We are anonymous, we are legion

Pastebin, Dailymotion, Github blocked after DoT order: Report

praskrishna — 2015-01-03T04:17:48Z

A number of Indian users are reporting they're not able to access websites such as Pastebin, DailyMotion and Github while accessing the internet through providers such as BSNL and Vodafone.

The article by Anupam Saxena was published in the Times of India on December 31, 2014. Pranesh Prakash is quoted.

The block was first reported by Pastebin, a website where you can store text online for a set period of time, through its social media accounts on December 19. In a follow-up post on December 26, the site posted that it was still blocked in India on the directions of the Indian government.A number of users also posted about the blocks on Reddit threads confirming that the sites have been blocked by Vodafone, BSNL and Hathway, among others.It now appears that the blocks are being carried out on the instructions of DoT (Department of Telecom). The telecom body reportedly issued a notification regarding the same on December 17. A screenshot of the circular has been posted on Twitter by Pranesh Prakash.

The notification mentions that 32 URLs including Pastebin, video sharing sites Vimeo and DailyMotion, Internet archive site archive.org and Github.com( a web-based software code repository), have been blocked under Section 69A of the Information Technology Act, 2000. DoT has also asked ISPs to submit compliance reports. However, we have not been able to verify the authenticity of the circular.

At the time of writing this story, we could not access Pastebin, DailyMotion and Github on Vodafone 3G and our office network that has access via dedicated lines. Vodafone is not displaying any errors and is simply blocking access. However, a number of users report that they're getting an error that says 'the site is blocked as per the instructions of Competent Authority.' However, we were able to access all the websites on Airtel 3G.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-anupam-saxena-december-31-2014-pastein-dailymotion-github-blocked-after-dot-order

Partnership on AI adds new organizations to its network

praskrishna — 2017-05-19T06:40:08Z

The Partnership on AI to Benefit People and Society (Partnership on AI) is strengthening its network of partners by welcoming new organizations to share their diverse, unique perspectives on AI.

The blog post by Madison Moore was published in Software Development Times on May 17, 2017.

Earlier in the year, Partnership on AI brought in Apple and six nonprofit board members to serve on the board of directors. This week, the partnership announced that 22 new organizations will join the Partnership on AI, and these organizations will work and support the board of directors.

The Partnership on AI is welcoming eight new for-profit partners, including eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, and Zalando, along with the start-up Cogitai.

The fourteen non-profit Partners that joined include: Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society – India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, and the XPRIZE Foundation.

Some of the representatives from these newly added organizations include Dr. Hiroaki Kitano, who is the head of Sony Computer Science Laboratories. Other collaborators include Chris Fabian, who leads the Ventures team in UNICEF’s Office of Innovation. SAP’s Dr. Markus Noga, who has led efforts applying machine learning to business problems, is also joining the partnership.

Additionally, the partnership will move forward with one other initiative, and that is to form a cross-conference “AI, People, and Society” Best Paper Award, and start an AI Grand Challenge series, which will focus on addressing long-term social and societal issues around artificial intelligence.

The partnership is also in the process of finding an executive director, and that person will oversee day-to-day operation of the organization.

For more details visit https://cis-india.org/internet-governance/news/sd-times-may-17-partnership-on-ai-adds-new-organizations-to-its-network

Partnership on AI Adds Corporate, NGO Members, Charts Initial Course

praskrishna — 2017-05-19T06:00:15Z

Artificial intelligence is a booming business in 2017, but one that also comes with significant baggage in the form of public misunderstanding, potential job losses, and fear.

The blog post by Benjamin Roman was published by Xconomy on May 16, 2017.

Last fall, A.I. competitors Amazon, Microsoft, Facebook, IBM, and Google banded together to form the Partnership on AI to Benefit People and Society, an industry-led attempt to get ahead of the many social, ethical, and economic issues presented by the advent of technology with increasingly human-like capabilities. Apple joined the group as another founding member earlier this year.

On Tuesday, the Partnership on AI (PAI) announced nearly two dozen new members, including more of the tech industry’s biggest names—Intel, eBay, Salesforce, and SAP among them—and many of the world’s foremost A.I. research institutions, such as the Seattle-based Allen Institute for Artificial Intelligence. Also joining are nonprofits focused on digital privacy, human rights, and freedom. The full list of members is below.

The organization also outlined its initial plan of action, organized around seven “thematic pillars” (several of which hew closely to the AI principles agreed on by a gathering of researchers at the Asilomar conference earlier this year). The PAI pillars include safety, transparency, human-A.I. collaboration, economic and workforce impacts, and social and societal impacts.

After a recent board of directors retreat, the PAI plans: working groups to develop best practices by topic and sector; a fellowship for individuals at nonprofits and non-governmental organizations; an “AI, People, and Society” Best Paper Award; and a series of A.I. Grand Challenges aimed at “some of the most pressing long-term social and societal issues.”

The PAI is finding its organizational footing, but still has some big pieces missing: an executive director, for one.

While it was organized by the biggest names in technology and business, the PAI also aspires to be a “multi-stakeholder” organization and has welcomed into its fold the likes of the American Civil Liberties Union, Center for Democracy & Technology, Electronic Frontier Foundation, and Human Rights Watch.

