Centre for Internet and Society

Anonymity in Cyberspace

sunil — 2015-09-09T01:31:03Z

While security threats require one to be identified in the Cyberspace, on the other hand, the need for privacy and freedom of speech without being targeted, calls for providing means for anonymous browsing and ability to express without being identified. Where do we draw the line , and how do we balance it? The group will dwell on need for anonymity in various sectors such as government, commercial, employers etc. Apart from security & privacy, the presentation will also cover social and technological perspectives.

For more details visit https://cis-india.org/internet-governance/blog/anonymity-in-cyberspace

Bangalore Chapter Meet of DSCI

sunil — 2015-09-09T01:40:56Z

The Centre for Internet & Society (CIS) will host the Bangalore Chapter Meeting of Data Security Council of India (DSCI) on September 26, 2015 at its Bangalore office in Domlur. The event will be held from 2.30 p.m. to 5.30 p.m.

After the Nasscom cyber security task force meeting held at Wipro in June, followed by DSCI Best Practices meet in July, we now have the next chapter meeting at CIS.

Speakers

The first speaker will be Melissa Hathaway, Commissioner, Global Commission for Internet Governance. She is an internationally distinguished cyber security expert and has worked as cyber security adviser in two US Presidential Administrations, and is the former acting Senior Director for cyberspace at the National Security Council in the US. The topic she will be speaking on is "Connected Choices".

The second speaker will be Sunil Abraham, Executive Director, CIS (Center for internet & Society). Sunil is a renowned thought leader when it comes to internet governance, cyber space & its interface with civil society and actively contributes to DSCI and other forums. He will be presenting on "Anonymity in Cyberspace" - the SIG that he led over last 8 months along with a diverse group of members from the industry in Bangalore.

Agenda

Time	Topic
2.30 p.m. - 2.45 p.m.	Recent Developments and Updates from DSCI
2.45 p.m. - 4.00 p.m.	Srinivas P. (Anchor): DSCI Bangalore Chapter
4.00 p.m. - 5.00 p.m.	Melissa Hathaway: Connected Choices
5.00 p.m. - 5.30 p.m.	Sunil Abraham: Anonymity in Cyberspace

This will be followed by High Tea & Networking.

For participation, please send your email confirmation to Rajesh of Infosys at Rajesh_K18@infosys.com

Since seats are limited, the participation will be restricted to first 50 confirmations. We had to organize it on a Saturday, due to Melissa’s availability – I’m sure many of you who know about her as expert security speaker, will not see weekend as a constraint to attend. Look forward to meeting you at CIS.

For more details visit https://cis-india.org/internet-governance/events/bangalore-chapter-meet-of-dsci-september-26-2015

India’s digital check

sunil — 2015-09-15T14:55:47Z

All nine pillars of Digital India directly correlate with policy research conducted at the Centre for Internet and Society, where I have worked for the last seven years. This allows our research outputs to speak directly to the priorities of the government when it comes to digital transformation.

The article was originally published by DNA on July 8, 2015.

Broadband Highways and Universal Access to Mobile Connectivity: The first two pillars have been combined in this paragraph because they both require spectrum policy and governance fixes. Shyam Ponappa, a distinguished fellow at our Centre calls for the leveraging of shared spectrum and also shared backhaul infrastructure. Plurality in spectrum management, for eg, unlicensed spectrum should be promoted for accelerating backhaul or last mile connectivity, and also for community or local government broadband efforts. Other ideas that have been considered by Ponappa include getting state owned telcos to exit completely from the last mile and only focus on running an open access backhaul through Bharat Broadband Limited. Network neutrality regulations are also required to mitigate free speech, diversity and competition harms as ISPs and TSPs innovate with business models such as zero-rating.

