Centre for Internet and Society

Sustainable Smart Cities India Conference 2015, Bangalore

vanya — 2015-09-21T02:24:19Z

Nispana Innovative Platforms organized a Sustainable Smart Cities India Conference 2015, in Bangalore on 3rd and 4th September, 2015. The event saw participation from people across various sectors including Government Representatives from Ministries, Municipalities, Regulatory Authorities, as well as Project Management Companies, Engineers, Architects, Consultants, Handpicked Technology Solution Providers and Researchers. National and International experts and stakeholders were also present to discuss the opportunities and challenges in creating smart and responsible cities as well as citizens, and creating a roadmap for converting the smart cities vision into a reality that is best suited for India.

The objective of the conference was to discuss the meaning of a smart city, the promises made, the challenges and possible solutions for implementation of ideas by transforming Indian Cities towards a Sustainable and Smart Future.

Smart Cities Mission

Considering the pace of rapid urbanization in India, it has been estimated that the urban population would rise by more than 400 million people by the year 2050[1] and would contribute nearly 75% to India’s GDP by the year 2030. It has been realized that to foster such growth, well planned cities are of utmost importance. For this, the Indian government has come up with a Smart Cities initiative to drive economic growth and improve the quality of life of people by enabling local area development and harnessing technology, especially technology that leads to Smart outcomes.

Initially, the Mission aims to cover 100 cities across the countries (which have been shortlisted on the basis of a Smart Cities Proposal prepared by every city) and its duration will be five years (FY2015-16 to FY2019-20). The Mission may be continued thereafter in the light of an evaluation to be done by the Ministry of Urban Development (MoUD) and incorporating the learnings into the Mission. This initiative aims to focus on area-based development in the form of redevelopment, or developing new areas (Greenfield) to accommodate the growing urban population and ensure comprehensive planning to improve quality of life, create employment and enhance incomes for all, especially the poor and the disadvantaged.[2]

What is being done?

The Smart City Mission will be operated as a Centrally Sponsored Scheme (CSS) and the Central Government proposes to give financial support to the Mission to the extent of Rs. 48,000 crores over five years i.e. on an average Rs. 100 crore per city per year.The Government has come up with 2 missions:Atal Mission for Rejuvenation and Urban Transformation (AMRUT) and Smart Cities Mission for the purpose of achieving urban transformation.The vision is to preserve India’s traditional architecture, culture & ethnicity while implementing modern technology to make cities livable, use resources in a sustainable manner and create an inclusive environment. Additionally, Foreign Direct Investment regulations have been relaxed to invite foreign capital and help into the Smart City Mission.

What is a Smart City?

Over the two-day conference, various speakers shared a common sentiment that the Governments’ mission does not clearly define what encompasses the idea of a Smart City. There is no universally accepted definition of a Smart City and its conceptualization varies from city to city and country to country.

A global consensus on the idea of a smart city is a city which is livable, sustainable and inclusive. Hence, it would mean a city which has mobility, healthcare, smart infrastructure, smart people, traffic maintenance, efficient waste resource management, etc.

Also, there is a global debate at United Nations regarding developmental goals. One of these goals is gender equality which is very important for the smart city initiative. According to this, a smart city must be such where the women have a life free from violence, must be made to participate and are economically empowered.

Promises

The promises of the Smart City mission include:

Make a sustainable future, reduce carbon footprint, adequate water supply, assured electricity supply, proper sanitation, including solid waste management, efficient urban mobility and public transport, affordable housing especially for the poor, robust IT connectivity and digitalization, good governance, especially e-Governance and citizen participation, sustainable environment, safety and security of citizens, particularly women, children and the elderly, and health and education.

The vision is to preserve country’s traditional architecture, culture & ethnicity while implementing modern technology. It was discussed how the Smart City Mission is currently attracting global investment, will create new job opportunities, improve communications and infrastructure, decrease pollution and ultimately improve the quality of living.

Challenges

The main challenges for implementation of these objectives are with respect to housing, dealing

with existing cities and adopting the idea of retro-fitting.

Also, another challenge is that of eradicating urban poverty, controlling environment degradation, formulating a fool-proof plan, proper waste management mechanism, widening roads but not at the cost of pedestrians and cyclist and building cities which are inclusive and cater to the needs of women, children and disabled people.

Some of the top challenges will include devising a fool-proof plan to develop smart cities, meaningful public-private partnership, increasing the renewable energy, water supply, effective waste management, traffic management, meeting power demand, urban mobility, ICT connectivity, e-governance, etc., while preparing for new threats that can emerge with implementation of these new technologies.

What needs to be done?

The following suggestions were made by the experts to successfully implement government’s vision of creating successful smart cities in India.

Focus on the 4 P’s: Public-Private-People Partnership since people very much form a part of the cities.
Integration of organizations, government bodies, and the citizens. The Government can opt for a sentiment analysis.
Active participation by state governments since Land is a state subject under the Constitution. There must be a detailed framework to monitor the progress and the responsibilities must be clearly demarcated.
Detailed plans, policies and guidelines
Strengthen big data initiatives
Resource maximization
Make citizens smart by informing them and creating awareness
Need for competent people to run the projects
Visionary leadership
Create flexible and shared spaces for community development.

