We are anonymous, we are legion

Public Law and Jurisprudential Issues of Privacy: A Talk at CIS

praskrishna — 2013-12-30T12:39:23Z

On Friday, September 27, 2013, Abhayraj Naik will give a talk on public law and jurisprudential issues related to privacy. CIS will host the talk at its office in Bangalore from 4.30 p.m. to 6.00 p.m.

Abhayraj Naik

Abhayraj Naik is a graduate of the National Law School of India University, Bangalore, and the Yale Law School. He previously taught public law at the Jindal Global Law School of the OP Jindal Global University where he also co-directed the Centre for Public Law & Jurisprudence from September 2009 to July 2012.

Abhay is actively associated with the Environment Support Group, Bangalore (http://www.esgindia.org), and has also been associated with the Meiklejohn Civil Liberties Institute, Berkeley, USA; Universities Allied for Essential Medicines, USA; Culture Move, Bangalore and other national and international advocacy, activism and research groups for several years now.

Abhay's research interests include legal theory, philosophy, criminal justice reform, urban governance, ecology, and technology policy. His current research projects include interdisciplinary studies of urban street vending, information privacy, fiduciary duties, forgiveness, biopiracy, and criminal justice reform.

He enjoys cycling, travel, poetry, music, and radical educational and ecological activism.

Abhay currently teaches at the Azim Premji University in Bangalore.

VIDEO

For more details visit https://cis-india.org/internet-governance/events/public-law-and-jurisprudential-issues-of-privacy-talk-at-cis

Public Debate on 'Differential Pricing': Series 3

vidushi — 2016-01-28T13:53:12Z

The Centre for Internet and Society, in association with ICRIER and the Department of Civics and Politics, University of Mumbai, is pleased to announce “A Series of Public Debates on Differential Pricing” in the cities of Bangalore, Mumbai and New Delhi. The third public debate will be held at India Habitat Centre, Lodhi Road near Air Force Bal Bharti School, New Delhi on February 5, 2016.

In light of the recent consultation paper released by the Telecom Regulatory Authority of India (TRAI), the objective of these debates will be to deconstruct the issue of differential pricing through a discussion on the variety of views this subject has attracted. Speakers will also discuss possible implications of differential pricing policy on questions of access, diversity, competition and entrepreneurship.

Each debate will comprise three rounds. In the first round, speakers will present the body of their arguments over 10 minutes each. The second round will be a rebuttal round, with each speaker being given 5 minutes. The third and final round will see the floor being opened to the audience who will engage the speakers with comments and questions.

Download the Invite

For more details visit https://cis-india.org/internet-governance/events/public-debate-on-differential-pricing-series-3

Public Debate on 'Differential Pricing': Series 2

vidushi — 2016-01-28T13:51:06Z

The Centre for Internet and Society, in association with ICRIER and the Department of Civics and Politics, University of Mumbai, is pleased to announce “A Series of Public Debates on Differential Pricing” in the cities of Bangalore, Mumbai and New Delhi. The second public debate will be held at Pherozeshah Mehta Bhavan, Vidyanagari, Kalina, Mumbai on February 3, 2016.

Download the Invite

For more details visit https://cis-india.org/internet-governance/events/public-debate-on-differential-pricing-series-2

Public Debate on 'Differential Pricing': Series 1

vidushi — 2016-01-27T13:51:06Z

The Centre for Internet and Society, in association with ICRIER and the Department of Civics and Politics, University of Mumbai, is pleased to announce “A Series of Public Debates on Differential Pricing” in the cities of Bangalore, Mumbai and New Delhi. The first public debate will be held at the Centre for Internet & Society office in Bangalore on February 1, 2016.

Download the Invite

For more details visit https://cis-india.org/internet-governance/events/a-series-of-public-debates-on-differential-pricing-series-1

Public data on the Web leaves much to be desired

praskrishna — 2011-05-30T07:38:04Z

Making government data accessible to all is a vital challenge, says Deepa Kurup in her article published in the Hindu on May 28, 2011.

Tim Berners-Lee, chief architect and inventor of the World Wide Web and an ardent advocate of open data, said, earlier this year, that countries should be judged on their willingness to open up public data to their citizens. This, along with 'network neutrality', he considered as important as free speech, he had emphasised, adding that this was particularly critical for developing nations.

In January 2011, the British Government, led by Mr. Berners-Lee, launched www.data.gov.uk, a site aimed at creating a platform for disclosing data to citizens, civil society organisations and even private institutions from a wide range of government departments and processes.

In India, while ‘civic hackers' and non-governmental organisations are coming up with interesting initiatives that attempt to put government data in the form of mash-ups and easily readable content online, government data on the Web leaves much to be desired. Half a decade after the powerful and progressive Right to Information Act was implemented, accessing government data online is still a challenge. Given the huge amount of public information that has been generated this year through Census 2011, and some sections of these even being GIS mapped, it is imperative that government data be ‘set free', researchers say. They believe that this could not only aid governance and public planning but also increase citizen engagement in public processes.

Technology aid

A recent study by a research team at the Centre for Internet and Society, a Bangalore-based research organisation, finds that despite challenges, the Government and bureaucrats in India are receptive to using technology to open up more data to the public. Speaking to policymakers across the country, the report records various impediments and accessibility barriers, and surveys existing open data initiatives in the Government.

