Centre for Internet and Society

Why Indians are turning down Facebook's free internet

praskrishna — 2016-01-17T16:25:10Z

Imagine a billion of the world’s poorest gaining overnight access to health information, education, and professional help — for free. Add to this one rich man who wants to make that dream a reality.

The article by Nimisha Jaiswal was published in the Global Post on January 13, 2016. Sunil Abraham was quoted.

That’s the invitation that Facebook has sent to India. Many there, however, are rejecting such benevolence.

Facebook has introduced its Free Basics project in 36 countries. The company claims that the app acts as a stepping-stone to the internet for those who are otherwise without access, by providing them with a few essential sites — or “basics” — to get started.

“We know that when people have access to the internet they also get access to jobs, education, healthcare, communication… We know that for India to make progress, more than 1 billion people need to be connected to the internet,” wrote Facebook CEO Mark Zuckerberg in a recent op-ed for a major Indian newspaper. “Free Basics is a bridge to the full internet and digital equality.”

However, net neutrality researchers and activists in India define it quite differently.

“Free Basics is a zero-rated walled garden that gives users a tiny subset of the world wide web,” Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, told GlobalPost.

The Free Basics app is part of Facebook’s Internet.org, a “zero-rating” internet service that provides limited access for no charge to the consumer. The original Internet.org was heavily criticized in India for violating net neutrality, the principle that all content on the web should be accessible to consumers at the same speed, without discrimination by providers.

Last spring, as part of a homegrown Save The Internet movement, over 1 million people wrote to the Telecom Regulatory Authority of India (TRAI) to protest services that disrupt net neutrality by providing only a small fraction of the internet to their users.

India’s Department of Telecommunications has already recommended that such platforms be disallowed. Before it makes its own recommendations this month, the TRAI asked concerned citizens for another round of input on zero-rating apps. The criticism has been so loud that, at the end of December, Free Basics’ local telecom partner was ordered to take the service down until a decision is reached.

Though Free Basics does not require payment from the websites it shares, Facebook’s competitors are unlikely to participate and provide user data to their rivals. And while there are currently no advertisements on Free Basics, Facebook reserves the right to introduce them in the future to garner revenue from their “walled-in” clients.

According to Abraham, such a platform harms free speech, privacy, innovation and diversity by adding another layer of surveillance and “censoring” the internet.

Mahesh Murthy, a venture capitalist who is part of India’s Save The Internet movement, puts it more bluntly.

“What Facebook wants is our less fortunate brothers and sisters should be able to poke each other and play Candy Crush, but not be able to look up a fact on Google, or learn something on Khan Academy, or sell their produce on a commodity market, or even search for a job on [Indian recruitment website] Naukri,” said Murthy.

Zuckerberg and Facebook’s India team have vigorously rebutted net neutrality activists in India, including Murthy, challenging their criticism of Free Basics and accusing activists of deliberately trying to prevent the masses from gaining internet access.

“Critics of the program continue to spread false claims — even if that means leaving behind a billion people,” wrote Zuckerberg in his Times of India op-ed.

According to Abraham, this is a misleading assertion. “They are falsely framing the debate, they are making it look like we have only two choices,” he told GlobalPost. “The choice is not between less people on the internet and unregulated [Free Basics].”

Several alternatives are being proposed. Abraham does not advocate a complete ban on Free Basics, instead suggesting a “leaky” walled garden where users would be given 100 MB of full internet access for every 100 MB of Free Basics consumed.

The Save the Internet campaign, however, wants Free Basics barred altogether. It proposes returning to previously implemented schemes like providing data on the purchase of a phone, or letting users access the full internet after watching an ad. The Universal Service Obligation Fund, set up by the Department of Telecommunications to provide affordable communication technology in rural areas, could also be used to finance free data packs.

While Facebook could potentially contribute to such funds to promote its connectivity goals, the millions of dollars it has spent loudly defending Free Basics in India suggest that the company is deeply attached to its own scheme.

Facebook has claimed that “more than four in five Indians support Free Basics,” according to a survey that it paid for. Indian users of the social network have received notifications encouraging them to send a template letter to the regulator in support of Free Basics. Even users in the US were “accidentally” notified to add their backing to the Indian campaign.

Some of the company's critics suggest that it is driven less by philanthropy, more by guaranteeing itself a stream of new users.

Murthy points out that a large number of the world’s population not yet on the internet are in India and China — and Facebook is banned in China. “So who becomes essential to Mark Zuckerberg’s balance sheet? Enter us Indians.”

While Indian activists agree that connectivity is an important goal, they insist that Free Basics in its current form is not the solution or even the only option right now. All it does is whets the appetite of the consumer, according to Abraham.

“You can compare Free Basics to when you go through the mall: You see the people selling cookies, and the aroma fills the whole mall,” he said. “That’s what Free Basics does — it gets you interested in the cookie. But it doesn’t solve the affordability question.”

For more details visit https://cis-india.org/internet-governance/news/global-post-nimisha-jaiswal-why-indians-are-turning-down-facebook-free-internet

Why having more CCTV cameras does not translate to crime prevention

manasa — 2019-09-25T02:13:28Z

Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

The article by Manasa Rao published by the News Minute quotes Pranav M. Bidare of CIS.

In August, a couple from Tamil Nadu’s Tirunelveli district made national headlines for their bravery. True to the Tamil adage ‘vallavanukku pullum aayudham’ (for the strong man, even a blade of grass is a weapon), when thieves entered their home, they fought them with chairs, slippers and even a bucket. Despite being armed with sickles, the masked miscreants fled the scene unable to match the counter-attack mounted by 70-year-old Shanmugavel and 65-year-old Senthamarai. The incident was caught on CCTV camera and the couple, whose video quickly went viral, was celebrated for their valour and made for the perfect social media feel-good story. However, as the news cycle was focused on them, senior police officers from the state and many commentators pointed to the importance of the CCTV camera footage. After all, the whole world watched their courage thanks to the CCTV camera affixed on the couple's front yard.

Since 2017, the Tamil Nadu Police has been aggressively pushing for citizens to install CCTV cameras. A techno-futuristic awareness campaign video released last year even roped in popular Kollywood star Vikram to help the police force. “If there are CCTV cameras, crimes are prevented, evidenced and importantly, it provides evidence in court. So, each of us will compulsorily fix a CCTV camera wherever we are,” says Vikram. In a bold declaration, the motto of the campaign affirms, “With CCTV everywhere, Tamil Nadu has become a place without crime.” At the end of the video Vikram suggests Big Brother is watching, stating, “Everything. Everywhere. We're watching.”

But do more CCTV cameras necessarily translate to crime prevention and deterrence? Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

What the numbers say

A study released in August by tech research group Comparitech ranked Chennai as 32nd out of 50 of the most surveilled cities in the world. The research group, with the use of government reports, police websites and news articles, puts the total number of cameras in the city at 50,000. With a 2016 estimated population of 1.07 crore in Chennai, that is 4.67 cameras per 1,000 people.

With the help of Numbeo, a crowd-sourced database of perceived crime rates, the study puts Chennai’s crime index at 40.39. On a scale of 0 to 100, this is an estimation of overall level of crime in a given city. This score means Chennai’s crime index is ranked ‘moderate’. Similarly, on a 100 point scale, the city's safety index— quite the opposite of crime index— is at 59.61. The higher the safety index, the safer a city is considered to be.

The two other Indian cities on the list of 50 are New Delhi ranked No. 20 with 1,79,000 cameras for 1.86 crore people (9.62 cameras per 1,000 people) and Lucknow ranked at No. 40 with 9,300 cameras for 35.89 lakh people (2.59 cameras per 1,000 people). The capital's crime index is at 58.77 while its safety index is 41.23. The UP city on the other hand has a crime index of 45.30 and a safety index of 54.70.

Stating that the higher number of cameras ‘just barely correlates’ with a higher safety index and lower crime index, the study concludes, “Broadly speaking, more cameras doesn’t necessarily result in people feeling safer.” While the presence of CCTV cameras may not inherently be bad, experts say that they cannot become a substitute for tackling crime and its causes which transcend the realm of technology. These involve tailored and specific approaches which stem from community building.

The infallible CCTV myth

Pranav MB, policy officer at the Centre for Internet and Society in Bengaluru observes that in the long run, over-reliance on CCTV cameras would merely propel criminals to innovate, as opposed to helping deter the crime from taking place. He says, “While it seems intuitive that the presence of a CCTV camera will have a deterring effect on criminal activity, numerous studies over the past decade have concluded that this is not really the case. The idea of a deterring effect also relies on the assumption that the actors are making educated intelligent choices about their future, which is often not the case with persons that commit criminal acts. So the deterring effect of CCTV cameras is not likely to be much more than the already deterring effect that exists because of criminal law and law enforcement.”

Busting the myth that CCTV cameras are foolproof, Pranav adds that public infrastructure as simple as a streetlight could aid in safer neighbourhoods. “The fact remains, however, that if you are not using advanced technology, a simple mask will render you unidentifiable by most basic CCTV cameras. As more advanced and more expensive technology is used, you are only necessitating the need for innovation among criminals to identify new loopholes that they can exploit in the technology. This is not an argument that generally holds against the use of technology, but in the case of CCTV cameras, it has been seen that simple street lights much better serve the goal of deterrence of crimes,” he says.

However, cops disagree with the findings. One IPS officer who works with the police’s Law and Order department in Chennai tells TNM that the presence of CCTV cameras has helped them nab a range of criminals from chain-snatchers to stalkers who have hacked women to death. Praising the use of facial recognition software like FaceTagr that was introduced a few years ago, the officer says, “CCTV cameras have a dissuading effect on criminals. At the very least they serve as a warning but in most cases, we can easily match them to criminals on our existing local, station-wise database. Especially when it comes to areas like T Nagar, Purasawalkam or other crime-prone suburbs, CCTV cameras are an invaluable tool for law enforcement.”

“Even in cases of sexual abuse, street harassment or trafficking, private CCTV cameras have been helpful. Shop owners or residents have come forward with the footage in public interest,” he says, admitting that the Centre’s release of the long-pending National Crime Records Bureau (NCRB) statistics could show a correlation between the push to install CCTVs and crime rates.

With a lack of NCRB data, there are no statistical answers to whether indeed installation of CCTV cameras has helped lowering of crime rates. However, as per one report in The Hindu, the police report a 30% drop in the crime rate in the city following the installation of CCTV cameras. According to their estimate for chain snatching alone, the city police claims that the number of cases have dropped from 792 in 2012 to 538 following the installation of CCTV cameras in 2018.

Over-reliance on technology

Agreeing that law enforcement must be cautious while employing technology to solve crimes, Dr M Priyamvadha, associate professor at the Department of Criminology, University of Madras says her detailed interviews with over 200 incarcerated burglars across Tamil Nadu reveal that they are always on the lookout for a CCTV camera. “They simply use a jammer worth Rs 2,000 (a handy device that disrupts the signal range of a camera) to skirt the presence of a CCTV camera,” she reports. However, the professor cautions that one must not over-sell the capabilities of a CCTV camera in crime prevention.

“We must remember that CCTV cameras don't deter all crimes. If there is family or domestic violence, there won't be a CCTV camera inside the four walls of a house to reveal it. For burglaries, robberies and such offences, you can rely on CCTV cameras. How far it helps is a question mark. You can neither completely say it prevents crime nor that it is a waste,” she says.

The professor points out that even when deploying CCTV cameras across the city, law enforcement does not account for wear and tear and maintenance which forms an important part of monitoring security.

Echoing the sentiment, Pranav says that CCTV cameras primarily serve as sources of electronic evidence in criminal cases. “Their deterring effect has repeatedly been observed to not balance out the costs of installing and running them.”

Privacy, data protection concerns

Chennai-based independent tech researcher Srikanth points to the inherent surveillance dangers thanks to the centralised way in which the city police collects the CCTV data. “There is something concerning especially about Chennai City Traffic Police and other various city police’s approach to CCTV. The fundamental shift is that, at least in the city, these cameras are connected to the police control room. So data gets centrally collated. When centralization kicks in, power abuse isn't far away. This way it is far easier for police to destroy evidence,” he alleges.

Srikanth also points out, “CCTVs (especially connected ones) are usually funded by residents and/or merchants who spend their money in putting up the infrastructure, but freely give away the data to the police (often in good faith). There is no oversight on usage, storage, retention of this data and by sheer monopoly on law and order, the police is able to connect a vast number of private CCTVs on to its network.”

