We are anonymous, we are legion

Open House on Security Practices in FinTech

Admin — 2017-11-12T10:18:09Z

CIS in collaboration with Has Geek is organizing an Open House on security practices in FinTech.

The prevalence of fintech companies operating in India is growing with new actors entering the sector and traditional actors such as banks beginning to offer digital financial services. The push to digital payments has been particularly strong after the demonetization policy, the development and implementation of Aadhaar and India Stack. Services offered by Fintech firms can range from offering a loan or credit to a digital wallet and digital banking and payment services.

Presently, there is a regulatory gap for many of the fintech services and business models. The Reserve Bank of India has published consultation papers on Peer-to-Peer lending platforms as well as Account Aggregators, but comprehensive regulations, especially those surrounding minimum security practices, have yet to emerge – presenting a critical policy and research window. Furthermore, under Section 43A of the IT Act and its associated Rules, ‘body corporates’ are required to implement reasonably security procedures compliant with ISO27001 or a sectoral standard approved by the Central Government. However, currently such a sectoral standard is absent for the FinTech and Digital Payments space.

The growing prevalence of these fintech technologies and the criticality of security of the same to engender citizen trust, protect rights, and comprehensive national security posture demands debate and discussion.

On November 17th, the HasGeek in collaboration with the Centre for Internet and Society will be holding an Open House from 6pm - 8pm to discuss security practices in the fintech industry.

Pressing questions for discussion include: How secure are these services? What security standards are they adhering to? Who is holding them accountable for adherence to security standards? What can individuals do if there financial data is compromised?

Please join us for a robust discussion on these issues @HasGeek House, 2699, 19th Main Rd, HAL 2nd Stage, Indiranagar, 19th Main Rd, HAL 2nd Stage, Indiranagar, Bengaluru, Karnataka 560008 from 6PM - 8 PM on November 17th.

For more details visit https://cis-india.org/internet-governance/events/open-house-on-security-practices-in-fintech

A Comparison of Legal and Regulatory Approaches to Cyber Security in India and the United Kingdom

Authored by Divij Joshi and edited by Elonnai Hickok — 2017-11-14T15:26:46Z

This report is the first part of a three part series of reports that compares the Indian cyber security framework with that of the U.K, U.S and Singapore.

This report compares laws and regulations in the United Kingdom and India to see the similarities and disjunctions in cyber security policy between them. The first part of this comparison will outline the methodology used to compare the two jurisdictions. Next, the key points of convergence and divergence are identified and the similarities and differences are assessed, to see what they imply about cyber space and cyber security in these jurisdictions. Finally, the report will lay out recommendations and learnings from policy in both jurisdictions.

Read the full report here

For more details visit https://cis-india.org/internet-governance/blog/a-comparison-of-legal-and-regulatory-approaches-to-cyber-security-in-india-and-the-united-kingdom

#NAMAprivacy: Data standards for IoT and home automation systems

Admin — 2017-11-08T02:15:52Z

On 5th October, MediaNama held a #NAMAprivacy conference in Bangalore focused on Privacy in the context of Artificial Intelligence, Internet of Things (IoT) and the issue of consent, supported by Google, Amazon, Mozilla, ISOC, E2E Networks and Info Edge, with community partners HasGeek and Takshashila Institution. Part 1 of the notes from the discussion on IoT:

Link to the original published by Medianama on October 18 here

The second session of the #NAMAprivacy in Bangalore dealt with the data privacy in the Internet of Things (IoT) framework. All three panelists for the session – Kiran Jonnalagadda from HasGeek, Vinayak Hegde, a big data consultant working with ZoomCar and Rohini Lakshane a policy researcher from CIS – said that they were scared about the spread of IoT at the moment. This led to a discussion on the standards which will apply to IoT, still nascent at this stage, and how it could include privacy as well.

Hedge, a volunteer with the Internet Engineering Task Force (IETF) which was instrumental in developing internet protocols and standards such as DNS, TCP/IP and HTTP, said that IETF took a political stand recently when it came to privacy. “One of the discussions in the IETF was whether security is really important? For a long time, the pendulum swung the other way and said that it’s important and that it’s not big enough a trade-off until the bomb dropped with the Snowden revelations. The IETF has always avoided taking any political stance. But for the first time, they did take a political position and they published a request for comments which said: “Pervasive monitoring is an attack on the Internet” and that has become a guiding standard for developing the standards,” he explained.

He added that this led the development of new standards which took privacy into consideration by default.

“The repercussions has been pervasive across all the layers of the stack whether it is DNS and the development of DNS Sec. The next version of HTTP, does not actually mandate encryption but if you look at all the implementation on the browser side, all of them without exception have incorporated encryption,” he added.

Rohini added that discussion around the upcoming 5G standard, where large-scale IoT will be deployed, also included increased emphasis on privacy. “It is essentially a lot of devices connected to the Internet and talking to each other and the user. The standards for security and privacy for 5G are being built and some of them are in the process of discussion. Different standard-setting bodies have been working on them and there is a race of sorts for setting them up by stakeholders, technology companies, etc to get their tech into the standard,” she said.

“The good thing about those is that they will have time to get security and privacy. Here, I would like to mention RERUM which is formed from a mix of letters which stands for Reliable, Resilient, and Secure IoT for smart cities being piloted in the EU. It essentially believes that security should include reliability and privacy by design. This pilot project was thought to allow IoT applications to consider security and privacy mechanisms early in the design, so that they could balance reliability. Because once a standard is out or a mechanism is out, and you implement something as large as a smart city, it is very difficult to retrofit these considerations,” she explained.

Privacy issues in home automation and IoT

Rohini pointed out a report which illustrates the staggering amount of data collection which will be generated by home automation. “I was looking for figures, and I found an FTC report published in 2015 where one IoT company revealed in a workshop that it provides home automation to less than 10,000 households but all of them put together account for 150 million data points per day. So that’s one data point for every six seconds per household. So this is IoT for home automation and there is IoT for health and fitness, medical devices, IoT for personal safety, public transport, environment, connected cars, etc.”

In this sort of situation, the data collected could be used for harms that users did not account for.

“I received some data a couple of years back and the data was from a water flowmeter. It was fitted to a villa in Hoskote and the idea was simple where you could measure the water consumption in the villa and track the consumption. So when I received the data, I figured out by just looking at the water consumption, you can see how many people are in the house, when they get up at night, when they go out, when they are out of station. All of this data can be misused. Data is collected specifically for water consumption and find if there are any leakages in the house. But it could be used for other purposes,” Arvind P from Devopedia said.

Pranesh Prakash, policy director at Centre for Internet and Society (CIS), also provided an example of a Twitter handle called “should I be robbed now” where it correlates a user’s vacation pictures says that they could be robbed. “What we need to remember is that a lot of correlation analysis is not just about the analysis but it is also about the use and misuse of it. A lot of that use and misuse is non-transparent. Not a single company tells you how they use your data, but do take rights on taking your data,” he added.

Vinayak Hedge also added that the governments are using similar methods of data tracking to catch bitcoin miners in China and Venezuela from smart meters.

“In China, there are all these bitcoin miners. I was reading this story in Venezuela, where bitcoin mining is outlawed. The way they’re catching these bitcoin miners is by looking at their electricity consumption. Bitcoin mining uses a huge amount of power and computing capacity. And people have come out with ingenious ways of getting around it. They will draw power from their neighbours or maybe from an industrial setting. This could be a good example for a privacy-infringing activity.”

Pseudonymization

Srinivas P, head of security at Infosys, pointed out that a possible solution to provide privacy in home automation systems could be the concept of pseudonymity. Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers or pseudonyms.

“There are a number of home automation systems which are similar to NEST, which is extensively used in Silicon Valley homes, that connect to various systems. For example, when you are approaching home, it will know when to switch on your heating system or AC based on the weather. And it also has information on who stays in the house and what room and what time they sleep. And in a the car, it gives a full real-time profile about the situation at home. It can be a threat if it is hacked. This is a very common threat that is being talked about and how to introduce pseudo-anonymity. When we use these identifiers, and when the connectivity happens, how do we do so that the name and user are not there? Pseudonymity can be introduced so that it becomes difficult for the hacker to decipher who this guy is,” Srinivas added.

Ambient data collection

With IoT, it has never been able to capture ambient data. Ambient data is information that lies in areas not generally accessible to the user. An example for this is how users get traffic data from Internet companies. Kiran Jonnalagadda explained how this works:

“When you look at traffic data on a street map, where is that data coming from? It’s not coming from the fact that there is an app on the phone constantly transmitting data from the phone. It’s coming from the fact that cell phone towers record who is coming to them and you know if the cell phone tower is facing the road, and it has so many connections on it, you know that traffic is at a certain level in that area. Now as a user of the map, you are talking to a company which produces this map and it is not a telecom company. Someone who is using a phone is only dealing with a telecom company and how does this data transfer happen and how much user data is being passed on to the last mile user who is actually holding the phone.”

Jonnalagadda stressed on the need for people to ask who is aggregating this ambient data.