It will be interesting to watch the degree to which these groups and their representatives to the PAI have sway over the organization’s direction, and the policy positions and best practices it puts forth—particularly on issues that could conflict with the business interests of its for-profit member companies.

PAI founding partners: Amazon, Apple, DeepMind, Google, Facebook, IBM, Microsoft

Other for-profit partners: eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, Zalando, Cogitai

Nonprofit partners: Association for the Advancement of Artificial Intelligence, ACLU, Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society—India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, OpenAI, UNICEF, Upturn, the XPRIZE Foundation.

For more details visit https://cis-india.org/internet-governance/news/x-conomy-benjamin-romano-may-16-2017-partnership-on-ai-adds-corporate-ngo-members-charts-initial-course

Parties seek social media influencers to go viral

Admin — 2018-04-03T15:30:30Z

It was 2015. Rahul Gandhi, Congress vice president then, met Mount Carmel College students in Bengaluru. Soon after the interaction, there were media reports on how Gandhi was stumped by the questions.

The article by Ipsita Basu was published in the Economic Times on March 31, 2018. Sunil Abraham was quoted.

While everybody was debating what really transpired in the auditorium, a 20-something Elixir Nahar wrote an open letter to Gandhi which said: ‘Thanks for stopping by, Rahul Gandhi. You were inspiring’.

It was the letter’s outspokenness and stating of facts that caught the imagination of everyone, especially on social media. The blog post went viral and was shared widely across digital platforms. In 2017, Nahar became part of the Congress social media cell when the party wanted to increase the party’s digital outreach.

Digital-savvy influencers are now an essential part of social media teams of political parties, which know that a viral tweet or a post can mean immense visibility. Knowing that traditional means like door-todoor campaigning and rallies have limited reach towards millennials, parties are making sure that the right messaging is sent out through such influencers, who usually have a large following on platforms like Twitter, Facebook and even Instagram.

According to Sunil Abraham, executive director, the Centre for Internet and Society, a Bengalurubased organisation looking at multidisciplinary research and advocacy works in internet and society, “Internet communication is becoming more and more sophisticated. Social media is not impressed by just ghost accounts and mass propagation. Influencers come with their own brand and credibility and this constitutes into more articulate and targeted communication, which is an engaging way to speak to a constituency."

Shilpa Ganesh, star wife and state vice president of BJP Mahila Morcha, is an intrinsic part of the party’s social media outreach. With 56,000 followers on Twitter and close to 2,00,000 on Facebook, she makes for a formidable influencer. “Most of my posts get a huge traction. I spend about 15-18 hours on various social media platforms to track news and restrict issue-related posts to at least twice a day,” she says.

Working on such social media teams is a draw for young corporates, IT professionals and college students who want to experience the power of digital media. Kamran Shahid, 28, a simulation engineer with a German car company, has taken a break, to work for the Aam Aadmi Party. Shahid, who now oversees the party’s state social media, was chosen for his knack with words and digital content.

Influencers are picked depending on their online popularity, proficiency to articulate on the Internet and the number of followers across platforms. The identities of those working in the background are kept under wraps. Review meetings are held every week to discuss the next strategy. Actor and former Mandya MP Divya Spandana, the chief of social media and digital communications of the Congress, has put together a mid-size team for digital outreach. “We’ve chosen people from diverse backgrounds who share our ideology. Each one brings a specific skill set to our team,” says Spandana, who is on the phone 24x7 tracking social media developments.

For more details visit https://cis-india.org/internet-governance/news/economic-times-ipsita-basu-march-31-2018-parties-seek-social-media-influencers-to-go-viral

Parties give short shrift to privacy

praskrishna — 2014-05-05T05:54:11Z

Both the Congress and BJP vision documents disappoint, but the real surprise is the CPI-M document that deals with cyber issues in a substantial manner.

The article by Pratap Vikram Singh was published in GovernanceNow.com on April 12, 2014. Sunil Abraham is quoted.

For civil rights activists in the internet and cyber space, the election manifestoes of major political parties including the Congress and the BJP have come as a disappointment. Both the parties are mute on privacy. In the recent past there has been a vociferous demand for a strong legislation on privacy. A draft bill on privacy has been making rounds of the bureaucratic circle for three years. Manifestoes are also silent on the need for correction in the information technology act, which activists say is characterised by 'arbitrariness and lack of processes'.

“A healthy democracy gives equal weightage to transparency and privacy. It’s disappointing that the two parties have overlooked these two,” says Sunil Abraham, director of the Bangalore based Centre for Internet and Society (CIS). Both Congress and BJP don’t mention about the lack of implementation of the open data policy. The policy, aka NDSAP 2012, requires all departments and ministries to put high value data sets in public domain within a few months of the policy enforcement. The parties are also silent on need for a balancing act on surveillance and civil liberty.

Nikhil Pahwa, founder of Medianama.com, a portal posting news and analysis on digital media, says “The parties could have talked about reforming the IT legislation, especially the Section 79 and IT Rules 2011 which gives the intermediaries—the ISPs, websites, and cyber cafes—the power to strike down content without even hearing the author.” The law, currently, doesn’t provide a redressal mechanism to the author.

