection Bill must be adequately independent.
The composition of the Data Protection Authority be diverse and it should have the competence to address the dynamic nature of privacy.
The Data Protection Authority could be established as a small regulator with an appellate body attached.

Presentation: Christopher Graham, Information Commissioner, United Kingdom

Christopher Graham, the UK Information Commissioner, spoke about the privacy regime in the United Kingdom and his role as the UK Information Commissioner. As the UK Information Commissioner, his office is responsible for both the UK Data Protection Act and the Freedom of Information Act. In this way, the right to know is not in opposition to the right to privacy, but instead an integral part.

Graham said that his office also provides advice to data controllers on how to comply with the privacy principles found in the Data Protection Act, and his office has the power to fine up to half a million pounds on non-compliant data controllers. Despite having this power, it is rarely used, as a smaller fine is usually sufficient enough for the desired effect. Yet, at the end of the day, whatever penalty is levied, it must be proportionate and risk based i.e., selective to be effective. In this way the regulatory regime should not be heavy handed but instead should be subtle and effective. In fact, one of the strongest regulators is the reality of the market place where the price of not having strong standards is innovation and economic growth. To this extent, Graham also pointed out that self regulation and co-regulation are both workable models, if there is strong enforcement mechanisms. Graham emphasized the fact that any data protection must go beyond, and cannot be limited to, just security.

Graham also explained that he has found that currently there is a lack of confidence in Indian partners. This is problematic as the Indian industry tries to grow with European partners. For example, he has been told that customers are moving banks because their previous bank’s back offices were located in India. Citing other examples of cases of data breaches from Indian data controllers, such as a call center merging the accounts of two customers and another call centre selling customer information, he explained that the lack of confidence in the Indian regime has real economic implications. Graham further explained that one difficulty that the office of the UK ICO is faced with, is that India does not have the equivalent of the ICO. Thus, when a breach does happen, it is unclear who can be approached in India about the breach.

Touching upon the issue of data adequacy with the EU, Graham noted that if data adequacy is a goal of India, the privacy principles as defined in the Directive and reflected in the UK Data Protection Act, must be addressed in addition to security. In his presentation, Graham emphasized the importance of India amending their current regime, if they want data secure status and spoke about the economic benefits for both Europe and India, if India does in fact obtain data secure status. In response to a question about why it is so important that India amend its laws, if in effect the UK has the ability to enforce the provisions of UK Data Protection Act, Graham clarified that most important is the rule of law, and according to UK law and more broadly the EU Directive, companies cannot transfer information to jurisdictions that do not have recognized adequate levels of protection. Thus, if companies still wish to transfer information to India, this must be done through binding corporate rules.

Another question which was put forth was about how the right to privacy differs from other human rights, and why countries are requiring that other countries to uphold the right to privacy to the same level, when, for example this is not practiced for other human rights such as children’s rights. In response Graham explained that data belongs to the individual, and when it is transferred to another country — it still belongs to the individual. Although the UK would like all countries to uphold the rights of children to the standard that they do, the UK is not exporting UK citizen’s children to India. Thus, as the Information Commissioner he has a responsibility to protect his citizen’s data, even when it leaves the UK jurisdiction. Graham explained further that in the history of Europe, the misuse of data to do harm has been a common trend, which is why privacy is seen as a fundamental right, and why it is paramount that European data is subject to the same level of protection no matter what jurisdiction it is in. India needs to understand that privacy is a fundamental right and goes beyond security, and that when a company processes data it does not own the data, the individual owns the data and thus has rights attached to it to understand why Europe requires countries to be ‘data secure’ before transferring data to them.

Key Points:

The UK Information Commissioners Office regulates both the right to information and privacy, and thus the two rights are seen as integral to each other.
Penalties must be proportionate and scalable to the offense.
Co-regulation and self-regulation can both be viable models to for privacy, but enforcement is key to them being effective.

Discussion: Collection of Data with Consent and Collection of Data without Consent

Participants also discussed the collection of data with consent and the collection of data without consent found in Chapter III of the Bill. When asked opinions about the circumstances when informed consent should not be required, it was pointed out that in the Canadian model, the option to collect information without consent only applies to the public sector if it is necessary for the delivery of a service by the government. In the private sector all collection of information requires informed and meaningful consent. Yet, collection of data without consent in the commercial context is an area that Canada is wrestling with, as there are instances, such as online advertising, where it is unreasonable to expect consent all the time. It was also pointed out that in the European Directive, consent is only one of the seven grounds under which data can be collected. As part of the conversation on consent, it was pointed out that the Bill currently does not take explicitly take into account the consent for transfer of information, and it does not address changing terms of service and if companies must re-take consent, or if providing notice to the individual was sufficient. The question about consent and additional collection of data that is generated through use of that service was also raised. For example, if an individual signs up for a mobile connection and initially provides information that the service provider stores in accordance to the privacy principles, does the service provider have an obligation to treat all data generated by the user while using the service of the same? The exception of disclosure without consent was also raised and it was pointed out that companies are required to disclose information to law enforcement when required. For example, telecom service providers must now store location data of all subscribers for up to 6 months and share the same when requested by law enforcement.

Key Points:

There are instances where expecting companies to have informed consent for every collection of information is not reasonable. Alternative models, based on — for example transparency — must be explored to address these situations.
The Privacy Protection Bill should explicitly address transfer of information to other countries.
The Privacy Protection Bill should address consent in the context of changing terms of service.

Discussion: Penalties and Offences

The penalties and offenses prescribed in chapter VI of the Privacy Protection Bill were discussed by participants. While discussing the chapter, many different opinions were voiced. For example, some participants held the opinion that offences and penalties should not exist in the Privacy Protection Bill, because in reality they are more likely than not to be effective. For example, when litigating civil penalties, it takes a long time for the money to be realized. Others argued that in India, where enforcement of any law is often weak, strong, clear, and well defined criminal penalties are needed. Another comment raised the point that a distinction should be made between breaches of the law by data controllers and breaches by rogue individuals — as the type of violation. For example, a breach by a data controller is often a matter identifying the breach and putting in place strictures to ensure that it does not happen again by holding the company accountable through oversight. Where as a breach by a rogue agent entails identifying the breach and the rogue agent and creating a strong enough penalty to ensure that they will not repeat the violation. Adding to this discussion, it was pointed out that in the end, scalability is key in ensuring that penalties are proportional and effective. It was also noted that in the UK, any fine that is levied is appealable. This builds in a system of checks and balances, and ensures that companies and individuals are not subject to unfair or burdensome penalties.

The possibility of incentivizing compliance, through rewards and distinctions, was discussed by participants. Some felt that incentivizing compliance would be more effective as it would give companies distinct advantages to incorporating privacy protections, while others felt that incentives can be included but penalties cannot be excluded, otherwise the provisions of the Privacy Protection Bill 2013 will not be enforceable. It was also pointed out that in the context of India, ideally there should be a mechanism to address the ‘leakages’ that happen in the system i.e., corruption. Though this is difficult to achieve, regulations could take steps like specifically prohibiting the voluntary disclosure of information by companies to law enforcement. Taking a sectoral approach to penalties was also suggested as companies in different sectors face specific challenges and types of breaches. Another approach that could be implemented is the statement of a time limit for data controllers and commissioners to respond to complaints. This has worked for the implementation of the Right to Information Act in India, and it would be interesting to see how it plays out for the right to privacy. Throughout the discussion a number of different possible ways to structure offenses and penalties were suggested, but for all of them it was clear that it is important to be creative about the type of penalties and not rely only on financial penalty, as for many companies, a fine has less of an impact than perhaps having to publicly disclose what happened around a data breach.

Key Points:

Penalties and offenses by companies vs. rogue agents should be separately addressed in the Bill.
Instead of levying penalties, the Bill should include incentives to ensure compliance.
Penalties for companies should go beyond fines and include mechanisms such as requiring the company to disclose to the public information about the breach.

Discussion: Cultural Aspects of Privacy

The cultural realities of India, and the subsequent impact on the perception of privacy in India were discussed. It was pointed out that India has a history of colonization, multiple religions and languages, ethnic tensions, a communal based society, and a large population. All of these factors impact understandings, perceptions, practices, and the effectiveness of different frameworks around privacy in India. For example, the point was raised that given India’s cultural and political diversity, having a principle based model might be too difficult to enforce as every judge, authority, and regulator will have a different perspective and agenda. Other participants pointed out that there is a lack of awareness around privacy in India, and this will impact the effectiveness of the regulation. It was also highlighted that anecdotal claims that cultural privacy in India is different, such as the fact that in India on a train everyone will ask you personal questions, and thus Indian’s do not have a concept of privacy, cannot influence how a privacy law is framed for India.

Key Points:

India’s diverse culture will impact perceptions of privacy and the implementation of any privacy regulation.
Given India’s diversity, a principle based model might not be adequate.
Though culture is important to understand and incorporate into the framing of any privacy regulation in India, anecdotal stories and broad assumptions about India’s culture and societal norms around privacy cannot influence how a privacy law is framed for India.

Conclusion

The seventh privacy round-table concluded with a conversation on the NSA spying and the Snowden Revelations. It was asked if domestic servers could be an answer to protect Indian data. Participants agreed that domestic servers are just a band aid to the problem. With regards to the Privacy Protection Bill it was clarified that CIS is now in the process of collecting public statements to the Bill and will be submitting a revised version to the Department of Personnel and Training. Speaking to the privacy debate at large, it was emphasized that every stakeholder has an important voice and can impact the framing of a privacy law in India.

For more details visit https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table

Seventh Open Letter to the Finance Committee: A Note on the Deduplication of Unique Identifiers

praskrishna — 2011-11-22T07:28:11Z

Sahana Sarkar on behalf of the Centre for Internet and Society (CIS) had sent in a Right to Information application on 30 June 2011 to Ashish Kumar, Central Public Information Officer, UIDAI. The UIDAI sent in its reply. Through the seventh open letter, Hans attempts to characterize in an abstract way the replies that CIS managed to elicit and makes some elementary observations. The UIDAI records one or more biometric signatures of those individuals to whom it assigns its unique identity or identifier ; and for convenience let us call this the process of registering an applicant. In the normal course of registration the signatures of an applicant will be compared to those already recorded; and the outcomes of this exercise of comparing suites of biometric signatures — fingerprints and iris-scans, say — may be regarded as the values of a binary variable:

With more than one signature, we have Y = 1 only when those of the applicant match the signatures in some other suite of such item by item; and Y = 0 then if at least one of his or her signatures fails to match any already recorded one.