Drawing from these, the report presents a set of recommendations to help the Government move towards an open data ecosystem. These include re-examining the end goals and the end users of this data, involving volunteers and citizens in putting out the data in accessible forms, and seeking support from pre-existing ‘open content' communities such as Wikipedia editors or open street mappers, to name a few.

For a start

Nishant Shah, researcher at CIS, says it is heartening to see that governments, and policymakers, are already thinking along the lines of open government data. There are several initiatives, such as the Bhoomi project or Nemmadi of the Karnataka Government, that may not look at themselves as open data initiatives, but are certainly going that way, Mr. Shah points out. There are several critical infrastructure changes that are happening such as the use of computers at different levels of governance, setting up of community Internet centres in villages and various e-governance programmes; so there is a lot of hope that data will be accessible to more people, he adds.

Challenges

However, Mr. Shah points out that while there is talk about taking government data into the public domain, the larger ecosystem for this has not been worked out. The report points out that there is insufficient standardisation, while e-governance, to a large degree, has been far from perfect. System interoperability issues and the larger issues of privacy (in the absence of any existing law) are both challenges.

Speaking to The Hindu, a senior official from the department of e-governance said it was indeed on the Government's agenda to open up more data, and offer it in more accessible formats. He pointed out that interoperability of formats is a huge problem, one that he hopes the recently enforced National Policy on Open Standards will accurately address.

"However, it is a gargantuan process to get departments across the country, at different levels of governance, to comply. This may take time and effort. Another problem is that the input formats are not standardised, which means a lot of vital data is being offered in cumbersome formats that are barely useable," he says. However, a bigger concern is to provide the information ecosystem to take this to the millions that are left out of the Internet loop. That is a greater challenge, he points out.

Read the original story published by the Hindu here

For more details visit https://cis-india.org/news/public-data-on-web

Proxies and VPNs: Why govt can't ban porn websites?

pranesh — 2015-09-13T08:26:17Z

The government's move to block more than 800 pornographic websites has led experts to question whether this latest attempt to police the internet is even feasible.

The article by Siladitya Ray was published in the Hindustan Times on August 3, 2015. Pranesh Prakash was quoted.

Internet service providers (ISPs) have confirmed they received letters from the Department of Telecommunications (DoT) on Saturday that directed them to block certain websites. But can the government stop users from visiting porn sites?

The answer seems to be no.

"It is extremely easy to circumvent these blocks, using virtual private networks (VPNs) and proxies that anonymise your traffic," said Pranesh Prakash, policy director at the Centre for Internet and Society in Bengaluru.

A cursory Google search on how to unblock porn websites throws up millions of how-tos and guides on using proxies and VPNs to get around restrictions set by authorities. All these services anonymise users’ web traffic by routing them through foreign servers.

According to data from Pornhub, one of the world's biggest porn sites, India ranks fifth for the most daily visitors to the website. Pornhub saw a total of 78.9 billion video views globally in 2014.

The government can try to keep up with proxies and block them too. But as proxies change on a daily basis and there are always dozens of functioning proxies to choose from across, blocking all of them will be a near impossible task.

Tor, an anonymity network, is also a popular way to surf blocked sites.

But is it legal to circumvent blocks put in place by authorities by using VPNs and proxies?

There is no law in India that prohibits viewing pornography, experts say. Section 67 of the Information Technology Act only deals with "publishing obscene information in electronic form".

This provision has been interpreted as a measure to criminalise the posting of pornographic content online. However, accessing "obscene" content privately – such as within the four walls of a person’s home – is not illegal, say experts.

In July, while hearing a petition seeking the blocking of pornographic websites, Supreme Court Chief Justice HL Dattu wondered whether the court could restrain an adult from watching pornography within his home and described such a ban as a violation of Article 21 of the Constitution, which grants the right to personal liberty to its citizens.

But what about the legality of using VPNs and proxies? “There are no laws preventing the use of VPNs and proxies in India," said Prakash.

Are proxies and VPNs safe?

While the use of proxies and VPNs is very simple, they do come with their own set of problems. These services have access to all your browsing data and may push adware and other forms of malware.

Prakash advised that users should only choose services that are well known and have a good reputation.

"Sites like TorrentFreak put out annual lists of the top VPNs available," he said. These can be used as a guide to determine what services are safe.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-august-3-2015-siladitya-ray-proxies-and-vpns

Provide hacker details, outfit that claimed data leak told

praskrishna — 2017-06-07T12:14:13Z

The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.

The article by Mahendra Singh was published in the Times of India on May 18, 2017.

In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certainprojects.

In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.

According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.

Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.

The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.

The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."

"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-mahendra-singh-may-18-2017-provide-hacker-details-outfit-that-claimed-data-leak-told

Protest@ censorship.com

praskrishna — 2012-06-05T04:23:19Z

Activism goes online as more angry young citizens decide to make their voices heard, writes Sandhya Soman in an article published in the Times of India. Pranesh Prakash is quoted in the article.

If there was a software code to ‘Invite All’, then Ashish D and friends would’ve called the world to land up at Gateway of India on June 9. The next best option for this netizen from Mumbai was to go online.

