Centre for Internet and Society

ISO/IEC JTC1/SC 27 Meetings

praskrishna — 2017-04-27T16:38:46Z

Udbhav Tiwari represented the Centre for Internet & Society in a series of meetings held at University of Waikato and Novotel in Hamilton, New Zealand between April 18 and 25, 2017.

The participation was by the virtue of our institutional membership in Information Systems Security Sectional Committee (LITD 17) at the Bureau of Indian Standards.

The first 5 days of the meetings (18 to 23 April, 2017) were the working group meetings, where Udbhav participated in Working Group 1 - Information security management systems and Working Group 5 - Identity management and privacy technologies. Udbhav's participation in WG1 was largely exploratory, where I made some connections and tagged projects for us to comment on prior to the next set of meetings. These projects were Cyber Security, Cyber Insurance, Government Use of the ISO 27001 Standards, International Framework for Cyber Security and the Standing Document on Regulatory Use of 27001.

In WG5, Udbhav was appointed as Co-Rapporteur in the Study Period on Smart Cities, which will go on for another 6 months. The plenary of SC 27 was held on April 24 and 25, 2017. The final resolutions from the Working Groups plenary can be accessed below:

WG1 Recommendations and Resolutions

WG5 Resolutions

For more details visit https://cis-india.org/internet-governance/news/iso-iec-jtc1-sc-27-meetings

Isha Suri

praskrishna — 2022-01-21T14:59:36Z

For more details visit https://cis-india.org/about/people/IshaSuri.png

Isha Suri

praskrishna — 2022-01-21T14:59:46Z

Isha Suri

For more details visit https://cis-india.org/about/people/copy_of_IshaSuri.png

Isha

praskrishna — 2022-02-01T01:27:24Z

Isha

For more details visit https://cis-india.org/about/people/copy2_of_IshaSuri.png

Is your facebook page your mini resume?

praskrishna — 2012-03-26T07:27:43Z

As privacy debates heat up across the world, Bangaloreans reveal the trend of employers asking job aspirants for their Facebook IDs and passwords has caught on here too. When Adil Pasha, 24, revealed at an advertising job interview that his main strength was creativity, his interviewers asked for his FB password to check his latest updates.

This was published in IBNLive on March 26, 2012 . Sunil Abraham is quoted in this.

They rejected him, as he was going through a break-up and had put up song lyrics as his status message. On the other hand, Sukanya Srinivasan, 19, got an internship chance at a leading IT firm solely based on her FB photo albums.

“A company recently rejected my application after looking at the number of people I’d blocked on my chat list. They thought I didn’t have good interpersonal skills. I might be a friendly, harmless flirt, but the company might think I could sexually harass women employees. If they see my photos at a party, they might think I’m an alcoholic,” said Kiran Giridhar (name changed), who has attended over 12 interviews in the last two months, where his social life mattered more.

Recently, Facebook chief privacy officer Erin Egan said they had seen a distressing increase in reports of employers seeking to gain access to people’s Facebook profiles or private information.

“The most alarming of these practices is the reported incidents of employers asking prospective or actual employees to reveal their passwords,” she wrote on the website’s privacy page. The controversy is now being fought on moral and ethical grounds.

"This is a privacy infringement but there is no provision in the law (IT Act-2008) that prohibits employers from asking for personal information. This is happening with the willingness of potential candidates. If a person finds it unacceptable, he/she shouldn’t share the password. Background checks are common as some companies deal with sensitive information. So it’s not illegal, but intrusive. I think some power relationships can be abused if they cross the social networking barrier — like a boss-employee and teacher-student relationship. Corporate policy should prevent such things," explained Sunil Abraham, executive director, Centre for Internet and Society.

For more details visit https://cis-india.org/news/facebook-page-mini-resume

Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally

praskrishna — 2017-02-27T01:56:28Z

Fears of Aadhar biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization

Pranesh Prakash and Sunil Abraham have been quoted in this article published by Outlook on February 24, 2017.

The biggest fear regarding misuse of Aadhar biometrics and security loopholes are becoming real.

Three firms are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, reported The Times of India.

The paper reported that the Unique Identification Authority of India (UIDAI) has lodged a criminal complaint with the cyber cell of Delhi Police, saying it is a clear violation of the law.

“The firms are Axis Bank, Suvidhaa Infoserve and eMudhra. They have been served a “notice for action“ under Aadhaar regulations”.

The firms have been accused of storing biometrics and using them illegally.

The fears of biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization. They are preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money.

The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

Outlook’s Senior Associate Editor Arindam Mukherjee had in a clairvoyant article for the magazine raised the fears of biometrics being manipulated.

In the article, critics of Aadhaar and Aadhaar-based services raised the issue of privacy and security of biometric and personal data.

Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as Aadhar-Enabled Payment Services encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable Aadhaar Enabled Payment System PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices.

And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned.

“Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

For more details visit https://cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally

Is the WIPO Treaty for Broadcasters Moving Forward at SCCR 27?

praskrishna — 2014-05-02T11:58:15Z

The WIPO treaty for the Protection of Broadcasting Organization: The Way Forward?

CIS statement at WIPO is quoted in this post submitted by Manon Ress to Knowledge Ecology International on April 29, 2014.

On day 2 of Standing Committee on Copyright and Related Rights (SCCR) 27, it looks as if the US delegation was showing the SCCR delegates a "way forward" for a new treaty for broadcasting organizations. It seemed as if US diplomacy was working efficiently and the US proposal was gathering support. However, while the US proposal was indeed gathering support, public interest groups and copyright owners also became more vocal in their opposition to the proposal on the table.

Let me highlight aspects of the first 2 days (Monday and Tuesday 28-29 April, 2014) of discussions on the treaty. Wednesday half day is in principle devoted to conclusions on the first topic of the SCCR 27 and will be dealt with in a separate blogpost.

On Monday, led by Martin Moscoso, a most efficient Chair, the delegates moved quickly through the text (with many alternatives) and discussed the various technological platforms as well as the various forms of transmission for broadcasting. They decided to come up (later) with a matrix to, if not clarify at least simplify the work on the proposal. Monday was about the object of protection (what is a signal?) and Tuesday was about Article 9. which is the Article about rights. The issues were: what are the rights that will be granted or not granted to the broadcasters in the treaty.
Until lunch time Tuesday, the mood was quite optimistic and it was no longer "if there is a treaty" ...but when there is a treaty. Delegates were chatting everywhere and one could almost feel a treaty fever coming to the SCCR again.

The discussions were quite diplomatic but also technical. The Delegates are, after all, copyright and related rights experts obviously enjoying arguing and debating, subject matter protection, scope and of course nature of rights. Here is the Secretariat comprehensive review of Article 9 which include the many Exclusive rights that are on the table.

SECRETARIAT: this very high level. We have for Article 9 on page 8 two alternatives, alternative A and Alternative B. Then we have Article 9 in the annex, a proposal from India and then we also, of course, have the new proposal on, in that document, annex 6, I believe this is covered in Article 6 of the cablecasting organizations.Starting with the working text,Ssccr/27/2rev. Both of these Articles, they deal with exclusive rights to authorize by broadcasting organizations, the first one lists fewer rights it covers retransmission, performance, the use of a pre-broadcast signal with them and then with the performance (?), it leaves it as a matter of domestic law to determine the conditions under which this may be exercised provided that the protection is adequate and effective.

Alternative B has a more extensive list of exclusive rights that broadcasting organizations may authorize.