Though the circumstance should be unlikely, a person who has already been registered may apply again to be registered: with fraudulent intent maybe: or simply because he or she has lost the document – some identity card, perhaps – which bears the identifier assigned to him or her by the UIDAI. And the possibilities here may be regarded as the values of a binary variable:

Though we are regarding X and Y as variables equally, and taking them for jointly distributed ones, there is an evident asymmetry between them. The exercise of trying to match a given suite of signatures to some set of other suites can be performed so long as the signatures remain available; but for a given applicant the values of X refer to events already past. Faced with an applicant of whom they may suppose no more than what he or she may disclose, the personnel of the UIDAI cannot directly estimate either of the two quantities:

We have p[X = 0] + p[X = 1] = 1 here, needless to say, so there is only one quantity that needs estimating. But it is worth emphasizing that even when an applicant declares himself to have been registered already— and has come, say, to have a lost card newly issued — the personnel of the UIDAI are obliged to remain agnostic about p[X = 1] : no matter how ready they are to believe him.[1]

That no individual should be assigned more than one identifier is an entirely evident desideratum: so the process of comparing the signatures of a fresh applicant to those already recorded must be a strict one. But the process of comparison should also make it very likely that, when a match of signatures does occur, the applicant is someone who has in fact been registered already. The chance that a genuinely new applicant’s signatures will match some already recorded suite should be very small: the proportion of such mistaken matches, among all matches, should be as low as possible. This proportion is usually denoted by p[X = 0 | Y = 1] : the conditional probability that X = 0 given that Y = 1 : the chance that, despite a match of signatures, the applicant has not in fact been registered already. The defining formula:

relates this conditional probability to the ‘absolute’ or ‘raw’ probabilities of the events [Y = 1] and [X = 0 and Y = 1] ; the second of which is sometimes said to be contained in the first.

Suppose that there have been N applicants thus far. It is usual to say N trials of X and Y have occurred; but only the outcomes for Y are known. Suppose that matches have been found some m times out of these N ; then N − m applicants will have been registered. With regard to these trials, set

Note that these numbers are not individually known; but as the specified events exhaust the possibilities, we have c 00 +c 01 +c 10 +c 11 = N ; and we do know that

The ratio m/N would be a reasonable estimate of p[Y = 1] ; and (N − m)/N a reasonable estimate of p[Y = 0] = 1 − p[Y = 1] likewise. The quantity we are seeking is p[X = 0 | Y = 1] however: of which the ratio c 01/m would be a natural estimate. But unless we have some sense of the relative magnitudes of c 01 and c 11 the quantity

could be anything between 0 and 1 now. To estimate the relative magnitudes of c 01 and c 11 in any direct way would be difficult, because one has no purchase on how likely the events [X = 0 & Y = 1] or [X = 1 & Y = 1] are. So p[X = 0 | Y = 1] must be estimated directly, it would seem; and we shall come back to the question.

The reply we have received from the UIDAI indicates that 2.59 × 107 registrations — or successful ‘enrolments’, as they have put it — had been effected by 17.08.2011;while the ‘enrolments rejected’ came to 2.005 × 103 they say. Enrolments were rejected when ‘residents were duplicates’: if we take this to mean that an applicant was refused registry on account of his signatures matching some suite of signatures already recorded, then we may suppose that

The False Positive Identification Rate, or FPIR, is defined in that reply as the ratio of the number of the number of false positive identification decisions to the total number of enrolment transactions by unenrolled individuals : if by “unenrolled individual” we understand an applicant of whom [X = 0] actually obtains, then in our notation we have

rather: which would be a natural estimate of p[X = 0 & Y = 1] now, and since

the ‘false postive identification rate’ thus construed could be bound, at least, if p[X = 0 | Y = 1] itself could be. At any rate, this latter proportion seems to be the most pertinent one here: p[X = 0 | Y = 1] is the conditional probability, of mistaken matches, that the UIDAI must strive to keep as low as possible.

The reply from the UIDAI defines a false negative identification as an incorrect decision of a biometric system that an applicant for a UID, making no attempt to avoid recognition, has not been previously enrolled in the system, when in fact they have. One is at a loss to understand how the personnel of the UIDAI are to determine when an applicant is making no attempt to avoid recognition. Putting that aside, the False Negative Identification Rate or FNIR would now appear to be p[X = 1 | Y = 0] : the probability that, despite his or her signatures not matching any already recorded suite, an applicant has in fact already been registered: and with our notation

now. But c 10 cannot be reliably estimated, again, because one has no purchase on how likely [X = 1 & Y = 0] is; and the conditional probability p[X = 1 | Y = 0] will have to be estimated or bound in some direct way as well.

The preceding paragraphs have asserted that, in order to estimate or effectively bound the identification rates being sought by the UIDAI, the conditional probabilities p[X = 0 | Y = 1] and p[X = 1 | Y = 0] will have to be addressed in some direct way: without any attempt to estimate the likelihoods of [X = 0 & Y = 1] and [X = 1 & Y = 0] by themselves, that is to say. There might be ways of reliably estimating these conditional probabilities; and the manufacturers of the devices that produce the signatures may have provided tight bounds on what they would be — when the devices are working properly, at least. But let us now consider how the UIDAI has elaborated on these rates.

Their reply to our second question states that the biometric service providers have to meet the following accuracy SLA’s for FPIR and FNIR:

The condition of ‘non-duplication’ in the requirement (P) implies that the FPIR is being understood now as the formula in (†) above computes it: as an estimate of the conditional probability p[Y = 1 |X = 0]: since one already knows that [X = 0] for each enrolment here. Such an estimate could be made if one had obtained a sample of suites of signatures from distinct individuals — where no two suites in the sample could have come from the same individual — and compared each suite to every other: the proportion of matches found would be an estimate of p[Y = 1 |X = 0] now.[2]

The ‘biometric service providers’ the UIDAI has contracted with are presumably able to perform such experiments accurately. But an estimate of p[Y = 1 |X = 0] will not, as we shall momentarily see, by itself readily yield a usable bound on p[X = 0 | Y = 1] : on the crucial likelihood that, despite his or her suite of signatures matching a suite already recorded, an applicant has not in fact been registered.

The condition “ONLY duplicate enrolments” in the requirement (N) implies that the FNIR is being understood as an estimate of the conditional probability p[Y = 0 |X = 1] now: as one already knows that [X = 1] for each enrolment here. The biometric service providers should be able to estimate this probability as well. The FNIR as (‡) construes it is an estimate of p[X = 1 | Y = 0] rather; but a usable bound for this likelihood is readily got from p[Y = 0 |X = 1] now, for we may surely expect p[X = 1] < p[Y = 0].

Let us see if the requirement (P) will yield any usable upper bound on the crucial likelihood p[X = 0 | Y = 1]: which, to note it again, is what the UIDAI must seek to minimise. Consider the consequences when the FPIR is understood as (P) envisages. Taken together with formula (1) above we have

If we are not willing to wager on any upper limit appreciably less than 1 for p[X = 0] , we obtain

now.[3] Unless one can reasonably suppose that the event [Y = 1] never occurs, one must grant that p[Y = 1] > 0 . We have

But this inequality yields a usable upper bound only when K < 3: only when K is 1 or 2 that is. In either case, only by supposing that p[Y = 1] > 10−2 will the accuracy mandated for the FPIR by the UIDAI yield a usable upper bound on p[X = 0 | Y = 1] . Since the UIDAI expects that p[Y = 1] < 10−2 surely, we must conclude now that the requirements it has imposed on its ‘biometric service providers’ will not help its personnel estimate an upper limit for the crucial likelihood that, despite his or her suite signatures matching some already recorded suite, an applicant for a UID has not in fact been registered already: which likelihood, to insist again, is what the UIDAI must seek to minimise.

The argument just made will seem perverse: but the calculation is perfectly general. Suppose an FPIR limit of 10−J is mandated; then, unless one is willing to wager an upper limit on p[X = 0] , one cannot get a usable upper bound on p[X = 0 | Y = 1] from this limit on the FPIR, used all by itself, unless one supposes that p[Y = 1] > 10−J+1.

To save writing, denote by L01 the crucial likelihood p[X = 0 | Y = 1] ; and suppose that is some desired upper bound on L01 now. Assume that the FPIR achieved by a service provider is an accurate estimate of p[Y = 1 |X = 0] ; then from (1) we get

Now [X = 0] should not be a rare event at all, and, conversely, [Y = 1] should be a rare event.[4] So one should be able to set some reasonable upper limit to the ratio p[Y = 1]/ p[X = 0] : but without attempting any precise estimate, at all, of either individual probability. One may reasonably expect, for instance, that no more than one in a thousand applicants for a uid will already have been registered; and when p[X = 1] < 10−3 we will have

from (3) above. This calculation can be repeated with any number m in place of 3 here, of course, provided p[X = 1] < 10−m and p[Y = 1] < 10−m are both likely; and it seems entirely reasonable, now, for the UIDAI to insist that its biometric service providers meet the requirement.

for some appropriate upper bound X on L01 . The considerations leading to (4) make it reasonable to insist on m _ 3 now; and recalling what L01 is — the crucial likelihood that, despite his or her signatures matching some already recorded suite of signatures, an applicant has not in fact been registered — the UIDAI will have to insist on some quite small bound X: for it would not want, too often, to refuse anyone a UID on account of a mistaken match of biometric signatures.[6]

It would be foolish to speculate on what the authorities regard as acceptable error here; but if the UIDAI is of a mind that such mistakes should happen less than one in a thousand times say, then, taking the minimal value of 3 for m in the suggested requirement (R), it should demand an FPIR less than 10−6 : a ‘false positive identification rate’ a thousand-fold less than the limit currently imposed.

[1]Should it seem entirely odd to talk of probability when one of the events in question — either [X = 0] or [X = 1] — will already have occurred, we may regard the probabilities we assign them as measures of our uncertainty only: but no practical question hinges on probabilities being understood ‘subjectively’ rather than ‘objectively’.

[2]It might be well to note, however, that the size of the sample must be manageable: for a sample of size K a total of K • (K − 1)/2 comparisons will have to be performed.

[3]Wagering an upper limit on p[X = 0] would require one to reasonably estimate the probability of finding already-registered individuals among applicants.

[4]The event [Y = 1] must be just as rare, one supposes, as [X = 0] is frequent.

[5]We are supposing, that is to say, that matches of biometic signatures are very rarely mistaken matches.

[6]A small _ is consistent with supposing that p[X = 1] and p[Y = 1] are commensurate probabilites. If p[X = 0 | Y = 1] < 10−3 for instance, then p[X = 1 | Y = 1] _ (103 − 1)/103 ; one may suppose, that is, that [X = 1] will be the case 999 out of a 1000 times that [Y = 1] obtains; and, of course, to suppose that [X = 1] will be appreciably more frquent than [Y = 1] is to grant that biometric signatures will fail appreciably often to distinguish individuals.

See the RTI application of 30/06/2011 [PDF, 15 kb].

Download the Seventh Open Letter here

For more details visit https://cis-india.org/internet-governance/blog/de-duplication-of-unique-identifiers

Seventh Meeting of the Group of Experts on Privacy Issues under the Chairmanship of Justice AP Shah

praskrishna — 2012-09-11T06:20:53Z

The seventh meeting of the Group of Experts on Privacy Issues under the Chairmanship of Justice A.P. Shah, former Chief Justice of Delhi High Court is scheduled to be held on September 18, 2012 at 10.30 a.m. in the Committee Room No. 228, Yojana Bhawan, Sansad Marg, New Delhi - 110001.

The agenda of the meeting is to discuss and finalize the draft report prepared on the basis of the recommendations of the two Sub-Groups of the Expert Group.

The meeting notice was sent by S. Bose, Deputy Secretary (CIT&I) to the following individuals:

Justice A.P. Shah, Chairman
Shri R. S. Sharma, D.G., UIDAI
Shri R. Ragupathi,Additional Secretary, Department of Legal Affairs
Dr. Gulshan Rai, D.G. CERT-In, DeITy
Shri Manoj Joshi, J.S. DOPT
Shri Som Mittal, Nasscom
Ms. Barkha Dutt, NDTV
Ms. Usha Ramanathan
Shri Sunil Abraham, CIS
Dr. Kamlesh Bajaj
Ms. Mala Dutt
Shri R.K. Gupta

For more details visit https://cis-india.org/news/seventh-meeting-of-group-of-experts-sept-18-2012-under-chairmanship-of-justice-shah

Seven reasons why Parliament should debate the Aadhaar bill (and not pass it in a rush)

praskrishna — 2016-03-24T02:25:24Z

Critics say the Aadhaar Bill does not address concerns over privacy, even as government is rushing the Bill without adequate parliamentary scrutiny.

