Centre for Internet and Society

An Interview with David Baines

praskrishna — 2011-11-08T09:33:07Z

Maureen Agena interviewed David Baines, Deputy Director, Mada (Qatar Assistive Technology Center). Maureen asked questions regarding the status of disabled persons in Qatar, the level of ICT accessibility awareness for PWDs in Qatar, efforts of the Qatar Government towards Mada relating to policy measurements, schemes for PWDs, etc.

Following is the transcript of an interview by Maureen, a CIS consultant from Uganda with David Banes, Deputy Director, Mada Assistive Technology Centre, Qatar:

What is the status of disabled persons in Qatar or Mada in terms of number, age and gender and the kind of the work Mada is engaged in?
There are officially some 10,000 disabled people in Qatar across a wide range of needs. This doesn’t include people who are ageing and acquiring moderate disabilities as a result of their age. Mada works with any disability, any age for any purpose, supporting both Qatari citizens and residents. We work with both men and women including the Arabic and non-Arabic speaking visitors.
What is the level of ICT accessibility awareness for PWDs in Qatar?
As more and more people in Qatar use ICT every day so the awareness of barriers is increasing. Mada has been working hard to raise public awareness through cinema, television and radio ads and even video ads in the local shopping malls! More importantly we are working hard to make sure that disabled people are aware of the potential of technology to change their lives, and so we work closely in partnership with other services for people with a disability to integrate accessibility activity.
Are there any efforts of the Qatar Government towards Mada in terms of policy measures, programmes, schemes for PWDs? How about efforts by companies or universities?
IctQatar currently has an e-accessibility policy out for consultation. The policy is wide ranging and offers detailed expectations across the public sector for websites, but also requires accessible ATM’s, telephone and emergency services to be introduced.
What is the situation of copyright law in Qatar?
Copyright and IPR are both respected in Qatar. We are delighted that creative commons is being introduced to the country allowing for alternative formats of documents to be more readily produced.
Do you have an exception in your copyright law permitting conversion into any format for the disabled without permission?
Not yet.
What is the level of development at Mada in terms of assistive technologies? Specifically screen readers in Arabic.
Mada is extremely busy in supporting both commercial and open source development of AT in Arabic. We have eight projects due to announce in the very near future. Screen readers are well developed in Arabic, but we are looking forward to seeing a more basic text to speech tool created to lower the cost of entry point for blind users on a limited budget.
Does Mada have any collaborative development with surrounding Arabic nations?
We welcome collaborations across the region and internationally. We speak regularly to organisations in Dubai, Abu Dhabi and then more widely to Egypt and Tunisia. Collaboration is very much central to our approach.
Approximately how many organizations are working actively in Qatar on accessibility for Persons with Disabilities? (Name any)
Mada is the hub for accessibility in Qatar. But we work closely with the Shafallah Center for Special Needs, Al Noor Institute for the Blind and Hamad Medical Corporation.
Kindly share some details about the different areas of work of Mada centre?
Probably best to look at our new updated website www.mada.org.qa, and http://mada.org ;http://twitter.com/madaQATC or http://facebook.com/madaQATC.
What do you feel are important factors/ resources which are helpful to you in your advocacy?
Maintaining effective networks both within Qatar and beyond. One ambition is to establish an online forum whereby the views of disabled people on priorities for digital inclusion can be gleaned.
And what are the kinds of resources that PWDs would find useful if they had access to?
Great levels of Arabic accessible digital content and Arabic supported assistive technologies.
There is a draft ICT accessibility legislation. What are the highlights of this draft policy?
The policy is wide ranging and identifies targets for government websites, banks and telecoms.
How long do you think it may take to get it adopted and what are the implications for the Government, NGOs, industry and others?
Unable to answer this currently.
Do you at Mada have any digital libraries for the blind? If yes, approximately how many books are there?
No. But we are collaborating with Bookshare internationally to deliver this.
Is Mada, Centre of Assistive Technology able to exchange books with neighbouring countries?
Yes, where licences allow, we choose Bookshare as our partner to encourage international sharing of books for the disabled community.
At Mada, you do focus a lot on training. What are your different target audiences?
Training people with a disability in both accessible IT training and assistive technologies
Professionals including teachers and therapists
Parents and family
IT professionals including Web developers
Human resource professionals and employers.
How many people have you trained to date?
Over 200 including the first accredited AT training in Qatar for 20 participants.
Anything about Mada disability legislation which is relevant to ICT accessibility?
N/A.
Did Qatar sign the UNCRPD? How is implementation going on?
Yes, Mada is a direct response to that action.
Any specific details about web accessibility, audits/ evaluations conducted to look at accessibility of public web sites- details. (Any report which is available in English?)
We are completing an initial benchmarking study currently – no details have yet been made available. We are completing around 2 full site audits a month on major private and govt sector websites and feedback is being provided directly to those organisations to develop an action plan.

Thank you

Maureen Agena

About the Mada Centre

Mada (Qatar Assistive Technology Centre) is committed to using assistive technologies (AT) as a means of creating more accessible workplaces. As part of connecting people with disabilities to the world of information and communication technology, Mada launched a nationwide accessibility initiative with its partners, Qatar Telecom (Qtel) and Vodafone Qatar on 7 December 2010. The purpose of the initiative named "Connected" will ensure that persons with disabilities do not have to pay more than others to use mobile telecommunications technology.

The centre enables adults and children with disabilities to use computers, mobile devices and the Internet at home by offering a full range of services and resources related to assistive technologies. At Mada, people of all ages, with any type of disability are able to visit the interactive resources centre to try out the latest assistive technology and access assessment and training services. The Mada team is able to assist in choosing a suitable solution through impartial and expert advice.

For more details visit https://cis-india.org/accessibility/interview-mada-centre

IP Addresses and Expeditious Disclosure of Identity in India

Prashant Iyengar — 2012-12-14T10:20:59Z

In this research, Prashant Iyengar reviews the statutory mechanism regulating the retention and disclosure of IP addresses by Internet companies in India. Prashant provides a compilation of anecdotes on how law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Over the past decade, with the rise in numbers of users, the internet has become an extremely fraught site that has been frequently used in India for the perpetration of a range of 'cyber crimes' — from extortion to defamation to financial fraud. In a revealing statistic, in 2010, the Mumbai police reportedly "received 771 complaints about internet-related offences, 319 of which were from women who were the victims of fake profiles, online upload of private photographs and obscene emails."[1]

Law enforcement authorities in India have not exactly lagged behind in bringing these new age cyber criminals to book, and have installed special ‘Cyber crime cells’ in different cities to combat crimes on the internet. These cells have been particularly adept at using IP Addresses information to trace individuals responsible for crimes. Very briefly, an Internet Protocol address (IP address) is a numeric label – a set of four numbers (Eg. 202.54.30.1) - that is assigned to every device (e.g., computer, printer) participating on the internet. [2] Website operators and ISPs typically maintain data logs that track the online activity of each IP address that accesses their services. Although IP Addresses refer to particular computers – not necessarily individual users – it is possible to trace these addresses backwards to expose the individual behind the computer. [3] As even a casual Google search with the phrase “IP, police, India” would reveal, police authorities in different cities in India have been quite successful in employing this technology to trace culprits.

However, along with its utility in the detection of crime, the tracking of persons by their IP addresses is potentially invasive of individuals’ privacy. In the absence of a culture of strict adherence to the ‘rule of law’ by the police apparatus in India, the unbridled ability to track persons through IP addresses has the potential of becoming an extremely oppressive tool of surveillance.

In this short note, we review the statutory mechanism regulating the retention and disclosure of IP addresses by internet companies in India. In order to provide context, we begin with a compilation of anecdotes on how various law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Examples of use and abuse by Indian authorities

As mentioned above, the online media has been humming with stories which indicate the extent to which IP Addresses has become a useful and frequently deployed weapon in the arsenal of law enforcement agencies:

In May 2010, an Army officer stationed in Mumbai was arrested for distributing child pornography from his computer. [4] He was traced by the Mumbai Police after the German Federal Police alerted Interpol that objectionable pictures were being uploaded from the IP address he was using.
In February 2011, Cyber Crime Police in Mumbai sought IP address details of a user who had posted ‘Anti Ambedkarite’ content on Facebook – the popular social networking site. [5]
In February 2008, internet search company Google was ordered by the Bombay High Court to reveal "particulars, names and the address of the person" who had posted defamatory content against a company on Google’s blogging service Blogger.[6]
In September 2009, a man was arrested by the Delhi Police in Mumbai for blackmailing classical musician Anoushka Shankar. The culprit had allegedly hacked into her email account and downloaded copies of personal photographs. He was traced by using his IP address.[7]
In April 2010, Gurgaon Police arrested a teenage boy for allegedly posting obscene messages about an actress on Facebook. The newspaper account reports that "During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer." [8]
In February 2011, the police traced a missing boy who had run away from home, by following the IP address trail he left when he updated his Facebook profile status. [9]

What is clearly evident from these accounts is a growing awareness and enthusiasm on the part of Indian law enforcement agencies to use IP address trails as a routine part of their criminal investigative process. While this is not unwelcome, considering the kinds of grievances listed above and the backdrop a dismal record of criminal enforcement in India, there is also a flip side. In a shocking incident in August 2007, Lakshmana Kailash. a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. [10] The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and jailed for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages.[11] This incident sounds a cautionary note, amidst so many celebratory accounts, signalling that grave human rights abuses could result from the unchecked use of this technology.

These are just seven out of scores of instances of Indian investigative authorities tracing culprits using IP addresses. The crimes range from blackmail to impersonation, to defamation to planning terror attacks. Seldom in these cases has a court order actually been required by the agency that discloses the IP address of the individual.[12] Clearly there seems to be a very easy relation between law enforcement agencies in India one the one hand, and Internet Service Providers and online services such as Google and Facebook on the other.

Google’s own ‘Transparency Report’[13] which provides statistics on the number of instances where Governments agencies have approached the company demanding information or take-down, states that that it received close to 1700 ‘data requests’ from Indian authorities between January to June 2010 – ranking India 3rd globally in terms of such requests behind the United States and Brazil. That a high percentage – 79% - of these requests have been complied with indicate that within a short span of time, ‘Indian authorities’ have discovered in Google, a reliable and pliable ally in seeking information about their subjects. In 2007, Orkut -a social-networking site owned by Google- even entered into a co-operation agreement with the Mumbai police in terms of which “'forums' and 'communities'” which contained “defamatory or inflammatory content” would be blocked and the IP addresses from which such content has been generated would be disclosed to the police. [15]

Although similar transparency reports are not forthcoming from the other Internet giants such as Yahoo or Facebook, one may presume that this co-operation has not been withheld by them. [16]

In the sections that follow, we outline the legal framework that facilitates this co-operation between law enforcement authorities and web service providers.

Lawful disclosure of IP Addresses

In this section, we are seeking a legal source for the compulsion of ISPs and intermediaries (including websites) to disclose IP Address data. Are there guidelines in Indian law on how much information must be disclosed, under what circumstances and for how long?

Broadly, there are four sources to which we may trace this regime of disclosure and co-operation. Firstly, ISPs are required, under the operating license they are issued under the Telegraph Act, to provide assistance to law enforcement authorities. Secondly, the Information Technology Act contains provisions which empower law enforcement authorities to compel information from those in charge of any ‘computer resources’. Reciprocally, ‘intermediaries’ – including ISPs and websites - are charged under new Rules under the IT Act with co-operating with government agencies on pain of exposure to financial liability. Thirdly, the Code of Criminal Procedure defines the scope of police powers of investigation which include powers to interrogate and summon information and Fourthly, individual subscribers enter into contracts with ISPs and web services which do not offer any stiff assurances of privacy with regard to the IP Address details.

The sections that follow offer greater detail on each of these areas of the law.

Monitoring of internet users under the ISP licenses

ISPs are regulated and operate under a license issued under the Telegraph Act 1885. Section 5 of the Telegraph Act empowers the Government to take possession of ‘licensed telegraphs’ and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence."

Although the statute governs the actions of ISPs in a general way, more detailed guidelines regulating their behaviour are contained in the terms of the licenses issued to them which set out the conditions under which they are permitted to conduct business. The Internet Services License Agreement (which authorizes ISPs to function in India) contains provisions requiring telecom operators to safeguard the privacy of their consumers or to co-operate with government agencies when required to do so. Some of the important clauses in this agreement are:

Part VI of the License Agreement gives the Government the right to inspect/monitor the ISPs systems. The ISP is responsible for making facilities available for such interception.
Clause 32 under Part VI contains provisions mandating the confidentiality of information held by ISPs. These provisions hold ISPs responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place. Towards this, ISPs are required:

to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavours to secure that :
to ensure that no person acting on behalf of the ISPs divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and
This safeguard however does not apply where (i) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or (ii) The information is already open to the public and otherwise known.
To take necessary steps to ensure that any person(s) acting on their behalf observe confidentiality of customer information.

Clause 33.4 makes it the responsibility of the ISP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.
Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.
Clause 34.12 and 34.13 requires the ISP to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.
Clause 34.16 requires the ISP to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.
Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.
Clause 34.23 mandates that the ISP maintain "all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor".
Clause 34.28 (viii) forbids the ISP from transferring the following information to any person/place outside India:

Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and
User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).

Clause 34.28(ix) and (x) require the ISP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.
Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well).

From the list above, it is very clear that by the terms of their licenses, ISPs are required to maintain extensive logs of user activity for unspecified periods. However, it is unclear, in practice, to what extent these requirements are being followed by ISPs. For instance, an article in the Economic Times in December 2010 [18] reports:

"The Intelligence Bureau wants internet service providers, or ISPs, to keep a record of all online activities of customers for a minimum of six months. Currently, mobile phone companies and internet service providers do not keep online logs that track the web usage pattern of their customers. They selectively monitor online activities of only those customers as required by intelligence and security agencies, explained an executive with a telecom company." (emphasis added)

The news report goes on to disclose the ambitious plans of the Intelligence Bureau to “put in place a system that can uniquely identify any person using the internet across the country” through “a technology platform where users will have to mandatorily submit some form of an online identification or password to access the internet every time they go online, irrespective of the service provider.” Worryingly, the report goes on to discuss the setting up by the telecommunications department of “India's indigenously-built Centralised Monitoring System (CMS), which can track all communication traffic—wireless and fixed line, satellite, internet, e-mails and voice over internet protocol (VoIP) calls—and gather intelligence inputs. The centralised system, modeled on similar set-ups in several Western countries, aims to be a one-stop solution as against the current practice of running several decentralised monitoring agencies under various ministries, where each one has contrasting processing systems, technology platforms and clearance levels.” Although as of this writing, this CMS is not yet fully functional, its launch seems to be imminent and will inaugurate with it, an era of constant and continuous surveillance of all internet users.