Public Internet Access Programme: Continuing investments into Common Service Centres (CSCs) for almost a decade may be questionable and therefore a citizen’s audit should be undertaken to determine how the programme may be redesigned. The reinventing of post offices is very welcome, however public libraries are also in need urgent reinventing. CSCs, post offices and public libraries should all leverage long range WiFi for Internet and intranet, empowering BYOD [Bring Your Own Device] users. Applications will take time to develop and therefore immediate emphasis should be on locally caching Indic language content. State Public Library Acts need to be amended to allow for borrowing of digital content. Flat-fee licensing regimes must be explored to increase access to knowledge and culture. Commons-based peer production efforts like Wikipedia and Wikisource need to be encouraged.

e-Governance: Reforming Government through Technology: DeitY, under the leadership of free software advocate Secretary RS Sharma, has accelerated adoption and implementation of policies supporting non-proprietary approaches to intellectual property in e-governance. Policies exist and are being implemented for free and open source software, open standards and electronic accessibility for the disabled. The proprietary software lobby headed by Microsoft and industry associations like NASSCOM have tried to undermine these policies but have failed so far.

The government should continue to resist such pressures. Universal adoption of electronic signatures within government so that there is a proper audit trail for all communications and transactions should be made an immediate priority. Adherence to globally accepted data protection principles such as minimisation via “form simplification and field reduction” for Digital India should be applauded. But on the other hand the mandatory requirement of Aadhaar for DigiLocker and eSign amounts to contempt of the Supreme Court order in this regard.

e-Kranti — Electronic Delivery of Services: The 41 mission mode projects listed are within the top-down planning paradigm with a high risk of failure — the funds reserved for these projects should instead be converted into incentives for those public, private and public private partnerships that accelerate adoption of e-governance. The dependency on the National Informatics Centre (NIC) for implementation of e-governance needs to be reduced, SMEs need to be able to participate in the development of e-governance applications. The funds allocated for this area to DeitY have also produced a draft bill for Electronic Services Delivery. This bill was supposed to give RTI-like teeth to e-governance service by requiring each government department and ministry to publish service level agreements [SLAs] for each of their services and prescribing punitive action for responsible institutions and individuals when there was no compliance with the SLAs.

Information for All: The open data community and the Right to Information movement in India are not happy with the rate of implementation of National Data Sharing and Accessibility Policy (NDSAP). Many of the datasets on the Open Data Portal are of low value to citizens and cannot be leveraged commercially by enterprise. Publication of high-value datasets needs to be expedited by amending the proactive disclosure section of the Right to Information Act 2005.

Electronics Manufacturing: Mobile patent wars have begun in India with seven big ticket cases filed at the Delhi High Court. Our Centre has written an open letter to the previous minister for HRD and the current PM requesting them to establish a device level patent pool with a compulsory license of 5%. Thereby replicating India’s success at becoming the pharmacy of the developing world and becoming the lead provider of generic medicines through enabling patent policy established in the 1970s. In a forthcoming paper with Prof Jorge Contreras, my colleague Rohini Lakshané will map around fifty thousand patents associated with mobile technologies. We estimate around a billion USD being collected in royalties for the rights-holders whilst eliminating legal uncertainties for manufacturers of mobile technologies.

IT for Jobs: Centralised, top-down, government run human resource development programmes are not useful. Instead the government needs to focus on curriculum reform and restructuring of the education system. Mandatory introduction of free and open source software will give Indian students the opportunity to learn by reading world-class software. They will then grow up to become computer scientists rather than computer operators. All projects at academic institutions should be contributions to existing free software projects — these projects could be global or national, for eg, a local government’s e-governance application. The budget allocated for this pillar should instead be used to incentivise research by giving micro-grants and prizes to those students who make key software contributions or publish in peer-reviewed academic journals or participate in competitions. This would be a more systemic approach to dealing with the skills and knowledge deficit amongst Indian software professionals.

Early Harvest Programmes: Many of the ideas here are very important. For example, secure email for government officials — if this was developed and deployed in a decentralised manner it would prevent future surveillance of the Indian government by the NSA. But a few of the other low-hanging fruit identified here don’t really contribute to governance. For example, biometric attendance for bureaucrats is just glorified bean-counting — it does not really contribute to more accountability, transparency or better governance.

The author works for the Centre for Internet and Society which receives funds from Wikimedia Foundation that has zero-rating alliances with telecom operators in many countries across the world

For more details visit https://cis-india.org/internet-governance/blog/dna-sunil-abraham-july-8-2015-india-digital-check

How Aadhaar compromises privacy? And how to fix it?

sunil — 2017-04-01T07:00:06Z

Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens.