The blog post by Anumeha Yadav was published in Scroll.in on March 11, 2016. Pranesh Prakash was quoted.

Since it was launched by the United Progressive Alliance government in 2009, the Unique Identification project called Aadhaar has functioned without a legal framework. The project, which aims to assign a biometric-based number to every Indian resident, has been run under an executive order, which means Parliament has no oversight over it.

An Aadhaar Bill was introduced in 2010 but it was rejected by a parliamentary committee over legislative, security, and privacy concerns.

For long, critics have expressed concerns over collecting and centralising citizens' biometric data ‒ such as fingerprints and retina scans ‒ on a mass scale in the absence of a privacy law. The Supreme Court in several orders in 2014 and 2015 affirmed that the government cannot require people to register for an Aadhaar number and no one can be deprived of a government service for not having an Aadhaar number. The Supreme Court is now set to form a constitution bench to examine the contours of the right to privacy flowing from the government's arguments in the Aadhaar case.

Before the bench begins its work, however, the Modi government has introduced a new Bill on Aadhaar, which could override the court's orders.

The Aadhaar (Target Delivery of Financial and Other Subsidies, Benefits and Services) Bill was introduced on March 3 in Lok Sabha. Finance minister Arun Jaitley said the new Bill addresses concerns over privacy and the security and confidentiality of information.

But a close examination of the Bill shows several questions remain.

1. Does the Bill make it mandatory for you to get an Aadhaar number?
Yes, you may have to compulsorily enrol under Aadhaar, despite the privacy concerns explained in the sections below.

Four-time member of the Lok Sabha, Bhartruhari Mahtab of the Biju Janata Dal, was on the parliamentary committee on finance that examined the previous Aadhaar Bill introduced in 2010. He said the new Aadhaar Bill does not specify that it will not be made mandatory.

“There is duplicity over this issue,” said Mahtab. “Nandan Nilekani [the former chairperson of the Unique Identification Authority of India] repeatedly told us in the parliamentary committee that Aadhaar is not mandatory. The Supreme Court also said, 'You cannot make it mandatory.'”

But if a service agent asks for Aadhaar mandatorily, then as a beneficiary, citizens have no option but to get an Aadhaar number, Mahtab explained. “The government, or a private company, cannot force me to get an Aadhaar number," he said. "The government should bring a law that clearly says Aadhaar is not mandatory.”

A committee of experts on privacy, chaired by Justice AP Shah, had recommended in 2012 that the Bill should specify that individuals have the choice to opt-in or out-of providing their Aadhaar number, and a service should not be denied to individuals who do not provide their number. The Unique Identification Authority of India had then stated to the committee that the enrolment in Aadhaar is voluntary.

But the new Aadhaar Bill does not incorporate a categorical clause on opt-in and opt-out. Instead, it broadens the scope of Aadhaar. Jaitley said the Bill will allow the government to ask a citizen to produce an Aadhaar number to avail of any government subsidy. But section 7 of the Bill is phrased more broadly, and refers to not just subsidies but any “subsidy, benefit or service” for which expense is incurred on the Consolidated Fund of India, or the government treasury.

7. The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment: Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.

As noted above, the proviso in section 7 is premised on the phrase: “if an Aadhaar number is not assigned”. This, along with language preceding in the section, indicates that a citizen may be compulsorily required to apply for enrolment.

Section 8 permits a “requesting entity” to utilise identity information for authentication with the Central Identities Data Repository. A “requesting entity” is defined under Section 2(u), and will include private entities.

2. Does the Bill allow Aadhaar authorities to share your personal data?
Yes, in the "interest of national security", a term that remains undefined.

Both legal experts and members of Parliament have flagged the provisions in the Bill on the circumstances in which users' data, including core biometrics information, can be shared.

The debate centres over the interception provisions in section 33.

In a piece in The Indian Express, Nandan Nilekani, the former chairperson of the issuing authority, stated that the Aadhaar Bill provides that no core biometric information can be shared, a principle without exception. “...Clause 29(1) is not overridden by Clause 33(2),” he noted.

However, a closer reading of the Bill shows this is not the case. Clause 33(2), in fact, does provide an exception to clause 29(1)(b):

33(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government

where, Section 29(1)(b) states:

29. (1) No core biometric information, collected or created under this Act, shall be — (b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.

Pranesh Prakash, a lawyer and policy director of the Centre for Internet and Society said: “This implies that the core biometric information, collected or created under the Aadhaar Act, may be used for purposes other than the generation of Aadhaar numbers and authentication 'in the interest of national security.'"

Legal experts point out that the phrase “national security” is undefined in the present bill, as well as the General Clauses Act, and thus the circumstances in which an individual's information may be disclosed remains open to interpretation.

Section 33(1) permits the disclosure of an individual's demographic information (but not biometrics) following an order by a district judge. It says that no such order shall be made without giving an opportunity of hearing to the UIDAI , but not to the person whose data is being disclosed.

3. Does the Bill protect you from interception and surveillance?
No, the Bill does not provide for transparency concerning covert surveillance.

Section 33(2), which permits disclosure of demographic and biometric pursuant to directions of the joint secretary in interest of national security, says such disclosures will be for three months initially, and a fresh renewal can be granted for another three months, without a limitation on the number of such renewals.

This can lead to a user being under continuous surveillance, and without any notification to the user even after the surveillance ceases, violating one of necessary and proportionate principles on communications surveillance related to user notification and right to effective remedy. In some countries, this principle has been incorporated in law. For example, in Canada, the law limits the time of wiretapping surveillance, and imposes an obligation to notify the person under surveillance within 90 days of the end of the surveillance, extendable to a maximum of three years at a time.

“The interception provisions are severely problematic," said Apar Gupta, a technology lawyer. "They are not open to independent scrutiny and even derogate from the already deficient practices which relate to phone tapping (Rule 419-A of the Telegraph Rules) and interception of data (Interception Rules, 2011).”

Legal scholar Usha Ramanathan pointed out that the Bill lacks provisions on giving notice to a person in case of breach of information, in case of third party use of data, or change in purpose of use of data – which were among provisions recommended by the Justice Shah Committee on Privacy in 2012.

4. Does the Bill allow you to seek redress in case of breach of information?
Yes, but the provisions are weak.

Government officials overseeing the project said that the 2016 Bill is an improvement over the 2010 Bill as it safeguards the information of those enrolled as per sections of the Information Technology Act, 2000.

But technology law experts say the adjudicatory system for disclosure of sensitive personal data under the IT Act has structural flaws and is not functional.

“Initial complaints against the disclosure of sensitive personal data go to an adjudicating officer who is usually the IT Secretary of the state government and may not be trained in law,” said Gupta, the technology lawyer. “There is no court infrastructure and no permanent seat for such cases. The appellate body, the Cyber Appellate Tribunal, has not been made operational in the last three years. Hence, the civil remedies offered [in the Aadhaar Bill] are at best illusionary and unenforceable.”

5. Does the Bill give you the right to alter your information?
No, it leaves you to the mercy of the Unique Identification Authority of India.

Imagine a situation where a user simply wants to change their first or last name, or say, not use their caste name. Under Section 31 of the Bill, individuals can only request the UID authority, which may do so “if it is satisfied”. There is no penalty on the authority if it fails to respond. The Bill does not provide for a user to even be able to approach a court to ask for their information relating to Aadhaar to be corrected.

International norms for data protection give individuals the right to correct and alter information, if their demographic data changes. They provide for individuals to have a copy of their information, and to approach courts for an order to rectify, block, erase inaccurate information.

In an interview to Mint, Sunil Abraham, director of the Centre for Internet and Society, compared the rights of Aadhaar users to the rights we now take for granted as internet users. “Authentication factors [biometrics in the case of Aadhaar], commonly known as passwords, should always be revocable,” noted Abraham. “That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid.” In its current form, the Aadhaar Bill gives users no such rights.

6. Is the current Bill an improvement over the previous one?
Not really.

The Aadhaar Bill 2016 provides that the renewals of requests for disclosure of data will be reviewed by an oversight committee consisting of the cabinet secretary and the secretaries in the department of legal affairs and the department of electronics and information technology.

This is a watered down version of the provisions in the previous Unique Identification Authority of India 2010 Bill, said Chinmayi Arun, executive director, Centre for Communication Governance at the National Law University Delhi.

“The previous version or the 2010 Bill provided for a three-member review committee, consisting of the nominees of the prime minister, the leader of the opposition, and a third nominee of a union cabinet minister, with the restriction that these nominees could not be a member of parliament or a member of a political party,” Arun said. “This would be a more independent committee than the one proposed now, wherein there will be executive oversight for executive orders."

Regarding penalties, the previous 2010 Bill made copying, deleting, stealing, or altering information in the Central Identities Data Repository, punishable with a jail term of upto three years and a fine not less than Rs 1 crore.

Section 38 of the new Aadhaar Bill now makes the same offence punishable with a jail term of upto three years and reduces the upper limit of the fine to “not less than ten lakh rupees”.

7. Finally, does the Aadhaar Bill have enough parliamentary scrutiny?
The government has introduced the legislation on Aadhaar in the form of a Money Bill, which means the power of the Rajya Sabha to review and amend the Bill is curtailed ‒ if the Speaker Sumitra Mahajan certifies that this is a Money Bill.

The parliamentary committee on finance under Bharatiya Janata Party MP Yashwant Sinha had rejected the previous Bill in December 2011 citing legislative, security, and privacy concerns. Despite this, two successive Prime Ministers – Manmohan Singh and Narendra Modi – have pushed ahead with Aadhaar project.

A common refrain has been that the unique biometric identity will resolve the problem of the poor in India to prove identity and overcome "one of the biggest barriers preventing the poor from accessing benefits and subsidies." But last April, the UIDAI in response to an RTI application revealed that of 83.5 crore Aadhaar numbers issued till then, 99.97% were issued to people who already had at least two existing identification documents, only 0.21 million (0.03%) used the "introducer system" that provides an exception to those lacking identity proof.

More recently, there has been no public consultation by the government over the latest Bill.

For more details visit https://cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush

Setting the Agenda: A Behavioural Science approach to Data Privacy

Admin — 2019-07-04T16:47:31Z

Amber Sinha attended a meeting organised by the Centre for Social Behaviour Change (CSBC) at Ashoka University and the Busara Center for Behavioral Economics on 26 June 2019 at CSBC office, Vasant Vihar in New Delhi.

The session brought together a small group (8-12) of critical players from industry, academia, and the public sector to solicit inputs on the structure and content of India’s first experiment-based behavioural research on data privacy. This body of research, set to launch in the next few months, will use a behavioural science approach to answer 4 main topics facing data privacy: (1) consent practices, (2) business advantages for enhanced privacy, (3) willingness to pay, and (4) nudges to improve engagement in privacy. Equipped with a behavioural science toolkit, we aim to produce new evidence through lab and field experiments that help define best practices in data privacy across these topics. More info here.