Similarly both parties are mute on internet governance, which has become a major global issue after the US showed willingness to cede its monopolistic oversight over the body governing the internet ICANN.

The Congress manifesto is also blank on making websites and systems accessible for specially-abled population, also called as e-accessibility. While the BJP too doesn’t talk about making government portals e-accessible, it speaks about the use of technology to deliver low cost quality education to specially-abled students. Issuance of universal identity cards for all applicable government benefits and disabled friendly access to public facilities are two other things which the party promises to implement if voted in power.

Both election manifestoes don’t mention concerns related to telecommunication sector. Broadband is the only term that appears in the two manifestoes. The Congress promises to bring high speed Internet to every village panchayat. This is not a new initiative; a project under DoT called national optical fibre network, NOFN, proposes to do the same. The BJP’s manifesto says, “Deployment of broadband in every village would be a thrust area.”

Both parties also talk about putting public services online. There is also nothing concrete about promotion of indigenous manufacturing in electronics and IT hardware. While there are serious omissions in the two manifestoes, the manifesto of the CPI-M surprises many, highlighting key issues concerning civil rights and liberty.

The manifesto talks about ‘demilitarisation of cyber space’ and ‘protecting Internet and telecommunications networks from cyber attacks and surveillance by building indigenous capability’. Edward Snowden’s revelation of the PRISM programme seems to be the context. It also talks about promoting ‘free software and other such new technologies which are free from monopoly ownership through copyrights or patents; knowledge commons should be promoted across disciplines, like biotechnology and drug discovery’.

For more details visit https://cis-india.org/news/governance-now-april-12-2014-pratap-vikram-singh-parties-give-short-shrift-to-privacy

Participation in the meetings of ISO/IEC JTC 1/SC 27 'IT Security techniques'

Admin — 2018-10-31T01:28:29Z

From 30 September 2018 to 4 October 2018, Gurshabad Grover participated in the meetings of the working groups of ISO/IEC JTC 1/SC 27 'IT Security techniques' held in Gjøvik, Norway. The meetings were organized by Standards Norway with support from NTNU, Microsoft, Telenor, et.al.

Gurshabad mainly focused on the meetings of Working Group 5 responsible for standards and research in "Identity management and privacy technologies" in SC 27. I attended sessions discussing work related to current ISO/IEC standards and upcoming work in the WG, such as:

Establishing a PII deletion concept in organizations

Privacy guidelines for smart cities

Additional privacy-enhancing data de-identification standards

Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management

User-centric framework for PII handling based on user privacy preferences

Gurshabad will be a co-rapporteur on a 12-month study period to investigate the 'Impact of Artificial Intelligence on Privacy' which was initiated by the WG in the meeting. Additionally, I was a part of the drafting committee which prepared the final resolutions and liaison statements from the meeting.

Gurshabad also attended the Norwegian Business Forum on cyber security which was held on October 4th, which featured talks by professionals and academicians working in cyber security in their different sectors. The agenda for the business forum can be found here.

For more details visit https://cis-india.org/internet-governance/news/participation-in-the-meetings-of-iso-iec-jtc-1-sc-27-it-security-techniques

Participation in the meeting of LITD 17 at BIS

Admin — 2019-11-02T06:30:29Z

On September 25, 2019, Gurshabad Grover along with Elonnai Hickok and Karan Saini attended the meeting of the Information Systems Security & Privacy Sectional Committee (LITD17) of the Bureau of Indian Standards (BIS).

Some agenda points:

Elonnai, Karan and Gurshabad had submitted comments on two standards related to infomration security of biometrics systems: (i) ISO/IEC 24745: 2011 Information Technology – Security techniques – Biometric information protection; (ii) Doc. No. LITD 17 (3595) ISO/IEC 19792: 2009 Information Technology – Security techniques – Security evaluation of biometrics. Gurshabad Grover is now serving in a panel with BIS and MeitY representatives to discuss how the standards compare to UIDAI's standards and governing regulations.
Gurshabad updated the committee with my plan of participation at the ISO/IEC JTC 1 SC 27 meetings (which were held earlier this month in Paris).
Gurshabad will be joining a panel to discuss and further develop a draft mobile phone security standard for India.

For more details visit https://cis-india.org/internet-governance/news/participation-in-the-meeting-of-litd-17-at-bis

Participation in the meeting of BIS LITD 17

Admin — 2019-03-03T06:12:01Z

Gurshabad Grover participated in the fifteenth meeting of the Information Systems Security and Biometrics Sectional Committee (LITD 17) of the Bureau of Indian Standards (BIS), which was conducted online on February 26.

Some of the things we discussed included:

Participation of committee members at the ISO level in SC 27 'IT Security Techniques' working groups.
Update from the last SC 27 working group meetings (I updated the committee with some standards I was tracking and my participation as co-rapporteur in the 'Impact of AI on Privacy' study period).
Participation in the next SC 27 working group meetings, which will be held in April (where I will be participating in WG 1 'Information Security Management Systems' and WG 5 'Identity management and privacy technologies' meetings).

