We are anonymous, we are legion

Peering behind the veil of ICANN’s DIDP (I)

Padmini Baruah — 2015-10-15T02:42:14Z

One of the key elements of the process of enhancing democracy and furthering transparency in any institution which holds power is open access to information for all the stakeholders. This is critical to ensure that there is accountability for the actions of those in charge of a body which utilises public funds and carries out functions in the public interest.

As the body which “...coordinates the Internet Assigned Numbers Authority (IANA) functions, which are key technical services critical to the continued operations of the Internet's underlying address book, the Domain Name System (DNS)”^{^[1]}, the centrality of ICANN in regulating the Internet (a public good if there ever was one) makes it vital that ICANN’s decision-making processes, financial flows, and operations are open to public scrutiny. ICANN itself echoes the same belief, and upholds “...a proven commitment to accountability and transparency in all of its practices”^{^[2]}, which is captured in their By-Laws and Affirmation of Commitments. In furtherance of this, ICANN has created its own Documentary Information Disclosure Policy, where it promises to “...ensure that information contained in documents concerning ICANN's operational activities, and within ICANN's possession, custody, or control, is made available to the public unless there is a compelling reason for confidentiality.”^{^[3]}

ICANN has a vast array of documents that are already in the public domain, listed here. These include annual reports, budgets, registry reports, speeches, operating plans, correspondence, etc. However, their Documentary Information Disclosure Policy falls short of meeting international standards for information disclosure. In this piece, I have focused on an examination of their defined conditions for non-disclosure of information, which seem to undercut the entire process of transparency that the DIDP process aims towards upholding. The obvious comparison that comes to mind is with the right to information laws that governments the world over have enacted in furtherance of democracy. While ICANN cannot be equated to a democratically elected government, it nonetheless does exercise sufficient regulatory power of the functioning of the Internet for it to owe a similar degree of information to all the stakeholders in the internet community. In this piece, I have made an examination of ICANN’s conditions for non-disclosure, and compared it to the analogous exclusions in India’s Right to Information Act, 2005

ICANN’ꜱ Defined Conditions for Non-Disclosure versus Exclusions in Indian Law :

ICANN, in its DIDP policy identifies a lengthy list of conditions as being sufficient grounds for non-disclosure of information. One of the most important indicators of a strong transparency law is said to be minimum exclusions.^{^[4]} However, as seen from the table below, ICANN’s exclusions are extensive and vast, and this has been a barrier in the way of free flow of information. An analysis of their responses to various DIDP requests (available here) shows that the conditions for non-disclosure have been invoked in over 50 of the 85 requests responded to (as of 11.09.2015); i.e., over two-thirds of the requests that ICANN receives are subjected to the non-disclosure policies.

In contrast, an analysis of India’s Right to Information Act, considered to be among the better drafted transparency laws of the world, reveals a much narrower list of exclusions that come in the way of a citizen obtaining any kind of information sought. The table below compares the two lists:

No.	ICANN^{^[5]}	India	Analysis
1.	Information provided by or to a government or international organization which was to be kept confidential or would materially affect ICANN’s equation with the concerned body.	Information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, "strategic, scientific or economic" interests of the State, relation with foreign State or lead to incitement of an offense^{^[6]}/ information received in confidence from foreign government^{^[7]}	The threshold for both the bodies is fairly similar for this exclusion.
2.	Internal (staff/Board) information that, if disclosed, would or would be likely to compromise the integrity of ICANN's deliberative and decision-making process	Cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers, provided that such decisions the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over (unless subject to these exemptions)^{^[8]}	The Indian law is far more transparent as it ultimately allows for the records of internal deliberation to be made public after the decision is taken.
3.	Information related to the deliberative and decision-making process between ICANN, its constituents, and/or other entities with which ICANN cooperates that, if disclosed, would or would be likely to compromise the integrity of the deliberative and decision-making process	No similar provision in Indian Law.	This is an additional restriction that ICANN introduces in addition to the one above, which in itself is quite broad.
4.	Records relating to an individual's personal information	Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual (but it is also provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied by this exemption);^{^[9]}	Again, the Indian law contains a proviso for information with “relationship to any public activity or interest”
5.	Proceedings of internal appeal mechanisms and investigations.	Information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;^{^[10]}	While ICANN prohibits the disclosure of all proceedings, in India, the exemption is only to the limited extent of information that the court prohibits from being made public.
6.	Information provided to ICANN by a party that, if disclosed, would or would be likely to materially prejudice the commercial interests, financial interests, and/or competitive position of such party or was provided to ICANN pursuant to a nondisclosure agreement or nondisclosure provision within an agreement.	Information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;^{^[11]}	This is fairly similar for both lists.
7.	Confidential business information and/or internal policies and procedures.	No similar provision in Indian Law. This is encapsulated in the abovementioned provision	This is fairly similar in both lists.
8.	Information that, if disclosed, would or would be likely to endanger the life, health, or safety of any individual or materially prejudice the administration of justice.	Information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;^{^[12]}	This is fairly similar for both lists.
9.	Information subject to any kind of privilege, which might prejudice any investigation	Information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature^{^[13]}/Information which would impede the process of investigation or apprehension or prosecution of offenders;^{^[14]}	This is fairly similar in both lists.
10.	Drafts of all correspondence, reports, documents, agreements, contracts, emails, or any other forms of communication.	No similar provision in Indian Law	This exclusion is not present in Indian law, and it is extremely broadly worded, coming in the way of full transparency.
11.	Information that relates in any way to the security and stability of the Internet	No similar provision in Indian Law	This is perhaps necessary to ICANN’s role as the IANA Functions Operator. However, given the large public interest in this matter, there should be some proviso to make information in this regard available to the public as well.
12.	Trade secrets and commercial and financial information not publicly disclosed by ICANN.	Information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;^{^[15]}	This is fairly similar in both cases.
13.	Information requests: ● which are not reasonable; ● which are excessive or overly burdensome ● complying with which is not feasible ● which are made with an abusive or vexatious purpose or by a vexatious or querulous individual.	No similar provision in Indian Law	Of all the DIDP exclusions, this is the one which is most loosely worded. The terms in this clause are not clearly defined, and it can effectively be used to deflect any request sought from ICANN because of its extreme subjectivity. What amounts to ‘reasonable’? Whom is the process going to ‘burden’? What lens does ICANN use to define a ‘vexatious’ purpose? Where do we look for answers?
14.	No similar provision in ICANN’s DIDP.	Information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;^{^[16]}	-
15.	No similar provision in ICANN’s DIDP.	Information which providing access to would involve an infringement of copyright subsisting in a person other than the State.^{^[17]}	-

Thus, the net cast by the DIDP exclusions policy is more vast than even than that of a democratic state’s transparency law. Clearly, the exclusions above have effectively allowed ICANN to dodge answers to most of the requests floating its way. One can only hope that ICANN realises that these exclusions come in the way of the transparency that they are so committed to, and does away with this unreasonably wide range on the road to the IANA Transition.