For more details visit https://cis-india.org/internet-governance/news/setting-the-agenda-a-behavioural-science-approach-to-data-privacy

Setting International Norms of Cyber Conflict is Hard, But that Doesn't Mean that We Should Stop Trying

Arindrajit Basu and Karan Saini — 2019-10-14T15:04:03Z

Last month, cyber-defense analyst and geostrategist Pukhraj Singh penned a stinging epitaph, published by MWI, for global norms-formulation processes that are attempting to foster cyber stability and regulate cyber conflict—specifically, the Tallinn Manual.

The article by Arindrajit Basu and Karan Saini was published by Modern War Institute on September 30, 2019.

His words are important, and should be taken seriously by the legal and technical communities that are attempting to feed into the present global governance ecosystem. However, many of his arguments seem to suffer from an unjustified and dismissive skepticism of any form of global regulation in this space.

He believes that the unique features of cyberspace render governance through the application of international law close to impossible. Given the range of developments that are in the pipeline in the global cyber norms proliferation process, this is an excessively defeatist attitude toward modern international relations. It also unwittingly encourages the continued weaponization of cyberspace by fomenting a “no holds barred” battlespace, to the detriment of the trust that individuals can place in the security and stability of the ecosystem.

“The Fundamentals of Computer Science”

Singh argues that the “fundamentals of computer science” render rules of international humanitarian law (IHL)—which serve as the governing framework during armed conflict in other domains—inapplicable, and that lawyers and policymakers have gotten cyber horribly wrong. Singh theorizes that in the case of the United States having pre-positioned espionage malware in Russian military networks, that malware could have been “repurposed or even reinterpreted as an act of aggression.”

The possibility of a fabricated act of espionage being used as justification for an escalated response exists within the realm of analogous espionage, too. A reconnaissance operation that has been compromised can also be repurposed midway into a full-blown armed attack, or could be reinterpreted as justification for an escalatory response. However, i nternational l aw states that self-defense can only be exercised when the “necessity of self-defense is instant, overwhelming, leaving no choice of means, and no moment of deliberation.” In order to legitimize any action taken under the guise of self-defense, the threat would have to be imminent and the response both necessary and proportionate. There is nothing inherently unique in the nature of cyber conflict that would render the traditional law of self-defense moot.

Further, the presumption that cyber operations are ambiguous and often uncontrollable, as Singh suggests, is flawed. An exploit that is considered “deployment-ready” is the result of an attacker’s attempts at fine-tuning variables—until it is determined that the particular vulnerability can be exploited in a manner that is considered to be reasonably reliable. An exploit may have to be worked upon for quite some time for it to behave exactly how the attacker intends it to. While it is true that there still may be unidentified factors that can potentially alter the behavior of a well-developed exploit, a skilled operator or malware author would nonetheless have a reasonable amount of certainty that an exploit code’s execution will result in the realization of only a certain possible set of predefined outcomes.

It is true that a number of remote exploits that target systems and networks may make use of unreliable vulnerabilities, where outcomes may not be fully apparent prior to execution—and sometimes even afterward. However, for most deployment-ready exploits, this would simply not be the case. In fact, the example of the infamous Stuxnet malware, which Singh uses in his article, helps buttress our point.

Singh questions whether India should have interpreted the widespread infection of systems within the region—which also happened to affect certain critical infrastructure—as an armed attack. This question can cursorily be dismissed since we now know that Stuxnet did not cause any deliberate damage to Indian computing infrastructure. A 2013 report by journalist Joseph Menn correctly states that “the only place deliberately affected [by Stuxnet] was an Iranian nuclear facility.” Therefore, for India to claim mere infection of systems located within the bounds of its territory as having been an armed attack, it would have to concretely demonstrate that the operators of Stuxnet caused “grave harm”—as described in IHL—purely by way of having infected those machines, through execution of malicious instructions programmed in the malware’s payload.

At the same time, it should not be dismissed that the act of the Stuxnet malware infecting a machine could very well be interpreted by a state as constituting an armed attack. However, given the current state of advancement in malware decompilation and reverse-engineering studies, the process of deducing instructions that a particular malicious program seeks to execute can in most cases be performed in a reasonably reliable manner. Thus, for a state to make such a claim, it would have to prove that the malware did indeed cause grave harm, that which meets the criteria of the “scale and effects” threshold laid down in Nicaragua v. United States—whether it was caused due to operator interaction or preprogrammed instructions—along with sufficient reasoning and evidence for attributing it to a state.

An analysis of the Stuxnet code made it apparent that operators were seeking out machines that had the Siemens STEP 7 or SIMATIC WinCC software installed. The authors of the malware quite clearly had prior knowledge that the nuclear centrifuges that they intended to target made use of a particular type of programmable logic controllers, which the STEP 7 and WinCC software interacted with. On the basis of this prior knowledge, the authors of Stuxnet made design choices by which, upon infection, target machines would communicate to the Stuxnet command-and-control server—including identifiers such as operating system version, IP address, workstation name, and domain name—whether or not the infected system had the STEP 7 or WinCC software installed. This allowed the operators of Stuxnet to easily identify and distinguish machines that they would ultimately attack for fulfilling their objectives. In effect, this gave them some amount of control over the scale of damage they would deliberately cause.

It has been theorized that the malware reached the nuclear facility in Iran through a flash drive. It may be true that widespread and unnecessary propagation of the worm—which could be described as it “going out of control”—was not something the operators had intended (as it would attract unwanted attention and raise alarm bells across the board). It has nonetheless been several years since Stuxnet was in action, and there have been no documented cases of Stuxnet having caused grave harm to Indian (or other) computers. For all purposes, it could be said that the risk of collateral damage was minimized as the control operators were able to direct the execution of damaging components of the malware, to a degree that could be interpreted as having complied with IHL—thereby making it a calculated cyberattack, with controllable effects.

However, if the adverse effects of the operation were to be indiscriminate (i.e., machines were tangibly damaged immediately upon being infected), and could not be controlled by the operator within reasonable bounds, then the rules of IHL would render the operation illegal—a red line that, among other declarations, the recent French statement on the application of international law to cyberspace recognizes.

“Bizarre and Regressive”: The Westphalian Precept of Territoriality

Singh’s next grievance is with the precept of territoriality and sovereignty in cyberspace. However, the reasoning he provides decrying this concept is unclear at best. The International Group of Experts authoring the Tallinn Manual argued that “cyber activities occur on territory and involve objects, or are conducted by persons or entities, over which States may exercise their sovereign prerogatives.” They continued to note that even though cyber operations can transcend territorial domains, they are conducted by “individuals and entities subject to the jurisdiction of one or more state.”

Contrary to Singh’s assertions, our reasoning is entirely in line with the “defend forward” and “persistent engagement” strategies adopted by the United States defense experts. In fact, Gen. Paul Nakasone, commander of US Cyber Command—whose interview Singh cites to explain these strategies—explicitly states in that interview that “we must ‘defend forward’ in cyberspace as we do in the physical domains. . . . [Naval and air forces] patrol the seas and skies to ensure that they are positioned to defend our country before our borders are crossed. The same logic applies in cyberspace.” This is a recognition of the Westphalian precept of territoriality in cyberspace—which includes the right to take pre-emptive measures against adversaries before the people and objects within a nation’s sovereign borders are negatively impacted.

Below-the-Threshold Operations

Singh also argues that most cyber operations would not reach the threshold armed attack to invoke IHL. He concludes, therefore, that applying the rules of IHL “bestows another garb of impunity upon rogue cyber attacks.” However, as discussed above, the application of IHL does not require a certain threshold of intensity, but the mere application of armed force that is attributable to a state.

Therefore, laying down “red lines” by, for example, applying the principle of distinction, which seeks to minimize damage to civilian life and property, actually works toward setting legal rules that seek to prevent the negative civilian fallout of cyber conflict. There appears to be no reason why any cyberattack by a state should harm civilians without the state using all means possible to avoid this harm. If there is an ongoing armed conflict, this entails compliance with the IHL principles of necessity and proportionality, ensuring that any collateral damage ensuing as a result of an operation is proportionate to the military advantage being sought.

Moreover, we agree that certain information operations may not cause any damage in terms of injury to human life or property. But IHL is not the only framework for governing cyber conflict. Ongoing cyber norms proliferation efforts are attempting to move beyond the rigid application of international law to account for the unique challenges of cyberspace. Despite the flaws in the process thus far, individuals from a variety of backgrounds and disciplines must engage meaningfully and shape effective regulation in this space. Singh’s “garb of impunity” exists when there are a lack of restrictions on collateral damage caused by cyber operations, to the detriment of civilian life and property alike.

Obstacles in Developing Customary International Law

His third argument is on the fetters limiting the development of customary international law in the cyber domain. This is a valid concern. Until recently, most states involved in cyber operations have adopted a stance of silence and ambiguity with regard to their legal position on the applicability of international law in cyberspace or their position on the Tallinn Manual.

This is due to multiple reasons: First, states are not certain if the rules of the Tallinn Manual protect their long-term interests of gaining covert operational advantages in the cyber domain, which acts as a disincentive for strongly endorsing the rules laid out therein. Second, even those states keen on applying and adhering to the manual may not be able to do so in the absence of technical and effective processes that censure other states that do not comply. Given this ambiguity, states have demonstrated a preference to engage in cyber operations and counteroperations that are below the threshold—in other words, those that do not bring IHL into play. However, as others have convincingly argued, it is incorrect to assume that the current trend of silence and ambiguity will continue.

Recent developments indicate that the variety of normative processes and actors alike may render the Tallinn Manual more relevant as a focal point in the discussions. The UK, France, Germany, Estonia, Cuba (backed by China and Russia), and the United States have all engaged in public posturing in advocacy of their respective positions regarding the applicability of international law in cyberspace, in varying degrees of detail—which is essentially customary international law in the making. The statements made by a number of delegations at the recently concluded first substantive session of the United Nations’ Open-Ended Working Group covered a broad range of issues, from capacity building to the application of international law, which is the first step towards fostering consensus among the variety of global actors.

Positive Conflict and the Future of Cyber Norms

The final argument—a theme that runs from the beginning of Singh’s article—is a stark criticism of Western-centric cyber policy processes. Despite attempts to foster inclusivity, efforts like those that produced the Tallinn Manual are still driven largely from and by the United States in an attempt to, as Singh describes it, keep “cyber offense fully potentiated.” This is an unfortunate reality, but one that is not limited solely to the cyber domain. For example, in an excellent paper written in 2001, retired US Air Force Maj. Gen. Charles Dunlap explained “that ‘lawfare,’ that is, the use of law as a weapon of war, is the newest feature of 21st century combat.”

We are presented therefore with two options: either sit back and witness the hegemonization of policy discourse by a limited number of powerful states, or actively seek to contest these assumptions by undertaking adversarial work across standards-setting bodies, multilateral and multi-stakeholder norms-setting forums, as well as academic and strategic settings. In a recent paper, international law scholar Monica Hakimi argues that international law can serve as a fulcrum for facilitating positive conflict in the short run between a variety of actors across industry, civil society, and military and civilian government entities, which can lead to the projection of shared governance endeavors in the long run. Despite its several flaws, the Tallinn Manual can serve as a this type of fulcrum for facilitating this conflict.

