Centre for Internet and Society

WIPO Broadcast Treaty and Webcasting

pranesh — 2011-08-04T04:42:10Z

On Friday, 8 May 2009, at Shastri Bhavan, New Delhi, the Ministry of Information and Broadcasting held a stakeholders' briefing meeting on the Broadcast Treaty that has been on the table at the World Intellectual Property Organisation (WIPO). The purpose of that meeting was to inform the relevant stakeholders of the developments in Geneva, as well as to garner input from them regarding the stance to be adopted by India at the WIPO. Pranesh Prakash from the Centre for Internet and Society participated and made a presentation on webcasting, highlighting the differences between webcasting and broadcasting, and arguing that webcasting should not be part of the WIPO Broadcast Treaty.

First, we wish to applaud the Ministry of Information and Broadcasting for holding this stakeholders' meeting, which is a definite step towards greater transparency, and are grateful for having been invited to provide our input. The meeting was attended by representatives from various government offices and ministries, including the Ministry of Human Resource Development (which administers the Indian Copyright Act), broadcasters, broadcast associations, law firms, and civil society organisations. The Secretary of the Ministry of Information and Broadcasting inaugurated the session by talking of how the Broadcast Treaty involved the assessment and balancing of various interests while keeping 'public interest' foremost. This was followed by Mr. N. P. Nawani, Secretary General of the Indian Broadcasting Foundation (IBF), presenting on the concerns of the broadcasting industry. After this Prof. N. S. Gopalakrishnan, head of the School of Law, Cochin University of Science and Technology, spoke.

Prof. Gopalakrishnan covered many areas of relevance: the concept of broadcasting and the legal rights involved; the scheme of legal protection over broadcast signals and over the content of the signals, and the difference between the two; gaps in the international law covering broadcasting; details of the proposed broadcast treaty; the implications of the broadcast treaty and concerns of the Indian government; and unresolved issues.

Amongst the unresolved issues mentioned by Prof. Gopalakrishnan was that of webcasting and the problems related to that. The discussion below aims to shed some light on some of the problems created by the inclusion of webcasting in the broadcast treaty.

Legal regimes for broadcasting

At the national level, the law governing broadcasting is the Indian Copyright Act, 1957. Broadcasting is covered by many sections of the Indian Copyright Act, including: ss. 2(dd) (definition of "broadcast"), 2(ff) (definition of "communication to the public"), 37 (the section granting a special "broadcast reproduction right"), and 39A (containing exceptions to s.37). At the international level, broadcasting is covered by the Rome Convention, 1960 (which India has signed, but hasn't ratified); the Brussels Convention, 1974 (only pre-broadcast satellite signals); the TRIPS Agreement, 1994 per Article 14 (which doesn't mandate that broadcasting rights be granted directly to the broadcasters); the WIPO Performances and Phonograms Treaty, 1996 (WPPT) in Articles 2(f) and 15; and the proposed WIPO Treaty on the Protection of Broadcasting Organizations ("Broadcast Treaty"). In May 2006, provisions for webcasting were brought back into the Broadcast Treaty as part of the non-mandatory Appendix after having been excised in 2004 owing to protests by many countries on their inclusion. The current draft (SCCR/15/2 rev.) was prepared in September 2006 as an attempt to put together an all-inclusive document (with alternative versions of proposed provisions present in the document), and a diplomatic conference was planned to push the treaty through. In August 2007, WIPO released a 'non-paper' (SCCR/S2/Paper1) and dropped plans for the diplomatic conference, as there was still significant disagreement about the treaty. In November 2008, the WIPO chair released an informal paper (SCCR/17/INF/1), which advocated technological neutrality, and hence, presumably, that webcasting to be covered by the treaty.

Meaning of broadcasting and netcasting

Broadcasting is generally taken to be a point-to-multipoint transmission of audio-visual content. Hence, cable transmissions and Internet/Web transmissions (which are point-to-point) are usually not included when one uses the term "broadcasting". But there is no one common definition of "broadcasting". As things stand in the WIPO Broadcast Treaty, the definition of broadcasting (Art. 5(a)) does not cover cablecasting, which is separately defined in Art. 5(b), neither does it cover webcasting. However, the definition of "retransmission" as provided in the draft treaty is broad enough to cover Internet-based transmission, and hence could provide a backdoor via which webcasting is included. The rights covered by the all-inclusive draft WIPO Broadcast Treaty include the rights of and over: retransmission; communication to the public; fixation; reproduction; distribution; transmission following fixation; making available of fixed broadcasts; and pre-broadcast signals. The treaty also mandates legislative protection to systems of digital rights management (DRM) and technological protection measures (TPMs). This, coupled with post-fixation rights, grants broadcasters the rights to dictate what one can and cannot do with a broadcast, thus negating all fair dealing rights and possibly restricting the public domain as well. It may be noted that even content creators are not provided such rights in the vast majority of the world, and that fair dealing rights are much better safeguarded by copyright law. The latest proposal by the U.S. on the term "netcasting" is to be found in an informal paper presented at SCCR 15 [MS Word document], and has been criticised as overly expansive by civil society organisations such as Consumer Project on Technology (now Knowledge Ecology International).

Non-justifications for webcasting's inclusion

Webcasting is sought to be included within the Broadcast Treaty for a number of reasons, all of which are problematic. Firstly, there is the argument of technology neutrality, which advocates say is to ensure that the treaty is relevant into the future as well. However, adopting technology neutrality as the basis for doing so amounts to wilful blindness to technological advancements, and the benefits that such advancement provides, including lowered costs of infrastructure. Secondly, advocates argue that thanks to media convergence, the same content (which is usually digital) can be delivered through various communication networks. This disregards the need to establish the requirement for a new right to be created, and simply assumes that just because the function that the two (broadcasters and webcasters) perform are similar means that they operate in similar economic and social environments. In fact, webcasters work in a very different environment from broadcasters.

This is an environment where intense innovation and competition already exist, and don't need to be artificially created by means of a new property right in an international treaty. Furthermore, the United States, a country with extremely large and hugely profitable broadcasting networks, does not have a specific statute to protect broadcasters’ rights. Even it only has laws protecting the conditional-access regime. Second, much less investment is required to reach a set number of people through webcasting than through broadcasting -- and these people can be spread throughout the globe. Typically, a computer with a fast internet connection is all that is required. Given this, anyone can become a 'broadcasting organisation'. Additionally, IP addresses (in IPv6) are not limited, unless one considers 340 undecillion addresses to be 'limited'. This is a big difference from terrestrial broadcasting, where Hertzian frequencies are limited, and hence one has to pay a premium for them. Lastly, signal appropriation does not happen for sake of the signal, but for the content. Protection, thus has to be given to the content (and already is given, in the form of copyright law). Copyright owners who object to such appropriation, and who are often large multinational corporations, have proven more than willing to pursue those who appropriate their works – broadcasters are not necessarily in a better position to do so. This situation is aggravated with webcasting. Indeed, on the Web, something akin signal appropriation is not only not frowned upon, but often encouraged: embedding of audio and video from other servers on your own website is prevalent.

Problems if webcasting is included

Apart from the lack of justifications for going ahead with the treaty, especially when it seeks to create a separate property right over signals instead of merely providing for signal protection and includes webcasting (at least upon 'retransmission'), there are many problems that the treaty creates. Firstly, transaction costs will increase vastly, leading to a tragedy of the anticommons where no one ends up using the content because clearing all the surrounding rights is too difficult. On top of clearing and making payment for rights from the copyright holders, a person wishing to use parts of any content that has been broadcast/webcast would have to get the rights cleared from the first broadcaster/webcaster as well. This is inevitable if property-like rights are bestowed upon the act of distributing signal in the form of a broadcast or hosting audio and visual content for webcasting.

Secondly, materials in the public domain and openly-licensed content will become more difficult to gain access to, and the exercise of fair dealings with copyrighted content will be hampered. Since rights over signal are independent of rights over content, a copy of the public-domain work will have to be procured from an archive, which negates the very purpose of broadcasting and webcasting, which is to make content more easily accessible to a large number of people located over great distances. Additionally, limitations and exceptions are extremely difficult to negotiate and are of the 'ceiling' kind, limiting the limitations and exceptions that national legislatures can prescribe. Thus, the fair dealing rights over the signal will probably end up being more limited than the fair dealing rights over content. This makes the situation akin to anti-circumvention measures, which (in countries where they are legally recognised) have fewer limitations and exceptions than the content they protect.