Fixation, direct, indirect production, retransmission by any means, communication to the public, making available, transmission for the reception by the public following fixation and making available to the public of the original and copies of fixations of broadcasts with respect to this alternative, there are two subparagraphs, two and three, that address some flexibilities. Two says that the indirect reproduction and retransmission rights may be a matter for domestic law where the protection of the right is claimed to determine the conditions under which it may be exercised provided that the protection is adequate and effective.

It is possible under 3 to deposit a notification with the Director General saying that instead of the exclusive right of authorizing providing for in subparagraphs 2, 4, 5, 6 and 7 there could be a right to prohibit with a notification.

Then there's a general final subparagraph talking about adequate, effective legal protection to signals. With the means of the protection being governed by legislation of the country where the protection is claimed.

The Annex includes various proposals and the Chair asked each proponents to explain:
For example, here is the US Intervention:
quote

The U.S. proposal for discussion is found in the annex at page 4, we first suggested this concept a year ago at intercessional meeting and fleshed it out in actual language at the last SCCR session. As we described then, the goal of our suggested language for discussion is to try to cut through the same debate of the scope of rights for this treaty that's been going on for in the range of 15 years now. What we were attempting to do was to identify a single core right, that would be very narrowly focused to address the fundamental concerns of broadcasters, to do so within the scope of the General Assemblies mandate to deal with signal protection, signal-based protection. As you see from the language, I won't go in a lot of detail, we have described this before, we would suggest that no post-fixation rights would be required at the international level, just protection for the signal itself and that after fixation we would be relying on protection for the content rather than the signal so not through this treaty, but through other treaties and through national laws.

So the way we formulated it was to focus on simultaneous or near simultaneous retransmission to the public of both the signal and the pre-broadcast signal because the broadcasters had made a case for the need of protection for pre-broadcast signal as well. As you can see from our proposed definition for discussion purposes we would define near simultaneous retransmission to be a transmission that's delayed only to the extent necessary to accommodate time differences or to facilitate the technical transmission of the signal. So recognizing that -- well sometimes there's a delay but we would be talking about delays of something more like seconds and hours rather than years.

What we would also like to do at this point, rather than spend many hours having everyone discuss again what their original proposals were, perhaps there's a way forward that this committee could consider. We do have a number of complex alternatives with multiple rights for Article 9 before us at this point.

And in the interest of being able to make progress, we would like to put forth an idea for consideration. In the discussion of our proposal for discussion purposes of this new approach we have not yet in the meetings that we have held since we first put it forward, we have not yet heard opposition to the Treaty covering at least that much and the main area of this agreement seems to be whether there should also be additional rights particularly relating to post-fixation uses. So one suggestion we put forward for consideration on how to move forward in this meeting would be to see if we can as a committee try to narrow the range of choices before us and there are a number of ways that this can be done. One possibility would be to say that one choice is the U.S. suggested approach in our proposal for discussion, and the other main choice would be to start with that, but then also add some version of the various post-fixation rights that other Delegations have proposed as the alternative. Maybe there's a way that the proponents could combine some of their catalog of rights into a shorter catalog or a single more general right dealing with post fixation uses and then although certainly the United States isn't in a position to agree to such a broader catalog, we would have a clearer idea of what the two main fundamental approaches are, and that would help us all clarify the situation and present the alternatives to be negotiated as we move forward and make it easier to look for potential compromises.

I don't know if that's entirely clear, and I would be I don't know if that's entirely clear, and I would be glad to describe in more detail what we were thinking about, but we put this out for everyone's consideration as a possible way to move forward rather than just to continue to go in circles with everyone explaining their own position. And again, you know, as we keep saying, we want to stress that all we're talking about again is a international minimum and that doesn't prevent anyone from having the entire catalog of rights that they may have in their current national system to preserving those rights and urging others to adopt them as well. We're looking for something that we can all agree to at international level.

This US Proposal which is about a narrow right (a signal-based approach) and also a way to limit the proposals on the table by having only two fundamental approaches on the table. The signal-based narrow approach or the US proposal by contrast with the catalog of rights proposed by the EU (and its supporters).

One had to note that what was in December for SCCR 26, an informal US proposal in the annex, had gathered many supporters. For example, the US proposal was supported in some ways by India:

INDIA: Good morning, Mr. President.
I think Belarus, the Distinguished Delegate from Belarus and the Distinguished Delegate from the U.S. started the day with good morning, with good initiatives. We're open to discuss those issues. Going back to the comments made by the Distinguished Delegate from belarus, we do agree that no additional protection to the content should be given because content, the content, it is either author or the performer, asper the convention or the WCPT or the sin graphic producer, the producer of the sin graphic or the sound performing. Already the protection, is that.

What we need to protect here, it is the signal as said by the Distinguished Delegate of the United States also. The signal-based approach, that's what it says, the signal has to be protected. If you look at the definition of signal which India has given in annex, Article 5, page 1, it clearly said that the signal means an electronically generated carrier consisting of a specific program whether encrypted or not and then encryption, it is the dpm, we all know that, you know that that's the business model, the technical model followed by most. Coming to the program carried by the signal, that's the broadcast content.

So we have to see what exactly the signal is carrying the broadcast. It contains, you know, various types of Intellectual Property that's a copyrighted material that we can divide into four main categories. One is, of course, the program content, whether it is in-house production, created by -- acquired from the content owner, and then the other content is the advertisement, and then the moment you will see these two things, each has its own look and appearance just like CNN or BBC, the moment that content is on the screen, you know this is CNN content, you know that this is BBC content, even the same if their live casting, this, you see, in the Standing Committee, you know how it is different, it is a CNN journalist, a B cc journal. Then becomes the way they arrange the content, that's the full thing. The way it is presented. So, these are the four things, the signal, broadcast content, content, so various licensing and arguments are there. The advertising appearing between the few seconds in the BBC journal is different than what advertisement of the CNN and apart from the look and feel of the journal, and then coming to the proposal I would like to briefly explain and make sure we're given the Article 9. It is totally based on the signal-based approach in what we have explained here that the broadcasting organization hall enjoy the right to prohibit if done without authorization the rebroadcast of the signal through traditional procedure casting means, so rebroadcast not only the broadcast, the rebroadcast has to be protected. Here the question of fixation comes, you know, the fixation to be allowed only for the purposes of the rebroadcasting are in the near simultaneous broadcast, which was our Distinguished Delegate from the U.S. was telling, maybe deferred on the delayed -- unless you fix it, you don't do that. Coming to the simultaneous broadcasting, the U.S. Delegate was talking about, here simultaneous in the traditional sense only, it is clear it is a signal-base aid approach in the traditional sense, not the webcasting or simulcasting, what we need to protect here, if any unscrupulous guy, unauthorized manner taking this program-carrying signal, putting it over the internet, the investment of that broadcaster has to be protected. So that's what our proposal talks about, not about the simulcasting, live screaming and other platforms. So there -- otherwise, we will be including the webcasting and simulcasting in the traditional approach. In the traditional platform doesn't carry the webcasting of the simulcasting in the traditional sense and also in the webcasting. That's the simulcasting, doing the same thing, in two different platforms.The simulcasting can be allowed here in the traditional sense, if the BBC wants to, at the same time, broadcasting the same problem, the reach of the B cc in that territory would be different and it is different, they're covering different parts of the world.

So, that's what I would approach here. Then with that, the Distinguished Delegate from U.S. raising the post mixation rights, one significant until appears on the screen, there is l. C or led, nowadays the technology, it is crazy. It is on the screen. So only the content, not the signal. So the fixation of signal, then post-fixation don't come in the signal-based approach. What we need to do is the Protection of Country the signal and if fixation is coming, that fixation is allowed only for the rebroadcast, deferred or delayed broadcast purposes. We'll come back in these issues as the further discussion continues.
Thank you.
And by by Mexico.
> MEXICO: Thank you, Chairman. It gives me great pleasure to see you Chairing and you have the full support of my Delegation in all your work and moving forward in the topics of this committee such valuable work from Mexico. I would like to thank the Secretariat for the document that they provided us with in such a punctual manner. Thank you for helping us with our work. I would like to recall all Delegations. That we need to be seeking the establishment of general standards to feel more comfortable within the legal framework of these particular topic. We shouldn't be looking for participation on any individual basis because we will move forward with our work.