In writing a premature eulogy of efforts to bring to realization a set of norms in cyberspace, Singh dismisses that historically, global governance regimes have taken considerable time and effort to come into being and emerge after an arduous process of continuous prodding and probing. This process necessitates that any existing assumptions—and the bases on which they are constructed—are challenged regularly, so that we can enumerate and ultimately arrive at an agreeable definition for what works and what does not. Rejecting these processes in their entirety foments a global theater of uncertainty, with no benchmarks for cooperation that stakeholders in this domain can reasonably rely on.

For more details visit https://cis-india.org/internet-governance/blog/modern-war-institute-september-30-2019-arindrajit-basu-and-karan-saini-setting-international-norms-cyber-conflict-hard-doesnt-mean-stop-trying

Session M4 – International Public Policy and Internet Governance Issues Pertaining to the Internet

praskrishna — 2012-07-19T05:59:40Z

The Asia Pacific Regional Internet Governance Forum 2012 is being organised at Aoyama Campus, Aoyama Gakuin University in Tokyo on July 20, 2012. Sunil Abraham will be speaking in the session on international public policy and internet governance issues pertaining to the internet. The event is organised by APrIGF.Asia

The Internet is a vital strategic communications infrastructure for the Asia Pacific region, and so the future evolution of the Internet is a hugely important policy issue for individuals, business and government alike across the region. The region is the most diverse and dynamic in the world and the formulation of a unified and coherent regional view on such an important policy issue is very challenging. With internet governance becoming increasingly important, efforts are underway by some countries in Asia Pacific and elsewhere to change the nature of internet governance; moving from a relatively open multi-stakeholder model to a more closed, government led system of governance. What is the best evolution Internet governance path for Internet users of Asia Pacific to follow? This workshop will discuss the competing paths currently under discussion and seek to offer delegates a comprehensive understanding of the issues.

Panel

Moderator – Mr. Jeremy Malcolm, Consumers International

Speakers

Hasanul Aaq Inu, Member, Bangladesh National Parliament; Chairman, Parliamentary Standing Committee for Ministry of Posts and Telecommunications
Atsushi Umino, Director for International Policy Coordination, Global ICT Strategy Bureau (MIC)
Sunil Abraham, Centre for Internet & Society, India
David Farrar, Director of Curia Market Research

Panelists

Naoya Bessho, General Counsel, Chief Compliance Officer, Yahoo Japan Corporation
William Drake, International Fellow & Lecturer, Media Change & Innovation Division, IPMZ, University of Zurich, Switzerland

For the full agenda, click here
Click to read the original

For more details visit https://cis-india.org/news/session-m4-international-public-policy-and-internet-governance-issues-pertaining-to-the-internet

Services like TwitterSeva aren’t the silver bullets they are made out to be

sunil — 2016-10-06T16:31:51Z

TwitterSeva is great, but it should not be considered a sufficient replacement for proper e-governance systems. This is because there are several serious shortcomings with the TwitterSeva approach, and it is no wonder that enthusiastic police officers and bureaucrats are somewhat upset with the slow deployment of e-governance applications. They are also right in being frustrated with the lack of usability and scalability of existing applications that hold out the promise of adopting private sector platforms to serve citizens better.

Sunil Abraham, executive director of the Centre for Internet and Society, wrote this in response to the FactorDaily story on TwitterSeva, a special feature developed by Twitter’s India team to help citizens connect better with government services. Sunil's article in FactorDaily can be read here.

Let’s take a look at why the TwitterSeva approach is not adequate:

1. Vendor and Technology Neutrality: Providing a level ground for competing technologies in e-governance has been a globally accepted best practice for about 15 years now. This is usually done by using open standards policies and interoperability frameworks.

India does have a national open standards policy, but the National Informatics Centre (NIC) has only published one chapter of the Interoperability Framework for e-Governance .

The thing is, while Twitter might be the preferred choice for urban elites and the middle class, it might not be the choice of millions of Indians coming online. By implicitly signaling to citizens that Twitter complaints will be taken more seriously than e-mail or SMS complaints, the government is becoming a salesperson for Twitter. Ideally, all interactions that the state has with citizens should be such that citizens can choose which vendor and technology they would like to use. Ideally, the government should have its own work-flow so that it can harvest complaints, feedback and other communications from all social media platforms be it Twitter or Identica, Facebook or Diaspora, and publish responses back onto them.

By implicitly signalling to citizens that Twitter complaints will be taken more seriously than e-mail or SMS complaints, the government is becoming a salesperson for Twitter

Apart from undermining the power of choice for citizens, lack of vendor and technology neutrality in government use of technology undermines the efficient functioning of a competitive free market, which is the bedrock of future innovation.

When it comes to micro-blogging, Twitter has established a near monopoly in India. There are no clear signs of harm and therefore it would not be wise to advocate that the Competition Commission of India investigate Twitter. However, if the government helps Twitter tighten its grip over the Indian market, it is preventing the next cycle of creative destruction and disruption. Therefore, e-governance applications should ideally only “loosely couple” with the APIs of private firms so that competition and innovation are protected.

2. Holistic Approach and Accountability: Ideally, as the Electronic Service Delivery Bill 2011 had envisaged, every agency within the government was supposed to (within 180 days of the enactment of the Act) do several things: publish a list of services that will be delivered electronically with a deadline for each service; commit to service-level agreements for each service and provide details of the manner of delivery; provide an agency-level grievance redressal mechanism for citizens unhappy with the delivery of these electronic services.

Notwithstanding the 180-day commitment, the Bill required that “all public services shall be delivered in electronic mode within five years” after the enactment of the Bill with a potential three-year extension if the original deadline was not met. The Bill also envisaged the constitution of a Central Electronic Service Delivery Commission with a team of commissioners who “monitor the implementation of this Bill on a regular basis” and publish an annual report which would include “the number of electronic service requests in response to which service was provided in accordance with the applicable service levels and an analysis of the remaining cases.”

The Electronic Service Delivery Bill 2011 had a much more comprehensive and accountable plan for e-governance adoption in the country

Citizens suffering from non-compliance with the provisions of the Bill and unsatisfied with the response from the agency level grievance redressal mechanism could appeal to the Commission. The state or central commissioners after giving the government officials an opportunity to be heard were empowered to impose a fine of Rs 5000.

Unlike the piecemeal approach of TwitterSeva, the Bill had a much more comprehensive and accountable plan for e-governance adoption in the country.

3. Right To Transparency: Some of the interactions that the government has with citizens and firms may have to be disclosed under the obligation emerging from the Right to Information Act for disclosure to the public or to the requesting party. Therefore it is important that the government take its own steps for the retention of all data and records — independent of the goodwill and lifecycles of private firms.

Twitter is only 10 years old. It took 10 years for Orkut to shut down. Maybe Twitter will shut down in the next 10 years. How then will the government comply with RTI requests? Even if the government is not keen on pushing for data portablity as a right for consumers (just like mobile number portability in telecom, so that consumers can seamlessly shift between competing service providers), it absolutely should insist on data portability for all government use.

Twitter is only 10 years old. It took 10 years for Orkut to shut down. Maybe Twitter will shut down in the next 10 years. How then will the government comply with RTI requests?

This will allow it to shift to a) support multiple services, b) shift to competing/emerging services c) incrementally build its own infrastructure and also comply with the requirements of the Right to Information Act.

4. Privacy: Unfortunately, thanks to the techno-utopians behind the Aadhaar project, the current government is infected with “data ideology.” There is an obsession with collecting as much data as possible from citizens, storing it in centralized databases and providing “dashboards” to bureaucrats and politicians. This is diametrically opposed to the view of the security community.

Unfortunately, thanks to the techno-utopians behind the Aadhaar project, the current government is infected with “data ideology”

For example, Bruce Schneier posted on his blog in March this year (in a piece titled ‘Data is a Toxic Asset‘) saying: “What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous. This idea has always been part of the data protection law starting with the 2005 EU Data Protection Directive expressed as the principle of “Data Minimization” or “Collection Limitation”. More recently technologists and policy makers also use the phrase “Privacy by Design”. Introducing an unnecessary intermediary or gate-keeper between what is essentially transactions between citizens and the state is an egregious violation of a key privacy principle.”

5. Middle Class and Elite Capture: The use of Twitter amplifies the voices of the English-speaking, elite, and middle class citizens at the expense of the voices of the poor. While elites don’t exhibit fear when tagging police IDs and making public complaints from the comforts of their gated communities with private security guards shielding them the violence of the state, this might be a very intimidating option for the poor and disempowered.

While elites don’t fear tagging police IDs and making public complaints from the comforts of their gated communities, it’s intimidating for the disempowered

While the system may not be discriminatory in its design, it will have disparate impact on different sections of our society. In other words, the introduction of TwitterSeva will exacerbate power asymmetries in our society rather than ameliorating them.

The canonical scholarly reference for this is Kate Crawford’s analysis of City of Boston’s StreetBump smartphone, which resulted in an over-reporting of potholes in elite neighbourhoods and under-reporting from poor and elderly residents. This meant that efficiency in the allocation of the city’s resources was only a cover for increased discrimination against the powerless.

6. Security: The most important conclusion to draw from the Snowden disclosure is that the tin-foil conspiracy theorists who we used to dismiss as lunatics were correct. What has been established beyond doubt is that the United States of America is the world leader when it comes to conducting mass surveillance on netizens across the globe. It is still completely unclear how much access the NSA has to the databases of American social media giants. When the complete police force of a state starts to use Twitter for the delivery of services to the public, then it may be possible for foreign intelligence agencies to use this information to undermine our sovereignty and national security.

For more details visit https://cis-india.org/internet-governance/blog/factordaily-sunil-abraham-october-6-2016-services-like-twitterseva-are-not-the-silver-bullets-they-are-made-out-to-be

September 2019 Newsletter

praskrishna — 2019-12-06T04:53:12Z

The newsletter for the month of September 2019.

Highlights for September 2019
Centre for Internet & Society's application for membership of the Christchurch Call Advisory Network has been accepted! As a part of this network, we, along with other civil society groups based out of various jurisdictions, would be providing inputs on making the Call a robust, human rights-centred initiative. A book by Amber Sinha titled 'The Networked Public: How Social Media is Changing Democracy' was published by Rupa Publications. The book looks at how networks exert unchecked power in subverting political discourse and polarizing the public in India. Towards that, it investigates the history of misinformation and the biases that make the public susceptible to it, how digital platforms and their governance impacts the public’s behaviour in them, as well as the changing face of political targeting in a data-driven ecosystem. Akriti Bopanna and Gayatri Puthran co-authored a research paper which compares the Manila Principles to Draft of The Information Technology [Intermediary Guidelines(Amendment) Rules], 2018, introduced by the Ministry of Electronics and Information Technology (MeitY) in December, 2018. Gurshabad Grover and Torsha Sarkar along with Rajashri Seal and Neil Trivedi co-authored a paper that examines the constitutionality of the government prohibition on the broadcast of news against private and community FM channels. The authors also mapped chronologically the history of the development of community and private radio channels in India. Ambika Tandon and Aayush Rathi generated empirical evidence about the CCTV programme well underway in Delhi. The case study was published by Centre for Development Informatics, Global Development Institute, SEED, in the Development Informatics working paper series housed at the University of Manchester. Shruti Trikanand and Amber Sinha published a blog post titled Core Concepts and Processes by which the authors hope to arrive at a shared vocabulary to discuss and critically analyse digital identity systems, both within our team and in engagements with other stakeholders. Pooja Saxena and Akash Sheshadri contributed to the project. The Global Commission on the Stability of Cyberspace released a public consultation process that sought to solicit comments and obtain feedback on the definition of “Stability of Cyberspace”, as developed by the Global Commission on the Stability of Cyberspace (GCSC). CIS gave detailed commentary on the definitions and suggested a new definition of cyber stability. CIS is undertaking a study on digital mediation of domestic and care work in India, as part of and supported by the Feminist Internet Research Network led by the Association for Progressive Communications (APC), funded by the International Development Research Centre (IDRC). The study is exploring the ways in which structural inequalities, such as those of gender and class, are being reproduced or challenged by digital platforms. The project sites are Delhi and Bangalore, where we are conducting interviews with workers, companies, and unions. In Bangalore, we are collaborating with Stree Jagruti Samiti to collect qualitative data from different stakeholders. The outputs of the research will include a report, policy brief, and other communication materials in English, Hindi, and Kannada. This study is being led by Ambika Tandon and Aayush Rathi, along with Sumandro Chattapadhyay. CIS-A2K has put up a call for joining the Free Knowledge movement #Wikipedia #Wikimedia. Are you an individual or do you represent any organisation, institution, groups or enterprises? You can actually help the ‘Free Knowledge’ movement by donating photos, media, content or archives.