The op-ed was published in the Hindu on March 31, 2017.

When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.

Shift from biometrics to smart cards: In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.

Destroy the authentication transaction database: The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.

Prohibit the use of Aadhaar number in other databases: We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.

To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.

For more details visit https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it

Lining up the data on the Srikrishna Privacy Draft Bill

sunil — 2018-07-31T02:52:23Z

In the run-up to the Justice BN Srikrishna committee report, some stakeholders have advocated that consent be eliminated and replaced with stronger accountability obligations. This was rejected and the committee has released a draft bill that has consent as the bedrock just like the GDPR. And like the GDPR there exists legal basis for nonconsensual processing of data for the “functions of the state”. What does this mean for lawabiding persons?

The article was published in Economic Times on July 30, 2018

Non-consensual processing is permitted in the bill as long it is “necessary for any function of the” Parliament or any state legislature. These functions need not be authorised by law.

Or alternatively “necessary for any function of the state authorised by law” for the provision of a service or benefit, issuance of any certification, licence or permit.
Fortunately, however, the state remains bound by the eight obligations in chapter two i.e., fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice and data quality and data storage limitations and accountability. This ground in the GDPR has two sub-clauses: one, the task passes the public interest test and two, the loophole like the Indian bill that possibly includes all interactions the state has with all persons.

The “necessary” test appears both on the grounds for non-consensual processing, and in the “collection limitation” obligation in chapter two of the bill. For sensitive personal data, the test is raised to “strictly necessary”. But the difference is not clarified and the word “necessary” is used in multiple senses.

Under the “collection limitation” obligation the bill says “necessary for the purposes of processing” which indicates a connection to the “purpose limitation” obligation. The “purpose limitation” obligation, however, only requires the state to have a purpose that is “clear, specific and lawful” and processing limited to the “specific purpose” and “any other incidental purpose that the data principal would reasonably expect the personal data to be used for”. It is perhaps important at this point to note that the phrase “data minimisation” does not appear anywhere in the bill.

Therefore “necessary” could broadly understood to mean data Parliament or the state legislature requires to perform some function unauthorised by law, and data the citizen might reasonably expect a state authority to consider incidental to the provision of a service or benefit, issuance of a certificate, licence or permit.

Or alternatively more conservatively understood to mean data without which it would be impossible for Parliament and state legislature to carry out functions mandated by the law, and data without it would be impossible for the state to provide the specific service or benefit or issue certificates, licences and permits. It is completely unclear like with the GDPR why an additional test of “strictly necessary” is — if you will forgive the redundancy — necessary.

After 10 years of Aadhaar, the average citizen “reasonably expects” the state to ask for biometric data to provide subsidised grain. But it is not impossible to provide subsidised grain in a corruption-free manner without using surveillance technology that can be used to remotely, covertly and non-consensually identify persons. Smart cards, for example, implement privacy by design. Therefore a “reasonable expectation” test is not inappropriate since this is not a question about changing social mores.

When it comes to persons that are not law abiding the bill has two exceptions — “security of the state” and “prevention, detection, investigation and prosecution of contraventions of law”. Here the “necessary” test is combined with the “proportionate” test.

The proportionate test further constrains processing. For example, GPS data may be necessary for detecting someone has jumped a traffic signal but it might not be a proportionate response for a minor violation. Along with the requirement for “procedure established by law”, this is indeed a well carved out exception if the “necessary” test is interpreted conservatively. The only points of concern here is that the infringement of a fundamental right for minor offences and also the “prevention” of offences which implies processing of personal data of innocent persons.

Ideally consent should be introduced for law-abiding citizens even if it is merely tokenism because you cannot revoke consent if you have not granted it in the first place. Or alternatively, a less protective option would be to admit that all egovernance in India will be based on surveillance, therefore “necessary” should be conservatively defined and the “proportionate” test should be introduced as an additional safeguard.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-july-30-2018-sunil-abraham-lining-up-data-on-srikrishna-privacy-draft-bill

Spreading unhappiness equally around

sunil — 2018-07-31T14:49:52Z

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.

The article was published in Business Standard on July 31, 2018.

There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.

Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reigned in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.

Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discreet property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with
the henhouse.