“Now obviously, when you look at the map, you don’t get to see, who is around you. And that would be a clear privacy violation and you only get to see the fact that traffic is at a certain level of density around the street around you. But at what point is the aggregation of data happening from an individually identifiable phone to just a red line or a green line indicating the traffic in an area. We also need to ask who is doing this aggregation. Is it happening on the telecom level? Is it happening on the map person level and what kind of algorithms are required that a particular phone on a cell phone network represents a moving vehicle or a pedestrian? Can a cell phone company do that or does a map company do that? If you start digging and see at what point is your data being anonymized and who is responsible for anonmyzing it and you think that this is the entity that is supposed to be doing it, we start realizing that it is a lot more complicated and a lot more pervasive than we thought it would be,” he said.

#NAMAprivacy Bangalore:

Will artificial Intelligence and Machine Learning kill privacy? [read]
Regulating Artificial Intelligence algorithms [read]
Data standards for IoT and home automation systems [read]
The economics and business models of IoT and other issues [read]

#NAMAprivacy Delhi:

Blockchains and the role of differential privacy [read]
Setting up purpose limitation for data collected by companies [read]
The role of app ecosystems and nature of permissions in data collection [read]
Rights-based approach vs rules-based approach to data collection [read]
Data colonisation and regulating cross border data flows [read]
Challenges with consent; the Right to Privacy judgment [read]
Consent and the need for a data protection regulator [read]
Making consent work in India [read]

For more details visit https://cis-india.org/internet-governance/news/medianama-october-18-2017-namaprivacy-data-standards-for-iot

#NAMAprivacy: The economics and business models of IoT and other issues

Admin — 2017-11-08T02:09:51Z

Link to the original published by Medianama on October 18, 2017 here

Part 1 of the notes from the discussion on IoT are here. Part 2:

The session on IoT shifted gears and the participants spoke more about the economics and business IoT. Participants expressed concern that data could be linked to very private aspects of their lives and build business models around them. For example, data from fitness trackers can be linked to a user’s insurance premiums. Or sensors on a car that monitors a user’s driving behavior and link motor insurance.

“I work for Zoomcar, and these are devices which our lives depend and are collecting and reporting data. And that data can be used against you. So it is very hard to know what is fair and what is unfair. Someone mentioned insurance, I feel it is useful to collect a lot of data and decide on insurance based on your driving behaviour and we have had markers for that. But is it fair to the user? The same kind of questions crops up elsewhere like in the US when it comes to healthcare,” Vinayak Hegde said.

An audience member pointed out to that in such a scenario, privacy can help businesses rather than inhibit them and cited a research study in UC Berkely. “If I use a health tracking device, some of those devices can be valuable for health insurance companies and using that data, they might increase the premiums. But I don’t know actually who might sell my data to someone,” he explained.

“Because I don’t know which tracking devices sell my data, I would like not to own the devices itself. So that itself harms the entire health tracker industry itself. He (the researcher) defines privacy as contextual integrity. So a health tracking device is supposed to help me track my health and not supposed to be used by insurance people to determine my premium. If the regulation mandates the contextual integrity of that, it helps that particular industry to avoid those feedback loops,” he explained.

Are fitness trackers in the hardware or services business?

Kiran Jonnalagadda of HasGeek added to the point on fitness trackers. He said that all of IoT is not in the business of hardware and that they are in the services business. “I had an unusual experience for the past one week, I was out in an area with no Internet connection. But I have two fitness trackers. I bought them mostly because I’m curious about how these companies operate and what they’re doing. And the differences between them are the way they think about things. Now both of these are capable of counting steps without an Internet connection…. But they cannot do anything to show the step count on my phone which it connects to until the data is sent to the Internet and brought back. So my phone would keep telling me that I am not moving and tell me the move but the watch is saying that I am doing 20,000 steps a day and that I am trekking a lot,” he explained.

“For whatever reason, these companies have decided to operate in this manner where validation of data happens on the cloud and not on the device. You only get the most rudimentary data from your device and your phone is just a conduit and not a processing centre at all,” Jonnalagadda said.

He explained both the devices were in the device sales business and has not asked money from them for enabling this sort of Internet-based processing of data. “It calls into question, what is the model here. One could bring the conspiracy theory that they’re selling my data and therefore they don’t worry about collecting data from me. The second is to say: be a little bit more charitable and they recognize that if they piss me off, I won’t buy their device again. And then just assume that a device has a lifetime of just 2-3 years and if you keep a person happy for 2-3 years, they will buy the device from you again. What’s interesting is ultimately not about devices and that it is about services. And this is what I want to say about IoT that it is not about hardware at all it is entirely about services. Without services, the entire business model of IoT breaks down. You do not get software updates, you get vulnerabilities, you get broken design, things have stopped working and no one supports you.”

The economics of processing data locally on a device

Thejesh GN, co-founder of DataMeet, questioned the need for data to be processed on the Internet and asked whether the data will be better protected and have better privacy if it were processed locally. “Considering the fact that we have such powerful phones which are affordable, and can do a lot of things without the Internet. I mean the biggest concept we had in IoT was that we didn’t have CPU or memory and processing power. Given that and the availability of EDGE devices, how long will we have economic cases where privacy can be sold as part of IoT. The processing happens 99% of the times locally without Internet and requires the Internet only when there is messaging. This could be true for your fitness trackers that can be connected to your phone. Your phone has all the capabilities to do all the analysis and doesn’t need to go to the server,” he said.

Pranesh Prakash of the CIS countered him and said that the economics for processing data works out cheaper for the companies.

“One on local processing, this I think is a perennial problem and it really is a question of economics versus principles. Free software is losing out the battle against using other people’s computers for computing—cloud computing—because of economics. So, you no longer own the software that you purchase and even the hardware, very often, with IOT might not actually be yours. It might come with a license, it might come with data that is tied to the company that is actually providing you the device. So the economics of this are for me clear: it’s much cheaper to do it on other computers than to do it locally,” Prakash explained.

He made a case for asserting for individual user’s rights to privacy in this kind of scenario. “It is a question of principles. Should we allow for that or should we assert for consumer protection laws and assert other manners of laws to say that ‘no, people who are purchasing devices’ ought to have greater control of the devices and the data that they produce,” he added.

Group privacy

The audience also suggested that privacy laws should not just look at protecting the rights of individuals but should look at protecting the rights of groups as well. They raised concerns that even in a group and if the data has been anonymized, it still can be weaponized and cause harms.

“For example, if there are 10-15 of us in this room and given our detailed medical histories, I can find a correlation between some of that. And then I can use that data in some other form when I run a test to see if I am vulnerable to something or use it as a way to discriminate further down the line. As a group, privacy matters a lot because when we talk about devices, we are talking about individuals. Maybe you can target via ethnicity or by age or by class and that can also be weaponized,” an audience member suggested.

Vinayak Hegde gave an example of how weather data captured by IoT can cause harms to a society at large. “If I’m using the weather sensor data and because of global warming, some places like Florida and south of India are going to be extremely hot, I can use surge pricing for a person’s electricity. Again I am not getting targeted as an individual, but as a group, I am being targeted. And sensors are closing that loop really fast.” he explained.

Srinivas P, head of security at Infosys, gave another example where gyroscopes in a phone could target a family. “Some companies in the US use gyroscope in a phone to surreptitiously monitor TV viewing habits. The mobile phone gets activated and over a period of time, they can tweak the advertisements. It is an interesting example, because in TV, when you watch at home, you cannot pinpoint TV a user, because it is shared by a family. This is because the guy who is watching the maximum amount of TV, their data gets circulated and the ads will be tailored to them. The person who does not watch that much amount of TV gets baffled to see advertisements that are not relevant to them. So when you want to process data, you want to assume that, this TV belongs to a user. The TV belongs to a group. And what if the viewing habits are so different, that once your privacy is violated, you don’t want your other family member to know what you are watching,” he added.

Perception of permissions for sensors

Rohini Lakshane of CIS raised an important point during the discussion. The users have different perceptions about the sensors that are embedded in smartphones. She pointed out that users are generally unaware that accelerometers are sensors and capture data and most apps do not ask permissions for the same. An accelerometer is a device used to measure acceleration forces. It is usually used in devices to measure movement and vibrations in devices such as fitness trackers.

“A researcher surveyed a control group and asked them if their GPS data was taken and their camera was made accessible, whether they would be comfortable with it? They were hugely uncomfortable. The question came to the accelerometer on the phone and the respondents said that ‘we are not all that afraid’. The accelerometer only counts the acceleration. So in that app which counts how many steps we have taken in a day, it uses the accelerometer and there is no permission required for it. The accelerometer is still on the phone and is still generating the data and you don’t see it because you don’t have an interface directly with it,” she commented.

#NAMAprivacy Bangalore:

Will artificial Intelligence and Machine Learning kill privacy? [read]
Regulating Artificial Intelligence algorithms [read]
Data standards for IoT and home automation systems [read]
The economics and business models of IoT and other issues [read]

#NAMAprivacy Delhi:

Blockchains and the role of differential privacy [read]
Setting up purpose limitation for data collected by companies [read]
The role of app ecosystems and nature of permissions in data collection [read]
Rights-based approach vs rules-based approach to data collection [read]
Data colonisation and regulating cross border data flows [read]
Challenges with consent; the Right to Privacy judgment [read]
Consent and the need for a data protection regulator [read]
Making consent work in India [read]

For more details visit https://cis-india.org/internet-governance/news/medianama-october-18-2017-namaprivacy-economics-and-business-models-of-iot

Big Data for governance

Admin — 2017-11-08T01:42:18Z

Recent times have witnessed an explosion of data as users started leaving a huge data footprint everywhere they go. Interestingly, this period has seen a phenomenal increase in computing power couple by a drop in costs of storage.