Significantly, he expresses concerns about there being no laws that govern the usage of CCTV footage by the police. “Even if one gives into the legitimate state aim to control crime, even if one can argue violation of privacy is proportional, there is no law around use of CCTV by police, let alone using them in investigations. That the state engages with private vendors (such as FaceTagr) and many others also provides these service providers access to data,” he explains.

Pranav also warns, “Furthermore, CCTV cameras also result in compromising the privacy of individuals, and if implemented by the state (as in the case of law enforcement), creates added surveillance risks. Compounding on this is the issue of the recorded video footage, which if stored/transmitted/managed in an non-secure manner creates data protection risks as well. This is especially true in India, where it is difficult to obtain the required infrastructure and expertise in running an effective and secure CCTV camera system.”

'Technology cannot replace interpersonal relationships'

Advising pragmatic thinking when it comes to crime prevention, professor Priyamvadha says that technology should complement what she calls the ‘human touch'. Junking the ‘holistic’ one-size-fits-all approach that is often paraded as a solution, the criminologist says that each crime requires a tailored method of tackling it. “For each and every crime, there is a different strategy. There maybe crimes committed by juveniles, crimes committed against women. For example, if female foeticide is rampant in a village, it is important to understand the village, the preferences of the people there and the caste practices present among them,” she observes.

While technology often allows law enforcement to cover more ground in cases of limited manpower, there’s also a chance the cameras could be seen as a substitute for forging interpersonal relationships between police and the people they seek to protect. “With quick transferring of cops nowadays, the local police station doesn’t have an understanding of the ongoings. Interpersonal relationships are more important than technological advances,” she notes.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-september-3-2019-manasa-rao-why-having-more-cctv-cameras-does-not-translate-to-crime-prevention

Why having more CCTV cameras does not translate to crime prevention

Manasa Rao — 2019-12-05T23:26:25Z

The article by Manasa Rao was published the News Minute on September 3, 2019. Pranav M. Bidare was quoted.

What the numbers say

The infallible CCTV myth

Over-reliance on technology

Privacy, data protection concerns

'Technology cannot replace interpersonal relationships'

For more details visit https://cis-india.org/internet-governance/news/why-having-more-cctv-cameras-does-not-translate-to-crime-prevention

Why did India fail to discover the ISIS Twitter handle?

praskrishna — 2014-12-27T03:27:16Z

India's surveillance system fails to track the servers of internet giants like Google or Facebook because these do not have servers in the country, says a leading cyber law expert.

The article by Anita Babu was published in the Business Standard on December 26, 2014. Sunil Abraham gave his inputs.

Back in 2009, after the investigation team, probing into the 26/11 Mumbai terror attacks, almost cracked the case, it was the US’s Federal Bureau of Investigation (FBI) which connected the missing links by arresting David Headley, the mastermind.

Five years later, India is staring at a similar situation, when Bengaluru-based Mehdi Masroor Biswas, was allegedly found to be operating a pro-ISIS (Islamic State) Twitter handle. It was a British broadcaster, Channel 4, which blew the lid off Biswas’s activity. Soon after the report, Indian authorities swung into action. Last year, when communal violence broke out in some parts of Uttar Pradesh, a Pakistani news organisation reported that a fake video was being circulated to fan sentiments.

But, why have Indian agencies failed to detect such activities which pose a threat to the national security? A senior government official said intelligence agencies in the country scan the internet for leads. But, in the light of increased threats, systems need to be beefed up significantly. Perhaps, as a first step towards this, the home ministry on Wednesday formed a committee to prepare a road map for tackling cyber crimes in the country.

It will give suitable recommendations on all facets of cyber crime, apart from suggesting possible partnerships with public and private sector, non-governmental organisations and international bodies.

According to Sunil Abraham, executive director of a Bengaluru-based research organisation, the Centre for Internet and Society, it’s time we move closer towards intelligent and targeted surveillance, rather than mass surveillance. This will require monitoring a selected accounts or profiles, instead of tapping information from across the population. Old-fashioned detective work is also very important, as it has helped zero in on Biswas.

Another problem the country faces is that a lot of data is being pooled in by multiple agencies, but of little use. “We must free up our law enforcement agencies and intelligence services from the curse of having too much data,” Abraham adds. Since most of the internet companies are headquartered outside India, the authorities face a lot of difficulties in accessing information from these networks.

“India’s surveillance system fails to track the servers of internet giants like Google or Facebook because these do not have servers in the country. Our system is only confined within the country,” says Pavan Duggal, a leading cyber law expert.

Since the US has the capability to access information from telecom companies, service providers such as Twitter and Facebook and the consortia that run submarine cables, these companies cooperate in a much more effective and immediate manner, adds Abraham. “But these are things that we will never be able to do in India,” he adds.

For instance, India follows the mutual legal assistance treaty procedure, to gather and exchange information in an effort to enforce public laws or criminal laws. However, this is a time-consuming process and often takes up to two years before we get any data from these companies.

But due to the threat of cyber-terrorism being shared by both companies and governments, companies such as Google, Twitter and Facebook are cooperating more than before, experts say.

Internet and Jurisdiction Project, an international group that works towards ensuring digital coexistence, tries to get a procedural law between two countries in a harmonised manner and includes collection, storage, handling and processing of evidence.

More lubricating efforts should be undertaken internationally on these lines, say experts. Hopefully, the new committee will take steps in this direction.

For more details visit https://cis-india.org/internet-governance/news/business-standard-december-26-2014-anita-babu-why-india-failed-to-discover-the-isis-twitter-handle

Why Data Localisation Might Lead To Unchecked Surveillance

pranesh — 2018-10-16T14:08:34Z

In recent times, there has been a rash of policies and regulations that propose that the data that Indian entities handle be physically stored on servers in India, in some cases exclusively. In other cases, only a copy needs to be stored.

The article was published in Bloomberg Quint on October 15, 2018 and also mirrored in the Quint.

In April 2018, the Reserve Bank of India put out a circular requiring that all “data relating to payment systems operated by them are stored in a system only in India” within six months. Lesser requirements have been imposed on all Indian companies’ accounting data since 2014 (the back-up of the books of account and other books that are stored electronically must be stored in India, the broadcasting sector under the Foreign Direct Investment policy, must locally store subscriber information, and the telecom sector under the Unified Access licence, may not transfer their subscriber data outside India).

The draft e-commerce policy has a wide-ranging requirement of exclusive local storage for “community data collected by Internet of Things devices in public space” and “data generated by users in India from various sources including e-commerce platforms, social media, search engines, etc.”, as does the draft e-pharmacy regulations, which stipulate that “the data generated” by e-pharmacy portals be stored only locally.

While companies such as Airtel, Reliance, PhonePe (majority-owned by Walmart) and Alibaba, have spoken up in support the government’s data localisation efforts, others like Facebook, Amazon, Microsoft, and Mastercard have led the way in opposing it.

Just this week, two U.S. Senators wrote to the Prime Minister’s office arguing that the RBI’s data localisation regulations along with the proposals in the draft e-commerce and cloud computing policies are “key trade barriers”. In her dissenting note to the Srikrishna Committee's report, Rama Vedashree of the Data Security Council of India notes that, “mandating localisation may potentially become a trade barrier and the key markets for the industry could mandate similar barriers on data flow to India, which could disrupt the IT-BPM (information technology-business process management) industry.”

Justification For Data Localisation

What are the reasons for these moves towards data localisation?

Given the opacity of policymaking in India, many of the policies and regulations provide no justification at all. Even the ones that do, don’t provide cogent reasoning.

The RBI says it needs “unfettered supervisory access” and hence needs data to be stored in India. However, it fails to state why such unfettered access is not possible for data stored outside of India.

As long as an entity can be compelled by Indian laws to engage in local data storage, that same entity can also be compelled by that same law to provide access to their non-local data, which would be just as effective.

What if they don’t provide such access? Would they be blacklisted from operating in India, just as they would if they didn’t engage in local data storage? Is there any investigatory benefit to storing data in India? As any data forensic expert would note, chain of custody and data integrity are what are most important components of data handling in fraud investigation, and not physical access to hard drives. It would be difficult for the government to say that it will block all Google services if the company doesn’t provide all the data that Indian law enforcement agencies request from it. However, it would be facile for the RBI to bar Google Pay from operating in India if Google doesn’t provide it “unfettered supervisory access” to data.

The most exhaustive justification of data localisation in any official Indian policy document is that contained in the Srikrishna Committee’s report on data protection. The report argues that there are several benefits to data localisation:

Effective enforcement,
Avoiding reliance on undersea cables,
Avoiding foreign surveillance on data stored outside India,
Building an “Artificial Intelligence ecosystem”

Of these, the last three reasons are risible.

Not A Barrier To Surveillance

Requiring mirroring of personal data on Indian servers will not magically give rise to experts skilled in statistics, machine learning, or artificial intelligence, nor will it somehow lead to the development of the infrastructure needed for AI.

The United States and China are both global leaders in AI, yet no one would argue that China’s data localisation policies have helped it or that America’s lack of data localisation polices have hampered it.

On the question of foreign surveillance, data mirroring will not have any impact, since the Srikrishna Committee’s recommendation would not prevent companies from storing most personal data outside of India.

Even for “sensitive personal data” and for “critical personal data”, which may be required to be stored in India alone, such measures are unlikely to prevent agencies like the U.S. National Security Agency or the United Kingdom’s Government Communications Headquarters from being able to indulge in extraterritorial surveillance.

In 2013, slides from an NSA presentation that were leaked by Edward Snowden showed that the NSA’s “BOUNDLESSINFORMANT” programme collected 12.6 billion instances of telephony and Internet metadata (for instance, which websites you visited and who all you called) from India in just one month, making India one of the top 5 targets.

This shows that technically, surveillance in India is not a challenge for the NSA.

So, forcing data mirroring enhances Indian domestic intelligence agencies’ abilities to engage in surveillance, without doing much to diminish the abilities of skilled foreign intelligence agencies.

As I have noted in the past, the technological solution to reducing mass surveillance is to use decentralised and federated services with built-in encryption, using open standards and open source software.

Reducing reliance on undersea cables is, just like reducing foreign surveillance on Indians’ data, a laudable goal. However, a mandate of mirroring personal data in India, which is what the draft Data Protection Bill proposes for all non-sensitive personal data, will not help. Data will stay within India if the processing happens within India. However, if the processing happens outside of India, as is often the case, then undersea cables will still need to be relied upon.

The better way to keep data within India is to incentivise the creation of data centres and working towards reducing the cost of internet interconnection by encouraging more peering among Internet connectivity providers.

While data mirroring will not help in improving the enforcement of any data protection or privacy law, it will aid Indian law enforcement agencies in gaining easier access to personal data.

The MLAT Route

Currently, many forms of law enforcement agency requests for data have to go through onerous channels called ‘mutual legal assistance treaties’. These MLAT requests take time and are ill-suited to the needs of modern criminal investigations. However, the U.S., recognising this, passed a law called the CLOUD Act in March 2018. While the CLOUD Act compels companies like Google and Amazon, which have data stored in Indian data centres, to provide that data upon receiving legal requests from U.S. law enforcement agencies, it also enables easier access to foreign law enforcement agencies to data stored in the U.S. as long as they fulfill certain procedural and rule-of-law checks.

While the Srikrishna Committee does acknowledge the CLOUD Act in a footnote, it doesn’t analyse its impact, doesn’t provide suggestions on how India can do this, and only outlines the negative consequences of MLATs.

Further, it is inconceivable that the millions of foreign services that Indians access and provide their personal data to will suddenly find a data centre in India and will start keeping such personal data in India. Instead, a much likelier outcome, one which the Srikrishna Committee doesn’t even examine, is that many smaller web services may find such requirements too onerous and opt to block users from India, similar to the way that Indiatimes and the Los Angeles Times opted to block all readers from the European Union due to the coming into force of the new data protection law.

The government could be spending its political will on finding solutions to the law enforcement agency data access question, and negotiating solutions at the international level, especially with the U.S. government. However it is not doing so.

Given this, the recent spate of data localisation policies and regulation can only be seen as part of an attempt to increase the scope and ease of the Indian government’s surveillance activities, while India’s privacy laws still remain very weak and offer inadequate legal protection against privacy-violating surveillance. Because of this, we should be wary of such requirements, as well as of the companies that are vocal in embracing data localisation.

For more details visit https://cis-india.org/internet-governance/blog/bloomberg-quint-pranesh-prakash-october-15-2018-why-data-localisation-might-lead-to-unchecked-surveillance

Why 'Facebook' is More Dangerous than the Government Spying on You

maria — 2013-11-23T08:38:30Z

In this article, Maria Xynou looks at state and corporate surveillance in India and analyzes why our "choice" to hand over our personal data can potentially be more harmful than traditional, top-down, state surveillance. Read this article and perhaps reconsider your "choice" to use social networking sites, such as Facebook.