Employees should be unhappy because the Bill has an expansive ground under which employers can nonconsensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced otherwise disproportionate mechanisms like spyware on work computers will be installed by employees without providing notice.

Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited "right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently social power asymmetries.

Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.

Lastly but also most importantly, human rights activists are unhappy because the committee again like the GDPR did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around

The generation of e-Emergency

sunil — 2015-06-29T16:40:54Z

The next generation of censorship technology is expected to be ‘real-time content manipulation’ through ISPs and Internet companies.

The article was published in Livemint on June 22, 2015.

Censorship during the Emergency in the 1970s was done by clamping down on the media by intimidating editors and journalists, and installing a human censor at every news agency with a red pencil. In the age of both multicast and broadcast media, thought and speech control is more expensive and complicated but still possible to do. What governments across the world have realized is that traditional web censorship methods such as filtering and blocking are not effective because of circumvention technologies and the Streisand effect (a phenomenon in which an attempt to hide or censor information proves to be counter-productive). New methods to manipulate the networked public sphere have evolved accordingly. India, despite claims to the contrary, still does not have the budget and technological wherewithal to successfully pull off some of the censorship and surveillance techniques described below, but thanks to Moore’s law and to the global lack of export controls on such technologies, this might change in the future.

First, mass technological-enabled surveillance resulting in self-censorship and self-policing. The coordinated monitoring of Occupy protests in the US by the Department of Homeland Security, the Federal Bureau of Investigation (FBI) counter-terrorism units, police departments and the private sector showcased the bleeding edge of surveillance technologies. Stingrays or IMSI catchers are fake mobile towers that were used to monitor calls, Internet traffic and SMSes. Footage from helicopters, drones, high-res on-ground cameras and the existing CCTV network was matched with images available on social media using facial recognition technology. This intelligence was combined with data from the global-scale Internet surveillance that we know about thanks to the National Security Agency (NSA) whistle-blower Edward Snowden, and what is dubbed “open source intelligence” gleaned by monitoring public social media activity; and then used by police during visits to intimidate activists and scare them off the protests.

Second, mass technological gaming—again, according to documents released by Snowden, the British spy agency, GCHQ (Government Communications Headquarters), has developed tools to seed false information online, cast fake votes in web polls, inflate visitor counts on sites, automatically discover content on video-hosting platform and send takedown notices, permanently disable accounts on computers, find private photographs on Facebook, monitor Skype activity in real time and harvest Skype contacts, prevent access to certain websites by using peer-to-peer based distributed denial of service attacks, spoof any email address and amplify propaganda on social media. According to The Intercept, a secret unit of GCHQ called the Joint Threat Research Intelligence Group (JTRIG) combined technology with psychology and other social sciences to “not only understand, but shape and control how online activism and discourse unfolds”. The JTRIG used fake victim blog posts, false flag operations and honey traps to discredit and manipulate activists.

Third, mass human manipulation. The exact size of the Kremlin troll army is unknown. But in an interview with Radio Liberty, St. Petersburg blogger Marat Burkhard (who spent two months working for Internet Research Agency) said, “there are about 40 rooms with about 20 people sitting in each, and each person has their assignments.” The room he worked in had each employee produce 135 comments on social media in every 12-hour shift for a monthly remuneration of 45,000 rubles. According to Burkhard, in order to bring a “feeling of authenticity”, his department was divided into teams of three—one of them would be a villain troll who would represent the voice of dissent, the other two would be the picture troll and the link troll. The picture troll would use images to counter the villain troll’s point of view by appealing to emotion while the link troll would use arguments and references to appeal to reason. In a day, the “troika” would cover 35 forums.

The next generation of censorship technology is expected to be “real-time content manipulation” through ISPs and Internet companies. We have already seen word filters where blacklisted words or phrases are automatically expunged. Last week, Bengaluru-based activist Thejesh GN detected that Airtel was injecting javascript into every web page that you download using a 3G connection. Airtel claims that it is injecting code developed by the Israeli firm Flash Networks to monitor data usage but the very same method can be used to make subtle personalized changes to web content. In China, according to a paper by Tao Zhu et al titled The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions, “Weibo also sometimes makes it appear to a user that their post was successfully posted, but other users are not able to see the post. The poster receives no warning message in this case.”