Provisions under the IT Act 2000

The IT Act enables government agencies to obtain IP Address details from intermediaries, including ISPs, by following a stipulated procedure. In addition, it enjoins intermediaries to co-operate with law enforcement agencies as a part of their due-diligence behaviour.

In a parallel, seemingly conflicting move, the IT Act also requires intermediaries to observe stiff Data Protection norms. In the sub-sections that follow, we look at each of these various provisions under the IT Act.

Interception and Monitoring of computer resources

There are two regimes of interception and monitoring information under separate sections the Information Technology Act. Both would seem capable of authorising access of IP Addresses, among other information to government agencies.

Section 69 deals with “Power to issue directions for interception or monitoring or decryption of any information through any computer resource”.

In addition, the Government has been given a more generalised monitoring power under Section 69B to “monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource”. This monitoring power may be used to aid a range of “purposes related to cyber security.”[19] “Traffic data” has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.”

Rules have been issued by the Central Government under both these sections which are similar, although with important distinctions. These rules stipulate the manner in which the powers conferred by the sections may be exercised.

The important difference between the two sections is that while Section 69 provides a mechanism whereby specific computer resources can be monitored in order to learn the contents of communications that pass through such resource, Section 69B by contrast provides a mechanism for obtaining ‘meta-data’ about all communications transacted using a computer resource over a period of time – their sources, destinations, routes, duration, time etc without actually learning the content of the messages involved. The latter type of monitoring is specifically in order to combat threats to ‘cyber security’, while the former can be invoked for a number of purposes such as the securing of public order and criminal investigation. [21]

However, this distinction is not very sharp – an interception order under Section 69 directed at a computer resource located in an ISP can yield traffic data in addition to the content of all communications. Thus for instance, if a direction was passed ordering my ISP to intercept “all communications sent or received by Prashant Iyengar”, the information obtained by such interception would include a resume of all emails exchanged, websites visited, files downloaded etc. In such a case, a separate order under Section 69B would be unnecessary. An important clue about their relative importance may lie in the different purposes for which each section may be invoked coupled with the fact that while directions under Section 69 can be issued by officers both at the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. [22] This indicates that the collection of traffic data by the government under Section 69B is intended to facilitate the securing of India’s ‘cyber security’ from possible external threats – a Defence function – while the interception powers under Section 69 are to be exercised for more domestic purposes as aids to Police functions.

The rules framed under Section 69 and Section 69B contain important safeguards stipulating, inter alia, to a) Who may issue directions b) How are the directions to be executed c) The duration they remain in operation d) to whom data may be disclosed e) Confidentiality obligations of intermediaries f) Periodic oversight of interception directions by a Review Committee under the Telegraph Act g)maintenance of records of interception by intermediaries h) Mandatory destruction of information in appropriate cases.

Although these sections provide powerful tools of surveillance in the hands of the state, these powers may only be exercised by observing the rather tedious procedures laid down. In the absence of any data on interception orders, it is unclear to what extent these powers are in fact being used in the manner laid down. Certainly, from the instances cited in the beginning of this paper, the police departments in the various states do not seem to need to invoke these powers in order to obtain IP Address information from ISPs or websites. This information appears to be available to them merely for the asking. How do we account for this unquestioning pliancy on the part of the ISPs?

In February 2011, Reliance Communications, a large telecom service provider disclosed to the Supreme Court that over a hundred and fifty thousand telephones had been tapped by it between 2006 and 2010 – almost 30,000 a year. A majority of these interceptions were conducted based on orders issued from state police departments whose legal authority to issue them is suspect. New rules framed under the Telegraph Act in 2007 required such orders to be issued only by a high-ranking Secretary in the Department/Ministry of Home Affairs. [23] The willing compliance by Reliance with the police’s requests indicates both their own as well as the police’s blithe unawareness about the change in the regime governing tapping. Things seem to have continued just as before through pure inertia.

To return to the question about why ISPs comply with police requests, it is conceivable that this same inertia, and an intuitive confidence both on the part of the police and the ISPs that they would not be made to answer for their disclosures, is what explains the ready and expeditious access that ISPs give police departments to IP Address details. In the next sub-section we examine intermediary liability rules which require intermediaries to positively disclose personal information to law enforcement authorities.

Data Protection Rules

Section 43A of the IT Act obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which, they would be liable to compensate those affected by any negligence attributable to this failure.

In April 2011, the Central Government notified rules under section 43A of the Information Technology Act in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold. Since traffic data including IP Address data is one kind of personal information that ISPs hold, and since all ISPs are ‘body corporates’, these rules apply to them equally and define the terms on which they may deal with such information.

Rule 3 of these Rules designates various types of information as ‘sensitive personal information’ including passwords, medical records etc.[25] Significantly, for the purposes of this paper, IP address details are not included in this list.

Body Corporates are forbidden from collecting any information without prior consent in writing for the proposed usage. Further, Sensitive personal information may not be collected unless - (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and (b) the collection of the information is necessary for that purpose. [Rule 5]

Rule 4 enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” including on a website. The policy must provide the following details:

Clear and easily accessible statements of its practices and policies;
Type of personal or sensitive information collected;
Purpose of collection and usage of such information;
Disclosure of such information as provided in rule 6 [27]
Reasonable security practices and procedures as provided under rule 8.

Rule 6 enacts as a general rule that disclosure of information “by the body corporate to any third party shall require prior permission from the provider of such information”. Consent is, however, not required, “where disclosure is necessary for compliance of a legal obligation”. This is further fortified by a proviso to the rule which stipulates the mandatory sharing of information “without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.” In such a case, the Government agency is required to “send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information.” The government agency is also required to “state that the information thus obtained will not be published or shared with any other person.” [28]

Sub Rule (2) of Rule 6 requires “any Information including sensitive information” to be “disclosed to any third party by an order under the law for the time being in force.” This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

Rule 8 requires body corporates to implement documented security standards such as the international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System”.

What is curious about these rules is that its provisions, particularly those relating to lawful disclosure, appear to go much further than the limited purpose authorised by section 43A under which they are framed. Section 43A is intended only to fix liability for the negligent disclosure of information by body corporates which results in wrongful loss. It is not intended to inaugurate a regime of mandatory disclosure, as the Rules attempt to do. In positively requiring, body corporates to disclose information upon a mere request by any ‘government agency’, these rules attempt to create a parallel, much softer mechanism by which the same information that is dealt with under Sections 69 and 69A and rules framed under them can be accessed by a far wider range of governmental actors.

Even more curious is the fact that the only legal consequence to the ISP for its negligence in disclosing information to government agencies as stipulated in the rules is that it exposes itself to possible civil liability from the ‘person affected’. [29] Thus, conceivably, if an ISP failed to disclose IP Address data of its users to the police at the instance of, say, targets of online financial fraud, they can be sued by the victims of such fraud. With no incentive to assume this ridiculous burden, it is foreseeable that ISPs would hasten to comply with every request for information from a government agency– however whimsically issued.

Intermediary Due Diligence

Section 79 of the IT Act makes intermediaries, including ISPs liable for third party content hosted or made available by them unless they observe ‘due diligence’, follow prescribed guidelines and disable access to any unlawful content that is brought to their attention. Rules were notified under this section in April 2011 which defined the ‘due diligence’ measures they were required to observe. [30]

Accordingly, ISPs are required to forbid users from publishing, uploading or sharing any information that:

belongs to another person and to which the user does not have any right to;
is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
harm minors in any way;
infringes any patent, trademark, copyright or other proprietary rights;
violates any law for the time being in force;
deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
impersonates another person;
contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

Upon being notified by any ‘affected person’ who objects to such information in writing, the ISP is required to “act within thirty six hours and where applicable, work with user or owner of such information to disable such information”. [31]

Further, “when required by lawful order”, the ISP, website or any other intermediary “shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.”

Visible here is the same attempt at subversion of Sections 69 and 69B as discussed in the previous section under the Data Protection Rules. Failure to observe these ‘due diligence’ measures – including disclosure of IP Address details – would expose ISPs and web-services like Google and Facebook to civil liability under Section 79, a risk they would not likely or lightly wish to assume.

Police powers of investigation

Apart from the provisions under the IT Act, to what extent are the police in India empowered under the Criminal Procedure Code to simply requisition information - including IP Addresses of suspects - from ISPs and Websites? In the course of routine investigation into other offences, the police have wide powers to summon witnesses, interrogate them and compel production of documents. Can these powers be invoked to obtain IP Address information? Are ISPs and Websites somehow immune from complying with these requirements?

Section 91 of the Code of Criminal Procedure empowers courts or police officers to call for, by written order, the production of documents or other things that are “necessary or desirable” for the purpose of “any investigation, inquiry, trial or other proceeding under the Code”.

Sub-section 3 of this section however limits the application of this power by exempting any “letter, postcard, telegram, or other document or any parcel or thing in the custody of the postal or telegraph authority.” Such documents can only be obtained under judicial scrutiny by following a more rigorous procedure laid down in Section 92. Under this section, it is only if a “District Magistrate, Chief Judicial Magistrate, Court of Session or High Court” is of the opinion that “any document, parcel or thing in the custody of a postal or telegraph authority is.. wanted for the purpose of any investigation, inquiry, trial or other proceeding under this Code” that such document, parcel or thing can be required to be delivered to such Magistrate or Court.

However the same section empowers lesser courts and officers such as “any other Magistrate, whether Executive or Judicial, or of any Commissioner of Police or District Superintendent of Police” to require “the postal or telegraph authority, as the case may be .. to cause search to be made for and to detain such document, parcel or thing” pending the order of a higher court.

Section 175 makes it an offence for a person to intentionally omit to produce a document which he is legally bound to produce. In case the document was to be delivered to a public servant or police officer, such omission is punishable with simple imprisonment of up to one month, or with fine up to five hundred rupees or both. If the document was to be delivered to a Court of Justice, omission could invite simple imprisonment up to six with or without a fine of one thousand rupees.

In the context of our discussion on IP Addresses, the following questions emerge:

Are ISPs “telegraph authorities” so that the police are ordinarily prohibited from requisitioning information from them without obtaining orders from a court.
Similarly are Webmail and social networking sites “telegraph or postal authorities” so that securing information from them requires the following of the special procedure laid down in Section 92

Section 3(6) of the Indian Telegraph Act, 1885 defines "telegraph authority" as “the Director General of [Posts and Telegraphs], and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act”. This would seem to exclude all private sector ISPs from the definition, presumably opening them up to ordinary summons issued under Section 91.

However, Section 3(2) defines a "telegraph officer" to mean “any person employed either permanently or temporarily in connection with a telegraph established, maintained or worked by [the Central Government] or by a person licensed under this Act;” Under this section, employees of private ISPs such as Airtel would also be regarded as “telegraph officers” and if we can extend this logic, with some interpretative work, the ISPs themselves might be regarded as “telegraph authorities”. In the absence of definite rulings by the judiciary on this question, however, the ordinary presumption would be that private ISPs are not “telegraph authorities” and are answerable, like all private companies, to requisitions made under Section 91.

This leaves open the question of whether a government company like BSNL would count as a ‘telegraph authority’. If it is, then it would put internet communications conducted through BSNL on a more secure footing than through other ISPs. As things stand, however, it appears that BSNL seems to be extending its co-operation to the police in tracking mischief online , in the same manner as other ISPs.

The second question is relatively more straightforward. The definition of “Post Office” in the Indian Post Office Act 1898 restricts its meaning to “the department, established for the purposes of carrying the provisions of this Act into effect and presided over by the Director General [of Posts and Telegraphs]” (Section 2k). Despite their primary functions as email providers, it seems unlikely that any magistrate would interpret webmail providers like Hotmail and Google as “postal authorities” so as to be immune from police summonses under Section 91. Such an interpretation would, nevertheless, be in keeping with the spirit of the postal exemptions, since these sections seem to be aimed at requiring judicial oversight before the privacy of communications may be disturbed. It would be fitting for an amendment to be introduced to the Code of Criminal Procedure to update these sections in line with new technological developments.

Before parting with this section, it must be asked whether the procedure under the IT Act or the CrPC must be followed. Section 81 of the Information Technology Act unequivocally declares that act to have “overriding effect” “notwithstanding anything inconsistent therewith contained in any other law for the time being in force.” This seems to suggest that at least with respect to interception of electronic communications and obtaining traffic data, the provisions of the CrPC would be overridden by the procedure laid down by the rules under the IT Act. The evidence from the practice of the Indian police routinely obtaining IP Address from web service providers and ISPs seems to suggest that the IT Act has not been invoked in these transactions. This is a trend that is likely to continue until their legality is questioned in a court of law.

Subscriber Contracts with web service providers

In addition to statutory provisions mandating the disclosure of IP Address information, such disclosure may also be permissible by the terms under which individual websites provides their services. Two examples would suffice here:

Google’s privacy policy which governs its full range of services from its popular search service to Gmail, as well as the groups and blogging services, states that the company will disclose personal information inter alia if

"We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law."

Information collected by Google includes server logs which include the following information: "your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account." [34]

Similarly, social networking site Facebook contains an equally expansive ‘lawful disclosure’ clause in its Privacy Policy [35] which states that the company will disclose information:

"To respond to legal requests and prevent harm. We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities."

Information collected by Facebook includes information about the device (computer, mobile phone, etc) about your browser type, location, and IP address, as well as the pages visited. [36]

Examples of such clauses abound and it would be fair to assume that almost every corporate website one visits has analogously worded terms of service permitting ‘lawful disclosure’. This contractual backdoor negatives any expectation of absolute privacy of IP Address details that one might mistakenly have harboured.