For more details visit https://cis-india.org/internet-governance/news/participation-in-the-meeting-of-bis-litd-17

Participation in ISO/IEC JTC 1 SC 27 meetings

Admin — 2019-11-02T06:31:46Z

From October 14 - 18, 2019, Gurshabad Grover, participated in the meetings of ISO/IEC JTC 1 SC 27 held in Paris, the committee that develops international standards for IT Security techniques.

Gurshabad focused on the meetings of working group 5 that deals with identity management and privacy technologies. Some highlights of the participation:

I represented the Indian delegation's contributions in the comment resolution meeting on WD TS 27570: Privacy guidelines for smart cities.

Since October 2018, I have been a co-rapporteur on the working groups' study period on the impact of machine learning on privacy. At this meeting, we presented our interim report. We are extending the study period for six months to further collaborate with SC 42 (that deals with artificial intelligence standards) to document privacy aspects for the applications and use cases they have developed.

I will now be a co-rapporteur on the study period on `Privacy for fintech services', which was initiated in this meeting. We will be surveying privacy standards and data protection regulations to assess the need for new work items (standards/guidelines document) in the space.

For more details visit https://cis-india.org/internet-governance/news/participation-in-iso-iec-jtc-1-sc-27-meetings

Parsing the Cyber Security Policy

chinmayi — 2013-07-22T06:37:56Z

An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble, says Chinmayi Arun.

Chinmayi Arun's article was published in the Hoot on July 13, 2013 and later cross-posted in the Free Speech Initiative the same day.

We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of Anonymous, which carried out a series of attacks, including the website run by Computer Emergency Response Team India (CERT-In) which is the government agency in charge of cyber-security. Even more serious, are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as Stuxnet, the digital worm. More proximate and personal are perhaps the phishing attacks, which are on the rise.

We therefore run a great risk if we leave air-traffic control, defense resources or databases containing several citizens’ personal data vulnerable. Sure, there is no doubt that efforts towards better cyber-security are needed. A cyber-security policy is meant to address this need, and to help manage threats to individuals, businesses and government agencies. We need to carefully examine the government’s efforts to handle cyber-security, how effective it is and whether its actions do not have too many negative spillovers.

The National Cyber-Security Policy, unveiled last week, is merely a statement of intention in broad terms. Much of its real impact will be ascertainable only after the language to be used in the law is available. Nevertheless, the scope of the policy remains ambiguous so far, leading to much speculation about the different ways in which it might be intrusive.

One Size Fits All?

The policy covers very different kinds of entities: government agencies, private companies or businesses, non-governmental entities and individual users. These entities may need to be handled differently depending on their nature. Therefore, while direct state action may be most appropriate to secure government agencies’ networks, it may be less appropriate in the context of purely private business.

For example, securing police records would involve the government directly purchasing or developing sufficiently secure technology. However, different private businesses and non-governmental entities may be left to manage their own security. Depending on the size of each entity, each may be differently placed to acquire sophisticated security systems. A good policy would encourage innovation by those with the capacity to do this, while ensuring that others have access to reasonably sound technology, and that they use it. Grey-areas might emerge in contexts where a private party is manages critical infrastructure.

It will also be important to distinguish between smaller and larger organisations whilst creating obligations. Unless this distinction is made at the implementation stage, start-up businesses and civil society organisations may find requirements such as earmarking a budget for cyber security implementation or appointing a Chief Information Security Officer onerous. Additionally, the policy will need to translate into a regulatory solution that provides under-resourced entities with ready solutions to enable them to make their information systems secure, while encouraging larger entities with greater purchasing power to invest in procuring the best possible solutions.

Race to the Top

Security on the Internet works only if it stays one step ahead the people trying to break in. An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble.

The policy contemplates working with industry and supporting academic research and development to achieve this. However the actual manner in which resources are distributed and progress is monitored may make the crucial difference between a waste of public funds and acquisition of capacity to achieve a reasonable degree of cyber security.

Additionally the flow of public funds under this policy, particularly to purchase technology, should be examined very carefully to see whether it is justified. For example, if the government chooses to fund (even by way of subsidy) a private company’s cyber-security research and development rather than an equivalent public university’s endeavour, this decision should be scrutinized to see whether it was necessary. Similarly, if extensive public funds are spent training young people as a capacity-building exercise, we should watch to see how many of these people stay in India and how many leave such that other countries end up benefiting from the Indian government’s investment in them!

Investigation of Security Threats

Although much of the policy focuses on defensive measures that can be taken against security breaches, it is intended not only to cover investigation subsequent to an attack but also to pinpoint ‘potential cyber threats’ so that proactive measures may be taken.

The policy has outlined the need for a ‘Cyber Crisis Management Plan’ to handle incidents that impact ‘critical national processes or endanger public safety and security of the nation’. This portion of the policy will need to be watched closely to ensure that the language used is very narrow and allows absolutely no scope for misinterpretation or misuse that would affect citizens’ rights in any manner.