^{^[1]} https://www.icann.org/resources/pages/welcome-2012-02-25-en

^{^[2]} https://www.icann.org/resources/accountability

^{^[3]} https://www.icann.org/resources/pages/didp-2012-02-25-en

^{^[4]} Shekhar Singh, India: Grassroot Initiatives in Tʜᴇ Rɪɢʜᴛ ᴛᴏ Kɴᴏᴡ 19, 44 (Ann Florin ed., 2007)

^{^[5]} In a proviso, ICANN’s DIDP states that all these exemptions can be overridden if the larger public interest is higher. However, this has not yet been reflected in their responses to any DIDP requests.

^{^[6]} Section 8(1)(a), Right to Information Act, 2005.

^{^[7]} Section 8(1)(f), Right to Information Act, 2005.

^{^[8]} Section 8(1)(i), Right to Information Act, 2005.

^{^[9]} Section 8(1)(j), Right to Information Act, 2005.

^{^[10]} Section 8(1)(b), Right to Information Act, 2005.

^{^[11]} Section (1)(d), Right to Information Act, 2005

^{^[12]} Section 8(1)(g), Right to Information Act, 2005.

^{^[13]} Section 8(1)(c), Right to Information Act, 2005.

^{^[14]} Section 8(1)(h), Right to Information Act, 2005.

^{^[15]} Section (1)(d), Right to Information Act, 2005

^{^[16]} Section 8(1)(e), Right to Information Act, 2005.

^{^[17]} Section 9, Right to Information Act, 2005.

For more details visit https://cis-india.org/internet-governance/blog/peering-behind-the-veil-of-icann2019s-didp

Peering behind the veil of ICANN's DIDP (II)

Padmini Baruah — 2015-10-15T03:14:18Z

In a previous blog post, I had introduced the concept of ICANN’s Documentary Information Disclosure Policy (“DIDP”) and their extremely vast grounds for non-disclosure. In this short post, I have made an analysis of every DIDP request that ICANN has ever responded to, to point out the flaws in their policy that need to be urgently remedied.

Read the previous blog post here. Every DIDP request that ICANN has ever responded to can be accessed here.

The table here is a comprehensive breakdown of all the different DIDP requests that ICANN has responded to. This table is to be read with this document, which has a numbered list of the different non-disclosure exceptions outlined in ICANN’s policy. What I sought to scrutinize was the number of times ICANN has provided satisfactory information, the number of times it has denied information, and the grounds for the same. What we found was alarming:

Of a total of 91 requests (as of 13/10/2015), ICANN has fully and positively responded to only 11.
It has responded partially to 47 of 91 requests, with some amount of information (usually that which is available as public records).
It has not responded at all to 33 of 91 requests.
The Non-Disclosure Clause (1)^{^[1]} has been invoked 17 times.
The Non-Disclosure Clause (2)^{^[2]} has been invoked 39 times.
The Non-Disclosure Clause (3)^{^[3]} has been invoked 31 times.
The Non-Disclosure Clause (4)^{^[4]} has been invoked 5 times.
The Non-Disclosure Clause (5)^{^[5]} has been invoked 34 times.
The Non-Disclosure Clause (6)^{^[6]} has been invoked 35 times.
The Non-Disclosure Clause (7)^{^[7]} has been invoked once.
The Non-Disclosure Clause (8)^{^[8]} has been invoked 22 times.
The Non-Disclosure Clause (9)^{^[9]} has been invoked 30 times.
The Non-Disclosure Clause (10)^{^[10]} has been invoked 10 times.
The Non-Disclosure Clause (11)^{^[11]} has been invoked 12 times.
The Non-Disclosure Clause (12)^{^[12]} has been invoked 18 times.

This data is disturbing because it reveals that ICANN has in practice been able to deflect most requests for information. It regularly utilised its internal processes and discussions with stakeholders clauses, as well as clauses on protecting financial interests of third parties (over 50% of the total non-disclosure clauses ever invoked - see chart below) to do away with having to provide information on pertinent matters such as its compliance audits and reports of abuse to registrars. We believe that even if ICANN is a private entity legally, and not at the same level as a state, it nonetheless plays the role of regulating an enormous public good, namely the Internet. Therefore, there is a great onus on ICANN to be far more open about the information that they provide.

Finally, it is extremely disturbing that they have extended full disclosure to only 12% of the requests that they receive. An astonishing 88% of the requests have been denied, partly or otherwise. Therefore, it is clear that there is a failure on part of ICANN to uphold the transparency it claims to stand for, and this needs to be remedied at the earliest.

^{^[1]} “Information provided by or to a government or international organization, or any form of recitation of such information, in the expectation that the information will be kept confidential and/or would or likely would materially prejudice ICANN's relationship with that party”

^{^[2]} “Internal information that, if disclosed, would or would be likely to compromise the integrity of ICANN's deliberative and decision-making process by inhibiting the candid exchange of ideas and communications, including internal documents, memoranda, and other similar communications to or from ICANN Directors, ICANN Directors' Advisors, ICANN staff, ICANN consultants, ICANN contractors, and ICANN agents”

^{^[3]} “Information exchanged, prepared for, or derived from the deliberative and decision-making process between ICANN, its constituents, and/or other entities with which ICANN cooperates that, if disclosed, would or would be likely to compromise the integrity of the deliberative and decision-making process between and among ICANN, its constituents, and/or other entities with which ICANN cooperates by inhibiting the candid exchange of ideas and communications”

^{^[4]} “Personnel, medical, contractual, remuneration, and similar records relating to an individual's personal information, when the disclosure of such information would or likely would constitute an invasion of personal privacy, as well as proceedings of internal appeal mechanisms and investigations”

^{^[5]} “Information provided to ICANN by a party that, if disclosed, would or would be likely to materially prejudice the commercial interests, financial interests, and/or competitive position of such party or was provided to ICANN pursuant to a nondisclosure agreement or nondisclosure provision within an agreement”

^{^[6]} “Confidential business information and/or internal policies and procedures”

^{^[7]} “Information that, if disclosed, would or would be likely to endanger the life, health, or safety of any individual or materially prejudice the administration of justice”

^{^[8]} “Information subject to the attorney– client, attorney work product privilege, or any other applicable privilege, or disclosure of which might prejudice any internal, governmental, or legal investigation”

^{^[9]} “Drafts of all correspondence, reports, documents, agreements, contracts, emails, or any other forms of communication”

^{^[10]} “Information that relates in any way to the security and stability of the Internet, including the operation of the L Root or any changes, modifications, or additions to the root zone”

^{^[11]} “Trade secrets and commercial and financial information not publicly disclosed by ICANN”

^{^[12]} “Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual”

For more details visit https://cis-india.org/internet-governance/blog/peering-behind-the-veil-of-icanns-didp-ii

Peeping Toms In Your Inbox

praskrishna — 2011-04-02T11:42:11Z

Nothing’s safe any more—not your mobile number, nor your e-mail—as they’re put on offer for the benefit of telemarketers, writes Namrata Joshi and Neha Bhatt in an article published in the Outlook.