Conclusion

As indicated in the introduction, IP addresses have proven to be a dependable way for the police in India to track down a range of cyber-criminals – from financial frauds, to vengeful spurned-lovers, to blackmailers and terrorists. The novelty of ‘cyber crimes’, as well as the relative high-tech ease of their resolution makes for attractive press, and offers an inexpensive way for police departments to accrue some credibility and goodwill for themselves. So long as the police track down genuine culprits, the question of privacy violations will necessarily remain suppressed since, in the words of the Supreme Court “the protection [of privacy] is not for the guilty citizen against the efforts of the police to vindicate the law." [37] However it is the possibility of an increase in egregious cases such as those of Lakshmana Kailash, mentioned above, wrongfully jailed for 50 days on account of a technical error, that reveals the pathologies of the unchecked system of IP Address disclosure that prevails today.

Legal regimes in the West have largely been indecisive about whether to characterize the maintenance of IP Address logs as handmaids for Orwellian thought-policing, or merely as implements that aid the apprehension of cyber criminals who have no legitimate expectation of privacy. Their laws typically come with procedural safeguards such as mandatory notices to affected persons [38], and judicial review which greatly mitigate the severity of these disclosures when they do occur.

Far from incorporating such safeguards, the various layers of Indian law create an atmosphere that is intensely hostile to the withholding of such information by ISPs and intermediaries. Overlapping layers of regulation between the Telegraph Act and the IT Act, and the conflict among various rules under the IT Act have created a climate of such indeterminacy that immediate compliance with even the most capricious of information demands by any government agency is the only prudent recourse for ISPs and other intermediaries. The DoT has issued a circular requiring the registration of public and domestic wifi networks to facilitate greater precision in tracking individuals behind IP Addresses. [39] For the same purpose, new Cyber Café Rules under the IT Act require extensive registers and logs to be maintained that track the identity of every user and the websites they have visited. [40] And if the full ambitions of the Unique Identity Numbering Scheme and the Centralised Monitoring System are realized, we will shortly be headed for exactly the kind of persistent surveillance society that Orwell wrote so fondly about.

The Indian judiciary, which could have played a counterbalancing role to the legislature’s apathy towards privacy and the executive’s increasingly totalitarian tendencies, has so far not risen to the challenge. The Supreme Court has repeatedly condoned the obtaining of evidence through illegal means, [41] and this has rendered the requirement of adherence to procedural due process by the police merely optional. This guarantee of judicial inaction in the face of executive illegality will be the biggest stumbling block to the securing of privacy – despite the occasionally good intentions of the legislature.

So, in the absence of a general assurance of privacy of our internet communications, where does one look to for hope? I would venture to suggest that there are four sources of optimism:

Notwithstanding the iron determination of the Central Government to install a panoptic communication surveillance system, the realization and smooth functioning of these technocratic fantasies will depend on the reconfiguration of the relative powers of various ministries at the Central Level– chiefly the Ministry of Communications and Information Technology and the Home Ministry – and between the Centre and the State. One can rely, one feels, on the unwillingness of various ministries to cede their powers to forestall or at least delay or diminish the execution of this project. The success of the technology, in other words, is not as much in doubt as the success of the politics. Privacy will triumph in this ‘failure’ of politics. I advance this point naively and with only the slightest sense of irony.
Another ironic point : I suggest the ingenious and very Indian phenomena of inefficiency and ignorance as robust privacy safeguards. How does one account for the fact that despite heavily worded and repeated invocations of disclosure requirements in the ISP licenses for almost a decade, it was not until December 2010 that the Home Ministry tentatively suggests to ISPs that IP records must be kept for a minimum of six months? This despite the fact that the ISP license itself requires that such records be kept for one year. How does one explain the unanimous blinking astonishment of the industry at this suggestion, other than they expected never to have to implement it? Or that the extensive logs that cyber café owners are required to maintain about their clientele are seldom checked? [43] In India it seems to be an unstated element of the business climate that one can reliably depend on the non-enforcement of contractual clauses. Sometimes this inefficiency on the part of the state has inadvertent privacy-preserving effects.
The power of the state to rely on IP Addresses depends on the availability of global internet behemoths such as Microsoft, Google, Facebook and Yahoo who are vulnerable to bullying in order to maintain their transnational empires. In each of the success stories mentioned at the start of this paper, IP Address details were obtained from one of the big companies named, from which the lesson that emerges is that our ability to retain our anonymity will depend on our ability to find smaller, non-Indian substitutes who have nothing to fear from Indian authorities. In June 2010, for instance, the Cyber Crime Police Station, Bangalore sent a notice under Section 91 of the CrPC to the manager of BloggerNews.Net (BNN) seeking the IP Address and details of a user who had allegedly posted “defamatory comments” on BNN about an Indian company called E2-Labs. The manager of BNN bluntly refused to comply stating: “our policy is not to give out that information, BNN holds peoples privacy in high esteem.”[44] The lesson here is that in the future, the ability of Indians to preserve their online ‘privacy’ and freedom of speech will depend on their being able to find sufficiently small overseas clients to host their speech. Conflict of Laws rather than domestic legislation is a more reliable guarantor of privacy.

Notes

[1].Hafeez, M., 2011. A tangled web of vengeance. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-03-28/mumbai/29353669_1_boyfriend-social-networking-police-officer [Accessed June 21, 2011].

[2].Adapted from the Wikipedia entry on IP Address.

[3].McIntyre, Joshua J., Balancing Expectations of Online Privacy: Why Internet Protocol (IP) Addresses Should be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011. Available at SSRN: http://ssrn.com/abstract=1621102 [Accessed June 21, 2011] .

[4].Anon, 2010. Army officer held in city for child porn -. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-05-08/mumbai/28292650_1_hard-disks-obscene-clippings-downloading [Accessed June 15, 2011].

[5].Anon, 2011. Anti-Ambedkar page on Facebook blocked. Hindustan Times. Available at: http://www.hindustantimes.com/Anti-Ambedkar-page-on-Facebook-blocked/Article1-663383.aspx [Accessed May 24, 2011].

[6].Sarokin, David. Google Ordered to Reveal Blogger Identity in Defamation Suit in India:Gremach Infrastructure vs Google India [Internet]. Version 5. Knol. 2008 Aug 15. Available from: http://knol.google.com/k/david-sarokin/google-ordered-to-reveal-blogger/l9cm7v116zcn/7.

[7].Anon, 2009. Mumbai: Man held for blackmailing Anoushka Shanka. Rediff.com. Available at: http://news.rediff.com/report/2009/sep/20/police-arrest-man-for-blackmailing-anoushka-shankar.htm [Accessed May 24, 2011].

[8].Anon, 2010. Cyber cell nets Delhi teen for lewd online posts - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011].

[9].Hafeez, M., 2011. Police find runaway student “online” - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-02-17/mumbai/28554314_1_social-networking-networking-site-sim-card [Accessed June 21, 2011].

[10].Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article§id=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].

[11].Ibid.

[12].This is not atypical. In the US, for instance, as Joshua McIntyre writes, “While various federal statutes protect similar data such as telephone numbers and mailing addresses as Personally Identifiable Information (PII), federal privacy law does not generally regard IP addresses as information worthy of protection. It has, therefore, become commonplace for litigants to subpoena ISPs to unmask online speakers. Many ISPs have no reason to fight these subpoenas and readily give up their subscribers’ names, addresses, telephone numbers, and other identifying data without demanding any court oversight or providing any notice to the subscriber. Even when courts become involved, a full consideration of the online speaker’s privacy interests is far from certain” Joshua McIntyre, supra note 3 at p.5.

[13].Anon, 2011. User Data Requests - India. Google Transparency Report. Available at: http://www.google.com/transparencyreport/governmentrequests/IN/?p=2010-12&p=2010-12&t=USER_DATA_REQUEST&by=PRODUCT [Accessed June 29, 2011].

[14].Ibid.

[15].Anon, 2007. Orkut’s tell-all pact with cops. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2007-05-01/news/28459689_1_orkut-ip-addresses-google-spokesperson [Accessed June 15, 2011].

[16].In June 2011, Hotmail supplied IP Address details which enabled Delhi Police to trace, with further assistance from Airtel, the sender of obscene emails to a noted actress. Sharma, M., 2011. Priyanka Chopra’s cousin harrassed in Delhi. Mid-Day. Available at: http://www.mid-day.com/news/2011/jun/100611-news-delhi-priyanka-chopra-cousin-Meera-Chopra-harrassed.htm [Accessed June 28, 2011].

[17]. In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.

[18].Thomas Philip, J., 2010. Intelligence Bureau wants ISPs to log all customer details. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps [Accessed June 28, 2011].

[19].The Monitoring Rules list 10 ‘cyber security’ concerns for which Monitoring may be ordered: (a) forecasting of imminent cyber incidents; (b) monitoring network application with traffic data or information on computer resource; (c) identification and determination of viruses/computer contaminant; (d) tracking cyber security breaches or cyber security incidents; (e) tracking computer resource breaching cyber security or spreading virus/computer contaminants; (f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security; (g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force; (i) any other matter relating to cyber security.

[20].Respectively the INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR INTERCEPTION, MONITORING AND DECRYPTION OF INFORMATION) RULES, 2009, G.S.R. 780(E) (2009), http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/Itrules301009.pdf (last visited Jun 30, 2011). and INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR MONITORING AND COLLECTING TRAFFIC DATA OR INFORMATION) RULES, 2009, G.S.R. 782(E) (2009), http://cca.gov.in/rw/resource/gsr782.pdf?download=true (last visited Jun 30, 2011).

[21].Section 69 lists the following grounds for which interception may be ordered : a) sovereignty or integrity of India, b) defense of India, c) security of the State, d)friendly relations with foreign States or e)public order or f)preventing incitement to the commission of any cognizable offence relating to above or g) for investigation of any offence.

[22].Rule 2(d) of the Monitoring and Collecting of Traffic Data Rules 2009.

[23].Telegraph (Amendment) Rules 2007, Available at: http://www.dot.gov.in/Acts/English.pdf [Accessed June 28, 2011].

[24].INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION), (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[25].The full list under Rule 3 includes : password; financial information such as Bank account or credit card or debit card or other payment instrument details ; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

[26].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.

[27].This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6..

[28].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?.

[29].The consequence of disobeying the rules is that the ‘body corporate’ is legally deemed not to have observed ‘reasonable security practices’. Section 43A penalizes such failure if it causes wrongful loss due to the disclosure.

[30].INFORMATION TECHNOLOGY (INTERMEDIARIES GUIDELINES) RULES, (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[31].The easily-affronted have thus been provisioned with a cheaper, swifter and more decisive means of curtailing free speech, where courts in India might have dithered ponderously instead Or they might not have. As of this writing, an obscure court in a Silchar, Assam issued an ex-parte injunction prohibiting the online publication of a highly-acclaimed biopic about Arindam Chaudhuri – a self-proclaimed ‘management guru’ who has gained notoriety in India due the questionable nature of a management institute that he runs. The choice of this particular court as the venue to file the suit, rather than one in New Delhi where both the plaintiff and the publisher reside, coupled Chaudhuri’s consistent success in obtaining such plenary gag-orders from this judge against any content he deems unflattering to himself, strongly suggests foul-play. Although this is not a typical case, it does caution against placing too much optimism on supposed judicial restraint and conservativeness. Anon, 2011. IIPM’s Rs500-million lawsuit against The Caravan. The Caravan, 3(6). Available at: http://caravanmagazine.in/Story/950/IIPM-s-Rs500-million-lawsuit-against-The-Caravan.html [Accessed June 28, 2011].

[32].See Ali, S.A., 2010. Cyber cell nets Delhi teen for lewd online posts. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011]. (“During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer.”); See also Rehman, T., 2008. A Case For Fools? Tehelka. Available at: http://www.tehelka.com/story_main40.asp?filename=Ws181008case_fools.asp [Accessed June 30, 2011].(“ The state police reportedly traced the email to the cyber café through its IP address. “We traced the email to a BSNL line. The BSNL has a cell in Bangalore to track such details. They traced the number to that particular cyber café in Shillong,” S.B. Singh, IGP (special branch) Meghalaya police told TEHELKA”)..

[33].Anon, 2010. Privacy Policy. Google Privacy Center. Available at: http://www.google.com/privacy/privacy-policy.html [Accessed June 28, 2011].

[34].Ibid.

[35].Anon, 2010. Privacy Policy. Facebook. Available at: http://www.facebook.com/policy.php [Accessed June 28, 2011].

[36].Ibid.

[37].R. M. Malkani v State Of Maharashtra AIR 1973 SC 157, 1973 SCR (2) 417.

[38].Eg. Title 18 US Code § 2703 provides for mandatory notice in case of wiretapping with a provision of ‘delayed notice’ where an ‘adverse result’ is apprehended such as (A) endangering the life or physical safety of an individual; (B) flight from prosecution; (C) destruction of or tampering with evidence; (D) intimidation of potential witnesses; or (E) otherwise seriously jeopardizing an investigation or unduly delaying a trial. Title 18,2705., Available at: http://www.law.cornell.edu/uscode/18/usc_sec_18_00002705----000-.html [Accessed June 28, 2011].

[39].Ministry of Communications & IT. Letter to All Internet Service Providers. “Instructions under the ISP License regarding provisioning of Wi-Fi internet service under delicenced frequency band”, February 23, 2009. http://www.dot.gov.in/isp/Wi-%20fi%20Direction%20to%20ISP%2023%20Feb%2009.pdf (last visited Jun 30, 2011). Internationally, this does not appear to be an uncommon move. See Thompson, C., 2011. Innocent Man Accused Of Child Pornography After Neighbor Pirates His WiFi. Huffington Post. Available at: http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html [Accessed June 30, 2011]. (“In Germany, the country's top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party.”).

[40].INFORMATION TECHNOLOGY (GUIDELINES FOR CYBER CAFE) RULES, 2011., G.S.R. 315(E) (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[41].See State Of Maharashtra v. Natwarlal Damodardas Soni AIR 1980 SC 593 , 1980 SCR (2) 340.

[42].Supra note 15.