This caution will be necessary both in view of the manner in which restraints on freedom of speech permitted in the interests of public safety have been flagrantly abused, and because of the kind of paternalistic state intrusion that might be conceived to give effect to this.

Additionally, since the policy also mentions information sharing with internal and international security, defence, law enforcement and other such agencies, it will also be important to find out the exact nature of information to be shared. Of course, how the policy will be put into place will only become clear as the terms governing its various parts emerge. But one hopes the necessary internal direct action to ensure the government agencies’ information networks are secure is already well underway.

It is also to be hoped that the government chooses to take implementation of privacy rights at least as seriously as cyber-security. If some parts of cyber security involve ensuring that user data is protected, the decision about what data needs protection will be important to this exercise.

Additionally, although the policy discusses various enabling and standard-setting measures, it does not discuss the punitive consequences of failure to take reasonable steps to safeguard individuals’ personal data online. These consequences will also presumably form a part of the privacy policy, and should be put in place as early as possible.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy

Parliament panel blasts govt over ambiguous internet laws

praskrishna — 2013-03-28T08:37:30Z

The Parliamentary Standing Committee on Subordinate Legislation has come out with a report in which it has lambasted the government and asked it to make changes to IT rules that govern internet-related cases in India.

This article by Ishan Srivastava was published in the Times of India on March 28, 2013. Pranesh Prakash is quoted.

It said in the report that multiple clauses in the laws had inherent ambiguity and that discrepancies exist in the government's stand on whether some rules are mandatory or only of advisory nature.

The committee said that inherent ambiguity of words like 'blasphemy' and `disparaging', among others, could lead to harassment of people as has happened with Section 66A of the IT Act repeatedly in recent times. Incidents include the arrest of two girls over 'liking' a Facebook post and a defamation case against an individual for an 'offensive' tweet. It has also been used by multiple politicians to suppress voices of dissent by branding them as 'defamatory'.

These ambiguous terms are used in the Intermediary Guidelines rules, passed in April 2011, which the committtee said could lead to legitimate speech being removed. Also, the Standing Committee noted that many categories of speech prohibited by the Intermediary Guidelines rules were not prohibited by any statute, and hence could not be prohibited by the government through these rules. The Standing Committee has asked the government to ensure that "no new category of crimes or offences is created" by these rules.

The committee also said that discrepancies exist in the nature of implementation of these laws. While the government's stand is that Intermediary Guidelines are only "of advisory nature and self-regulation" and that "it is not mandatory for the Intermediary to disable the information", the wording of the laws suggest otherwise. In many of the laws, terms like "shall act" within 36 hours are used. The committee said that there was a "need for clarity on the aforesaid contradiction" and "safeguards to protect against any abuse" since it could lead to censorship.

"The government has told the Committee that the rules are for "self-regulation", but they in fact aren't. The rules dictate what content cannot be hosted. And our research found that intermediaries react to fake takedown requests too, just to avoid being liable for their users' content. This is not self-regulation, but government-mandated private censorship," said Pranesh Prakash, policy director at the Centre for Internet and Society (CIS). CIS is a Bangalore-based non-profit body looking at issues of public accountability, privacy, free expression, and openness, and has consistently argued that many parts of the IT Act are unconstitutional.

The committee also suggested that all evidence relating to foreign websites refusing to honour Indian laws should be made public and a public debate should be encouraged as the internet is a global phenomena. Recently there have been instances of issues between the Indian government and tech giants like Facebook and Google related to censorship and taking down of 'offensive' and 'defamatory' content.

While the government's stand is that Intermediary Guidelines are only "of advisory nature and self-regulation" and that "it is not mandatory for the Intermediary to disable the information," the wording of the laws suggest otherwise.

For more details visit https://cis-india.org/news/times-of-india-ishan-srivastava-march-28-2013-parliament-panel-blasts-govt-over-ambiguous-internet-laws

Paranoid about state surveillance? Here’s the FD Guide to living in the age of snoops

Admin — 2017-12-16T13:38:46Z

The US does it, so does China. Ever since Edward Snowden’s revelations back in 2013, which exposed the extent of the US’s global surveillance apparatus, the public has been fairly clued into the extent of mass surveillance.

The blog post by Sriram Sharma was published in Factor Daily on December 12, 2017

It doesn’t take a conspiracy theorist to worry that India does it (or wants to), too, especially with the high decibel campaigns by banks, telecom service providers and others to have Indians link Aadhaar, the unique citizen ID, to multiple services.

If you want a dystopian picture of the future of surveillance, look no further than China, considered the world’s worst abuser of internet freedom for the third year in a row, according to the new Freedom House, a US-based NGO that conducts research and analysis on the internet. With a score of 87/100 (higher is worse), the Chinese state is renowned for its Great Firewall, which filters access to the wider internet. “Digital activism has declined amid growing legal and technical restrictions as well as heavy prison sentences against prominent civil society figures,” the latest Freedom House report notes.

India is rated “Partly Free” with a score of 41/100 (lower is better) in Freedom House’s 2017 report on internet freedom

While it’s a long way away from China, India scores 41/100 on Internet Freedom in 2017 but is still considered only ‘partly free’ owing to blocking of internet and telecom service providers in Kashmir and detainment of citizens for expressing their views online. The India report from Freedom House highlights Aadhaar’s mandatory linking for a wide range of schemes and records concerns regarding its privacy and security implications.