It was Saturday morning and Sneha Gupta wanted to book a table for dinner at a Delhi restaurant called Rodeo. So she called up a telephone directory service and procured the restaurant’s phone number, firmly nixing the operator’s seemingly casual offer to also provide numbers of similar restaurants. But that wasn’t the end of the story. The next day, Sunday brunch with her extended family was interrupted by calls from sundry restaurants enquiring if she’d be interested in hosting parties and events—at a discount.

“Instead of enjoying the food, the company and the conversation, I was busy ticking off these guys. Why were they assuming I wanted to organise a party? How did they get my mobile number to blatantly infringe on my private family time?” asks Sneha. She got no answers from them, but the sequence of events is clear: the telephone directory service sold Sneha’s contact details to marketers who broadly assumed, from her Rodeo outing, that she was a party animal, and decided to bombard her with similar offers.

Something similar happened to media professional Raghav Agarwal. He paid off his bank loan for a car in two-and-a-half years instead of the stipulated five, happy to stop living off credit. But from the next day, he was inundated with calls offering him bigger and better credit for everything—from house to car to education. “It was awfully distracting to deal with this while trying to meet deadlines,” he recounts. The fact that he had paid back the loan ahead of time had, by hook or by crook, reached financial outfits who used the information to serenade what they saw as an attractive catch.

For Kuhu Tanvir, these attentions come laced with a hint of menace. The film student was startled to find herself receiving unsolicited calls from unknown vendors offering to maintain the water purifier installed in the recesses of her kitchen. “It’s scary to think,” she says, “that there are people out there who even know which products you’ve bought for your house.” It was equally unnerving for film producer Gaurang Jalan to have his personal details passed on to data-miners by none other than a prominent Calcutta club (“strangers now call you on your birthday, offering schemes”). All those out there accosted by calls offering car insurance just at the time their policy is up for renewal will know exactly how they felt....

8 Ways In Which You’re Being Intruded Upon

Privacy is being redefined in India, with the lines between the public and the private blurring not just for celebrities but also for ordinary citizens...
Personal details like your phone number, date of birth, credit history, bank loans, insurance policies, white goods purchases, favourite restaurants and nightclubs are bought and sold among cellphone operators, banks, shops, telephone directory services, credit card companies, hospitals, hotels, elite clubs and even your locality’s residents’ welfare association.
Unsolicited telemarketing calls, spam SMSes and e-mails intrude incessantly on your private space, time
Your online purchases and searches, archived e-mails and documents are being tracked for marketing purposes. Social networking groups and search engines stand accused of sharing user information and contact details.
Personal pictures, information about relationships on social networking sites are being misused by online predators and molesters.
Identity theft is fast emerging as a threat.
Surveillance cameras and intrusive frisking have become a way of life, at airports, cinema halls, malls, hospitals, hotels, etc.
TV cameras and sting operations blur the line between individual privacy and public interest.
People encouraged and offered inducements to bare all about their lives on TV. Shows like Emotional Atyachar, Splitsvilla, Truth Love Cash play out individual dating rituals and infidelity games for the masses.

7 Steps You Can Take To Protect Yourself

Give out your mobile number cautiously, if at all; don’t print it on the visiting cards you hand out generously. Give only your landline number if you have to, to avoid being constantly disturbed.
Be wary of filling in random forms at retail stores and restaurants, or the gift voucher you’re offered in return for your friends’ names and phone numbers.
Be alert while shopping with your debit or credit card. The retailer may be also swiping the card on his computer to feed your contact information into it.
Even though the Do Not Call facility has not worked for a majority of users, you lose nothing by registering for it on www.donotcall.gov. You can’t complain about unsolicited calls unless you register.
Online, be cautious of the personal information you reveal, such as your date of birth and photographs, which make you especially vulnerable to identity theft. Use Google dashboard and the new Facebook privacy settings to protect yourself.
Get the latest browser that allows you to delete cookies-as-you-go, delete your browsing history regularly, learn to encrypt your e-mail.
Always read privacy clauses in bank and other forms, and on websites carefully, and remember to tick opt-out boxes if you don’t want to be besieged with new product information.

For celebrities, the lines between the private and the public have always been blurred. But in a transforming India, ordinary people like Sneha, Raghav, Kuhu and Gaurang are finding themselves intruded upon in newer ways—from the trivial to the serious—and across varied platforms, from the mobile phone to the internet, TV to the surveillance camera. And, with citizens like them mostly dimly aware of how to safeguard, renegotiate or fight for their right to privacy—enshrined in the Constitution, but vaguely defined—in a changing world, and no effective laws to rein in those who violate it, the infringements and threats are set to increase.

Take telemarketing, perhaps the most insistent manifestation today of this marauding culture. It started out as an irritant, became a nuisance and is now a virtually unchecked invasion. “In the West, telemarketing is an unobtrusive experience thanks to opt-in services by which users get calls only if they ask for them. Moreover, governments discourage telemarketers through strict regulations. In India, it’s a menace,” says Supreme Court advocate Harsh Pathak, who has litigated against telemarketing calls and the sale of personal data to companies.

Indeed, you can chart an entire day in your life with these intrusions as markers. You get woken up with the SMS: “Hare Krishna. Today is Ekadashi. Fasting from grains and beens (sic). Chant Hare Krishna mahamantra 25 rounds (sic) and be happy. Hari bol.” Through the day, they keep coming, both SMSes and human voices, trying to sell you everything from houses and farmland to hotel deals, sauna belts, equity tips and public speaking skills. And, if you happen to be even an occasional club-hopper, your phone could carry on beeping till two or three am, with SMSes announcing the next gig in town.

It’s clear from this virtually round-the-clock barrage that our personal lives are up for sale in an aggressive marketing-driven environment. Be it telecom companies, banks, shops, credit card firms, DVD rental libraries, insurance, auto dealers, clubs or hotels, they all profit from sharing personal information—phone numbers, credit history, spending patterns, shopping preferences and much else—about their customers. “The irony is that the corporate world has no accountability or transparency in India but the public has turned transparent for them,” says media analyst and columnist Sudheesh Pachauri.

Those often identified as the prime offenders in this game are quick to shrug off blame, or not respond, as Outlook found. ICICI Bank could not “participate in this story”, Airtel declined comment while Vodafone did not respond at all. Rajat Mukarji, chief corporate officer, Idea Cellular, who did respond, said phone companies were unfairly blamed for unsolicited calls. “Such data is available everywhere now, you can buy it off the Net for Rs 150,” he argued. HDFC Bank’s chief information security officer Vishal Salvi also stoutly denies that databases are sold, and when asked why existing customers are deluged with new product and service offers, says: “It only happens on a need-to-know, need-to-do-basis.” That’s the theory, but in practice, many customers find that the “need” seems to be defined by the banks, not their clients.