National/International case studies

Several national and international case studies were discussed to list down practical challenges to enable the selected Indian cities learn from their mistakes or include successful schemes in their planning from its inception.

Amsterdam Smart City: It is said to be a global village which was transformed into a smart city by involving the people. They took views of the citizens to make the plan a success. The role of big data and open data was highly emphasized. Also, it was suggested that there must be alignment with respect to responsibilities with the central, state and district government to avoid overlap of functions. The city adopted smart grid integration to make intelligent infrastructure and subsidized initiatives to make the city livable.
GIFT City, Gujarat: This is an ICT based sustainable city which is a Greenfield development. It is strategically situated. One of the major features of the City is a utility tunnel for providing repair services and the top of the tunnel can be utilized as a walking/jogging track. The city has smart fire safety measures, wide roads to control traffic, smart regulations.
TEL AVIV Smart City, Israel: It has been named as the Mediterranean cool city with young and free spirted people. The city comprises of creative class with 3 T’s-talent, technology and tolerance. The city welcomes startups and focuses on G2G, G2C and C2C initiatives by adopting technologically equipped initiatives for effective governance and community building programmes.

Participation

The event saw participation from people across various sectors including Government Representatives of Ministries, Municipalities, Regulatory Authorities, as well as Project Management Companies, Engineers, Architects, Consultants, Handpicked Technology Solution Providers and Researchers.

Foundation for Futuristic Cities: The conference saw participation from this think tank based out of Hyderabad working on establishing vibrant smart cities for a vibrant India. They are currently working on developing a "Smart City Protocol" for Indian cities collaborating with Technology, Government and Corporate partners by making a framework for Smart Cities, Big Data and predictive analytics for safe cities, City Sentiment Analysis, Situation Awareness Tools and mobile Apps for better city life by way of Hackathons and Devthons.
Centre for SMART cities, Bangalore: This is a research organization which aims to address the challenge of collaborating and sharing knowledge, resources and best practices that exist both in the private sector and governments/municipal bodies in a usable form and format.
BDP – India (Studio Leader – Urbanism): The Organization is based out of Delhi and is involved in providing services relating to master planning, urbanism, design and landscape design. The team includes interior designers, engineers, urbanists, sustainability experts, lighting designers, etc. The vision is to help build and create high quality, effective and inspiring built spaces.
UN Women: It is a United Nations Organization working on gender equality, women empowerment and elimination of discrimination. They strive to strengthen rights of women by working with women, men, feminists, women’s networks, governments, local authorities and civil society to create national strategies to advance gender equality in line with national and international priorities. The UN negotiated the 2030 Agenda for Sustainable Development in August 2015 (which would be formally adopted by World leaders in September 2015) and it feature 17 sustainable development goals, one of them being achievement of gender equality and empowerment of all women and girls.
Elematic India Pvt. Ltd.: The Company is a leading supplier of precast concrete technology worldwide providing smart solutions for concrete buildings to help enable build smart cities with safe infrastructure.

Conclusion

The event discussed in great detail about what a smart city would look like in a country like India where every city has different demographics, needs and resources.

The Participants had a mutual understanding that a city is not gauged by its length and width, but by the broadness of its vision and height of its dream. The initiative of creating smart cities would echo across the country as a whole and would not be limited to the urban centers. Hence, the plan must be inclusive in implementation and right from its inception, the people and their needs must be given due consideration to make it a success. The issue of the road ahead was resonating in the minds of many, as to how would this exactly happen. Hence, the first step, as was suggested by the experts, was to involve the citizens by primarily informing them, taking their suggestions and planning the project for every city accordingly. While focusing on cities which would be made better by human ingenuity and technology, along with building mechanism for housing, commerce, transportation and utilities, it must not be forgotten that technology is timely, but culture is timeless. The cities must not be faceless and community space must be built with walkable spaces with smart utilization of limited resources. Also, it must be ensured that the cities do not cater to the needs of the elite and skilled population, but also the less privileged community. Adequate urban mapping must be done to ensure placement for community facilities, such as restrooms, trash bins, and information kiosks.

A story shared from personal experience by an expert Architect in building Green infrastructure was highly instrumental in setting the tone of the conference and is bound to stay with many of the participants. The son of the Architect, a small child from Baroda left his father speechless when he questioned him about the absence of butterflies from the Big City of Mumbai since he used to play with butterflies every morning in his hometown in Gujarat. The incident was genuinely thought provoking and left every architect, government representative and engineer thinking that before they step on to build a smart cities with technologically equipped infrastructure and utilities - can we, as a country, come together and ensure to build a smart city with butterflies? Can we pay equal attention to sustainability, environment and requirements of a community in the smart city that is envisioned by the Government to make the city livable and inclusive?