Hacktivism –– a form of activism for social change that uses computers and electronic networks –– is back. And the most recent protest is from hacker group Anonymous, which is trying to gather public support to stem internet censorship and blocking of websites in India by service providers and the government recently.

Since showing up in front of the town hall is not enough, Ashish has set up a Facebook page. Fellow netizens, irritated by the arbitrary blocking of sites and impressed by Anonymous OpIndia’s jabs at websites of political parties and corporates, are signing up to discuss the best possible venues to protest from.

Is there a better place than Marina beach in Chennai to make the maximum impact, wonders one user while another says it would be better to split up to cover more area in Mumbai. According to Pranesh Prakash, lawyer and programme manager at The Centre for Internet and Society, a Bangalore-based research organisation, a strong online presence helps protests to get publicity. A lot of the Jan Lokpal agitation happened online, he says.

“It is not enough to fast at Jantar Mantar. If you get 1,000 people to click ‘like’ or 40 people to retweet your tweet, then the site becomes the default area of protest,” he says. If those petitioners are 10 influential people, then it carries more weight with the media than a few hundred shouting slogans on the street.

“Also called electronic civil disobedience, hacktivism is geared to political ends,” writes Pramod K Nayar in his book ‘An Introduction to New Media and Cybercultures.’ Virtual sit-ins involving intellectuals and ordinary citizens and bombarding authorities with emails have been used by Mexican revolutionaries, Tamil separatists and protesters in Iran and the Middle East. “Hacktivism is clearly here to stay,” writes Nayar.

But it is not enough to collect a few digital signatures, says Nithin Manayath, one of the people behind the 2009 ‘Pink Chaddi’ campaign, which sought to protest in an irreverent manner the attacks against women by the radical Sri Ram Sena. Manayath and his friends sustained the campaign through a Facebook group, which saw thousands of pairs of pink underwear being sent to the office of the group that attacked women for what it considered ‘violations of Indian culture’.

“Marches, candlelight vigils and dharnas are something we do regularly. By the tenth dharna you will be so jaded that you go to the protest venue to meet friends,” says Manayath. After a while, this happens to online petitions also if you are not thinking about what you are doing. “What I liked about the ‘Pink Chaddi’ campaign was that we were responding to violence with a shameless act. It made me aware about many things and the novelty of the protest resonated with many people,” he says.

Though the current campaign is going the offline way on June 9, the hacking and denial of service attacks on websites by Anonymous have ensured that issue of blocking got publicity. “There is corporate and private censorship of internet and it is being done without enough proof of who is violating the copyrights of moviemakers. If these protests create awareness about the larger issues and developments in the areas of e-governance, IT Act and copyright law, then they could be helpful,” says Pranesh Prakash.

Meanwhile, Anonymous OpIndia, which is hoping for lifting of ban on websites, is already getting feelers from eager citizens on future issues. “Many people have requested us to protest other issues such gasoline price hike,” says a member. “And we always tell them that there are no strict rules, they can protest as per their needs.”

NET ANGST

Through Facebook, the ‘Pink Chaddi’ campaign of 2009 encouraged women to send undergarments to Sri Ram Sena. The right-wing group had attacked women for ‘violations of Indian culture’

Jan Lokpal campaign in 2011 had support from various online forums. They sent petitions to political parties and inundated a government website with e-mails.

Following the blocking of websites due to a court order to prevent copyright violations.

Anonymous OpIndia targeted government and corporate websites. It is mobilising people for protests in nearly 11 cities on June 9.

Read the original here

For more details visit https://cis-india.org/news/protest-at-censorship

Protection of Privacy in Mobile Phone Apps

Hitabhilash Mohanty and Edited by Leilah Elmokadem — 2016-12-15T14:18:43Z

The term “Fintech” refers to technology-based businesses that compete against, enable and/or collaborate with financial institutions. The year 2015 was a critical year for the Indian fintech industry, which saw the rise of numerous fintech start-ups, incubators and investments from the public and private sector.

According to NASSCOM, the Indian fintech market is worth an estimated USD 1.2 billion, and is predicted to reach USD 2.4 billion by 2020.[1] The services brought forth by Fintech, such as digital wallets, lending, and insurance, have transformed the ways in which businesses and institutions execute dayto-day transactions. The rise of fintech in India has rendered the nation’s market a point of attraction for global investment.[2] Fintech in India is perceived both as a catalyst for economic growth and innovation, as well as a means of financial inclusion for the millions of unbanked individuals and businesses. The government of India, along with regulators such as SEBI (Securities and Exchange Board of India) and RBI (Reserve Bank India), has consistently supported the digitalization of the nation’s economy and the formation of a strong fintech ecosystem through funding and promotional initiatives.[3]

The RBI has been pivotal in enabling the development of India’s fintech sector and adopting a cautious approach in addressing concerns around consumer protection and law enforcement. Its key objective as a regulator has been to create an environment for unimpeded innovations by fintech, expanding the reach of banking services for unbanked populations, regulating an efficient electronic payment system and providing alternative options for consumers. The RBI’s prime focus areas for enabling fintech have been around payment, lending, security/biometrics and wealth management. For example, the RBI has introduced “Unified Payment Interface” with the NPCI (National Payments Corporation of India), which has been critical in revolutionizing digital payments and pushing India closer to the objective of a cash-less society. It has also released a consultation paper on regulating Peer 2 Peer (P2P) lending market in India, highlighting the advantages and disadvantages of regulating the sector.[4]