The article by Alekhya Hanumanthu was published in Telangana Today on November 4, 2017.

India is now sitting on the data so generated and subjecting it to data analytics for uses in various sectors like insurance, education, healthcare, governance, so on and so forth.

According to Centre for Internet and Society (CIS), in 2015, the Government of Narendra Modi launched Digital India Programme to ensure availability of government services to citizens electronically by improving online infrastructure and Internet connectivity.

Amongst other things, e-Governance and e-Kranti intend to reform governance through technology and enable electronic delivery of services. Needless to say, it will involve large scale digitisation, electronic collection of data from residents and processing. The Big data so created will help policy making evolve into a data backed, action oriented initiative with accountability asserted where it is due.

Let’s take a look at some Big Data based initiatives underway according to analyticsindiamag:

Project insight: Undertaken up by Indian tax agencies, Project Insight is an advanced analytical tool that is a comprehensive platform that encourages compliance of tax while at the same time it prevents non-compliance. Significantly, it will be used to detect fraud, support investigations and provide insights for policy making. For instance, it will detect the social media activity of a person to glean their spending and check if it is commensurate with the tax they have paid during that year. Needless to say, this will also unearth sources of black money.

Economic Development Board in Andhra: CORE-CM Office Realtime Executive Dashboard is an integrated dashboard established to monitor category-wise key performance indicators of various departments/schemes in real time. Users can check key performance indicators of various departments, schemes, initiatives, programmes, etc. With a panoply of services information ranging from Women and Child Welfare to Street lights monitoring, it has become an exemplary role model of governance.

Geo-tagging of assets under Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA): Under the guidance of Narendra Modi, online monitoring of assets to check leakages Ministry of Rural development was started. To achieve this, they were tied up with ISRO and National Informatics Centre to geo tag MGNREGA assets. According to India Today, the assets created range from plantations, rural infrastructure, water harvesting structures, flood control measures such as check dams etc. To do this, a junior engineer takes a photo of an asset and uploads it on the Bhuvan web portal run by ISRO’s National Remote Sensing Centre via a mobile app. Once a photo is uploaded, time and location gets encrypted automatically. Thus, the Government hopes to hold an ironclad control of the resources thus disseminated.

CAG’s centre for Data Management and Analytics: According to Comptroller and Auditor General of India, The CAG’s Centre for Data Management and Analytics (CDMA) is going to play a catalytic role to synthesise and integrate relevant data into auditing process. According to an announcement on National Informatics Centre (NIC), it aims to build up capacity in the Indian Audit and Accounts Department in Big Data Analytics to explore the data rich environment at the Union and State levels. What’s more, this initiative of CAG of India, puts it amongst the pioneers in institutionalising data analytics in government audit in the international community.

Task Force to spruce up Employment Data: The data provided by Labour Bureau is limited and not timely enough for policymakers to assess the need for job creation. To address this gap, the Government has set up a committee tasked to fill the employment data gap and ensure the timely availability of reliable information regarding job creation. Thus the top line of Government has a direct view of where the employment gaps are so that it can facilitate creation of appropriate jobs.

What’s the big picture?

Policy making and governance by Indian government have traditionally been rife with red tape, bureaucracy and corruption. Lack of accountability on part of Government workforce not only impacted the quantity and quality of work delivered but also invited corrupt practices and leakages. So, Big data is a welcome change in direction.

For more details visit https://cis-india.org/internet-governance/news/telangana-today-november-8-2017-alekhya-hanumanthu-big-data-for-governance

October 2017 Newsletter

praskrishna — 2018-01-10T00:53:03Z

October 2017 Newsletter

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
CIS submitted its comments on mobile accessibility guidelines to the Ministry of Electronics & IT, Govt. of India. Between 1 to 16 September, an online discussion took place on the creation of social media guidelines and strategy for Telugu Wikimedia handles online. Manasa Rao captured the developments in a blog post. Padma Venkataraman in a blog entry chronologically mapped CIS’ efforts at enhancing financial transparency and accountability at ICANN, while providing an outline of what remains to be done. Shyam Ponappa's article on NPAs and structural issues was published in the Business Standard on October 5, 2017.

Highlights

CIS submitted its comments on mobile accessibility guidelines to the Ministry of Electronics & IT, Govt. of India.
Between 1 to 16 September, an online discussion took place on the creation of social media guidelines and strategy for Telugu Wikimedia handles online. Manasa Rao captured the developments in a blog post.
Padma Venkataraman in a blog entry chronologically mapped CIS’ efforts at enhancing financial transparency and accountability at ICANN, while providing an outline of what remains to be done.
Shyam Ponappa's article on NPAs and structural issues was published in the Business Standard on October 5, 2017.

CIS in the News:

Attempted data breach of UIDAI, RBI, ISRO and Flipkart is worrisome (DailyO, October 4, 2017).
Sex, drugs and the dark web (Hindu; October 7, 2017).
Ahead of data protection law roll out, experts caution that it shouldn't limit collection and use of data (First Post; October 12, 2017).
#NAMAprivacy: The economics and business models of IoT and other issues (Medianama; October 18, 2017).
#NAMAprivacy: Data standards for IoT and home automation systems (Medianama; October 18, 2017).
Majority of top politicians' Twitter followers fake: audit (Furquan Moharkan; Deccan Herald; October 24, 2017).
Awards for those working on employment opportunities for disabled (Eastern Mirror; October 24, 2017).
Nibbling away into your bank account, salami attackers cart away a fortune (New Indian Express; October 25, 2017).
Nirmita Narasimhan wins the 18th NCPEDP-Mindtree Helen Keller Award 2017! (National Centre for Promotion of Employment for Disabled People; October 31, 2017).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Wikipedia

Blog Entries

Odia Wikisource Turns 3 (Manasa Rao; October 22, 2017).
Wikimedia Workshop at Ismailsaheb Mulla Law College, Satara (Subodh Kulkarni; October 24, 2017).
Marathi Wikipedia Edit-a-thon at Dalit Mahila Vikas Mandal, Satara (Subodh Kulkarni; October 24, 2017).
Marathi Wikipedia Workshop at MGM Trust's College of Journalism and Mass Communication, Aurangabad (Subodh Kulkarni; October 24, 2017).
Orientation Program at Kannada University, Hampi (A. Gopalakrishna; October 24, 2017).
Marathi Wikipedia Workshop at Solapur University (Subodh Kulkarni; October 24, 2017).
Discussion on Creation of Social Media Guidelines & Strategy for Telugu Wikimedia (Manasa Rao; October 24, 2017).

►Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Freedom of Expression

ICANN’s Problems with Accountability and the .WEB Controversy (Padma Venkataraman; October 24, 2017).
Why Presumption of Renewal is Unsuitable for the Current Registry Market Structure (Padma Venkataraman; October 29, 2017).
CIS’ Efforts Towards Greater Financial Disclosure by ICANN (Padma Venkataraman; October 29, 2017).

►Cyber Security

Participation in Event

CyFy 2017 (Organized by Observer Research Foundation; New Delhi; October 2 - 4, 2017). Sunil Abraham was a speaker.

►Privacy

Blog Entry

GDPR and India: A Comparative Analysis (Aditi Chaturvedi; October 17, 2017).

Participation in Event

Securing The Digital Payments Ecosystem (Organized by NITI Aayog; October 9, 2017).

►Big Data

Blog Entry

Revisiting Per Se vs Rule of Reason in Light of the Intel Conditional Rebate Case (Shruthi Anand; October 4, 2017).

Event Organized

Emerging Issues in the Internet of Things (CIS, Bengaluru; October 23, 2017). Andrew Rens gave a talk.

-----------------------------------

Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Article

NPAs & Structural Issues (Shyam Ponappa; Business Standard; October 4, 2017).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Articles

Digital Native: There is no spoon, There is no privacy (Nishant Shah; October 9, 2017).
Digital Native: Finger on the buzzer (Nishant Shah; October 22, 2017).

-----------------------------------
About CIS
-----------------------------------

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/october-2017-newsletter

Why Presumption of Renewal is Unsuitable for the Current Registry Market Structure

Padma Venkataraman — 2017-10-31T02:53:26Z

With the recent and much protested renewal of the .net legacy Top-Level-Domain (TLD), the question of the appropriate method of renewal has again come to the forefront. While this seems relatively uncontroversial to most, Padma Venkataraman, a law student and intern at CIS looks at presumptive renewal through a critical lens.

With the recent renewal of the .net legacy Top-Level-Domain (TLD), the question of the appropriate method of renewal is worth reconsidering. When we talk about presumption of renewal for registry agreements, it means that the agreement has a reasonable renewal expectancy at the end of its contractual term. According to the current base registry agreement, it shall be renewed for 10-year periods, upon expiry of the initial (and successive) term, unless the operator commits a fundamental and material breach of the operator’s covenants or breach of its payment obligations to ICANN.