Do you have a profile on Facebook? Almost every time I ask this question, the answer is ‘yes’. In fact, I think the amount of people who have replied ‘no’ to this question can literally be counted on my right hand. But this is not an article about Facebook per se. It’s more about the ‘Facebooks’ of the world, and of people’s increasing “choice” to hand over their most personal data. More accurate questions are probably:

“Would you like the Government to go through your personal diary? If not, then why do you have a profile on Facebook?”

The Indian Surveillance State

Following Snowden ’s revelations, there’s finally been more talk about surveillance. But what is surveillance?

David Lyon - who directs the Surveillance Studies Centre - defines surveillance as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered”. Surveillance can also be defined as the monitoring of the behaviour, activities or other changing information of individuals or groups of people. However, this definition implies that individuals and/or groups of people are being monitored in a top-down manner, without this being their “choice”. But is that actually the case? To answer this question, let’s have a look at how the Indian government and corporations operating in India spy on us.

State Surveillance

The first things that probably come to mind when thinking about India from a foreigner’s perspective are poverty and corruption. Surveillance appears to be a “Western, elitist issue”, which mainly concerns those who have already solved their main survival problems. In other words, the most mainstream argument I hear in India is that surveillance is not a real issue, especially since the majority of the population in the country lives below the line of poverty and does not even have any Internet access. Interestingly enough though, the other day when I was walking around a slum in Koramangala, I noticed that most people have Airtel satellites...even though they barely have any clean water!

The point though is that surveillance in India is a fact, and the state plays a rather large role in it. In particular, Indian law enforcement agencies follow three steps in ensuring that targeted and mass surveillance is carried out in the country:

1. They create surveillance schemes, such as the Central Monitoring System (CMS ), which carry out targeted and/or mass surveillance

2. They create laws, guidelines and license agreements, such as the Information Technology (Amendment ) Act 2008, which mandate targeted and mass surveillance and which require ISP and telecom operators to comply

3. They buy surveillance technologies from companies, such as CCTV cameras and spyware, and use them to carry out targeted and/or mass surveillance

While Indian law enforcement agencies don’t necessarily follow these steps in this precise order, they usually try to create surveillance schemes, legalise them and then buy the gear to carry them out.

In particular, surveillance in India is regulated under five laws: the Indian Telegraph Act 1885, the Indian Post Office Act 1898, the Indian Wireless Telegraphy Act 1933, section 91 of the 1973 Code of Criminal Procedure (CrPc ) and the Information Technology (Amendment ) Act 2008. These laws mandate targeted surveillance, but remain silent on the issue of mass surveillance which means that technically it is neither allowed nor prohibited, but remains a grey legal area.

While surveillance laws in India may not mandate mass surveillance, some of their sections are particularly concerning. Section 69 of the Information Technology (Amendment ) Act 2008 allows for the interception of all information transmitted through a computer resource, while requiring that all users disclose their private encryption keys or face a jail sentence of up to seven years. This appears to be quite bizarre, as individuals can only keep their data private and protect themselves from surveillance through encryption.

Section 44 of the Information Technology (Amendment) Act 2008 imposes stiff penalties on anyone who fails to provide requested information to authorities - which kind of reminds us of Orwell’s totalitarian regime in “1984”. Furthermore, section 66A of the same law states that individuals will be punished for sending “offensive messages through communication services”. However, the vagueness of this section raises huge concerns, as it remains unclear what defines an “offensive message” and whether this will have grave implications on the freedom of expression. The arrest of two Indian women last November over a Facebook post reminds us of this.

Laws in India may not mandate mass surveillance, but guidelines and license agreements issued by the Department of Telecommunications do. In particular, the UAS License Agreement regarding the Central Monitoring System (CMS ) not only mandates mass surveillance, but also attempts to legalise a mass surveillance scheme which aims to intercept all telecommunications and Internet communications in India. Furthermore, the Department of Telecommunications has issued numerous guidelines and license agreements for ISPs and telecom operators, which require them to not only be “surveillance-friendly”, but to also enable law enforcement agencies to tap into their servers on the grounds of national security. And then, of course, there’s the new National Cyber Security Policy, which mandates surveillance to tackle cyber-crime, cyber-terrorism, cyber-war and cyber-vandalism.

As both a result and prerequisite of these laws, the Indian government has created various surveillance schemes and teams to aid them. In particular, India ’s Computer Emergency Response Team (CERT ) is currently monitoring “any suspicious move on the Internet” in order to checkmate any potential cyber attacks from hackers. While this may be useful for the purpose of preventing and detecting cyber-criminals, it remains unclear how “any suspicious move” is defined and whether that inevitably enables mass surveillance, without individuals’ knowledge or consent.

The Crime and Criminal Tracking and Network & Systems (CCTNS ) is the creation of a nationwide networking infrastructure for enhancing the efficiency and effectiveness of policing and sharing data among 14,000 police stations across the country. It has been estimated that Rs. 2000 crore has been allocated for the CCTNS project and while it may potentially increase the effectiveness of tackling crime and terrorism, it raises questions around the legality of data sharing and its potential implications on the right to privacy and other human rights - especially if such data sharing results in data being disclosed or shared with unauthorised third parties.

Similarly, the National Intelligence Grid (NATGRID ) is an integrated intelligence grid that will link the databases of several departments and ministries of the Government of India so as to collect comprehensive patterns of intelligence that can be readily accessed by intelligence agencies. This was first proposed in the aftermath of the Mumbai 2008 terrorist attacks and while it may potentially aid intelligence agencies in countering crime and terrorism, enforced privacy legislation should be a prerequisite, which would safeguard our data from potential abuse.

However, the most controversial surveillance scheme being implemented in India is probably the Central Monitoring System (CMS). While several states, such as Assam, already have Internet Monitoring Systems in place, the Central Monitoring System appears to raise even graver concerns. In particular, the CMS is a system through which all telecommunications and Internet communications in India will be monitored by Indian authorities. In other words, the CMS will be capable of intercepting our calls and of analyzing our data on social networking sites, while all such data would be retained in a centralised database. Given that India currently lacks privacy legislation, such a system would mostly be unregulated and would pose major threats to our right to privacy and other human rights. Given that data would be centrally stored, the system would create a type of “honeypot” for centralised cyber attacks. Given that the centralised database would have massive volumes of data for literally a billion people, the probability of error in pattern and profile matching would be high - which could potentially result in innocent people being convicted for crimes they did not commit. Nonetheless, mass surveillance through the CMS is currently a reality in India.

And the even bigger question: How can law enforcement agencies mine the data of 1.2 billion people? How do they even carry out surveillance in practice? Well, that’s where surveillance technology companies come in. In fact, the surveillance industry in India is massively expanding - especially in light of its new surveillance schemes which require advanced and sophisticated technology. According to CIS ’ India Privacy Monitor Map - which is part of ongoing research - Indian law enforcement agencies use CCTV cameras in pretty much every single state in India. The map also shows that Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are being used in most states in India and the DRDO ’s “Netra ” - which is a lightweight drone, not much bigger than a bird - is particularly noteworthy.

But Indian law enforcement agencies also buy surveillance software and hardware which is aimed at intercepting telecommunications and Internet communications. In particular, ClearTrail Technologies is an Indian company - based in Indore - which equips law enforcement agencies in India and around the world with surveillance software which can probably be compared with the “notorious” FinFisher. So in short, there appears to be a tight collaboration between Indian law enforcement agencies and the surveillance industry, which can be clearly depicted in the ISS surveillance trade shows, otherwise known as “the wiretappers’ ball”.

Corporate Surveillance

When I ask people about corporate surveillance, the answer I usually get is: “Corporations only care about their profit - they don’t do surveillance per se”. And while that may be true, David Lyon ’s definition of surveillance - as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” - may indicate otherwise.

Corporations, like Google, Amazon and Facebook, may not have an agenda for spying per se, but they do collect massive volumes of personal data and, in cases such as PRISM, allow law enforcement to tap into their servers. Once law enforcement agencies get hold of data collected by companies, such as Facebook, they then use data mining software - equipped by various surveillance technology companies - to process and mine the data. And how do companies, like Google and Facebook, make money off our personal data? By selling it to big buyers, such as law enforcement agencies.

So while Facebook and all the ‘Facebooks’ of the world may not profit from surveillance per se, they do profit from collecting our personal data and selling it to third parties, which include law enforcement agencies. And David Lyon argues that surveillance involves the collection of personal data - which corporations, like Facebook, do - for the purpose of influencing and managing individuals. While this last point can probably be widely debated on, it is clear that corporations share their collected data with third parties, which ultimately leads to the influence or managing of individuals - directly or indirectly. In other words, the collection of personal data, in combination with its disclosure to third parties, is surveillance. So when we think about companies, like Google or Facebook, we should not just think of businesses interested in their profit - but also of spying agencies. After all, “if the product is free , you are the product ”.

Now if we look at online corporations more closely, we can probably identify three categories:

1. Websites through which we buy products and hand over our personal details - e.g. Amazon

2. Websites through which we use services and hand over our personal details - e.g. flight ticket

3. Websites through which we communicate and hand over our personal details - e.g. Facebook

And why could the above be considered “spying” at all? Because such corporations collect massive volumes of personal data and subsequently:

- Disclose such data to law enforcement agencies

- Allow law enforcement agencies to tap into their servers

- Sell such data to “third parties”

What’s notable about so-called corporate surveillance is that, in all cases, there is a mutual, key element: we consent to the handing over of our personal information. We are not forced to hand over our personal data when buying a book online, booking a flight ticket or using Facebook. Instead, we “choose” to hand over our personal data in exchange for a product or service. Now what significantly differentiates state surveillance to corporate surveillance is the factor of “choice”. While we may choose to hand over our most personal details to large online corporations, such as Google and Facebook, we do not have a choice when the government monitors our communications, collects and stores our personal data.

State Surveillance vs. Corporate Surveillance

Both Indian law enforcement agencies and corporations collect massive volumes of personal data. In fact, it is probably noteworthy to mention that Facebook, in particular, collects 20 times more data per day than the NSA in total. In addition, Facebook has claimed that it has received more demands from the US government for information about its users than from all other countries combined. In this sense, the corporate collection of personal data can potentially be more harmful than government surveillance, especially when law enforcement agencies are tapping into the servers of companies like Facebook. After all, the Indian government and all other governments would have very little data to analyse if it weren’t for such corporations.

Surveillance is not just about “spying” or about “watching people” - it’s about much much more. Observing people’s behaviour only really becomes harmful when the data observed is collected, retained, analysed, shared and disclosed to unauthorised third parties. In other words, surveillance is meaningful to examine because it involves the analysis of data, which in turn involves pattern matching and profiling, which can potentially have actual, real-world implications - good or bad. But such analysis cannot be possible without having access to large volumes of data - most of which belong to large corporations, like Facebook. The question, though, is: How do corporations collect such large volumes of personal data, which they subsequently share with law enforcement agencies? Simple: Because we “choose” to hand over our data!

Three years ago, when I was doing research on young people’s perspective of Facebook, all of the interviewees replied that they feel that they are in control of their personal data, because they “choose” what they share online. While this may appear to be a valid point, the “choice” factor can widely be debated on. There are many reasons why people “choose” to hand over their personal data, whether to buy a product, use a service, to communicate with peers or because they feel socially pressured into using social networking sites. Nonetheless, it all really comes down to one main reason: convenience. Today, in most cases, the reason why we hand over our personal data online in exchange for products or services is because it is simply more convenient to do so. And while that is understandable, at the same time we are exposing our data (and ultimately our lives) in the name of convenience.

The irony in all of this is that, while many people reacted to Snowden ’s revelations on NSA dragnet surveillance, most of these people probably have profiles on Facebook. Secret, warrantless government surveillance is undeniably intrusive, but in the end of the day, our profiles on Facebook - and on all the ‘Facebooks’ of the world - is what enabled it to begin with. In other words, if we didn’t choose to give up our personal data - especially without really knowing how it would be handled - large databases would not exist and the NSA - and all the ‘NSAs’ of the world - would have had a harder time gathering and analysing data.

In short, the main difference between state and corporate surveillance is that the first is imposed in a top-down manner by authorities, while the second is a result of our “choice” to give up our data. While many may argue that it’s worse to have control imposed on you, I strongly disagree. When control and surveillance are imposed on us in a top-down manner, it’s likely that we will perceive this - sooner or later - as a direct threat to our human rights, which means that it’s likely that we will resist to it at some point. People usually react to what they perceive as a direct threat, whereas they rarely react to what does not directly affect them. For example, one may perceive murder or suicide as a direct threat due the immediateness of its effect, whereas smoking may not be seen as an equally direct threat, because its consequences are indirect and can usually be seen in the long term. It’s somehow like that with surveillance.

University students have protested on the streets against the installation of CCTV cameras, but how many of them have profiles on social networking sites, such as Facebook? People may react to the installation of CCTV cameras, because it may appear as a direct threat to their right to privacy. However, the irony is that the real danger does not necessarily lie within some CCTV cameras, but rather within the profile of each person on a major commercial social networking site. At very best, a CCTV camera will capture some images of us and through that, track our location and possibly our acquaintances. What type of data is captured through a simple, “harmless” Facebook profile? The following probably only includes a tiny percentage of what is actually captured:

- Personal photos

- Biometrics (possibly through photos)

- Family members

- Friends and acquaintances

- Habits, hobbies and interests

- Location (through IP address)

- Places visited

- Economic standing (based on pictures, comments, etc.)

- Educational background

- Ideas and opinions (which may be political, religious, etc.)

- Activities

- Affiliations

The above list could potentially go on and on, probably depending on how much - or what type - of data is disclosed by the individual. The interesting element to this is that we can never really know how much data we are disclosing, even if we think we control it. While an individual may argue that he/she chooses to disclose an x amount of data, while retaining the rest, that individual may actually be disclosing a 10x amount of data. This may be the case because usually every bit of data hides lots of other bits of data, that we may not be aware of. It all really comes down to who is looking at our data, when and why.

For example, (fictional) Priya may choose to share on her Facebook profile (through photos, comments, or any other type of data) that she is female, Indian, a Harvard graduate and that her favourite book is “Anarchism and other Essays ” by Emma Goldman. At first glance, nothing appears to be “wrong” with what Priya is revealing and in fact, she appears to care about her privacy by not revealing “the most intimate details” of her life. Moreover, one could argue that there is absolutely nothing “incriminating” about her data and that, on the contrary, it just reflects that she is a “shiny star” from Harvard. However, I am not sure if a data analyst would be restricted to this data and if data analysis would show the same “sparkly” image.

In theory, the fact that Priya is an Indian who attended Harvard reveals another bit of information, that Priya did not choose to share: her economic standing. Given that the majority of Indians live below the line of poverty, there is a big probability that Priya belongs to India’s middle class - if not elite. Priya may not have intentionally shared this information, but it was indirectly revealed through the bits of data that she did reveal: female Indian and Harvard graduate. And while there may not be anything “incriminating” about the fact that she has a good economic standing, in India this usually means that there’s also some strong political affiliation. That brings us to her other bit of information, that her favourite author is a feminist, anarchist. While that may be viewed as indifferent information, it may be crucial depending on the specific political actors in the country she’s in and on the general political situation. If a data analyst were to map the data that Priya chose to share, along with all her friends and acquaintances that she inevitably has through Facebook, that data analyst could probably tell a story about her. And the concerning part is that that story may or may not be true. But that doesn’t really matter.

Today, governments don’t judge us and take decisions based on our version of our data, but based on what our data says about us. And perhaps, under certain political, social and economic circumstances, our “harmless” data could be more incriminating than what we think. While an individual may express strong political views within a democratic regime, if that political system were to change in the future and to become authoritarian, that individual would possibly be suspicious in the eyes of the government - to say the least. This is where data retention plays a significant role.

Most companies retain data indefinitely or for a long period of time, which means that future, potentially less-democratic governments may have access to it. And the worst part is that we can never really know what data is being held about us, because within data analysis, every bit of data may potentially entails various other bits of data that we are not even aware of. So, when we “choose” to hand over our data, we don’t necessarily know what or how much we are choosing to disclose. Thus, this is why I agree with Bruce Schneier’s argument that people have an illusionary sense of control over their personal data.

Social network analysis software is specifically designed to mine huge volumes of data that is collected through social networking sites, such as Facebook. Such software is specifically designed to profile individuals, to create “trees of communication” around them and to match patterns. In other words, this software tells a story about each and every one of us, based on our activities, interests, acquaintances, and all other data. And as mentioned before, such a story may or may not be true.

In data mining, behavioural statistics are being used to analyse our data and to predict how we are likely to behave. When applied to national databases, this may potentially amount to predicting how masses or groups within the public are likely to behave and to subsequently control them. If a data analyst can predict an individual’s future behaviour - with some probability - based on that individuals’ data, the same could potentially occur on a mass, public level. As such, the danger within surveillance - especially corporate surveillance through which we voluntarily disclose massive amounts of data about ourselves - is that it appears to come down to public control.

According to security expert Bruce Schneier, data today is a byproduct of the Information Society. Unlike an Orwellian totalitarian state where surveillance is imposed in a top-down manner, surveillance today appears to widely exist because we indirectly choose and enable it (by handing over our data to online companies), rather than it being imposed on us in a solely top-down manner. However, contemporary surveillance may potentially be far worse than that described in Orwell’s “1984”, because surveillance is publicly perceived to be an indirect threat - if considered to be a threat at all. It is more likely that people will resist a direct threat, than an indirect threat, which means that the possibility of mass violations of human rights as a result of surveillance is real.

Hannah Arendt argued that a main prerequisite and component of totalitarian power is support by the masses. Today, surveillance appears to be socially integrated within societies which indicates that contemporary power fueled by surveillance has mass support. While the argument that surveillance is being socially integrated can potentially be widely debated on and requires an entire in depth research of its own, few simple facts might be adequate to prove it at this stage. Firstly, CCTV cameras are installed in most countries, yet there has been very little resistance - on the contrary, there appears to be a type of universal acceptance on the grounds of security. Secondly, different types of spy products exist in the market - such as Spy Coca Cola cans - which can be purchased by anyone online. Thirdly, countries all over the world carry out controversial surveillance schemes - such as the Central Monitoring System in India - yet public resistance to such projects is limited. And while one may argue that the above cases don’t necessarily prove that surveillance is being socially integrated, it would be interesting to look at a fourth fact: most people who have Internet access choose to share their personal data through the use of social networking sites.

Reality shows, such as Big Brother, which broadcast the surveillance of people’s lives and present it as a form of entertainment - when actually, I think it should be worrisome - appear to enable the social integration of surveillance. The very fact that we all probably - or, hopefully - know that Facebook can share our personal data with unauthorised third parties and - now, after the Snowden revelations - that governments can tap into Facebook’s servers, should be enough to convince us to delete our profiles. Yet, why do we still all have Facebook profiles? Perhaps because surveillance is socially integrated and perhaps because it is just convenient to be on Facebook. But that doesn’t change the fact that surveillance can potentially be a threat to our human rights. It just means that we perceive surveillance as an indirect threat and that we are unlikely to react to it.

In the long term, what does this mean? Well, it seems like we will probably be more acceptive towards more authoritarian power, that we will be used to the idea of censoring our own thoughts and actions (in the fear of getting caught by the CCTV camera on the street or the spyware which may or may not be implanted in our laptop) and that ultimately, we will be less politically active and more reluctant to challenge the authority.

What’s particularly interesting though about surveillance today is that it is fueled and enabled through our freedom of speech and general Internet freedom. If we didn’t have any Internet freedom - or as much as we do - we would have disclosed less personal data and thus surveillance would probably have been more restricted. The more Internet freedom we have, the more personal data we will disclose on Facebook - and on all the ‘Facebooks’ of the world - and the more data will potentially be available to mine, analyse, share and generally incorporate in the surveillance regime. So in this sense, Internet freedom appears to be a type of prerequisite of surveillance, as contradictory and ironic as it may seem. No wonder why the Chinese government has gone the extra mile in creating the Chinese versions of Facebook and Twitter - it’s probably no coincidence.

While we may blame governments for establishing surveillance schemes, ISP and TSP operators for complying with governments’ license agreements which often mandate that they create backdoors for spying on us and security companies for creating the surveillance gear in the first place, in the end of the day, we are all equally a part of this mess. If we didn’t choose to hand over our personal data to begin with, none of the above would have been possible.

The real danger in the Digital Age is not necessarily surveillance per se, but our choice to voluntarily disclose our personal data.

For more details visit https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you

Who Minds the Maxwell's Demon (Revisiting Communication Networks through the Lens of the Intermediary)

sharath — 2013-03-05T07:37:37Z

A holistic reflection on information networks and it’s regulatory framework is possible only when the medium-specific boundary that has often separated the Internet and Telecom networks begins to dissolve, to objectively reveal points of contention in the communication network where the dynamics of network security and privacy are at large – namely, within the historic role of the intermediary at data/signal switching and routing nodes.

It is unfair to contextualize the history of the Internet without looking at how analog information networks like cable and wireless telegraph and later, the telephone, almost coincidentally necessitated the invention of automated networks for remote machine control and peer-to- peer communication over the Internet that promised to drastically reduce intermediary overheads. While the whole world was fraught in patent wars over wired private networks, the first nodes of the ‘open’ internet were built in a two-week global meeting of computer scientists who were flown down to simply prepare for ‘a public exhibition’ of the ARPANET in 1971.

While India only received it’s first telephone in New Delhi late into the 20^th century, “Telegraph Laws” to most of the Indian working class always remained an ominously urgent telegram that brought the news of a dear one who had taken seriously ill. And so, on a lateral note, it is apt to bring to light the life of one Mr Almond Brown Strowger, wherein the idea of an automatic telephone exchange was given birth to by the ‘business of death’.

The Automatic Telephone Exchange

Almond Strowger was an undertaker based in Missouri, in a town where there was yet another undertaker, who’s wife incidentally was an operator in the then manual telephone exchange. Strowger came to believe the reason he received fewer phone calls was that his business competitor’s wife ended up preferentially routing all callers seeking Strowger’s funeral services to her undertaker husband instead. Strowger conceived the initial idea in 1888 and patented ‘The Automatic Telephone Exchange’ in 1891. http://goo.gl/oieIJ

Popularly known as the ‘Strowger Switch’, the Step-by Step switch (SXS switch) consisted of two interfaces – One at the customer’s end that used telegraph keys (and later a rotary dial) to send a train of electric current pulses corresponding to the digits 0 -9 all the way to the exchange. The actual Strowger switch at the exchange, used an electromechanical device that could move vertically to select one of 10 contacts, and then rotated to select one of another 10 in each row – a total of 100 choices. Consequently was formed in 1892, the Strowger Automatic Telephone Exchange Company at Indiana with about 75 subscribers. Strowger later sold his patents for $10,000 in 1898 to the Automatic Electric Company, a competitor of Bell System’s Western Electric. His patents were eventually acquired by Bell systems for $2.5 million in 1916, showing just how much growth and investor interest the telephone industry had gained by then.

Switching Paradigms

The architecture of global communication was headed towards different ideals and directions. Most media historians contrast these methodologies into ‘circuit switching’ and ‘packet switching’, or a connection-oriented fault intolerant system on one hand and another connection-less fault tolerant protocol respectively, both of which were being developed concurrently. In reality however, a major driving factor were the stakeholders backing the infrastructure of the rapidly growing communication industry, who were looking for growing returns on their investments. And hence these parallel ramifications may also be looked at through the lens of closed proprietary and medium specific networks versus an open, shared, medium in-specific paradigm of information theory.

Circuit switching relied on an assured dedicated connection between 2 nodes, and was especially patronized by the industry that saw telecommunication as the latest fad in urban luxury (a key factor in the distinction of suburban areas as the affluent moved into urban areas that were ‘connected’ by telephone). Owners and manufacturers of the hardware infrastructure became the most significant stakeholders. The revenue model was based on the amount of time the network was used and hence was popular in analog voice telephone networks. The entire bandwidth of the channel was made available for the duration of the session along with a fixed delay between communicating nodes. Therefore, even if there was no information being transmitted during a session, the channel would not be made available to anyone else waiting to use it unless released by the previous party. Early telephone exchanges relied on manual labour to facilitate switching until the automated exchange came about.

Packet switching on the other hand, leaned towards the paradigm of shared bandwidth and resources, and more importantly approached communication with complete disregard to the medium of transmission, be it wired or wireless. Furthermore, it also disregarded the content, modality and form of communication with an objectified data-centric approach. Information to be transmitted was divided into structured “packets” or “capsules”. These packets were all ‘thrown’ into the shared network pool consisting of numerous other such packets, each with its own destination, to be carefully buffered, stored and forwarded by intermediary routers in the network. Apart from occasional packet loss, the time taken to send a message is indeterminate and is dependent on the overall traffic load on the network at any given time.

INTERFACE MESSAGE PROCESSOR and the ICCC ‘Hackathon’

Plans forged on into the early 1960s towards the development of an open architecture to enable network communication between computer systems, culminating in the invention of the ‘interface message processor’ that promised to herald the coming of an era of packet switching by enabling the ARPANET (Advanced Research Projects Agency Network), the first wide area packet switched network – and precursor to the world wide web as we know it today.

While the Information Processing Techniques Office (IPTO) had previously contracted Larry Roberts who in 1965 developed the first packet switched network between two computers , the TX-2 at MIT with a Q-32 in California, a growing need was felt to have a centralized terminal with access to multiple sites that would enable any computer to connect to any site. The first IMP was commissioned to be built by the engineering firm BBN (Bolt, Beranek and Newman, a professor student trio from MIT).

(The very first Interface Message Processor by BBN: Courtesy: http://goo.gl/tvo8n)

By 1971, the four original nodes that connected the ARPANET (viz, UCLA, Stanford Research Institute, University of Utah and University of California at Santa Barbara) had expanded to 15 nodes, but the lack of a common host protocol meant that a full-scale implementation and adoption of the ARPANET was far from complete. The time had come to allow the public to engage with the promising future that the Internet held. What entailed was the organization of first public International Conference on Computer Communication (1972) (http://goo.gl/PFhtL) under the umbrella of the IEEE Computer Society at the Hilton Hotel, Washington D.C. In many ways the event was the original version of a modern day new media art ‘hackathon’ and involved about 50 computer scientists who were flown in from around the globe alongside the likes of Vint Cerf and Bob Metcalfe. The deadline of a public demonstration provided the much-needed impetus to drive the network to functional completion. Exhibits included a variety of networked applications like the famed dialogue between the ‘paranoid patient’ chatbot PARRY and doctor ELIZA, motion control of the LOGO ‘Turtle’ across the network and remote access of digital files that were printed on paper locally. A milestone in distributed packet switching had been achieved and the stage had been set to compete with the archaic paradigm of circuit switched networks, even as delegates from AT&T (incidentally one of the funders of the event) watched on with the hope that the demonstration would run into a fatal glitch.

Who Minds the Maxwell's Demon

It may not be boldly evident from the vast corpus of policy research surrounding the regulation of communication networks (be it the issues of network security, privacy, anonymity, surveillance or billing systems) that key-points in the control system where dynamics play at large, are at the interfacing nodes and data/signal switches at either transceiver nodes as well as intermediary nodes. This is further underlined by the historical fact that the invention of the automatic telephone exchange was fuelled by the necessity to ensure a paradigm of unbiased circuit switching within the context of a networked business.

Just a glimpse at the number of patents that directly or indirectly refer to the Automatic Telephone Exchange patent shall bring to light myriad applications that range from “Linking of Personal Information Management Data”, “Universal Data Aggregation”, “Flexible Billing Architecture”, ”Multiple Data Store Authentication” , “Managing User to User Contact using Inferred Presence Detection” to various paradigms surrounding distributed systems for cache defeat detection, most of which are part of PUSH technology services that manage networked smartphone applications from instant messaging to email access. Other proposed systems for spectrum management and dynamic bandwidth allocation, such as policy alternatives to spectrum auction that entail frequency hopping at the transmitter level shall invariably depend on a centralized automated intermediary who shall in theory have transparent access to data flow. The role of routing intermediaries with specialized access, poses many interesting questions with regards to policy issues that surround network privacy and security.

This brings us back to the seemingly comical reference that this article makes to a mysterious entity named the ‘Maxwell’s Demon’. A thought experiment proposed by James Clerk Maxwell, involved a chamber of gas molecules at equilibrium that was divided into two halves along with a ‘door’ controlled by the “Maxwell’s Demon”. The demon had the ability to ‘open’ the door to allow faster than average molecules to enter one side of the chamber while slower molecules ended up on the other side of the chamber, causing the former side to heat up while the other side gradually cooled down, thereby establishing a temperature difference without doing any work, and thus violating the 2^nd Law of Thermodynamics. The parallel drawn in this article between networked switching intermediaries and the Maxwell’s demon does not go beyond this simple functional similarity.

However for the ambitious reader, it maybe interesting to note that ever since the invention of digital computers, scientists have actively pursued the paradox of Maxwell’s demon to revisit physical fundamentals governing information theory and information processing, which has involved analyzing the thermodynamic costs of elementary information manipulation in digital circuits – A study that probably constantly engages Google as they pump water through steel tubes to cool their million servers.

We shall save all this for another day, but on yet another related note, everytime say an email sent to an invalid address bounces back to your inbox as a “Mailer Daemon”, let it be known that the “Daemon” in Operating System terminology that refers to an invisible background process that the user has no control over, infact directly owes it’s etymology to the paradox of ‘Maxwell’s Demon’.

For more details visit https://cis-india.org/telecom/blog/who-minds-the-maxwells-demon

Who Governs the Internet? Implications for Freedom and National Security

sunil — 2014-04-05T16:23:36Z

The second half of last year has been quite momentous for Internet governance thanks to Edward Snowden. German Chancellor Angela Merkel and Brazilian President Dilma Rousseff became aware that they were targets of US surveillance for economic not security reasons. They protested loudly.

The article was published in Yojana (April 2014 Issue). Click to download the original here. (PDF, 177 Kb)

The role of the US perceived by some as the benevolent dictator or primary steward of the Internet because of history, technology, topology and commerce came under scrutiny again. The I star bodies also known as the technical community - Internet Corporation for Assigned Names and Numbers (ICANN); five Regional Internet Registries (RIRs) ie. African, American, Asia-Pacific, European and Latin American; two standard setting organisations - World Wide Web Consortium (W3C) & Internet Engineering Task Force (IETF); the Internet Architecture Board (IAB); and Internet Society (ISOC) responded by issuing the Montevideo Statement [1] on the 7th of October. The statement expressed "strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance." It called for "accelerating the globalization of ICANN and IANA functions..." - did this mean that the I star bodies were finally willing to end the special role that US played in Internet governance? However, that dramatic shift in position was followed with the following qualifier "...towards an environment in which all stakeholders, including all governments, participate on an equal footing." Clearly indicating that for the I star bodies multistakeholderism was non-negotiable. Two days later President Rousseff after a meeting with Fadi Chehadé, announced on Twitter that Brazil would host "an international summit of governments, industry, civil society and academia." [2] The meeting has now been dubbed Net Mundial and 188 proposals for “principles” or “roadmaps for the further evolution of the Internet governance ecosystem” have been submitted for discussion in São Paulo on the 23rd and 24th of April. The meeting will definitely be an important milestone for multilateral and multi-stakeholder mechanisms in the ecosystem.

It has been more than a decade since this debate between multilateralism and multi-stakeholderism has ignited. Multistakeholderism is a form of governance that seeks to ensure that every stakeholder is guaranteed a seat at the policy formulation table (either in consultative capacity or in decision making capacity depending who you ask). The Tunis Agenda, which was the end result of the 2003-05 WSIS upheld the multistakeholder mode. The 2003–2005 World Summit on the Information Society process was seen by those favouring the status quo at that time as the first attempt by the UN bodies or multilateralism - to takeover the Internet. However, the end result i.e. Tunis Agenda [3] clarified and reaffirmed multi-stakeholderism as the way forward even though multilateral governance mechanisms were also accepted as a valid component of Internet governance. The list of stakeholders included states, the private sector, civil society, intergovernmental organisations, international standards organisations and the “academic and technical communities within those stakeholder groups mentioned” above. The Tunis Agenda also constituted the Internet Governance Forum (IGF) and the process of Enhanced Cooperation.

The IGF was defined in detail with a twelve point mandate including to “identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations.” In brief it was to be a learning Forum, a talk shop and a venue for developing soft law not international treaties. Enhanced Cooperation was defined as “to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues” – and to this day, efforts are on to define it more clearly.

Seven years later, during the World Conference on Telecommunication in Dubai, the status quoists dubbed it another attempt by the UN to take over the Internet. Even those non-American civil society actors who were uncomfortable with US dominance were willing to settle for the status quo because they were convinced that US court would uphold human rights online more robustly than most other countries. In fact, the US administration had laid a good foundation for the demonization of the UN and other nation states that preferred an international regime. "Internet freedom" was State Department doctrine under the leadership of Hillary Clinton. As per her rhetoric – there were good states, bad states and swing states. The US, UK and some Scandinavian countries were the defenders of freedom. China, Russia and Saudi Arabia were examples of authoritarian states that were balkanizing the Internet. And India, Brazil and Indonesia were examples of swing states – in other words, they could go either way – join the good side or the dark side.

But Internet freedom rhetoric was deeply flawed. The US censorship regime is really no better than China’s. China censors political speech – US censors access to knowledge thanks to the intellectual property (IP) rightsholder lobby that has tremendous influence on the Hill. Statistics of television viewership across channels around the world will tell us how the majority privileges cultural speech over political speech on any average day. The great firewall of China only affects its citizens – netizens from other jurisdictions are not impacted by Chinese censorship. On the other hand, the US acts of censorship are usually near global in impact.

This is because the censorship regime is not predominantly based on blocking or filtering but by placing pressure on identification, technology and financial intermediaries thereby forcing their targets offline. When it comes to surveillance, one could argue that the US is worse than China. Again, as was the case with censorship, China only conducts pervasive blanket surveillance upon its citizens – unlike US surveillance, which not only affects its citizens but targets every single user of the Internet through a multi-layered approach with an accompanying acronym soup of programmes and initiatives that include malware, trojans, software vulnerabilities, back doors in encryption standards, over the top service providers, telcos, ISPs, national backbone infrastructure and submarine fibre optic cables.

Security guru Bruce Schneier tells us that "there is no security without privacy. And liberty requires both security and privacy.” Blanket surveillance therefore undermines the security imperative and compromises functioning markets by make e-commerce, e-banking, intellectual property, personal information and confidential information vulnerable. Building a secure Internet and information society will require ending mass surveillance by states and private actors.

The Opportunity for India

Unlike the America with its straitjacketed IP regime, India believes that access to knowledge is a precondition for freedom of speech and expression. As global intellectual property policy or access to knowledge policy is concerned, India is considered a leader both when it comes to domestic policy and international policy development at the World Intellectual Property Organisation. From the 70s our policy-makers have defended the right to health in the form of access to medicines. More recently, India played a critical role in securing the Marrakesh Treaty for Visually Impaired Persons in June 2013 which introduces a user right [also referred to as an exception, flexibility or limitation] which allows the visually impaired to convert books to accessible formats without paying the copyright-holder if an accessible version has not been made available. The Marrakesh Treaty is disability specific [only for the visually impaired] and works specific [only for copyright]. This is the first instance of India successfully exporting policy best practices. India's exception for the disabled in the Copyright Act unlike the Marrakesh Treaty, however, is both disability-neutral and works-neutral.

Given that the Internet is critical to the successful implementation of the Treaty ie. cross border sharing of works that have been made accessible to disabled persons in one country with the global community, it is perhaps time for India to broaden its influence into the sphere of Internet governance and the governance of information societies more broadly.

Post-Snowden, the so called swing states occupy the higher moral ground. It is time for these states to capitalize on this moment using strong political will. Instead of just being a friendly jurisdiction from the perspective of access to medicine, it is time for India to also be the enabling jurisdiction for access to knowledge more broadly. We could use patent pools and compulsory licensing to provide affordable and innovative digital hardware [especially mobile phones] to the developing world. This would ensure that rights-holders, innovators, manufactures, consumers and government would all benefit from India going beyond being the pharmacy of the world to becoming the electronics store of the world. We could explore flat-fee licensing models like a broadband copyright cess or levy to ensure that users get content [text, images, video, audio, games and software] at affordable rates and rights-holders get some royalty from all Internet users in India. This will go a long way in undermining the copyright enforcement based censorship regime that has been established by the US. When it comes to privacy – we could enact a world-class privacy law and establish an independent, autonomous and proactive privacy commissioner who will keep both private and state actors on a short lease. Then we need a scientific, targeted surveillance regime that is in compliance with human rights principles. This will make India simultaneously an IP and privacy haven and thereby attract huge investment from the private sector, and also earn the goodwill of global civil society and independent media. Given that privacy is a precondition for security, this will also make India very secure from a cyber security perspective. Of course this is a fanciful pipe dream given our current circumstances but is definitely a possible future for us as a nation to pursue.

What is the scope of Internet Governance?

Part of the tension between multi-stakeholderism and multilateralism is that there is no single, universally accepted definition of Internet governance. The conservative definitions of Internet Governance limits it to management of critical Internet resources, including the domain name system, IP addresses and root servers – in other words, the ICANN, IANA functions, regional registries and other I* bodies. This is where US dominance has historically been most explicit. This is also where the multi-stakeholder model has clearly delivered so far and therefore we must be most careful about dismantling existing governance arrangements. There are very broadly four approaches for reducing US dominance here – a) globalization [giving other nation-states a role equal to the US within the existing multi-stakeholder paradigm], b) internationalization [bring ICANN, IANA functions, registries and I* bodies under UN control or oversight], c) eliminating the role for nation states in the IANA functions[4] and d) introducing competitors for names and numbers management. Regardless of the final solution, it is clear that those that control domain names and allocate IP addresses will be able to impact the freedom of speech and expression. The impact on the national security of India is very limited given that there are three root servers [5] within national borders and it would be near impossible for the US to shut down the Internet in India.

For a more expansive definition – The Working Group on Internet Governance report[6] has four categories for public policy issues that are relevant to Internet governance:

“(a) Issues relating to infrastructure and the management of critical Internet resources, including administration of the domain name system and Internet protocol addresses (IP addresses), administration of the root server system, technical standards, peering and interconnection, telecommunications infrastructure, including innovative and convergent technologies, as well as multilingualization. These issues are matters of direct relevance to Internet governance and fall within the ambit of existing organizations with responsibility for these matters;

(b) Issues relating to the use of the Internet, including spam, network security and cybercrime. While these issues are directly related to Internet governance, the nature of global cooperation required is not well defined;

(c)Issues that are relevant to the Internet but have an impact much wider than the Internet and for which existing organizations are responsible, such as intellectual property rights (IPRs) or international trade. ...;

(d) Issues relating to the developmental aspects of Internet governance, in particular capacity-building in developing countries.”

Some of these categories are addressed via state regulation that has cascaded from multilateral bodies that are associated with the United Nations such as the World Intellectual Property Organisation for "intellectual property rights" and the International Telecommunication Union for “telecommunications infrastructure”. Other policy issues such as "cyber crime" are currently addressed via plurilateral instruments – for example the Budapest Convention on Cybercrime – and bilateral arrangements like Mutual Legal Assistance Treaties. "Spam" is currently being handled through self-regulatory efforts by the private sector such as Messaging, Malware and Mobile Anti-Abuse Working Group.[7] Other areas where there is insufficient international or global cooperation include "peering and interconnection" - the private arrangements that exist are confidential and it is unclear whether the public interest is being adequately protected.

So who really governs the Internet?

So in conclusion, who governs the Internet is not really a useful question. This is because nobody governs the Internet per se. The Internet is a diffuse collection of standards, technologies and actors and dramatically different across layers, geographies and services. Different Internet actors – the government, the private sector, civil society and the technical and academic community are already regulated using a multiplicity of fora and governance regimes – self regulation, coregulation and state regulation. Is more regulation always the right answer? Do we need to choose between multilateralism and multi-stakeholderism? Do we need stable definitions to process? Do we need different version of multi-stakeholderism for different areas of governance for ex. standards vs. names and numbers? Ideally no, no, no and yes. In my view an appropriate global governance system will be decentralized, diverse or plural in nature yet interoperable, will have both multilateral and multistakeholder institutions and mechanisms and will be as interested in deregulation for the public interest as it is in regulation for the public interest.

[1]. Montevideo Statement on the Future of Internet Cooperation https://www.icann.org/en/news/announcements/announcement-07oct13-en.htm

[2]. Brazil to host global internet summit in ongoing fight against NSA surveillance http://rt.com/news/brazil-internet-summit-fight-nsa-006/

[3]. Tunis Agenda For The Information Society http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

[4]. Roadmap for globalizing IANA: Four principles and a proposal for reform: a submission to the Global Multistakeholder Meeting on the Future of Internet Governance by Milton Mueller and Brenden Kuerbis March 3rd 2014 See: http://www.internetgovernance.org/wordpress/wp-content/uploads/ICANNreformglobalizingIANAfinal.pdf

[5]. Mumbai (I Root), Delhi (K Root) and Chennai (F Root). See: http://nixi.in/en/component/content/article/36-other-activities-/77-root-servers

[6]. Report of the Working Group on Internet Governance to the President of the Preparatory Committee of the World Summit on the Information Society, Ambassador Janis Karklins, and the WSIS Secretary-General, Mr Yoshio Utsumi. Dated: 14 July 2005 See: http://www.wgig.org/WGIG-Report.html

[7].Messaging, Malware and Mobile Anti-Abuse Working Group website See: http://www.maawg.org/

The author is is the Executive Director of the Centre for Internet and Society (CIS), Bangalore. He is also the founder of Mahiti, a 15 year old social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. He is an Ashoka fellow. For three years, he also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

For more details visit https://cis-india.org/internet-governance/blog/yojana-april-2014-sunil-abraham-who-governs-the-internet-implications-for-freedom-and-national-security

Wherever you are, whatever you do

sunil — 2012-03-21T10:12:05Z

Facebook recently launched a location-based service called Places. Privacy advocates are resenting to this new development. Sunil Abraham identifies the three prime reasons for this outcry against Facebook. The article was published in the Indian Express on 23 August, 2010.

Privacy activists are up in arms again, at Facebook’s recent launch of a new location-based service called Places. But what’s the new issue here? For years, telecom operators have been able to roughly locate you by triangulating the signal strength between the three nearest cell towers. In India, geo-location is part of the call logs maintained by the operator. That is how the police was able to determine that Bangalore resident Sathish Gupta killed his wife Priyanka. He took her mobile with him during a jog with his friend and then faked a phone call as an alibi. He knew that the time-stamps on the call logs would corroborate his lies. But the location-data nailed him. So, in short, the state and telecom operators know where you are even if you don’t have a smartphone with GPS support.

For those who can afford it? GPS support provides greater accuracy and reliability, independent of telecom signal strength. The immediate and future benefits are huge. For parents, MyKidIsSafe.com, allows them to create a geo-fence and receive automatic notification when the child leaves the safety zone. In combination with RFID, businesses are able to provide their customers with accurate updates regarding status of deliveries. The Karnataka police is able to verify that the police inspector issuing the challan using a Blackberry for a traffic violation is not doing it from home. Seven hundred and fifty thousand gay men from 162 countries use a geo-social network called Grindr to find love. In the future, most car-pooling services will be GPS-enabled. Geo-location-based crowd-sourcing will be used to predict and avoid traffic jams by measuring the density and velocity of mobile phones on various routes.

Privacy advocates worry that after helping the police solve crimes and fight terrrorism, telecom companies retain the logs instead of deleting, anonymising or obfuscating them. Especially so in India, given the lack of privacy laws, telecom operators, web and mobile service providers could retain the logs for customer profiling or worse still, sell the raw data or analysis to third parties. Cyber-stalkers, child molesters and rapists benefit. Cat burglars will know when you are away and be able to clean out your house in a more relaxed fashion. Geo-surveillance by a state, obsessed with terrorism, will have negligible benefits while extracting a huge social cost and significantly undermining national security.

So why this particular outcry against the world’s most successful social networking website? There are three reasons that come immediately to mind. First, Facebook has a terrible record with privacy. In the last five years, the default settings have moved from one where no personal data was available for anonymous access to one with anonymous access to everything except birthday and contact information. And these are settings that affect the majority of the half a billion people who don’t bother changing default settings. So there is no guarantee that Facebook will not get more intrusive with its default geo-location privacy settings.

Second, a friend can geo-tag you without requiring you to approve or confirm this. Once you are geo-tagged, all your common friends will be notified through the friend-feed system. This is similar to the current system of photo sharing. A friend can upload a inappropriate photograph and tag you almost instantly all your work-mates who also happen to be your Facebook friends get a notification via the feed. Of course, you can always untag the photo, change the settings and defriend the culprit but by then the damage is usually done.

Third, the Facebook user-interface for privacy settings is notoriously complex and cumbersome. Many users will think that they have managed to bolt down the security settings when in fact their personal data will remain all up for grabs. The half a million third-party products available today on the Facebook platform only compounds this problem.

Read the original in the Indian Express

For more details visit https://cis-india.org/internet-governance/blog/wherever-you-are-whatever-you-do

Where is the Regional Comprehensive Economic Partnership Headed?

sinha — 2016-09-17T14:15:05Z

The Regional Comprehensive Economic Partnership (RCEP) – the Asian answer to the Trans-Pacific Partnership (TPP) is still being furiously scripted.

The blog post was originally published in Spicy IP on September 7, 2016. It can be read here.

The US-led TPP and China-led RCEP were always touted as rivals racing to set global trade standards before the conclusion of the other. Well, TPP gunned ahead and is currently in the ratification phase, where as RCEP is yet to be concluded and talks may very well enter 2017. The latest round of RCEP talks ended last month and paints a worrisome picture for the global south, given that it will bring 3.5 billion people and 12% of world trade into its fold.

Free Trade Agreements (FTAs) do not enable zero-sum free trade. In fact, each country leaves with disproportionate gains and losses in their kitty, after the conclusion of the agreement. And the worst casualties are environment, public health, labour rights, SMEs and local markets. Since there is plenty of give and take occurring in a context of fluid foreign policy relations, it becomes imperative to locate the ‘barter’. Last month, Balaji wrote an excellent comparative analysis(I & II) of the RCEP IPR text, and this post complements that. I present a regional overview of negotiations and the impact on course of the agreement, as gathered from press coverage of the meetings and the leaks; and to provide a more wholesome picture of the barters, I discuss other relevant chapters at the end of this post. Further, as the negotiations are conducted in secrecy, different organisations and individuals have ‘leaked’ draft texts. KEI and bilaterals.org are two such organizations that regularly collate and release latest RCEP texts. I rely on RCEP’s IP Chapter(October 15, 2015 version) and Terms of Reference by the Working Group on Electronic Commerce(August 2015 version). Analysing the Telecommunications Services chapter is outside the scope of the post, and I link it here for the interest of our readers.

Impact on E-commerce

What is currently available are the terms for reference establishing the Working Group’s mandate on drafting a chapter on e-commerce. The document acknowledges the need for inclusion of a provision for special and differential treatment, and additional flexibilities to the least developed ASEAN countries. It draws a list of relevant elements for possible inclusion in the RCEP. I reproduce the list here (emphasis supplied is mine):

I. General Provisions

Cooperation
Electronic Supply of Services

II. Trade Faciliation

Paperless Trading
Electronic Signature and Digital Certification

III. Creating a Conducive Environment for Electronic Commerce

Online Consumer Protection
Online Personal Data Protection
Unsolicited Commercial E-mail
Domestic Regulatory Frameworks
Custom Duties
Non-Discriminatory Treatment of Digital Products

IV. Promoting Cross Border Electronic Commerce

Prohibition on Requirements Concerning the Location of Computing Facilities
Prohibition on Requirements Concerning Disclosure of Source Code
Cross- Border Transfer of Information by Electronic Means

While there is no clarity on customs duties, there is a mention of non-discriminatory treatment of digital products. While India has no law on non-discriminatory treatment of digital products, this may conflict with the Indian government’s policy on adoption of open source software for government use.

More alarmingly, the first prohibition restrains governments from mandating data localisation. The Trans-Pacific Partnership (TPP) and Trade in Services Agreement (TISA) also bar governments from making rules on data localisation, i.e. requiring physical situation of servers and storage in their countries’ territories. This is a worrisome provision because it may effectuate surreptitious surveillance. The prohibition on disclosure of source code is also troublesome and is aimed to stop examination and review of code in computing devices. This would effectively ban security researchers from finding security vulnerabilities in devices, and the if the provision is drafted like its counterpart in the TPP, there will also be prohibitions on checks by regulating authorities.

Re ‘Cross- Border Transfer of Information by Electronic Means’, the provision will be most likely drafted to favour big data and advertising companies’ operations enabling unrestricted transfer of personal data(like the TPP). If that is the case, then it will be in conflict with Rule 7 of the Information Technology (Reasonable security practices and sensitive personal data or information) Rules 2011, which permits cross-border flow of personal information only in situations where the recipient of the information complies with Indian data protection standards as a bare minimum.

Impact on farmer's seeds

RCEP is bound to hit farmers the worst: not only are countries reducing tariffs for increased import of agricultural products, there also exists an obligation to join the International Union for Protection of New Varieties of Plants (UPOV system), which would mandate members to introduce a new IPR: the breeders’ right over new plant varieties. Japan and Korea want RCEP members to join UPOV 1991, and Japan has proposed criminal penalties for the infringement of breeders’ rights.

While India has applied to become a member to the UPOV Convention, in 2001 it passed the Protection of Plant Varieties and Farmers’ Rights Act, and thereby built a sui generis system of protection (ambitiously trying to balance breeders’ rights and farmers’ rights). It will be naive to expect a similar attempt in balanced lawmaking by other countries. Furthermore, “…India’s current legislation is less stringent than UPOV 1991. It allows farmers to continue with their seed practices, except they cannot sell packaged seeds of protected varieties. The space for both small farmers and public breeders to freely work with seeds will be lost of RCEP goes the way of what Korea and Japan are proposing.” Using FTAs to reduce farmers’ freedom has been well documented, and you may read more on that here.

The text also desires all RCEP members to codify traditional knowledge and make it available to various patent offices. This push is widely regarded as problematic, as it is feared that documenting and digitization of existing knowledge may propel companies to use that information for commercial gains, to the detriment of the indigenous people and farming communities. On the other hand, it would be feasible to share such data in a confidential manner with patent offices, as India has done under the TKDL.

Massive reduction in tariffs

Tariffs emerged as an enormous sticking point in the August round, and there was pressure on India to eliminate tariffs completely. India proposed a differential tariff reduction plan, but countries kept pushing for a single-tier plan – particularly Japan. Finally, in what is seen as a big loss, India offered tariff cuts as high as 80% goods trade for all RCEP partners, except China. With China, India said that it was only comfortable with a 65% tariff cut initially, given the skewed trade deficit between China and India. It is worth noting that for India, RCEP will become the first FTA to forge trade partnerships with China, Australia,and New Zealand.

As a result of the heavy concession in tariffs, the Kerala Agriculture Minister has moved a cabinet note, and written a letter to the Centre expressing serious concerns on lowering of tariffs for agricultural products. He also requested to include Kerala in the RCEP pre-negotiation talks.

Staving off ISDS

Provisions on investor-to-state dispute settlement (ISDS) are being pushed by Japan and South Korea. Countries are not convinced about agreeing to this, especially India. In fact, India is in the process of rolling back on bilateral investment treaties, and has already moved for BIT termination with 57 countries. We’ve already seen ISDS being (mis)used by private entities against governments – there have been enough challenges to countries’ IPR laws and policies as well.

Mobilised Movements against the RCEP

Individuals and organizations are advocating for scrapping the RCEP, given the impact that it is expected to have on people’s rights and freedoms. A ‘People’s Strategy Meeting’ last month conducted large-scale sessions to inform civil society organizations, NGOs, trade unions, farmers groups and other peoples’ movements in the Asia-pacific region. Many have also been persistently calling out for a meeting with negotiators of their respective countries and for a public hearing on the RCEP. The Asia Pacific Research Network has released a policy brief on the RCEP, and you may read that here.

The road ahead

Looking at the larger picture, it is evident now that neo-FTAs’ focus on trade has descended into attacks on sovereign states’ economic and social policies.

With respect to the RCEP IPR text, India is trying to eliminate TRIPS plus provisions from the text. And after heavy concessions on the tariff front, it will be bargaining for liberalisation in services in the next rounds. India’s aim is to clinch a deal allowing for free-er movement of its workers and professionals. Further, the negotiations are going to proceed quickly now. Members are becoming desperate to lock down the text, and therefore, this year we will see more rounds than the usual scheduled ones. The urgency is driven largely by Japan and Korea – both of which wish to ratify the TPP soon and would like the RCEP to work in tandem.

In another worrisome development, Phillipines, Thailand and Indonesia have met with US trade officials on what they need to do to join the TPP, once it is implemented. These countries are considering making serious changes to their labour, environmental, IP, and other standards. Yesterday, US Prez. Obama arrived in Vietnam for the Asean summit, trying hard to sell the TPP. Japan and Korea are already TPP members, and if ASEAN countries come under TPP’s fold as well, we may see an upping of standards at the RCEP.

India will have to deploy serious negotiating chops at the upcoming rounds if it is remotely hopeful of steering the RCEP standards away from the TPP.

Author’s note: Added the sentence “On the other hand, it would be feasible to share such data in a confidential manner with patent offices, as India has done under the TKDL.”

For more details visit https://cis-india.org/a2k/blogs/spicy-ip-september-7-2016-anubha-sinha-where-is-the-regional-comprehensive-economic-partnership-headed

When #GOIBlocks, twitterati fly off their ‘handles’

praskrishna — 2012-08-26T05:56:19Z

Ever since the news broke mid-week that some genuine Twitter accounts and six spoof accounts were blocked, the social networking platform has been in a tizzy.

Published in the Hindustan Times on August 26, 2012. Pranesh Prakash is quoted.

Hashtags like #GOIblocks and variations on the same theme began “trending” and the twitterati, functioning like a virtual democracy, have been bombarding the world in real time with posts about the issue. 16 accounts of the 15 million twitter users in India, among them those of a few journalists, spoof accounts like @PM0India, a right-wing parody of @PMOIndia, the official twitter account of the Prime Minister’s office, and a few anonymous accounts like Barbarian Indian (@barbarindian) and Dosabandit (@dosabandit) were blocked.

While Narendra Modi turned his twitter display picture black in solidarity with the idea of freedom of speech (and was promptly termed a hypocrite with many like @JagPaws, who has 641 followers, tweeting, “Whoa!! Is he supporting Jihadi sites?”), Pankaj Pachauri, (49,827 followers) Communications Adviser to the Prime Minister’s office, has put up twitter rules and the National Security Advisor Shivshankar Menon’s ominously pro-surveillance keynote address at the release of the IDSA report on “India’s Cyber Security Challenge”.

Many like Nitin Pai @acorn, with 16,988 followers, founder of Takshashila Institute, a public policy think tank, tweeted that “under extraordinary circumstances, the govt must do whatever it can under the constitution to prevent loss of life” and added that targeted and temporary blocks of sites, facebook pages and twitter handles that spewed hate were acceptable. Others like film maker Harini Calamur (@calamur) (11,277 followers) who says she is against censorship tweeted that “Blocking internet handles & sites is silly” and “the Govt’s job is to uphold the constitution & protect our fundamental rights. Not make value judgements.” Much of the debate has led to a genuine exchange, sometimes making comrades of people from opposing camps. Kanchan Gupta, a journalist known for his pro-Hindutva views, whose twitter handle @KanchanGupta (26,424 followers) was among those blocked, accepted on TV that scores of “people from all communities” many of whom “disagreed violently” with him had extended their support on twitter.

Others like writer Shivam Vij (@Dilidurast), who has 3,296 followers, whom Hindutvawadis has often branded ‘pseudo sickular’, surprised baiters by speaking against the ban.

Many were strident in their criticism of the arbitrary nature of the blocks and tweeted that it was indicative of authoritarianism. “Internet blocks in India have been increasing in frequency&intensity. I wouldn't put this down to knee-jerk/foolishness.There is *intent*,” tweeted Nikhil Pahwa (@nixxin), founder and editor of @medianama. Others like business journalist Samidha Sharma @samidhas worried that the government’s frequent attacks on freedom of expression shows that it is “following china in all the wrong things”.

While Pranesh Prakash (@pranesh_prakash) of the Centre for Internet and Society tweeted, “They've blocked sites from all parts of the spectrum: Muslim right-wing, Hindu right-wing, neutral news sites, etc. No politics”, many others saw the move as a “self-serving” one. “Dear GoI: why not be honest enough to say that this web censorship has NOTHING to do with security+ all to do with your own arrogance” tweeted Sunny Singh (@sunnysingh_nw3).

For more details visit https://cis-india.org/news/www-hindustan-times-aug-26-2012-when-goi-blocks-twitterati-fly-off-their-handles

WhatsApp spy attack and after

Theres Sudeep — 2019-12-15T05:06:27Z

Bengaluru experts analyse the Pegasus snooping scandal, and provide advice on what you can do about the gaping holes in your mobile phone security.

The article by Theres Sudeep was published in Deccan Herald on November 6, 2019. Aayush Rathi was quoted.

Last week ended with a sensational piece of news: WhatsApp said spyware Pegasus was being used to hack into the phones of activists and journalists in India.

The software is the brainchild of the NSO Group, an Israeli company. WhatsApp has detected 1,400 instances of Pegasus being used in the latest wave of attacks between April 29 and May 10. WhatsApp has identified 100-plus cases targeting human rights defenders and journalists. About two dozen of these attacks were in India.

Among those whose security was reportedly compromised is Congress leader Priyanka Gandhi.The first question is who ordered this snooping. NSO claims they sell their technology only to government agencies for lawful investigation into crime and terrorism. Speculation is rife that there is government involvement in the snooping.

Vinay Srinivas, lawyer with Alternative Law Forum, Bengaluru, says,“The targets of the attack seem to be those who had critical things to say about the current government.”Referring to a tweet by journalist Arvind Gunasekar, Srinivas says there is clear proof that the government knew of the breach and its severity.The tweet includes a screenshot of a report from the CERT-IN (Indian Computer Emergency Response Team) website dated May 17.

It shows severity rating as “High”.WhatsApp says the vulnerability has now been patched and urged users to update the app. But a level of paranoia around smartphones and privacy has been created. Apar Gupta, executive director of the Internet Freedom Foundation, based in Delhi works towards internet freedom and privacy, says Pegasus,specially, is too expensive (it can cost up to eight million dollars a year to licence) to be used on ordinary citizens.

But not all spyware is expensive. “Multiple kinds are now commercially available and easy to procure. These can be used by an estranged lover or even a professional rival to find information about you,” he says. Jija Hari Singh, retired DGP and Karnataka’s first woman IPS officer, says Pegasus is one of the smaller players, and spyware akin to it has been around for three decades. “Monsters bigger than Pegasus are still snooping on us,” she says.

NOTHING TO HIDE?

Many people fall back on the narrative of ‘I have nothing to hide, so I’m not worried’.Aayush Rathi, Programme Officer at the Centre for Internet and Society, says that this is a flawed premise: “It is like saying free speech is not important for you because you have nothing useful to say.”Gupta breaks down this rationale: “If a person has ‘nothing to hide’ then they should just unlock their phone and hand it over to any person who asks for it. But the minute such a demand is made they would feel uncomfortable.”This discomfort, he says, doesn’t come because they are doing something illegal but because they fear social judgement.“There is a level of intimacy in their conversations that they’d rather not share with anyone else,” he says.Many people believe only illegal activity leads to surveillance, but that is not the case.“Even the most inconsequential actions are being logged on digital devices, and much of this information can be monetised,” he says.The most tangible risks are financial fraud and identity theft, and spyware is also commonly used for corporate espionage.

UPDATE SECURITY

So what must one do if one’s phone is spied on? In the case of Pegasus, Rathi says, “You would have received a communication from WhatsApp if you were targeted. Irrespective, you should update the application immediately as the latest update fixes the vulnerability.”Srinivas says legally the recourse available is the fundamental right to privacy. “Since the government doesn’t have any regulation in place to deal with this, the National Human Rights Commission will have to take it up,” he says.

Gupta advises precautions against preventable hacks. He advises a reading of online guides on surveillance self-defence, especially those by Electronic Frontier Foundation.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-november-6-2019-theres-sudeep-whatsapp-spy-attack-and-after

What the government's draft IT intermediary guidelines say

Admin — 2019-02-13T00:31:29Z

Intermediaries will have to hand over to government agencies any information within 72 hours. Intermediaries will have to use automated tools to trace the person posting unlawful content.

The article by Abhijit Ahaskar was published in Livemint on February 12, 2019. CIS research was quoted.

With voices for regulating tech companies getting stronger in the wake of growing incidence of fake news being circulated through social media platforms, the Ministry of Electronics and Information Technology (MEITY) of India has decided to re-examine the Information Technology (IT) Intermediary Guidelines, 2011, under the IT Act, 2000.

Setting the wheel in motion, the ministry proposed a draft called Information Technology Intermediaries Guidelines (Amendment), 2018, and released the recommendations on its website for public comments in December 2018. The first round of comments ended on 31 January, 2019 and was made public last week. The second round of comments and counter-comments will close on 14 February, 2019.

What the draft proposes

The term intermediary refers to all tech companies that are hosting user data or are providing users with a platform for communication. This brings all internet, social media, telecom companies in its ambit.

The draft amendment proposes that intermediaries will have to hand over to governmentagencies any information that might be related to cyber security, national security and related with the investigation, prosecution or prevention of an offence, within 72 hours.

They will have to take down or disable content considered defamatory or against national security under Article 19 (2) of the Constitution within 24 hours on being notified by the appropriate government or its agency in addition to using automated tools to identify, remove and trace the origin of such content. Intermediaries with over 55 lakh users will be required to have a permanent registered office with physical address and a senior official who would be available for coordination with law enforcement agencies.

Concerns over the draft guidelines

Microsoft notes that the problem MEITY is trying to address is of fake news. “Existing regulations provide enough powers to work with social media platforms. There may be a case to bring out additional guidelines for certain types of intermediaries like social media platforms. There may also be a case to strengthen other laws which make the punishment of fake news and misuse of social media stringent. The focus should be on the perpetrators of the crime rather than the intermediaries," it has said in response to the guidelines. Regarding deployment of tools to proactively identify and remove unlawful content, Microsoft cautions that intermediaries will have to monitor all content passing through their systems for this, which is a violation of their individual privacy and right to freedom of expression. It will also be technically impractical due to the high cost of deploying such tech.

According to Broadband India Forum, one of the grounds for the Supreme Court striking down Section 66A of the IT Act, 2000, in Shreya Singhal vs Union of India was the vagueness of the terms used in the provision, such as offensive, menacing and dangerous, which invaded the right of free speech. However, words with a similar level of vagueness, such as grossly harmful, harassing and hateful exist in the proposed draft.

The Centre for Internet and Society (CIS) pointed out that existing laws provide enough teeth to the Indian agencies to act. For instance, Section 505 of the IPC has provisions to penalise disinformation while Sections 290 and 153A of the IPC have provisions if the disinformation is being used to create communal strife. CIS has also flagged the scope of the term unlawful as it is not clearly defined, leaving room for broad interpretation. On the traceability clause, CIS draws attention to the lack of clarity on whether it applies on just social media platforms and messaging services or all intermediaries.

This can be a bit of problem for ISPs which may have no access to contents of an encrypted communication sent and received on its network.

Threat to privacy

The traceability clause, which requires intermediaries to use automated tools to trace the person posting unlawful content, came in for a lot of criticism. While the Ministry in an official tweet in January 2018 clarified that it only requires intermediaries to trace the origin of messages which lead to unlawful activities without breaking encryption, experts believe it isn’t possible without lowering encryption standards or building a backdoor to access encrypted communications.

Amnesty International slammed the clause, arguing, “While governments can legitimately use electronic surveillance to protect people from crime, forcing companies to weaken encryption will affect all users’ online privacy. Such measures would be inherently disproportionate, and therefore impermissible under international human rights law."

Wipro in its response rues such a traceability requirement could lead to breaking of encryption on apps such as WhatsApp and Signal, and this will be a major threat to the privacy rights of citizens as enshrined in the Puttaswamy judgment of the Supreme Court.

Undue burden on small companies

Commenting on the 72 hours timeline for furnishing user data, the Internet Freedom Foundation says that such short deadline for compliance can only be fulfilled by large social media platforms. This might make smaller companies over compliant to government demands for immunity resulting in a total disregard for user privacy.

Regarding taking down of unlawful content, technology policy researchers form National Institute of Public Finance & Policy (NIPFP) caution that overzealous implementation along with over reliance on technological tools for the detection of unlawful content would lead to the curtailment of online speech. They pointed out the instance where Facebook had removed posts documenting the ethnic cleansing of Rohingyas as it had classified Rohingya organisations as dangerous militant groups.

For more details visit https://cis-india.org/internet-governance/news/livemint-abhijit-ahaskar-february-12-2019-what-the-governments-draft-it-intermediary-guidelines-say

What India can Learn from the Snowden Revelations

elonnai — 2013-10-25T07:29:57Z

Big Brother is watching, across cyberspace and international borders. Meanwhile, the Indian government has few safeguards in theory and fewer in practice. There’s no telling how prevalent or extensive Indian surveillance really is.

The title of the article was changed in the version published by Yahoo on October 23, 2013.

Since the ‘Snowden revelations’, which uncovered the United States government’s massive global surveillance through the PRISM program, there have been reactions aplenty to their impact.

The Snowden revelations highlighted the issue of human rights in the context of the existing cross-border and jurisdictional nightmare: the data of foreign citizens surveilled and harvested by agencies such as the National Security Agency through programs such as PRISM are not subject to protection found in the laws of the country. Thus, the US government has the right to access and use the data, but has no responsibility in terms of how the data will be used or respecting the rights of the people from whom the data was harvested.

The Snowden revelations demonstrated that the biggest global surveillance efforts are now being conducted by democratically elected governments – institutions of the people, by the people, for the people – that are increasingly becoming suspicious of all people.

Adding irony to this worrying trend, Snowden sought asylum from many of the most repressive regimes: this dynamic speaks to the state of society today. The Snowden revelations also demonstrate how government surveillance is shifting from targeted surveillance, warranted for a specific reason and towards a specified individual, to blanket surveillance where security agencies monitor and filter massive amounts of information.

This is happening with few checks and balances for cross-border and domestic surveillance in place, and even fewer forms of redress for the individual. This is true for many governments, including India.

India’s reaction

After the first news of the Snowden revelations, the Indian Supreme Court agreed to hear a Public Interest Litigation requesting that foreign companies that shared the information with US security agencies be held accountable for the disclosure. In response to the PIL, the Supreme Court stated it did not have jurisdiction over the US government.

The response of the Supreme Court of India demonstrates the potency of jurisdiction in today’s global information economy in the context of governmental surveillance. Despite being upset at the actions of America’s National Security Agency (NSA), there is little direct legal action that any government or individual can take against the US government or companies incorporated there.

In the PIL, the demand that companies be held responsible is interesting and representative of a global debate, as it implies that in the context of governmental surveillance, companies have a responsibility to actively evaluate and reject or accept governmental surveillance requests. Although I do not disagree with this as a principle, in reality, this evaluation is a difficult step for companies to take.

For example, in India, under Section 69 of the Information Technology Act, 2000, service providers are penalized with up to seven years in prison for non-compliance with a governmental request for surveillance. The incentives for companies to actually reject governmental requests are minimal, but one factor that could possibly push companies to become more pronounced in their resistance to installing backdoors for the government and complying with governmental surveillance requests is market pressure from consumers.

To a certain extent, this has already started to happen. Companies such as Facebook, Yahoo and Google have created ‘transparency reports’ that provide – at different granularities – information about governmental requests and the company’s compliance or rejection of the same.

In India, P. Rajeev, Member of Parliament from Kerala, has started a petition asking that the companies disclose information on Indian data given to US security agencies. Although transparency by complying companies does not translate directly into regulation of surveillance, it allows the customer to make informed choices and decide whether a company’s level of compliance with governmental requests will impact his/her use of that service.

The PIL also called for the establishment of Indian servers to protect the privacy of Indian data. This solution has been voiced by many, including government officials. Though the creation of domestic servers would ensure that the US government does not have direct and unfettered access to Indian data, as it would require that foreign governments access Indian information through a formal Mutual Legal Assistance Treaty process, it does not necessarily enhance the privacy of Indian data.

As a note, India has MLAT treaties with 34 countries. If domestic servers were established, the information would be subject to Indian laws and regulations.

Snooping

The Snowden Revelations are not the first instance to spark a discussion on domestic servers by the Government of India.

For example, in the back-and-forth between the Indian government and the Canadian company RIM, now BlackBerry, the company eventually set up servers in Mumbai and provided a lawful interception solution that satisfied the Indian government. The Indian government made similar demands from Skype and Google. In these instances, the domestic servers were meant to facilitate greater surveillance by Indian law enforcement agencies.

Currently in India there are a number of ways in which the government can legally track data online and offline. For example, the interception of telephonic communications is regulated by the Indian Telegraph Act, 1885, and relies on an order from the Secretary to the Ministry of Home Affairs. Interception, decryption, and monitoring of digital communications are governed by Section 69 of the Information Technology Act, 2000 and again rely on the order of the executive.

The collection and monitoring of traffic data is governed by Section 69B of the Information Technology Act and relies on the order of the Secretary to the government of India in the Department of Information Technology. Access to stored data, on the other hand, is regulated by Section 91 of the Code of Criminal Procedure and permits access on the authorization of an officer in charge of a police station.

The gaps in the Indian surveillance regime are many and begin with a lack of enforcement and harmonization of existing safeguards and protocols. Presently, India is in the process of realizing a privacy legislation.

In 2012, a committee chaired by Justice AP Shah (of which the Center for Internet and Society was a member) wrote The Report of the Group of Experts on Privacy, which laid out nine national privacy principles meant to be applied to different legislation and sectors – including Indian provisions on surveillance.

The creation of domestic servers is just one example of how the Indian government has been seeking greater access to information flowing within its borders. New requirements for Indian service providers and the creation of projects that go beyond the legal limits of governmental surveillance in India enable greater access to details about an individual on a real-time and blanket basis.

For example, telecoms in India are now required to include user location data as part of the ‘call detail record’ and be able to provide the same to law enforcement agencies on request under provisions in the Unified Access Service and Internet Service Provider Licenses.

At the same time, the Government of India is in the process of putting in place a Central Monitoring System that would provide Indian security agencies the ability to directly intercept communications, bypassing the service provider.

Even if the Central Monitoring System were to adhere to the legal safeguards and procedures defined under the Indian Telegraph Act and Information Technology Act, the system can only do so partially, as both provisions create a clear chain of custody that the government and service providers must follow – that is, the service provider was included as an integral component of the interception process.

If the Indian government implements the Central Monitoring System, it could remove governmental surveillance completely from the public eye. Bypassing the service provider allows the government to fully determine how much the public knows about surveillance. It also removes the market and any pressure that consumers could exert from insight provided by companies on the surveillance requests that they are facing.

Though the Indian government could (and should) be transparent about the amount and type of surveillance it is undertaking, currently there is no legal requirement for the government of India to disclose this information, and security agencies are exempt from the Right to Information Act. Thus, unless India has a Snowden somewhere in the apparatus, the Indian public cannot hope to get an idea of how prevalent or extensive Indian surveillance really is.

Policy vacuum

For any government, the surveillance of its citizens, to some degree, might be necessary. But the Snowden revelations demonstrate that there is a vacuum when it comes to surveillance policy and practices. This vacuum has permitted draconian measures of surveillance to take place and created an environment of mistrust between citizens and governments across the globe.

When governments undertake surveillance, it is critical that the purpose, necessity and legality of monitoring, and the use of the material collected are built into the regime to ensure it does not violate the human rights of the people surveilled, foreign or domestic.

In 2013, the International Principles on the Application of Human Rights to Communications Surveillance were drafted, in part, to address this vacuum. The principles seek to explain how international human rights law applies to surveillance of communications in the current digital and technological environment. They define safeguards to ensure that human rights are protected and upheld when governments undertake surveillance of communications.

When the Indian surveillance regime is measured against these principles, it appears to miss a number of them, and does not fully meet several others. In the context of surveillance projects like the Central Monitoring System, and in order to avoid an Indian version of the PRISM program, India should take into consideration the safeguards defined in the principles and strengthen its surveillance regime to ensure not only the protection of human rights in the context of surveillance, but to also establish trust in its surveillance regime and practices with other countries.

Elonnai Hickok is the Program Manager for Internet Governance at the Centre for Internet and Society, and leads its research on privacy.

For more details visit https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations

What Does Facebook's Transparency Report Tell Us About the Indian Government's Record on Free Expression & Privacy?

pranesh — 2015-04-05T05:08:37Z

Given India's online population, the number of user data requests made by the Indian government aren't very high, but the number of content restriction requests are not only high on an absolute number, but even on a per-user basis.

Further, Facebook's data shows that India is more successful at getting Facebook to share user data than France or Germany. Yet, our government complains far more about Facebook's lack of cooperation with Indian authorities than either of those countries do. I think it unfair for any government to raise such complaints unless that government independently shows to its citizens that it is making legally legitimate requests.

Since the Prime Minister of India Shri Narendra Modi has stated that "transparency and accountability are the two cornerstones of any pro-people government", the government ought to publish a transparency report about the requests it makes to Internet companies, and which must, importantly, provide details about how many user data requests actually ended up being used in a criminal case before a court, as well as details of all their content removal requests and the laws under which each request was made.

At the same time, Facebook's Global Government Requests Report implicitly showcases governments as the main causes of censorship and surveillance. This is far from the truth, and it behoves Facebook to also provide more information about private censorship requests that it accedes to, including its blocking of BitTorrent links, it's banning of pseudonymity, and the surveillance it carries out for its advertisers.

For more details visit https://cis-india.org/internet-governance/blog/what-does-facebook-transparency-report-tell-us-about-indian-government-record-on-free-expression-and-privacy