So where does that leave the consumer? Well, says Bangalore-based freelance writer and photographer Darshan Manakkal, “On a good day, I plead with the telemarketer to never call me again. With the more persistent ones, I try a different approach, like putting them on hold while I go for a bath. On really bad days, I just abuse them.” Others, like Chennai professional P.K. Pradeep, who shared with us pages upon pages of (extremely polite) e-mails to Airtel and Vodafone requesting them to halt unsolicited calls and SMSes, have been more persistent, but have achieved little beyond the robotic response, “We’re looking into it.”

Signing up, along with some 66 million souls, at the National Do Not Call (NDNC) Registry set up in October 2007, provided no protection to Pradeep, nor did changing phone numbers. “I got a new number from Vodafone recently, and would you believe it, the very next day I was bombarded with promotional messages. They had clearly passed on my number,” he says. The NDNC of the Telecom Regulatory Authority of India (TRAI) is now widely acknowledged as a failure. There was a brief dip in calls, but they resumed with renewed gusto. You could get lost in the maze of explanations for why NDNC doesn’t work; what’s clear, though, is that it has no capacity to deal with telemarketers who fail to register with it—like all those unknown real estate companies who bombard you with SMSes—and little teeth to deal with those who do. Fines are laughably minuscule—ranging from Rs 500 to Rs 1,000—and the threat of disconnecting a telemarketer’s line is an empty one when it can quickly sign up and assault consumers from another connection. In view of its failure, a Do Call registry has been mooted, on the more consumer-friendly principle that those who want to be called should opt in rather than opt out. Consultations are on but its future shape is still unclear, with telecom companies (no surprise there) opposed to it. “We have gone far with dnc. To now backtrack and try something new doesn’t seem feasible,” says Mukarji.

“The whole problem of unregistered telemarketers will continue and telecom companies will go on blaming them,” S. Saroja, legal coordinator for the Chennai-based Citizen Consumer and Civic Action Group, predicts pessimistically. The group has tried, to no avail, to get phone companies to trace bulk SMSes, which she maintains are easily traceable. “Telemarketing is a Rs 50,000-crore industry and growing at 20 per cent every year. Nobody wants to upset it as everybody is making money out of it, including the government,” says Supreme Court advocate Nivedita Sharma, who has fought her own battles against the sale of privacy.

Meanwhile, an expanding online world is throwing up its own challenges. By 2013, according to some estimates, India will have the third-largest internet user base in the world. Already, with 50 million-plus users and growing, it is a magnet for marketers, who as we know—without perhaps fully internalising the fact—avidly follow the telltale digital pugmarks and trails we leave on the Net as we e-mail, search, shop and obsessively communicate with each other on platforms like Facebook and Twitter.

These spaces on the Net, and their counterparts on other media, seem to be drawing us into an open, sharing, even confessional, culture, without our being fully aware of our vulnerability. We occasionally get intimations of it—like when our e-mail account is hacked into and bizarre mail sent out on our behalf; our Facebook pictures downloaded and their obscene versions floated on Orkut, as happened to two Delhi airhostesses recently; or vicious, revealing comments on our personal lives posted amid the banter on our favourite chat sites.

However, as media analysts point out, there is little push in the Indian environment to do what Western users of Facebook did recently: forcing it to change privacy policies and settings by protesting against its inadequate privacy controls. Here too, as with telemarketing, the regulatory environment is missing.

“In India, there are no regulatory bodies related to online privacy concerns like in the US and Canada where there are privacy commissions which force corporations to make changes in their privacy policy in the interest of citizens,” says Sunil Abraham, executive director, the Centre for Internet and Society, Bangalore.

But individuals are to blame too. Saad Akhtar of naukri.com points out: “We don’t even read the fine print on privacy policies on websites, not realising that a lot of the data we upload even on Indian social networking websites becomes their property, which they can share with advertisers.”

Indeed, Akhila Sivadas of the Centre for Advocacy and Research, says that privacy issues are creating a cultural crisis of sorts, with no understanding of them, leave alone resolution. “Privacy is something that has been negotiated in a personal, intimate, micro universe. We have drawn our individual lakshman rekhas. But we have not debated on privacy norms as a society in a public space, which is very significant in the wake of how the mass media and social networking media is exploding in our country,” she says. It’s leading to an uneasy blend of the very closed and guarded, and the extremely open and no-holds-barred in our society. “There is no robust normative system in place, and corporate entities are exploiting that void,” she says. “The market is primed to take advantage and exploit existing conditions for profit. We are allowing the market to overreach itself,” agrees adman and social commentator Santosh Desai.

So what should be done? Obviously, the R-word—regulation—is critical, and hopefully, the cry for it from the ground will become stronger, as intrusions gather apace. But it would help for consumers to get smarter. Some of the questions to ask ourselves are: should I really be patronising a phone directory service, as Sneha did, that states that it shares information with third-party members and is not responsible for that information being misused by third parties? Should I hand out my visiting card, with my mobile number on it, to all and sundry? Should I reflexively press the “I agree to the terms & conditions” button while signing up for net services without reading the fine print? As Desai puts it, we need to be “mindful, suspicious and careful”. Without, of course, descending into paranoia. The irony, getting sharper and sharper in our lives, is that the very platforms that are used to invade our privacy also enrich our lives in manifold ways.

Read the original article in Outlook

For more details visit https://cis-india.org/news/peeping-toms-in-inbox

Paytm Payments Bank woos corporates with digital incentives

Admin — 2018-01-24T23:52:36Z

Offerings will be an incentive to companies already using Paytm e-wallet services to shift employees’ salary accounts to the bank, says Paytm Payments Bank CEO Renu Satti.

The article was published by Komal Gupta and Remya Nair was published in Livemint on January 24, 2018

Looking to tap the ready customer base of salary accounts, Paytm Payments Bank is trying to attract corporate entities with digital offerings such as food and gift wallets for their employees.

The bank has set a target of reaching a customer base of 500 million over the next 2-3 years, managing director and chief executive Renu Satti said in an interview. The bank claims to have 170 million customers, including those using the Paytm e-wallet.

Satti said the offerings will be an incentive to companies already using Paytm e-wallet services to shift employees’ salary accounts to the bank. Around 500 corporate entities are using e-wallet services.

“These corporate offerings will ensure better accountability and convenience for both the employers and employees,” she said, giving the example of food wallets which are automatically debited when a customer buys food, due to the tagging of merchants done at the back-end by Paytm.

“We even offer customisation to the extent of restricting usage of food wallet to specific merchants like office cafeterias, basis requirement,” Satti said.

Food vouchers and gift coupons have been typically issued in a physical form by corporate entities, earlier as paper coupons and now as prepaid cards.

Paytm Payments Bank offers customers the convenience of using their food and gift wallets through the app across the merchant base of Paytm, Satti said. “It doesn’t require any card, which also does away with issues such as loss of card and expiry of coupons, plus avail the benefits of cashback running on any Paytm merchant,” she added.