Thirdly, public benefit and access will seriously be harmed. It is conceivable that this treaty might hamper the Indian legislature's ability to pass statutes such as the Sports Broadcasting Signals (Mandatory Sharing with Prasar Bharati) Act, 2007, which mandate sharing of certain kinds of signals. Lawyers will claim that such statutes go against India's international obligations.

Differences between webcasting and broadcasting

To sum up, there are a large number of differences between broadcasting and webcasting.
Infrastructure: The expenditure required to establish the infrastructure for a webcasting unit is much less than that required for an equivalent (in terms of reach in terms of listeners). Even traditional broadcasting is not that expensive: fixed-frequency radio transmission kits have been known to cost as little as Rs. 50 (<http://news.bbc.co.uk/2/hi/south_asia/4735642.stm>. Thus, one of the biggest arguments for protection ('to recover investment') is taken away. The content producers' 'investment' is protected by copyright law.
Competition: Providing incentives to increase competition and hence public benefit is often a reason cited as a reason for introduction of a new property-like right. However, such incentives seem utterly redundant in the online market where becoming a webcasting organisation is trivial, and immense competition already exists.
Broadcasting vs. Uni- and Multicasting: The notion of 'broadcasting' does not exist in IPv6. The closest that a webcaster can come to broadcasting is 'multicasting' to a specific range of IP addresses. What one sees on the Web today is "unicasting", which is initiated by a request from the recipient and not by the webcaster.
Temporal limitations: Unlike traditional broadcasting (which does not include cable), content on demand is possible over the Web. By this, the temporal limitations faced by traditional broadcasting, which is ephemeral, are overcome. This opens up many possibilities that should not be hampered by creating an excessive legal regime (and that too a property regime) over webcasting.
Geographic limitations: While terrestrial broadcasting is limited in geographic scope (which satellite and cable-casting are less susceptible to), webcasting knows no geographic limitations. As long as an Internet connection is present, the content can be viewed anywhere. Additionally, granting a separate webcasting right will open up a jurisdicational can of worms.
Marginal costs of subscribers: While in terrestrial broadcasting, adding an additional receiver does not cost the broadcaster anything, in satellite television (direct-to-home), cable television and webcasting, each additional receiver means either additional infrastructure (cables and set-top boxes) or additional server load. In the case of webcasting, this marginal cost is small enough to ignore, especially given all the other reasons mentioned previously.

Conclusion

There are still a number of uncertainties surrounding the inclusion of webcasting in the Broadcast Treaty. Michael Nelson of the Internet Society points out that questions such as who the broadcaster is in a download grid, in distributed gaming, for webcasts of surveillance videos, etc., are unanswered. As the example of the download grid (a situation where the 'casting' is multipoint-to-point) shows, many Internet-specific scenarios have not been contemplated by the treaty negotiators. Situations which might soon be reality, such as peer-to-peer relaying of webcasts are also not contemplated, and the treaty would become a policy document preventing such technological innovations. Whether IPTV would be included within webcasting is also unclear. The WIPO chair in his informal paper noted, 'Finally, if after consideration of the options above (A/B) and possible other options, it will not in the present situation be possible to decide on the establishment of a new treaty, the SCCR should end these discussions through an express decision in order to avoid further spending of time, energy and resources to no avail. Such a decision could include a timetable for later revisiting and reconsidering the matter.' (SCCR/15/2 rev) SCCR should end these discussions which have gone on for more than a decade without any progress.

For more details visit https://cis-india.org/a2k/blogs/wipo-broadcast-treaty-and-webcasting

Winter School on Privacy, Surveillance and Data Protection

praskrishna — 2015-02-07T00:37:55Z

The Centre for Communication Governance (CCG) in collaboration with the UNESCO Chair on Freedom of Communication and Information at the University of Hamburg and the Hans Bredow conducted a week-long winter school on 'Privacy, Surveillance and Data Protection at National Law University, Delhi, from January 19 to 23, 2015.

The winter school focused on the law governing privacy in the EU and in India and covered issues ranging from surveillance to data protection. German and Indian members of faculty used interactive methods of teaching and group activities in each session, to help students from Germany, India and Israel contribute to the classroom and learn from each other.

Bhairav Acharya was a speaker at the event. He spoke on 'privacy theory'. More information here.

For more details visit https://cis-india.org/internet-governance/news/winter-school-on-privacy-surveillance-data-protection

Will You be Paid to Post a Picture?

nishant — 2014-03-06T11:58:41Z

The wave of free information production on the web is on the wane.

The article was published in the Indian Express on February 18, 2014

The age of volunteerism is officially over. The last decade of the mass adoption of the internet has been fuelled by endless human hours being spent in producing information which is the new currency of our times. The big transition to Web 2.0 began when the individual “user” became more than either an individual or the user. The individual found herself as a part of a collective, finding a voice and a community of others to belong to. Simultaneously, instead of being a passive consumer of the web, the user started producing data — blogs, videos, tweets, content management systems, online discussion boards, massively multiple online role-playing platforms, social network transactions — all of which became a part of the new Web’s widespread popularity.

Almost everything that we understand as the social web today is contingent upon people producing data in their interactions with the world around them. From knowledge producing websites like Wikipedia to entertainment platforms like YouTube, visualisation and data gathering spaces like Pinterest to photographs of self, food and cute animals on Instagram, political and social commentaries on Tumblr to Listicles and memes on Buzzfeed, the internet is a veritable smorgasbord of new information forms, formats and functions that are generated by the users.

What is possibly the most exciting about this burgeoning information universe has been the amount of free labour that goes into it, and often remains invisible. As digital labour scholar Trebor Schulz points out, the internet has become both a factory and a playground, where our leisure time is capitalised into producing work that sustains the new attention and information economies. For instance, the world’s largest social networking site, Facebook, does not produce any of its contents. It is, in fact, a system of information mining and sorting, which works as long as a growing user base continues to produce information on it. Tomorrow, if all of us stop producing Facebook, and only lurk on it, the platform will collapse. Which is why, Facebook continues to acquire new platforms and applications to be integrated into its universe.

Similarly, the real effort that goes into the sustenance of sites like Wikipedia, which has become the de facto reference for global knowledge systems, is carried out by unsung and invisible editors who patiently, meticulously, and without almost any expectation, continue to add, verify, strengthen and curate reliable information that we can use. When the non-profit organisation WikiMedia Foundation prides itself in running one of the least expensive websites in the top 10 most visited sites in the world, it is signalling its deep appreciation for the countless human hours that have made Wikipedia possible.

But, in recent years, there is noticeable stagnation in the wave of free information production on the Web. Oh, don’t get me wrong. We are producing an unprecedented amount of data — we are constantly being watched by surveillance technologies that detect biometric and genetic make-up of all our transactions, or we are inviting people to watch us on social network sites where we reveal some of our deepest secrets and desires, or we are watching ourselves, quantifying everything from things we ate to the number of hours we sleep. And yet, as we live in a world of Big Data, there is a definite decrease in people contributing to production of free information.

As the digital natives move from the web to mobile phones, traditional websites are already facing a crisis. News and media agencies that have celebrated the global citizen media networks have started realising that the individual user is more interested in local networks and information ecologies which are independent of mainstream conglomerates. And people are realising that their time and effort is worth money. They can be easily compensated for their online activities and gain reputation and importance.

The tension only becomes more palpable when people start realising that there are others who are being paid to work on the platforms that they are contributing to. We all knew that this model of depending on free information was not a sustainable one. But it seems the day has arrived, especially with the recent drives on Wikipedia to build specialised knowledge editors. In the last few months, we have seen people in the FemTechNet project — an academic activist feminist project that seeks to remind us of the intersections of feminism and technology in network societies — carry out “Wikistorming”, where students are adding pages of women’s contribution to technologies on Wikipedia. More recently, medicine students at University of Chicago have taken to correcting and adding accurate information to Wikipedia, which is often a source of health information.

Both of these are fantastic efforts to add to the platform that was the underdog that overthrew the mammoth encyclopaedia like The Encyclopaedia Britannica. We hope more specialised users in different locations, fields, disciplines and languages continue to edit and contribute to Wikipedia. However, it is also a signal that the generalist information producer is on the decline. We are transitioning into a new age, where people are going to need rewards, incentives and benefits for performing information transactions on the web. The user is no longer going to be available for free labour, and it is time we started thinking of “paid usership”.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-february-18-2014-nishant-shah-will-you-be-paid-to-post-a-picture

Will Only Legal Backing For Aadhaar Suffice?

praskrishna — 2016-03-16T02:31:52Z

Aadhaar is set to become mandatory, but the opponents of the scheme are not amused. Concerns about privacy of the Aadhaar number and the authenticity of the biometric data being collected have been expressed by people right from the beginning. But the government has not done much to address these issues.