[43].Manocha, S., 2009. Cops no more interested in checking cyber cafes. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2009-08-03/lucknow/28172232_1_cyber-cafe-proper-records-ip-address [Accessed June 28, 2011]. (The cyber cafe owners claim that the registers which they maintain are seldom checked by the police. "I maintained the records properly which included recording of the name and address of the visitors and a photocopy of their identification proofs but not even once any cop had checked my records," said Rajeev, a cyber cafe owner in Aliganj. "It is this carelessness on the part of cops that gives those not maintaining proper records to carry on their business without any fear of the law," he added).

[44].Barrett, S., 2010. Blogger News Censored In India. Blogger News Network. Available at: http://www.bloggernews.net/124890 [Accessed June 28, 2011].

For more details visit https://cis-india.org/internet-governance/ip-addresses-and-identity-disclosures

Financial Inclusion and the UID

elonnai hickok — 2011-08-23T10:36:31Z

Since 2009, when Nandan Nilekani began to envision and implement the Unique Identification Project, the UID authority has promoted the UID/Aadhaar scheme as a tool of development for India - arguing that an identity will assist in bringing benefits to the poor, promote financial inclusion in India, and allow for economic and social development. In this blog entry I will focus on the challenges and possibilities of the UID number providing the residents of India a viable method of access to financial services across the country.

Why the UID could bring financial inclusion

In their strategy document “Exclusion to Inclusion with Micro payments” the UIDAI argues that a few of many challenges to successful financial inclusion in India for the poor have been: lack of identity, lack of accessibility of financial outlets, unreliability of infrastructure, high costs of banking, and the common presence of a middle man. For Indian banks the UID sites challenges such as: the high cost of transactions for banks servicing clients in rural areas, lack of infrastructure, costly processes of cash management, and high costs of IT.(UIDAI, 2010)The UID's solution to these obstacles is a system of financial services and micro payments based off of an individuals UID number, in which an individual with a UID number would be able to: open a bank account, make a payment, withdraw money, deposit money, and send remittances. The hope is that this system will allow banks to scale up their branch less banking, and reach out to larger populations. Residents having a bank account linked to their UID number is also key to the UID's larger scheme for subsidy delivery to the poor. Until all consumers who rely on government subsidies have a bank account linked to their UID number, the UID will not be able to implement a system of direct transfer of cash subsidies.(CNBC-TV18, 2011) For example, the UIDAI has started conducting a pilot disbursement of funds under the Mahatma Gandhi National Rural Employment Guarantee Scheme (MNREGS) to Jharkhand through Union Bank, ICICI Bank and Bank of India branches.(IBN-Live, 2011)

How the UID will bring financial inclusion

In their vision, the UIDAI has designed a system that involves bank branches enrolling individuals, bank branches establishing relationships with BC organizations, the use of Micro ATM's, and the use of the UID numbers for authentication in all financial transactions. In short the system of financial inclusion would work as follows:

Step 1. Enroll and obtain UID number

An individual enrolls for a UID number. During enrollment an individual shares his/her KYC information with the UIDAI. The UIDAI verifies the individuals KYC information, along with their other information, and issues the individual a UID number. If an individual already has a bank account at the time of enrollment they have the option to link their UID number to their bank account [1]

In India every bank must verify and confirm an individuals KYC information. This is to help reduce tax evasion and fraud. In December 2011, India's Ministry of Finance recognized the Aadhaar number has an officially valid identification to satisfy the KYC norms for opening bank accounts. By verifying an individuals KYC information at the enrollment stage the UIDAI is hoping reduce the amount of paperwork and time needed for an individual to open a bank account. In addition to satisfying KYC norms, the Government of India has also recognized the Aadhaar number as an acceptable form of identity for the purpose of obtaining a mobile connection. By having the UID number accepted for establishing both mobile connections and bank accounts, financial inclusion through mobile banking is encouraged as it allows for individuals who previously had no identity, to join the financial system and mobile network – thus allowing bank accounts to be more accessible than before, and aiding banks by simplifying the process of account opening.(Akhand Tiawari, Anurodh Giri, 2011)

Step 2. Open UID Enabled Bank Account
Now that the individual has a UID number they can open a bank account by presenting their UID number and thumb print to the bank branch for authentication. Currently the one bank enrolling citizens and issuing UID numbers and UID based ATM cards is the Bank of India.(Aggarwal, 2011) Bank of Maharashtra, State Bank of India and Indian Overseas Bank are currently waiting for approval from the UIDAI.(Chavan, 2011) In this scenario the UID number will be the only form of identification needed to open a bank account.

3.Make financial transactions with UID number
Once a UID Enabled Bank Account (UEBA) is opened, individuals can begin making financial transactions using their UID number and fingerprint. Individuals can access their UEBA through BC institutions. With a UEBA individuals have the option of using four basic banking services:

Store cash for savings through electronic deposits and withdraw only small amounts of cash
Make payments
Send and receive remittances
Acquire balance and transaction history

Transactions completed through the UID-enabled bank account work similarly to a prepaid mobile system. BC organizations, or Bank Correspondents, are organizations such as SHGs, kirana stores, dairy agents that larger banks develop a business relationship with. The BC organizations handle all transactions at the local level. Using BC organizations as financial outlets is meant to increase the penetration of financial outlets and make financial services more accessible in rural areas. How the process works is: a BC institution begins by depositing a certain amount of money with a larger banking institution. This ‘ prepaid balance’ paid by the BC institution changes with every transaction the BC institution makes. For example, when an individual makes a deposit it decreases as that money is then transferred into an individuals account, and increases when an individual withdraws money, because of the transaction fee that is charged to the individual. When the individual is making a deposit, he pays physical cash to the BC, who in turn makes an electronic transfer from the BC account to the individual's account. When making a withdrawal, the electronic transfer is made from the individual's account to the BC account, and the BC hands out physical cash to the customer, (UIDAI, 2010).

The micro ATM that is to be used at BC institutions is a hand held device, in this case a mobile phone, attached to a finger print reader. The micro ATM is meant to replace larger ATM’s and reduce the cost that banks incur when establishing full fledged ATM machines. The hand held device will be remotely accessed to the central server of the bank. Currently Italian tech company Telit Communication SpA, is hoping to provide the GSM wireless M2M modules that will allow the wireless device and the wired server to communicate with each other. (Kanth, 2011) The most significant difference between the micro ATM system and the traditional ATM system is that the BC employee executes the transaction.

Though having BC employees carry out financial transactions might eliminate the possibility of a fraudulent ATM being set up, it opens many possibly corrupt doors. How will it be ensured that the transaction is completed without fraud, and how can it be ensured that the Micro-ATM is not fraudulent, or that the BC organization itself is not fraudulent. Though this scenario might sound unlikely, the UID has already experienced difficulties with fake enrollment centers being set up, such as in Pune. (Gadkari, 2011), fake UID papers being issued, as was done in Patna(Tripathi, 2011) and enrollment centers illegally outsourcing work, as the IT company Tera Software was found doing (Prajakta, 2011). If these scenarios have all been tried, it is not unreasonable to see the same being tried with financial institutions.

Challenges to a system of authentication for financial transactions with the biometric based UID number

Not withstanding the fact that financial inclusion cannot be achieved only through an identity, focusing on the identity component of financial inclusion - in the report Low Cost Secure Transaction Model for Financial Services, published by Nitin Munjal, Ashish Paliwal, and Rajat Moona, from the Indian Institute of Technology, the authors note that present challenges in India to financial inclusion through access to financial institutions include(Munjal, Nitin Paliwal, Ashish Moona, 2011):

Currently financial transactions require network connectivity to take place. For financial transactions made in rural areas this has lead to both high costs for each transaction and to high fixed IT costs.
Current financial schemes such as mobile banking depend on network connectivity, making the network indispensable, yet 70% of the Indian population is rurally located with limited or no network connectivity.
Current financial service outlets are densely located in urban areas and not rural areas. Rural populations are financially excluded, as in most cases the completion of financial transaction require the presence of financial outlets.
Currently there are no easy safeguards to protect against fake ATMS or fraud, because the current Financial Service Model is based on blind trust of the service outlet – this allows for high rates of fake ATM’s being installed and fraud.
For an individual to access financial services, an identity is required. In most cases the poor lack an identity.

Clearly there are many obstacles that the UID identity card must overcome to successfully authenticate individuals in financial transactions and facilitate financial inclusion. For the system to be successful the UID must at the minimum do the following:

Accurately generate unique numbers
Capture accurate personal information
Ensure security of the database
Ensure that the technology is secure and accurate
Ensure that only necessary information is collected
Verify BC centers
Provide a secure network that can handle large numbers of transactions

Possible ways in which the system can go wrong include:

Inaccurate authentication
Delays in authentication
Fraud at the level of the BC institution
Over collection of personal information by banks
Linking of databases by banks, or other agencies
Network failure
Down time of the database

Though UID enabled bank accounts have yet to be officially established the UID is already experiencing many of the listed difficulties. For instance, in an Indian Express article published on June 15th, it was reported that banks are issuing additional UID forms that ask if individuals have credit cards, operate mobile or internet banking accounts, own a two wheeler or four wheeler, or live in a rented or personally owned accommodation. (Indian Express, 2011) Even more alarming is a recent news item from the Deccan Herald, which details the efforts that have been taken by NATGRID to access banking clients personal information, and NATGRID's proposal to tie banking information to a linked database containing information from bank accounts, railways, airlines, stock exchanges, income tax, credit card, immigration records, and telecom service providers. (Arun, 2011)The banks
have refused to give NATGRID access to clients personal information, but the ease at which NATGRID could track and collect information about individuals with the UID is chilling – especially if the UID is linked to almost every bank account in India. Several news reports have also shared experiences of confusion, inconsistent requirements, and unorganized enrollment centers, which place doubt in the accuracy of the information collected and the accuracy of the UID numbers issued.(Tripathi, 2011).

Looking at the technology and operational design of the UEBA system, though the scheme relies on mobile networks, it fails to eliminate the need for connectivity to the central server, because authentication of individuals biometric must be done through comparison of one fingerprint to the central server of all fingerprints. This will not only complicate the effectiveness of delivery of services, as it is possible for connectivity to be limited and slow, but it will also incur large network overhead costs for each transaction that is verified. Furthermore, even though the use of BC institutions as financial service outlets is meant to increases the availability of financial outlets, a dependency is created on BC institutions – as they must be present for any financial transaction to take place.
Additionally, individuals have no way of authenticating and verifying BC institutions. As mentioned earlier this allows for possible scenarios of fraud. Additionally, the UID has not provided any alternative method of identification in the case that the network or technology fails, or if an individuals biometrics are incorrectly rejected.

Could the SCOSTA standard be an option?

Many developing countries, like Kenya and Brazil, that face similar challenges to financial inclusion have looked towards smart cards as secure methods for authenticating individuals. In 2003 India also implemented a smart card approach to identity management. The SCOSTA standard smart card was introduced with the MNIC national identification scheme. Though the scheme was eventually dropped by the Indian Government, the SCOSTA smart card standard is still a valid option for authentication of individuals in financial transactions. A SCOSTA standard based approach for financial inclusion would include:

Authentication of an individuals key, pass-phrase, and pin. This is known as public keyinfrastructure. This will allow a person to protect their password and easily replace it if stolen.
Authentication through public key infrastructure would not depend on connectivity to thenetwork. This would allow for financial inclusion of populations not connected to networks and not be fully dependent on working networks.
Authentication through public key infrastructure establishes mutual trust of user and institution. This would lower the presence of fraudulent institutions and corrupt transactions.
Connection to a central server is not required for the authentication of an individual in a financial transaction. This will lower the cost of transactions and lower IT overhead costs (ibid Munjal, Nitin Paliwal, Ashish Moona, 2011)

Conclusion

Though it is hard to say that a fool proof system of authentication can easily be made, and that system will indeed promote financial inclusion, when comparing the biometric UID number with the SCOSTA standard smart card, there are many benefits to the SCOSTA standard such as ability of individuals to verify banking institutions, no need for connectivity to the central server, and the ability to easily replace lost or stolen pins and passwords. No matter what standard is implemented though, it is important to clearly look at the current implementation, technological, and operational challenges that identification schemes face and the possible ramifications of such challenges before adapting it as a ubiquitous system.

For more details visit https://cis-india.org/internet-governance/privacy_uidfinancialinclusion

Indian super-cops now patrol the www highway

praskrishna — 2011-08-19T06:48:48Z

There's discontent brewing in the Indian cyberspace. And it has to do with the government blocking content that it deems "objectionable". What has raised hackles of Internet freedom activists is a new set of rules that allow Internet service providers (ISPs) and blogging sites to remove "objectionable" content from the Web.

This Wednesday, in a written reply, minister of state for information and technology Sachin Pilot told the Lok Sabha that the recently notified rules under the IT Act to regulate the use of Internet, "don't give any power to the government to regulate the content"? Pilot added that the rules did not raise issues "pertaining to privacy and violation of freedom of speech and expression."

Are the rules likely to affect you and I? They may have already begun do so. Last fortnight, when surfers went on to popular file-sharing sites to download clips of a new Bollywood release, what they got instead was a screen with the message: This site has been blocked as per instructions of the Department of Telecom.

The fine print

The new rules demand that the intermediary notify users not to publish or use information that is derogatory, abusive, insulting or which violates intellectual property rights or impacts the sovereignty of the nation. In a country that has 81 million Internet users, this can never be easy.

The rules put the onus of intercepting, blocking and removing objectionable content on intermediaries — telecom service providers, search engines, social networking sites and online payment sites — turning them into super-cops of the Web. "Although the Act is an improvement on the previous one, the rules put too much onus on intermediaries," says Dr Subo Ray, President, Internet and Mobile Association of India (IAMAI). "The intermediaries have become the judge, the jury and the executioner," says Ray.

In a nation where social mores are in a flux, interpretation of what is objectionable under the new rules is wide and subjective, says technology lawyer Rodney D Ryder. "Content deemed 'disparaging', 'harassing', 'blasphemous' or 'hateful' can be blocked. But who will decide what is disparaging?"

The worst bit about such censorship, says Nikhil Pahwa, editor of Medianama, a portal that discusses issues related to digital media, is its opacity. "It is a distress signal for civil liberties and India's version of Egypt's kill-switch. With the UID, the government would know who I am. With the help of telecom operators, they can track me within 50 metres and with my mobile number, snoop in on my conversations. On top of that, do we need Internet rules that don't have a provision of appeal?"