Last week, Paytm Payments Bank launched physical debit cards for its customers to facilitate account holders to withdraw cash from ATMs and make offline payments. Hitherto, the bank had been issuing virtual debit cards which could only be used for online payments.

The bank also plans to set up around 100,000 banking outlets across the country in the next one year to cater largely to under-banked rural areas.

The list of these outlets will be available on the bank’s website where the customer will be able to access a range of services including net banking, National Electronic Funds Transfer (NEFT), Immediate Payment Service (IMPS) and Unified Payments Interface (UPI). There will be monetary incentives for these correspondents for every transaction they perform for the customer. These outlets could be a local kirana store or a chemist shop, Satti said.

“We will follow a stringent process to shortlist merchants. There will be screening, quality check, physical check to ensure whether the place is actually authorized to run a business,” she said.

The bank plans to onboard some from the existing merchant networks using Paytm wallets while others will be from areas where there is no Paytm presence as of now.

More than 6 million merchants are already a part of the Paytm ecosystem, primarily using wallet services.

Paytm Payments Bank was launched in November after receiving a payments bank license from RBI in January last year. Vijay Shekhar Sharma, founder of One97 Communications, holds the majority share in Paytm Payments Bank, with the rest being held by One97 Communications.

The bank currently has no minimum balance requirements and offers 4% interest on savings deposits. India has three other operational payment banks—Airtel Payments Bank, India Post Payments Bank and Fino Payments Bank. “The traditional banks that offer customized corporate services to its customers having a high amount of deposits would face competition from payments banks. They will have no other option but to offer those services to customers with deposits at the Payments bank limits, to stay relevant in the market,” said Udbhav Tiwari, programme manager at the Centre for Internet and Society, a Bengaluru-based think tank.

“Also, as a payment company, Paytm has data pertaining to the spending patterns of customers which help it be more competitive in the market,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-remya-nair-january-24-2018-paytm-payments-bank-woos-corporates-with-digital-incentives

Patanjali's Kimbho swiftly retreats over security scare, ripped on Twitter

Admin — 2018-06-01T14:15:44Z

Swadeshi" messaging app targeted at WhatsApp taken off from app stores hours after launch.

The article by Alnoor Peermohamed and Manavi Kapur was published in the Business Standard on May 31, 2018. Gurshabad Grover was quoted.

The fate of Patanjali’s “swadeshi” instant messaging app Kimbho was sealed in the span of just a few hours, thanks to viral messages being shared on Facebook-owned WhatsApp, the app that the Baba Ramdev-promoted company was trying to combat.

Patanjali on Thursday launched Kimbho with the sole intent of checking the rise of messaging giant WhatsApp in India. However, after Kimbho’s various data vulnerabilities were exposed by the security expert and whistleblower who goes by the pseudonym Elliot Alderson on Twitter, the app made a quiet exit from Google’s Play Store.

Jokes surrounding the app’s quick retreat spread like wildfire on rival platform WhatsApp. It was perhaps the quickest rise and fall in the popularity of a mobile application.

Alderson, who has exposed data breaches in the UIDAI’s website, took to Twitter to rip apart the Kimbho app. “This @KimbhoApp is a joke, next time before making press statements, hire competent developers... If it is not clear, for the moment don't install this app,” he wrote. His next tweet sent alarm bells ringing among users: “The #Kimbho #android #app is a security disaster. I can access the messages of all the users...”

Kimbho, though, claims that every message on its platform is encrypted by the Advance Encryption Standard and that it saves “no data on our servers or cloud”. But Alderson pointed out that the one-time password security could be worked around. “It's possible to choose a security code between 0001 and 9999 and send it to the number of your choice,” he tweeted. Kimbho, explained as a Sanskrit greeting by S K Tijarawala, Ramdev’s spokerperson, on Twitter, is also a patched-up application over the existing Bolo messaging app.

This is most likely the reason the app was taken off the Google Play Store. “There were basic authentication and authorisation related vulnerabilities where an end user can see the data of other users. These flaws may be the reason the developers took down the app. Google flags such things,” said Anand Prakash, a Bengaluru-based ethical hacker.

“WhatsApp uses end-to-end encryption that essentially means even they can’t access the messages you send. But Kimbho, on the other hand, was not using end-to-end security and probably even saving every message as plain text on its server,” adds Gurshabad Grover, policy officer at the Centre for Internet and Society.

Google did not respond to queries about whether the developer took the app down or Google flagged it as unsecure. Kimbho declared on its Twitter handle that its app was removed from the Play Store because of heavy traffic, claiming that it was downloaded 150,000 times in a mere three hours since its launch.

On Apple’s App Store, it was trending in the social networking category at the fourth position in India, just below WhatsApp, Facebook and Facebook’s Messenger, and above popular messaging apps such as Skype, LinkedIn and hike messenger.

Tijarawala had announced Kimbho’s launch on Twitter, calling it an app developed by the “shishyas” (disciples) and “navdikshit sadhus” (newly ordained priests) of Ramdev and Acharya Balkrishna, managing director, Patanjali Ayurved and co-founder, Patanjali Yogpeeth in Haridwar. Tijarawala’s tweet also claimed that this app was built using “swadeshi” techniques, though what these are remains a mystery. Emails, text messages and calls to Tijarawala went unanswered.

In keeping with an “Indian” aesthetic, the app’s logo has a “shankh” (conch shell), perhaps signifying a war cry against foreign-born WhatsApp, which has over 200 million active users in India. The conch shell also blends well with Kimbho’s tag line, “Ab Bharat Bolega” (now India will speak). But that is where its tenuous Indianness begins to crumble.

While the app was registered as a product of Patanjali Ayurved on the Play Store, the developer on Apple’s App Store is Appdios Inc, a San Francisco-based app development company. Aditi Kamal and Sumit Kumar are this company’s founders according to LinkedIn. The duo has worked with technology giants such as Google and Apple and hold masters degrees from University of Southern California in the US. A blonde man features on the screenshots that the app has featured on its landing page on the App Store.

Taking forward Bolo’s keyboard suggestions, cheekily called “Quickies”, Kimbho offers pre-typed messages such as “hugs and kisses”, “what the heck” and “parents are watching”. Whether these millennial-friendly features and Kimbho itself are an attempt to get young millennials in touch with their “swadeshi” roots remains to be seen.

For more details visit https://cis-india.org/internet-governance/news/business-standard-manavi-kapur-alnoor-peermohamed-may-31-2018-patanjali-s-kimbho-swiftly-retreats-over-security-scare-ripped-on-twitter

Pastebin, Dailymotion, Github blocked after DoT order: Report

praskrishna — 2015-01-03T04:17:48Z

A number of Indian users are reporting they're not able to access websites such as Pastebin, DailyMotion and Github while accessing the internet through providers such as BSNL and Vodafone.

The article by Anupam Saxena was published in the Times of India on December 31, 2014. Pranesh Prakash is quoted.