Download the entire blog post here

For more details visit https://cis-india.org/internet-governance/blog/why-presumption-of-renewal-is-unsuitable-for-the-current-registry-market-structure

CIS’ Efforts Towards Greater Financial Disclosure by ICANN

Padma Venkataraman — 2017-10-31T02:10:11Z

CIS has been working towards enhancing transparency and accountability at ICANN since 2014. While initial efforts have resulted in ICANN revealing its sources of income in a granular fashion in 2015, we are yet to see this level of transparency become a default approach within ICANN. Here, Padma Venkataraman chronologically maps CIS’ efforts at enhancing financial transparency and accountability at ICANN, while providing an outline of what remains to be done.

With the $135 million sale of .web,^[1] the much protested renewal of the .net agreement^[2] and the continued annual increase in domain name registrations,^[3] among other things, it is no surprise that there are still transparency and accountability concerns within the ICANN Community. CIS, as part of its efforts to examine the functioning of ICANN’s accountability mechanisms, has filed many DIDP requests till date, in a bid for greater transparency of the organisation’s sources of revenues.

1.Efforts towards disclosure of revenue break-up by ICANN

- 2014

- 2015

- 2017

2.The need for granularity regarding historical revenues

-----

1.Efforts towards disclosure of revenue break-up by ICANN

- 2014

In 2014, CIS’ Sunil Abraham demanded greater financial transparency of ICANN at both the Asia Pacific IGF and the ICANN Open Forum at the IGF. Later that year, CIS was provided with a list of ICANN’s sources of revenue for the financial year 2014, including payments from registries, registrars, sponsors, among others, by ICANN India Head Mr. Samiran Gupta.^[4] This was a big step for CIS and the Internet community, as before this, no details on granular income had ever been publicly divulged by ICANN on request.

However, as no details of historical revenue had been provided, CIS filed a DIDP request in December 2014, seeking financial disclosure of revenues for the years 1999 to 2014, in a detailed manner - similar to the 2014 report that had been provided.^[5] It sought a list of individuals and entities who had contributed to ICANN’s revenues over the mentioned time period.

In its response, ICANN stated that it possessed no documents in the format that CIS had requested, that is, it had no reports that broke down domain name income and revenue received by each legal entity and individual.^[6] It stated that as the data for years preceding 2012 were on a different system, compiling reports of the raw data for these years would be time-consuming and overly burdensome. ICANN denied the request citing this specific provision for non-disclosure of information under the DIDP.^[7]

- 2015

In July 2015, CIS filed a request for disclosure of raw data regarding granular income for the years 1999 to 2014.^[8] ICANN again said that it would be a huge burden ‘to access and review all the raw data for the years 1999 to 2014 in order to identify the raw data applicable to the request’.^[9] However, it mentioned its commitment to preparing detailed reports on a go-forward basis - all of which would be uploaded on its Financials page.^[10]

- 2017

To follow up on ICANN’s commitment to granularity, CIS sought a detailed report on historical data for income and revenue contributions from domain names for FY 2015 and FY 2016 in June 2017.^[11] In its reply, ICANN stated that the Revenue Detail by Source reports for the last two years would be out by end July and that the report for FY 2012 would be out by end September.^[12]

2.The need for granularity regarding historical revenues

In 2014, CIS asked for disclosure of a list of ICANN’s sources of revenue and detailed granular income for the years 1999 to 2014. ICANN published the first but cited difficulty in preparing reports of the second. In 2015, CIS again sought detailed reports of historical granular revenue for the same period, and ICANN again denied disclosure claiming that it was burdensome to handle the raw data for those years. However, as ICANN agreed to publish detailed reports for future years, CIS recently asked for publication of reports for the FYs 2012, 2015 and 2016. Reports for these three years were uploaded according to the timeline provided by ICANN.

CIS appreciates ICANN’s cooperation with its requests and is grateful for their efforts to make the reports for FYs 2012 to 2016 available (and on a continued basis). However, it is important that detailed information of historical revenue and income from domain names for the years 1999 to 2014 be made publicly available. It is also crucial that consistent accounting and disclosure practices are adopted and made known to the Community, in order to avoid omissions of statements such as Detail Revenue by Source and Lobbying Disclosures, among many others, in the annual reports - as has evidently happened for the years preceding 2012. This is necessary to maintain financial transparency and accountability, as an organisation’s sources of revenues can inform the dependant Community about why it functions the way it does.

It will also allow more informed discussions about problems that the Community has faced in the past and continues to struggle with. For example, while examining problems such as ineffective market competition or biased screening processes for TLD applicants, among others, this data can be useful in assessing the long-term interests, motives and influences of different parties involved.

^[1] https://www.icann.org/news/announcement-2-2016-07-28-en

^[2] Report of Public Comment Proceeding on the .net Renewal. https://www.icann.org/en/system/files/files/report-comments-net-renewal-13jun17-en.pdf

^[3] https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2016-06-27-en

^[4] https://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014

^[5] DIDP Request no - 20141222-1, 22 December 2014. https://cis-india.org/internet-governance/blog/didp-request-2

^[6] https://www.icann.org/en/system/files/files/cis-response-21jan15-en.pdf

^[7] Defined Conditions for Non-Disclosure - Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual.

https://www.icann.org/resources/pages/didp-2012-02-25-en

^[8] DIDP Request no - 20150722-2, 22 July 2015. https://cis-india.org/internet-governance/blog/didp-request-12-revenues

^[9] https://www.icann.org/en/system/files/files/didp-response-20150722-2-21aug15-en.pdf

^[10] https://www.icann.org/en/system/files/files/didp-response-20150722-2-21aug15-en.pdf; https://www.icann.org/resources/pages/governance/financials-en

^[11] DIDP Request No. 20170613-1, 14 June 2017.

^[12] https://www.icann.org/en/system/files/files/didp-20170613-1-marda-obo-cis-response-13jul17-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/cis2019-efforts-towards-greater-financial-disclosure-by-icann

Roundtable on Enhancing Indian Cyber Security through Multi-Stakeholder Cooperation

Admin — 2018-02-01T14:04:36Z

A closed door round-table on enhancing Indian cyber security is being organized on 4 November 2017 at Indian Islamic Centre, Lodhi Road in New Delhi.

With the proliferation of digital technologies and the central role they play in national infrastructure and governance, security of systems and services is fundamental to the economic, political, and social development and success of a nation. Digital India, the National Payments Corporation of India, IndiaStack, and the Aadhaar ecosystem are just a few examples of such digital infrastructure. Yet the digital realm is increasingly becoming more complex and difficult to secure and monitor for vulnerabilities, threats, breaches, and attacks. The responsibility of identifying and monitoring such vulnerabilities can be spearheaded by designated governmental bodies like CERT-IN and NCIIPC, but for effective identification of threats and vulnerabilities, collaboration is needed across stakeholder groups including security researchers, industry, and government bodies. Transparency about breaches and attacks is also key in enabling consumer awareness and building trust with the public. Examples of such mechanisms include bug bounty programs and breach notification frameworks.

This closed door roundtable will seek to bring together government, industry, civil society, academia, and security researchers to identify different areas and tools of collaboration between stakeholders towards enhancing Indian cyber security. It will broadly focus on vulnerability identification and reporting and vulnerability/breach notification. This will include a reflection on:

Existing frameworks, forms of collaborations, policies and practices in India.
Practices, standards, certifications, and programmes adopted in other jurisdictions.
The way forward for India addressing issues like establishing trust, harmonization and communication across stakeholders and sectors, and ensuring quality and response.

RSVP: pranav@cis-india.org

Download the Invite

See the Report

For more details visit https://cis-india.org/internet-governance/events/roundtable-on-enhancing-indian-cyber-security-through-multi-stakeholder-cooperation

Nibbling away into your bank account, salami attackers cart away a fortune

Admin — 2017-11-27T15:35:33Z

A ‘salami’ might sound an innocuous term in the culinary sense. When it comes to cybercrime, a ‘salami’ is a dreaded attack which even the victims are hardly aware of. Like a salami slice, a hacker slices away small sums of money from multiple accounts on a daily basis. By the time the victims realise that they are being ‘sliced’, too little can be done or it’s already too late.

The article by Kiran Parashar KM and Akram Mohammed was published in New Indian Express on October 25, 2017.

This is among the various strategies allegedly used by some bank employees, working in cahoots with persons working in telecom companies to defraud customers of their savings. Cyber crime police, who have arrested several bank employees in the past in similar cases, warn that throwing caution to the wind while banking online or responding to calls claiming to be from banks could land you in serious financial trouble.

What’s shocking is law enforcement agencies have failed to nab the culprits in a majority of such crimes.
Speaking to Express, Shubhamangala Sunil, head, Global Cyber Security Response Team, said that of all the techniques used by bank insiders to siphon off funds, ‘salami attack’ is probably the stealthiest. “Imagine you have Rs 2,75,233 in to your account. If someone steals say `3 or 4 from your account every day, would you get an alert? If you did, would you go and complain to the bank that such a small amount is being stolen?” she questioned.

Due to lack of awareness about such threats, a complaint to the bank about such an issue is unlikely to bring any relief to the victim, she said. With time, many new techniques will be discovered by fraudsters and security might not be adequate to thwart all of them, she added.

Pranesh Prakash, Policy Director at the Centre for Internet and Society said the extent of fraud in the financial sector can be decreased “by improving security of financial processes, auditing software for vulnerabilities and fixing them and improving consumer protection laws.” Processes used by banks, both offline and while engaging with customers online and through systems such as Unified Payments Interface, should be improved, he said.