Ryder concurs: "The regulations do not even provide a way for content producers to defend their work or appeal a decision to remove content. This is against the principles of natural justice."

The rules are a case of deceptive legislative drafting says cyber lawyer Pawan Duggal, chairman of Assocham's cyber law committee. "The provisions hide more than what they disclose. Cosmetically, the new rules says that if you are an intermediary, then you shall not be liable for any third-party data, information or communication link made available or hosted by you. Provided, and this is crucial, you follow a number of stringent conditions."

Duggal says many intermediaries in India are not aware of these conditions. "An intermediary will not be liable for any third-party data made available or hosted by it, provided it complies with the law, exercises due diligence, does not abet, conspire or play an active role in a criminal activity and further, provided that once it is notified of any offending activity, removes or disables access of the said offending content expeditiously. If it fails to fulfil one of the conditions, it is open to criminal exposure and civil exposure upto unlimited damages by way of compensation."

Is it gagging net freedom?

In China and Saudi Arabia, governments routinely censor content and redirect search requests to error pages. In Vietnam, bloggers who criticise the government are sometimes arrested. And in Cuba, there is talk of creating "a national Internet". Still, any talk of comparing India with these restrictive regimes is alarmist and stupid, says Ray of IAMAI.

But over the past few years, the government has been gradually building censorship muscle over the Internet, say activists. In 2006, it blocked Typepad, the blog hosting service and a bulk SMS site.

A right to information plea filed by the Bangalore-based Centre for Internet and Society reveals the government blocked 11 sites between 2008 and 2011 (see box). These range from sites hosting the predictable girl wallpapers and Kamasutra to blogs discussing the freedom of speech.

Yet, in his written reply to the Lok Sabha, Pilot insisted that the rules "do not give any power to the government to regulate the content".

If this sparks any discontent in you about privacy, freedom of speech and civil liberties, think twice before sharing the content on the Internet.

This article by Aasheesh Sharma was published in the Hindustan Times on August 6, 2011. The original can be read here.

For more details visit https://cis-india.org/news/indian-super-cops-patrol-www-highway

'Privacy Matters' Chennai

elonnai hickok — 2011-09-22T10:17:28Z

Privacy India invites individuals to attend “Privacy Matters”, a one day conference on August 6th 2011 at the Madras Institute of Development Studies, Chennai. Privacy India, Society in Action Group, IDRC, the Centre for Internet & Society, Citizen consumer and civic Action Group, and Madras Institute of Development Studies, Chennai have joined hands to organize this event.

The conference will focus on discussing the challenges to privacy that India is currently facing, with a focus on consumer privacy and telecommunications and privacy. The right to privacy in India has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, e.g., the TRAI Act for telephony or RBI Guidelines for Banks, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. This lack of uniformity has led to ironically imbalanced results. In India today one has a stronger right to privacy over telephone records than over one’s own medical records. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities, prisoners, etc. – people who most need to know that sensitive information is protected.

The emergence of information and communications technologies over the past two decades has radically transformed the speed and costs of access to information. However, this enhanced climate of access to information has been a mixed blessing. Whilst augmenting our access to knowledge, this new networked information economy has also now made it much easier, quicker, and cheaper to gain access to intimate personal information about individuals than ever before. As people expose more and more of their lives to others through the use of social networks, reliance on mobile phones, global trade, etc., there has emerged a heightened risk of privacy violations in India. As privacy continues to be a growing concern for individuals, nations, and the international community, it is critical that India understands and addresses the questions, challenges, implications and dilemmas that violations of privacy pose.

Who We Are

Privacy India was set up in collaboration with the Centre for Internet & Society (CIS), Bangalore and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies and the media and the public in a number of countries (see www.privacyinternational.org). Its Advisory Board is made up of distinguished intellectuals, academicians, thinkers and activists such as Noam Chomsky, the late Harold Pinter, and others, and it has collaborated with organizations such as the American Civil Liberties Union (ACLU).

Agenda

Consumer Privacy

9:30 am - 5:00 pm

Time	Session
9:30 10:00	Registration
10:00 10:30	Welcome Saroja is a lawyer and is the co-ordinator at Citizen Consumer and Civic Action Group (CAG), which is a 26 years old non-profit, non-political,professional organization working towards protecting citizen’s rights in consumer and environmental issues and promoting good governance including transparency, accountability and participatory decision making. Introduction to Privacy India Prashant Iyengar is a practicing lawyer and lead researcher for Privacy India. He will present who Privacy India is, and the objectives of Privacy India's research. His presentation will focus on discussing privacy and telecommunications.
10:30 11:00	Key Note Address Dr. Santosh Babu is the Secretary of IT for the Tamil Nadu Government. He has started many e-governance projects within the government and has experience in advocacy rights for children and gender issues. His presentation will focus on sharing how privacy is understood and viewed by the Tamil Nadu government. Sashi Kumar Menon is a film maker, founder Chairman of theMedia Development Foundation, and founder President of Asianet. He has also authored and presented multiple television shows including Money Matters and Tana Bana. His presentation will focus on looking at the relationship between the media and privacy. R. Ramamurthy, is the Chairman, Cyber Society of India, and has over three decades of experience in Information Technology, and is a member of the technology committees CII and FICCI. In his presentation he will discuss the global perspectives of data privacy.
11:00 11:30	Tea Break
11:30 12:45	Session I Privacy and Telecommunications Mrs.Desikan is the Founder Trustee of Consumer Association of India, Chennai. In her presentation she will focus on discussing privacy and telecommunications in India. She will look at the threats to privacy that telecommunications pose, and the current protections over communications that India has in place. Usha Ramanathan is a practicing lawyer and civil rights advocate. Her presentation will focus on privacy and telecommunications from a legal perspective, as well as discussing the recently leaked Privacy Bill. Discussion
12:45 1:00	Privacy and Financial Transactions R. Sundarajan is an associate professor of information at the New York University. He has published multiple articles on issues related to IT. In his presentation he will be discussing the risks to privacy that financial transactions pose, and the safeguards that India has in place to protect ones privacy in financial transactions.
1:00 2:00	Lunch Break
2:00 2:45	Session II Privacy and Consumer Rights Dr. Revathi is an Associate Professor at the Dr. Ambedkar Law University in Chennai. In her presentation she will look at both the social and legal concept of consumer privacy in India, and how as consumers we are always exchanging personally identifiable information, and thus our privacy is always at risk. Mr. S. Martin, Advocate and Consumer Activist will speak on consumer rights, privacy, and the law. His presentation will focus on looking at what legal protections exist in India for consumers.
2:45 3:00	Discussion
3:00 4:00	Session III Privacy and Basic Rights/Needs Dr. N Manimekalai is the head of the gender studies department at the Bharabidasan University in Trychy. In her presentation she will seek to understand privacy from a perspective of individuals basic rights &needs. Specifically she will look at what is the connection between privacy and gender rights. R. Geetha is a trade unionist and feminist with Nirman Mazdoor Panchayat Sangam. She has worked closely with issues relating to labour rights and gender for more than three decades, and her presentation will focus on looking at how protecting labour rights of individuals also can work to protect their privacy.
4:00 5:00	Open Discussion and Question

See Dr. N.Manimekalai's presentation here

Read the full report here

VIDEO

For more details visit https://cis-india.org/internet-governance/events/privacymatterschennai

Access To Knowledge (A2K)

kaeru — 2016-03-16T15:30:24Z

Access to Knowledge is a campaign to promote the fundamental principles of justice, freedom, and economic development. It deals with issues like copyrights, patents and trademarks, which are an important part of the digital landscape. We prepared the India report for the Consumers International IP Watchlist, made submission to the HRD Ministry on WIPO Broadcast Treaty, questioned the demonisation of pirates, and advocated against laws (such as PUPFIP Bill) that privatize public funded knowledge.

Key Research

WIPO

Reports
WIPO Director General's Meeting with NGOs (Puneeth Nagraj, April 30, 2014). 31st Session of the Standing Committee on Trademarks (Puneeth Nagraj, April 29, 2014). CDIP-12 (Puneeth Nagraj, April 22, 2014). 26th SCCR: Consolidated Notes: Part 1, Part 2, and Part 3 (Nehaa Chaudhari, March 18 - 21, 2014). 9th Session of the WIPO Advisory Committee on Enforcement (Puneeth Nagraj, March 14, 2014).
Statements
29th SCCR: Statement on the Limitations and Exceptions for Education, Teaching, Research Institutions and Persons with Disabilities (Nehaa Chaudhari; December 20, 2014). 29th SCCR: 2nd (brief) Intervention on the Broadcast Treaty (Nehaa Chaudhari; December 11, 2014). 29th SCCR: Intervention on the Proposed Treaty for the Protection of Broadcasting Organizations (Nehaa Chaudhari; December 9, 2014). 28th SCCR: Limitations and Exceptions for Libraries and Archives (Nehaa Chaudhari, July 3, 2014). 28th SCCR: Proposed Treaty for the Protection of Broadcasting Organizations (Nehaa Chaudhari, July 2, 2014). 27th SCCR: Technical Measures of Protection on Limitations and Exceptions for Libraries and Archives (Nehaa Chaudhari, May 2, 2014). 27th SCCR: Orphan Works, Retracted and Withdrawn Works, and Works out of Commerce on Limitations and Exceptions for Libraries and Archives (Nehaa Chaudhari, May 1, 2014). 27th SCCR: WIPO Proposed Treaty for the Protection of Broadcasting Organizations (Nehaa Chaudhari, April 30, 2014). 26th SCCR: Limitations and Exceptions for Education, Teaching and Research Institutions and Persons with Other Disabilities (Nehaa Chaudhari, December 20, 2013). 26th SCCR: Limitations and Exceptions for Libraries and Archives (Nehaa Chaudhari, December 19, 2013). Closing Statement at Marrakesh on the Treaty for the Blind (Pranesh Prakash, June 28, 2013). Intervention on the Treaty for the Visually Impaired (Pranesh Prakash, April 25, 2013). 25th SCCR: Broadcast Treaty and Exceptions and Limitations for Libraries and Archives (Smitha Krishna Prasad, November 29, 2012). 24th SCCR: Exceptions & Limitations for Libraries and Archives (Pranesh Prakash, July 25, 2012). 23rd SCCR: WIPO Broadcasting Treaty (Pranesh Prakash, November 29, 2011). 22nd SCCR: WIPO Broadcast Treaty (Pranesh Prakash, June 22, 2011). 21st SCCR: Statement on the Work of the Committee (Nirmita Narasimhan, November 23, 2010). 19th SCCR: WIPO Broadcast Treaty (Pranesh Prakash, February 1, 2010).
Analysis / Comments / Submissions
Protection of Broadcasting Organizations: Technical Background Paper Prepared by the WIPO Secretariat (Nehaa Chaudhari; June 28, 2015). Protection of Broadcasting Organisations under the Proposed Treaty as Compared to Other International Conventions (Nehaa Chaudhari; December 21, 2014). Proposed WIPO Treaty for the Protection of Broadcasting Organizations (Nehaa Chaudhari, submitted to the Ministry of Human Resource Development, Government of India, December 7, 2013). Comments on the Broadcast Treaty and Exceptions and Limitations for Libraries and Archives (Smitha Krishna Prasad, November 29, 2012). Comment by CIS at ACE on Presentation on French Charter on the Fight against Cyber-Counterfeiting (Pranesh Prakash, December 1, 2011). Don't Shoot the Messenger: Speech on Intermediary Liability (Pranesh Prakash, July 8, 2011). CIS-TWN Analysis of WIPO Treaty for the Print Disabled (Pranesh Prakash, June 20, 2011). Comments to Ministry of Human Resource Development on WIPO Broadcasting Treaty (Pranesh Prakash, March 21, 2011).

Indian Law & Policies

Reports
Consumers International IP Watchlist 2012 (Pranesh Prakash, August 16, 2012). Consumers International IP Watchlist 2011 (Pranesh Prakash, May 17, 2011). Consumers International IP Watch List 2009 (Pranesh Prakash, June 5, 2009). A Guide to Key IPR Provisions of the Proposed India-European Union Free Trade Agreement (Glover Wright, July 13, 2010)
Analysis / Comments / Submissions
Can Judges Order ISPs to Block Websites for Copyright Infringement? - Part 1, Part 2, and Part 3 (Ananth Padmanabhan, January 30, 2014 - February 14, 2014). Copyrights and Copywrongs Why the Government Should Embrace the Public Domain (Pranesh Prakash, Yojana, Issue: August 2013). Draft Guidelines for Computer Related Inventions (Puneeth Nagraj, submitted to the office of the Controller General of Patents Designs & Trademarks, Mumbai, July 26, 2013). Science, Technology and Innovation Policy (Draft) (Snehashish Ghosh, submitted to the Department of Science and Technology, Ministry of Science and Technology, Government of India, November 26, 2012). Super Cassettes v. MySpace (Ujwala Uppaluri, October 30, 2012). Analysis of the Copyright (Amendment) Bill 2012 (Pranesh Prakash, May 23, 2012). Analysis of Copyright Expansion in the India-EU FTA (July 2010) (Snehashish Ghosh, February 20, 2012). Calling Out the BSA on Its BS (Pranesh Prakash, September 9, 2011). Thomas Abraham's Rebuttal on Parallel Importation (Pranesh Prakash, February 10, 2011). Indian Law and "Parallel Exports" (Pranesh Prakash, February 1, 2011). Why Parallel Importation of Books Should Be Allowed (Pranesh Prakash, January 25, 2011). Problems Remain with Standing Committee's Report on Copyright Amendments (Pranesh Prakash, December 16, 2010). Draft Patent Manual 2010 (Pranesh Prakash, December 5, 2010). Analysis of the Copyright (Amendment) Bill, 2010 (Pranesh Prakash, July 18, 2010). The 2010 Special 301 Report Is More of the Same, Slightly Less Shrill (Pranesh Prakash, May 13, 2010). Technological Protection Measures in the Copyright (Amendment) Bill, 2010 (Pranesh Prakash, April 28, 2010).
Articles (Journals / Magazines)
Intellectual Property Rights — Open Access for Researchers (Nehaa Chaudhari, UNESCO, March 2015). Pirates, Plagiarisers, Publishers (Prashant Iyengar, Economic & Political Weekly, February 26, 2011, Vol XLVI No 9). Exhaustion: Imports, Exports and the Doctrine of First Sale in Indian Copyright Law (Pranesh Prakash, Manupatra Intellectual Property Reports, February 25, 2011, Volume 1, Part 2, pp. 149-160). Of Jesters, Clowns and Pranksters: YouTube and the Condition of Collaborative Authorship (Nishant Shah, Journal of Moving Images, Number 8, December 2009). We’ve All Got Some Baggage (Lawrence Liang, Tehelka Magazine Vol 7, Issue 45, November 13, 2010). Exceptions and Limitations in Indian Copyright Law for Education: An Assessment (Lawrence Liang, The Land and Development Review, Volume 3, Issue 2, 2010)

Pervasive Technologies

Research Papers
Pervasive Technologies: Patent Pools (Nehaa Chaudhari, June 27, 2013). Patent Valuation and License Fee Determination in Context of Patent Pools (Vikrant Narayan Vasudeva, July 9, 2014). Fueling the Affordable Smartphone Revolution in India (Anubha Sinha; Good Life in Asia's Digital 21st Century Essay Collection; March 16, 2016).
Research Methodologies and Literature Surveys
Patent Landscaping (Rohini Lakshané; November 10, 2014) Intellectual Property in Mobile Application Development in India (Anubha Sinha; November 17, 2014). Access to Music through the Mobile (Maggie Huang; November 18, 2014). Sub Hundred Dollar Mobile Devices and Competition Law (Nehaa Chaudhari; November 25, 2014).