The block was first reported by Pastebin, a website where you can store text online for a set period of time, through its social media accounts on December 19. In a follow-up post on December 26, the site posted that it was still blocked in India on the directions of the Indian government.A number of users also posted about the blocks on Reddit threads confirming that the sites have been blocked by Vodafone, BSNL and Hathway, among others.It now appears that the blocks are being carried out on the instructions of DoT (Department of Telecom). The telecom body reportedly issued a notification regarding the same on December 17. A screenshot of the circular has been posted on Twitter by Pranesh Prakash.

The notification mentions that 32 URLs including Pastebin, video sharing sites Vimeo and DailyMotion, Internet archive site archive.org and Github.com( a web-based software code repository), have been blocked under Section 69A of the Information Technology Act, 2000. DoT has also asked ISPs to submit compliance reports. However, we have not been able to verify the authenticity of the circular.

At the time of writing this story, we could not access Pastebin, DailyMotion and Github on Vodafone 3G and our office network that has access via dedicated lines. Vodafone is not displaying any errors and is simply blocking access. However, a number of users report that they're getting an error that says 'the site is blocked as per the instructions of Competent Authority.' However, we were able to access all the websites on Airtel 3G.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-anupam-saxena-december-31-2014-pastein-dailymotion-github-blocked-after-dot-order

Partnership on AI adds new organizations to its network

praskrishna — 2017-05-19T06:40:08Z

The Partnership on AI to Benefit People and Society (Partnership on AI) is strengthening its network of partners by welcoming new organizations to share their diverse, unique perspectives on AI.

The blog post by Madison Moore was published in Software Development Times on May 17, 2017.

Earlier in the year, Partnership on AI brought in Apple and six nonprofit board members to serve on the board of directors. This week, the partnership announced that 22 new organizations will join the Partnership on AI, and these organizations will work and support the board of directors.

The Partnership on AI is welcoming eight new for-profit partners, including eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, and Zalando, along with the start-up Cogitai.

The fourteen non-profit Partners that joined include: Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society – India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, and the XPRIZE Foundation.

Some of the representatives from these newly added organizations include Dr. Hiroaki Kitano, who is the head of Sony Computer Science Laboratories. Other collaborators include Chris Fabian, who leads the Ventures team in UNICEF’s Office of Innovation. SAP’s Dr. Markus Noga, who has led efforts applying machine learning to business problems, is also joining the partnership.

Additionally, the partnership will move forward with one other initiative, and that is to form a cross-conference “AI, People, and Society” Best Paper Award, and start an AI Grand Challenge series, which will focus on addressing long-term social and societal issues around artificial intelligence.

The partnership is also in the process of finding an executive director, and that person will oversee day-to-day operation of the organization.

For more details visit https://cis-india.org/internet-governance/news/sd-times-may-17-partnership-on-ai-adds-new-organizations-to-its-network

Partnership on AI Adds Corporate, NGO Members, Charts Initial Course

praskrishna — 2017-05-19T06:00:15Z

Artificial intelligence is a booming business in 2017, but one that also comes with significant baggage in the form of public misunderstanding, potential job losses, and fear.

The blog post by Benjamin Roman was published by Xconomy on May 16, 2017.

Last fall, A.I. competitors Amazon, Microsoft, Facebook, IBM, and Google banded together to form the Partnership on AI to Benefit People and Society, an industry-led attempt to get ahead of the many social, ethical, and economic issues presented by the advent of technology with increasingly human-like capabilities. Apple joined the group as another founding member earlier this year.

On Tuesday, the Partnership on AI (PAI) announced nearly two dozen new members, including more of the tech industry’s biggest names—Intel, eBay, Salesforce, and SAP among them—and many of the world’s foremost A.I. research institutions, such as the Seattle-based Allen Institute for Artificial Intelligence. Also joining are nonprofits focused on digital privacy, human rights, and freedom. The full list of members is below.

The organization also outlined its initial plan of action, organized around seven “thematic pillars” (several of which hew closely to the AI principles agreed on by a gathering of researchers at the Asilomar conference earlier this year). The PAI pillars include safety, transparency, human-A.I. collaboration, economic and workforce impacts, and social and societal impacts.

After a recent board of directors retreat, the PAI plans: working groups to develop best practices by topic and sector; a fellowship for individuals at nonprofits and non-governmental organizations; an “AI, People, and Society” Best Paper Award; and a series of A.I. Grand Challenges aimed at “some of the most pressing long-term social and societal issues.”

The PAI is finding its organizational footing, but still has some big pieces missing: an executive director, for one.

While it was organized by the biggest names in technology and business, the PAI also aspires to be a “multi-stakeholder” organization and has welcomed into its fold the likes of the American Civil Liberties Union, Center for Democracy & Technology, Electronic Frontier Foundation, and Human Rights Watch.

It will be interesting to watch the degree to which these groups and their representatives to the PAI have sway over the organization’s direction, and the policy positions and best practices it puts forth—particularly on issues that could conflict with the business interests of its for-profit member companies.

PAI founding partners: Amazon, Apple, DeepMind, Google, Facebook, IBM, Microsoft

Other for-profit partners: eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, Zalando, Cogitai

Nonprofit partners: Association for the Advancement of Artificial Intelligence, ACLU, Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society—India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, OpenAI, UNICEF, Upturn, the XPRIZE Foundation.

For more details visit https://cis-india.org/internet-governance/news/x-conomy-benjamin-romano-may-16-2017-partnership-on-ai-adds-corporate-ngo-members-charts-initial-course

Parties seek social media influencers to go viral

Admin — 2018-04-03T15:30:30Z

It was 2015. Rahul Gandhi, Congress vice president then, met Mount Carmel College students in Bengaluru. Soon after the interaction, there were media reports on how Gandhi was stumped by the questions.

The article by Ipsita Basu was published in the Economic Times on March 31, 2018. Sunil Abraham was quoted.

While everybody was debating what really transpired in the auditorium, a 20-something Elixir Nahar wrote an open letter to Gandhi which said: ‘Thanks for stopping by, Rahul Gandhi. You were inspiring’.

It was the letter’s outspokenness and stating of facts that caught the imagination of everyone, especially on social media. The blog post went viral and was shared widely across digital platforms. In 2017, Nahar became part of the Congress social media cell when the party wanted to increase the party’s digital outreach.

Digital-savvy influencers are now an essential part of social media teams of political parties, which know that a viral tweet or a post can mean immense visibility. Knowing that traditional means like door-todoor campaigning and rallies have limited reach towards millennials, parties are making sure that the right messaging is sent out through such influencers, who usually have a large following on platforms like Twitter, Facebook and even Instagram.

According to Sunil Abraham, executive director, the Centre for Internet and Society, a Bengalurubased organisation looking at multidisciplinary research and advocacy works in internet and society, “Internet communication is becoming more and more sophisticated. Social media is not impressed by just ghost accounts and mass propagation. Influencers come with their own brand and credibility and this constitutes into more articulate and targeted communication, which is an engaging way to speak to a constituency."