I recall that any international Treaty has to be based on general principles and not on details and the details should be stipulated in the respective domestic legislation of each Member State. On that note I would like to support the proposals from the Distinguished Delegate from the United States that we should, yes, move forward in this way with the work of this committee
And by Japan:
JAPAN: Good morning, Mr. Chair.
Good morning, everyone. I'm speaking on behalf of the Japanese Delegation.
We're in the position to support the suggestion by the Distinguished Delegates from the U.S. to put to option related to scope of protection. With respect to scope protection, some Member States seems to find great value in wide variety of rights including fixation rights, including the right of production and the right of making available after the fixation. For such members, post-fixation rights should be included in this Treaty. On the other hand, some Member States are of the view that the minimum fixation rights, simultaneous or near simultaneous retransmission and the right of pre-broadcast is enough under this Treaty.

Here we would like to point out that in order to find the way forward in our discussion more flexible approach may be necessary. From our perspective one possible way while setting the common denominator among all Member States of subject matters for minimum mandatory protection, other rights which not all the members must -- most members think is necessary and this is treated as the subject matter for optional protection. Of course, even if we take such an approach we have to further discuss which rights should be mandatory protection and which rights should be optional protection.

And by South Africa:
SOUTH AFRICA: Thank you very much, Mr. Chairman.
In fact, I would like to associate myself with the previous speaker, Mexico and the U.S. I think it would be better to have just a general and another scope of rights for the broadcasters sips we're dealing with the signal-based approach and so as always to avoid having to include issues and list of issues that are covered by other Treaties. It may cause a problem in the long run in the sense that some Member States may find themselves want to be a part of this Treaty having to do a balancing act as to whether they need to join into this Treaty to be parties to the other Treaties or to the other issues that are being included in this particular Treaty. It would favor a very narrow, general scope of rights as I think the U.S. has captured that very well. I think it will help us to move forward. Otherwise we'll never -- a long, protracted kind of discussion and we have a very good experience in this, we have been looking at this for a very long time and part of the problems lie in this -- having a very long list of rights and so on, so on. I think that domestic legislation can do justice into the catalog of rights that Member States will now want to prescribe.

But things were not that easy with the EU:
EUROPEAN UNION: Thank you very much, Mr. Chairman. Good morning to everyone. We tried to look at all the possibilities and options on the table and tried to think of some matrix as you proposed yesterday for which we have to find for both the object of protection and for the rights. Looking at what was presented and discussed today, we tried to put this into some kind of order also in response to the proposal by the Delegation of The United States. What I will present now is our understanding of where we understand with these discussions on various rights and, of course, there may be rates where we have not understood properly.

To us, it seems that there is a consensus in the room as to simultaneous, as to the right to authorize a prohibited or prohibit simultaneous retransmission by any means. As long as we talk about simultaneous retransmission we think from the discussions that took place here, but everybody agrees with simultaneous transmission, that should be covered by the catalog of rights.
Then the other category, the important category here, are any transmissions from fixation. In our view, we should in a way separate the discussion on transmission from fixation from other post fixation points. I think often we use here the term simultaneous retransmission versus post-fixation rights. I think there is a bit of a more nuance to the situation here because we have the post fixation rights because of the reproduction and distribution which we'll talk about later. We have the core right here, the core right which is a retransmission from fixation.
In the U.S. proposal there is also an element of such transmission from fixation as far as we understand, but it is limited. It is limited by technical means and limited in time because it is only to take account of time zones.

In other alternatives that we have on the table as far as we understand in the working document, alternative A, Alternative B, the proposal which was presented today by Belarus on behalf of some members of the CACEEC group, and to the extent that we understand the proposal of the Delegation of India, all these proposals include the right to authorize and prohibit only the right to prohibit in case of the proposal from India transmissions from fixation. We have -- atlas the way we see it, on one side we have the U.S. proposal with transmissions from fixations limited in some way and specifically in time, and then we have a number of proposals where we have transmissions from fixations included. For us, that would be the second block after the simultaneous retransmission, the second block to look at is this block of transmission from fixation. Within this block there are a number of Delegations that in the very explicit way include the so-called making available right. This is the case of Alternative B in the working document, this is the case of the proposal -- proposal presented by Belarus today and this of course has been the position of the European Union as well.

So that's for us, the second thing to look at, maybe to put in this matrix.

We would like to somehow maybe separate this block of transmissions from fixation from what we usually call post-fixation rights. When we move to post-fixation rights you have -- this is always interesting, helpful to look at the table proposed by by the Japanese Delegation, there are a number of rights so that you have the right of fixation itself, of course, that's not exactly post-fixation rights but I think belongs to this group of rights, reproduction and distribution and the right of public performance in places without accessible, for repayment of the fee. All these rights, we think belong to this third block. To be looked at.
Of course, there are certain overlaps, when you look at the various proposals, some extend to all the rights, some extend to only some of these rights. In our view, these three groups are -- it is something to be looked at.

Further, I think if we look at this, if we create in matrix in that sense, it will help us to move further. Then, of course, for us, the next step of the discussion is to then understand in more detail various proposals and I'll just give a couple of examples. I think it is clear for everybody in the room to understand the proposal of the United States on near simultaneous transmission T will have to be very clear what is near simultaneous means, and especially since it is limited in time, in the U.S. today, they indicated, that limited in time not in terms of years, but rather in terms of hours or let's say shorter periods of time, it is very important to know how this would be, how it would be understood and how it works in practice. I think as regards to proposal from India, one thing for us is still maybe not entirely clear is this reference that in all cases the protection has to be subject to the extent of rights acquired from the owners of copyright and related rights. That's, for example, in terms of transmissions of sport events, which are not covered by copyright, we don't understand how this would be covered or whether the proposal of India is, but these would not be covered at all by these Treaties but there is a number of issues that we can go into more depth with each of these proposals. I think that the final, final block is what kind of rights are we talking about in terms of exclusive rights, rights to prohibit. That's all other rights.

In a number of these proposals, we have the right to offer us and prohibit, why for example in the proposal from India we have clearly right to prohibit. That's the final element of the matrix with which we have to look at because maybe not necessarily for all of the rights we have to have the same right. In the sense the same category of right. Maybe we can have some rights that are exclusive rights and for some rights, rights to prohibit, of course, we should not finally forget the protection for the pre-broadcast signal because we have not mentioned it today, but I think on that element also there is quite a broad consensus to have this as a right to the protection for pre-broadcasting. Thank you very much.
After quite a few confused and confusing interventions, the US took the floor again urging the delegates to separate the two main issues, what are we trying to protect and with what rights:
United States.

A lot of issues have been raised in the last round of interventions. I do think it is important to keep our minds fixed on the idea that there is two separate issues and one is the scope or object of protection and the other is what the nature of the rights are. Sometimes I think we're conflating them in the discussions, if we look at the matrix, the object of protection, what that is, I just wanted to note one more time while we've got the broadcasters in the room that I do think there is still some open questions that would be good to get answers to if not -- if it is not possible to get the answers this week, then the next time that this committee meets, and those were my questions about to what extent the uses of new technology described by the BBC and summarized in Japan's little summary document, to what extent the uses of new technology have become standard and how widely adopted they are among broadcasters in different countries and of different types and sizes. I think that would be helpful to know.