The consultation paper offers a definition of P2P lending as well as a general explanation of the activity and the digital platforms that facilitate transactions between lenders and borrowers. It also provides a set of arguments for and against regulating P2P lending. The arguments against regulating the sector mainly pertain to the risk of stifling the growth of an innovative, efficient and accessible avenue for borrowers who either lack access to formal financial channels or are denied loans by them.[5]

This is the general consensus around the positive impact of the Fintech sector in India: its facilitation of financial inclusion and economic opportunity. However, the paper lists many more arguments for regulation than against. One of the main points made is with regards to P2P lending’s potential to disrupt the financial sector by challenging traditional banking channels. There is also the argument that, if properly regulated, the P2P lending platforms can more efficiently and effectively exercise their potential of promoting alternative forms of finance.[6]

The paper concludes that the balance of advantage would lie in developing an appropriate regulatory and supervisory toolkit that facilitates the orderly growth of the P2P lending sector in order to harness its ability to provide an alternative avenue for credit for the right borrowers[7]

The RBI’s regulatory framework for P2P lending platforms encompasses the permitted activity, prudential regulations on capital, governance, business continuity plan (BCP) and customer interface, apart from regulatory reporting.[8]

The Securities and Exchange Board of India (SEBI) is also a prominent regulator of the Indian fintech sector. They issued a consultation paper on “crowdfunding”, which is defined as the solicitation of funds (small amounts) from multiple investors through a web-based platform or social networking site for a specific project, business venture or social cause. P2P lending is then a form of crowdfunding, which can be understood as an umbrella term that covers fintech lending practices. SEBI’s paper aimed to provide a brief overview of the global scenario of crowdfunding including the various prevalent models under it, the associated benefits and risks, the regulatory approaches in different jurisdictions, etc. It also discusses the legal and regulatory challenges in implementing the framework for crowdfunding. The paper proposes a framework for ushering in crowdfunding by giving access to capital markets to provide an additional channel of early stage funding to Start-ups and SME’s and seeks to balance the same with investor protection.[9] Unlike RBI’s consultation paper on P2P lending, SEBI’s paper on crowdfunding was intended mainly to invite discussion and not necessarily to implement a framework for regulation.

Some of the benefits cited in SEBI’s crowdfunding paper pertain to the commonly mentioned advantages of fintech: economic opportunity for the SME sector and start-ups, alternative lending systems to keep SMEs alive when traditional banks crash, new investment avenues for the local economy and increased competition in the financial sector.[10]

The paper also lists a set of risks that suggest the need for a regulatory framework for crowdfunding. For example, it mentions the “substitution of institutional risk by retail risk”, meaning that individual lenders, who’s risk tolerance may be low, bear the risk of low/no return investors when they lend to SMEs without adequate assessment of credit worthiness. Also, there is the risk that the digital platform that facilitates lending and issues all the transactions, may not conduct proper due diligence. If the platform is temporarily shut down or closed permanently, no recourse is available to the investors.[11]

The SEBI paper mentions a long list of other risks associated with crowdfunding, mostly associated with systemic failures, loan defaults, fraud practices, and information asymmetry. Information asymmetry refers partially to the chance that lending decisions are made based on incomplete data sets that are based on social networking platforms. There is a lack of transparency and reporting obligations in issuers including with respect to the use of funds raised.[12]

Similar to the RBI consultation paper, SEBI makes a decent effort to weigh the costs and benefits of crowdfunding practices but only does this from an economic/financial perspective. Most of the cited risks, benefits and concerns tend to overlook information security and risks of privacy breaches of the implicated borrowers.

India Stack is a paperless and cashless service delivery system that has been supported by the Indian government as part of the fintech sector. It is a new technology paradigm that is designed to handle massive data inflows, and is poised to enable entrepreneurs, citizens and governments to interact with one another transparently. It is intended to be an open system to electronically verify businesses, people and services. It allows the smartphone to become the delivery platform for services such as digital payments, identification and digital lockers. The vision of India Stack is to shift India towards a paperless economy.[13]

The central government, based on its experience with the Aadhaar project, decided to launch the opendata initiative in 2012 supported by an open API policy, which would pave the way for private technology solutions to build services on top of Aadhaar and to make India a digital cash economy. Unified Payments Interface (UPI), which will make mobile payments card-less and completely digital, allows consumers to transact directly through their bank account with a unique UPI identity that syncs to Aadhaar’s verification and connects to the merchant, the settlement and the issuing bank to close transactions.[14]

It is suspected that India Stack will shift in business models in banking from low-volume, high-value, high-cost and high fees to high-volume, low-value, low cost and no fees. This well lead to a drastic increase in accessibility and affordability, and the market force of consumer acquisition and the social purpose of mass inclusion will converge.[15]

India Stack serves as an example of how the Government of India has supported initiatives that would promote the fintech sector while facilitating economic growth and financial opportunity for unbanked individuals. However, there is continuous discussion around India Stack’s attachment to the Aadhaar system, which can lead to the exclusion of unregistered individuals from the benefits that would otherwise be reaped from the open-data initiative. It can also result in many privacy and security breaches when records of individuals’ daily transactions are attached to their Aadhaar numbers, which carry their biometric information and is linked to other personal data that is held by the government such as health records.