More than two decades ago, John Gilmore, of Electronic Frontier Foundation, famously said, “the Net interprets censorship as damage and routes around it.” That was when the topology of the Internet was highly decentralized and there were hundreds of ISPs that competed with each other to provide access. Given the information diet of the average netizen today, the Internet is, for all practical purposes, highly centralized and therefore governments find it easier and easier to control.

For more details visit https://cis-india.org/internet-governance/blog/livemint-june-22-2015-sunil-abraham-the-generation-of-e-emergency

Sense and Censorship

sunil — 2012-01-31T06:15:38Z

The Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) bills, at the US House of Representatives and Senate, respectively, appear to enforce property rights, but are, in fact, trade bills. This article by Sunil Abraham was published in the Indian Express on 20 January 2012.

In developed countries like the US, intellectual property (IP) plays a dominant role in the economy, unlike in economies like India. Countries that have significant IP are keen to increase global and national enforcement activities, while countries with little domestic IP are keen to reduce outgoing royalties in the balance of payments and therefore, keen to expand alternatives, limitations and exceptions like copyleft licensing, compulsory/statutory licensing and fair dealing.

The loss of generic medicines, hardware based on open standards, public domain content, free and open source software, open access journal articles, etc will equally impoverish consumers in the US and in India. SOPA and PIPA, therefore, do not represent the will of the average American but rather the interests of the IP sector, which has tremendous influence in the Hill. There is one more layer of complication for policy-makers to consider as they work towards a compromise of interests in Internet governance — the tension between the old and the new. The incumbents — corporations with business models that have been rendered obsolete by technological developments — versus emerging actors who provide competing products and services, often with greater technological sophistication, higher quality, at a lower cost.

The US, in terms of policy and infrastructure, still controls the global Domain Name System (DNS) and consequently, post-SOPA/PIPA, can take unilateral trade action without worrying about national variations enabled by international law. These bills directly undermine the business models of many Indian companies — generic drug manufacturers like Ranbaxy, software service providers like Infosys, electronics manufacturers like Spice and players in many other sectors dominated by IP rights. So it is baffling that they have not added their voices to the global outcry.

SOPA and PIPA, if passed, will enable the US administration to take three-pronged action against IP infringers — seizure of domain names and DNS filtering, blocking of transactions by financial intermediaries and revocation of hosting by ISPs. While circumvention may still be possible, it will get increasingly laborious — something like the Great Firewall of China, but worse. Unfortunately, the implementation of these blunt policy instruments will require more and more public-funded surveillance and censorship.

The censorship potential of efforts like SOPA and PIPA may appeal to others, as autocratic and democratic regimes across the world have been keen to try technology-mediated social engineering — these efforts have been multiplied in the post-Arab Spring and Occupy Wall Street world. Organised religion, social conservatives and those who have been at the receiving end of free speech would all want to shut down platforms like WikiLeaks and political movements like Anonymous and the Pirate Party.

These are equally dismal times for Internet governance in India. Google, Facebook and 20-odd other intermediaries are trying to avoid jail time at the hands of a Delhi court. However, ever since the IT Act amendments were put in place three years back, digital activists have been requesting intermediaries to register their protests early and often, regarding draconian provisions in the statute and in the associated rules. Their silence is going to be very expensive for all of us. We cannot depend on the private sector alone to defend our constitutional rights. As yet unpublished research from CIS demonstrates that private intermediaries only bother with defending freedom of expression when it undermines their business interests. Working with an independent researcher, we conducted a policy sting operation — faulty take-down notices were served to seven intermediaries asking for legitimate content to be taken down. In six of those cases, the intermediaries over-complied, in one case deleting all comments on a news article instead of just those comments identified in the notice. The only take-down that was resisted was one claiming that sale of diapers was “harmful to minors” under the Indian IT Act (because they caused nappy rash). It is clear that the IT Act and its associated rules have already had a chilling effect on online participation by Indians.

Fortunately for us, during the previous parliamentary session — Jayant Chaudhary, Lok Sabha MP from the Rashtriya Lok Dal, asked for the revision of rules concerning intermediaries, cyber-cafes and reasonable security practices. The next Parliament session is the last opportunity for the House to reject these rules and intervene for a free Internet.