Bad practices
Prakash cited bad practices by different banks — such as preventing right click in password boxes (which curb positive security practices such as usage of password managers), limiting password lengths, and not supporting software-based OTPs and stronger security like “Universal 2nd Factor” — were also putting customers at risk. Stressing the need for consumer awareness, he said that even if everything works fine at the bank/financial institutions side customers commit mistakes, leaving them vulnerable. Therefore, spreading awareness about security best practices and hassle-free insurance to minimise harm to customers is essential, he said. “Bank fraud or any other online fraud is inevitable. We have to ensure that the harms from such fraud are as minimal as possible,” he added.

Insider frauds
While bank fraud cases — both online and offline — are increasing, police are finding the involvement of insiders who exploit loopholes in the banking systems. Sources in the CID-Cyber Crime Cell say there have been multiple cases where there is involvement of at least one bank employee. Digital banking has increased post demonetisation and yet the security features are not enhanced. Two days after police caught two employees of JP Morgan bank who had swindled `12 crore of a US-based client, police express concern over the security and background checks in the banking system as one of the accused had been working for four years with fake documents and on a fake name. An investigating official said the insider shares details of debit/credit cards with the conmen who clone cards for commission.

Banking security
Joint Commissioner of Police (Crime), Satish Kumar N said there is a co-ordination committee of police and Reserve Bank of India. “We share notes about cases of bank fraud and also recommend some security features to be adopted in the banking sector. The meeting is held on a regular basis,” he said. To a question on ‘salami attack’, he said that police have not come across any such complaints yet. “We have been vigilant about cyber related issues,” he added.

WHODUNNIT?

Case 1: June 2017
Vinod Kumar Pacchiyappan, manager of SBI Cards and Payment Services Pvt Ltd, located in Embassy Heights on Magrath Road filed a complaint with police that Know Your Customer (KYC) data of customers was compromised. Apart from this, fake credit cards were created resulting in a loss of `38.39 lakh. The investigating officials suspect the involvement of insiders in the case.
Status: No arrests yet

Case 2: May 2016

An US-couple living in Bengaluru was cheated of `6 lakh in just 2 hours.Cyber criminals, using their bank data credentials, had shopped online.The police, almost a year-and-half after the incident, are yet to know how their credit card details were extracted, but suspect that a bank employee was involved in the case.Status: No arrests yet

Case 3: January 2016
Police lodged a complaint of hacking against unknown persons, who cheated customers of several lakhs in Karnataka and Telangana. Police learnt that the fraud was committed by hacking into Axis Bank’s mobile wallet app LIME and SBI’s Buddy app. Bank account details of the victims, mobile phone numbers, etc., were stolen by the accused.
Status: Seven people, including G Gopalakrishna, deputy manager of Axis Bank’s Peddapalli branch in Karimnagar district of Telangana, and others involved in the crime were arrested.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-october-25-2017-nibbling-away-into-your-bank-account-salami-attackers-cart-away-a-fortune

Majority of top politicians' Twitter followers fake: audit

Admin — 2017-11-28T01:10:44Z

A majority of Twitter users following top Indian politicians, including prime minister Narendra Modi, are fake, according to an audit site.

The article by Furquan Moharkan was published in Deccan Herald on October 24, 2017.

Leaders cutting across party lines generate popularity on social media using bots, or automated software, according to the data-analytics website TwitterAudit.

Delhi chief minister Arvind Kejriwal, Modi, and Congress vice president Rahul Gandhi have a combined Twitter credibility of just 35%. In other words, 65 out of 100 followers are fake.

Kejriwal, with 1.24 crore followers, has a low credibility of 22.9% on Twitter, according to TwitterAudit. A good 96.34 lakh of Kejriwal’s followers are bots.

Modi, who has two personal Twitter handles (@narendramodi and @narendramodi_in), has a combined credibility of just 37.4%. On the handle @narendramodi, of 3.5 crore followers, just 1.3 crore followers are said to be authentic. The remaining 2.2 crore are marked as bots by TwitterAudit.

The handle @narendramodi_in has 5.99 lakh authentic followers, and 8.01 lakh are again marked as bots.

Congress heir apparent Rahul Gandhi, relatively new to social media, has seen much traction of late. His credibility score is 51.6% on Twitter.

While 19.73 lakh of his followers are authentic, 18.51 lakh are said to be fake.

Rahul’s story
Rahul Gandhi’s handle ‘OfficeofRG’ has been in the news, with a spike in retweets being cited by rivals in the BJP as evidence of bots at work.

The handle got 2,784 retweets in September, as compared to 2,506 for Modi and and 1,722 for Kejriwal. In October, he’s scoring even better, with 3,812 retweets.

Sites like TwitterAudit are helpful, but their results are guesses based on various assumptions about ‘bot-like’ qualities, according to an expert.

Pranesh Prakash, Policy Director at Centre for Internet and Society, told DH some users were also out on ‘false flag operations,’ besmirching opponents by ‘exposing’ their usage of bots. “The idea that social media bots can shape popular discourse, as is often supposed to be the case with Brexit, is not backed by research,” he said. “A study by Enders Analysis shows the opposite to be the case.”

The score by TwitterAudit is based on the number of tweets, date of the last tweet, and ratio of followers to friends.

A news agency alleged the traction came from ‘bots’ with Russian, Kazakh or Indonesian handles routinely retweeting Rahul’s posts.

Infact, Prime Minister Office handle (@PMOIndia) also has a low credibility of 39.6%, according to twitter audit.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-furquan-moharkan-october-24-2017-majority-of-top-politicians-twitter-followers-fake

ICANN’s Problems with Accountability and the .WEB Controversy

Padma Venkataraman — 2017-10-28T15:49:38Z

The Post-Transition IANA promised enhanced transparency and accountability to the global multistakeholder community. The series of events surrounding the .WEB auction earlier this year has stirred up issues relating to the lack of transparency and accountability of ICANN. This post examines the .WEB auction as a case study to better understand exact gaps in accountability.

Chronological Background of the .WEB Auction

In June 2012, ICANN launched a new phase for the creation and operation of Generic Top-Level Domains (gTLDs). After confirming the eligibility of seven applicants for the rights of the .WEB domain name, ICANN placed them in a string contention set (a group of applications with similar or identical applied for gTLDs).^[1]

[Quick Note: ICANN procedure encourages the resolving of this contention set by voluntary settlement amongst the contending applicants (also referred to as a private auction), wherein individual participation fees of US $185,000 go to ICANN and the auction proceeds are distributed among the bidders. If a private auction fails, the provision for a last resort auction conducted by ICANN is invoked - here the total auction proceeds go to ICANN along with the participation fees.^[2]]

In June 2016, NuDotCo LLC, a bidder that had previously participated in nine private auctions without any objection, withdrew its consent to the voluntary settlement. Ruby Glen LLC, another bidder, contacted NDC to ask if it would reconsider its withdrawal, and was made aware of changes in NDC’s Board membership, financial position, management and a potential change in ownership, by NDC’s Chief Financial Officer.^[3] Concerned about the transparency of the auction process, Ruby Glen requested ICANN to postpone the auction on June 22, in order to investigate the discrepancies between NDC’s official application and its representation to Ruby Glen.^[4] The Vice President of ICANN’s gTLD Operations and the independent ICANN Ombudsman led separate investigations, both of which were limited to few e-mails seeking NDC’s confirmation of status quo. On the basis of NDC’s denial of any material changes, ICANN announced that the auction would proceed as planned, as no grounds had been found for its postponement.^[5]

On July 27, NDC’s winning bid – USD 135 million – beat the previous record by $90 million, doubling ICANN’s total net proceeds from the past fifteen auctions it had conducted.^[6] Soon after NDC’s win, Verisign, Inc., the market giant that owns the .com and .net domain names, issued a public statement that it had used NDC as a front for the auction, and that it had been involved in its funding from the very beginning. Verisign agreed to transfer USD 130 million to NDC, allowing the latter to retain a $5 million stake in .WEB.^[7]

Ruby Glen LLC filed for an injunction against the transfer of .WEB rights to NDC, and sought expedited discovery^[8] against ICANN and NDC in order to gather evidentiary support for the temporary restraining order.^[9] Donuts Inc., the parent company of Ruby Glen, simultaneously filed for recovery of economic loss due to negligence, fraud and breach of bylaws among other grounds, and Affilias, the second highest bidder, demanded that the .WEB rights be handed over by ICANN.^[10] Furthermore, at ICANN57, Affilias publicly brought up the issue in front of ICANN’s Board, and Verisign followed with a rebuttal. However, ICANN’s Board refused to comment on the issue at that point as the matter was still engaged in ongoing litigation.^[11]

Issues Regarding ICANN’s Assurance of Accountability

The Post-Transition IANA promised enhanced transparency and accountability to the global multistakeholder community. The series of events surrounding the .WEB auction has stirred up issues relating to the lack of transparency and accountability of ICANN. ICANN’s arbitrary enforcement of policies that should have been mandatory, with regard to internal accountability mechanisms, fiduciary responsibilities and the promotion of competition, has violated Bylaws that obligate it to operate ‘consistently, neutrally, objectively, and fairly, without singling out any particular party for discriminatory treatment’.^[12]

Though the US court ruled in favour of ICANN, the discrepancies that were made visible with regard to ICANN’s differing emphasis on procedural and substantive compliance with its rules and regulations, have forced the community to acknowledge that corporate strategies, latent interests and financial advantages undermine ICANN’s commitment to accountability. The approval of NDC’s ridiculously high bid with minimal investigation or hesitation, even after Verisign’s takeover, signifies pressing concerns that stand in the way of a convincing commitment to accountability, such as:

The Lack of Substantive Fairness and Accountability at ICANN (A Superficial Investigation)
ICANN’s Sketchy Tryst with Legal Conformity
The Financial Accountability of ICANN’s Auction Proceeds

The Lack of Substantive Fairness and Accountability in its Screening Processes:

Ruby Glen’s claim that ICANN conducted a cursory investigation of NDC’s misleading and unethical behaviour brought to light the ease and arbitrariness with which applications are deemed valid and eligible.