In this guide, we take a look at the why, what and how of India’s surveillance apparatus, the legal provisions in the Indian constitution that enables them, ask domain experts to provide us with tips on living in an age of state surveillance. We also take a look at a variety of widely used tools and apps that help you countering state surveillance or tracking of any kind.

Know your Big Brother: India’s State Surveillance Programs

Right to privacy organisation Privacy International has a detailed dossier on the state of privacy in India, which examines India’s surveillance schemes, laws around interception and access, and central intelligence agencies that carry out surveillance. Apart from the state police and the army, surveillance is carried out at least 16 different intelligence agencies, it notes.

The Centre for Internet and Society (CIS) and Software Freedom Law Centre (SFLC) have done extensive research in the past on India’s surveillance apparatus. Earlier this year, CIS reported on the various programs and tech infrastructure behind India’s surveillance state: these include Central Monitoring System (CMS), National Intelligence Grid (NATGRID), Network Traffic Analysis System (NETRA), etc. An earlier CIS report highlights a boom in surveillance tech in India following the 26/11 terror attacks in Mumbai.

Based on an RTI (Right to Information) filing, SFLC’s 2014 report on India’s Surveillance State reveals that around 7,500 to 9,000 telephone interception orders are issued by the central government alone each month. State surveillance of citizens’ private communications is authorised by laws that let them monitor phone calls, texts, e-mails and Internet activity on a number of broadly worded grounds such as such as ‘security of the state’, ‘defence of India’, and ‘public safety’.

The Government of India is also known to said to work with private third parties, some of which go so far as to infect target devices using malicious software to extract information on the subject. A 2013 Citizen Lab report titled ‘The Commercialisation of Digital Spying’ found command and control servers (used to control the host system) for FinFisher (a remote computer monitoring software suite) in India. A Wikileaks expose in 2015 dumped over a million emails belonging to Italian surveillance malware vendor HackingTeam. The emails revealed how India’s top intelligence agencies and the government expressed interest in buying Hacking Team’s malware interception tools.

Fears of an Aadhaar Surveillance State

Thejesh G N, an infoactivist wrote in FactorDaily about Hyderabad’s surveillance hub, which wants to collect all manner of details. Aadhaar is one of the primary keys to matching profiles with external data sources, he notes.

A look at data points gathered by Hyderabad’s Integrated Information Hub

“The end product shows on a map where you live, what you consume, did you take PDS, move to some other place, your mobile number, gender… there’s a lot of data in the hands of the very lowest level of government, which doesn’t have any protection as by a parliamentary committee or anything like that. It’s run by bureaucrats, so that has huge implications,” he says. “If you see Citizen Four (a 2014 documentary about Edward Snowden), it shows a similar system, where you enter one’s SSN, and it shows everything you have done, and are planning to do. We are building the same system…Governments change, today we might have a good government, tomorrow we might have the worst possible government on the planet.”

Pranesh Prakash, Policy Director of CIS says he doesn’t regard Aadhaar as a surveillance project. “I see Aadhaar as something that can facilitate surveillance, but by and of itself, it isn’t surveillance,” he says, adding that it does so in a non-consensual manner. “By having Aadhaar numbers across multiple databases, you make surveillance easier. But you need to tie it up to a surveillance system. For instance, Aadhaar without NATGRID isn’t surveillance, but Aadhaar with NATGRID can be helpful for surveillance.” NATGRID (National Intelligence Grid) was first proposed in late 2009 following 26/11 attacks by the Union Home Minister, to enhance India’s counter-terror capabilities. It links 21 citizen databases for access to intelligence/enforcement agencies.

Ongrid’s website earlier had this visualisation depicting its verification service, which made privacy advocates cringe. Source: Twitter.

We discussed some worst-case scenarios around the commercial use of Aadhaar and India Stack companies with Thejesh. “Let’s say there’s a screening company and they have your Aadhaar ID. They will send it to Airtel, or Vodafone, and ask for a list of all the websites you have viewed. Maybe you’ve watched porn or something, at some point in your life, and that could hurt your employment,” he says.

Curbing your data exhaust

The EFF (Electronic Frontier Foundation) has published a number of useful articles and resources for countering internet surveillance. Recommendations include using end-to-end encryption through tools such as OTR (a messaging protocol available on Adium), PGP (to exchange secure emails), and Signal (messenger).

Other useful tips:

Use VPNs

VPNs (virtual private networks) use encryption protocols and secure tunneling techniques to keep your internet activity impervious to snooping. With a VPN, you can bypass ISP restrictions on blocked websites or access services (Spotify) not available in your country, making it appear that you are browsing from another part of the world. Keep in mind that you can still be outed by your VPN provider, so it’s important to choose one that respects your privacy. There are hundreds of VPN service providers to choose from, That One Privacy Guy maintains a detailed comparison chart of over a hundred VPN providers, with details on jurisdiction, price, ethics, logging policies, VPN protocols supported, and more. Out of these, the country that the VPN provider is based in is a key filter: you don’t want to choose a VPN service based out of the ‘14 eyes‘, as they are known to do mass surveillance.