For more details visit https://cis-india.org/a2k/front-page

July 2011 Bulletin

praskrishna — 2012-07-30T07:00:26Z

Greetings from the Centre for Internet and Society! In this issue we are pleased to present you the latest updates about our research, upcoming events, and news and media coverage:

Researchers@Work

RAW is a multidisciplinary research initiative. To build original research knowledge base, the RAW programme has been collaborating with different organisations and individuals to focus on its three year thematic of Histories of the Internets in India. Five monographs: Re: Wiring Bodies by Asha Achuthan, Archive and Access by Aparna Balachandran and Rochelle Pinto, Pornography and the Law by Namita Malhotra, The Leap of Rhodes or, How India Dealt with the Last Mile Problem – An Inquiry into Technology and Governance by Ashish Rajadhyaksha and Internet, Society and Space in Indian Cities by Pratyush Shankar were sent for peer review.

Upcoming Event in CEPT, Ahmedabad

Locating Internets: Histories of the Internet(s) in India — Research Training and Curriculum Workshop: Call for Participation [Deadline for submission – 26 July 2011; Participants to be selected by 30 July 2011; Workshop from 19 to 22 August 2011]

Digital Natives with a Cause?

Digital Natives with a Cause? is a knowledge programme initiated by CIS and Hivos, Netherlands. It is a research inquiry that seeks to look at the changing landscape of social change and political participation and the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who want to critically engage with the dominant discourse on youth, technology and social change, in order to look at the alternative practices and ideas in the Global South. It also aims at building new ecologies that amplify and augment the interventions and actions of the digitally young as they shape our futures.

The Digital Natives Newsletter

"Links in the Chain" is a bi-monthly publication which highlights the projects, ideas and news of the "Digital Natives with a Cause?" community members. It includes opinion posts by participants from the three workshops — Talking Back (Taipei, 15 – 18 August 2010), My Bubble, My Space, My Voice (Johannesburg, 6 – 9 November 2010) and From Face to the Interface (Santiago, 8 – 10 February 2011) as well as the facilitators, interviews with them, comics and cartoons highlighting current issues affecting the community, as well as current news and discussions happening at the project website, www.digitalnatives.in.

The Digital Dinosaurs [Links in the Chain, Volume 7]
Special Mid Year Edition [Links in the Chain, Volume 8]

Accessibility

Estimates of the percentage of the world's population that is disabled vary considerably. But what is certain is that if we count functional disability, then a large proportion of the world's population is disabled in one way or another. At CIS we work to ensure that the digital technologies, which empower disabled people and provide them with independence, are allowed to do so in practice and by the law. To this end, we support web accessibility guidelines, and change in copyright laws that currently disempower the persons with disabilities.

Featured Research

Accessibility Policy Making: An International Perspective (Revised Edition 2011) [A G3ict White Paper researched and edited by the Center for Internet and Society, Bangalore, India. Editor: Nirmita Narasimhan, Revised edition: May 2011]

Access to Knowledge (previously IPR Reform)

CIS believes that access to knowledge and culture is essential as it promotes creativity and innovation and bridges the gaps between the developed and developing world positively. Hence, the campaigns for an international treaty on copyright exceptions for print-impaired, advocating against PUPFIP Bill, calls for the WIPO Broadcast Treaty to be restricted to broadcast, questioning the demonization of 'pirates', and supporting endeavours that explore and question the current copyright regime.

Featured

Don't Shoot the Messenger: Speech on Intermediary Liability at 22nd SCCR of WIPO (speech by Pranesh Prakash at a side-event co-organized from 15 to 24 June 2011, by WIPO and the Internet Society on intermediary liability).

Openness

CIS believes that innovation and creativity should be fostered through openness and collaboration and is committed towards promotion of open standards, open access, and free/libre/open source software.

Documentary

People are Knowledge – Experimenting with Oral Citations on Wikipedia (co-produced by CIS in association with the Wikimedia Foundation, on Oral Citations in India and South Africa)

Featured

Opening Government: A Guide to Best Practice in Transparency, Accountability and Civic Engagement across the Public Sector (published by Transparency & Accountability Initiative, CIS contributed the section on Open Government Data).

Internet Governance

Although there may not be one centralized authority that rules the Internet, the Internet does not just run by its own volition: for it to operate in a stable and reliable manner, there needs to be in place infrastructure, a functional domain name system, ways to curtail cyber crime across borders, etc. The Tunis Agenda of the second World Summit on the Information Society (WSIS), paragraph 34 defined Internet governance as “the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” Its latest endeavour has resulted into these:

New Blog Post

RTI and Third Party Information: What Constitutes the Private and Public? [by Noopur Raval]

Events Organised

Socio-financial Online Networks: Globalizing Micro-Credit through Micro-transactional Networked Platforms – A Public Lecture by Radhika Gajalla [at CIS, Bangalore on 8 July 2011]
Internet Surveillance Policy: “…the second time as farce?” – A Public Lecture by Caspar Bowden [at TERI, Bangalore on 27 June 2011]

CIS is doing a project, ‘Privacy in Asia’. It is funded by Privacy International (PI), UK and the International Development Research Centre, Canada and is being administered in collaboration with the Society and Action Group, Gurgaon. The two-year project commenced on 24 March 2010 and will be completed as agreed to by the stakeholders. It was set up with the objective of raising awareness, sparking civil action and promoting democratic dialogue around challenges and violations of privacy in India. In furtherance of these goals it aims to draft and promote over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.

Featured

Privacy & Media Law (by Sonal Makhija). The research examines the existing media norms governed by Press Council of India, the Cable Television Networks (Regulation) Act, 1995 and the Code of Ethics drafted by the News Broadcasting Standard Authority, the constitutional protection guaranteed to an individual’s right to privacy upheld by the courts, and the reasons the State employs to justify the invasion of privacy.

Comments

Right to Privacy Bill 2010 — A Few Comments (by Elonnai Hickok). CIS has given specific recommendations and specific comments on the Right to Privacy Bill, 2010, which was introduced in the Rajya Sabha by Rajeev Chandrashekhar.

Event Report

Privacy Matters, Guwahati – the event was organised by IDRC, Society in Action Group, IDEA Chirang, an NGO initiative working with grassroots initiatives in Assam, Privacy India and CIS on 23 June 2011.

New Blog Entries

My Experiment with Scam Baiting (by Sahana Sarkar)
When Data Means Privacy, What Traces Are You Leaving Behind? (by Noopur Raval)
Video Surveillance and Its Impact on the Right to Privacy (by Elonnai Hickok)
Consumer Privacy in e-Commerce (by Sahana Sarkar)
An Overview of DNA Labs in India (by Shilpa Narani)
UID: Nothing to Hide, Nothing to Fear? (by Shilpa Narani)

News & Media Coverage

Indian SMEs still fail to harness the power of Net [Sunday Guardian, 19 June 2011]

Sorry Wrong Number [Telegraph, 3 July 2011]

Aadhaar’s moment of truth [Deccan Herald, 5 July 2011]
The Walls Have Ears [Outlook, issue, 11 July 2011]
Transparent Government, via Webcams in India [New York Times, 17 July 2011]; news also published in other languages in wprost (Polish), ictnews (Vietnamese) and @rret sur images(French)
NYT lauds Oommen Chandy’s 24/7 office webcast [Deccan Chronicle, 19 July 2011]
UID: The World’s Largest Biometric Database [International School on Digital Transformation, 21 July 2011]. Sunil Abraham made a presentation.
Facebook, my boyfriend is lousy [Bangalore Mirror, 24 July 2011]

Portal augurs well for transparency [The Hindu, 25 July 2011]

Follow us elsewhere

Get short, timely messages from us on Twitter

Follow CIS on identi.ca

Join the CIS group on Facebook

Visit us at www.cis-india.org

CIS is grateful to Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/july-2011-bulletin

Open Access to Scholarly Literature in India: A Status Report: Call for Comments

Prof. Subbiah Arunachalam and Madhan Muthu — 2012-12-14T10:26:24Z

The Centre for Internet and Society welcomes comments on the first draft of "Open Access to Scholarly Literature in India: A Status Report". This report, on open access to scholarly literature, with a special focus on scientific literature, has been written by Prof. Subbiah Arunachalam and Madhan Muthu. The report surveys the field of scholarly and scientific publication in India and provides a detailed history of the open access movement in India.

It notes that Indian science has "low but increasing research productivity helped by increasing investments on R&D, and low but moderately improving visibility", and that the best way to boost visibility and impact of Indian science are by pursuing a nation-wide open access policy.

Thus, it recommends that all publicly funded research in India should be made open access and provides suggestions on how this could best be achieved. It points out the need to go beyond open access mandates, to practical aspects like training of repository maintainers and of researchers for self-archiving. In addition, it points out the need for more effective advocacy and for a judicious mixture of both top-down and bottom-up approaches for bringing about the realization of the benefits of open access.

Please do write in to Prof. Subbiah Arunachalam (subbiah.arunachalam@gmail.com), Madhan Muthu (mu.madhan@gmail.com) and Pranesh Prakash (pranesh@cis-india.org) with your suggestions, criticisms, or general comments that you may have by Friday, August 12, 2011.

Please click below to access the document.

Open Access to Scholarly Literature in India [PDF, 1872 kb]
Open Access to Scholarly Literature in India [Word, 1964 kb]

This draft report was prepared in April 2011 and the authors will update it soon.

For more details visit https://cis-india.org/openness/blog-old/open-access-to-scholarly-literature

Portal augurs well for transparency

praskrishna — 2011-07-26T15:16:47Z

Data.gov.in will have meta-data, which will facilitate discovery of data and access from portals of ministries, says T Ramachandra. The article was published in the Hindu on 25 July 2011.

The unveiling of an official data access and sharing policy and the commissioning of a data portal (data.gov.in), which is on the anvil, will pave the way for digitally opening up the Central government data to the public.

"The data portal will be having meta-data [data about data], which will facilitate the discovery of the data and access from the portals of respective government departments/ministries. At present, the data policy is likely to cover the Central government and all activities funded by the Government of India," said R. Siva Kumar, CEO of National Spatial Data Infrastructure, and head of Natural Resources Data Management System, Department of Science and Technology.

Governmental data-holding organisations will prepare a negative list of non-shareable sensitive data, weighing the need to restrict public access given such considerations as security and privacy, against the obligation to share it with civil society and the scientific community. Apart from this, access to certain categories of data will be restricted.

The broad guidelines spelt out in the Right to Information Act will be followed and the list will be periodically reviewed. "All data outside the negative list will be proactively disseminated, and an oversight committee will facilitate policy implementation," said Dr. Kumar.

But does this mean that the public have to make specific requests for the unlocking of data-sets? “Data will be available through the data portal, and there will be no specific unlocking required. However, access to certain data may be through registration/authorisation,” he responded.

The sharing of such data might be tied to a pricing policy. "Pricing will be decided by the respective department/ministry. However, standardised parameters will be made available as guidelines for fixing the price," he said.

The draft of the proposed National Data Sharing and Accessibility Policy the government published some time ago indicates that the departments themselves can decide whether the data belongs to the ‘open access', ‘registered access,' or ‘restricted access' categories, with the policy neither mandating nor coming up with guidelines on how to do so, said Pranesh Prakash, programme manager, Centre for Internet and Society (CIS), a Bangalore-based NGO.

The CIS has recommended that the policy have the same scope as the RTI Act, and that all ‘public authorities,' as defined under the Act, be covered by it. Only the restricted categories (laid down in Sections 8 and 9 of the RTI Act) should be allowable for ‘restricted access.'

In a study on open government data in the Indian context, the CIS suggested that any policy be oriented towards meeting the requirements of a broad spectrum of citizenry. Specifically, sections that do not get to immediately benefit from advances in information technology. “Data mashing and private sector information products are important goals,” but the government itself should be proactive in creating the applications that show potential uses for the data.

The World Wide Web Consortium (W3C), the global body that sets web standards, has said governments, by putting their data on the Internet, facilitate greater transparency, deliver more efficient public services and encourage greater public and commercial use and re-use of government information.

Anil Bairwal, National Coordinator of the Association for Democratic Reforms, which is involved in disseminating election-related data through its website Electionwatch, says there is “huge public interest” in data, and that accessibility was of prime importance. For instance, election-related data was made available by the authorities in the PDF/image file formats. “This forces us to do a manual interpretation of every affidavit, which consumes a lot of time and energy. It would be helpful if this data was available in a portable open format via an online tool.”

Other countries have already made strides in furthering open data. Prominent examples are the U.K. government website, data.gov.uk, and the U.S. government's www.data.gov website, which is key to President Barack Obama's Open Government Initiative.