Download the Full Report

[1]. KPMG: https://assets.kpmg.com/content/dam/kpmg/pdf/2016/06/FinTech-new.pdf

[2]. Id.

[3]. Id.

[4]. Id.

[5]. RBI 2P2 Consultation Paper, https://rbidocs.rbi.org.in/rdocs/content/pdfs/CPERR280416.pdf

[6]. Id.

[7]. Id.

[8]. Id.

[9]. SEBI Crowdfunding consultation paper, http://www.sebi.gov.in/cms/sebi_data/attachdocs/1403005615257.pdf

[10]. Id.

[11]. Id.

[12]. Id.

[13]. Krishna, https://yourstory.com/2016/07/india-stack/

[14]. Id.

[15]. Nilekani, http://indianexpress.com/article/opinion/columns/the-coming-revolution-in-indian-banking-2924534/

For more details visit https://cis-india.org/internet-governance/blog/protection-of-privacy-in-mobile-phone-apps

Proposed Intermediary Liability Rules threat to privacy and free speech, global coalition tells MeitY

Zaheer Merchant — 2019-03-20T15:56:51Z

“We respectfully call on you to withdraw the draft amendments proposed to the Information Technology (Intermediary Guidelines) Rules in December. As published, the draft amendments would erode digital security and undermine the exercise of human rights globally.”

The blog post by Zaheer Merchant was published by Medianama on March 18, 2019.

A global coalition of 31 civil society organizations and technology experts has called on MeitY to reconsider the proposed amendments to the Intermediary Liability Rules, terming them a threat to privacy and free speech. In a letter to the ministry dated March 15, the coalition said that the proposed amendments “would harm fundamental rights and the space for a free internet, without necessarily addressing the problems that the ministry aims to resolve.” Some of the signatories are Centre for Internet and Society, SFLC.in, Internet Freedom Foundation, Government Accountability Project and Human Rights Watch, among others (A copy of the letter is attached at the bottom). The letter breaks down its reasons for opposing the proposed amendments:

1. Traceability would undermine security, lead to surveillance

Under the proposed guidelines, intermediaries would have to ensure ‘traceability’ of messages by providing information related to its originator and receivers. This, the letter argues, would force intermediaries to undermine the security of of their platforms and create a surveillance regime. “Undermining security features to ensure traceability would affect all users of that platform, not just those that are the subjects of the information request,” the letter reads. “… such wide and ambiguous powers… on interception of communications would directly harm the fundamental right to privacy of Indians and facilitate unchecked surveillance.”

2. Data retention antithetical to privacy, must go

The letter also states that the data retention mandate included in the draft guidelines is antithetical to privacy. The guidelines state that intermediaries must preserve content requested by law enforcement for 180 days or longer. This open-ended data retention, the letter argues, contradicts the principle of ‘Storage Limitation’ recommended by the Srikrishna Committee. “Provisions regarding storage limitation and data retention must not be included within the fold of the Intermediary Guidelines, and should be subject to parliamentary law-making,” the letter reads.

3. Proactive monitoring contradicts SC’s Shreya Singhal judgment, would result in censorship

The letter also criticizes the requirement that intermediaries proactively monitor and automatically delete ‘unlawful content’. “[This] would directly conflict with the legal standard laid down by the Supreme Court of India in the Shreya Singhal judgment, which holds that intermediaries should only be legally compelled to take down content on the basis of court orders or legally empowered government agencies,” the letter reads. It could also cause intermediaries to err in favor of takedowns, resulting in unnecessary censorship.

“With the upcoming General Elections in India and the imposition of the Model Code of Conduct on new policy decisions in place, we urge the government to not push through these amended regulations given their impact on fundamental rights and secure communications,” the letter concludes.

The proposed amendments to Intermediary Liability Rules

Released at the end of December 2018, the proposed amendments to the Intermediary Guidelines would modify guidelines under the Information Technology Act concerning intermediaries, ostensibly to prevent misuse of social media platforms and check the spread of fake news. Under India’s Information Technology Act, any entity, person or platform that receives, stores, processes, or transmits electronic information on behalf of another is considered an intermediary. These include social media platforms, cloud services, internet service providers, email service providers and more. For an intermediary to avoid liability for its users’ actions, it must comply with the proposed guidelines which are being amended to the following:

Traceability, and information within 72 hours: The new rules require platforms to introduce traceability to find where a piece of information originated. For this, platforms may have to break end-to-end encryption. The rules require the intermediary to hand over information or assistance to government bodies in 72 hours, including in matters of security or cybersecurity, and for investigative purposes. [Rule 3(5)]
Platforms with more than 50 lakh users are required to be registered under the Companies Act, have a physical address in the country, have a nodal officer who will cooperate with law enforcement agencies, etc. [Rule 3(7)]
Platforms have to pull down unlawful content within a shorter duration of 24 hours from the earlier 36 hours. They also have to keep records of the “unlawful activity” for 180 days – double the period of 90 days in the 2011 rules – as required by the court or government agencies [Rule 3(8)]
Platforms have to deploy tools to proactively identify, remove and disable public access to unlawful information or content. [Rule 3(9)]
The new rules insert a monthly requirement on platforms to inform users of the platforms’ right to terminate usage rights and to remove non-compliant information at their own discretion. [Rule 3(4)]

For more details visit https://cis-india.org/internet-governance/news/medianama-march-18-2019-zaheer-merchant-proposed-intermediary-liability-rules-threat-privacy-and-free-speech

Proposals to regulate social media run into multiple roadblocks

Saumya Tewari and Abhijit Ahaskar — 2019-11-28T14:16:25Z

The Cambridge Analytica scandal, the Pegasus spyware attack on WhatsApp and the growing misuse of social media platforms to spread misinformation have made governments world over, including in India, realise the limitations of existing laws in dealing with the misuse of these platforms.