The article was published in New Indian Express on March 14, 2016. Sunil Abraham was quoted.

“It does not matter what legislative backing they give it, it is still a surveillance programme. How can you have a privacy Bill for a surveillance programme? Legislative backing would be band-aid. I do not agree with it,” says Sunil Abraham, Executive Director of The Centre for Internet and Society. The society is a Bengaluru-based organisation looking at multi-disciplinary research and advocacy.

Abraham says that ever since the Aadhaar scheme was implemented, there was a massive degradation of civil liberties. “It is an opaque technology. Why should the government have such a database?” he asks.

Abraham says that the keys to the data should not have rested with the government where it is vulnerable. Instead, the government should have explored the concept of introducing smart cards issued to the citizen with the data stored on it.

Access to this data could not be had without the permission of the citizen, he says. At present, if something goes wrong or if the data is compromised, the government can always blame a lapse in technology, Abraham adds.

He questions the government’s logic where it assumes that only the poor section of society can misuse the benefits and says that it is well known that the problem exists in the supply chain and that the government has done nothing to address this.

Mathew Thomas of The Fifth Estate, an NGO, wonders what advantage the BJP suddenly found that they decided to pursue Aadhaar rather than send it to the trash bin as they had promised before the general elections.

Thomas says Aadhaar is flawed and is a fraud on the Constitution and the government has taken the money bill route simply to avoid a debate on it.

“Just passing a Bill is meaningless. This is radically wrong and we all know that protection of privacy is nonsense. How do they plan to plug the leakages? Have they even conducted a study, because there is no evidence of it. The correct beneficiary can get an LPG cylinder, but what is stopping the person from using it for an auto or for his car? That the government can lie to its own people is terrible,” he says.

A five-judge bench of the Supreme Court, which is hearing the matter on privacy concerns about Aadhaar, is expected to have a hearing by the end of this month.

For more details visit https://cis-india.org/internet-governance/new-indian-express-march-14-2016-will-only-legal-backing-for-aadhaar-suffice

Will Aadhaar Act Address India’s Dire Need For a Privacy Law?

nehaa — 2016-04-05T16:01:06Z

The article was published by Quint on March 31, 2016.

The passage of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (will hereby be referred to as “the Act”) has led to flak for the government from privacy advocates, academia and civil society, to name a few.

To my mind, the opposition deserves its fair share of criticism (lacking so far), for its absolute failure to engage with and act as a check on the government in the passage of the Act, and the events leading up to it.

The government’s introduction of the Act as a ‘money bill’ under Article 110 of the Constitution of India (“this/the Article”) is a mockery of the constitutional process. It renders redundant, the role of the Rajya Sabha as a check on the functioning of the Lower House.

Article 110 limits a ‘money bill’ only to six specific instances: covering tax, the government’s financial obligations and, receipts and payments to and from the Consolidated Fund of India, and, connected matters.

The Act lies well outside the confines of the Article; the government’s action may attract the attention of the courts.

Political One-Upmanship


Finance Minister Arun Jaitley (left) listens to Reserve Bank of India (RBI) Governor Raghuram Rajan. (Photo: Reuters)

In the past, the Supreme Court (“the Court”) has stepped into the domain of the Parliament or the Executive when there was a complete and utter disregard for India’s constitutional scheme. In recent constitutional history, this is perhaps most noticeable in the anti-defection cases, (beginning with Kihoto Hollohan in 1992); and, in the SR Bommai case in 1994, on the imposition of the President’s rule in states.

In hindsight, although India has benefited from the Court’s action in the Bommai and Hollohan cases, it is unlikely that the passage of the Aadhaar Act as a ‘money bill’, reprehensible as it is, meets the threshold required for the Court’s intervention in Parliamentary procedure.

Besides, the manner of its passage, the Act warrants

Censure for its process
Its (in)compatibility with fundamental rights
The failure to incorporate the suggestions of the Yashwant Sinha-led Standing Committee to UPA’s NIDAI Bill
The possibility of surveillance that it presents
The lack of measures to protect personal information
Its inadequate privacy safeguards
The questions around the realisation of its stated purpose.

Instead, a part of the Aadhaar debate has involved political one-upmanship between the Congress and the BJP, pitting the former’s NIDAI Bill against the latter’s Aadhaar Act.

While an academic comparison between the two is welcome, its use as a tool for political supremacy would be laughable, were it not deeply problematic, given the many serious concerns highlighted above.

Better Than UPA Bill?


The Act may have more privacy safeguards than the earlier UPA Bill. (Photo: iStockphoto)

And while the Act may have more privacy safeguards than the earlier UPA Bill, critics have argued that they not up to the international standard, and instead, that they are plagued by opacity.

Additionally, despite claims that the Act is a significant improvement over the UPA Bill, it fails to address concerns, including around the centralised storage of information, that were raised by civil society members and others.

Perhaps most problematically, however, the Act takes away an individual’s control of her own information. Subsidies, government benefits and services are linked to the mandatory possession of an Aadhar number (Section 7 of the Act), effectively negating the ‘freedom’ of voluntary enrollment (Section 3 of the Act). This directly contradicts the recommendations of the Justice AP Shah Committee, before whom the Unique Identification Authority of India had earlier stated that enrollment in Aadhaar was voluntary.

To make matters worse, the individual does not have the authority to correct, modify or alter her information; this lies, instead, with the UIDAI alone (Section 31 of the Act). And the sharing of such personal information does not require a court order in all cases.


Kanhaiya Kumar speaking in JNU on 3 March 2016. (Photo: PTI)

It may be authorised by Executive authorities under the vague, ill-understood concept of ‘national security’, (Section 33(2) of the Act) which the Act does not define. We would do well to learn the dangers of leaving ‘national security’ open to interpretation, in the aftermath of the recent events at JNU.

These recent events around Aadhaar have only underscored the dire urgency for comprehensive privacy legislation in India and, the need to overhaul our data protection laws to meet our constitutional commitments along with international standards.

Meanwhile, constitutional challenges to the Aadhaar scheme are currently pending in the Supreme Court. The Court’s verdict may well decide the future of the Aadhaar Act, with the stage already set for a constitutional challenge to the legislation. The BJP’s victory in this case may be short-lived.

For more details visit https://cis-india.org/internet-governance/blog/the-quint-march-31-2016-nehaa-chaudhari-will-aadhaar-act-address-indias-dire-need-for-a-privacy-law

Widening the Horizons of Surveillance - Lateral Surveillance Mechanisms

Mira Swaminathan & Shubhika Saluja — 2021-01-08T11:01:06Z

This paper sheds light on the issues and challenges associated with lateral surveillance mechanisms.

The pandemic has brought to light several fissures in existing patterns of governance-focussing on governmentality that snatches autonomy from the citizen and enmeshes it within existing power structures. Datafication through the phenomenon of lateral surveillance has been pushed across the globe as a way of combating human challenges in the 21st century, including those brought about by the pandemic.

Lateral surveillance is the act of ‘watching over’. Lateral surveillance differs from typical surveillance as the power dynamic between the one watching and the one being watched is not structural or hierarchical but more decentralized and balanced. The surveillance takes place between individuals themselves, without the involvement of any organizational entity such as the government. Looking back, the initiatives which encouraged lateral surveillance originated in the form of neighbourhood watch schemes and community policing initiatives in the United States and later spread across the world. These neighbourhood watch schemes enabled individuals to become the ‘eyes and ears’ of law enforcement agencies. With the advancements in technology, these neighbourhood watch and community building initiatives have transformed into easily accessible mobile applications, operated by law enforcement agencies or private entities, to mobilize citizens to monitor their surroundings or provide them with information sharing platforms to enable peer to peer or citizen communication. Though they aim to help in reducing the crime rates, improving the quality of life, building community pride and unity, they actually have many negative effects on people. This paper seeks to analyze the societal and legal implications of such technologies and provides recommendations to governments so that citizens’ rights are kept as a bare minimum threshold and not an option in a checklist.

While the essay released in May 2020 focused on the impact of lateral surveillance during COVID’19, this paper focuses largely on the history and evolution of lateral surveillance and the technologisation of the same. This paper also sheds light on the effects of lateral surveillance on the society and the challenges it poses to certain fundamental rights guaranteed under the Constitution.

Read the full paper here.

The research was submitted for review in May 2020 and accepted for publication in June 2020.