CIS and the News

The following articles and research papers were authored by CIS secretariat during the month:

Doing Standpoint Theory (Ambika Tandon and Aayush Rathi; Gender IT.org; September 1, 2019).
Traffic Rules, Mindset and On-Time Payments (Shyam Ponappa; Business Standard; September 4, 2019).
Kashmir’s digital blackout marks a period darker than the dark side of the moon (Nishant Shah; Indian Express; September 15, 2019).
The Networked Public: How Social Media Changed Democracy (Amber Sinha; Rupa Publications; September 19, 2019).
Capturing Gender and Class Inequities: The CCTVisation of Delhi (Aayush Rathi and Ambika Tandon; Centre for Development Informatics, Global Development Institute; September 27, 2019).

CIS in the News

CIS secretariat was consulted for the following articles published during the month in various publications:

Why having more CCTV cameras does not translate to crime prevention (Manasa Rao; The News Minute; September 3, 2019).
Android 10 out, big on ‘privacy’ (Roshan H. Nair; Deccan Herald; September 4, 2019).
Internet pour toutes (Isabelle Grégoire; L'Actualite; September 11, 2019).
Chennai residents rue fuzzy CCTV surveillance (Vivek Narayanan and R. Srinivasan; The Hindu; September 18, 2019).

Millions of kids in India access the Net on their parents’ devices, says study (Varun Aggarwal; Hindu Businessline; September 27, 2019).
SC directs govt to further regulate social media: Is it necessary? Experts weigh in (Geetika Mantri; The News Minute; September 28, 2019).

Access to Knowledge

Access to Knowledge is a campaign to promote the fundamental principles of justice, freedom, and economic development. It deals with issues like copyrights, patents and trademarks, which are an important part of the digital landscape.

Wikipedia

Under a grant from Wikimedia Foundation we are doing a project for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

News

Bhuvana Meenakshi elected Mozilla Rep for July 2019 (Bhuvana Meenakshi was selected as a Rep of the Month (July 2019) by Mozilla for her active contributions).

Openness

Participation in Events

FOSSCON India 2019 (Organized by KLS Gogte Institute of Technology; Belgaum; August 29 - 31, 2019). Bhuvana Meenakshi gave a talk on "The revolution of WebXR".
DevFest'19 (Organized by Google Developers Groups; Coimbatore; September 14, 2019).
React India 2019 (Organized by React India; Goa; September 26 - 28, 2019). Bhuvana Meenakshi was a speaker.

Internet Governance

The Tunis Agenda of the second World Summit on the Information Society has defined internet governance as the development and application by governments, the private sector and civil society, in their respective roles of shared principles, norms, rules, decision making procedures and programmes that shape the evolution and use of the Internet. As part of internet governance work we work on policy issues relating to freedom of expression primarily focusing on the Information Technology Act and issues of liability of intermediaries for unlawful speech and simultaneously ensuring that the right to privacy is safeguarded as well.

Freedom of Speech & Expression

Under a grant from the MacArthur Foundation, CIS is doing research on the restrictions placed on freedom of expression online by the Indian government and contribute studies, reports and policy briefs to feed into the ongoing debates at the national as well as international level. As part of the project we bring you the following outputs:

Research Papers

Examining the Constitutionality of the Ban on Broadcast of News by Private FM and Community Radio Stations (Gurshabad Grover, Torsha Sarkar, Rajashri Seal and Neil Trivedi; September 27, 2019).
Comparison of the Manila Principles to Draft of The Information Technology [Intermediary Guidelines(Amendment) Rules], 2018 (Akriti Bopanna and Gayatri Puthran; September 30, 2019).

News

Turning off the internet: Chips with Everything podcast (Gurshabad Grover and Ambika Tandon recorded an episode with the Guardian's podcast on digital culture, called Chips with Everything).

Privacy

Under a grant from Privacy International and IDRC we are doing a project on surveillance. CIS is researching the history of privacy in India and how it shapes the contemporary debates around technology mediated identity projects like Aadhar. As part of our ongoing research, we bring you the following outputs:

Submission

Submission to Global Commission on Stability of Cyberspace on the definition of Cyber Stability (Arindrajit Basu and Elonnai Hickok; September 11, 2019).

Participation in Events

Policy Design Jam (Organized by Whatsapp and ISPP; Qutub Institutional Area, New Delhi; September 16, 2019). Pallavi Bedi, Akash Sheshadri and Anubha Sinha attended the event.
Conceptualising India's Digital Policy Vision (Organized by National University of Juridical Sciences; National University of Juridical Sciences; Kolkata; September 18, 2019).
All Partners Meeting (Organized by Partnership on AI; London; September 26 - 27, 2019). Elonnai Hickok reprsented CIS as the co-chair for the Labour and Economy Expert Group.

Digital Identity

Omidyar Network is investing in establishment of a three-region research alliance — to be co-led by the Institute for Technology & Society (ITS), Brazil, the Centre for Intellectual Property and Information Technology Law (CIPIT) , Kenya, and CIS. As part of this Alliance, CIS is examining the policy objectives of digital identity projects, how technological policy choices can be thought through to meet the objectives, and how legitimate uses of a digital identity framework may be evaluated.

Featured Research

Core Concepts and Processes (Shruti Trikanand and Amber Sinha; September 13, 2019). Research by Shruti Trikanad and Amber Sinha. Conceptualization by Pooja Saxena and Amber Sinha. Illustrations by Akash Sheshadri and Pooja Saxena.

Artificial Intelligence

With origins dating back to the 1950s Artificial Intelligence (AI) is not necessarily new. However, interest in AI has been rekindled over the recent years due to advancements of technology and its applications to real-world scenarios. We conduct research on the existing legal and regulatory parameters:

Participation in Events

AI in Healthcare (Organized by Center for Information Technology and Public Policy and International Institute of Information Technology; Bangalore). Radhika Radhakrishnan gave a talk.
Responsible AI Workshop (Organized by Facebook; September 17, 2019; New Delhi). Sunil Abraham participated in the meeting.
Constitutionalizing Artificial Intelligence (Organized by Constitutional Law Society; National University of Juridical Sciences; Kolkata). Arindrajit Basu delivered a lecture.

Researchers@Work

The researchers@work programme at CIS produces and supports pioneering and sustained trans-disciplinary research on key thematics at the intersections of internet and society; organise and incubate networks of and fora for researchers and practitioners studying and making internet in India; and contribute to development of critical digital pedagogy, research methodology, and creative practice.

Announcement

Digital mediation of domestic and care work in India: Project Announcement (Ambika Tandon and Aayush Rathi; October 1, 2019).

Essays on #List — Selected Abstracts

In response to a recent call for essays that social, economic, cultural, political, infrastructural, or aesthetic dimensions of the #List, we received 11 abstracts. Out of these, we have selected 4 pieces to be published as part of a series titled #List on the r@w blog.

Blog Entries

#HookingUp (Akhil Kang, Christina Thomas Dhanraj, Dhrubo Jyoti, and Gowthaman Ranganathan; August 1, 2019).
Call for Contributions and Reflections: Your experiences in Decolonizing the Internet’s Languages! (P.P. Sneha; August 7, 2019).
Simiran Lalvani - Workers’ fictive kinship relations in Mumbai app-based food delivery (Sumandro Chattapadhyay; August 16, 2019).

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions. Both require effective and efficient use of networks and resources, including spectrum.

Monthly Blog

Traffic Rules, Mindset and On-Time Payments (Shyam Ponappa; September 4, 2019).

About CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

Follow CIS on:

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

Support CIS:

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

Collaborate with CIS:

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/september-2019-newsletter

September 2018 Newsletter

praskrishna — 2018-10-16T06:28:42Z

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights

Wikisource is one of the trending Wikimedia projects. Many new editors and new books to Indic language Wikisource's get added over a period of time. However, new editors as well as existing editors face numerous problems while working with the content online. The Centre for Internet & Society's Access to Knowledge (CIS-A2K) team, to help the editors, has created a Wikisource Handbook for Indian communities. CIS invites feedback to the first draft of this Handbook.
Centre for Internet & Society (CIS) participated in the 5th Global Congress on IP and Public Interest held in Washington in a big way. CIS signed on as a supporting member to the Civil Society Proposal for a Treaty on Education and Research Activities.
Sunil Abraham, in an article in the Hindustan Times, explores what leads to fake news. He has revealed that transparency regulations is the need of the hour especially for election campaigns and political advertising.
Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu co-authored a blog post which examines cross-border data sharing. The authors have argued that conventional methods of compelling the presentation of evidence available for investigative agencies often fail when the evidence is not present within the territorial boundaries of the state.
Arindrajit Basu and Elonnai Hickok wrote a blog entry on usage of artificial intelligence in governance sector in India. As per research though artificial intelligence has the potential to ameliorate structural inefficiencies in governmental functions, the deployment of this technology across sub-sectors is still on the horizons.
Amber Sinha, Elonnai Hickok and Arindrajit Basu produced a research paper on the implications of artificial intelligence in India in various sectors such as health, banking, manufacturing, and governance sectors.
Artificial Intelligence in many ways is in direct conflict with traditional data protection principles and requirements including consent, purpose limitation, data minimization, retention and deletion, accountability, and transparency. Authors Elonnai Hickok and Amber Sinha have explained this in a blog entry.
The researchers@work programme has selected 10 essays, based on an open call announced in August, engaging with the thematic of "offline". The abstracts of the selected essays have been published, and the final essays will be published on the upcoming r@w blog.

Articles

India’s post-truth society (Swaraj Paul Barooah; Hindu Businessline; September 7, 2018).
Digital Native: #MemeToo (Nishant Shah; Indian Express; September 9, 2018).
The Right Words for Love (Nishant Shah; Indian Express; September 23, 2018).
A trust deficit between advertisers and publishers is leading to fake news (Sunil Abraham; Hindustan Times; September 30, 2018).
Digital Native: Hardly Friends Like That (Nishant Shah; Indian Express; September 30, 2018).