Also where the piracy takes place, where it is that those who are Pirating, getting the signals from would be useful to know as well and I partly raise these questions because to the extent we're debating the inclusion of or consideration of simulcasting, deferred, on demand transmission signals, in addition to the question of what extent the piracy problems would be covered by copyright in the content and another question with could be could this be seen an an issue of infringe.

Rather than the issue of protection. If we're protecting over the air broadcast signals, is the problem that the piracy of those signals is taking place using the simulcast versus using the actual over the air broadcast. That's why I see the issues as related, and I think it would be helpful to get more answers to those questions as we look at whatever matrix is prepared.

In terms In terms of the rights, the Article 9 issues, the EU asked a number of questions, I think the Delegate from the EU is correct that there's -- it is not just that the rights are prefixation and post fixation, there is probably at least three different types of things we're talking about. In the language the U.S. has proposed for discussion we're not presuming that the existence of a fixation at any point along the way negates the right, not at all. In fact, you certainly could have a simultaneous, near simultaneous near transmission of the public even where the retransmission is made from a fixation and indeed some technologies may require the use of a fixation to enable the retransmission.

I think what we're focusing on is the idea that there is no right to control the fixation itself or what is otherwise done with subsequent copies, including consumer copying, that would not fall within the right.

Then, just to say that we appreciated the comments from the Delegate of Brazil and also wanted to clarify our proposal was really a matter of process, not substance. We agree with Russia that we're looking to move this forward and so even though our view is that a single right rather than a combination is the most likely way to be able to make progress and move the debate forward, and achieve an outcome, we also think we could make progress here this week if we could simplify the full range of rights that are on the table and figure out a way to present two options for consideration and further negotiation.

That would only be for purposes of the negotiation rather than an agreement on substance at this point, that that's the right approach so then each of us could still be able to convince other Member States of our own view or to find some way to accommodate the concerns once we see what the two approaches clearly are.

It is a matter of process to be able to move forward from the complex text that we currently have before us.

Then just finally, we also agree that we still have open the exact wording of what the right would be in Article 9, is it a right to authorize, exclusive right to authorize, a right to prohibit, prevent, maybe at this point in time we need to keep those things in brackets also for further consideration, negotiation, including the issue razed by the E.U. Delegate that possibly the exact wording may be different depending on what the right is that we're talking about.

Following the US intervention, India discussed the very many different kind of piracy. Then, the Chair gave the floor to the NGOs and before lunch, the NAB (the demandeur for the treaty) made some clarifications related to the Monday presentation by the BBC (the red button or on demand webcast of BBC programs). Which was followed by KEI which stated:
quote.

This is not a treaty about copyright piracy but a special ride for broadcasters. I think it is not a good idea to sort of refer to cases where there is already a right, the copyright owners have (kei) unless you make it relevant to what's discussed here this week. IP rights are a form of regulation, and they create monopolies, rights to exclude, new layers of rights to clear, a shrinking of the public domain, and more obligations for consumers, libraries, businesses to pay more money not to copyright holders,but to the distributors of content. Don't go overboard. Don't approach this like you're a rich relative giving gifts to nephews and nieces, interventions should be narrow and only where they're actually needed to solve a problem like signal piracy to the extent that it is understood and can be remedied through an instrument, or to achieve a predictable, a desired redistribution of income to broadcasters. You're in this case extending rights to entirely new beneficiaries, it is not just people that broadcast in radio and television which was what the Rome convention addressed and make the service available that no one could charge for. Now you're talking about pay services protected by under legal protections such as regulatory provisions, contracts, theft of service laws, you're talking about cable tv service shut off if you didn't pay, cable -- satellite services that are shut off if you don't pay, you're talking about a wide-range of internet delivery issues and people are talking about post fixation rights.

You have what the BBC has described, you have people talking about services now provided under services in the United States such as hulu using platforms like these decidings, tablet computers, the explosion of services, and most of the people doing most of the innovative services outside of BBC are not here demanding a WIPO treaty but doing things, it is working, exploding and it is happening without this new form of regulation. So, I would say conclude by saying that the Rome convention or the WPPT or the Beijing treaty should not be the basis of the rights. Those rights already exist, they address different issues. You're talking about something new today and this new thing should be justified by some coherent explanation of a problem you are trying to solve and should be comfortable because of the cost of the regulation you're introducing to the information society is somehow justified by the benefit.

The Chair called then on the American Society of Archivists:

Thank you, Mr. Chair. On behalf of the society of American Archivists, the largest organization of archivists, we want to commend you for the continued wise chairmanship of the srcr and thank you to the Secretariat for the excellent support of the Committee's work. For decades archives included not just paper records but also important sound and video recordings, many of which have come from broadcasters. These are invaluable documents for connecting society to its past. Think of a major event in the past 15 years, the fall of the Berlin wall or the collapse of the twin towers on September 11th, without the video images that were created, these are the documents that will provide the stuff of history that connects future users to the archives. Thus, regardless of whatever measures are put into place to provide the signal protection that broadcasters need, the new rights should not add any further layers on the already existing copyright protection that exists in the content. Over the long passage of time the archives have to span, and given the vigories of institutions that disappear with regularly, adding a new right on broadcast content would add imher rationally for the orphan work in providing abscess to the dock ministry sector that is such an important part of society's historical record. After the lunch break, eIFL took the floor. The giddy mood of "moving forward" that we had witnessed in the morning was slowly changing (the momentum keep changing said a broadcaster sitting behind me).
[...]
eIFL: As stated at previous sessions of this Committee we see no compelling public policy reason for a new international treatment on the protection of broadcast organisations because piracy of broadcast signals is adequately dealt with under existing laws and treaties as outlined in the earlier statement by KEI. And the creation of a new layer of rights that affects access to content is of great concern to librarians because it imposes an additional barrier on access to knowledge especially to content in the public domain.

As stated which the Delegation of Ecuador, a new layer of rights will in addition to creating problems for users create froshes rights holders of content that will impact on their ability to freely licensed their works. Libraries have practical experience of such over protection caused by multiple layers of rights. For example, a library in northern Europe wanted to publish a sound recording from their archive that was originally broadcast in the 1950s. The recording was taken from a rebroadcast in the 1980s. And all of the performers'rights had expired and the authors waived their fees due to the importance of the work, the library had to pay $10,000 for the permission to use the recording because the signal protection applied also to the the retransmission.

So for many libraries, as you can imagine, such costs are out of the question. As a result, socially valuable works remain inaccessible in libraries and archives, depriving the public of the enjoyment of their work. So Distinguished Delegates, please consider the costs to taxpayers and society as well as the perceived benefits of this proposed treaty. Thank you.

After the Libraries, --except for the European Broadcasters under ACT which came to support the NAB and the proposed treaty--, other consumer/public interest groups such as TACD and CIS (India) followed by many many right holders (copyright holders or as they say at WIPO content owners) such as IFPI, FILA, BCC and FIAPS (representing authors, performers, music producers) took the floor one after the other to express their strong opposition to the proposed treaty. The main point for the Music industry representative was that before the broadcasters get a new exclusive rights, they should first recognize the rights of the music producers and pay for music that they broadcast. While this is actually happening in many countries already, the US broadcasters do not pay and that should change first according to the IFPI. Finally (and that was a surprise for many), a representative from Direct TV attending the SCCR for the first time expressed its strong concerns for a treaty that would give broadcasters exclusive rights and thus more power to control the media market.