For more details visit https://cis-india.org/internet-governance/widening-the-horizons-of-surveillance

Widening the Horizons of Surveillance - Lateral Surveillance Mechanisms

Mira Swaminathan & Shubhika Saluja — 2021-01-08T11:10:55Z

This paper sheds light on the issues and challenges associated with lateral surveillance mechanisms.

Read the full paper here.

The research was submitted for review in May 2020 and accepted for publication in June 2020.

For more details visit https://cis-india.org/internet-governance/blog/widening-the-horizons-of-surveillance-lateral-surveillance-mechanisms

Why We Should All Worry About The Mandatory Imposition Of Aadhaar

praskrishna — 2017-03-27T15:02:10Z

It appears that with each passing day, the government is linking an increasing number of benefits and government services to the 12-digit biometric-based Aadhaar number for Indians, despite growing concerns around its data privacy and security.

The article by Rimin Dutt and Ivan Mehta was published by Huffington Post on March 24, 2017. Sunil Abraham was quoted.

Aadhaar, which collects among other information, citizens' iris scans and fingerprints and stores them into a centralised database for a prolonged time with only loose guidelines and no pre-existing laws to ensure the privacy of that data, is now linked to no less than 38 government schemes, including the government's latest directive –- that Aadhaar become mandatory for tax filing and securing PAN numbers -- introduced by Finance Minister Arun Jaitley earlier this week.

Jaitley openly admitted on Wednesday in the Parliament that the government, in effect, would be forcing people to get Aadhaar in an effort to increase tax compliance.

Aadhaar's use, by no means, is restricted to government agencies alone. A growing number of private financial institutions are now fulfilling their "Know Your Customer" or e-KYC formalities by making Aadhaar compulsory. The government is also in the process of making Aadhaar the basis of all financial transactions.

While the timing of the government's aggressive push of Aadhaar, in itself, is raising eyebrows among political observers, there are some serious concerns about this unique experiment that deserve stronger scrutiny.

Why disregard the Supreme Court?

In making Aadhaar mandatory for filing taxes and securing core taxpayer identity, the government has openly gone against a Supreme Court order from last year that explicitly stated that the Aadhaar Card scheme is "purely voluntary" and cannot be made mandatory until the court has decided on this.

The government has defended its move, saying it is allowed to do so under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.

However, as Gopal Krishna, a member of the Citizens Forum for Civil Liberties, writes in Business Today, the passage of the Act by the Parliament "does not automatically imply that any agency can make UID/Aadhaar compulsory disregarding the Supreme Court's orders."

According to Krishna, in doing so, the government is "clearly stepping beyond" the mandate of the Aadhaar Act, and also acting in contempt of the Parliament, according to him.

In addition, if tax evasion was the driving factor behind the move, it begs the question — wouldn't forcing people to get Aadhaar actually do the opposite by adding another layer of hassle?

Indeed, tax experts have noted how this requirement may hinder tax collection. Archit Gupta, Founder & CEO ClearTax.com, a tax service provider told HuffPost India, "The [Aadhaar] announcement is likely to be a dampener to tax filers, specially first-timers ... FY 2016-17 filing is expected to see a large number of first-time filers due to demonetisation efforts, and this move may make them more guarded."

Why not strengthen PAN?

The government already has an extensive mandate for the Permanent Account Number (PAN) cards, which are required to validate several important services or for undertaking transactions such as buying and selling property or jewellery worth over ₹2 lakhs. Last year, the government, in fact, said that the National Pension System (NPS) scheme would accept PAN cards over Aadhaar cards to validate new customers.

On Wednesday, however, Jaitley said PAN cards have been misused by certain people to evade taxes, and there are reports that Aadhaar may become the ultimate authenticating document. However, the continued and growing use of PAN along with Aadhaar adds an extra layer of formalities for citizens to access government services, which are their constitutionally guaranteed rights.

How safe is Aadhaar anyway?

Depending on who you talk to, the safety concerns of Aadhaar come up as a pressing issue, especially in the wake of a recent security incident when the Unique Identification Authority of India initiated police action against entities associated with Axis Bank including Suvidhaa Infoserve and e-sign provider eMudhra, which had allegedly engaged in unauthorised authentication and impersonation by illegally storing Aadhaar biometrics.

Earlier this month, in a separate incident, security researcher Srinivas Kodali warned Indian authorities of a website that was leaking Aadhaar demographic data of over five lakh minors, as well as the existence several parallel databases that had key identification data linked to Aadhaar, Scroll reported.

In the absence of any privacy laws in India, these security concerns have assumed even greater significance.

UIDAI, the authority behind Aadhaar, has maintained the technology behind Aadhaar is robust and that it uses advanced encryption to transmit and store data. It specifically denied that any breach of centralised data took place in the Axis Bank incident, saying the case was an isolated incident.

However, in a rather ironic twist in the Aadhaar Act, which itself contains no provisions to address privacy concerns, any legal action against any misuse or theft of Aadhaar data can only be initiated by UIDAI, leaving citizens with no legal recourse should a breach occur.

That represents an obvious conflict of interest as it gives exclusive power to the very authority that is responsible for the security and confidentiality of identity information and authentication records, PRS Legislative Research, has noted.

In addition, the controversial Aadhaar Act contains several other inherent dangers such as the potential to profile citizens based on the linking of other databases with Aadhaar by studying patterns of behaviour.

"Techniques such as running computer programmes across datasets for pattern recognition can be used for various purposes such as detecting potential illegal activities...However, these can also lead to harassment of innocent individuals who get identified incorrectly as potential threats," noted PRS Legislative.

There are currently no safeguards to prevent inappropriate profiling, instances of which could increase as more and more private organisations link their data to Aadhaar, and potentially exploit data for commercial purposes without the consent of citizens.

The US, in comparison, has laws in place that require agencies that collects data to submit an annual report to US Congress on all such data mining activities.

Other unresolved concerns

There are several other concerns related to the widespread use of Aadhaar card and the power it is afforded under the Aadhar act. The act allows UIDAI to collect biometric information beyond iris and fingerprint scans, for example, to include other bio-data such as DNA, noted PRS.

The act also allows private agencies to use Aadhaar, which contradicts an earlier stated objective of the scheme that sought to restrict the use of Aadhaar for only government expenditures.

"It allows private persons to use Aadhaar as a proof of identity for any purpose. This provision will enable private entities such as, airline, telecom, insurance, real estate etc. companies, to require Aadhaar as a proof of identity for availing their services," PRS has noted.

There's also the worrying prospect of Aadhaar being used as a surveillance tool by the government, instead of an e-governance technology, Sunil Abraham, executive director of research organisation, Centre for Internet and Society, told the The Hindu Business Line, adding biometrics only make citizens transparent to the state and not the state transparent to citizens.

"We warned the government six years ago, but they ignored us," said Abraham.

Krishna has a more dire warning: "The JAM Trinity -- Jan Dhan Yojana, Aadhaar and mobile numbers -- may well be a fish bait to trap unsuspecting citizens into the world's biggest transnational biometric database to turn them into subjects under surveillance forever in the name of a set of welfare and anti-poverty policies.

What has been done to address the security concerns?

It is unclear what the government or UIDAI may have done in the wake of the security incident to upgrade its systems. According to an expert HuffPost Post India talked to, many third party apps that are using Aadhar data may not be screened or audited for security, which is a huge worry.

Kodali told HuffPost India that Aadhaar has potential design issues when it comes to information security.

"By design it allows anyone store information of the Aadhaar holder through [application programming interface]. This is creating many parallel databases with Aadhaar as a key," he said.

He notes that security is an afterthought for many institutions and companies.

"UIDAI and the architects of Aadhaar do not accept that data can be a liability instead of an asset," he said. "The mandatory nature of Aadhaar without the right infrastructure and skilled workforce is not just a cyber security issue, but a national security issue."

When will India get privacy laws?

No one quite knows. But there's a growing call for a need for strict privacy laws, given the move towards digital financial transactions and growing e-commerce use. Most advanced economies including the US, the UK, France, Australia and New Zealand have enacted privacy laws.

However, in India, the right to privacy still doesn't exist despite it being recognised by even the UN charter of human rights. Article 12 of the Universal Declaration of Human Rights states, "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

The potential for cyber criminals to misuse citizen data isn't lost on even prominent IT industry experts.

Recently, the chief of IT industry body Nasscom R Chandrashekhar told PTI that personal data of online consumers can never be fully secure, emphasising the need for strict consumer protection laws. "More than 3 million credit card data details were misused recently. Let us face it, these kind of security breaches will take place. There is nothing called fully perfect security in IT," he said.

To be sure, Aadhaar has been lauded by several prominent experts and economists, and it is, undoubtedly, an ambitious project to potentially aid financial inclusion for a large population that has historically been outside of a formal financial services net. India also has one of the lowest tax compliance rates, making tax collection a priority for the government.

Recently, Paul Romer, World Bank's chief economist told Bloomberg, "The system in India is the most sophisticated that I've seen ... It's the basis for all kinds of connections that involve things like financial transactions. It could be good for the world if this became widely adopted."

But given the sensitivity of citizen biometrics data and potential for misuse, the government ought to be held accountable for its proper use and ensure enough safeguards are put in place before its imposition on each citizen.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-rimin-dutt-ivan-mehta-march-24-2017-why-we-should-all-worry-about-the-mandatory-imposition-of-aadhaar

Why The New Government Policy Mandating Panic Buttons On Phones Isn’t Going To Protect Women

praskrishna — 2016-05-15T09:45:36Z

Recently, the Union Minister for Communications and Information Technology Mr Ravi Shankar Prasad tweeted about new rules mandating a panic button in every cell phone sold in the country from January 2017. To keep ladies safe, of course.

The story by Madhura Kadaba was published in the Ladies Finger on May 14, 2016. Rohini Lakshané was quoted.

According to a statement released by the Telecommunications Ministry, the panic button will be activated by pressing a designated button on a smartphone or by holding down both ‘5’ and ‘9’ keys on a basic phone. Pressing the panic button is expected to alert police and designated friends or relatives, similar to apps launched previously by police departments like Himmat.

It followed remarks from the Union Minister for Women and Child Development, Ms Maneka Gandhi, in the Lok Sabha in December 2015. “Every cell phone will have an in-built panic button. Now, all new cell phones will be made with panic buttons. But in case of all old cell phones, you can go to the person who owns the company or the dealer and they will adjust it for you. If a woman is in trouble, she can just press the button on the cell phone and she will immediately get help.”

Two days later, reacting to concerns that the mandate could increase mobile phone costs, Mr Ravi Shankar Prasad said, “Manufacturers… have given their support. My expectation is that they will render their support in social justice and women security.”

After a point, it almost becomes a farce — the government’s continuous search for grand, one-stop solutions to dealing with sexual violence. We had the vast coffers of the Nirbhaya fund, which went nowhere. It had tech solutions coming out of its 1000-crore ears. It included plans for setting up control rooms in 114 cities within 9 months back in 2014 and surveillance cameras in all public transport vehicles including autos! Who was going to be watching the feed of these cameras, if ever by some vast change in the face of humanity such a thing happened, you may wonder? Or as journalist Revati Laul wrote, “Given that police stations across the country are short staffed, given how many of them cannot even afford paper to file a first information report (FIR) or fuel for the police personnel’s motorbike, just how will the appearance of these control rooms change that? How will switchboards help if police stations in even big cities like Varanasi have too few vehicles to cater to the existing load of emergencies they have to deal with?” But hush, don’t interrupt when Daddy is talking.

Recently, we published an investigation into the one-stop centres promised by the Nirbhaya fund. These centres are supposed to provide services like assistance in lodging FIRs, medical assistance for medical examinations, and therapy. On paper, Delhi is supposed to have 6. Good luck locating them because they don’t exist. Most of the staff of the hospitals where the centers were to be located were clueless about the program.

But perhaps we should forget the tiresome past and move to the shiny button-filled future. We asked Rohini Lakshane, a technology expert and Program Officer at the Centre for Internet and Society what she thought of panic buttons. Recently she reviewed a bunch of personal safety apps geared toward women and was very unimpressed. About the government’s new plan, she said, “GPS accuracy in India can sometimes be patchy and not very accurate, and continuous location tracking drains the battery, something that could be problematic for people with phones that do not have good GPS hardware or a long battery life.” Lakshane added, “The app would also enable tracking by family members, which can increase the chance of intimate partner abuse and violence. There have been instances in which apps that provide real-time location or periodic updates of the location of a person to a contact have enabled abuse by intimate partners or by members of the family.” In short, you are unlikely to get the help you need in case of stranger danger and continue to face whatever oppression you maybe facing from your ‘loved ones’.

Which brings us to the biggest problem with panic buttons, the idea that what Indian women should live in fear of scary strangers outside the house.

The story by Madhura Kadaba was published in The Ladies Finger on May 14, 2016. Rohini Lakshane was quoted. The story by Madhura Kadaba was published in the Ladies Finger on May 14, 2016. Rohini Lakshane was quoted.

In fact, carefully conducted research shows over and over again that Indian women are most likely to face violence from their families, within their homes. The Mumbai programme RAHAT’s report shows that 91 percent of the accused in reported cases of rape were by known persons. Add on the fact if you have even a fleeting acquaintance with a man who attacks you the police are additionally reluctant to do anything.

Not that the police like to file complaints if you have been raped by a stranger. That way they are quite equal opportunity about ignoring complaints.

Perhaps we should have a panic button in our phones after all. A daily reminder that you should fear rape, in case for a moment you had decided to stop worrying. A daily reminder that if you do get raped you must remember to press a button that goes nowhere. A great metaphor for how we deal with victims of sexual violence in India.

For more details visit https://cis-india.org/internet-governance/news/why-the-new-government-policy-mandating-panic-buttons-on-phones-isn2019t-going-to-protect-women

Why NPCI and Facebook need urgent regulatory attention

sunil — 2018-06-12T02:07:42Z

The world’s oldest networked infrastructure, money, is increasingly dematerialising and fusing with the world’s latest networked infrastructure, the Internet.

The article was published in the Economic Times on June 10, 2018.

As the network effects compound, disruptive acceleration hurtle us towards financial utopia, or dystopia. Our fate depends on what we get right and what we get wrong with the law, code and architecture, and the market.

The Internet, unfortunately, has completely transformed from how it was first architected. From a federated, generative network based on free software and open standards, into a centralised, environment with an increasing dependency on proprietary technologies.

In countries like Myanmar, some citizens misconstrue a single social media website, Facebook, for the internet, according to LirneAsia research. India is another market where Facebook could still get its brand mistaken for access itself by some users coming online. This is Facebook put so many resources into the battle over Basics, in the run-up to India’s network neutrality regulation. an odd corporation.

On hand, its business model is what some term surveillance capitalism. On the other hand, by acquiring WhatsApp and by keeping end-toend (E2E) encryption “on”, it has ensured that one and a half billion users can concretely exercise their right to privacy. At the time of the acquisition, WhatsApp founders believed Facebook’s promise that it would never compromise on their high standards of privacy and security. But 18 months later, Facebook started harvesting data and diluting E2E.

In April this year, my colleague Ayush Rathi and I wrote in Asia Times that WhatsApp no longer deletes multimedia on download but continues to store it on its servers. Theoretically, using the very same mechanism, Facebook could also be retaining encrypted text messages and comprehensive metadata from WhatsApp users indefinitely without making this obvious.

My friend, Srikanth Lakshmanan, founder of the CashlessConsumer collective, is a keen observer of this space. He says in India, “we are seeing an increasing push towards a bank-led model, thanks to National Payments Corporation of India (NPCI) and its control over Unified Payments Interface (UPI), which is also known as the cashless layer of the India Stack.”

NPCI is best understood as a shape shifter. Arundhati Ramanathan puts it best when she says “depending on the time and context, NPCI is a competitor. It is a platform. It is a regulator. It is an industry association. It is a profitable non-profit. It is a rule maker. It is a judge. It is a bystander.”

This results in UPI becoming, what Lakshmanan calls, a NPCI-club-good rather than a new generation digital public good. He also points out that NPCI has an additional challenge of opacity — “it doesn’t provide any metrics on transaction failures, and being a private body, is not subject to proactive or reactive disclosure requirements under the RTI.”

Technically, he says, UPI increases fragility in our financial ecosystem since it “is a centralised data maximisation network where NPCI will always have the superset of data.” Given that NPCI has opted for a bank-led model in India, it is very unlikely that Facebook able to leverage its monopoly the social media market duopoly it shares with in the digital advertising market to become a digital payments monopoly.

However, NCPI and Facebook both share the following traits — one, an insatiable appetite for personal information; two, a fetish for hypercentralisation; three, a marginal commitment to transparency, and four, poor track record as a custodian of consumer trust. The marriage between these like-minded entities has already had a dubious beginning.

Previously, every financial technology wanting direct access to the NPCI infrastructure had to have a tie-up with a bank. But for Facebook and Google, as they are large players, it was decided to introduce a multi-bank model. This was definitely the right thing to do from a competition perspective. But, unfortunately, the marriage between the banks and the internet giant was arranged by NPCI in an opaque process and WhatsApp was exempted from the full NPCI certification process for its beta launch.

Both NPCI and Facebook need urgent regulatory attention. A modern data protection law and a more proactive competition regulator is required for Facebook. The NPCI will hopefully also be subjected to the upcoming data protection law. But it also requires a range of design, policy and governance fixes to ensure greater privacy and security via data minimisation and decentralisation; greater accountability and transparency to the public; separation of powers for better governance and open access policies to prevent anti-competitive behaviour.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-june-10-2018-sunil-abraham-why-npci-and-facebook-need-urgent-regulatory-attention

Why Indians are turning down Facebook's free internet

praskrishna — 2016-01-17T16:25:10Z

Imagine a billion of the world’s poorest gaining overnight access to health information, education, and professional help — for free. Add to this one rich man who wants to make that dream a reality.

The article by Nimisha Jaiswal was published in the Global Post on January 13, 2016. Sunil Abraham was quoted.

That’s the invitation that Facebook has sent to India. Many there, however, are rejecting such benevolence.

Facebook has introduced its Free Basics project in 36 countries. The company claims that the app acts as a stepping-stone to the internet for those who are otherwise without access, by providing them with a few essential sites — or “basics” — to get started.

“We know that when people have access to the internet they also get access to jobs, education, healthcare, communication… We know that for India to make progress, more than 1 billion people need to be connected to the internet,” wrote Facebook CEO Mark Zuckerberg in a recent op-ed for a major Indian newspaper. “Free Basics is a bridge to the full internet and digital equality.”

However, net neutrality researchers and activists in India define it quite differently.

“Free Basics is a zero-rated walled garden that gives users a tiny subset of the world wide web,” Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, told GlobalPost.

The Free Basics app is part of Facebook’s Internet.org, a “zero-rating” internet service that provides limited access for no charge to the consumer. The original Internet.org was heavily criticized in India for violating net neutrality, the principle that all content on the web should be accessible to consumers at the same speed, without discrimination by providers.

Last spring, as part of a homegrown Save The Internet movement, over 1 million people wrote to the Telecom Regulatory Authority of India (TRAI) to protest services that disrupt net neutrality by providing only a small fraction of the internet to their users.

India’s Department of Telecommunications has already recommended that such platforms be disallowed. Before it makes its own recommendations this month, the TRAI asked concerned citizens for another round of input on zero-rating apps. The criticism has been so loud that, at the end of December, Free Basics’ local telecom partner was ordered to take the service down until a decision is reached.

Though Free Basics does not require payment from the websites it shares, Facebook’s competitors are unlikely to participate and provide user data to their rivals. And while there are currently no advertisements on Free Basics, Facebook reserves the right to introduce them in the future to garner revenue from their “walled-in” clients.

According to Abraham, such a platform harms free speech, privacy, innovation and diversity by adding another layer of surveillance and “censoring” the internet.

Mahesh Murthy, a venture capitalist who is part of India’s Save The Internet movement, puts it more bluntly.

“What Facebook wants is our less fortunate brothers and sisters should be able to poke each other and play Candy Crush, but not be able to look up a fact on Google, or learn something on Khan Academy, or sell their produce on a commodity market, or even search for a job on [Indian recruitment website] Naukri,” said Murthy.

Zuckerberg and Facebook’s India team have vigorously rebutted net neutrality activists in India, including Murthy, challenging their criticism of Free Basics and accusing activists of deliberately trying to prevent the masses from gaining internet access.

“Critics of the program continue to spread false claims — even if that means leaving behind a billion people,” wrote Zuckerberg in his Times of India op-ed.

According to Abraham, this is a misleading assertion. “They are falsely framing the debate, they are making it look like we have only two choices,” he told GlobalPost. “The choice is not between less people on the internet and unregulated [Free Basics].”

Several alternatives are being proposed. Abraham does not advocate a complete ban on Free Basics, instead suggesting a “leaky” walled garden where users would be given 100 MB of full internet access for every 100 MB of Free Basics consumed.

The Save the Internet campaign, however, wants Free Basics barred altogether. It proposes returning to previously implemented schemes like providing data on the purchase of a phone, or letting users access the full internet after watching an ad. The Universal Service Obligation Fund, set up by the Department of Telecommunications to provide affordable communication technology in rural areas, could also be used to finance free data packs.

While Facebook could potentially contribute to such funds to promote its connectivity goals, the millions of dollars it has spent loudly defending Free Basics in India suggest that the company is deeply attached to its own scheme.

Facebook has claimed that “more than four in five Indians support Free Basics,” according to a survey that it paid for. Indian users of the social network have received notifications encouraging them to send a template letter to the regulator in support of Free Basics. Even users in the US were “accidentally” notified to add their backing to the Indian campaign.

Some of the company's critics suggest that it is driven less by philanthropy, more by guaranteeing itself a stream of new users.

Murthy points out that a large number of the world’s population not yet on the internet are in India and China — and Facebook is banned in China. “So who becomes essential to Mark Zuckerberg’s balance sheet? Enter us Indians.”

While Indian activists agree that connectivity is an important goal, they insist that Free Basics in its current form is not the solution or even the only option right now. All it does is whets the appetite of the consumer, according to Abraham.

“You can compare Free Basics to when you go through the mall: You see the people selling cookies, and the aroma fills the whole mall,” he said. “That’s what Free Basics does — it gets you interested in the cookie. But it doesn’t solve the affordability question.”

For more details visit https://cis-india.org/internet-governance/news/global-post-nimisha-jaiswal-why-indians-are-turning-down-facebook-free-internet

Why having more CCTV cameras does not translate to crime prevention

manasa — 2019-09-25T02:13:28Z

Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

The article by Manasa Rao published by the News Minute quotes Pranav M. Bidare of CIS.

In August, a couple from Tamil Nadu’s Tirunelveli district made national headlines for their bravery. True to the Tamil adage ‘vallavanukku pullum aayudham’ (for the strong man, even a blade of grass is a weapon), when thieves entered their home, they fought them with chairs, slippers and even a bucket. Despite being armed with sickles, the masked miscreants fled the scene unable to match the counter-attack mounted by 70-year-old Shanmugavel and 65-year-old Senthamarai. The incident was caught on CCTV camera and the couple, whose video quickly went viral, was celebrated for their valour and made for the perfect social media feel-good story. However, as the news cycle was focused on them, senior police officers from the state and many commentators pointed to the importance of the CCTV camera footage. After all, the whole world watched their courage thanks to the CCTV camera affixed on the couple's front yard.

Since 2017, the Tamil Nadu Police has been aggressively pushing for citizens to install CCTV cameras. A techno-futuristic awareness campaign video released last year even roped in popular Kollywood star Vikram to help the police force. “If there are CCTV cameras, crimes are prevented, evidenced and importantly, it provides evidence in court. So, each of us will compulsorily fix a CCTV camera wherever we are,” says Vikram. In a bold declaration, the motto of the campaign affirms, “With CCTV everywhere, Tamil Nadu has become a place without crime.” At the end of the video Vikram suggests Big Brother is watching, stating, “Everything. Everywhere. We're watching.”

But do more CCTV cameras necessarily translate to crime prevention and deterrence? Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

What the numbers say

A study released in August by tech research group Comparitech ranked Chennai as 32nd out of 50 of the most surveilled cities in the world. The research group, with the use of government reports, police websites and news articles, puts the total number of cameras in the city at 50,000. With a 2016 estimated population of 1.07 crore in Chennai, that is 4.67 cameras per 1,000 people.

With the help of Numbeo, a crowd-sourced database of perceived crime rates, the study puts Chennai’s crime index at 40.39. On a scale of 0 to 100, this is an estimation of overall level of crime in a given city. This score means Chennai’s crime index is ranked ‘moderate’. Similarly, on a 100 point scale, the city's safety index— quite the opposite of crime index— is at 59.61. The higher the safety index, the safer a city is considered to be.

The two other Indian cities on the list of 50 are New Delhi ranked No. 20 with 1,79,000 cameras for 1.86 crore people (9.62 cameras per 1,000 people) and Lucknow ranked at No. 40 with 9,300 cameras for 35.89 lakh people (2.59 cameras per 1,000 people). The capital's crime index is at 58.77 while its safety index is 41.23. The UP city on the other hand has a crime index of 45.30 and a safety index of 54.70.

Stating that the higher number of cameras ‘just barely correlates’ with a higher safety index and lower crime index, the study concludes, “Broadly speaking, more cameras doesn’t necessarily result in people feeling safer.” While the presence of CCTV cameras may not inherently be bad, experts say that they cannot become a substitute for tackling crime and its causes which transcend the realm of technology. These involve tailored and specific approaches which stem from community building.

The infallible CCTV myth

Pranav MB, policy officer at the Centre for Internet and Society in Bengaluru observes that in the long run, over-reliance on CCTV cameras would merely propel criminals to innovate, as opposed to helping deter the crime from taking place. He says, “While it seems intuitive that the presence of a CCTV camera will have a deterring effect on criminal activity, numerous studies over the past decade have concluded that this is not really the case. The idea of a deterring effect also relies on the assumption that the actors are making educated intelligent choices about their future, which is often not the case with persons that commit criminal acts. So the deterring effect of CCTV cameras is not likely to be much more than the already deterring effect that exists because of criminal law and law enforcement.”

Busting the myth that CCTV cameras are foolproof, Pranav adds that public infrastructure as simple as a streetlight could aid in safer neighbourhoods. “The fact remains, however, that if you are not using advanced technology, a simple mask will render you unidentifiable by most basic CCTV cameras. As more advanced and more expensive technology is used, you are only necessitating the need for innovation among criminals to identify new loopholes that they can exploit in the technology. This is not an argument that generally holds against the use of technology, but in the case of CCTV cameras, it has been seen that simple street lights much better serve the goal of deterrence of crimes,” he says.

However, cops disagree with the findings. One IPS officer who works with the police’s Law and Order department in Chennai tells TNM that the presence of CCTV cameras has helped them nab a range of criminals from chain-snatchers to stalkers who have hacked women to death. Praising the use of facial recognition software like FaceTagr that was introduced a few years ago, the officer says, “CCTV cameras have a dissuading effect on criminals. At the very least they serve as a warning but in most cases, we can easily match them to criminals on our existing local, station-wise database. Especially when it comes to areas like T Nagar, Purasawalkam or other crime-prone suburbs, CCTV cameras are an invaluable tool for law enforcement.”

“Even in cases of sexual abuse, street harassment or trafficking, private CCTV cameras have been helpful. Shop owners or residents have come forward with the footage in public interest,” he says, admitting that the Centre’s release of the long-pending National Crime Records Bureau (NCRB) statistics could show a correlation between the push to install CCTVs and crime rates.

With a lack of NCRB data, there are no statistical answers to whether indeed installation of CCTV cameras has helped lowering of crime rates. However, as per one report in The Hindu, the police report a 30% drop in the crime rate in the city following the installation of CCTV cameras. According to their estimate for chain snatching alone, the city police claims that the number of cases have dropped from 792 in 2012 to 538 following the installation of CCTV cameras in 2018.

Over-reliance on technology

Agreeing that law enforcement must be cautious while employing technology to solve crimes, Dr M Priyamvadha, associate professor at the Department of Criminology, University of Madras says her detailed interviews with over 200 incarcerated burglars across Tamil Nadu reveal that they are always on the lookout for a CCTV camera. “They simply use a jammer worth Rs 2,000 (a handy device that disrupts the signal range of a camera) to skirt the presence of a CCTV camera,” she reports. However, the professor cautions that one must not over-sell the capabilities of a CCTV camera in crime prevention.

“We must remember that CCTV cameras don't deter all crimes. If there is family or domestic violence, there won't be a CCTV camera inside the four walls of a house to reveal it. For burglaries, robberies and such offences, you can rely on CCTV cameras. How far it helps is a question mark. You can neither completely say it prevents crime nor that it is a waste,” she says.

The professor points out that even when deploying CCTV cameras across the city, law enforcement does not account for wear and tear and maintenance which forms an important part of monitoring security.

Echoing the sentiment, Pranav says that CCTV cameras primarily serve as sources of electronic evidence in criminal cases. “Their deterring effect has repeatedly been observed to not balance out the costs of installing and running them.”

Privacy, data protection concerns

Chennai-based independent tech researcher Srikanth points to the inherent surveillance dangers thanks to the centralised way in which the city police collects the CCTV data. “There is something concerning especially about Chennai City Traffic Police and other various city police’s approach to CCTV. The fundamental shift is that, at least in the city, these cameras are connected to the police control room. So data gets centrally collated. When centralization kicks in, power abuse isn't far away. This way it is far easier for police to destroy evidence,” he alleges.

Srikanth also points out, “CCTVs (especially connected ones) are usually funded by residents and/or merchants who spend their money in putting up the infrastructure, but freely give away the data to the police (often in good faith). There is no oversight on usage, storage, retention of this data and by sheer monopoly on law and order, the police is able to connect a vast number of private CCTVs on to its network.”

Significantly, he expresses concerns about there being no laws that govern the usage of CCTV footage by the police. “Even if one gives into the legitimate state aim to control crime, even if one can argue violation of privacy is proportional, there is no law around use of CCTV by police, let alone using them in investigations. That the state engages with private vendors (such as FaceTagr) and many others also provides these service providers access to data,” he explains.

Pranav also warns, “Furthermore, CCTV cameras also result in compromising the privacy of individuals, and if implemented by the state (as in the case of law enforcement), creates added surveillance risks. Compounding on this is the issue of the recorded video footage, which if stored/transmitted/managed in an non-secure manner creates data protection risks as well. This is especially true in India, where it is difficult to obtain the required infrastructure and expertise in running an effective and secure CCTV camera system.”

'Technology cannot replace interpersonal relationships'

Advising pragmatic thinking when it comes to crime prevention, professor Priyamvadha says that technology should complement what she calls the ‘human touch'. Junking the ‘holistic’ one-size-fits-all approach that is often paraded as a solution, the criminologist says that each crime requires a tailored method of tackling it. “For each and every crime, there is a different strategy. There maybe crimes committed by juveniles, crimes committed against women. For example, if female foeticide is rampant in a village, it is important to understand the village, the preferences of the people there and the caste practices present among them,” she observes.

While technology often allows law enforcement to cover more ground in cases of limited manpower, there’s also a chance the cameras could be seen as a substitute for forging interpersonal relationships between police and the people they seek to protect. “With quick transferring of cops nowadays, the local police station doesn’t have an understanding of the ongoings. Interpersonal relationships are more important than technological advances,” she notes.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-september-3-2019-manasa-rao-why-having-more-cctv-cameras-does-not-translate-to-crime-prevention

Why having more CCTV cameras does not translate to crime prevention

Manasa Rao — 2019-12-05T23:26:25Z

The article by Manasa Rao was published the News Minute on September 3, 2019. Pranav M. Bidare was quoted.

What the numbers say

The infallible CCTV myth

Over-reliance on technology

Privacy, data protection concerns

'Technology cannot replace interpersonal relationships'

For more details visit https://cis-india.org/internet-governance/news/why-having-more-cctv-cameras-does-not-translate-to-crime-prevention

Why did India fail to discover the ISIS Twitter handle?

praskrishna — 2014-12-27T03:27:16Z

India's surveillance system fails to track the servers of internet giants like Google or Facebook because these do not have servers in the country, says a leading cyber law expert.

The article by Anita Babu was published in the Business Standard on December 26, 2014. Sunil Abraham gave his inputs.

Back in 2009, after the investigation team, probing into the 26/11 Mumbai terror attacks, almost cracked the case, it was the US’s Federal Bureau of Investigation (FBI) which connected the missing links by arresting David Headley, the mastermind.

Five years later, India is staring at a similar situation, when Bengaluru-based Mehdi Masroor Biswas, was allegedly found to be operating a pro-ISIS (Islamic State) Twitter handle. It was a British broadcaster, Channel 4, which blew the lid off Biswas’s activity. Soon after the report, Indian authorities swung into action. Last year, when communal violence broke out in some parts of Uttar Pradesh, a Pakistani news organisation reported that a fake video was being circulated to fan sentiments.

But, why have Indian agencies failed to detect such activities which pose a threat to the national security? A senior government official said intelligence agencies in the country scan the internet for leads. But, in the light of increased threats, systems need to be beefed up significantly. Perhaps, as a first step towards this, the home ministry on Wednesday formed a committee to prepare a road map for tackling cyber crimes in the country.

It will give suitable recommendations on all facets of cyber crime, apart from suggesting possible partnerships with public and private sector, non-governmental organisations and international bodies.

According to Sunil Abraham, executive director of a Bengaluru-based research organisation, the Centre for Internet and Society, it’s time we move closer towards intelligent and targeted surveillance, rather than mass surveillance. This will require monitoring a selected accounts or profiles, instead of tapping information from across the population. Old-fashioned detective work is also very important, as it has helped zero in on Biswas.

Another problem the country faces is that a lot of data is being pooled in by multiple agencies, but of little use. “We must free up our law enforcement agencies and intelligence services from the curse of having too much data,” Abraham adds. Since most of the internet companies are headquartered outside India, the authorities face a lot of difficulties in accessing information from these networks.

“India’s surveillance system fails to track the servers of internet giants like Google or Facebook because these do not have servers in the country. Our system is only confined within the country,” says Pavan Duggal, a leading cyber law expert.

Since the US has the capability to access information from telecom companies, service providers such as Twitter and Facebook and the consortia that run submarine cables, these companies cooperate in a much more effective and immediate manner, adds Abraham. “But these are things that we will never be able to do in India,” he adds.

For instance, India follows the mutual legal assistance treaty procedure, to gather and exchange information in an effort to enforce public laws or criminal laws. However, this is a time-consuming process and often takes up to two years before we get any data from these companies.

But due to the threat of cyber-terrorism being shared by both companies and governments, companies such as Google, Twitter and Facebook are cooperating more than before, experts say.

Internet and Jurisdiction Project, an international group that works towards ensuring digital coexistence, tries to get a procedural law between two countries in a harmonised manner and includes collection, storage, handling and processing of evidence.

More lubricating efforts should be undertaken internationally on these lines, say experts. Hopefully, the new committee will take steps in this direction.

For more details visit https://cis-india.org/internet-governance/news/business-standard-december-26-2014-anita-babu-why-india-failed-to-discover-the-isis-twitter-handle

Why Data Localisation Might Lead To Unchecked Surveillance

pranesh — 2018-10-16T14:08:34Z

In recent times, there has been a rash of policies and regulations that propose that the data that Indian entities handle be physically stored on servers in India, in some cases exclusively. In other cases, only a copy needs to be stored.

The article was published in Bloomberg Quint on October 15, 2018 and also mirrored in the Quint.

In April 2018, the Reserve Bank of India put out a circular requiring that all “data relating to payment systems operated by them are stored in a system only in India” within six months. Lesser requirements have been imposed on all Indian companies’ accounting data since 2014 (the back-up of the books of account and other books that are stored electronically must be stored in India, the broadcasting sector under the Foreign Direct Investment policy, must locally store subscriber information, and the telecom sector under the Unified Access licence, may not transfer their subscriber data outside India).

The draft e-commerce policy has a wide-ranging requirement of exclusive local storage for “community data collected by Internet of Things devices in public space” and “data generated by users in India from various sources including e-commerce platforms, social media, search engines, etc.”, as does the draft e-pharmacy regulations, which stipulate that “the data generated” by e-pharmacy portals be stored only locally.

While companies such as Airtel, Reliance, PhonePe (majority-owned by Walmart) and Alibaba, have spoken up in support the government’s data localisation efforts, others like Facebook, Amazon, Microsoft, and Mastercard have led the way in opposing it.

Just this week, two U.S. Senators wrote to the Prime Minister’s office arguing that the RBI’s data localisation regulations along with the proposals in the draft e-commerce and cloud computing policies are “key trade barriers”. In her dissenting note to the Srikrishna Committee's report, Rama Vedashree of the Data Security Council of India notes that, “mandating localisation may potentially become a trade barrier and the key markets for the industry could mandate similar barriers on data flow to India, which could disrupt the IT-BPM (information technology-business process management) industry.”

Justification For Data Localisation

What are the reasons for these moves towards data localisation?

Given the opacity of policymaking in India, many of the policies and regulations provide no justification at all. Even the ones that do, don’t provide cogent reasoning.

The RBI says it needs “unfettered supervisory access” and hence needs data to be stored in India. However, it fails to state why such unfettered access is not possible for data stored outside of India.

As long as an entity can be compelled by Indian laws to engage in local data storage, that same entity can also be compelled by that same law to provide access to their non-local data, which would be just as effective.

What if they don’t provide such access? Would they be blacklisted from operating in India, just as they would if they didn’t engage in local data storage? Is there any investigatory benefit to storing data in India? As any data forensic expert would note, chain of custody and data integrity are what are most important components of data handling in fraud investigation, and not physical access to hard drives. It would be difficult for the government to say that it will block all Google services if the company doesn’t provide all the data that Indian law enforcement agencies request from it. However, it would be facile for the RBI to bar Google Pay from operating in India if Google doesn’t provide it “unfettered supervisory access” to data.

The most exhaustive justification of data localisation in any official Indian policy document is that contained in the Srikrishna Committee’s report on data protection. The report argues that there are several benefits to data localisation:

Effective enforcement,
Avoiding reliance on undersea cables,
Avoiding foreign surveillance on data stored outside India,
Building an “Artificial Intelligence ecosystem”

Of these, the last three reasons are risible.

Not A Barrier To Surveillance

Requiring mirroring of personal data on Indian servers will not magically give rise to experts skilled in statistics, machine learning, or artificial intelligence, nor will it somehow lead to the development of the infrastructure needed for AI.

The United States and China are both global leaders in AI, yet no one would argue that China’s data localisation policies have helped it or that America’s lack of data localisation polices have hampered it.

On the question of foreign surveillance, data mirroring will not have any impact, since the Srikrishna Committee’s recommendation would not prevent companies from storing most personal data outside of India.

Even for “sensitive personal data” and for “critical personal data”, which may be required to be stored in India alone, such measures are unlikely to prevent agencies like the U.S. National Security Agency or the United Kingdom’s Government Communications Headquarters from being able to indulge in extraterritorial surveillance.

In 2013, slides from an NSA presentation that were leaked by Edward Snowden showed that the NSA’s “BOUNDLESSINFORMANT” programme collected 12.6 billion instances of telephony and Internet metadata (for instance, which websites you visited and who all you called) from India in just one month, making India one of the top 5 targets.

This shows that technically, surveillance in India is not a challenge for the NSA.

So, forcing data mirroring enhances Indian domestic intelligence agencies’ abilities to engage in surveillance, without doing much to diminish the abilities of skilled foreign intelligence agencies.

As I have noted in the past, the technological solution to reducing mass surveillance is to use decentralised and federated services with built-in encryption, using open standards and open source software.

Reducing reliance on undersea cables is, just like reducing foreign surveillance on Indians’ data, a laudable goal. However, a mandate of mirroring personal data in India, which is what the draft Data Protection Bill proposes for all non-sensitive personal data, will not help. Data will stay within India if the processing happens within India. However, if the processing happens outside of India, as is often the case, then undersea cables will still need to be relied upon.

The better way to keep data within India is to incentivise the creation of data centres and working towards reducing the cost of internet interconnection by encouraging more peering among Internet connectivity providers.

While data mirroring will not help in improving the enforcement of any data protection or privacy law, it will aid Indian law enforcement agencies in gaining easier access to personal data.

The MLAT Route

Currently, many forms of law enforcement agency requests for data have to go through onerous channels called ‘mutual legal assistance treaties’. These MLAT requests take time and are ill-suited to the needs of modern criminal investigations. However, the U.S., recognising this, passed a law called the CLOUD Act in March 2018. While the CLOUD Act compels companies like Google and Amazon, which have data stored in Indian data centres, to provide that data upon receiving legal requests from U.S. law enforcement agencies, it also enables easier access to foreign law enforcement agencies to data stored in the U.S. as long as they fulfill certain procedural and rule-of-law checks.

While the Srikrishna Committee does acknowledge the CLOUD Act in a footnote, it doesn’t analyse its impact, doesn’t provide suggestions on how India can do this, and only outlines the negative consequences of MLATs.

Further, it is inconceivable that the millions of foreign services that Indians access and provide their personal data to will suddenly find a data centre in India and will start keeping such personal data in India. Instead, a much likelier outcome, one which the Srikrishna Committee doesn’t even examine, is that many smaller web services may find such requirements too onerous and opt to block users from India, similar to the way that Indiatimes and the Los Angeles Times opted to block all readers from the European Union due to the coming into force of the new data protection law.

The government could be spending its political will on finding solutions to the law enforcement agency data access question, and negotiating solutions at the international level, especially with the U.S. government. However it is not doing so.

Given this, the recent spate of data localisation policies and regulation can only be seen as part of an attempt to increase the scope and ease of the Indian government’s surveillance activities, while India’s privacy laws still remain very weak and offer inadequate legal protection against privacy-violating surveillance. Because of this, we should be wary of such requirements, as well as of the companies that are vocal in embracing data localisation.

For more details visit https://cis-india.org/internet-governance/blog/bloomberg-quint-pranesh-prakash-october-15-2018-why-data-localisation-might-lead-to-unchecked-surveillance