The writer is executive director of the Bangalore-based Centre for Internet and Society

Read the original published in the Indian Express

For more details visit https://cis-india.org/internet-governance/sense-and-censorship

US Clampdown Worse than the Great Firewall

sunil — 2012-01-26T20:42:14Z

If you thought China’s Internet censorship was evil, think again. American moves to clean up the Web could hurt global surfers, writes Sunil Abraham in this article published in Tehelka, Volume 8, Issue 50, 17 December 2011.

TWO PARTICULARLY terrible pieces of legislation — the PROTECT-IP Act and the Stop Online Piracy Act (SOPA) — have been introduced in the US Senate and House of Representatives. If passed, the US administration will be empowered to shut down specific websites using the same four measures it employed in its failed attempt to shut down WikiLeaks — domain name system (DNS) filtering, blocking financial transfers via financial intermediaries, revoking hosting and sanitising search engine results. SOPA represents the perfect policy interest overlap between a State clamping down on freedom of expression and IPR-holders protecting their obsolete business models. After all it was Bono who publicly articulated the unspoken desire of many right-holders: “We know from China’s ignoble effort to suppress online dissent that it’s perfectly possible to track content.”

China fortunately only censors the Internet for its own citizens, the Great Firewall does not, for example, prevent access to knowledge by Indian netizens. SOPA will enable the US to censor the global Internet unilaterally. The Great Firewall can be circumvented using tools like Tor, but SOPA will in many ways make its targets disappear for the average user. DNS filtering, even when implemented in a single country, has global consequences. DNS, one of the foundational mechanisms of the Internet, is an address look-up service that allows users to translate domain names (e.g. cisindia.org — easier for humans to remember) into IP addresses (e.g. 202.190.125.69 — easier for machines). The most critical servers in the global DNS hierarchy are the root servers, or today’s server clusters. Mandated DNS filtering would result in some DNS servers returning different IP addresses than other DNS servers for certain domain names. With PROTECT-IP and SOPA, these global consequences would be at unprecedented levels given that seven of the 13 server clusters that constitute the DNS root fall within US jurisdiction. We already have some indication where this is headed. The US Immigration and Customs Enforcement Agency announced recently that it has seized 150 domain names for alleged IPR infringement.

We must remember that IPR policy in some countries has been configured in public interest to take advantage of the exceptions and limitations afforded by the TRIPS (trade-related aspects of IPR) agreement. In others, even though the letter of the law goes beyond TRIPS requirements, access by ordinary citizens is protected because of poor enforcement of these maximalist policies. E-commerce platforms that sell Micromax, Karbonn, Spice and Lava mobile phones that are manufactured in China may be taken offline because an American court is convinced of patent infringement. An online publisher of George Orwell’s books, which are public domain in Russia, India and South Africa but still under copyright in the US and Europe, may have its Paypal account blocked.

After the witch-hunt against WikiLeaks, policymakers have realised the extent of American hypocrisy

In the recent past, activists in authoritarian regimes and democracies with draconian Internet laws have leveraged US Internet freedom rhetoric. This was first deployed by Hillary Clinton in early 2010 after Google’s melodramatic withdrawal from China. Even then, many observers were convinced that this was just selective tokenism and the real agenda was domination of global markets by US-based MNCs. Today, after the witch-hunts against WikiLeaks and Anonymous, global policymakers have realised the extent of American hypocrisy.

Fortunately, opposition for SOPA has cut across traditional political and ideological divides — libertarians, liberal human rights organisations and political conservatives who believe in small government and also modern- day capitalists like Google, Facebook and Twitter. Let us pray that Kapil Sibal registers his protest with the Obama administration to protect the online aspirations of millions of Indian citizens and entrepreneurs.

Read the original published in Tehelka here

For more details visit https://cis-india.org/internet-governance/us-clampdown

Availability and Accessibility of Government Information in Public Domain

sunil — 2014-12-30T01:25:12Z

The information provided on most Government websites such as Acts, notifications, rules, orders, minutes of meetings and consultations, etc. is usually in the form of electronic documents. However, these lack authenticity and accessibility and cannot be (text) searched., This policy brief identifies the problem areas with the current work flow being used to publish documents and proposes suitable modifications to make them easy to locate, authentic and accessible.

Prepared by Sunil Abraham, Nirmita Narasimhan, Beliappa, and Anandhi Viswanathan and with inputs from Dipendra Manocha, Saksham, and Deepak Maheshwari, Symantec. Download the text as PDF here. (96 Kb)

Problem Statement: The information published on most government websites exist in the form of document files [including but not limited to the Acts, Rules and Regulations, Government Orders and Notifications, Consultation Papers, Reports etc.] which, even when published, more often than not lack authenticity and accessibility and cannot be (text) searched.

Analysis: The current workflow towards publishing documents on government websites is broadly as follows:

The document is born digital – that means it is created on a computer.
The document is printed.
The document is stamped with the official seal and signed in ink by the authorized person(s).
The paper document is scanned.
The scanned image is converted into a PDF file.
The document is uploaded on the website and thereby published in the public domain.

In fact, at times, even gazette notifications and other printed documents are also scanned as images.

This approach has numerous problems, including the following:

First and foremost, such a practice is against the letter and spirit of Section 4 (1) (a) of the Right to Information Act, 2005.[1] that inter alia, mandates every public authority to “maintain all its records duly catalogued and indexed in a manner and form which facilitates the right to information under this Act and ensure that all records that are appropriate to be computerised are, within a reasonable time and subject to availability of resources, computerised and connected through a network all over the country on different systems so that access to such records is facilitated”.
This does not realize the enabling provision of the Information Technology Act, 2000[2] which gives legal sanctity to digital signatures. The digital image of a physical signature is not a digital signature in the eye of the law, though at times it is mistakenly believed to be so.
This does not address the problem of repudiation. That means a government official can say “I didn't sign that document” and there is no way to tell whether what he or she is saying is true. One of the key features of digital signatures is non-repudiability.
Scanned images of printed text cannot be searched for specific text (character, word or phrase) even by people without disabilities but for people with disabilities, the documents become totally inaccessible since the accessibility software cannot parse such scanned images – against the underlying tenets and objectives of the National Universal Electronic Accessibility Policy 2013.[3]
As an extension, content of such documents cannot be indexed by search engines (such as Google, Bing and Raftaar, etc.) and hence, unlikely to be located even if technically the same are in the public domain.

Proposed Solution: The following work flow is proposed for publishing documents electronically on government websites:

The document is born digital by preparing it in or through a computer system. Documents in Indian languages should be produced using Unicode based fonts.
The government official authorized to sign the same, must sign it digitally.
The document is uploaded in an open standard based format such as EPUB using a content management system and made available on the website such that it is available, accessible, indexable and searchable.

This will ensure democratization of information in its truest sense – making available information to the public at large and ensuring that it can be easily located and remains accessible to one and all.

The process of formatting should be standardized in such a way that semantics (such as heading styles, lists and tables) can be added to the text of the document. The Web Style Guide provides information on good practices for creating well-structured documents:

Standardizing the formatting process by creating different templates for different types of documents will ensure uniform accessibility of the documents as well as provide a standard look and feel across government documents.

India became a global pioneer by making the legal provision for computerised, indexed and duly catalogued public records. It is high time that India takes the lead by living up to the legislative intent under the Right to Information Act, Information Technology Act and the National University of Educational Planning and Administration, and thereby establishes a global best practice.

Admittedly, legacy documents should also be converted electronically to accessible formats though before such a rendering, due editorial oversight may be necessary along with use of technologies such as Optical Character Recognition (OCR).

[1]. Government of India. The Right to Information Act, 2005. No. 22 of 2005. Retrieved on November 30, 2014 from http://rti.gov.in/webactrti.htm.

[2]. Government of India. The Information Technology Act, 2000. No. 21 of 2000. Retrieved on November 30, 2014 from http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/itbill2000.pdf

[3]. Government of India. National Policy on Universal Electronic Accessibility. 2013. Retrieved on November 30, 2014 from http://deity.gov.in/sites/upload_files/dit/files/National Policy on Universal Electronics(1).pdf

For more details visit https://cis-india.org/accessibility/blog/availability-and-accessibility-of-government-information-in-public-domain