The article by Saumya Tewari and Abhijit Ahaskar was published by Livemint on November 27, 2019. Gurshabad Grover was quoted.

“The draft guidelines are already in place and we have invited comments from all stakeholders across the country for the same. We have already conducted nationwide discussion with social activists, platforms and states and committed to the court that we will submit the intermediary guidelines by 15 January," said N.N. Kaul, media adviser to electronics and information technology minister Ravi Shankar Prasad.

The need for greater regulation of social media companies stems from the growing feeling that they are not doing enough to curb the misuse of their platforms. In recent times, many of them have been involved in brushes with the government and courts. For instance, short-video app TikTok was accused of promoting pornography among teens and temporarily banned from app stores following a Madras high court order; WhatsApp was slammed for not being able to curb fake messages which led to several cases of mob lynchings in 2018 and, more recently, for the Pegasus spyware attack. Twitter too has been criticised for failing to curb hate speech.

While the draft talks about intermediaries as a whole and doesn’t specify any particular segment, the proposals that apply to social media companies include setting up an India office and having a nodal officer for liaising with the government, furnishing information within 24 hours and tracing the source of a post or information. While forcing companies to have a nodal officer in the country can make these platforms more accountable to legal requests, it also makes them vulnerable to government pressure.

“Having offices in India allows the government to exert extralegal pressure on the company officials by forcing them to comply with informal requests. It is only useful if the intermediaries are willing to push back on the pressure and not entertain any informal request from the government," said Gurshabad Grover, research manager at the Centre for Internet and Society.

China-based TikTok, in a statement, emphasised that it is committed to respecting local laws and actively coordinates with law enforcement agencies through an India-based grievance officer. TikTok claims to have removed six million videos between July 2018 and April 2019 for violation of its guidelines.

Some of these proposals have been flagged on grounds of privacy. For instance, the traceability clause is going to have a huge impact on specific platforms such as WhatsApp and Telegram that encrypt all messages and calls. Enforcing traceability and deploying technology-based automated tools to proactively identify and disable public access to malicious content will force them to break or lower the encryption as has been pointed out by industry in the past.

WhatsApp maintained its official stance from February and reiterated that what is contemplated by the rules is not possible today given the end-to-end encryption that it provides. The rules would require the company to re-architect WhatsApp, which would lead to a different product, one that would not be fundamentally private.

“The fact that India doesn’t have an encryption law per say also complicates the scenario. In fact, section 84A (introduced after an amendment in 2008) of IT Act 2000 has specific provisions authorizing central government for coming up with a policy on encryption. It has been 11 years but there is still no law on it," said Pavan Duggal, a cyberlaw expert.

Further, to ensure that companies abide by the proposed rules and furnish information within 24 hours, the government will have to address hurdles in mutual legal assistance treaty between India and the US, which is why many of these requests take a lot of time to process. “The target of the government should be having an executive agreement with the US under the Cloud Act. The US has significant stakes in the data localization debate as many of the companies are based in the US, and that can be used as leverage to negotiate such an agreement. That will allow law enforcement agencies in India to have expedited access to information held by platforms which are based outside the country," Grover said.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-27-2019-saumya-tewari-and-abhijit-ahaskar-proposals-to-regulate-social-media-run-into-multiple-roadblocks

Prometheus bound and gagged

praskrishna — 2012-02-14T04:47:46Z

Funny how a healthy person like me can collapse one day and end up in the hospital. The doctor who made me go through every lab test available, finally diagnosed the cause after a chat with me. Apparently, I collapsed because I’m getting angry, increasing my blood pressure. The only solution he said is to stop reading newspapers, as I’m getting agitated by headlines like ‘India can go the China way and block sites’, or by how the government says there’s no Internet censorship while all it’s actions point the other way.

The article by Adarsh Matham was published in the New Indian Express on 20 January 2012. Pranesh Prakash is quoted in this article.

Censorship is a word that is particularly abhorrent for someone like me, who grew up listening to tales of how people like Ramnath Goenka fought the censors during the Emergency. And to say that we’ll start blocking websites in India like China is doing, the most heart wrenching moment I’ve ever heard. While researching for this piece, I came across some information that is out in the open on the Internet, but which is not generating the level of debate it deserves. We seem to be immersed in discussing Kolaveri, while slowly sliding into an Orwellian nightmare. As an example, I didn’t know there are rules called ‘Intermediary Guidelines’ and ‘Cyber cafe rules’, and I bet you didn’t either. As Pranesh Prakash of Centre for Internet and Society (CIS) has pointed out in a blog post, these two rules alone, made up by the Department of IT in April 2011, give the government and citizens of India great powers at censoring the web by allowing them to get Internet firms to remove content that is ‘disparaging’, ‘doesn’t have rights to’, etc.