Read the original article published in the Hindu here

For more details visit https://cis-india.org/news/portal-augurs-well-for-transparency

Facebook, my boyfriend is lousy

praskrishna — 2011-07-25T10:07:37Z

While a sizeable chunk of users do not mind living their life in public, oversharing can have nasty repercussions in real life. This article by Sahana Saran was published in the Bangalore Mirror on 24 July 2011.

A wife wrote a bitchy remark about her mother-in-law on Facebook when her husband was out of town. A happy homecoming turned sour when the husband saw the comment. There was a huge showdown which finally led to divorce.

On the flip side, when Savita and Vinay’s (name changed) baby was about to be born a couple of years ago, the couple’s friend live-tweeted the whole childbirth process and the proud parents didn’t mind.

Oversharing on social networks by young people can have damaging results, say internet experts. Why does it happen?

"These days youngsters hook on to social networking sites, and you cannot blame them for seeking each other’s company because that is how they are at that age. There are more restrictions on children these days because of security and abuse issues which the earlier generation may not have encountered. For example, sleepovers which were much common earlier may now not be readily allowed. Their time outside their house is also monitored. Many schools these days have surveillance cameras or some form of curbs that might restrict students from having a private interaction. That is why they seek such interactions through the internet and social networks. Still in India, there is not really a need to press the panic button saying that they are becoming Facebook addicts," says Sunil Abraham, executive director of the Centre for Internet and Society, who is an internet behaviour expert.

Sunil quotes an analysis done in Poland to show how much social networking has become a part of young people’s lives. It showed that teenage girls who meet every day in school, go back home and immediately switch on their PCs and start interacting with each other again. And all through the day, they are on Skype and can see every single thing that each one of them are doing in their rooms in their respective homes. Studies done in the Philipines demonstrate how personal life is becoming public. A study by the Institute of Philippine Culture showed that many of those assessed were on Friendster and allow full access to information on their accounts and readily share details of activities, interests and contacts.

Is the situation different in India? Bhavana, a business management graduate in her 20s, says that what she puts up on her social networking account depends solely on her state of mind. But she ensures that messages are not too personal because earlier she had put up posts which backfired.

"Sometime ago we were celebrating my brother’s birthday and some misunderstanding happened during the celebrations and I was heaped with blame by friends and relatives on FB when I tried to justify myself. I was taken aback. Now, I am more careful about posting messages about sensitive topics," she says.

And when you let people know where you are through Google Latitude, you need to watch against saying offensive things.

"There have been instances of people gate-crashing parties following a Twitter or FB post; in China, mobs of people have attacked those whose views they oppose," adds Sunil.

What makes some people, who would never dream of whipping up controversies in the real world, so reckless when they are online?

"Most often, it is a way of being noticed, of getting attention. Everyone wants to have a popular public profile and telling the world about your opinions and your activities is a way of gaining attention. But new forms of communication are being invented every other day and each has an etiquette of its own," says Sunil.

According to Dr Thomas M J, there are two kinds of people who are the net — attention-seeking and anonymous. The anonymous generally never put personal details about themselves on social networks. "But the other group consists of those who are externally controlled. For such people any open media acts as a place to talk about themselves and they love being in that public space. Moreover, social networks give internet users the courage to say whatever they want because they can avoid face-to-face contact. Even if there is a response, it is muted because because it is not direct and they can escape confrontation," says Thomas.

Read the original article published in Bangalore Mirror here

For more details visit https://cis-india.org/news/facebook-my-lousy-boyfriend

Consumer Privacy in e-Commerce

sahana — 2012-03-28T04:53:17Z

Looking at the larger picture of national security versus consumer privacy, Sahana Sarkar says that though consumer privacy is important in the world of digital technology, individuals must put aside some of their civil liberties when it comes to the question of national security, as it is necessary to prevent societal damage.

What is Consumer Privacy?

In today’s digital economy generating consumer information is inevitable. Though some companies use the personal information they obtain to improve and provide more services to consumers, many companies use the information in an irresponsible manner.

In countries that do provide legal protection for consumer privacy, it is never protected as an absolute right. Consumer privacy is not considered an absolute right for three reasons:

What constitutes consumer privacy is culturally, contextually, individually defined
Consumer privacy often conflicts with other market rights
The ownership of a consumer's private information is debated — as consumer's believe they own the information and businesses believe they own the information.

In order to understand consumer privacy it is useful to outline the privacy expectations and strategies of both consumers and businesses, and to also examine the protection measures taken by firms to safeguard consumer information. The major privacy concerns held by consumer's can be broken down into three main domains:

Consumers want to be informed about the type of information that is being collected from them.
Consumers need to know that they a certain degree of control over the personal information that is being collected.
Consumers need to be assured that their personal information will be secure and will not be abused or stolen.

Though privacy has been defined by many as the "right to be let alone", its application in today’s modern world is not that straightforward. We live in a world where our purchasing behavior, both online and offline, is shared and used invisibly. For instance, if an individual uses a social networking site, it is possible for a third party application to access personal information that is shared. Similarly, if an individual uses a warranty card or loyalty card during a purchase, it is possible for third parties, like data brokers, to collect and use the individuals' personal information.

For instance,15 consumer privacy groups have filed a complaint against Facebook for limiting user's ability to browse anonymously. The complaint was regarding the fact that users only had the choice to designate personal information as publicly linkable, or to not provide information at all. Though Facebook claims to ensure users control over their personal data by allowing users to choose their privacy settings, it does not clarify that these setting can change at any given point. Moreover, the latest privacy embarrassment that hit Facebook proves again that Facebook does not protect users’ privacy. A few weeks ago Facebook admitted to passing personal information of its users onto different gaming applications. These gaming applications have in turn passed the information on to advertisers who otherwise could not have accessed the information.[1]

Breach of Privacy in Information Collection

Internet users often fear the loss of personal privacy, because of the ability businesses and their websites have to collect, store, and process personal data. For example, sites extract information from consumers through a form, and then record data about their user’s browsing habit. After collecting user information, the sites match the data with their personal and demographic information to create a profile of the user’s preferences, which is then used to promote targeted advertisements or provide customized services. The sites might also engage in web lining through which they price a consumer according to their profiles.

Online there are two main ways in which sites collect user information:

Sites collect information directly through a server software. Sites often use automatic software logs to do this.
A third party extracts information from the site without the consumer’s knowledge. Sites often place cookies on websites to extract user information.

Automatic software logs and third party cookie placement are two overlooked aspect of information collection. Cookies work by collecting personal information while a user surfs the net, and then feeds the information back to a Web server. Cookies are either used to remember the user, or are used by network advertising agencies to target product advertisements based on long term profiles of user’s buying and surfing habits. An example of a website that uses cookies is 'double click'. Web bugs are used by advertising networks to add information to the personal profiles stored in cookies. Web bugs are also used in junk email campaigns to see how many visits the site gets. Cookies and web bugs are just two out of hundreds of technologies used to collect personal information. [2]

Challenges Posed by Protection of Consumer Privacy

In conclusion, I would like to talk about the difficulty in maintaining a balance between the legal collections of information and protecting privacy of consumers. Above I demonstrated how this conflict arises between businesses and consumers — and is rooted in businesses wanting personal information for commercial reasons, and a user wanting protection and control over their own information. This conflict can also arise between consumers, businesses, and political bodies. An example that demonstrates this is the ongoing conflict between RIM (Research in Motion) and the Government of India. The Government of India has issued a warning against RIM saying that it would suspend its blackberry operations if they do not adhere to the Indian laws and regulations.

The Ministry of Home Affairs is demanding that RIM allow access to encrypted content that flows in and out of India. In other words the Government of India wants RIM to allow the security forces to have access to data sent using Blackberries by reducing encryption levels, or by providing the government with the decryption keys. The demand by the government is somewhat ironic as Blackberry manufacturers have developed the Blackberry encryption key to protect the consumers’ privacy during any business deal, so that information is not compromised. On the other side of the debate, the government is demanding access to Blackberry communications, because their inability to decrypt the codes makes countering the threats to national security difficult. This is especially true for a country like India, which is constantly facing threats from Maoists, and extremist Islamic groups.

This example highlights an important question: what is more important — national security or consumer privacy? In 2010, RIM agreed to negotiate access to consumer messages only where access requests are within local laws. Blackberry also agreed to not make any specific deals with consumers, and to make its enterprise systems security and confidentiality non-negotiable.

Conclusion

Though, consumer privacy is very important especially in a world of digital technology, however, when we speak of national security, I feel that individuals must set aside some of their civil liberties — at least to the extent that it is necessary to prevent societal damage. For a clearer understanding of national security vs consumer privacy look at the case of RIM Vs Indian Government in the following sites:

[1]http://www.ft.com/cms/s/0/198599e6-dc5f-11df-a0b9-00144feabdc0.html#axzz1O00LowtN

[2]http://cyber.law.harvard.edu/olds/ecommerce/privacytext.htmlFor an overview of some of these new data-collection technologies, along with some information on privacy-enhancing technologies such as P3P, see Developing Technologies.

For more details visit https://cis-india.org/internet-governance/blog/privacy/consumer-privacy-e-commerce

UID: The World’s Largest Biometric Database

praskrishna — 2011-07-23T02:04:45Z

At the start of his presentation, Sunil Abraham pointed to two aerial drawings of cybercafes: one where each computer was part of a private booth, and one where the computers were in the open so the screens would be visible to any one. Which layout would be more friendly to women, and why, Abraham wanted to know. Some participants selected the first option, liking the idea of the privacy, while others liked the second option so that the cybercafe owner would be able to monitor users’ activities.

Abraham said he was surprised no one said option one looked like masturbation booths, adding that in May, India passed rules prohibiting the first design option to avoid just such an issue. This is despite a survey conducted of female college students, who liked the idea of privacy in cybercafés that typically are male-dominated.

Cybercafes are just one of the areas impacted by India’s plan for collecting and using biometrics to create unique individual identification cards.

Abraham focused his presentation on activists’ efforts to counter the government’s myths about a unique identification (UID) program.

One campaign image showed two soldiers on the border asking for an east-Asian looking person’s identification. The way to balance, or rectify, the drawing, Abraham said, would be to allow citizens to be able to ask the soldiers for the identification information.

The campaign, “Rethink UID Project,” included several images illustrating various problems with the plan. For example, one said: “Central storage of keys is a bad idea, so is central storage of our biometrics.” As Abraham explained, if storing a copy of your housekey at the police station does not make us feel more secure, then why wouldn’t storing our biometrics with the government also make us a little more scared?

In the Indian scheme, Abraham said, the government says biometrics will be used as an authentication factor in order to prove your identity, but from a computer science perspective, it’s a bad idea because it is so easy to steal biometrics. And, as Abraham pointed out, if your biometrics are stolen, it’s not possible for you to re-secure it—it’s not like getting a new ATM card and password, he said.

If this system of national UID was designed using digital keys instead of biometrics, then we would have a completely different configuration, Abraham said.

Centralized storage is nonnegotiable, and therefore the process of authentification is done through a centralized database, but with digital keys or digital signatures, authentification could be done on a peer basis, so citizen could authenticate border guards and vice versa.

Another image from the “Rethink UID Project” campaign pointed out that “Technology cannot solve corruption.” As Abraham said, problems of corruption in the subsidy system (food, loans, education, employment guarantee act in rural India, etc) won’t be fixed with biometrics. For example, if biometric equipment is installed at fair-price shops, before the shop owner gives the grain, the citizen would have to present biometrics, which would go through a centralized server and be authenticated, then the citizen would get the grain, and ultimately there would be a record saying this particular citizen collected this amount of subsidized grain at this particular time.

But there are a whole range of ways shop owners can compromise the system, Abraham said.

The first way: 30-50 percent of India is illiterate, so shop owner can say the biometrics were rejected by the server and the citizen would not know better. Or, the owner can say there was no connectivity so authentification didn’t go through, or the owner could say there was no electricity so the system won’t work, or the shop owner could give just part of the grain that the citizen is due.

Corruption innovates and terrorism innovates—if technology innovates, so does corruption, as it is not a static phenomenon, Abraham said. You can’t wish away human beings from technological configurations.

One village will have multiple biometric readers.

Abraham said they have proposed an alternative schema: remove readers from the shop, school, hospital, bank, etc., and have only one scanner at the local governance hall. Instead of the citizen becoming transparent to the government, the government should become transparent to the citizen. The shop owners should make transparent which IDs they have given how much grain to, and only if they are going to dispute the ID of a citizen, can they go to the local government administrative office to prove the ID.

Another image from the “Rethink UID Project” campaign said, “The poor and the rich: who do we track first?”

Abraham explained that one problem in India is “black money,” or money for which you don’t pay taxes because the accounts are in fake names in order to store money. Like creating fake bank accounts, he said it also would be easy to create fake biometrics by combining the handprints and eyes of multiple people to get a second fake ID. Also the system could be hacked into and iris images Photoshopped. Ghost ideas also could be created and then sold off. Because the rich will get their IDs behind closed doors, Abraham said, it will be easy for them to get multiple IDs, but the poor will not be able to.

Referring to “tailgating,” or when one ID is card swiped to gain entrance for multiple people, such as swiping one metro card and then two people walking through, Abraham noted that the problem is that the tailgating only is seen as a problem when it’s at the bottom of the pyramid, such as one woman goes to the fair-price shop to collect grain for five or six families so only one person has to lose a day’s wage instead of all five or six losing a day’s wages. Tailgating at the bottom if the pyramid is usually a question of survival, he said.

Thus, another image from the campaign showed a pyramid and said, “Transparency at the top first…before transparency at the bottom.”

The first principle is that expectations of privacy should be inversely proportional to power, so people who are really powerful, like NGOs, politicians, or heads of corporations, should have less privacy, and people who have very little power should have more privacy, Abraham said.

Also, from a business perspective, the nation gets greater return on its investment if surveillance equipment is trained on people at the top of the pyramid to catch big-time corruption, he said.

Most of the panic around the UID is over the transaction database. Beyond a databse storing everyone’s biometrics, another database will track transactions: every time you buy a mobile phone or purchase a ticket or access a cyber cafe or subsidies, thanks to UID, there will a record made in the transaction database, Abraham said.

Abraham said it is important to note that surveillance is not an intrinsic part of information systems, but once surveillance is engineered into information systems, both those with good intentions or bad intentions can take advantage of that surveillance capability.

The UID means there will be 22 databases available to 12 intelligence agencies, he said.