Disclosure of Significant Details Unique to Applicant Profiles: In the initial stage, applications for the gTLD auctions require disclosure of background information such as proof of legal establishment, financial statements, primary and secondary contacts to represent the company, officers, directors, partners, major shareholders, etc. At this stage, TAS User Registration IDs, which require VAT/tax/business IDs, principal business address, phone, fax, etc. of the applicants, are created to build unique profiles for different parties in an auction.^[13] Any important change in an applicant’s details would thus significantly alter the unique profile, leading to uncertainty regarding the parties involved and the validity of transactions undertaken. NDC’s application clearly didn’t meet the requirements here, as its financial statements, secondary contact, board members and ownership all changed at some point before the auction took place (either prior to or post submission of the application).^[14]

Mandatory Declaration of Third Party Funding: Applications presupposing a future joint venture or any organisational unpredictability are not deemed eligible by ICANN, and if any third party is involved in the funding of the applicant, the latter is to provide evidence of such commitment to funding at the time of submission of its financial documents.^[15] Verisign’s public announcement that it was involved in NDC’s funding from the very beginning (well before the auction) and its management later, proves that NDC’s failure to notify ICANN made its application ineligible, or irregular at the very least.^[16]

Vague Consequences of Failure to Notify ICANN of Changes: If in any situation, certain material changes occur in the composition of the management, ownership or financial position of the applicant, ICANN is liable to be notified of the changes by the submission of updated documents. Here, however, the applicant may be subjected to re-evaluation if a material change is concerned, at ICANN’s will (there is no mention of what a material change might be). In the event of failure to notify ICANN of changes that would lead the previous information submitted to be false or misleading, ICANN may reject or deny the application concerned.^[17] NDC’s absolute and repeated denial of any changes, during the extremely brief e-mail ‘investigation’ conducted by ICANN and the Ombudsman, show that at no point was NDC planning on revealing its intimacy with Verisign. No extended evaluation was conducted by ICANN at any point.^[18] Note: The arbitrary power allowed here and the vague use of the term ‘material’ obstruct any real accountability on ICANN’s part to ensure that checks are carried out to discourage dishonest behaviour, at all stages.

Arbitrary Enforcement of Background Checks: In order to confirm the eligibility of all applicants, ICANN conducts background screening during its initial evaluation process to verify the information disclosed, at the individual and entity levels.^[19] The applicants may be asked to produce any and all documents/evidence to help ICANN complete this successfully, and any relevant information received from ‘any source’ may be taken into account here. However, this screening is conducted only with regard to two criteria: general business diligence and criminal history, and any record of cybersquatting behaviour.^[20] In this case, ICANN’s background screening was clearly not thorough, in light of Verisign’s confirmed involvement since the beginning, and at no point was NDC asked to submit any extra documents (apart from the exchange of e-mails between NDC and ICANN and its Ombudsman) to enable ICANN’s inquiry into its business diligence.^[21] Further, ICANN also said that it was not required to conduct background checks or a screening process, as the provisions only mention that ICANN is allowed to do so, when it feels the need.^[22] This ludicrous loophole hinders transparency efforts by giving ICANN the authority to ignore any questionable details in applications it desires to deem eligible, based on its own strategic leanings, advantageous circumstances or any other beneficial interests.

ICANN’s deliberate avoidance of discussing or investigating the ‘allegations’ against NDC (that were eventually proved true), as well as a visible compromise in fairness and equity of the application process point to the conclusion it desired.

ICANN’s Sketchy Tryst with Legal Conformity:

ICANN’s lack of substantive compliance, with California’s laws and its own rules and regulations, leave us with the realisation that efforts towards transparency, enforcement and compliance (even with emphasis on the IANA Stewardship and Accountability Process) barely meet the procedural minimum.

Rejection of Request for Postponement of Auction: ICANN’s intent to ‘initiate the Auction process once the composition of the set is stabilised’ implies that there must be no pending accountability mechanisms with regard to any applicant.^[23] When ICANN itself determines the opening and closing of investigations or reviews concerning applicants, arbitrariness on ICANN’s part in deciding on which date the mechanisms are to be deemed as pending, may affect an applicant’s claim about procedural irregularity. In this case, ICANN had already scheduled the auction for July 27, 2016, before Ruby Glen sent in a request for postponement of the auction and inquiry into NDC’s eligibility on June 22, 2016.^[24] Even though the ongoing accountability mechanisms had begun after initiation of the auction process, ICANN confirmed the continuance of the process without assurance about the stability of the contention set as required by procedure. Ruby Glen’s claim about this violation in auction rules was dismissed by ICANN on the basis that there must be no pending accountability mechanisms at the time of scheduling of the auction.^[25] This means that if any objection is raised or any dispute resolution or accountability mechanism is initiated with regard to an applicant, at any point after fixing the date of the auction, the auction process continues even though the contention set may not be stabilised. This line of defence made by ICANN is not in conformity with the purpose behind the wording of its auction procedure as discussed above.

Lack of Adequate Participation in the Discovery Planning Process: In order to gather evidentiary support and start the discovery process for the passing of the injunction, ICANN was required to engage with Ruby Glen in a conference, under Federal law. However, due to a disagreement as to the extent of participation required from both parties involved in the process, ICANN recorded only a single appearance at court, after which it refused to engage with Ruby Glen.^[26] ICANN should have conducted a thorough investigation, based on both NDC’s and Verisign’s public statements, and engaged more cooperatively in the conference, to comply substantively with its internal procedure as well jurisdictional obligations. Under ICANN’s Bylaws, it is to ensure that an applicant does not assign its rights or obligations in connection with the application to another party, as NDC did, in order to promote a competitive market and ensure certainty in transactions.^[27] However, due to its lack of substantive compliance with due procedure, such bylaws have been rendered weak.

Demand to Dismiss Ruby Glen’s Complaint: ICANN demanded the dismissal of Ruby Glen’s complaint on the basis that the complaint was vague and unsubstantiated.^[28] After the auction, Ruby Glen’s allegations and suspicions about NDC’s dishonest behaviour were confirmed publicly by Verisign, making the above demand for dismissal of the complaint ridiculous.

Inapplicability of ICANN’s Bylaws to its Contractual Relationships: ICANN maintained that its bylaws are not part of application documents or contracts with applicants (as it is a not-for-profit public benefit corporation), and that ICANN’s liability, with respect to a breach of ICANN’s foundational documents, extends only to officers, directors, members, etc.^[29] In addition, it said that Ruby Glen had not included any facts that suggested a duty of care arose from the contractual relationship with Ruby Glen and Donuts Inc.^[30] Its dismissal of and considerable disregard for fiduciary obligations like duty of care and duty of inquiry in contractual relationships, prove the contravention of promised commitments and core values (integral to its entire accountability process), which are to ‘apply in the broadest possible range of circumstances’.^[31]

ICANN’s Legal Waiver and Public Policy: Ruby Glen had submitted that, under the California Civil Code 1668, a covenant not to sue was against policy, and that the legal waiver all applicants were made to sign in the application was unenforceable.^[32] This waiver releases ICANN from ‘any claims arising out of, or related to, any action or failure to act’, and the complaint claimed that such an agreement ‘not to challenge ICANN in court, irrevocably waiving the right to sue on basis of any legal claim’ was unconscionable.^[33] However, ICANN defended the enforceability of the legal waiver, saying that only a covenant not to sue that is specifically designed to avoid responsibility for own fraud or willful injury is invalidated under the provisions of the California Civil Code.^[34] A waiver, incorporating the availability of accountability mechanisms ‘within ICANN’s bylaws to challenge any final decision of ICANN’s with respect to an application’, was argued as completely valid under California’s laws. It must be kept in mind that challenges to ICANN’s final decisions can make headway only through its own accountability mechanisms (including the Reconsideration Requests Process, the Independent Review Panel and the Ombudsman), which are mostly conducted by, accountable to and applicable at the discretion of the Board.^[35] This means that the only recourse for dissatisfied applicants is through processes managed by ICANN, leaving no scope for independence and impartiality in the review or inquiry concerned, as the .WEB case has shown.

Note: ICANN has also previously argued that its waivers are not restricted by S. 1668 because the parties involved are sophisticated - without an element of oppression, and that these transactions don’t involve public interest as ICANN doesn’t provide necessary services such as health, transportation, etc.^[36] Such line of argument shows its continuous refusal to acknowledge responsibility for ensuring access to an essential good, in a diverse community, justifying concerns about ICANN’s commitment to accessibility and human rights.