Use TOR

Tor, an acronym for ‘The Onion Router’, is a free app that lets you anonymise your online communication by directing a web browser’s traffic through a volunteer-run network of thousands of servers. It is funded by the US-based National Science Foundation, Mozilla, and Open Technology Fund, among others. Tor is available for download on Windows, Mac, Linux, and Android.

Browsing on Tor can be far slower than a regular web browser, but it keeps you anonymous.

Encrypt your storage

It’s now a default feature on your phone, or computer, so there’s no reason why you shouldn’t make use of it. To check if it is turned on in Windows 10, Go to Settings > System > About, and look for a “Device encryption” setting at the bottom of the About tab. Keep in mind that you need to sign into Windows with a Microsoft account to enable this setting, so it’s likely that the NSA or FBI might be able to bypass it.

On a Mac, you turn on full-disk encryption through FileVault, accessible in > System Preferences > Security & Privacy.

On an iPhone, data protection is enabled once you set up a passcode on your device.

Android 5.0 and above devices support full-disk encryption. If it isn’t turned on by default on your device, you can turn on encryption under the Security menu.

Sensitive documents can also be encrypted using TrueCrypt. Though you must keep in mind that key disclosure laws apply in India, under the Section 69 of the Information Technology Act, which states that there’s a seven-year prison sentence for failing to assist the central and state governments in decrypting information on a computer resource.

Use an air-gapped PC

An air-gapped PC is one that is not connected to the internet or to any computers that are connected to the internet. Air-gapped PCs are typically used when handling critical infrastructure, and this is an extreme measure one can take when working with sensitive data that you don’t want to be leaked.

Use HTTPS everywhere

HTTPS Everywhere offers plugins for Firefox, Chrome, and Opera, and turns every link you open or key in, to a secure version of the HTTP protocol, which is encrypted by Transport Layer Security (TLS). The tool protects you from eavesdropping or tampering with the site you are visiting, but only works on sites that support HTTPS. Keep in mind that this tool won’t conceal the sites you have accessed from eavesdroppers but it won’t reveal the specific URL that you visited.

Turn on Advanced Protection in Gmail

If you trust Gmail with your data, take the relationship to the next level with Advanced Protection, which safeguards your account against phishing attacks, limits access to trusted apps, and adds extra verification features to block fraudulent account access. You will need a Bluetooth key and a USB key to turn this feature on.

Some other don’ts

Don’t leave any cameras open. Tape them up if you are a potential surveillance target.
Don’t use freemium apps, which trade in your privacy. A recent example of a worst-case scenario.
Don’t send any data via free email services that you would like to keep private.
Don’t use Google or Facebook, as Snowden says, if you value your privacy. Don’t take our word for it.

As for Aadhaar, Thejesh says that there isn’t much one can do as it is forcibly linked to many essential services. He recommends using different email ids for official work and unofficial work. “Use one email ID for Aadhaar and mobile related accounts, and use the other one for regular communication. It separates the accounts from surveillance and adds a layer of security,” he says. “Don’t use Aadhaar until is necessary. If you use Aadhaar and you are not in a mood to resist everything, then don’t use it where it is not required. Don’t use it like a regular address proof,” he adds.

If you are already an Aadhaar holder, it makes sense to use the biometric locking system provided by UIDAI on its website to protect against identity theft and unauthorised access. The biometric locking feature sends an OTP code to your registered mobile number to unlock or disable the locking system.

If someone is concerned about surveillance, CIS’s Prakash recommends not having a cell phone. “The cellphone is the single largest means of data gathering about you,” he says.

Surveillance can take many forms: it can be physical or off-the-air surveillance (an interception technique used to snoop on phone calls), he points out.

A CCTV camera fitted on top of a Hyderabad Police vehicle

Surveillance is not always bad: medical surveillance, for instance, an entire field around the spread of diseases, is necessary, Prakash clarifies. “Even state surveillance for national security purposes is absolutely necessary. A nation-state can’t survive without surveillance so I am quite clear that those who oppose all forms of surveillance are opposing all kinds of rights – because you can’t have rights without security. And indeed, individual security is a human right guaranteed under the Universal Declaration of Human Rights and guaranteed in Article 21 of the Indian Constitution. Without security of the person, you can’t have the right to freedom of speech, you can’t enjoy the right to privacy… If you’re in a state of war or in a state of terror, then you can’t enjoy rights – so clearly for me, surveillance is necessary,” he says.

That said, surveillance in India is highly problematic as the laws and the democratic framework for surveillance is very weak, and enforcement of that framework is even worse, Prakash adds. “One of the best ways of countering surveillance, I would suggest, is to actually demand a democratic framework for surveillance in India. Demand that your MLA and MP take up this issue at the state and central level… and that we have a democratic framework for both our intelligence agencies and for all the surveillance that is conducted by the state in India,” he says.

He calls everything else – “the technological stuff, using anonymising networks, end-to-end encryption” – a second order issue. “It can help you as an individual, but it doesn’t help us as a society.”