Killing freedom of speech is only the first crime of these rules as proved by the good people at CIS. To test these rules, they complained against some frivolous content to ISPs and Internet companies, which resulted in six out of seven listings being removed without informing posters or users. More alarmingly, of the 358 items the Government of India (and some states) has requested Google to remove, only eight were for hate speech, one for national security, and an astounding 255 for ‘government criticism’.

Since introducing these draconian rules, the tale only gets murkier. Not content with asking Internet firms to self-regulate, Kapil Sibal has introduced an amendment to the Copyright Act, which introduces section 52(1)(C ), that allows anyone to send a notice complaining about infringement of his copyright. While this sounds normal, the catch is that ‘the Internet company has to remove the content immediately without question, even if the notice is false or malicious’. This amendment is before Rajya Sabha, and considering how our Parliament passes bills without a debate, it’ll become a law very soon.

Baleful rules and people behind them fail to realise that such efforts will lead to the Streisand effect, whereby attempts to hide any information will lead to it being publicised more widely. Yes more widely, because you can take out some content, but India’s youth will re-post it in a million places within minutes, like they do with pirated movies. We play a lot of cunning games just to live peacefully in India already. Please don’t let us play them online too.

The writer is a tech geek.
Email: articles@theadarsh.net

For more details visit https://cis-india.org/news/prometheus-bound-and-gagged

Project on Gender, Health Communications and Online Activism with City University

ambika — 2019-12-02T09:38:21Z

CIS is a partner on the project 'Gender, Health Communications and Online Activism in the Digital Age'. The project is lead by Dr. Carolina Matos, Senior Lecturer in Sociology and Media in the Department of Sociology at City University.

It is funded by the Global Challenges Research Fund. Ambika Tandon, Policy Officer at CIS, conducted fieldwork for the project in May and June 2019 as a research assistant.

The goal of the project is to advance research on how new communication technologies (ICTs) can be used to create awareness of gender equality and sexual and reproductive rights. It aims to assess how the use of technologies, by women's groups and feminist NGOs can empower women in developing countries to advance citizen and human rights with the intent to influence policy at the global and local level. More information on the preliminary findings of the project can be found in the downloadable presentation."

You may find Dr. Carolina Matos's presentation here.

For more details visit https://cis-india.org/internet-governance/blog/project-on-gender-health-communications-and-online-activism-with-city-university

Programme Officer - Privacy

amber — 2019-04-15T06:53:44Z

The Centre for Internet and Society (CIS) is seeking applications for the position of Programme Officer, to undertake public policy research on privacy and related themes. For this position, we will hire one full time researcher, to be based in the Delhi office of CIS, for the duration of one year.

To apply for this position please write to amber@cis-india.org along with a CV, two writing samples and contact details of two references, Interested candidates are invited to send their applications at the earliest — latest by April 30th.

Organisation Profile

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and practices around internet, technology and society in India, and elsewhere.

Privacy Research at CIS

While privacy has been a key subject of study for digital rights and development organisations in India for the last decade, recent and ongoing legal and policy developments have placed this issue at the forefront of human rights and regulatory research. CIS has conducted extensive research into the areas of privacy, data protection, data security, and was also a member of the Committee of Experts constituted under Justice A P Shah. CIS has also been cited multiple times in the Report of the Committee of Experts led by Justice Srikrishna. CIS values the fundamental principles of justice, equality, freedom and economic development and strongly advocates the right to privacy.

Over the next year, CIS intends to look at several research questions on data protection which may include the global experience with privacy enforcement, need for effective redressal mechanisms, documenting the design of business models and data flows, regulation of social media big data, how data of disadvantaged groups including children may be protected. Additionally, while we now have the Supreme Court’s unanimous and emphatic recognition of the fundamental right to privacy, there is a need for research enquiry into several issues such as a clarification of the scope of the Puttaswamy judgment, unpacking the different dimensions of privacy, how state actions interact with privacy.

The Role

Research and analysis: Literature review, policy design, detailed analysis of research topics
Knowledge management: Staying up-to-date on developments of interest to the project, and sharing/debating these with the team. Contributing to documentary and knowledge management processes
Policy outreach and stakeholder engagement: Supporting the project manager in the dissemination of research findings in innovative formats. Attending, planning and executing events
Writing op-eds, short notes, policy briefs and longer form academic writing for a range of audiences
Presentations and formal discussions: Preparing and delivering presentations to various audiences
Helping manage communications with stakeholders including international experts, regulators and policy makers
Managing interns and team: Managing work outputs with our interns; coordinating research with team members and the project manager

Qualifications and Skills

We are looking for professionals from law, regulatory theory and public policy backgrounds.

We are looking for candidates who are interested in studying the regulatory challenges of notice and consent, state capacity, how business models thwart privacy and the future of privacy post Puttaswamy.

This is a full-time position based out of Delhi. The position is for a duration of one year. Salary will be commensurate with qualifications and experience.

For more details visit https://cis-india.org/jobs/programme-officer-privacy-2019

Private-public partnership for cyber security

basu — 2018-12-26T15:02:21Z

Given the decentralised nature of cyberspace, the private sector will have to play a vital role in enforcing rules for security.

The article by Arindrajit Basu was published in Hindu Businessline on December 24, 2018.

On November 11, 2018, as 70 world leaders gathered in Paris to commemorate the countless lives lost in World War I, French President Emmanuel Macron inaugurated the Paris Peace Forum with a fiery speech denouncing nationalism and urging global leaders to pursue peace and stability through multilateral initiatives.

In many ways, it echoed US President Woodrow Wilson’s monumental speech delivered at the US Senate a century ago in which he outlined 14 points on the principles for peace post World War I. As history unkindly reminds us through the catastrophic realities of World War II, Wilson’s principles went on to be sacrificed at the altar of national self-interest and inadequate multilateral enforcement.

President Macron’s first initiative for global peace — the Paris Call for Trust and Security in Cyber Space was unveiled on November 12 — at the UNESCO Internet Governance Forum — also taking place in Paris. The call was endorsed by over 50 states, 200 private sector entities, including Indian business guilds such as FICCI and the Mobile Association of India and over 100 organisations from civil society and academia from all over the globe. The text essentially comprises a set of high-level principles that seeks to prevent the weaponisation of cyberspace and promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace.

Need for private participation

Given the increasing exploitation of the internet for reaping offensive dividends by state and non-state actors alike and the prevailing roadblocks in the multilateral cyber norms formulation process, Macron’s efforts are perhaps of Wilsonian proportions.

A key difference, however, was that Macron’s efforts were devised hand-in-glove with Microsoft — one of the most powerful and influential private sector actors of our time. Microsoft’s involvement is unsurprising given that private entities have become a critical component of the global cybersecurity landscape and governments need to start thinking about how to optimise their participation in this process.

Indeed, one of the defining features of cyberspace is its incompatibility with state-centric ‘command and control’ formulae that lead to the ordering of other global security regimes — such as nuclear non-proliferation. The decentralised nature of cyberspace means that private sector actors play a vital role in implementing the rules designed to secure cyberspace.

Simultaneously, private actors such as Microsoft have recognised the utility of clearly defined ‘rules of the road’ which ensure certainty and stability in cyberspace and ensure its trustworthiness among global customers.

Normative deadlock

There have been multiple gambits to develop universal norms of responsible state behaviour to foster cyber stability. The United Nations-Group of Governmental Experts (UN-GGE) has been constituted five times now and will meet again in January 2019.

While the third and fourth GGEs in 2013 and 2015 respectively made some progress towards agreeing on some baseline principles, the fifth GGE broke down due to opposition from states including Russia, China and Cuba on the application of specific principles of international law to cyberspace.

This was an extension of a long-running ‘Cold War’ like divide among states at the United Nations. The US along with its NATO allies believe in creating voluntary non-binding norms for cybersecurity through the application of international law in its entirety while Russia, China and its allies in the Shanghai Co-operation Organization (SCO) reject the premise that international law applies in its entirety and call for the negotiation of an independent treaty for cyberspace that lays down binding obligations on states.

Critical role

The private sector has begun to play a critical role in breaking this deadlock. Recent history is testament to catalytic roles played by non-state actors in cementing global co-operative regimes.

For example, Dupont — the world’s leading ChloroFluoroCarbon (CFC) producer — played a leading role in the 1970s and 1980s towards the development of The Montreal Protocol on Substances that Deplete the Ozone Layer and gained positive recognition for its efforts.

Another example is the International Committee of the Red Cross (ICRC) — a non-governmental organisation that played a crucial role in the development of the Geneva Conventions and its Additional Protocols, which regulate the conduct of atrocities in warfare by preparing initial drafts of the treaties and circulating them to key government players.

Similarly, in cyberspace, Microsoft’s Digital Geneva Convention which devised a set of rules to protect civilian use of the internet was put forward by Chief Legal Officer, Brad Smith two months before the fifth GGE met in 2017.

Despite the breakdown at the UN-GGE, Microsoft pushed on with the Tech Accords — a public commitment made by (as of today) 69 companies “agreeing to defend all customers everywhere from malicious attacks by cyber-criminal enterprises and nation-states.”

Much like the ICRC, Microsoft leads commendable diplomatic efforts with the Paris Call as they reached out to states, civil society actors and corporations for their endorsement.

Looking Forward

Private sector-led normative efforts towards securing cyberspace are redundant in the absence of three key recommendations. First, is the implementation of best practices at the organisational level through the implementation of robust cyber defense mechanisms, the detection and mitigation of vulnerabilities and breach notifications — both to consumer and the government.

Second, is the development of mechanisms that enables direct co-operation between governments and private actors at the domestic level. In India, a Joint Working Group between the Data Security Council of India (DSCI) and the National Security Council Secretariat (NSCS) was set up in 2012 to explore a Private Public Partnership on cyber-security in India , which has great potential but is yet to report any tangible outcomes.

The third and final point is the recognition that their efforts need to result in a plurality of states coming to the negotiating table. The absence of the US, China and Russia in the Paris Call are eerily reminiscent of the lack of US participation in Woodrow Wilson’s League of Nations, which was one of the reasons for its ultimate failure.

Microsoft needs to keep on calling with Paris but Beijing, Washington and Alibaba need to pick up.

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-hindu-businessline-december-24-2018-private-public-partnership-for-cyber-security