Required to remain accountable to the stakeholders of the community through mechanisms listed in its Bylaws, ICANN’s repeated difficulty in ensuring these mechanisms adhere to the purpose behind jurisdictional regulations confirm hindrances to impartiality, independence and effectiveness.

The Financial Accountability of ICANN’s Auction Proceeds:

The use and distribution of significant auction proceeds accruing to ICANN have been identified by the internet community as issues central to financial transparency, especially in a future of increasing instances of contention sets.

Private Inurement Prohibition and Legal Requirements of Tax-Exempted Organisations: Subject to California’s state laws as well as federal laws, tax exemptions and tax-deductible charitable donations (available to not-for-profit public benefit corporations) are dependent on the fulfillment of jurisdictional obligations by ICANN, including avoiding contracts that may result in excessive economic benefit to a party involved, or lead to any deviation from purely charitable and scientific purposes.^[37] ICANN’s Articles require that it ‘shall pursue the charitable and public purposes of lessening the burdens of government and promoting the global public interest in the operational stability of the Internet’.^[38] Due to this, ICANN’s accumulation of around USD 60 million (the total net proceeds from over 14 contention sets) since 2014 has been treated with unease, making it impossible to ignore the exponential increase in the same after the .WEB controversy.^[39] With its dedication to a bottom-up, multi-stakeholder policy development process, the use of a single and ambiguous footnote, in ICANN’s Guidebook, to tackle the complications involving significant funds that accrue from last resort auctions (without even mentioning the arbiters of their ‘appropriate’ use) is grossly insufficient.^[40]

Need for Careful and Inclusive Deliberation Over the Use of Auction Proceeds: At the end of the fiscal year 2016, ICANN’s balance sheet showed a total of USD 399.6 million. However, the .WEB sale amount was not included in this figure, as the auction happened after the last date (June 30, 2016).^[41] Around seven times the average winning bid, a USD 135 million hike in ICANN’s accounts shows the need for greater scrutiny on ICANN’s process of allocation and distribution of these auction proceeds.^[42] While finding an ‘appropriate purpose’ for these funds, it is important that ICANN’s legal nature under US jurisdiction as well as its vision, mission and commitments be adhered to, in order to help increase public confidence and financial transparency.

The CCWG Charter on New gTLD Auction Proceeds: ICANN has always maintained that it recognised the concern of ‘significant funds accruing as a result of several auctions’ at the outset.^[43] In March 2015, the GNSO brought up issues relating to the distribution of auction proceeds at ICANN52, to address growing concerns of the community.^[44] A Charter was then drafted, proposing the formation of a Cross-Community Working Group on New gTLD Auction Proceeds, to help ICANN’s Board in allocating these funds.^[45] After being discussed in detail at ICANN56, the draft charter was forwarded to the various supporting organisations for comments.^[46] The Charter received no objections from 2 organisations and was adopted by the ALAC, ASO, ccNSO and GNSO, following which members and co-chairs were identified from the organisations to constitute the CCWG.^[47] It was decided that while ICANN’s Board will have final responsibility in disbursement of the proceeds, the CCWG will be responsible for the submission of proposals regarding the mechanism for the allocation of funds, keeping ICANN’s fiduciary and legal obligations in mind.^[48] While creating proposals, the CCWG must recommend how to avoid possible conflicts of interest, maintain ICANN’s tax-exempt status, and ensure diversity and inclusivity in the entire process.^[49] It is important to note that the CCWG cannot make recommendations ‘regarding which organisations are to be funded or not’, but is to merely submit a proposal for the process by which allocation is undertaken.^[50] ICANN’s Guidebook mentions possible uses for proceeds, such as ‘grants to support new gTLD applications or registry operators from communities’, the creation of a fund for ‘specific projects for the benefit of the Internet community’, the ‘establishment of a security fund to expand use of secure protocols’, among others, to be decided by the Board.^[51]

A Slow Process and the Need for More Official Updates: The lack of sufficient communication/updates about any allocation or the process behind such, in light of ICANN’s current total net auction proceeds of USD 233,455,563, speaks of an urgent need for a decision by the Board (based on a recommendation by CCWG), regarding a timeframe for the allocation of such proceeds.^[52] However, the entire process has been very slow, with the first CCWG meeting on auction proceeds scheduled for 26 January 2016, and the lists of members and observers being made public only recently.^[53] Here, even parties interested in applying for the same funds at a later stage are allowed to participate in meetings, as long as they include such information in a Statement of Interest and Declaration of Intention, to satisfy CCWG’s efforts towards transparency and accountability.^[54]

The worrying consequences of ICANN’s lack of financial as well as legal accountability (especially in light of its controversies), reminds us of the need for constant reassessment of its commitment to substantive transparency, enforcement and compliance with its rules and regulations. Its current obsessive courtship with only procedural regularity must not be mistaken for a greater commitment to accountability, as assured by the post-transition IANA.

^[1] DECLARATION OF CHRISTINE WILLETT IN SUPPORT OF ICANN’S OPPOSITION TO PLAINTIFF’S EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER, 2. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-declaration-willett-25jul16-en.p df)

^[2] 4.3, gTLD Applicant Guidebook ICANN, 4-19. (https://newgtlds.icann.org/en/applicants/agb)

^[3] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 15. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[4] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 15. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[5] DECLARATION OF CHRISTINE WILLETT IN SUPPORT OF ICANN’S OPPOSITION TO PLAINTIFF’S EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER, 4-7. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-declaration-willett-25jul16-en.pdf)

^[6] PLAINTIFF RUBY GLEN, LLC’S NOTICE OF MOTION AND MOTION FOR LEAVE TO TAKE THIRD PARTY DISCOVERY OR, IN THE ALTERNATIVE, MOTION FOR THE COURT TO ISSUE A SCHEDULING ORDER, 3.

(https://www.icann.org/en/system/files/files/litigation-ruby-glen-motion-court-issue-scheduling-order-26oct16-en.pdf)

^[7](https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm5ld3NocS5idXNpbmVzc3dpcmUuY29tL3ByZXNzLXJlbGVhc2UvdmVyaXNpZ24tc3RhdGVtZW50LXJlZ2FyZGluZy13ZWItYXVjdGlvbi1yZXN1bHRz)

^[8] An expedited discovery request can provide the required evidentiary support needed to meet the Plaintiff’s burden to obtain a preliminary injunction or temporary restraining order. (http://apps.americanbar.org/litigation/committees/businesstorts/articles/winter2014-0227-using-expedited-discovery-with-preliminary-injunction-motions.html)

^[9] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 2. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[10] (http://domainincite.com/20789-donuts-files-10-million-lawsuit-to-stop-web-auction); (https://www.thedomains.com/2016/08/15/afilias-asks-icann-to-disqualify-nu-dot-cos-135-million-winning-bid-for-web/)

^[11] (http://www.domainmondo.com/2016/11/news-review-icann57-hyderabad-india.html)

^[12] Art III, Bylaws of Public Technical Identifiers, ICANN. (https://pti.icann.org/bylaws)

^[13] 1.4.1.1, gTLD Applicant Guidebook ICANN, 1-39.(https://newgtlds.icann.org/en/applicants/agb)

^[14] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 15. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[15] 1.2.1; 1.2.2, gTLD Applicant Guidebook ICANN, 1-21. (https://newgtlds.icann.org/en/applicants/agb)

^[16](https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm5ld3NocS5idXNpbmVzc3dpcmUuY29tL3ByZXNzLXJlbGVhc2UvdmVyaXNpZ24tc3RhdGVtZW50LXJlZ2FyZGluZy13ZWItYXVjdGlvbi1yZXN1bHRz)

^[17] 1.2.7, gTLD Applicant Guidebook ICANN, 1-30. (https://newgtlds.icann.org/en/applicants/agb)

^[18] DECLARATION OF CHRISTINE WILLETT IN SUPPORT OF ICANN’S OPPOSITION TO PLAINTIFF’S EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER, 4. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-declaration-willett-25jul16-en.pdf)

^[19] 1.1.2.5, gTLD Applicant Guidebook ICANN, 1-8. (https://newgtlds.icann.org/en/applicants/agb)

^[20] 1.2.1, gTLD Applicant Guidebook ICANN, 1-21. (https://newgtlds.icann.org/en/applicants/agb)

^[21] DECLARATION OF CHRISTINE WILLETT IN SUPPORT OF ICANN’S OPPOSITION TO PLAINTIFF’S EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER, 7. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-declaration-willett-25jul16-en.pdf)

^[22] 6.8; 6.11, gTLD Applicant Guidebook ICANN, 6-5 (https://newgtlds.icann.org/en/applicants/agb);

DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 10. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[23] 1.1.2.10, gTLD Applicant Guidebook ICANN. (https://newgtlds.icann.org/en/applicants/agb)

^[24] NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER; MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 15. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[25] DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 8. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[26] 26(f); 65, Federal Rules of Civil Procedure (https://www.federalrulesofcivilprocedure.org/frcp/title-viii-provisional-and-final-remedies/rule-65-injunctions-and-restraining-orders/); (https://www.federalrulesofcivilprocedure.org/frcp/title-v-disclosures-and-discovery/rule-26-duty-to-disclose-general-provisions-governing-discovery/)

^[27] 6.10, gTLD Applicant Guidebook ICANN, 6-6. (https://newgtlds.icann.org/en/applicants/agb); (https://www.icann.org/resources/reviews/specific-reviews/cct)

^[28] 12(b)(6), Federal Rules of Civil Procedure; DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 6. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[29] DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 8. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[30] PLAINTIFF RUBY GLEN, LLC’S OPPOSITION TO DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MOTION TO DISMISS FIRST AMENDED COMPLAINT; MEMORANDUM OF POINTS AND AUTHORITIES, 12.