So when a girl enters into a cybercafé, first she will have to provide her UID, and then the café owner will photocopy the card, then the owner has the right to take a photo of the girl using his own camera, then the owner is supposed to maintain browser logs of her computer for a period of one year.

So the question then is how to assure accountability without surveillance?

The first possibility, Abraham said, is partial storage. The transaction database could store half the data, and the central database could store the other half, so the full 360-view of the data would not be available without a court order.

The second solution is a transaction escrow, where every time a record is put into the main database, it will be encrypted using 2-3 keys, and only if 3 agencies cooperate with keys, can the information be decrypted. Thus, it is targeted surveillance, not blanket surveillance.

To conclude his presentation, Abraham divided participants into four groups in order to design surveillance systems for internet surveillance, mobile technologies, CCTVs, and border control.

Sharon Strover spoke on behalf of the CCTV group, saying they ended up with more questions than anything else. They agreed there should be notices when cameras are in use, there should be public knowledge of who is doing surveillance and who has access to the footage, and the data shouldn’t be sold. But the group couldn’t decide which spaces warranted CCTVs and which not.

Abraham then pointed out that the next generation of CCTVs can read everybody’s irises as they pass the cameras—it’s in the lab now, and 2-3 years from the market, he said.

Next, Andy Carvin spoke on behalf of the mobile technologies surveillance group. Whether or not capturing metadata or content as well, the mobile phone company can collect it, but it shouldn’t be able to keep any identifiable information for the person – it should only be able to look at information in the aggregate. The rest of the information should be shipped to a non-governmental organization or government agency specialized in privacy, and 2 keys would be required: one from the judiciary and one from the NGO or governmental agency.

Smári McCarthy reported back for the Internet surveillance group, pointing out that data retention has been useful in criminal cases less than 0.2 percent of the time in one study, and another showed there has been no statistically significant increase in the number of criminal cases solved because of data retention. So, he said, the group concluded there should be no blanket surveillance, only court orders in certain criminal cases that define who will be under surveillance and for how long. Also, they wanted to see a transparency register available so the public could be informed about how many people are under surveillance currently and throughout year and other general information, such as the success rate—how many of these surveillances have led to criminal convictions or similar.

Finally, Summer Harlow spoke on behalf of the border control group, which said scanning of checked- and carry-on luggage is acceptable, but there should be no luggage searches without specific probable cause from intelligence agencies or if the scans pick up weapons or other contraband. Similarly, people could be subject to spectrum scans and drug/bomb sniffing dogs for weapons and contraband, but again they would not be physically searched by border agents without probable cause. Also, people and luggage could not randomly be searched based on the country of their passport or their flight destination or origin.

In summary, Abraham said, surveillance is like salt in food: it is essential in small amounts, but completely counter-productive if even slightly excessive.

Download Sunil's presentation here [PDF, 1389 kb]
Sunil Abraham made the presentation at the Gary Chapman International School on Digital Transformation on 21 July 2011. The original news published by International School on Digital Transformation can be read here
Read the schedule here

For more details visit https://cis-india.org/news/uid-worlds-largest-database

People are Knowledge – Experimenting with Oral Citations on Wikipedia

praskrishna — 2012-12-14T10:26:31Z

The Centre for Internet and Society in association with the Wikimedia Foundation has produced a documentary film "People are Knowledge". The film evolved out of a project on Oral Citations in India and South Africa funded by the Wikimedia Foundation, and undertaken by Wikimedia Foundation Advisory Board Member Achal Prabhala as a short-term fellowship, to help overcome a lack of published materials in emerging languages on Wikipedia. New Delhi-based filmmaker Priya Sen has directed the film, with additional assistance from Zen Marie who handled the shooting in South Africa. The film explores how alternate methods of citation could be employed on Wikipedia, documenting a series of specific situations with regards to published knowledge, and subsequently, with oral citations.

The Problem

Imagine a world with every individual having open access to the sum of human knowledge. But there is a problem — the sum of human knowledge is far greater than the sum of printed knowledge. For example, in India and South Africa, the number of books produced every year is nowhere near to the number of books being producing in UK. There is very little citable, printed material to rely on in the indigenous languages of India or South Africa. So it is difficult for the languages of these countries to grow its own Wikipedia. While there are significant media markets for Indian languages within and outside India, there is very little scholarly publishing in any language other than English. On the other hand, South African languages with the exception of English and Afrikaans have had a largely oral existence and only in recent times have started a publishing tradition, which is in nascent stages.

Total Production of Books in UK, South Africa and India as of 2005

UK: 161,000 books / 60 million people
South Africa: 6100 books/48 million people
India: 97,000 books/1100 million people

If we were to measure books produced in 2005 per person per country, the comparison is even more glaring:

UK: 1 book per 372 people
South Africa: 1 book per 7869 people
India: 1 book per 11,371 people

Source: Wikimedia page on Research: Oral Citations. For more details see here

As a result of such disparity, everyday, common knowledge — things known, observed and performed by millions of people — do not enter Wikipedia as facts because they haven’t been written down in a reliably published source. Hence, Wikipedia in countries like India and South Africa lose out on opportunities for growth.

While we are enthused about the rise of “small language Wikipedias”, it may not happen soon. Not with the present rules at least. Even if we were to convince every single person in the South with Internet access to become an active editor on Wikipedia, there is still a problem that they are going to run up against. That problem that currently bedevils everyone working in local languages in Asia and Africa, and nobody seems to have a control over it.

For Wikipedias in languages of the South, citations aren’t a problem when the articles being added are translations (for universally important topics, reliable citations are already there in English and other European languages). Assuming, however, that we all want the sphere of knowledge to be universally expanded — and not merely translated from languages of the North to languages of the South — there are two specific problems with finding citations for important local subject matters.

Published, citable resources may simply not exist. This is not just true of Sub-Saharan African languages (many of which use Latin script, have a relatively recent written history, and small or non-existent publishing markets) but also of several South Asian languages (even though they have non-Latin scripts, a relatively ancient written history and thriving publishing markets in news and entertainment).
Even when published scholarly resources exist, they may be inaccessible and thus effectively rendered invisible to Wikipedians. Libraries and archives in India and South Africa are usually not electronically indexed. Furthermore, they are not always conveniently located, and often impose a massive bureaucratic burden on the user to search, see, borrow from or even enter.

Oral Citations as a Possible Solution

Hindi Wikipedia has over 65,000 articles, Malayalam Wikipedia has about 15,000, and Northern Sotho Wikipedia has about 600. Many of these articles — especially when concerning subjects that are specific to a particular people or place — have no citations whatsoever. Yet, an editor — often several editors — created the articles in question. How? Simply put, and barring laziness and carelessness where citations are available, the basis of fact therein is orally circulated knowledge. Even today, in several parts of the world, people are knowledge. Therefore, an exercise where oral citations are collected and assembled — in a manner not different to that by which print sources are cited on Wikipedia, i.e., with diverse viewpoints, several sources, a rationale for authenticity — might be one way to capture this knowledge in a form that is recognisable to Wikipedia.

Anthropologists have been doing this for years — in the academy, it is called field work. The average Wikipedians certainly don’t have the capacity to replicate the arduous research programme of a doctoral student but they do have common sense and access to basic telecommunication facilities. So oral citations can:

Create externally verifiable authentication for a Wikipedia article that is based on experiential facts, but lacks citations simply because no printed source has recorded these facts to date.
Add to the set of published scholarly resources that document an existing fact, for example, in cases where the published sources are archaic or primarily foreign, and thus complete existing knowledge or correct its biases.

The Experiment

Achal Prabhala worked with Wikipedians across three languages in two different countries — Malayalam (40 million speakers) and Hindi (250 million speakers) in India and Northern Sotho (5 million speakers) in South Africa to see how oral citations might be received in the language communities they can benefit, discuss this idea with Wikipedians at large, not as a final solution but as a first step in understanding how we may expand our definition of reliable sources of knowledge beyond what is published in print, and what benefits such an expansion may bring and show this is an idea that takes hold, to create a set of clearly laid-out initial templates that others can use and build upon. Four collaborators: Shiju Alex, Mayur, Mohau Monaledi and Achal Prabhala, with additional help from Vijayakumar Blathur were finalised. Parts of the experiment were then filmed as an edited documentary.

The Pitfalls

There are numerous potential pitfalls[1] the most glaring of which is the principle of ‘No original research’. Naturally, we’re going to have to find a way to justify our approach, or work around it, or expand its meaning. Several people will welcome it, several people will object on all kinds of grounds, and several others possibly misusing and misinterpreting oral citations (i.e., without care to authenticity, diversity of opinion) in their work on Wikipedia.

However, this is the right thing to do. The problem is real. The solution being presented is a first step, not a final answer. Sure, people might have a problem with it, and sure, there may be heated objections to it; but overall, if it’s the right thing to do, it should be done, however strange it seems and however unsettling it is.

After all, if the status quo had to be respected absolutely, we wouldn’t have Wikipedia.

Note

[1]On a side note, Achal says that the pitfall to the pitfall is the status quo: literally thousands of articles without any citations whatsoever, a problem that no one notices because they’re in languages that the majority of current editors on Wikipedia do not understand – and a problem which is often overlooked by language communities in the south in favour of growth.

For recorded interviews, click here

Watch the movie below:

People are Knowledge (subtitled) from Achal R. Prabhala on Vimeo.

For more details visit https://cis-india.org/openness/blog-old/people-are-knowledge

Openness

kaeru — 2015-12-15T08:27:08Z

Innovation and creativity are fostered through openness and collaboration. The advent of the Internet radically defined what it means to be open and collaborative. The Internet itself is built upon open standards and free/libre/open source software. Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Key Works

Publications

Open Data Intermediaries in Developing Countries - A Synthesis Report, François van Schalkwyk, Michael Caňares, Sumandro Chattapadhyay, and Alexander Andrason, June 2015.
Opening Government: A Guide to Best Practice in Transparency, Accountability and Civic Engagement across the Public Sector, Transparency & Accountability Initiative, 21 July 2011.
Open Government Data in India (v2), Nisha Thompson, 19 August 2011.
Open Government Data Study, Glover Wright, Pranesh Prakash, Sunil Abraham and Nishant Shah, Transparency & Accountability Initiative, 20 May 2011
Critical Point of View: A Wikipedia Reader, Geert Lovink and Nathaniel Tkacz (eds), Institute of Network Cultures, 9 May 2011.
Open Access to Scholarly Literature in India: A Status Report: Call for Comments, Prof. Subbiah Arunachalam and Madhan Muthu, April 2011.
The Online Video Environment in India - A Survey Report, Siddharth Chadha, Benjamin Moskowitz and Pranesh Prakash, iCommons and the Open Video Alliance, October 2010.

Film

People are Knowledge – Experimenting with Oral Citations on Wikipedia, directed by Priya Sen and Zen Marie, Wikimedia Foundation, 22 July 2011.

Submissions

Comments on the draft National Data Sharing and Accessibility Policy, submitted to the Department of Science and Technology, June 2011.
CIS Comments on the Interoperability Framework for e-Governance (Phase I), submitted to the Department of Information & Technology, January 2011.

Workshops

Workshop on Open Data for Human Development, organised with UNDP India and Akvo to support officials from the Government of Sikkim to draft an implementation plan for the state level open data policy, June 2015.
Iraqi Public Data Scenario Workshop: A Summary, notes from a workshop organised with UNDP Iraq to support officials of the Government of Iraq to draft an open data policy and build usage scenarios for open government data, October 2012.

For more details visit https://cis-india.org/openness/front-page

Opening Government: A Guide to Best Practice in Transparency, Accountability and Civic Engagement across the Public Sector

pranesh — 2012-12-14T10:26:42Z

The Transparency & Accountability Initiative has published a book called “Opening Government: A Guide to Best Practice in Transparency, Accountability and Civic Engagement across the Public Sector”. We at the Centre for Internet & Society contributed the section on Open Government Data.

Cross-posted from the Transparency & Accountability Initiative blog.

Download the full report (PDF, 440 Kb)

Open Government Partnership

In January 2011, a small group of government and civil society leaders from around the world gathered in Washington, DC to brainstorm on how to build upon growing global momentum around transparency, accountability and civic participation in governance. The result was the creation of the Open Government Partnership (OGP), a new multi-stakeholder coalition of governments, civil society and private sector actors working to advance open government around the world — with the goals of increasing public sector responsiveness to citizens, countering corruption, promoting economic efficiencies, harnessing innovation, and improving the delivery of services.

In September 2011, these founding OGP governments will gather in New York on the margins of the UN General Assembly to embrace a set of high-level open government principles, announce country-specific commitments for putting these principles into practice and invite civil society to assess their performance going forward. Also in September, a diverse coalition of governments will stand up and announce their intention to join a six-month process culminating in the announcement of their own OGP commitments and signing of the declaration of principles in January 2012.

'Opening Government' report

To help inform governments, civil society and the private sector in developing their OGP commitments, the Transparency and Accountability Initiative (T/A Initiative) reached out to leading experts across a wide range of open government fields to gather their input on current best practice and the practical steps that OGP participants and other governments can take to achieve it.

The result is the first document of its kind to compile the state of the art in transparency, accountability and citizen participation across 15 areas of governance, ranging from broad categories such as access to information, service delivery and budgeting to more specific sectors such as forestry, procurement and climate finance.

Each expert’s contribution is organized according to three tiers of potential commitments around open government for any given sector — minimal steps for countries starting from a relatively low baseline, more substantial steps for countries that have already made moderate progress, and most ambitious steps for countries that are advanced performers on open government.

Chapters and Contributing Authors

Aid – Publish What You Fund
Asset disclosure - Global Integrity
Budgets – The International Budget Project
Campaign finance – Transparency International - USA
Climate finance – World Resources Institute
Fisheries – TransparentSea
Financial sector reform Global Financial Integrity
Forestry – Global Witness
Electricity – Electricity Governance Initiative
Environment – The Access Initiative
Extractive industries – The Revenue Watch Institute
Open government data – The Centre for Internet and Society - India
Procurement – Transparency International-USA
Right to information – Access Info and the Center for Law and Democracy
Service delivery – Twaweza

For more details visit https://cis-india.org/openness/blog-old/opening-government-best-practice-guide