For more details visit https://cis-india.org/internet-governance/news/factor-daily-sriram-sharma-december-12-2017-paranoid-about-state-surveillance-here-s-the-fd-guide-to-living-in-the-age-of-snoops

Paper-thin Safeguards and Mass Surveillance in India

chinmayi — 2015-06-20T10:17:57Z

The Indian government's new mass surveillance systems present new threats to the right to privacy. Mass interception of communication, keyword searches and easy access to particular users' data suggest that state is moving towards unfettered large-scale monitoring of communication. This is particularly ominous given that our privacy safeguards remain inadequate even for targeted surveillance and its more familiar pitfalls.

This need for better safeguards was made apparent when the Gujarat government illegally placed a young woman under surveillance for obviously illegitimate purposes, demonstrating that the current system is prone to egregious misuse. While the lack of proper safeguards is problematic even in the context of targeted surveillance, it threatens the health of our democracy in the context of mass surveillance. The proliferation of mass surveillance means that vast amounts of data are collected easily using information technology, and lie relatively unprotected.

This paper examines the right to privacy and surveillance in India, in an effort to highlight more clearly the problems that are likely to emerge with mass surveillance of communication by the Indian Government. It does this by teasing out Indian privacy rights jurisprudence and the concerns underpinning it, by considering its utility in the context of mass surveillance and then explaining the kind of harm that might result if mass surveillance continues unchecked.

The first part of this paper threads together the evolution of Indian constitutional principles on privacy in the context of communication surveillance as well as search and seizure. It covers discussions of privacy in the context of our fundamental rights by the draftspersons of our constitution, and then moves on to the ways in which the Supreme Court of India has been reading the right to privacy into the constitution.

The second part of this paper discusses the difference between mass surveillance and targeted surveillance, and international human rights principles that attempt to mitigate the ill effects of mass surveillance.

The concluding part of the paper discusses mass surveillance in India, and makes a case for expanding our existing privacy safeguards to protect the right to privacy in a meaningful manner in face of state surveillance.

Download the paper here.

For more details visit https://cis-india.org/internet-governance/blog/paper-thin-safeguards-and-mass-surveillance-in-india

Panelist at launch of Google-UNESCAP AI Report

Admin — 2019-11-02T06:48:25Z

Arindrajit Basu was a speaker at the panel launching the Google-UNESCAP AI Report at the GovInsider Forum held at the United Nations Convention Centre in Bangkok on October 16, 2019.

Click to view the agenda.

For more details visit https://cis-india.org/internet-governance/news/panelist-at-launch-of-google-unescap-ai-report

Panel suggests law to protect individual privacy

praskrishna — 2012-10-22T14:37:28Z

A government-appointed expert panel Thursday called for a law to protect individual privacy against misuse of information collected by various agencies, public and private, and through various methods like telephone tapping.

Published in Newstrack India on October 18, 2012.

Concerns have been voiced by various quarters in the country on the possible invasion of citizen's privacy guaranteed under Article 21 of the Constitution through national programmes like Unique Identification number, reproductive rights of women, DNA profiling and brain mapping which will be implemented through the information, communication and technology (ICT) platforms.

Minister of State for Planning Ashwani Kumar last year had constituted the experts group to identify the privacy issues and prepare a report to facilitate authoring of the privacy bill.

The group, headed by former Delhi High Court Chief Justice A.P. Shah, recommended setting up of a regulatory framework comprising Privacy Commissioners at the centre and regional levels to deal with privacy issues and mandatory destruction of telephone conversation after a specified period.

As regards the specific issue of phone tapping, it said "interception orders must be specific and all interceptions would only be in force for a period of 60 days and renewed for a period up to 180 days".

It suggested that the records of the conservation should be destroyed by security agencies and telephone service providers within stipulated time frame.

"Records of interception must be destroyed by security agencies after six months or nine months and service providers must destroy after two or six months," it said.

Acccording to an official release, the following are some of the major recommendations made in the panel's report:

The regulatory framework will consist of Privacy Commissioners at the Central and Regional levels.

A system of co-regulation that will give self-regulating organizations at industry level choice to develop privacy standards which should be approved by a Privacy Commissioner.

Individuals would be given the choice (opt-in/opt-out) with regard to providing their personal information and the data controller would take individual consent only after providing inputs of its information practices.

The data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection as well as process the data relevant to the purpose for which they are collected.

The data collected would be put to use for the purpose for which it has been collected. Any change in the usage would be done with the consent of the person concerned.

Data collected and processed would be relevant for the purpose and no additional data elements would be collected from the individual.

Interception orders must be specific and all interceptions would only be in force for a period of 60 days and renewed for a period up to 180 days. Records of interception must be destroyed by security agencies after 6 months or 9 months and service providers must destroy after 2 months or 6 months.

Infringement of any provision under the Act would constitute an offence by which individuals may seek compensation for an organization/bodies held accountable to.

Note: CIS was part of the expert committee even though not explicitly mentioned.

For more details visit https://cis-india.org/news/newstrackindia-october-18-2012-suggests-law-to-protect-individual-privacy