(https://www.icann.org/en/system/files/files/litigation-ruby-glen-opposition-motion-dismiss-first-amended-complaint-07nov16-en.pdf)

^[31] (https://archive.icann.org/en/accountability/frameworks-principles/legal-corporate.htm); Art. 1(c), Bylaws for ICANN. (https://www.icann.org/resources/pages/governance/bylaws-en)

^[32] (http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1668); NOTICE OF AND EX PARTE APPLICATION FOR TEMPORARY RESTRAINING ORDER: MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF, 24. (https://www.icann.org/en/system/files/files/litigation-ruby-glen-ex-parte-application-tro-memo-points-authorities-22jul16-en.pdf)

^[33] 6.6, gTLD Applicant Guidebook ICANN, 6-4. (https://newgtlds.icann.org/en/applicants/agb)

^[34] DEFENDANT INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS’ MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF MOTION TO DISMISS FIRST AMENDED COMPLAINT, 18. (http://domainnamewire.com/wp-content/icann-donuts-motion.pdf)

^[35] (https://www.icann.org/resources/pages/mechanisms-2014-03-20-en)

^[36] AMENDED REPLY MEMORANDUM IN SUPPORT OF ICANN’S MOTION TO DISMISS FIRST AMENDED COMPLAINT, 4. (https://www.icann.org/en/system/files/files/litigation-dca-reply-memo-support-icann-motion-dismiss-first-amended-complaint-14apr16-en.pdf)

^[37] 501(c)(3), Internal Revenue Code, USA. (https://www.irs.gov/charities-non-profits/charitable-organizations/exemption-requirements-section-501-c-3-organizations)

^[38] Art. II, Public Technical Identifiers, Articles of Incorporation, ICANN. (https://pti.icann.org/articles-of-incorporation)

^[39](https://community.icann.org/display/alacpolicydev/At-Large+New+gTLD+Auction+Proceeds+Discussion+Paper+Workspace)

^[40] (https://www.icann.org/policy); 4.3, gTLD Applicant Guidebook ICANN, 4-19. (https://newgtlds.icann.org/en/applicants/agb)

^[41]5, Internet Corporation for ASsigned Names and Numbers, Fiscal Statements As of and for the Years Ended June 30, 2016 and 2015. (https://www.icann.org/en/system/files/files/financial-report-fye-30jun16-en.pdf);

(http://domainincite.com/21204-icann-has-400m-in-the-bank?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+DomainIncite+%28DomainIncite.com%29)

^[42] (http://www.theregister.co.uk/2016/07/28/someone_paid_135m_for_dot_web)

^[43](https://community.icann.org/display/CWGONGAP/Cross-Community+Working+Group+on+new+gTLD+Auction+Proceeds+Home)

^[44] (https://www.icann.org/public-comments/new-gtld-auction-proceeds-2015-09-08-en)

^[45] (https://www.icann.org/news/announcement-2-2016-12-13-en)

^[46] (https://www.icann.org/news/announcement-2-2016-12-13-en)

^[47](https://www.icann.org/news/announcement-2-2016-12-13-en);

(https://community.icann.org/display/CWGONGAP/Cross-Community+Working+Group+on+new+gTLD+Auction+Proceeds+Home)

^[48] (https://ccnso.icann.org/workinggroups/ccwg-charter-07nov16-en.pdf); (https://www.icann.org/news/announcement-2-2016-12-13-en)

^[49] (https://www.icann.org/public-comments/new-gtld-auction-proceeds-2015-09-08-en)

^[50] (https://community.icann.org/display/CWGONGAP/CCWG+Charter)

^[51] 4.3, gTLD Applicant Guidebook ICANN, 4-19. (https://newgtlds.icann.org/en/applicants/agb)

^[52] (https://newgtlds.icann.org/en/applicants/auctions/proceeds)

^[53] (https://community.icann.org/pages/viewpage.action?pageId=63150102)

^[54] (https://www.icann.org/news/announcement-2-2016-12-13-en)

For more details visit https://cis-india.org/internet-governance/blog/icann2019s-problems-with-accountability-and-the-web-controversy

GDPR and India: A Comparative Analysis

Aditi Chaturvedi — 2017-11-28T15:17:39Z

At present, companies world over are in the process of assessing the impact that EU General Data Protection Regulations (“GDPR”) will have on their businesses.

The post is written by Aditi Chaturvedi and edited by Amber Sinha

High administrative fines in case of non-compliance with GDPR provisions are a driving force behind these concerns as they can lead to loss of business for various countries such as India.

To a large extent, future of business will depend on how well India responds to the changing regulatory changes unfolding globally. India will have to assess her preparedness and make convincing changes to retain the status as a dependable processing destination. This document gives a brief overview of data protection provisions of the Information Technology Act, 2000 followed by a comparative analysis of the key provisions of GDPR and Information Technology Act and the Rules notified under it.

Download the full blog post

For more details visit https://cis-india.org/internet-governance/blog/gdpr-and-india-a-comparative-analysis

Policy Officer - Internet Governance

Admin — 2018-09-03T07:12:15Z

The Centre for Internet and Society is seeking an individual with a background and interest in issues pertaining to internet governance including privacy, big data, freedom of expression, artificial intelligence etc. under its Internet Governance programme.

This position will include undertaking field research, developing policy briefs, organizing conferences, and writing research reports, engaging with key stakeholders, and collaborating with project partners in areas under our research.

This position is for a duration of 1 year. There is currently one vacancy for this post. Selected candidate will work from CIS office in Bangalore.

Required Skill Sets

Previous work and an interest in issues pertaining to IG including privacy, big data, FoE, and AI.
Strong writing and analytical skills.
Experience in conducting research.
Knowledge of Indian law and policy relevant to the digital sphere.
Demonstrable research skills and ability to undertake research independently.
Demonstrable writing and communication skills.
Ability to work independently or with minimal supervision.

Compensation: Based on experience and education.

Application requirements: two writing samples and CV.

Contact: elonnai@cis-india.org.

For more details visit https://cis-india.org/jobs/policy-officer-ig

Ahead of data protection law roll out, experts caution that it shouldn't limit collection and use of data

Admin — 2018-01-02T15:20:48Z

With India planning to roll out a new data protection regime following the landmark Supreme Court judgment upholding right to privacy as fundamental right, experts have cautioned that the new law should not limit collection and use of data.

The article was published by First Post on October 12, 2017. Sunil Abraham was quoted.

"The new data protection law should have data-driven innovation at its core," said Kamlesh Bajaj, Founder-CEO, Data Security Council of India (DSCI).

"It should not limit data collection and use, but limit harm to citizens," Bajaj added at a seminar on "Data Protection and Privacy" organised by non-profit industry body Internet and Mobile Association of India (IAMAI).

In a major boost to individual freedom, the Supreme Court in August declared that right to privacy was a fundamental right and protected as an intrinsic part of life and personal liberty and freedoms guaranteed by the Constitution.

"The Supreme Court judgment calls for production of a new law," said Sunil Abraham, Executive Director of Bangaluru-based research organisation, Centre for Internet and Society (CIS).

The experts noted that the Supreme Court judgment remains meaningless for digital Indians without a proper data protection law in place as all other existing laws, such as the Information Technology Act, 2000, do not adequately address the question of right to privacy.

Recognising the importance of data protection and keeping personal data of citizens secure and protected, the Ministry of Electronics and Information Technology (MeitY) on 31 July, constituted a Committee of Experts under the chairmanship of its former judge Justice BN Srikrishna to study and identify key data protection issues and recommend methods for addressing them. The committee will also suggest a draft Data Protection Bill.

"While the regulator should be given tools to make companies behave better, it should not start with harsh punitive actions," Abraham noted, adding that big fines could challenge the very logic of regulation.

In a question to whether a robust data protection regime should come in conflict with issue such as national security, he said that lawmakers should find a way to maximise both imperatives.

"Surveillance is like salt in cooking. It is necessary, but in limited quantity," he added.

Participating in a chat with Google's Public Policy Director Chetan Krishnaswamy at the event, MP Rajeev Chandrasekhar, however, said that regulation should start with the process of data collection itself and consumers cannot be expected to demonstrate harm or inappropriate use of their data to enjoy the right to privacy.

"It should not be a free run for companies to mine consumer data," the independent Rajya Sabha member said.

He emphasised that the process of formulating a data protection law is as important as the law itself and all stakeholders should be able to openly put forward their views and apprehensions and it is only with such a consultative process that the opportunities for the technology space can be safeguarded.

For more details visit https://cis-india.org/internet-governance/news/first-post-october-12-2017-ahead-of-data-protection-law-roll-out-experts-caution-that-it-shouldnt-limit-collection-and-use-of-data