CIS in the News

Can this curb your addiction? (Surupasree Sarmmah; Deccan Herald; September 5, 2018).
'Why should we talk to Dunzo?' State regulators fume at liquor delivery (Aroon Deep; Medianama; September 7, 2018).
#NAMAprivacy: Data Protection Authority's regulatory and enforcement challenges (Rana; Medianama; September 9, 2018).
'What Security Breach?' The Unchanging Tone of UIDAI's Denials (Karan Saini; The Wire; September 12, 2018).
Haryana Cops Say Internet Shutdowns Hurt Police Operations (Gopal Sathe; Huffington Post; September 19, 2018).
Find ways to trace origin of messages: Government to WhatsApp (Surabhi Aggarwal; Economic Times; September 20, 2018).
Net nanny meets muscular law (Laxmi Murthy; Himal South Asian; September 26, 2018).
After Supreme Court Setback, Fintech Firms Await Clarity On Aadhaar (Nishant Sharma; Bloomberg Quint; September 27, 2018).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Copyright and Patent

Participation in Event

5th Global Congress on IP and the Public Interest (Organized by PublicCitizen, Washington College of Law, American University, O'Neill Institute and the American Assembly, Columbia University; Washington D.C.; September 24 - 29, 2018). Sunil Abraham, Anubha Sinha and Swaraj Paul Barooah were panelists at the event.

Wikipedia

Publication

Wikisource Handbook for Indian Communities (Bodhisattwa Mandal and Ananth Subray P. V.; September 19, 2018).

Blog Entry

Christ (DU) students enrolls for 3rd Wikipedia certificate course (Ananth Subray; September 23, 2018).

Events Organized

Copyright Workshop (CIS; New Delhi; September 1 - 2, 2018).
Meeting on Digitization and Content Donation (Bhandarkar Oriental Research Institute; Pune; September 6, 2018).
Orientation session on Sanskrit Wikipedia (Tilak Maharashtra Vidyapeeth; Pune; September 6, 2018).
Workshop on FOSS, Unicode & Wikimedia Projects for Publishers, Printers, Designers and Writers (Fergusson College; Pune; September 7, 2018).
Workshop in MKCL regarding Vanbodh Project with TRTI (Maharashtra Knowledge Corporation Limited; Mumbai; September 11, 2018).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Privacy

Research Papers

The Srikrishna Committee Data Protection Bill and Artificial Intelligence in India (Amber Sinha and Elonnai Hickok; September 3, 2018).
AI in India: A Policy Agenda (Amber Sinha, Elonnai Hickok and Arindrajit Basu; September 5, 2018).
Artificial Intelligence in the Governance Sector in India (Arindrajit Basu and Elonnai Hickok; edited by Amber Sinha, Pranav MB and Vishnu Ramachandran; ecosystem mapping by Shweta Mohandas and Anamika Kundu; September 14, 2018).
Cross-Border Data Sharing and India: A study in Processes, Content and Capacity (Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu; September 27, 2018).

Participation in Events

Online Cogitatum on AI and Ethics in India (Organized by Takshashila; Takshashila Institution; August 27, 2018). Elonnai Hickok participated in the event.
Conference on Data Protection (Organized by National Institute of Public Finance and Policy; New Delhi; September 4, 2018). Sunil Abraham and Amber Sinha were discussant in the session Disclosures in Privacy Policies: Does Consent Work?
Symposium on Data Privacy and Citizen's Rights (Organized by Tech Law Forum of NALSAR University of Law; Hyderabad; September 9, 2018).
Gender and Privacy: Countering the Patriarchal Gaze (Organized by Privacy International; United Kingdom; September 13 - 14, 2018).
Meeting of Information Systems Security and Biometrics Sectional Committee (Organized by Bureau of Indian Standards; New Delhi; September 14, 2018).
Forecasting the Implications of the CLOUD Act Around the World (Organized by Global Network Initiative; Russell Senate Office Building, Washington D.C.; September 18, 2018). Elonnai Hickok was a speaker.
Networked Economies and Gender Action Learning (Organized by IDRC and facilitated by Gender at Work; Ottawa; September 20 - 21, 2018). Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in the meeting. Sunil Abraham, Swaraj Paul Barooah and Ambika Tandon also attended a workshop on Gender Action Learning on September 24 - 25, 2018, which discussed strategies to work on gender under a grant for Cyber Policy Centres.
Round Table Discussion on Personal Data Protection Bill (Organized by SFLC; Bengaluru; September 25, 2018). Shweta Mohandas participated in the event and moderated the first session on Data Protection Principles (Rights and Obligations).

Cyber Security

Event Organized

Symposium on India’s Cyber Strategy (India Habitat Centre, New Delhi; August 31, 2018).

Participation in Event

Cyber-Security in the Age of Smart Manufacturing (Organized by Federation of Indian Chamber of Commerce & industry (FICCI) in association with Karnataka Innovation and Technology Society, and Government of Karnataka; The Lalit Ashok, Bengaluru; September 26, 2018). Arindrajit Basu attended the event.

researchers@work

The researchers@Work (r@w) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa.

Blog Entry

Essays on 'Offline' - Selected Abstracts (P.P. Sneha; September 6, 2018).
Digital Native: #MemeToo (Nishant Shah; Indian Express; September 9, 2018).
The Right Words for Love (Nishant Shah; Indian Express; September 23, 2018).
Digital Native: Hardly Friends Like That (Nishant Shah; Indian Express; September 30, 2018).

Participation in Event

Plenary Talk at Jyothi Nivas College Research Symposium (Organized by Jyoti Nivas College; Bangalore; September 28, 2018). P.P. Sneha made a presentation on presentation on new reading and writing practices in the digital context.

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/september-2018-newsletter

September 2017 Newsletter

Admin — 2017-11-21T15:19:25Z

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
CIS filed a request under the Right to Information Act in March 2016 as part of research for the paper: Patent Working Requirements and Complex Products: An Empirical Assessment of India's Form 27 Practice and Compliance (July 2017). Rohini Lakshané has captured the developments in a blog post. Last month’s judgment by the nine judge referral bench was an emphatic endorsement of the the constitutional right to privacy. Amber Sinha has dissected the various aspects of the right to privacy as put forth by the nine judge constitutional bench in the Puttaswamy matter. The papers on fundamental right to privacy can be accessed here. With offline as the theme of the third Internet Researchers' Conference (IRC18), CIS has invited teams of two or more members to submit sessions proposals by Sunday, October 22, 2017. The conference is expected to be held in Himachal Pradesh during February 22-24, 2018. The venue and dates will be confirmed soon. Anonymity-based internet apps like Sarahah may not be as vicious for those surrounded by the comfort of social status. If your experience of Sarahah has been positive, it might be good to reflect on your own cultural and social capital, wrote Nishant Shah in an article in the Indian Express, dated September 10, 2017.

CIS in the news:

Privacy is now a right in India. Here's what that means for the tech industry (Rishi Iyengar; CNN Tech; August 29, 2017).
Russian social network VKontakte temporarily blocked in India for Blue Whale threat (Kim Arora; The Times of India; September 12, 2017).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Pervasive Technologies

RTI request to Indian Patents Office for Form 27 (Statement of Working of patents), March 2016 (Rohini Lakshané; September 9, 2017).
RTI request to Indian Patents Office for Form 27 (Statement of Working of patents), 2015 (Rohini Lakshané; September 9, 2017).

►Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Participation in Event

Praja - Enhancing Democracy Through Access to Open Data: What Are the Roles of Government and Civil Society? (Organized by Praja; September 8, 2017; New Delhi). Sumandro Chattapadhyay was a speaker.

-----------------------------------

Internet Governance
-----------------------------------

►Privacy

Blog Entries

Rethinking National Privacy Principles: Evaluating Principles for India's Proposed Data Protection Law (Amber Sinha; September 11, 2017).
The Fundamental Right to Privacy: An Analysis (Amber Sinha; September 27, 2017).

►Big Data

Upcoming Event

Emerging Issues in the Internet of Things (CIS, Bangalore; October 23, 2017). Andrew Rens will give a talk on the research that he is doing at the Internet Governance Lab.

-----------------------------------

Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Article

Revamp Telecom Sector & Revive The Economy (Shyam Ponappa; Business Standard; September 7, 2017).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Article

Digital native: What’s in a name? Privilege (Indian Express, September 10, 2017).

Announcement

Internet Researchers' Conference 2018 (IRC18): Offline - Call for Session (P.P. Sneha; September 20, 2017). Teams of two or more members to submit sessions proposals by Sunday, October 22, 2017.

Blog Entry

The Digital Humanities from Father Busa to Edward Snowden (P.P. Sneha; September 4, 2017).

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/september-2017-newsletter

September 2015 Bulletin

praskrishna — 2015-11-25T01:55:25Z

We are happy to share with you the ninth issue of the Centre for Internet and Society (CIS) newsletter (September 2015). It has been a significant month for public debates on the digital future of governance, citizenship, and economy in India, led by conversations around the draft National Encryption Policy, the Aadhaar number as a basis for provision of welfare services, the investigation of Google for potential abuse of market dominance by the Competition Commission of India, and the Guidelines for Examination of Computer Related Inventions released by the Indian Patents Office. We were busy engaging with these issues, and more.

The past editions of the newsletter can be accessed at http://cis-india.org/about/newsletters.

Sumandro Chattapadhyay, Research Director

Internet Researchers' Conference (IRC) 2016 - Studying Internet in India
With great excitement, we are announcing the beginning of an annual conference series titled Internet Researchers' Conference (IRC), the first edition of which is to take place in Delhi during February 25-27, 2016 (yet to be confirmed). We invite you to propose sessions for the conference by Sunday, November 15, 2015.

Highlights

CIS sent an Open Letter to Prime Minister Narendra Modi during his US visit, requesting him to urge USA to ratify the Marrakesh Treaty. During the month, NVDA team organized training programmes for the visually impaired at Kullu, Bangalore and Ranchi. Nehaa Chaudhari in a blog post laid out a series of research questions, potentially seeking to apply actor-network theory as a research methodology. Recently, the Indian Patents Office released the Guidelines for Examination of Computer Related Inventions (“2015 Guidelines/ Guidelines”) in an attempt to clarify examination of software related patents in India. Anubha Sinha analysed the 2015 Guidelines. Read on to understand how the new guidelines will potentially lead to an increase in software patenting activity by expanding the scope of patentable subject matter – in negation of the legislative intent of section 3(k) of the Indian Patents Act, 1970. As a part of its content donation initiative, CIS has brought Nadustunna Charithra magazine under CC BY SA licence. CIS-A2K has received 74 issues as of now from the Telugu Jaati foundation. Sunil Abraham’s article titled Hits and Misses with the Draft Encryption Policy was published in The Wire on September 26, 2015. Vidushi Marda in a blog post titled Data Flow in the Unique Identification Scheme of India analysed the data flow within the UID scheme and highlighted the vulnerabilities at each stage. Vanya Rakesh in a blog post titled Human DNA Profiling Bill 2012 v/s 2015 Bill has analysed the Human DNA Profiling Bill introduced in 2012 with the provisions of the 2015 Bill. CIS sought information from ICANN on their revenue streams by sending them a second request under their Documentary Information Disclosure Policy. This request and their response have been described in a blog post by Aditya Garg. CIS has submitted a joint proposal with DataMeet and Oorvani for the Knight News Challenge 2015. We are proposing the development of "an application for users to search for locally-relevant data, discuss missing data, demand data, explore and respond to data demands by others, and start data crowd-sourcing exercises." CIS made its submission on CCWG-Accountability 2nd Draft Proposal on Work Stream 1 Recommendations to ICANN's CCWG-Accountability. Pranesh Prakash, on behalf of CIS, submitted comments to the Department of Telecom Panel’s report on net neutrality via MyGov. Prakash states that the report displays a far better understanding of the underlying issues than the TRAI consultation paper did, and is overall a good effort at balancing the different sides. Shyam Ponappa’s monthly column titled More on Those Dropped Calls was published by Business Standard.