Shilpa Ganesh, star wife and state vice president of BJP Mahila Morcha, is an intrinsic part of the party’s social media outreach. With 56,000 followers on Twitter and close to 2,00,000 on Facebook, she makes for a formidable influencer. “Most of my posts get a huge traction. I spend about 15-18 hours on various social media platforms to track news and restrict issue-related posts to at least twice a day,” she says.

Working on such social media teams is a draw for young corporates, IT professionals and college students who want to experience the power of digital media. Kamran Shahid, 28, a simulation engineer with a German car company, has taken a break, to work for the Aam Aadmi Party. Shahid, who now oversees the party’s state social media, was chosen for his knack with words and digital content.

Influencers are picked depending on their online popularity, proficiency to articulate on the Internet and the number of followers across platforms. The identities of those working in the background are kept under wraps. Review meetings are held every week to discuss the next strategy. Actor and former Mandya MP Divya Spandana, the chief of social media and digital communications of the Congress, has put together a mid-size team for digital outreach. “We’ve chosen people from diverse backgrounds who share our ideology. Each one brings a specific skill set to our team,” says Spandana, who is on the phone 24x7 tracking social media developments.

For more details visit https://cis-india.org/internet-governance/news/economic-times-ipsita-basu-march-31-2018-parties-seek-social-media-influencers-to-go-viral

Parties give short shrift to privacy

praskrishna — 2014-05-05T05:54:11Z

Both the Congress and BJP vision documents disappoint, but the real surprise is the CPI-M document that deals with cyber issues in a substantial manner.

The article by Pratap Vikram Singh was published in GovernanceNow.com on April 12, 2014. Sunil Abraham is quoted.

For civil rights activists in the internet and cyber space, the election manifestoes of major political parties including the Congress and the BJP have come as a disappointment. Both the parties are mute on privacy. In the recent past there has been a vociferous demand for a strong legislation on privacy. A draft bill on privacy has been making rounds of the bureaucratic circle for three years. Manifestoes are also silent on the need for correction in the information technology act, which activists say is characterised by 'arbitrariness and lack of processes'.

“A healthy democracy gives equal weightage to transparency and privacy. It’s disappointing that the two parties have overlooked these two,” says Sunil Abraham, director of the Bangalore based Centre for Internet and Society (CIS). Both Congress and BJP don’t mention about the lack of implementation of the open data policy. The policy, aka NDSAP 2012, requires all departments and ministries to put high value data sets in public domain within a few months of the policy enforcement. The parties are also silent on need for a balancing act on surveillance and civil liberty.

Nikhil Pahwa, founder of Medianama.com, a portal posting news and analysis on digital media, says “The parties could have talked about reforming the IT legislation, especially the Section 79 and IT Rules 2011 which gives the intermediaries—the ISPs, websites, and cyber cafes—the power to strike down content without even hearing the author.” The law, currently, doesn’t provide a redressal mechanism to the author.

Similarly both parties are mute on internet governance, which has become a major global issue after the US showed willingness to cede its monopolistic oversight over the body governing the internet ICANN.

The Congress manifesto is also blank on making websites and systems accessible for specially-abled population, also called as e-accessibility. While the BJP too doesn’t talk about making government portals e-accessible, it speaks about the use of technology to deliver low cost quality education to specially-abled students. Issuance of universal identity cards for all applicable government benefits and disabled friendly access to public facilities are two other things which the party promises to implement if voted in power.

Both election manifestoes don’t mention concerns related to telecommunication sector. Broadband is the only term that appears in the two manifestoes. The Congress promises to bring high speed Internet to every village panchayat. This is not a new initiative; a project under DoT called national optical fibre network, NOFN, proposes to do the same. The BJP’s manifesto says, “Deployment of broadband in every village would be a thrust area.”

Both parties also talk about putting public services online. There is also nothing concrete about promotion of indigenous manufacturing in electronics and IT hardware. While there are serious omissions in the two manifestoes, the manifesto of the CPI-M surprises many, highlighting key issues concerning civil rights and liberty.

The manifesto talks about ‘demilitarisation of cyber space’ and ‘protecting Internet and telecommunications networks from cyber attacks and surveillance by building indigenous capability’. Edward Snowden’s revelation of the PRISM programme seems to be the context. It also talks about promoting ‘free software and other such new technologies which are free from monopoly ownership through copyrights or patents; knowledge commons should be promoted across disciplines, like biotechnology and drug discovery’.

For more details visit https://cis-india.org/news/governance-now-april-12-2014-pratap-vikram-singh-parties-give-short-shrift-to-privacy

Participation in the meetings of ISO/IEC JTC 1/SC 27 'IT Security techniques'

Admin — 2018-10-31T01:28:29Z

From 30 September 2018 to 4 October 2018, Gurshabad Grover participated in the meetings of the working groups of ISO/IEC JTC 1/SC 27 'IT Security techniques' held in Gjøvik, Norway. The meetings were organized by Standards Norway with support from NTNU, Microsoft, Telenor, et.al.

Gurshabad mainly focused on the meetings of Working Group 5 responsible for standards and research in "Identity management and privacy technologies" in SC 27. I attended sessions discussing work related to current ISO/IEC standards and upcoming work in the WG, such as:

Establishing a PII deletion concept in organizations

Privacy guidelines for smart cities

Additional privacy-enhancing data de-identification standards

Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management

User-centric framework for PII handling based on user privacy preferences

Gurshabad will be a co-rapporteur on a 12-month study period to investigate the 'Impact of Artificial Intelligence on Privacy' which was initiated by the WG in the meeting. Additionally, I was a part of the drafting committee which prepared the final resolutions and liaison statements from the meeting.

Gurshabad also attended the Norwegian Business Forum on cyber security which was held on October 4th, which featured talks by professionals and academicians working in cyber security in their different sectors. The agenda for the business forum can be found here.

For more details visit https://cis-india.org/internet-governance/news/participation-in-the-meetings-of-iso-iec-jtc-1-sc-27-it-security-techniques

Participation in the meeting of LITD 17 at BIS

Admin — 2019-11-02T06:30:29Z

On September 25, 2019, Gurshabad Grover along with Elonnai Hickok and Karan Saini attended the meeting of the Information Systems Security & Privacy Sectional Committee (LITD17) of the Bureau of Indian Standards (BIS).

Some agenda points:

Elonnai, Karan and Gurshabad had submitted comments on two standards related to infomration security of biometrics systems: (i) ISO/IEC 24745: 2011 Information Technology – Security techniques – Biometric information protection; (ii) Doc. No. LITD 17 (3595) ISO/IEC 19792: 2009 Information Technology – Security techniques – Security evaluation of biometrics. Gurshabad Grover is now serving in a panel with BIS and MeitY representatives to discuss how the standards compare to UIDAI's standards and governing regulations.
Gurshabad updated the committee with my plan of participation at the ISO/IEC JTC 1 SC 27 meetings (which were held earlier this month in Paris).
Gurshabad will be joining a panel to discuss and further develop a draft mobile phone security standard for India.