Here is the Indian NGO CIS statement:
We have some concerns regarding the intended scope and language of Article 9 in Working Document SCCR/27/2 Rev. We believe that this expands the scope of this proposed treaty and is likely to have the effect of granting broadcasters rights over the content being carried and not just the signal. On this issue, we have two brief observations to make:

First- Article 9 envisages fixation and post fixation rights for broadcasting organizations- for instance among others, those of reproduction, distribution and public performance This, we believe is not within the mandate of this Committee, being as it is, inconsistent with a signal based approach.

Second- we express our reservations on the inclusion of “communication to the public” reflected in Article 9 Alternative B, which also relates to the definition of communication to the public under alternative to d of Article 5 of this document. Communication to the public is an element of copyright and governs the content layer, as distinct from the “broadcast” or “transmission” of a signal.

Therefore, attempts to regulate “communication to the public” would not be consistent with a signal based approach.Notes during the excellent IFPI statement as well as statements by the other copyright owners will be in my next blog for your enjoyment.

For more details visit https://cis-india.org/news/knowledge-ecology-international-manon-ress-april-29-2014-is-wipo-treaty-for-broadcasters-moving-forward-at-sccr-27

Is the govt caught in the 'censorship' web?

praskrishna — 2012-09-04T06:54:25Z

NDTV aired a one-hour debate on censorship in "We the People" episode hosted by Barkha Dutt on August 26, 2012. Pranesh Prakash participated in the discussions as a speaker.

Pranesh Prakash responded to Barkha Dutt's question on what does a government do in a time of social unrest:

"I think in a time of social unrest there is leeway provided in laws for the government to take action. The law existing and the law allowing for it is a very different matter from the government actually making use of it. There are as shown in the United Kingdom, much better ways of combating situations of riots. As we have seen in India for instance, there are people who provoke riots from podiums yet don't get arrested and as we have seen in the UK, there are people who take part in riots and have been punished a great deal."

Video

See the full debate on NDTV

For more details visit https://cis-india.org/news/www-ndtv-com-we-the-people-aug-26-2012-is-the-govt-caught-in-the-censorship-web

Is the govt bid to regulate content on the Internet a good thing?

praskrishna — 2011-12-08T07:12:24Z

The recent move by Union Minister Kapil Sibal to engage leading Internet platform providers like Google, Facebook, etc in regulating content has seen netizens react in different manners. The question of freedom of expression vis-a-vis objectionable content has come to the fore. Pranesh Prakash who deals with such issues on a regular basis at the Centre for Internet and Society was answering questions (more like comments) live on CNN-IBN's chat feature on December 7, 2011.

Q: OK... then how about this... People report abuse against a page...and after some hits that report will go to the governmental organization, and they will decide on what action to take... this may include hiring of some IT services company to do that and gives more employment to people too. Anyways thanks for replying to my questions.

Asked by: Tilak Kamath

A: How about just approaching courts, who are in a far better position to judge what is legal and what is illegal under Indian law than any IT services company or government organization.

Q: Suppose a group of rabble rousers does indeed use a forum and become violent, (the group being identifiable) would the state have the right to ask the forum to be discontinued?

Asked by: Zeus

A: Of course (if what you meant is 'the right to ask the forum to remove the violence-inciting content'). Indeed, this is how ultra-left wing and ultra-right wing publications that advocate violence (which is an imminent threat) are proscribed in India. And the same laws already apply for online fora. But just as you wouldn't ban a newspaper like DNA for carrying an offensive article (such as the anti-Muslim screed written by Subramanian Swamy a few months back), and just as the postal service wouldn't be discontinued for carrying Maoist letters, a forum shouldn't be banned for offensive content. There is no need for a new 'self-regulation code', since the 'report abuse' links found on many of these sites are exactly that: self-regulation.

Q: Article 19(2) of our constitution places arbitrary and subjective restrictions on free speech - public order, decency, morality are all subjective, according to the whims and fancies of those who are in control. Aren't you concerned this is going down the exact path (ignoring that this is impractical to begin with)?

Asked by: Karunakaran

A: No, because there is a rich jurisprudence laid down by the Supreme Court of what is and what isn't a "reasonable restriction". While I do believe that our Constitution does go beyond what the International Covenant on Civil and Political Rights (to which India is a signatory) allows for, Article 19(2)'s interpretation by the Supreme Court and the High Courts have been very progressive for the most part.

Q: The government has a mandate to govern and keep the society in harmony and take care of law & order... If no check on the expressions of netizens the chances of a spark generating debate can escalate to violence given the extremism we see today. The media in print as well as electronic we know & see does it's CENSORING, calling it as editing and publishing only what it likes and wants.This style is for all including CNN-IBN.The difference is in media, the EDITOR gets responsible in case of offensive or blashphemous material gets published. Social network the responsibility seems missing. Freedom always needs to be enjoyed with discipline. How do you the minority indisciplined netizens, who are there and no denying on that ?

Asked by: sundar1950in

A: I believe that killing speech is not the right way to prevent violence. Indeed, a newspaper editor in the Maldives recently noted that they have had less violence committed against the newspaper office ever since they allowed for online comments. Speech often allows people to vent out violence instead of acting it out. Violence should be curbed by reining in those who're committing it, and those who're inciting it on the ground. At any rate, the laws that apply to inciting violence in print apply to the Web also, and no new rules need to be drafted.

Q: Thanks for the information on the report abuse button. but can't we have a Governmental agency regulating websites like FB or Google... they can't say no, cos India is a Huge market for such companies.. and why don't we find many ultra offensive posts about the U.S. or other countries, as we find for Indians..

Asked by: Tilak Kamath

A: That would be a very bad idea. Governments don't have a regulatory agency to dictate what letters post-offices shouldn't carry, nor what articles newspapers shouldn't publish. They should definitely not have a regulatory agency dictate what status updates Facebook or Google+ should and shouldn't carry. You don't find ultra-offensive posts about the U.S. because you aren't looking around. They're *everywhere*, even more so than those that bad-mouth India. Yet, such offensive speech is the price we have to pay (gladly, I should add) for democracy and the freedom of speech.

Q: The idea to ban any post on something that would lead to communal strike is fine however, I feel this is not the intention. The intention is clearly political and due to the Anna movement becoming popular thanks to the posts on the internet as also certain remarks on the Gandhi family in particular and Congress leaders specifically has led to this decision. Kapil Sibal is a smart alec and he knows that this can be used against any adverse comments against them.

Asked by: Arun

A: I am less suspicious of Mr. Sibal. I believe, especially after speaking with some senior lawyer friends of his, that he genuinely believes what he is doing to be required and legal and constitutional, and not for the appeasement of one or two Congress leaders. That, however, does not make his suggested solution correct. Multiple High Courts' decisions have held otherwise, and the Supreme Court's decision in Ajay Goswami v. Union of India also provides them support.

Q: One best possible thing is to advertise the Report Abuse button on the Internet, don't you think so? again there should be proper authentication to do so to avoid miscreants blocking some good pages unnecessarily.

Asked by: Tilak Kamath

A: I believe that the "Report Abuse" option available on most large social media and social network websites is useful, but it is also potentially dangerous since it allows a private party (such as Facebook or Google), rather than a court, to dictate what content is and isn't acceptable, to the possible detriment of larger society.

Q: Good evening sir, my question is that it is legal to pre-screen the private data of users by sites and to interfere between their privacy.

Asked by: Shrey Goswami

A: Whether this proposal by Shri Sibal necessarily involves an invasion of privacy is an open question, since the details of the proposal as as yet not fully sketched out. On Google Plus and Facebook, one can restrictedly share information. Will such restricted sharing also have to be pre-screened, or only information that is going to be available to all members of the public? The proposal still consists only of press articles and a press conference held by the Minister. Even assuming it only require pre-screening of information that is going to be publicly accessible, it imposes too high a burden on intermediaries, and is impractical. And, as you might be aware, only very limited pre-censorship is allowed in India, and such a general requirement of pre-censorship does not seem to be constitutional, in my opinion.

Q: Yes, we were browsing FB yesterday and some content in there, could not be opened in front of my children. So Content is not always good, and there must be some kind of screening. Again, the current trend in India, to think that whatever the government does is not at all a good one. Governing must be left to government and not to news channels/civil society, etc. This looks dangerous, and sad no one is realising this.

Asked by: Narayanan S

A: Perhaps I should allow former Supreme Court Justice Hidyatullah's words speak for themselves: "Our standards must be so framed that we are not reduced to a level where the protection of the least capable and the most depraved amongst us determines what the morally healthy cannot view or read." - Justice Hidyatullah in K.A. Abbas v. Union of India. In the Janhit Manch case, the Bombay High Court held: "By the present petition what the petition seeks is that this court which is a protector of free speech to the citizens of this country, should interfere and direct the respondents to make a coordinated and sustained effort to close down the websites as aforestated. Once Parliament in its wisdom has enacted a law and has provided for the punishment for breach of that law any citizen of this country including the Petitioner who is aggrieved against any action on the part of any other person which may amount to an offence has a right to approach the appropriate forum and lodge a complaint upon which the action can be taken if an offence is disclosed. Court in such matters, the guardians of the freedom of speech, and more so a constitutional court should not embark on an exercise to direct State Authorities to monitor websites. If such an exercise is done, then a party aggrieved, depending on the sensibilities of persons whose view may differ on what is morally degrading or prurient will be sitting in judgment, even before the aggrieved person can lead his evidence and a competent court decides the issue. The Legislature having enacted the law a person aggrieved may file a complaint."

Q: Kapil Sibal has not been able to give conviction to objectionable content as social unrest can't take place through web and it needs well oiled machinery and as far as using offensive language against politicians is concerned it won't be curtailed through web and it will require better self regulation among politicians rather than being irresponsible

Asked by: Rij

A: I agree completely.

Q: Do you feel that Government (Congress in particular ) is trying to impose restrictions on social media to stifle the peoples anger against the Government and its leaders due to various scams and corruption?

Asked by: Santosh

A: No. I am taking Mr. Sibal's words at face value, that what they are trying to prevent is hate speech, inciting speech. Still, the means of doing so are undemocratic, ignorant of how the Internet functions, and liable to have very harmful consequences on our polity.

Q: Are our laws going to be like those in gulf countries with respect to censorship? In the name of communal messages, is there a motive to censor something else?

Asked by: Gaurav

A: It doesn't matter what the 'ulterior motive' is, and I'm not sure there is one. The touchstone should should be that of our Constitution and Article 19(1)(a), which guarantees freedom of speech and expression with the Article 19(2) laying down the reasons for which reasonable restrictions can be laid down. And in many ways our laws are worse than those in Saudi Arabia. There at least when a website is blocked or content removed the public is notified when they try and access the content. In India, there is no such notification.

Q: Is this being done as the politicians on the whole and congressmen in particular are not upon notwithstanding how true the comment is. Is it particular so when they are charry if any adverse comment is made on the Gandhis. All these politicians who have opted for public life need to be open for adverse comments as they are in the public limelight and or it is their privilege.

Asked by: Arun

A: The examples being cited by Kapil Sibal are of harming religious sentiments and inciting hatred. Be that as it may, even if the content deserves to be removed—and I can't comment until I see the content he finds offensive—doing so by mandating pre-censorship by intermediaries with liability fixed on them otherwise is a wrong way of going about it.

* The chat is over. Read the original published in IBN Live Chat here

For more details visit https://cis-india.org/news/ibn-live-chat-with-pranesh

Is That a Friend on Your Wall?

praskrishna — 2011-08-04T10:36:46Z

Before you start reading today’s column, have a look at the person sitting next to you. It might be a family member if you are at home, a friend in the club, a stranger in a cafe or a fellow commuter on the bus. Now take a moment to figure out how much you trust that person. The intensity of your trust would depend upon your familiarity, your social relationship and the time you’ve known that person.

However, what remains constant in all these different equations is the process by which trust is established in physical spaces.

How do we trust somebody? How do we know that we are safe with them? We rely on answers like “instincts”, “vibes” or “feelings”, which cannot be easily quantified or explained. The reason we do not have rational explanations for why and how we trust somebody is because we depend upon a social design of trust from the beginning of our social interactions. As young children, we were told not to speak with strangers or accept candy from them. As adults, we were taught that people who look like us and sound like us are probably safer for us. We learn, through signs and experience, on how to be safe in our daily life. Some signs are obvious, like “Beware of pickpockets”.

Others are learned, the way somebody looks at us, warns us of impending danger. We have learned now to decode physical appearances, intonations, backgrounds and body language in order to develop relationships of trust with people we meet.

Often, these relationships are mitigated by structures that we trust. We believe that students who study with our children are not going to cause them harm because their schools would have vetted out undesirable people. In public places, we are not paranoid that a gunman is going to start shooting at us because we believe that the law and order systems would have produced conditions of safety.

However, when we go online, the instincts which we have been trained in to decode people’s social performances suddenly become inadequate. Social cues online are difficult to decipher.

We no longer have the luxury of studying people “in-person”. Instead, we have to engage with them on interfaces, where their avatars become the faces that we talk to. As the famous cartoon goes, a dog on a laptop is telling another canine friend, “On the internet, nobody knows you are a dog!” For digital natives who populate these virtual worlds with great ease, this is perhaps one of the biggest challenges. Without having the social design that helps them evolve measures of safety or the advice of older generations (there are no older digital natives!), it becomes difficult for them to figure out how to trust somebody online. This lack of design often informs the paranoia about predators, about young users being exploited by those more skilled at navigating the environments, about bullying and exclusion that often happens in the online space. The digital immigrants or settlers look to the digital native for clues about how to trust somebody online.

Economic structures like banks, corporates and governments advise people on how to trust transactions online. Your bank has probably sent you information about phishing scams. Companies like Facebook also warn you to check URLs and warn you when you navigate to a page outside the Facebook universe. Governments are investing in hi-tech encryption services which can protect citizen data against fraud or misuse.

Browsers like Firefox have their own parsing techniques which warn you about the possible dubiousness of a webpage. All these measures, while they help to protect us online, still do not help us in determining how and why we trust somebody online.

This is a question that needs to be emphasised because the solutions do not reside in technology implementations. Just like trust is not a technology problem, the answers to the questions are also not going to be within technologies.

As we begin the second decade of the 21st century, it is time to start figuring out how we shall learn to identify elements of digital identities. Reminders and signposts about not sharing sensitive information online; a trust-based design system where users are empowered with credentials by their participation in the community and trust ratings provided by their peers will become an integral part of digital identities. We need to learn how to analyse online identities by making database searches, reading through the larger narratives of the avatars by using reference sites that can validate information about the user, and remember that online conversations also carry an element of risk. This will help decode digital behaviour and ensure that we make informed choices about trust online.

Read the original in Indian Express here

For more details visit https://cis-india.org/digital-natives/blog/is-that-a-friend

Is India's government becoming Big Brother?

praskrishna — 2013-06-05T09:39:53Z

India's new Central Monitoring System will give officials unprecedented access to calls, texts, and online activity.

The blog post by Talia Ralph and Jason Overdorf was published in Global Post on May 9, 2013. Pranesh Prakash is quoted.

The government has quietly started putting into place its new Central Monitoring System, a project that will give it access to its citizens' telephone calls, texts, and online activities.

The system, in development since 2009, will enable state agencies to monitor all digital interactions, the Times of India reported.

Work on CMS has been kept quiet for the past few years, although the newspaper reported that several government agencies ordered specialized equipment and systems for monitoring telecommunications.

India's government has steadily been increasing its access to telecommunications since the 2008 Mumbai bombings to help track militants and illegal activities.

The country — one of the world's fastest-growing internet markets — enacted its information technology law in 2000, and amended it twice, in 2008 and again in 2011.

As PCWorld described the new system,

The CMS will have central and regional databases to help central and state-level enforcement agencies intercept and monitor communications, the government said. It will also have direct electronic provisioning of target numbers by government agencies without any intervention from telecom service providers, it added. It will also feature analysis of call data records and data mining of these records to identify call details, location details, and other information of the target numbers.

Internet freedom activists and privacy experts worry the project offers far too much access to citizens' communications. They say official agencies allegedly misused and leaked tapped phone conversations, while the government has sought to quash dissent and silence critics on the internet under the guise of preventing hate speech.

"In the absence of a strong privacy law that promotes transparency about surveillance and thus allows us to judge the utility of the surveillance, this kind of development is very worrisome," Pranesh Prakash, the director of policy at the Center for Internet and Society, told the Times of India.

"Further, this has been done with neither public nor parliamentary dialog, making the government unaccountable to its citizens," he added.

The government last year blocked mobile phones and shut down social media sites ostensibly to prevent communal riots, but in the process blocked some 16 Twitter handles known to be critical of the government.

Critics of the CMS movement wrote a blog post arguing that the Indian government wants to use the law to censor "hate speeches and government criticism."

"We know the government today hates public criticizing it," the group Stop ICMS wrote on their blog. "The recent arrests of people for tweeting or posting on Facebook has proved that. Govt. does not like criticism that can be seen by everyone on the Internet."

The CMS program is in place in a "preliminary state" right now, with the full version expected to be in place by August 2014.

For more details visit https://cis-india.org/news/global-post-talia-ralph-jason-overdorf-may-9-2013-is-indias-govt-becoming-big-brother

Is India the next frontier for Facebook?

praskrishna — 2014-11-05T00:43:00Z

Pushing to bring hundreds of millions of Indians into the online world, Facebook founder Mark Zuckerberg on Thursday called for expanding his pet project to provide free mobile Internet for developing countries into India.

The article by Rama Lakshmi was published in Washington Post on October 9, 2014. Sunil Abraham was one of the signatories.

Zuckerberg, 30, the billionaire founder of the Facebook empire, arrives in India at a time when Facebook is losing its luster among American teens, but India’s vast market has yet to be fully tapped. A democratic country with a growing economy like India’s, with 1.2 billion people, two-thirds of whom are under the age of 35, is a market the company cannot afford to ignore.

India has the third-largest population of Internet users in the world at 205 million now, ranking after the United States and China. Yet the majority of its rural poor don’t have Internet access, and less than a tenth of its people, about 100 million, are on Facebook.

“Connectivity can’t be restricted to just the rich and powerful,” Zuckerberg said at a conference on connectivity in New Delhi. Rather, he said, it’s a basic “human right.”

Zuckerberg hopes to use his Internet.org connectivity initiative, which he started with a handful of other tech companies in 2013, to expand Indians’ online footprint and promote Facebook. He said the program will set aside $1 million to help develop local language apps for farmers, women and students in developing countries, including India.

In the past year, Zuckerberg said, Internet.org helped nearly 3 million people around the world gain access to the Internet and Facebook by working with cellphone operators in Indonesia, the Philippines, Paraguay, Tanzania and Zambia. In those countries, cellphone users signed up for data plans that included free but limited access to health and job information, Wikipedia, Google — and, of course, Facebook.

About 4.4 billion people in the world have no access to the Internet, and “the offline population is . . . disproportionately rural, low income, elderly, illiterate, and female,” said a report by McKinsey and Facebook. Countries such as Egypt, India and Indonesia face the greatest challenges with respect to incentives and infrastructure, the report said.

“It took 10 years for India to touch 100 million Internet users, but it grew to 200 million in just the last two years,” said Subho Roy, president of the Internet and Mobile Association of India. There are 930 million cellphone users in India today. “Cellphones have acted as the primary driver pushing Internet usage in the last two years,” Roy said.

Researchers note that new users’ first experience on the Internet is often on Facebook.

The free basic services that Facebook has promoted in different countries help cellphone users “to experience the Internet, use some things, to understand why it would be valuable for them and get exposure to other services that they might over time want to pay for,” Zuckerberg said.

But many critics say that commerce is driving Zuckerberg’s push for connectivity rather than philanthropy. They say many new users may not pay for wider Web access and that can create entrenched monopolies for companies like Facebook and Google.

“You are allowing people to roam the walled garden of Internet for free. But if they don’t pay to use unlimited Web access, you are also creating monopolies and blocking competition in the Internet space,” said Sunil Abraham, executive director of the Center for Internet and Society in Bangalore. “But in India, we are so hungry for Internet access that we cannot afford to look a gift horse in the mouth. Until India builds physical Internet infrastructure, this will help us in the short term to get connected.”

Zuckerberg said cellphone operators are free to choose which services they want to include in the package: “There is no rule that says that Facebook or any other company has to be included in this. All we are saying is that this is a model that works to get more people on the Internet.”

And Facebook’s India push is not all about chasing numbers, Zuckerberg said.

“The sheer numbers are obviously a very important part of it,” he said. “If you can do it in a country like India, you are improving hundreds of millions, or maybe a billion, people’s lives, whereas doing it in almost any other country, you wouldn’t be able to have that impact.”

India’s new prime minister, Narendra Modi, a user of social media, has set an ambitious target of building a broadband highway connecting 250,000 village councils across the country in the next three years. Zuckerberg said he will meet Modi on Friday to “see how Facebook can help” in India’s new connectivity drive.

For more details visit https://cis-india.org/internet-governance/news/washington-post-october-9-2014-rama-lakshmi-is-india-the-next-frontier-for-facebook

Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No

praskrishna — 2016-09-22T00:57:02Z

From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.

The article by Sushil Kambampati was published in the Wire on September 21, 2016. Pranesh Prakash was quoted.

In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.

However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On May 17, the cyber-security firm Symantec stated in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.

A week later, another cyber-security firm, Kaspersky Lab, announced that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities.

Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators reveal the attack, the target of the attack discloses the breach, or because the leaked data shows up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations received tepid coverage in India. A few news organisations published the same wire story that basically rewrote information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause.

Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.

This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government goes on high alert, resources are mobilised and the public is warned. The government then tries to identify the threat and stop it from doing any harm. Citizens demand that in the future the government take proactive steps to catch infiltrators and prevent any future threats.

Weak government response

One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was used to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm of these breaches cannot be understated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange.

All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values.

Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, disrupt control systems of electrical grids or nuclear facilities and gain access to everything the government knows about its citizens, including personal details, financial information and identity information. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent attempt to heist $800 million from the central bank of Bangladesh.

A report on risks facing India, published in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have  a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.”

In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.

In the Suckfly case, it took a right-to-information query from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.

The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s Computer Emergency Response Team (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.

CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact email address bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is registered in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative.

The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification issued on June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an RTI query to get a statement from the RBI, and there it responded that it had no information on the matter.

The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack.

SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too much time for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.

What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.

Right or wrong?

The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec.

On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach.

If Symantec’s is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India is one of the world’s ten largest economies and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and to let the public know which organisations may be compromised.

According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”

Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know.

What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first revealed by security reporter Michael Krebs. Target was criticised for not coming forth itself and faced several lawsuits. In the US, most states and jurisdictions have laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must report a breach within 24 hours and other organisations have 72 hours.

India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added.

According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.

Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has grown rapidly in India, a study in 2014 by YourStory and Kalaari Capital found that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase.

When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.

As the KPMG report states, cyber attacks are only going to become more common. Despite multiple warnings, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.

For more details visit https://cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks

Is India Ignoring its own Internet Protections?

praskrishna — 2012-01-17T05:33:40Z

India’s information technology law of 2008 limits the liability of Internet companies for material posted on their Web sites by users, including anything government regulators deem objectionable. The firms are supposed to be notified of offensive content — by users or the authorities — and then remove it when legally warranted.

If that’s how the system is supposed to work, then why did the Indian government just sanction a criminal lawsuit against Google, Facebook and 19 other companies that all but ignores those protections in the information technology law?

That is one of the most puzzling elements of the legal drama over free speech on the Web that is unfolding in New Delhi.

The case against the companies, brought by Urdu weekly journalist Vinay Rai, accuses them of violating various provisions of India’s criminal code by allowing material that is mocking or offensive to religious and political figures to stay on their social networking sites. There are charges of inciting communal passions and disturbing public order – catchall stuff normally meant to give police tools to rein in hooligans.

The punishments for these criminal offenses can include several years of jail time and stiff fines. That these elements of the criminal code are now being used to target Internet companies is somewhat bizarre, especially when one considers the apparently careful lawyering that went into drafting protections for Internet companies a few years ago.

As Google and others fight the charges – today they are continuing an appeal in Delhi High Court to quash the case – they will likely make the case that the courts cannot ignore India’s I.T. law. “It isn’t a trivial defense – the court cannot dismiss it,” said Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, a civil liberties advocacy group. “The I.T. act provides immunity to (Internet companies) and that should be the default starting position.”

A spokesman for India’s telecom ministry did not immediately respond to a request for comment. We’ve described Mr. Rai’s rationale for filing the lawsuit in a separate post.

The crackdown on Web companies couldn’t come at a worse time for the emerging Internet sector in India, which many analysts believe has a potential to grow from about 100 million users to more than 300 million within a few years if nurtured. Facebook and Google representatives declined to comment on the case.

The protections for Internet firms are fairly clear in Section 79 of the 2008 law, known as India’s I.T. Act Amendments. An “intermediary,” or Internet firm, “shall not be liable for any third party information, data or communication link.” There are several caveats, of course – the company can’t initiate or solicit the harmful post and can’t coordinate with the offender. Under the rules that India put into place last April to implement the act, companies must remove material that is “grossly harmful, harassing, blasphemous, defamatory” as well as anything “ethnically objectionable, disparaging” or “otherwise unlawful in any manner.”

Internet companies and civil society advocates weren’t happy with those guidelines, finding them far too draconian and subjective. But at least the law required that the companies be notified of such content and be given a chance to remove it within 36 hours. (The punishments for not removing offensive content within 36 hours would depend on the underlying laws governing that content in India; in general, prison time and fines would both be possible.)

In the case of the Vinay Rai lawsuit, such procedures don’t appear to have been followed. Google has told the court it hasn’t seen the allegedly offensive material or been notified about it. Mr. Rai says he didn’t flag the content to Google or others, because he believed his duty as a citizen was to notify the government.

What was the point of passing the I.T. law if it’s being swept to the side?

The article by Amol Sharma was published in the Wall Street Journal on 16 January 2012

For more details visit https://cis-india.org/news/is-india-ignoring-its-own-internet-protections

Is freedom of expression under threat in the digital age?

praskrishna — 2013-02-03T10:50:52Z

This week Index held a high level panel debate in partnership with the Editors Guild of India and the India International Centre to discuss the question “Is freedom of expression under threat in the digital age?” Mahima Kaul reports

This post by Mahima Kaul was published in Index on Censorship on January 18, 2013.

Index on Censorship, in partnership with The Editors Guild of India, hosted a debate in New Delhi on Tuesday (15 January) asking, “Is freedom of expression under threat in the digital age?” Discussing the topic were Ajit Balakrishnan (founder and Chief Executive of rediff.com), Index on Censorship CEO Kirsty Hughes, Sunil Abraham (Executive Director of the centre for Internet and Society), and Professor Timothy Garton Ash, Director of the Free Speech Debate project.

Sunil Abraham questioned the idea of technology specific “internet freedom” that has been advocated by many not least the US Secretary of State Hillary Clinton. He said there was for instance much greater freedom and diversity on Indian TV than in the US. He also argued that that this freedom does not seem to extend to a right of access to knowledge, as demonstrated by the charges brought against open access activist and developer Aaron Swartz, who committed suicide earlier this month. Swartz was facing charges for allegedly downloading 4.8 million academic articles from subscription-only digital library JSTOR.

Abraham said one unintentional effect of censorship by governments is that it teaches citizens how to protect themselves online. Finally, he questioned the Indian government’s draconian laws and arbitrary actions in the digital realm, wondering whether this is the authorities’ way of warning future netizens about “acceptable online behaviour”, to condition the public not to criticise the government and to create a chilling effect.

Digital

Is freedom of expression under threat in the digital age?

18 Jan 2013

This week Index held a high level panel debate in partnership with the Editors Guild of India and the India International Centre to discuss the question “Is freedom of expression under threat in the digital age?” Mahima Kaul reports

Freedom of expression is always under threat and in need of defending, argued Timothy Garton Ash. However, he didn’t think the threat was particularly high today in the digital realm — rather the threats to privacy were what were particularly concerning online. With 76.8 per cent of India’s 1.2 billion population connected by mobile phone, there is an extraordinary opportunity for the prevalence of freedom of expression brought about by new technologies. But he said there are also a lot of challenges to free expression in India — and that “swing states” such as Brazil and India will be very important in determining where the global conversation goes on freedom of expression

Ajit Balakrishnan, founder of web portal Rediff.com, explained that many of the problems that have occurred in the digital realm in India have to do with poor drafting of legislation. He was particularly concerned about intermediary liability and explained why and how intermediaries roles needed protecting. He also explained that government officials have genuine problems with phrasing, and that when it comes to the application of these laws, understanding them and when they should be applied will take another 25 years. He added that the country is challenged by a legal system ill-equipped for coping with new technologies.

Kirsty Hughes said that freedom of expression is a universal right, meant to be applied across borders not just within countries. She said that while the digital domain allowed a big expansion in freedom of expression there were risks we are heading towards a more controlled net, a partially censored net, and a fragmented net (for instance with Iran attempting to build its own internet disconnected from the rest of the world). She said that some of the negative reactions by government to social media in India were seen to in the UK where there had been a trend towards criminalising supposedly offensive comment — although the new interim guidelines on social media prosecutions were a step in the right direction. Hughes emphasised three main concerns — state censorship, privatisation of censorship and the role of big companies, and mass surveillance. She pointed out that the British government had pushed for extensive surveillance with the Communications Data Bill, but this has now been shelved after a critical report from MPs.

Ramanjit Singh Chima, policy adviser for Google, said that the question is not about absolute freedom, but about what is appropriate and lawful. He emphasised that in the US, judges had strongly defended free expression online as they saw the digital world as a powerful space for free exprssion. He pointed out how effective social media tools, including Google’s own products, have become in helping during emergency situations like natural disasters and terrorist attacks. He also pointed out that the internet is not only about free expression but business as well. The internet contributes to 1.6 per cent of India’s GDP. Singh Chima said positive judgements by US and EU courts protect the users, adding that regulation for the net should be appropriate for its engineering.

For more details visit https://cis-india.org/news/index-on-censorship-mahima-kaul-january-18-2013-is-freedom-of-expression-under-threat-in-the-digital-age