Accessibility and Inclusion

Under a grant from the Hans Foundation we are doing a project on developing text-to-speech software for 15 Indian languages. The progress made so far in the project can be accessed here.

NVDA and eSpeak

Monthly Updates

September 2015 Report (Suman Dogra; September 30, 2015).

Event Reports

Training in the use of eSpeak Hindi with NVDA (Organized by CIS and Lakshay for the Differently Abled; September 29 – 30, 2015; Ranchi). The event was conducted online by Dr. Homiyar over skype, with local support from Mritunjay Kumar and Zainab.
5 day TOT for Training in Use of eSpeak Kannada with NVDA (Organized by CIS, Mithra Jyoti, Enable India and NFB, Bangalore; September 21 – 25, 2015; Bangalore).
eSpeak Training in Hindi Language (Organized by CIS and National Association for the Blind; Kullu; September 3 – 4, 2015).
Training in eSpeak Marathi (Organized by CIS; Atmadepam Society; August 22 – 23, 2015). The report was published in the month of September.

Access to Knowledge

As part of the Access to Knowledge programme we are doing two projects. The first one (Pervasive Technologies) under a grant from the International Development Research Centre (IDRC) is for research on the complex interplay between pervasive technologies and intellectual property to support intellectual property norms that encourage the proliferation and development of such technologies as a social good. The second one (Wikipedia) under a grant from the Wikimedia Foundation is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Pervasive Technologies

Blog Entries

Pervasive Technologies: Working Document Series - Research Questions and a Literature Review on the Actor-Network Theory (Nehaa Chaudhari; September 5, 2015).
FAQ: CIS Proposal for Compulsory Licensing of Critical Mobile Technologies (Rohini Lakshané; September 25, 2015).

Other (Copyright and Patent)

Submission

Comments on the Guidelines for Examination of Computer Related Inventions (CRIs) (Anubha Sinha; September 21, 2015).

Blog Entries

Open Letter to PM Modi on Intellectual Property Rights issues on His Visit to the United States of America in September 2015 (Pranesh Prakash and Nehaa Chaudhari; September 23, 2015).

Participation in Events

National Conference: WTO, FTAs and Investment Treaties: Implications for development policy space (Organized by Focus on the Global South, Institute for Studies in Industrial Development (ISID), Madhyam, MSF Access Campaign, National Working Group on Patent Laws and WTO (NWGPL), Public Services International (PSI) – South Asia, South Solidarity Initiative – ActionAid, Third Word Network (TWN), and Forum against FTAs; September 22 – 23, 2015; Institute for Studies in Industrial Development, New Delhi). Nehaa Chaudhari made a presentation on Copyright: Access to Knowledge in Free Trade Agreements?
IPEX 2015 (Organized by Confederation of Indian Industry, APTDC and TDPC; September 25 - 26, 2015; Chennai). Rohini Lakshané attended the event.

Media Coverage

Open letter from CIS to PM Modi on Intellectual Property Rights issues on his Visit to US (Apoorva Mandhani; LiveLaw; September 23, 2015).

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

CIS brings Nadustunna Charithra magazine under CC BY SA licence (Tanveer Hasan; September 2, 2015).
OCR and OER – update (Subhashish Panigrahi; Open Education Working Group; September 25, 2015).
As Odia Wikipedia turns 13, what happens next? (Subhashish Panigrahi; September 26, 2015). This was originally published on the Wikimedia Blog on August 21. The post was shared on Wikipedia's official Facebook page, and on Twitter handles [1 and 2].
Google's Optical Character Recognition Software Now Works with All South Asian Languages (Subhashish Panigrahi; September 26, 2015).
Wikimedia contributor shares his Linux story (Subhashish Panigrahi; September 27, 2015). This article is part of a series called My Linux Story. To participate and share your Linux story, contact us at: open@opensource.com. Read the original published by Opensource.com on September 3, 2015.

Events Co-organized

Annamaya Library edit-a-thon (Organized by CIS-A2K and Telugu Wikipedia Community; August 6, 2015; Andhra Loyola College; Vijaywada).
International Workshop on Digitization and Archiving (Organized by CIS-A2K and Wikipedia Community; August 19 – 21, 2015). Rahmanuddin Shaik was one of the trainers.

Media Coverage

CIS gave its inputs to the following:

Unable to read Odia on your android device? Don’t fret! (Ruby Nanda; Odisha Sun Times; September 28, 2015).

Openness

The advent of the Internet has radically redefined what it means to be open and collaborative. The Internet itself is built upon open standards and free/libre/open source software. Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Open Data

Submission

As one of the general stewards of the process, CIS was invited to take part in the final drafting meeting of the International Open Data Charter held before Con Datos 2015 in Santiago, Chile, but we could not take part in it. Apart from organising two public consultations on the draft Charter in Bengaluru and Delhi, we also submitted our detailed comments on the document. The final version of the Charter document has been launched at the United Nation General Assembly meeting, on September 27.

Free Software

Blog Entry

Software Freedom Pledge (Pranesh Prakash; September 25, 2015).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and International Development Research Centre (IDRC)) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on studying the restrictions placed on freedom of expression online by the Indian government.

Privacy

Article

Hits and Misses With the Draft Encryption Policy (Sunil Abraham; The Wire; September 26, 2015).

Blog Entries

Data Flow in the Unique Identification Scheme of India (Vidushi Marda; September 3, 2015).
Human DNA Profiling Bill 2012 v/s 2015 Bill (Vanya Rakesh; September 6, 2015).
Open Governance and Privacy in a Post-Snowden World: Webinar (Vanya Rakesh; September 26, 2015).

Participation in Event

The Changing Landscape of ICT Governance and Practice - Convergence and Big Data (Co-organized by Innovation Center for Big Data and Digital Convergence, Yuan Ze University, Taiwan; August 24 – 25, 2015). Sharat Chandra Ram was granted the Young Scholar Award 2015 to attend the Young Scholar Workshop followed by main CPRSouth2015 conference (Communication Policy Research South) conference.

Free Speech and Expression

Submission

CIS Submission on CCWG-Accountability 2nd Draft Proposal on Work Stream 1 Recommendations (Pranesh Prakash; September 13, 2015).

Blog Entries

DIDP Request #11: NETmundial Principles (Aditya Garg; September 14, 2015).
DIDP Request #12: Revenues (Aditya Garg; September 14, 2015).
Peering behind the veil of ICANN’s DIDP (Padmini Baruah; September 21, 2015).

Participation in Event

Asian Regional Consultation on the WSIS+10 Review (Organized by The Internet Democracy Project, Bytes for All, APNIC, the Association for Progressive Communications, ISOC, Global Partners Digital and ICT Watch; September 3 – 5, 2015). Jyoti Panday attended the event.

IGF

The tenth annual IGF meeting will be held in João Pessoa, Brazil, on November 10 - 13, 2015. IGF's MAG has decided to retain the title “Evolution of Internet Governance: Empowering Sustainable Development” as the overarching theme. Sunil Abraham will be a panelist for the following workshops:

Understanding and Mitigating Online Hate Speech and Youth Radicalisation (Organized by Council of Europe, Oxford University, OHCHR, Google and ISOC; November 2015).
Transnational Due Process: A Case Study in Multi-stakeholder Cooperation (Organized by the United Nations; November 2015).

Cyber Security

Event Organized

Bangalore Chapter Meet of DSCI (Co-organized by DSCI and CIS; September 26, 2015). Melissa Hathaway, Commissioner, Global Commission for Internet Governance and Sunil Abraham gave a talk at this event.

Miscellaneous

Sustainable Smart Cities India Conference 2015, Bangalore (Vanya Rakesh; September 21, 2015).

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Submission

Comments on the DoT Panel Report via MyGov (Pranesh Prakash; September 26, 2015).

Op-ed

More on those Dropped Calls (Shyam Ponappa; Business Standard; September 2, 2015 and Organizing India Blogspot; September 3, 2015).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by contemporary concerns to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It is interested in producing local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Submission

Where's My Data? Submission for Knight News Challenge 2015 (Sumandro Chattapadhyay; September 30, 2015). The text of the proposal was prepared by Nisha Thompson of DataMeet, Meera K of Oorvani, and Sumandro Chattapadhyay.

Blog Entries

The Internet in the Indian Judicial Imagination (Divij Joshi; September 9, 2015).
The Many Lives and Sites of Internet in Bhubaneswar (Sailen Routray; September 21, 2015).

News & Media Coverage

CIS gave its inputs to the following media coverage:

Does this click with you? (Parshathy J. Nath; The Hindu; September 1, 2015).
Government may tieup with global police, Interpol to fight child pornography (Surabhi Agarwal; September 3, 2015).
Hiding behind rules on naming sites it banned, govt reveals fears (Harjeet Inder Singh Sahi; September 3, 2015).
Outrage before sharing (Nikhil Verma; The Hindu; September 9, 2015).
Faking a stand (Shweta T. Nanda; The Week; September 20, 2015).
Some Key Words Are Missing (Arindam Mukherjee; Outlook; September 21, 2015).
Open sesame (The Hindu; September 22, 2015).
India encryption policy draft faces backlash (Moulishree Srivastava; September 22, 2015)
Online outcry forces government to withdraw draft encryption policy (Naina Khedekar; First Post; September 23, 2015).
Encryption policy would have affected emails, operating systems, WiFi (Amrita Madhukalya; DNA; September 23, 2015).
Govt presses 'undo' button on draft encryption policy (Business Standard; September 23; 2015).
Huge outcry forces India to backtrack on social media data proposal (Today; September 24, 2015).
Facebook’s Free Internet Access Program in Developing Countries Provokes Backlash (Newley Purnell and Resty Woro Uniar; The Wall Street Journal; September 24, 2015).
Ahead of hosting Modi, Facebook rebrands internet.org as Free Basics (Business Standard; September 26, 2015).
‘By weakening our security, govt is putting us at risk of espionage’ (S. Raghotham and Mayukh Mukherjee; Asian Age; September 27, 2015).
ভারতে পাঁচশোরও বেশি স্টেশনে ফ্রি ওয়াই-ফাই চালু হবে (BBC; September 28, 2015).
Do you agree with our fee hike? Press 1 to answer Yes; or 2 for Yes (Kieren McCarthy; The Register; September 29, 2015).
Indian PM Narendra Modi’s digital dream gets bad reception (Amanda Hodge; September 29, 2015).
What Bengaluru Thinks of the Big Tech Announcements in Silicon Valley (Maya Sharma; NDTV; September 29, 2015).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the mediation and reconfiguration of social and cultural processes and structures by the internet and digital media technologies.

► Follow us elsewhere

CIS - Twitter: http://twitter.com/cis_india
Access to Knowledge - Twitter: https://twitter.com/CISA2K
Access to Knowledge - Facebook: https://www.facebook.com/cisa2k
Access to Knowledge - E-Mail: a2k@cis-india.org
Researchers at Work - E-Mail: raw@cis-india.org
Researchers at Work - Mailing List: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/september-2015-bulletin