For more details visit https://cis-india.org/internet-governance/news/participation-in-the-meeting-of-litd-17-at-bis

Participation in the meeting of BIS LITD 17

Admin — 2019-03-03T06:12:01Z

Gurshabad Grover participated in the fifteenth meeting of the Information Systems Security and Biometrics Sectional Committee (LITD 17) of the Bureau of Indian Standards (BIS), which was conducted online on February 26.

Some of the things we discussed included:

Participation of committee members at the ISO level in SC 27 'IT Security Techniques' working groups.
Update from the last SC 27 working group meetings (I updated the committee with some standards I was tracking and my participation as co-rapporteur in the 'Impact of AI on Privacy' study period).
Participation in the next SC 27 working group meetings, which will be held in April (where I will be participating in WG 1 'Information Security Management Systems' and WG 5 'Identity management and privacy technologies' meetings).

For more details visit https://cis-india.org/internet-governance/news/participation-in-the-meeting-of-bis-litd-17

Participation in ISO/IEC JTC 1 SC 27 meetings

Admin — 2019-11-02T06:31:46Z

From October 14 - 18, 2019, Gurshabad Grover, participated in the meetings of ISO/IEC JTC 1 SC 27 held in Paris, the committee that develops international standards for IT Security techniques.

Gurshabad focused on the meetings of working group 5 that deals with identity management and privacy technologies. Some highlights of the participation:

I represented the Indian delegation's contributions in the comment resolution meeting on WD TS 27570: Privacy guidelines for smart cities.

Since October 2018, I have been a co-rapporteur on the working groups' study period on the impact of machine learning on privacy. At this meeting, we presented our interim report. We are extending the study period for six months to further collaborate with SC 42 (that deals with artificial intelligence standards) to document privacy aspects for the applications and use cases they have developed.

I will now be a co-rapporteur on the study period on `Privacy for fintech services', which was initiated in this meeting. We will be surveying privacy standards and data protection regulations to assess the need for new work items (standards/guidelines document) in the space.

For more details visit https://cis-india.org/internet-governance/news/participation-in-iso-iec-jtc-1-sc-27-meetings

Parsing the Cyber Security Policy

chinmayi — 2013-07-22T06:37:56Z

An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble, says Chinmayi Arun.

Chinmayi Arun's article was published in the Hoot on July 13, 2013 and later cross-posted in the Free Speech Initiative the same day.

We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of Anonymous, which carried out a series of attacks, including the website run by Computer Emergency Response Team India (CERT-In) which is the government agency in charge of cyber-security. Even more serious, are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as Stuxnet, the digital worm. More proximate and personal are perhaps the phishing attacks, which are on the rise.

We therefore run a great risk if we leave air-traffic control, defense resources or databases containing several citizens’ personal data vulnerable. Sure, there is no doubt that efforts towards better cyber-security are needed. A cyber-security policy is meant to address this need, and to help manage threats to individuals, businesses and government agencies. We need to carefully examine the government’s efforts to handle cyber-security, how effective it is and whether its actions do not have too many negative spillovers.

The National Cyber-Security Policy, unveiled last week, is merely a statement of intention in broad terms. Much of its real impact will be ascertainable only after the language to be used in the law is available. Nevertheless, the scope of the policy remains ambiguous so far, leading to much speculation about the different ways in which it might be intrusive.

One Size Fits All?

The policy covers very different kinds of entities: government agencies, private companies or businesses, non-governmental entities and individual users. These entities may need to be handled differently depending on their nature. Therefore, while direct state action may be most appropriate to secure government agencies’ networks, it may be less appropriate in the context of purely private business.

For example, securing police records would involve the government directly purchasing or developing sufficiently secure technology. However, different private businesses and non-governmental entities may be left to manage their own security. Depending on the size of each entity, each may be differently placed to acquire sophisticated security systems. A good policy would encourage innovation by those with the capacity to do this, while ensuring that others have access to reasonably sound technology, and that they use it. Grey-areas might emerge in contexts where a private party is manages critical infrastructure.

It will also be important to distinguish between smaller and larger organisations whilst creating obligations. Unless this distinction is made at the implementation stage, start-up businesses and civil society organisations may find requirements such as earmarking a budget for cyber security implementation or appointing a Chief Information Security Officer onerous. Additionally, the policy will need to translate into a regulatory solution that provides under-resourced entities with ready solutions to enable them to make their information systems secure, while encouraging larger entities with greater purchasing power to invest in procuring the best possible solutions.

Race to the Top

Security on the Internet works only if it stays one step ahead the people trying to break in. An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble.

The policy contemplates working with industry and supporting academic research and development to achieve this. However the actual manner in which resources are distributed and progress is monitored may make the crucial difference between a waste of public funds and acquisition of capacity to achieve a reasonable degree of cyber security.

Additionally the flow of public funds under this policy, particularly to purchase technology, should be examined very carefully to see whether it is justified. For example, if the government chooses to fund (even by way of subsidy) a private company’s cyber-security research and development rather than an equivalent public university’s endeavour, this decision should be scrutinized to see whether it was necessary. Similarly, if extensive public funds are spent training young people as a capacity-building exercise, we should watch to see how many of these people stay in India and how many leave such that other countries end up benefiting from the Indian government’s investment in them!

Investigation of Security Threats

Although much of the policy focuses on defensive measures that can be taken against security breaches, it is intended not only to cover investigation subsequent to an attack but also to pinpoint ‘potential cyber threats’ so that proactive measures may be taken.

The policy has outlined the need for a ‘Cyber Crisis Management Plan’ to handle incidents that impact ‘critical national processes or endanger public safety and security of the nation’. This portion of the policy will need to be watched closely to ensure that the language used is very narrow and allows absolutely no scope for misinterpretation or misuse that would affect citizens’ rights in any manner.

This caution will be necessary both in view of the manner in which restraints on freedom of speech permitted in the interests of public safety have been flagrantly abused, and because of the kind of paternalistic state intrusion that might be conceived to give effect to this.

Additionally, since the policy also mentions information sharing with internal and international security, defence, law enforcement and other such agencies, it will also be important to find out the exact nature of information to be shared. Of course, how the policy will be put into place will only become clear as the terms governing its various parts emerge. But one hopes the necessary internal direct action to ensure the government agencies’ information networks are secure is already well underway.

It is also to be hoped that the government chooses to take implementation of privacy rights at least as seriously as cyber-security. If some parts of cyber security involve ensuring that user data is protected, the decision about what data needs protection will be important to this exercise.

Additionally, although the policy discusses various enabling and standard-setting measures, it does not discuss the punitive consequences of failure to take reasonable steps to safeguard individuals’ personal data online. These consequences will also presumably form a part of the privacy policy, and should be put in place as early as possible.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy