Centre for Internet and Society

Security: Privacy, Transparency and Technology

sunil — 2015-09-15T10:53:52Z

The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2.

Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.

Security and Privacy

Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." [1] Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." [2] Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology [3] should be seen as an increasingly key ingredient to the solution of that optimisation problem.

Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:

Data Retention: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.
Privacy-Protective Surveillance: Ann Cavoukian and Khaled El Emam [4] have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.
Fishing Expedition Design: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard [5] that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacypolicies/regulation. Authorised agencies would then hone in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.

An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.

If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.

Security and Transparency

There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.

Optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

The recent detection of the Heartbleed [6] security bug in Open SSL, [7] causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. [8]

At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.

In order words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.

Security and Technology

A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.

This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.

More Technology

Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.

Latest Technology

Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations makes it clear that some older technologies are harder to compromise in comparison to modern technology. [9] Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.

Complex Technology

Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." [10] This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly when it comes to authentication, a pin number is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.

In the following section of the paper we have identified five threat scenarios [11] relevant to India and identified solutions based on our theoretical framing above.

Threat Scenarios and Possible Solutions

Hacking the NIC Certifying Authority
One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). [12] In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. [13] Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. India’s Controller of Certifying Authority’s certificates issued are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. [14] In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. [15] Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." [16] The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties by the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. [17] The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date [18] and is no longer issuing digital certificates for the time being. [19]Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks due to fake digital certificates. [20] Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. [21]

‘Logic Bomb’ against Airports
Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. [22] In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. [23] Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.

Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and investigate into probable vulnerabilities.

Attack on Critical Infrastructure
The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. [24] The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. [25]

The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered [26] and connected to one or more Siemens programmable logic controllers. [27] The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. [28] The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.

Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.

Micro Level: Chip Attacks
Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. [29]

Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities [30] and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. [31]

Macro Level: Telecom and Network Switches

The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. [32] Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. [33]

Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. [34] Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. [35]

Security practitioners and policymakers need to avoid the zero-sum framing prevalent in popular discourse regarding security VIS-A-VIS privacy, transparency and technology.

A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals personal information at risk.

While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, [36] the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.

Conclusion

Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.

[1]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.

[2]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security commentary/security matters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.

[3]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.

[4]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information & Privacy Commisioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.

[5]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy”(presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.

[6]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.

[7]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.

[8]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.

[9]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.

[10]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

[11]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.

[12]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.

[13]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.

[14]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.

[15]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&context=jss.

[16]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.

[17]. Ibid.

[18]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.

[19]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.

[20]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.

[21]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertiaIndira.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.

[22]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal -3/.

[23]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121 htm.

[24]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.

[25]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.

[26]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.

[27]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.

[28]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.

[29]. Ibid.

[30]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.

[31]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.

[32]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.

[33]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-70 00010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.

[34]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.

[35]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.

[36]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.

For more details visit https://cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology

Digital Rights and ISP Accountability in India: An Analysis of Policies and Practices

Anubha Sinha, Yesha Tshering Paul, and Sherina Poyyail — 2025-01-23T10:04:44Z

This report presents a comprehensive evaluation of India's four largest Internet Service Providers (ISPs)—Reliance Jio, Bharti Airtel, Vodafone-Idea (Vi), and BSNL—examining their commitment to digital rights and transparency.

Read the full report here.

India's four largest Internet Service Providers (ISPs)—Reliance Jio, Bharti Airtel, Vodafone-Idea (Vi), and BSNL collectively serve 98% of India's internet subscribers, with Jio and Airtel commanding a dominant market share of 80.87%. The assessment comes at a critical juncture in India's digital landscape, marked by a 279.34% increase in internet subscribers from 2014 to 2024, alongside issues such as proliferation of internet shutdowns.

Adapting the Ranking Digital Rights' (RDR) 2022 methodology framework for its 2022 Telco Giants Scorecard, our analysis reveals significant disparities in governance structures and commitment to digital rights across these providers. Bharti Airtel emerges as the leader in governance framework implementation, maintaining dedicated human rights policies and board-level oversight. In contrast, Vi and Jio demonstrate mixed results with limited explicit human rights commitments, while BSNL exhibits the weakest governance structure with minimal human rights considerations. Notably, all ISPs lack comprehensive human rights impact assessments for their advertising and algorithmic systems.

The evaluation of freedom of expression commitments reveals systematic inadequacies across all providers. Terms and conditions are frequently fragmented and difficult to access, while providers maintain broad discretionary powers for account suspension or termination without clear appeal processes. There is limited transparency regarding content moderation practices and government takedown requests, coupled with insufficient disclosure about algorithmic decision-making systems that affect user experiences.

Privacy practices among these ISPs show minimal evolution since previous assessments, with persistent concerns about policy accessibility and comprehension. The investigation reveals limited transparency regarding algorithmic processing of personal data, widespread sharing of user data with third parties and government agencies, and inadequate user control over personal information. None of the evaluated ISPs maintain clear data breach notification policies, raising significant concerns about user data protection.

The concentrated market power of Jio and Airtel, combined with weak digital rights commitments across the sector, raises substantial concerns about the state of user privacy and freedom of expression in India's digital landscape. The lack of transparency in website blocking and censorship, inconsistent implementation of blocking orders, limited accountability in handling government requests, insufficient protection of user rights, and inadequate grievance redressal mechanisms emerge as critical areas requiring immediate attention.

As India continues its rapid digital transformation, our findings underscore the urgent need for both regulatory intervention and voluntary industry reforms. The development of standardised transparency reporting, strengthened user rights protections, and robust accountability mechanisms will be crucial in ensuring that India's digital growth aligns with fundamental rights and democratic values.

For more details visit https://cis-india.org/internet-governance/blog/digital-rights-and-isp-accountability-in-india-an-analysis-of-policies-and-practices

Govt websites to get new addresses

praskrishna — 2012-06-11T03:27:19Z

The government today said by December all its websites would switch over to IPv6 — the next generation Web standard that enables the creation of trillions of new Internet addresses and provides higher levels of security.

Click to read the original published by the Telegraph on June 7, 2012. Nishant Shah is quoted.

Internet protocol version 6 (IPv6) went live across the globe today, with leading online giants, including Google, Facebook, Yahoo! and Microsoft (Bing), introducing the new standard on their products and services.

Experts said Internet users would not feel any impact because of the shift.

At present, websites run on IPv4, a 27 year-old standard that allows just over four billion unique IP addresses, which are the sequence of numbers used to identify a device.

Each Internet-enabled device — computer, tablet or smartphone — needs its own IP address to connect to the Internet. However, because of the shortage of addresses, many devices have to share them, limiting the ability of the security agencies to track the exact device involved in a security breach.

Networking giant Cisco has predicted that 18.9 billion devices will be online by 2016.

Switching to IPv6 will ensure a unique IP address for each device.

“IPv6 is designed to handle security issues better... All government websites will be IPv6-compatible by December. For the country as a whole, the road map for transitioning to IPv6 is by 2020,” telecom secretary R. Chandrashekhar said.

Internet traffic that moves over to the new protocol is encrypted. Systems in IPv6 ensure that the traffic gets to the correct destination without being intercepted, analysts said.

To ensure a smooth transition and avert an abrupt disruption, both systems (IPv4 and IPv6) will work simultaneously for the next few years.

“The future of our connected networks is IPv6. Not only is it more efficient and faster than IPv4, which we are currently working with, it is also more reliable and secure,” said Nishant Shah, director (research) at the Bangalore-based Centre for Internet and Society.

India has 35 million IPv4 addresses against a data user base of about 360 million.

In addition, with the government targeting 160 million and 600 million broadband customers by the year 2017 and 2020, respectively, the need to move to IPv6 becomes more crucial. Moreover, there is a strong security requirement to provide unique IP address to each individual user.

The IT department has taken various steps, including organising workshops, to encourage state governments to hold pilot projects.

Twenty-seven government websites have been brought under IPv6 platform.

For more details visit https://cis-india.org/news/govt-websites-to-get-new-addresses

RTI on Officials and Agencies Authorized to Intercept Telephone Messages in India

praskrishna — 2013-07-15T05:23:54Z

In an RTI mailed on April 17, 2013, the Centre for Internet and Society sought comprehensive information on the officials and agencies authorized to intercept telephone messages in India.

A portion of the RTI still awaits response, as it was redirected to the Department of Electronics and Information Technology. But on May 23, 2013 Rakesh Mittal of the Ministry of Home Affairs responded in brief and directed us to the 2007 Amendment to the 1885 Indian Telegraph Act.

Referring to rule 419-A of the amendment and the Ministry of Home Affairs website, we find that within central government the power to order communications surveillance is normally reserved for Union Home Secretary, a position held by Shir Anil Goswami as of June 30, 2013 (previously R.K. Singh). The amendment goes on to say, “In unavoidable circumstances,” however, such an order can be commanded by a Joint Secretary who has been authorized by Union Home Secretary Goswami. On the federal level, the Ministry of Home Affairs includes nearly 20 such Joint Secretaries able to be authorized for making interception commands.

A listing of the original question requests are given below:

Please provide a list containing name, rank and office address of the officers/agencies authorized by the Central Government to issue an order for interception under section 5(2) of the Telegraph Act, 1885
Please provide a list containing name, rank and office address of the officers authorized to issue interception orders under Rule 419A(1) of the Telegraph Rules, 1951 in unavoidable circumstances when such orders cannot be issued by the secretary to the Government of India, Ministry of Home Affairs.
Please provide a list containing the name, rank and office address of the officers/agencies designated as “competent authority” in terms of the Rule 419A(1) proviso of the Telegraph Rules, 1951.
Please provide a list of the agencies authorized by the Central Government to intercept, monitor, decrypt any information generated, transmitted, received or stored in any computer resource under section 69(1) of the Information Technology Act, 2000.
Please provide a list of the agencies authorized by the Central Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource under section 69-B of the Information Technology Act, 2000.
Please provide a list containing name, rank and office address of the officers/agencies authorized to issue interception orders under Rule 3, first proviso, of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
Please provide a list of the agencies authorised to intercept, monitor, decrypt any information generated, transmitted, received or stored in any computer resource under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009.

For more details visit https://cis-india.org/internet-governance/resources/rti-on-officials-and-agencies-authorized-to-intercept-telephone-messages-in-india

India's centralised snooping system facing big delays

praskrishna — 2013-07-15T06:35:05Z

Central Monitoring System lacks algorithms, database and data.

This blog post by Phil Muncaster was published in "The Register, UK" on July 9, 2013. The Centre for Internet & Society is mentioned.

After recent revelations about governments snooping on their own citizens, it's nice to know that not every such effort is going smoothly, as India’s much criticised NSA-style Centralised Monitoring System (CMS) is facing big delays after it emerged that the project is still missing the vital software which will allow analysts to search comms data.

The nation's Department of Telecommunications has now told the Center for Development of Telematics (C-DoT), which is installing the system, to speed things up, according to official documents seen by the Wall Street Journal.

The Rs.4 billion (£47.8m) CMS was originally conceived as a way of allowing the authorities to lawfully intercept voice calls and texts, emails, social media and the geographical location of individuals.

However, the Intelligence Bureau, which will be manning the system, has delayed its introduction for several reasons.

Firstly, mobile operators in only seven of the sub-continent’s 22 service areas have been connected to the CMS, leaving holes in its reach.

There’s also a major issue in that the system currently lacks the search algorithms needed to identify specific documents, meaning that as it stands operatives would have to search every email in the CMS to find the one they’re looking for.

The datacentre where intercepted data is to be stored is also apparently not yet ready, while the country’s Central Bureau of Investigation has yet to be given access to the system, causing further delays.

At a time when mass government monitoring of communications networks is a hot topic around the world thanks to Edward Snowden’s NSA revelations, rights groups have roundly slammed India’s CMS plans.

Human Rights Watch branded the scheme “chilling” in a strongly worded response, while India’s Centre for Internet and Society warned that the country currently doesn’t have privacy laws which could protect individuals from potential abuse of the system.

A Stop ICMS campaign has also been launched online in an attempt to mobilise opposition to the plans.

For more details visit https://cis-india.org/news/theregister-uk-phil-muncaster-july-9-2013-indias-centralised-snooping-system-facing-big-delays

India’s Central Monitoring System: Security can’t come at cost of privacy

praskrishna — 2013-07-15T06:43:21Z

During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).

Danish Raza's article was published in FirstPost on July 10, 2013. Sunil Abraham is quoted.

The surveillance project, described as the Indian version of PRISM, will allow the government to monitor online and telephone data of citizens. prism-milind-deora-cms-central-monitoring-system/” target=”_blank”>

The minister tried to justify the project arguing that the union government will become the sole custodian of citizen’s data which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.

A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in public domain. It merely states that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”

One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record.

“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, Delhi based NGO working for online freedom of speech and related issues.

There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing.” said Kovacs.

Given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable. Almost in every nation, certain chunk of population is always under the scanner of intelligence agencies. However, mass-scale tracking the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those are actually criminals.”

Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”

Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?

“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”

Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”

For more details visit https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy

The DNA Profiling Bill 2007 and Privacy

elonnai — 2012-03-21T09:40:56Z

In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India. The below is a background to DNA collection/analysis in India, and a critique of the Bill a from a privacy perspective.

Introduction

In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India[1]. The Bill is pending in parliament. The DNA Profiling Bill looks to legalize the collection and analysis of DNA samples for forensic purposes. We believe that it is important that collection of DNA has associated legislation and regulation, because DNA is sensitive physical evidence that if used correctly can benefit the public good, but if misused can lead to serious privacy and human rights violations. Therefore it is important to create a balance between the constitutional rights of an individual and the public interest and bring accountability and transparency to the practice of DNA collection and testing.

In our research we consulted with GeneWatch UK to learn from their work and experience with DNA testing in the UK. This briefing is meant to give a background on the logistics of DNA testing, highlight ways in which DNA testing raises privacy concerns, and provide a critique of the DNA Profiling Bill.

Background Facts about DNA and DNA testing:

What is DNA: DNA is material that determines a persons hereditary traits such as hair color, eye color, body structure etc. Most DNA is located in the cell nucleus, and wrapped up in small structures called chromosomes. Every person inherits 50% of genetic material from their mother and 50% from their father. Genetic disorders are caused by mutations in a person's DNA, and comparing DNA within families can reveal paternity and non-paternity. DNA is found in every cell of our bodies, and each person has a unique strand of DNA [2]. Thus, DNA is seen as a useful form of identification with marginal room for error [3].

What is a DNA profile/ DNA database, and how can it be used/misused:

When DNA samples are taken from individuals they are analyzed in laboratories to produce a digitized representation of numbers known as a DNA profile. Once created, a DNA profile is stored on a DNA database (i.e. an electronic database) with other identifying information from the individual and information from the crime scene. A DNA profile is based on parts of a person's DNA, so it is not unique to an individual. The probability of an individual's DNA profile matching a stranger's by chance is very small, but not impossible. To collect a sample of DNA police normally use a mouth swab to scrape cells from inside the suspect's cheek. If the individual refuses, their DNA can be obtained by pulling some hairs out of their head (cut hair does not contain DNA, it is only in the roots), if the law allows DNA to be taken without consent. DNA samples are also collected from crime scenes, for example from a blood stain, and analyzed in the same way. DNA samples are sometimes stored indefinitely in the laboratory with a bar code number (or other information) that allows them to be linked back to the individual [3]. Stored DNA profiles from crime scenes can be helpful to exonerate an innocent person who is falsely accused of a crime if their DNA does not match a crime scene DNA profile that is thought to have come from the perpetrator. However, stored DNA profiles from individuals are not needed for exoneration because the individual's DNA can always be tested directly (it does not need to be stored on a database). Collecting DNA profiles from individuals can be useful during an investigation, to compare with a crime scene DNA profile and either exonerate an individual or confirm they are a suspect for the crime. Corroborating evidence is always needed because of the possibility of false matches (which can occur by chance or due to laboratory errors) and because there may be an innocent explanation for an individual's DNA being at a crime scene, or their DNA could have been planted there. Storing DNA profiles from individuals on a database is only useful to implicate those individuals in possible future crimes, not to exonerate innocent people, or to solve past crimes. An individual is implicated as a possible suspect for a crime if their stored DNA profile matches a new crime scene DNA profile that is loaded on to the database. For this reason, most countries only store DNA profiles from individuals who have committed serious crimes and may be at risk of re-offending in the future. Stored DNA profiles could in theory be used to track any individual on the database or to identify their relatives, so strict safeguards are needed to prevent misuse [4].

DNA testing in India:

At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts, but DNA collection and testing and is taking place in many states. For instance, in Pune the army is currently considering creating DNA profiles of troops who are involved in hazardous tasks inorder to help identify bodies mutilated beyond recognition [5]. In December of this year a judge in the Supreme Court ordered DNA testing on a congress spokesmen to determine if his child was really his child [6]. Also in December this year a news article announced the establishment of the first DNA profiling databank in Nehru Nagar [7]. Additionally DNA has been used to identify criminals , for instance in the Tandoor Murder DNA testing was used to reveal the identity of the culprit [8].

India hosts both private and public DNA labs. Public labs are sponsored by the Government, and use DNA purely for forensic purposes. For example The Centre for DNA Fingerprinting and Diagnostics (CDFD) located in Hyderabad is sponsored by the Department of Biotechnology and Ministry of Science. CDFD runs DNA testing for: establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapist in rape cases, identification in the case of murder.

Cases are only accepted by CDFD if they are referred by law enforcement agencies or by a court of law. Only an officer of the rank Inspector of Police or above may forward DNA cases to CDFD. Copies of DNA report are released to individuals if they are able to prove needed interest in the case through a notarized affidavit [9]. In 2010 CDFD received 100 cases from law enforcing agencies. Additionally, in 2010 CDFD was given rupees eighteen lakhs thirty nine thousand five hundred and forty five from the Government of India towards DNA fingerprinting services [10]. The Indian Government has also established National Facilities for Training in DNA Profiling in order to train individuals in DNA testing and expand the number of DNA examiners and laboratories available in the country [11].

Examples of private DNA labs include DNA labs India and Truth Labs. DNA labs India runs paternity testing, forensic testing, prenatal testing, and genetic testing [12]. Truth Labs is a private lab that provides legal services directly, without a court or police order [13].

The Complexity of privacy and DNA collection/ testing:
As mentioned above, the personal and sensitive nature of DNA, the use of DNA raises many privacy concerns. The concerns fall into three basic areas: first, if a person has given consent to have his or her DNA used for a specific purpose, must the DNA be destroyed or can it be used for other purposes as well? Related to that, if a person must give consent for a specific purpose, what happens if the person is no longer able to give consent -- if, for example, the person has died? Finally, if the testing of one person's DNA yields information that is likely, or probable, or certain to impact another person, does that person have a right to know the information discovered? There are variations on these questions -- as for example does DNA is permitted to be taken without consent (to test for a crime, perhaps), does that lack of need for consent permit all uses of DNA that others want. Who decides? The complexity of these questions demonstrates that in the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations.

Can DNA evidence be considered self-incriminating evidence?
According to the Supreme Court fingerprinting and other physical evidence is not covered by article 20(3). In the case of State of Bombay v. Kathi Kalu Oghad, the courts answered the question of whether or not the freedom against self-incrimination guaranteed under article 20(3) of the Constitution of India – which is meant to protect a person from torture from the police – can be extended to the collection of DNA? the courts answered this question by upholding that
“To be a witness may be equivalent to ‘furnishing evidence’ in the sense of making oral or written statement, but not in the larger sense of the expression so as to include giving of thumb impression or impression of palm or foot or fingers or specimen writing or exposing a part of the body by an accused person for purposes of identification [14]”

Critique of the DNA Profiling Bill 2007

Does India already have sufficient legislation?
The collection and use of biometrics for identification of criminals legally began in India during the 1920's with the approval of the Identification of Prisoners Bill 1920 [15]. The object of the Bill is to “provide legal authority for the taking of measurements of finger impression, foot-prints, and photographs of persons convicted or arrested…”[16] The Bill is still enforced in India, and in October 2010 was amended by the State Government of Tamil Nadu to include “blood samples” as a type of forensic evidence [17]. Other Indian legislation pertaining to forensic evidence is the CrPC and the Indian Evidence Act. In 2005 section 53A of the CrPC was amended to authorize investigating officers to collect DNA samples with the help of a registered medical practitioner, but the Indian Evidence Act fails to manage science and technology issues effectively [18]. The current state of statutes for DNA collection in India are not sufficient as the neglect to lay out precise procedures for collection, processing, storage, and dissemination of DNA samples. One question to consider though is if the Prisoners Identification Bill, CrPC, and Indian Evidence Act could be amended to incorporate DNA, and the needed safeguards, as a type of forensic evidence for all of India.

Lack of requirement for additional evidence: The preamble of the DNA Profiling Bill states that “The Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any Doubt.” This statement is untrue as DNA test can be compromised under many circumstances including: techniques for declaring a match, the proficiency of examiners, laboratory control standards and statistical problems, and DNA samples can become degraded due to age or exposure to chemical or bacterial agents [19]. Because DNA is not foolproof individuals can be falsely implicated in a crime as a result of an incorrect DNA match. The Bill needs to put in place procedures for the court to recognize the fact that DNA is not 100% foolproof, present the statistics correctly, and require supporting evidence [20].

Scope for DNA Collection: The stated object of the DNA Bill is to: “enhance protection of people and administration of justice, analysis of DNA found at the crime scene, establish identity of victim and offender”. The list of offenses and situations in which the collection and testing of DNA is permitted, found in the Schedule of the Bill, provides for the collection DNA from individuals who are not related to a crime scene, are not victims, and are not criminals. Furthermore, section 13(xxii) allows this list to be expanded by the DNA board. We believe these sections should be omitted from the scope of the Bill, so that it is limited to only identifying individuals who are victims and offenders, and that a statutory body besides the DNA board be given the authority to expand the list of proposed offences [21]. Furthermore, within the Bill there are many places where vague language permits the DNA testing of individuals who are not yet convicted of a crime, which will constitute an invasion of privacy unless the DNA is provided voluntarily to release a person suspected or accused of a crime [22]. Additionally as mentioned above it is critical that the Bill recognizes and allows for different thresholds of privacy when collecting, analyzing and sharing DNA profiles.

Clear definition of when collection of DNA samples can be taken: The schedule of the Bill only lists the offenses and situations for which the collection of DNA is permitted. We believe a provision must be added that clarify when exactly DNA can be collected e.g. whether the DNA can be collected on arrest or on charge, whether the DNA has to be relevant to the offence, or whether the police decide this for themselves, and what are the oversight mechanisms for these decisions [23].

Privacy Principles: The Bill enables the DNA Profiling Board to recommend privacy protection statutes, regulations, and practices concerning: use and dissemination, accuracy, security, and confidentiality, and destruction of DNA information [24]. Privacy principles should not be left to recommendations by the board or to regulations of the Bill, but instead should be incorporated into the Bill itself to ensure that such practices are in place if the Bill is passed. Furthermore, the appropriate collection, access, and retention of DNA information should be specified in this Bill.

Obligations for DNA laboratories: Section 19 of the Bill lays out the obligations of DNA laboratories [25]. We recommend that the implementation of a privacy policy should be mandatory under this section.

Storage of DNA profiles and samples: Currently the Bill allows for the complete storage of DNA of: volunteers, suspects, victims, offenders, children (with parental consent), and convicted persons. DNA samples taken from individuals contain unlimited genetic information (including health-related information) and are not needed for identification purposes once the profiles have been obtained from them, thus we recommend that the bill requires that DNA samples be stored temporarily for quality assurance purposes (e.g. for up to six months) and then destroyed to prevent misuse. This is an important privacy protection, which also reduces the cost of storing samples. The only purpose of retaining DNA profiles on a criminal database is to help identify the individual if they reoffend. Thus we recommend that the criminal databases should be restricted to holding DNA profiles only from convicted persons, and the types of offence and time period for retention should be limited. Although DNA profiles may have alternative uses other than solving crimes (e.g. identifying missing persons) we recommend that the missing persons databases are kept separate from criminal databases. Furthermore, although collecting DNA from victims and volunteers may be useful during the investigation of a crime, DNA profiles obtained from victims and volunteers should be destroyed once an investigation is complete.

Conflicting Clauses: Section 14 of the Bill provides that DNA laboratories can only undertake DNA procedures with the approval, in writing, from the DNA profiling Board. Section 15(2) contradicts this statement by permitting already existing DNA laboratories to function and use DNA already collected even before they receive approval from the DNA profiling Board. We suggest that Section 14 is clearly written so that DNA laboratories that have already been set up are unable to continue functioning until they have met the approval of the DNA Profiling Board, and Section 15(2) should thus be deleted.

Access: According to section 41 of the Bill, the Data Bank Manager is given sole discretion as to who may have access to the DNA database, including persons given access for training purposes [26]. Low standards such as these vest too much discretion in the Data Bank Manager. We recommend that access is strictly limited to trained personnel who have undergone proper security clearance. Furthermore, we recommend that the role of Data Bank Manager be analogous to a custodian for the databank. Thus, the manager would be accountable for the integrity and security of the data held in the DNA databank.

Offenses: Though the Bill provides for penalties such as unauthorized access, disclosure, destruction, alterations, and tampering [27], the Bill fails to provide punishment for the illegal collection of DNA samples. This should be made an offense under the Bill.

Redress: The Bill provides no redress mechanism to an individual whose DNA was illegally used or collected. Furthermore, section 49 (1) only permits the Central Government or DNA Profiling Board to bring complaints to the courts [28]. Thus, we recommend that individuals are enabled to bring charges against entities (such as DNA labs or police officials) for the misuse of their data.

Delegation of powers: The Bill allows the DNA Profiling Board to form committees of the members and delegate them the powers and functions of the board. This clause could allow outsourcing, and could allow a dilution of authority by which the DNA Profiling Board weighs approval or rejection of requests [29]. We recommend that the outsourcing of functions be limited to administration duties and jobs that do not directly relate to the core duties of the DNA Profiling Board.

Access by law enforcement agencies: The Bill currently allows for the DNA Profiling Board to grant law enforcement agencies access to DNA profiles [30]. We recommend that DNA profiles are only accessed by the Data Bank Manager. Law enforcement agencies should send requests for matches to the Data Bank Manager, and the Manger would provide the needed intelligence [31].

Public interest: The Bill allows for DNA laboratories to continue to operate, even if the laboratory has violated the specified procedures, if the DNA Profiling Board finds it in the public interest [32]. We believe that where there have been violations, a laboratory should be required to demonstrate remediation before being allowed to resume operations.

Contamination of DNA samples: Currently the Bill holds laboratories responsible for “minimizing the contamination of DNA.”[33] DNA Laboratories should be held fully and legally responsible for preserving the quality of DNA samples. If a DNA sample is contaminated, and the DNA lab does not follow due diligence to discard the contaminated sample and or collect a new sample, and subsequently the DNA used wrongly against an individual - an individual should have the ability to press charges against the institution.

Audits: The Bill provides for the auditing of DNA laboratories, but the DNA Profiling Board must also undergo annual audits [34].

Indices Held by DNA Banks: Under section 33 (4),(5)The Bill provides for the DNA data bank to set up indices that hold DNA identification records and DNA analysis from: crime scenes, suspects, offenders, missing persons, unknown deceased persons, volunteers and such other indexes as specified by regulations. We believe the DNA data bank should not hold indexes on suspects, missing persons, or volunteers without consent and the ability for the individual to withdraw their consent. Furthermore, the Bill requires the taking of a victim’s DNA, but it is not listed as an index. We recommend that this section be deleted, as the creation of a DNA index is simply another copy of a DNA profile, and it does not serve a particular purpose.

Communicating of DNA Profile with Foreign States: Section 35 permits, with the approval of the Central Government, the sharing of DNA profiles with Foreign States [35]. We recommend that communication and use of a DNA profile with Foreign States should be limited to comparison only.

Access to Data Banks for administration purposes: Section 39 of the Bill permits access to the databank for “administrative purposes”. We recommend that the Bill clarify what exactly constitutes “administrative purposes”, and clarify that the process/procedures that permit access to data banks for administration purposes will not require access to data stored in Data Banks [36].

Enforcement for the removal of innocents: Section 36(3) of the Bill requires that the DNA profile of individuals who are found innocent be removed from the database. This provision should have legal mechanisms to ensure enforcement of the provision e.g. reporting by the Board [37].

Ability to access one’s own DNA Profile: A provision should be added to the Bill that gives individuals the right to ask the police for any of their own details held on police databases, so an individual has the ability to know if their data is being held against the law [38].

Clear Definition of identity: Section 33(6)(i) maintains that the DNA Data Bank will contain in relation to each of the DNA profiles… the “identity of the person”. The Bill needs to define what is "identity" and how “identifying” information can be used. Furthermore, it is important to ensure that no other information (like an identity number) that would allow for function creep, is included in the DNA data base[39].

Transparency of the DNA board: Section 13 of the Bill describes the powers and functions the DNA Board. In this section the DNA board should be required to publish and submit minutes and annual reports including detailed information on how it has exercised all its functions to the public and to Parliament. The report should include: numbers of profiles added to the database; numbers removed on acquittal, numbers of matches and solved crimes; costs; numbers of quality assurance inspections, and breakdowns of these figures by state [40].

Restricted use of DNA database: Section 39 (1) of the Bill permits the DNA database to be used for identification purposes that are not related to solving a crime including the “ identification of victims of: accidents, disasters or missing persons or for such other purposes”. The DNA database should be restricted to the identification of a perpetrator of a specified criminal offence, and consent or a court order must be sought for any other use of the database for identification purposes.

Probability of error published: Because profiles found in the DNA data base are comprised of only parts of individuals DNA, the profiles are not unique to individuals. Thus, the number of false matches that are expected to occur by chance between crime scene DNA profiles and stored individual's profiles depends on how the profiling system used, how complete the crime scene DNA is before it is added to the database (many crime scene DNA stains are degraded and not complete), and how many comparisons are done (i.e. how big the database it is and how often it is searched). With a population the size of India, the number of these false matches could be very high. The DNA board needs to take this probability for error into consideration and publish researched statistics on how many false matches they expect to occur purely by chance, based on the numbers of profiles they expect to store under the proposed criteria for entry and removal of profiles [41].

Cost analysis: The DNA board should publish a cost benefit analysis for the implementation the Bill. This should include the cost of storing samples, collecting sample, and testing samples [42].

Bibliography

http://www.cdfd.org.in/
http://ghr.nlm.nih.gov/handbook/basics/dna
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg.6, 22
Ibid email conversation with Dr. Wallace from Genewatch UK April 2nd 2002
http://articles.timesofindia.indiatimes.com/2011-01-02/india/28371869_1_dna-data-bank-blood-samples-bodies
http://www.merinews.com/article/justice-s-rabindra-bhatt-orders-dna-test-for-nd-tiwari/15838508.shtml
http://www.dnaindia.com/mumbai/report_nehru-nagar-first-region-in-country-to-have-dna-profiling-database_1477211
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg.263
http://www.cdfd.org.in/servicespages/dnafingerprinting.html
ibidhttp://www.cdfd.org.in/image/AR_2009_10.pdf
http://planningcommission.nic.in/plans/planrel/fiveyr/11th/11_v1/11v1_ch8.pdf
http://www.dnalabsindia.com/
http://www.truthlabs.org/
AIR 1961 SC 1808
The Prisoners Identification Bill was most recently amended 1981
http://lawcommissionofindia.nic.in/51-100/report87.pdf
http://www.tn.gov.in/stationeryprinting/extraordinary/2010/305-Ex-IV-2.pdf
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 259
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 245
Email conversation with Dr. Wallace from Genewatch UK. April 2nd
Schedule of offenses 5) Miscarriage or therapeutic abortion, b. Unnatural offenses, 7) Other criminal offenses b. Prostitution 9) Mass disaster b) Civil (purpose of civil cases) c. Identification purpose 10) b) Civil:1) Paternity dispute 2) Marital dispute 3) Infidelity 4) Affiliation c) Personal Identification 1) Living 2) Dead 3) Tissue Remains d)
2 (xxvii) “offender” means a person who has been convicted of or is under trial charged with a specified offense.
2(1)(vii) “crime scene index” means an index of DNA profiles derived from
forensic material found: (a) at any place (whether within or outside India) where a specified offense was, or is reasonably suspected of having been, committed;
or (b) on or within the body of the victim, or a person reasonably
suspected of being a victim, of an offense (DNA Profiling Bill)
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 291
Section (1) (xv) –(xvi) of DNA Profiling Bill
Section 19 of DNA Profiling Bill
Section 41(i) (ii) of DNA Profiling Bill
Section 45, and section 46 of DNA Profiling Bill
Section 49 (1) of DNA Profiling Bill
Section 52 (2) The DNA Profiling Board may, by a general or special order in writing,
also form committees of the members and delegate to them the powers
and of the Board as may be specified by the regulations.
Section 13(x), Section(2) The DNA Profiling Board may, by a general or special order in writing,also form committees of the members and delegate to them the powers and functions of the Board as may be specified by the regulations.
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 300
Section 17 (2) of DNA Profiling Bill
Section 22 of DNA Profiling Bill
Section 28 of DNA Profiling Bill
Section 35 (1) of DNA Profiling Bill
Section 39 of DNA Profiling Bill
http://www.genewatch.org/sub-539478
http://www.genewatch.org/sub-539478
http://www.genewatch.org/article.shtml?als[cid]=492860&als[itemid]=567376
Email conversation with Dr. Wallace from Gene Watch UK April 2nd
Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.
October 2006.
Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.
October 2006.

For more details visit https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill

Draft Law Would Prohibit Showing ‘Disputed Areas’ on Maps of India

subha — 2016-05-15T13:05:41Z

Maps that label geographic areas of conflict as “disputed” territories in India could put one behind bars for seven years with 1B Indian Rupees (US$15M) penalty if a recently proposed bill becomes law.

The article was published in Global Voices on May 11, 2016.

The controversial bill, also known as Geospatial Information Regulation Bill 2016 would make it illegal to “depict, disseminate, publish or distribute any wrong or false topographic information of India including international boundaries through internet platforms or online services or in any electronic or physical form.”

If approved, it could put large corporations like Google (with its Google map), free and open source projects like Wikipedia and Open Street Map, and several other organizations in trouble for showing areas of conflict as disputed. Pakistan-Occupied Kashmir (PoK) and Arunachal Pradesh near the China border are two well-known examples of such areas.

The Indian government ruled by Bharatiya Janata Party (BJP) under the leadership of Prime Minister Narendra Modi has been quite critical of the depiction of the PoK and China border in Arunachal Pradesh.

If passed in the parliament as law, it could prevent Indians and foreigners, government employees and people traveling in ships and aircrafts that are registered in India, to acquire geospatial imagery or data. To acquire such data, one needs to obtain permissions from the security vetting authority.

In recent years, the Indian government has targeted numerous foreign publications including Al Jazeera for showing distorted maps of India that excluded parts of the state of Jammu and Kashmir and even another state Arunachal Pradesh. While the bill does not explicitly mention these efforts, it seems to fall in line with these previous attempts to control the free flow of geospatial information.

A news article about the proposed bill published on the portal MediaNama explains how the potential law could affect map portals like Open Street Map and Google Maps, taxi, e-commerce and public safety sites and many other services that allow marking and sharing coordinates. “Most digital photographs contain location meta-data, and by sharing your photos online, you’re adding to a repository of data related to man-made phenomenon,” suggests the same article. Open data advocates also have published list of 25 different services, seven major news portals, and 14 nonprofits that would be affected if the bill is approved.

The Open Data community of India also has come up with a campaign “SaveTheMap” to draft a request to the government to not pass the bill. The draft request states:

Request for comments / suggestions on draft “The Geospatial Information Regulation Bill, 2016” To regulate the acquisition, dissemination, publication and distribution of geospatial information of India which is likely to affect the security, sovereignty and integrity of India, a draft “The Geospatial Information Regulation Bill, 2016” has been prepared. Copy of the draft “The Geospatial Information Regulation Bill, 2016” is attached herewith for comments/suggestions. The comments/suggestions on the draft Bill may be forwarded to the Joint Secretary (Internal Security-I), Ministry of Home Affairs, North Block, New Delhi at email id: jsis@nic.in within 30 days.

There has been a lot of discussion with hashtag #GeoSpatialBill and humorous comments on social media:

Many have already started tweeting with the hashtag #savethemap:

Twitter user Prasanto Roy explained the implications of geospatial bill for various companies including Google, Uber and Open street maps:

Here's what other experts have to say:

Arup. R writes in Geospatial World:

This Act needs to be dropped. In its attempt to cover all bases it has been made so broadband and all encompassing that it may actually impede the progress of work on Geospatial systems and therefore on key Government programmes and projects. The Act does not take into account the fact that with the advent of the Cloud, Data as a Service, Software as a Service and Platform as a Service there is no need for ‘persons’ to possess data. They can just access data, do their work and retain only the final results. This Act does not, in fact cannot, even begin to comprehend the paradigm shift in geospatial technologies which makes it a non-starter.

India does need a Geospatial Information Act, but it has to be an enabling and encouraging Act that makes for faster and better implementation of programmes, not a regressive and punitive Act as the proposed one.

Devdutta Tengshe writes about the overreaching ambit of Geospatial bill on Medium:

Worst of all, it (the bill) is trying to implement Security by Obscurity, which is expecting the country to become secure by hiding information from its citizens. This is dangerous, because the real mischief creators, be they terrorists, Foreign government agencies, or domestic criminals, will most likely have access to kind of data from foreign sources, and will not even think about getting permits and licenses from these Indian Authorities.

Cyber law expert Pavan Duggal told The Wire:

The draft legislation has the intrinsic problem that it has been given extra-territorial applicability in terms of jurisdiction. It is applicable to any person anywhere in the world. We have historically seen that such jurisdiction does not work well in practical terms. What if global players do not want to take your licence or subject themselves to your jurisdiction?

Duggal further spoke about how the law could impact the growth of e-commerce and m-commerce in India.

Under this law, Google Maps will be illegal without a licence, which means that all mobile or e-commerce applications working on Google Maps will also become illegal. The licence will also only be applicable to the concerned person. So if I am a taxi aggregator like Ola or Uber, I will have to get a separate licence over and above what Google Map has.

Indian Express calls the Geospatial bill a death note for Cartography:

The draft Geospatial Information Regulation Bill of 2016 is so perfectly ridiculous that one can only hope that it falls off the map before it can be tabled in the House. Publishers the world over have learned, to their bewildered amusement, that India censors maps of itself. Now, to strike fear into their anti-national gizzards, the government has invoked an official map censor, a babu-led organisation whose prior permission will be required to publish geospatial information, which is newspeak for maps. Failure to correctly depict the borders of India could attract a fine of up to Rs 100 crore, before the poor offending bozo is dragged away to the cooler for seven years. With this draft, the government has embarked on a journey without maps, which must rapidly become directionless.

Not the first time around?

Meanwhile, this clearly isn't the first time that services such as Google Maps have come under the federal scanner in India. In 2014, India's prime investigation agency Central Bureau of Investigation (CBI) had launched a probe into Google Maps’ irregularities in Mapathon 2013 and had accused the company of running the competition without procuring proper governmental permissions. But the agency had called off the case citing lack of ‘adequate evidence to corroborate the allegations’.

For more details visit https://cis-india.org/a2k/blogs/draft-law-would-prohibit-showing-2018disputed-areas2019-on-maps-of-india

Understanding Aadhaar and its New Challenges, May 26-27, 2016

sumandro — 2016-05-26T10:29:43Z

A workshop on “Understanding Aadhaar and its New Challenges” is being organised by the Centre for Studies in Science Policy, Jawaharlal Nehru University, and the Centre for Internet and Society, during May 26-27. It is also supported by the Centre for Communication Governance at NLU Delhi, Free Software Movement of India, Knowledge Commons, PEACE, and Center for Advancement of Public Understanding of Science & Technology. This is a legal and technical workshop to be attended by various key researchers and practitioners to discuss the current status of the implementation of the project, in the context of the passing of the Act and the various ongoing cases.

Workshop Programme

First Day, May 26

9:00-9:30	Registration
9:30-10:00	Prof. Dinesh Abrol - Welcome Self-introduction and expectations of participants Dr. Usha Ramanathan - Overview of the Workshop
10:00-11:00	Current Status of Aadhaar Dr. Usha Ramanathan, Legal Researcher, New Delhi - What the 2016 Law Says, and How it Came into Being S. Prasanna, Advocate, New Delhi - Status and Force of Supreme Court Orders on Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:30	Direct Benefits Transfers Prof. Reetika Khera, Indian Institute of Technology, Delhi - Welfare Needs Aadhaar like a Fish Needs a Bicycle Prof. Ram Kumar, Tata Institute of Social Sciences, Mumbai - Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion Ashok Rao, Delhi Science Forum - Cash Transfers Study Discussion
13:30-14:30	Lunch
14:30-16:00	Aadhaar: Science, Technology, and Security Prof. Subashis Banerjee, Deptt of Computer Science & Engineering, IIT, Delhi - Privacy and Security Issues Related to the Aadhaar Act Pukhraj Singh, former National Cyber Security Manager, Aadhaar, New Delhi - Aadhaar: Security and Surveillance Dimensions Discussion
16:00-16:30	Tea Break
16:30-17:30	Aadhaar - International Dimensions Prof. Chinmayi Arun, Center for Communication Governance, National Law University, Delhi - Biometrics and Mandatory IDs in other parts of the world Dr. Gopal Krishna, Citizens Forum for Civil Liberties - International Dimensions of Aadhaar Discussion
17:30-18:00	High Tea
18:00-19:00	Video Presentations

Second Day, May 27

9:30-11:00	Privacy, Surveillance, and Ethical Dimensions of Aadhaar Prabir Purkayastha, Free Software Movement of India, New Delhi - Surveillance Capitalism and the Commodification of Personal Data Arjun Jayakumar, SFLC - Surveillance Projects Amalgamated Col Mathew Thomas, Bengaluru - The Deceit of Aadhaar Discussion
11:00-11:30	Tea Break
11:30-10:30	Aadhaar: Broad Issues - I Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - How to prevent linked data in the context of Aadhaar Dr. Anupam Saraph, Pune - Aadhaar and Moneylaundering Discussion
13:00-13:30	Video Presentations
13:30-14:30	Lunch
14:30-15:30	Aadhaar: Broad Issues - II Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - Financial lnclusion Nikhil Dey, MKSS, Rajasthan (TBC) - Field witness: Technology on the Ground Prof. Himanshu, Centre for Economic Studies & Planning, JNU - UID Process and Financial Inclusion Discussion
15:30-16:00	Conclusion

For more details visit https://cis-india.org/internet-governance/events/understanding-aadhaar-and-its-new-challenges-may-26-27-2016

India's Proposed Map Law Prompts Outcry

praskrishna — 2016-05-29T09:30:31Z

In India, proposed legislation to ban use of maps or satellite images of the country without approval from the government has led to an outcry and triggered an online campaign called “Save The Map.”

The article by Anjana Pasricha was published in Voice of America on May 17, 2016. Pranesh Prakash was quoted.

The controversy is not just over stiff penalties of up to $15 million for a wrong depiction of India’s borders, but that in a digital era, the law would potentially disrupt a host of businesses and start-ups such as taxi-hailing services.

Reasons

The draft Geospatial Information Regulation Bill seeks to regulate the use of mapping and satellite data for two reasons: secure the country’s strategic installations from enemies and terrorists and ensure that its political boundaries are correctly depicted. The government says it will not create barriers to business.

But Internet experts say the sweeping proposed law will affect ordinary people using mobiles and laptops, all new-age companies such as food-delivery and e-commerce, apps, as well as Apple and Google map products.

Nikhil Pahwa, founder of the website MediaNama, calls location data the core fabric of all digital services.

“What the government has ended up doing is making pretty much every single app illegal because they all use geospatial data and they wont have a license. If you take a photograph, it has location data. If you use Uber to hail a cab, it uses maps and it shows taxi cabs on the map. If I WhatsApp my location to a friend to pick me from a particular location, I am generating geospatial information,” he said.

Nikhil Pahwa, founder of the website MediaNama, calls location data the core fabric of all digital services.

Complications for ordinary citizens

The draft law requires anyone wanting to use, publish or own maps or geospatial data to apply for a license, which will be considered by a security vetting committee.

The Bangalore-based Center for Internet and Society (CIS) has also slammed the new bill, saying it takes India back more than three decades when businesses were governed by a maze of bureaucratic licenses and permits.

“What it does, it puts in place a license raj for all use of mapping technologies. That just does not make sense. No other country in the world has this regressive mapping law,” said Pranesh Prakash at CIS.

Internet opposition

A volunteer-led internet campaign called “Save The Map” led by Bangalore-based tech experts, is steadily gathering momentum. It is calling on people to petition the government against the bill in its present form. It seeks to replicate an extremely successful campaign called “SavetheInternet” which built public opinion and put pressure on the government to ensure equal access to the internet.

The government has sought to calm the growing concerns, saying the bill is only in a preliminary stage and it has invited feedback and suggestions from the public until June 4.

Officials point to India’s growing security concerns, specially since an armed attack at a strategic air base in Pathankot in northern India earlier this year, allegedly mounted by Pakistan-based terrorists. Speaking to an Indian newspaper, Junior Home Minister Kiren Rijiju said the bill is necessary because “India as a responsible country must have provisions to secure its boundary and territory.

However Prakash of CIS points out that the new bill will not necessarily prevent terror groups from getting hold of geospatial data to target Indian installations because they don’t need maps generated inside India to access such information.

“They need satellite imagery and they need maps, period. Now this law does not actually prevent such maps from being created, it does not prevent satellite images of India being captured. What it does is prevent Indians from doing so. So it won't prevent foreign-based terrorists, especially state-backed terrorists, from attacking India,” he said.

Internet and public policy experts agree that the government could impose restrictions on mapping and satellite images of strategic and sensitive locations in the country.

Huge fines

The eye-popping fines of up to $15 million and jail terms of up to seven years proposed for incorrect depiction of India’s borders have also caused surprise.

India has always insisted maps should show Kashmir in the north, which is claimed by both India and Pakistan and the state of Arunachal Pradesh in the northeast, which China claims, within Indian political boundaries.

Foreign magazines and newspapers which failed to do so were only allowed to circulate in the country after the words “Boundaries of India shown in this map are not correct” were stamped over maps that did not conform to India’s interpretations of its borders.

Google already offers slightly altered versions of its maps inside India, showing the disputed regions of Kashmir and Arunachal Pradesh as part of India.

Independent political analyst Ajoy Bose said New Delhi has long been very sensitive over how these two territories are depicted. “It has always been a source of annoyance to successive governments, but this government being ultranationalist in nature is very particular about India’s geographical boundaries being correctly shown, and therefore it is taking much more drastic action,” he said.

For more details visit https://cis-india.org/internet-governance/news/voice-of-america-may-17-2016-anjana-pasricha-india-proposed-map-law-prompts-outcry

Submission by the Centre for Internet and Society on Draft New ICANN By-laws

vidushi — 2016-05-31T02:49:45Z

The Centre for Internet & Society sent its comments on the Draft New ICANN Bylaws. The submission was prepared by Pranesh Prakash, Vidushi Marda, Udbhav Tiwari and Swati Muthukumar. Special thanks to Sunil Abraham for his input and feedback.

We at the Centre for Internet and Society are grateful for the opportunity to comment on the draft new ICANN by-laws. Before we comment on specific aspects of the Draft by-laws, we would like to make a few general observations:

Broadly, there are significant differences between the final form of the by-laws and that which has been recommended by the participants in the IANA transition process through the ICG and the CCWG. They have been shown to be unnecessarily complicated, lopsided, and skewed towards U.S.-based businesses in their past form, which continues to reflect in the current form of the draft by-laws.

The draft by-laws are overwrought, but some of that is not the fault of the by-laws, but of the CCWG process itself. Instead of producing a broad constitutional document for ICANN, the by-laws read like the worst of governmental regulations that go into unnecessary minutiae and create more problems than they solve. Things that ought not to be part of fundamental by-laws — such as the incorporating jurisdiction of PTI, on which no substantive agreement emerged in the ICG — have been included as such.

Simplicity has been seen as a sin and has made participation in this complicated endeavour an even more difficult proposition for those who don’t choose to participate in the dozens of calls held every month. On specific substantive issues, we have the following comments:

Jurisdiction of ICANN’s Principal Office

Maintaining by-law Article XVIII, which states that ICANN has its principal office in Los Angeles, California, USA, these Draft by-laws make an assumption that ICANN’s jurisdiction will not change post transition, even though the jurisdiction of ICANN and its subsidiary bodies is one of the key aspects of post transition discussion to be carried out in Work Stream 2 (WS2). Despite repeated calls to establish ICANN as an international community based organisation (such as the International Red Cross or International Monetary Fund), the question of ICANN's future jurisdiction was deferred to WS2 of the CCWG-Accountability process. All of the new proposed by-laws have been drafted with certainty upon ICANN's jurisdiction remaining in California. Examples of this include the various references to the California Civil Code in the by-laws and repeated references to entities and structures (such as public benefit corporations) in the fundamental by-laws of the ICANN that can only be found in California.

This would make redundant any discussion in WS2 regarding jurisdiction, since they cannot be implemented without upending the decisions relating to accountability structures made in WS1, and embedded in the by-laws.

CIS suggests an provision expressly be inserted in the by-laws to allow changes to the by-laws in WS2 insofar as matters relating to jurisdiction and other WS2 issues are concerned, to make it clear that there is a shared understanding that WS2 decisions on jurisdiction are not meant to be redundant.

Jurisdiction of the Post-Transition IANA Authority (PTI)

The structure of the by-laws and the nature of the PTI in Article 16 make its Californian jurisdiction integral to the very organisation as a whole and control all its operations, rights and obligations. This is so despite this issue not having been included in the CWG report (except for footnote 59 in the CWG report, and as a requirement proposed by ICANN’s lawyers, to be negotiated with PTI’s lawyers, in Annex S of the CWG report). The U.S. government’s requirement that the IANA Functions Operator be a U.S.-based body is a requirement that has historically been a cause for concern amongst civil society and governments. Keeping this requirement in the form of a fundamental by-law is antithetical to the very idea of internationalizing ICANN, and is not something that can be addressed in Work Stream 2.

CIS expressed its disagreement with the inclusion of the U.S-jurisdiction requirement in Annex S in its comments to the ICG. Nothing in the main text of the CWG or ICG recommendations actually necessitate Californian jurisdiction for the PTI. Thus, clearly the draft by-laws include this as a fundamental by-law despite it not having achieved any form of documented consensus in any prior process. This being a fundamental by-law would make shifting the PTI’s registered and principal office almost impossible once the by-laws are passed.

No reasoning or discussion has been provided to justify the structure, location and legal nature of the PTI. The fact that the revenue structure, by-laws and other details have not even been hinted at in the current document, indicate that the true rights and obligations of PTI have been left at the sole discretion of the ICANN while simultaneously granting it fundamental by-law protection. This is not only deeply problematic on front of delegation of excessive responsibility for a key ICANN function without due oversight but also leads to situation where the community is agreeing to be bound to a body whose fundamental details have not even been created yet, and yet is a fundamental by-law.

CIS would therefore suggest that the PTI related clauses in the by-laws be solely those on which existing global Internet community consensus can be shown, and the PTI’s jurisdiction is not something on which such consensus can be shown to exist. Therefore the by-laws should be rewritten to make them agnostic to PTI’s jurisdiction. Further, CIS suggests that the law firm appointed for PTI be non-American, since U.S.-based law firms capable law firms in Brazil, France, and India.

We would also like to note that we have previously proposed that PTI’s registered office and ICANN’s registered office be in different jurisdictions to increase jurisdictional resilience against governmental and court-based actions.

Grandfathering Agreements Clause

A fair amount of discussion has taken place both in the CCWG mailing list about Section 1.1 (d)(ii), which concerns the inclusion of certain agreements into the scope of protection granted to ICANN from its Mission and Objective statement goals. CIS largely agrees with the positions taken by the IAB and CCWG in their comments of demanding the removal of parts B, C, D E and F of Section 1.1(d)(ii) as all of these are agreements that were not included in the scope of the CCWG Proposal and a fair few of these agreements (such as the PTI agreement) have not even been created yet. This leads to practical and legal issues for the ICANN as well as the community as it restricts possible accountability and transparency measures that may be taken in the future.
CIS as its suggestion therefore agrees with the IAB and CCWG in this regard and supports the request by them that demand by these grandfathering provisions be removed.

Inspection Rights

Section 22.7 severely limits the transparency of ICANN’s functioning, and we believe it should be amended.

(a) It limits Inspection Requests to Decisional Participants and does not allow for any other interested party to make a request for inspection. While the argument has been made that Californian law requires inspection rights for decisional participants, neither the law nor CCWG’s recommendations require restricting the inspection rights to decisional participants. CIS’s suggestion is to allow for any person in the public to make a request for examination, but to have to declare the nature of the public interest behind requests for non-decisional participants, so that an undue number of requests are not made for the purpose of impairing the operations of the organisation.

(b) The unclear but extremely limited definition of ‘permitted scope’, which does not allow one to question any ‘small or isolated aspect’ of ICANN’s functioning, where there is no explicit definition of what constitutes the scope of matters relevant to operation of ICANN as a whole, leaving a loophole for potential exploitation. CIS suggests the removal of this statement and to allow only for limitations listed in Section 22.7 (b) for Inspection Requests.

(3) There is no hard deadline provided for the information to be made available to the querying body, thus allowing for inordinate delays on the part of the ICANN, which is open to abuse. CIS suggests the removal of the clause ‘or as soon as reasonably practicable thereafter’ in this section.

(4) The need for insisting that the material be used only for restricted purposes. CIS suggests that as a step towards ICANN’s transparency, it is essential that they allow the use of the information for any reason deemed necessary by the person demanding inspection. There is no clear reason to require restriction to EC proceedings for non-confidential material. This requirement should be removed.

Work Stream 2 Topics

Section 27.2, which covers necessary topics for WS2, currently does not include key aspects such as PTI documents, jurisdictional issues, etc. In this light, we suggest that they be included and a clause be inserted to indicate that this list of topics is indicative and the CCWG can expand the scope of items to be worked on in WS2 as well as make changes to work completed in WS1 (such as these by-laws) to meet WS2 needs as well.

FOI-HR

Section 27.3 (a) requires the FOI-HR to be approved by "(ii) each of the CCWG-Accountability’s chartering organizations..” which is inconsistent with the CCWG proposal that forms the basis for these by-laws. The requirement of formal approval from every Chartering Organisation in the current draft is inconsistent with Annex 6 of the CCWG proposal, that has no such requirement.

CIS strongly advocates for a change in the bylaw text to align with the intent of the CCWG Accountability report, and to reflect that the process of developing the FOI-HR shall follow the same procedure as Work Stream 1.

Contracts with ICANN

Section 27.5 currently states that “Notwithstanding the adoption or effectiveness of the New by-laws, all agreements, including employment and consulting agreements, entered by ICANN shall continue in effect according to their terms.”

As the section currently stands, there is a possibility that prior to the creation of by-laws, agreements that may be in contravention of the by-laws may be brought forth intentionally before the commencement of the operation of ICANN’s Mission statement in the said by-laws. The clause may be updated as follows to avoid this —

“Notwithstanding the adoption or effectiveness of the New by-laws, all agreements, including employment and consulting agreements, entered by ICANN shall continue in effect according to their terms, provided that they are in accordance with ICANN’s Mission Statement.”

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-draft-new-icann-bylaws

CPRsouth 2016 – Young Scholars Programme

praskrishna — 2016-05-30T02:01:21Z

Rohini Lakshané, Amber Sinha and Vidushi Marda have been selected to attend the two-day Young Scholars' Programme to be held in Zanzibar, Tanzania in early September this year. The programme is a part of the CPRSouth conference.

Read the original announcement published by CPRSouth here.

Following highly successful joint Afro-Asian CPR conferences in Mauritius in 2012, and India in 2013, CPRafrica and CPRsouth formally merged under the banner of CPRsouth in 2014. Since then, CPRsouth has hosted conferences in the Cradle of Humankind in South Africa (2014), and at the Innovation Center for Big Data and Digital Convergence at Yuan Ze University, Taiwan (2015).

This year’s conference is co-hosted by COSTECH and TCRA in Zanzibar, and will include sessions on cutting-edge developments on ICT policy and regulation in the South and discussion of the research-policy interface.

30 Young Scholars from Africa and the Asia-Pacific region will be selected to participate in a tutorial programme taught by recognised scholars and practitioners from Africa and Asia, and they will attend the main conference thereafter.

Tutorials are scheduled to be held on the 6^th and 7^th of September 2016, prior to the main CPRsouth conference.

Who will qualify?

Masters/PhD students in Economics, Public policy, Communications and Journalism
Officers of government/regulatory agencies undertaking ICT policy research, developing/gathering indicators (monitoring and evaluation)
Staff of private companies in the communication industries working in regulatory affairs
Officers in NGOs/INGOs working in policy and regulation
Researchers from think tanks, university research centres
Journalists covering communication public policy and regulation

Seminar

The seminar will cover a number of topics of the two days, such as:

policy analysis using supply-side or demand-side data;
ICT impact analysis;
convergence, net neutrality;
funding broadband network extension, open access networks, spectrum;
sector and competition regulation;
research to policy interventions;
Internet governance – privacy, surveillance, human rights online; and
introduction to big data, open data.

(2016 tutorial programme still to be confirmed)

Previous tutorial presentations can be accessed at http://www.cprsouth.org/

Application deadline: 22 April 2016

Application guidelines

Applications should be submitted via this link by 22 April 2016, and must contain the following:

one-page curriculum vitae; and
one-page write-up outlining why you wish to become an African or Asia-Pacific based expert capable of contributing to ICT related policy and regulatory reform in the region

Applicants’ write-ups and biographies should be in a single word document, and named: CPRsouth2016_YoungScholar_ApplicantLastName.

Kindly note: Late applications and applications that do not conform to the prescribed format above will automatically be disqualified.

Review Criteria

Applications will be reviewed according to the following criteria:

content of application;
evidence of interest in, and commitment to, policy-relevant research for Africa or the Asia-Pacific region;
quality of writing; and
gender and country representation

The selection committee may contact your supervisor or mentor before making the final selections.

Candidates selected to participate in the tutorial programme must:

provide a one-page research proposal upon acceptance onto the tutorial programme
participate in all tutorial sessions
participate in the entire CPRsouth 2016 conference

Funding

Selected young scholars who are passport holders of, and travelling from, low and middle income countries within the Asia Pacific and Africa (as classified by the World Bank http://data.worldbank.org/about/country-classifications/country-and-lending-groups#Low_income) will be provided with:

lowest-cost economy airfare to conference destination (less USD 150 registration fee);
ground transfers between the conference venue and airport; and
twin sharing accommodation on bed and breakfast basis, 5 lunches and 1 dinner for the duration of the conference and tutorials (6 – 10 September 2016). Not all meals are covered.

The registration fee for young scholars to attend the conference and tutorials is USD150, and airfares will be reimbursed less this registration fee. Participants will be required to cover:

transport to and from airports in their home countries;
visa fees (if any);
meals not provided; and
any other incidental costs

As the registration fee is so low and should be met personally even if there is no institutional support for attendance of the course and conference, please note that only under exceptional circumstances of extreme financial hardship may the organisers consider a waiver of the conference registration fee. Such waivers will be considered on a case-by-case basis and only where a scholar would otherwise be prevented from attending the YS programme and conference.

Visas

Letters of invitation will be provided for purposes of visa applications after participant selections have been made. Participants are responsible for securing their own visas to enter Tanzania, and are strongly advised to initiate visa approval procedures immediately on receipt of confirmation of their participation.

Kindly direct all enquiries to Ondine Bello: admin@researchictafrica.net orinfo@CPRsouth.org

For more details visit https://cis-india.org/internet-governance/news/cprsouth-2016-2013-young-scholars-programme

Internet L@w

praskrishna — 2016-05-30T02:07:00Z

Vanya Rakesh will attend the Internet law course organized by the University of Geneva from 20 June 2016 to 1 July 2016 as part of the Geneva Summer School.

Study Internet Law in Geneva, where the World Wide Web was born!

Topics that will be covered include cybersecurity, digital privacy and online surveillance, free speech, consumer protection, legal issues of social media, dangers of cloud computing, Internet and telecom infrastructure, intellectual property, antitrust, and much more...

This is a unique opportunity to gain hands-on experience in the framework of an Internet law clinic and to discuss cutting edge Internet law and policy issues with academics, practitioners, representatives of global policy makers, international organizations and leading institutions, including the Berkman Center for Internet and Society at Harvard University, the International Telecommunication Union (ITU) and the World Intellectual Property Organization (WIPO).

For its first and second sessions (in June 2014 and 2015), the Internet l@w summer school welcomed participants from very diverse background and countries including Argentina, China, Egypt, Germany, India, Italy, Lithuania, Ukraine and the US.

Discover an international city in the heart of Europe. Participate in an exciting social programme, including excursions and social gatherings, and build a global network of new friends as well as of Internet law and policy experts.

A video testimony of participants to the 2014 edition is available here!

Equivalence of 6 ECTS credits.

Please note: Changes to the draft program may be made at any time prior to the start of the course.

More Info, click here.

For more details visit https://cis-india.org/internet-governance/news/internet-l-w

Criminal Defamation and the Supreme Court’s Loss of Reputation

bhairav — 2016-06-03T03:05:14Z

The Supreme Court’s refusal, in Subramanian Swamy v. Union of India, to strike down the anachronistic colonial offence of criminal defamation is wrong. Criminalising defamation serves no legitimate public purpose; the vehicle of criminalisation – sections 499 and 500 of the Indian Penal Code, 1860 (IPC) – is unconstitutional; and the court’s reasoning is woolly at best.

The article was published in the Wire on May 14, 2016.

Politics and censorship

Two kinds of defamation actions have emerged to capture popular attention. First, political interests have adopted defamation law to settle scores and engage in performative posturing for their constituents. And, second, powerful entities such as large corporations have exploited weaknesses in defamation law to threaten, harass, and intimidate journalists and critics.

The former phenomenon is not new. Colonial India saw an explosion of litigation as traditional legal structures were swept away and native disputes successfully migrated to the colonial courts. These included politically-motivated defamation actions that had little to do with protecting reputations. In fact, defamation litigation has long become an extension of politics, in many cases a new front for political manoeuvring.

The latter type of defamation action is far more sinister. Powerful elites, both individuals and corporations, have cynically misused the law of defamation to silence criticism and chill the free press. By filing excessive and often unfounded complaints that are dispersed across the country, which threaten journalists with imprisonment, powerful elites frighten journalists into submission and vindictively hound those who refuse to back down. Such actions are called Strategic Lawsuits against Public Participation (SLAPPs) which Rajeev Dhavan warns have created a new system of censorship.

Petitions and politicians

Defamation originates from the concept of scandalum magnatum – the slander of great men – which protected the reputations of aristocrats. The crime was linked to sedition, so insulting a lord was akin to treason. In today’s neo-feudal India, political leaders are contemporary aristocrats. Investigating them can invite devastating consequences, even death. Most of the time, they retaliate through defamation law. Since the criminal justice system is most compromised at its base, where the police and magistrates directly interact with people, the misuse of criminal defamation law hurts ordinary citizens.

This is different from politicians prosecuting each other since they rarely, if ever, suffer punishment. Of all the petitions before the Supreme Court concerning the decriminalisation of defamation, the three that received the most news coverage were those of Subramanian Swamy, Rahul Gandhi, and Arvind Kejriwal. They are all politicians, their petitions were made in response to defamation complaints filed by rival politicians. On the other hand, there are numerous cases which politicians have filed against private members of civil society to silence them. When presented with these concerns, the Supreme Court simply failed to seriously engage with them.

The architecture of defamation

Defamation has many species, a convoluted history, and complex defences. Defamation can be committed by the spoken word, which is slander, or the written word, which is libel. The historical distinction between these two modes of defamation is based on the permanence of written words. Before the invention of the printing press, the law was chiefly concerned with slander. But as written ideas proliferated through mass publication technologies, libel came to be viewed as more malevolent and the law visited serious punishments on writers and publishers.

Such a distinction presumes a literate readership. In largely illiterate societies, the spoken word was more potent. This is why films and radio have long attracted censorship and state control in India. Before mass publishing forked defamation into libel and slander, there existed only the historical crime of libel. Historical libel had four species: seditious libel, blasphemous libel, obscene libel, and defamatory libel.

Seditious libel, which has been repealed in Britain, prospers in India as the offence of sedition which is criminalised by section 124A of the IPC. Blasphemous libel, repealed in Britain, fares well in India as the offence of blasphemy under section 295A of the IPC. Obscene libel, as the offence of obscenity, is criminalised by section 294 of the IPC. And defamatory libel, repealed in Britain, which is the offence of criminal defamation that the Subramanian Swamy case upheld, continues to exist under section 499 of the IPC.

Confusing harms

Of the many errors that litter the Supreme Court’s May 13, 2016 judgment in the Subramanian Swamy case, perhaps the most egregious is the failure to recognise the harm that criminal defamation poses to a healthy civil society in a free democracy. At the crux of this mistake is the Supreme Court’s failure to distinguish between private injury and social harm. Two people may, in their private capacities, litigate a civil suit to recover damages if one feels the other has injured her reputation. This private action of defamation was not in issue before the court.

On the other hand, by criminalising defamation, why should the state protect the reputations of individuals while expending public resources to do so? This goes to the concept of crime. When an action is serious enough to harm society it is criminalised. Rape strikes at the root of public safety, human dignity, equality, and peace, so it is a crime. A breach of contract only injures the party who was expecting the performance of contractual duties; it does not harm society, so it is not a crime. Similarly, a loss of reputation, which is by itself difficult to quantify, does no harm to society and so it should not be a crime.

Truth and the public good

It may be argued, and the Supreme Court hints, that at its fundament, society is premised on the need for truth; so lies should be penalised. This is where defamation law wanders into moral policing. In Indian and European philosophies, truth is consecrated as a moral good. The Supreme Court quotes from the Bhagavad Gita on the virtue of truth. But while quotes like these are undoubtedly meaningful, they have no utility in a constitutional challenge. In reality, society is composed of truth, lies, untruths, half-truths, rumour, satire, and a lot more. In fact, the more shades of opinion there are, the livelier that society is. So lies should not invite criminal liability.

If we concede the moral debate and arrive at a consensus that the law must privilege truth over lies, then truth alone should be a complete defence to defamation. If the law criminalises untruth, then it must sanctify truth. That means when tried for the crime of defamation, a journalist must be acquitted if her writing is true. But the law and the Supreme Court require more. In addition to proving the truth, the journalist must prove that her writing serves the public good. So speaking truth is illegal if it does not serve the public good.

In fact, truth has only recently been recognised as a defence to defamation, albeit not a complete defence. This belies the social foundations of criminal defamation law. The purpose of the offence is not to uphold truth, it is to protect the reputations of the powerful. But what is reputation? The Supreme Court spends 25 pages trying to answer this question with no success. Instead, the court declares that reputation is protected by the right to life guaranteed by Article 21 of the Indian Constitution but it offers no sound reasoning to support this claim. The court also fails to explain why the private civil action of defamation is insufficient to protect reputation.

The constitution and constitutionalism

There are two core constitutional questions posed by the Subramanian Swamy case. They are:

Does the crime of defamation fall within one of the nine grounds listed in Article 19(2) of the constitution; and
Are sections 499 and 500 of the IPC which criminalise and punish defamation reasonable restrictions on the right to free speech?

Article 19(2) contains nine grounds in the interests of which a law may reasonably restrict the right to free speech. Defamation is one of the nine grounds, but the provision is silent as to which type of defamation, civil or criminal, it considers. However, B.R. Ambedkar’s comments in the Constituent Assembly arguably indicate that criminal defamation was intended to be a ground to restrict free speech.

The answer to the second question lies in measuring the reasonableness of the restriction criminal defamation places on free speech. If the restriction is proportionate to the social harm caused by defamation, then it is reasonable. However, restating an earlier point, criminalising defamation serves no legitimate public purpose because society is unconcerned with the reputations of a few individuals. Even if society is concerned with private reputations, the private civil action of defamation is more than sufficient to protect private interests. Further, the danger that current criminal defamation law poses to India’s free speech environment is considerable. Dhavan says: “Defamation cases [are] a weapon by which the rich and powerful silence their critics and censor a democracy.”

The Subramanian Swamy case highlights several worrying trends in India’s constitutional jurisprudence. The judgment is delivered by one judge speaking for a bench of two. Such critically significant constitutional challenges cannot be left to the whims of two unelected and unaccountable men. Moreover, from its position as the guarantor of individual freedoms, the Supreme Court appears to be in retreat. This will have far-reaching and negative consequences for India’s citizenry. If the court fails to enhance individual freedoms, what is its constitutional role? The judiciary would do well to stay away from policy mundanities and focus on promoting India’s democratic project, lest it injure its own reputation.

For more details visit https://cis-india.org/internet-governance/blog/criminal-defamation-and-the-supreme-court2019s-loss-of-reputation

Women's Safety? There is an App for That

rohini — 2017-01-10T02:48:34Z

“After locking ourselves in a room for more than 6 days, this is what we came out [sic] with. Join us in helping make WOMEN feel SAFE,” read a gloating press release about a smartphone app for women to notify their near ones that they were in distress. It was one among many such PRs frequently landing in my mailbox after the rape and murder of a young student on board a private bus in Delhi in 2012.

The article by Rohini Lakshané was published in Gender IT.org on May 19, 2016. This was also mirrored by Feminism in India on January 9, 2017.

The incident had spurred protests across the country and made international headlines. Along with all this came a slew of new “women’s safety” apps. Existing ones, many of which had fizzled out, were conveniently relaunched. My own experience of user-testing such apps in India back then was that they were unreliable at best and dangerously counterproductive at worst. Some of them were endorsed by governments and celebrities and ended up being glorified despite their flaws, their technical and systemic handicaps never acknowledged at all.

There are myriad mobile phone apps meant to be deployed for personal safety, but their basic functioning is more or less the same: the user activates the app (by pressing a button, shaking the device or similar cue), which sends a distress message containing the users’ location to pre-defined contacts. Some apps include additional artefacts such as a short audio or video recording of the situation. Some others augment this mechanism by alerting the police and other agencies best placed to respond to the emergency. For example, the Companion app for students living on campus notifies the university along with police. The SOS buttons in taxi-hailing apps such as Uber enable the user’s contacts to follow the cab’s GPS trail and notify them and the cab company’s “incident response team” of emergencies. Apps such as Kitestring would treat the lack of the user’s response within a time-window as the trigger for a distress message. All their technical wizardry perhaps makes it easy to lose sight of the fact that technology is not a saviour but a tool or an enabler, that technology alone cannot be the panacea of a problem that is deeply complex and, in reality, rooted in society and governance.

The Indian government announced last month that every phone sold in the country from January 2017 should be equipped with a panic button that sends distress flares to the police and a trusted set of contacts. Nearly half the phones sold in India cost USD 100 or less. Prices are kept so low by sacrificing features and the quality of the hardware; there are a lot of phones with substandard GPS modules, poor touchscreens, slow processors, bad cameras, tiny memory, and dismal battery life. They run on different versions of different operating systems, some of them outdated. All of these factors would determine if someone is able to use the app at all and how quickly they and their phone would be able to respond to an emergency. Additionally, mobile phone signals become thin or shaky in areas with a high number of users and buildings located cheek-by-jowl. Even when the mobile hardware is good and the mobile signal usable, GPS accuracy can be spotty and constant location tracking would hog battery. These issues would affect the efficacy of any app. Besides, there is too much uncertainty for an app developer to factor in. (Two years ago, I learnt about an app called Pukar, then operational in collaboration with police departments in four cities in India. Pukar solved the problem of potential inaccuracy of the GPS location by getting the user’s contacts to tell the police where the person in distress might be.) Designing a one-size-fits-all safety app is almost impossible. The app that rings a loud alarm when triggered may save someone’s life or spoil the chances of someone who is trying to get help while hiding. Different people may be vulnerable to different kinds of distress situations and an app can at best be optimised for some target user groups.

An app that does not work in tandem with existing machinery for law enforcement and public safety is a bad idea.

In the end, the “technical” problems may actually be problems of economic disparity. Making it mandatory for people to own phones equipped with certain hardware or requiring them to upgrade to more reliable devices would drive the phones out of the financial reach of many. Indian manufacturers have expressed concerns that the proposed panic button would raise costs for them as well the end buyers. Popularising a downloadable app and informing its target users how to install and work it correctly needs a marketing blitzkrieg, which is something only the state or well-funded developers can afford. The New Delhi police department runs a dedicated control room for reports arriving from its safety app, Himmat (the word for courage in many Indian languages). It’s an expensive affair.

An app that does not work in tandem with existing machinery for law enforcement and public safety is a bad idea. It puts the onus of “keeping women safe” on members of their social circles or on intermediaries and private parties such as cab companies, while absolving law enforcement agencies of their failing to provide security. It opens doors to victim blaming in case someone is unable to use the app at the right time in the right way, or if the app fails.

On the contrary, an app that does loop in the police raises concerns about surveillance and protection of data available to the police, which is especially problematic in places such as India where there is no law for privacy or data protection. Alwar, one of the cities where Pukar was implemented, is super-populated with a large geographical area and a high crime rate. Police departments in such places tend to be overworked and understaffed. Without significant policing reforms, it is questionable whether they will be able to respond in time. A sting operation done by two media outlets on 30 senior officials of the New Delhi police department in 2012 showed the cops blaming victims of sexual violence with gay abandon. “If girls don't stay within their boundaries, if they don't wear appropriate clothes, then naturally there is attraction. This attraction makes men aggressive, prompting them to just do it [sexual assault]," reads one of their nuggets. “It's never easy for the victim [to complain to the police]. Everyone is scared of humiliation. Everyone's wary of media and society. In reality, the ones who complain are only those who have turned rape into a business," goes another. An app that lets known people monitor someone’s location also poses the risk of abuse, coercion and surveillance by intimate partners or members of the family.

Unfortunately, there is no app for reforming a morass in law enforcement or dismantling patriarchy.

For more details visit https://cis-india.org/internet-governance/blog/gender-it-rohini-lakshane-may-19-2016-womens-safety-there-is-an-app-for-that