Questions that I, as a participant, am left with are:

Building a Greenfield project is comparatively easier than upgrading the existing cities into Smart ones, which requires planning and optimum utilization of resources. The role of local bodies needs to be strengthened which would primarily require skilled workforce, beginning from planning to execution. Therefore, what must be done to make the current cities “Smarter” and how encourage and fund ordinary citizens to redefine and prioritize local needs?
The conference touched upon the need for a well-planned policy framework to govern the smart cities; however, what was missing was a discussion on the kind of policies that would be required for every city to ensure governance and monitor the operations. Chalking out well thought of urban policies is the first step towards implementation of the Project and requires deliberation in this regard.
The Government plans seem to cater to the needs of a handful of sections of the society and must focus on safety of women, chalk out initiatives to build basic utilities like public toilets, plan the infrastructure keeping in mind the disabled individuals, etc.

This is of paramount importance since it is necessary for the Government to consider who would be the potential inhabitants of these future smart cities and what would be their particular needs. Before the cities are made better by use of technology, there is a requirement of more toilets as a basic utility. Thus, instead of focusing on technological advancement as the sole foundation to make lives of the people easy, the cities must have provision of utilities which are accessible to develop livable smart cities. Hence, what measures would the Government and other bodies involved in the plan take to ensure that the urban enclaves would not oversee the under privileged class?

Another issue that went unnoticed during the two-day event was pertaining to the Fundamental Rights of individuals within the city. For example, the right of privacy, right to access services and utilities, right to security, etc. These basic rights must be given due recognition by the smart city developers to uphold the spirit of these internationally accepted Human Rights principles. Therefore, it is important to ask how these future cities are going to address the rights of its people in the cities?

Apart from plans of working on waste management, another important factor that must not be overlooked is sustainability in terms of maximization of the available resources in the best possible ways and techniques to be adopted to stop the fast paced degradation of the environment.

The conference could suggest more solutions to adopt measures like rain water harvesting, better sewage management in the existing cities.

Also, the importance of big data in building the smart cities was emphasized by many experts. However, the question of regulation of data being generated and released was not talked about. Use of big data analytics involves massive streaming of data which required regulation and control over its use and generation to ensure such information is not misutilised in any way. In such a scenario, how would these cities regulate and govern big data techniques to make the infrastructure and utilities technologically efficient on one hand, but also to use the large data sets in a monitored fashion on the other?

An answer to these crucial issues and questions would have brought about a lot of clarity in minds of all the officials, planners and the potential residents of the Smart Cities in India.

[1] 2014 revision of the World Urbanization Prospects, United Nations, Department of Economic and Social Affairs, July 2014, Available at : http://www.un.org/en/development/desa/publications/2014-revision-world-urbanization-prospects.html

[2] Smart Cities, Mission Statement and Guidelines, Ministry of Urban Development, Government of India, June 2015, Available at : http://smartcities.gov.in/writereaddata/SmartCityGuidelines.pdf

For more details visit https://cis-india.org/internet-governance/blog/sustainable-smart-cities-india-conference-2015-bangalore

Transformaking 2015 : International Summit on Critical and Transformative Making, Yogyakarta

sharath — 2016-06-18T18:00:08Z

Transformaking 2015 brought together makers, scientist, hackers, bricoleurs, researchers, artists, designers and other interdisciplinary practitioners from across the globe in a series of Residency and Research Program, Symposium, Exhibition, Fair, and Satellite Projects. It was held from August 10 to September 20, 2015. Transformaking 2015 was organized by HONF Foundation & CATEC (Culture Arts Technoloy Empowerment Community) in partnership with the Centre for Internet & Society (CIS), Common Room, Crosslab, and Nicelab.

More information on the event can be accessed on this website. I presented a talk Open Spectrum and Open Science – Policy and Future Opportunities. I was also a speaker in a panel Encouraging Innovations through Communication and Open Source Culture with fellow panelists Tom Rowlands (Future Everything), Gustav Hariman (Common Room, Bandung) and Colette Tron (Alphabetville) and moderated by Sachet Manandhar of Karkhana Labs, Nepal.

As with many other societies, Indonesia has a distinct maker culture that goes back centuries. The rise of collective movements in the network culture following the digital revolution — with associated terms such as DIY (do-it-yourself), DIWO (do-it-with-others), open source, maker and hacker spaces — only reinvigorates and replicates traditional production practices at the grass-roots level: verbal passing of knowledge both vertical (between generations) and horizontal (among community members), voluntary communal division of labour, inventiveness to overcome limited infrastructures, driven by the need to find solutions for a better life rather than personal profit. Our forefathers were the genuine makers.

The burgeoning maker movement has been receiving growing recognition as it demonstrates great potential to address concerns and provide innovative solutions at a local, citizen level where established socio-political systems fail. As the makers and associated maker culture come into contact with large industries, they run the risk of being reduced into commodities. A critical attitude is essential to keep the maker movement genuine with lessons from our forefathers in mind and catalyze practices create solutions and sustainable implementations in a process of transformative making — or Transformaking.

The summit aimed to:

Create a forum for all stakeholders to discuss views, practices, questions, and issues in the realm of critical making movement
Exhibit projects that create tangible, transformative solutions at a citizen level
Produce usable tools and define dissemination strategies for catalyzing local transformations globally

The following is a note on the Conception of the Summit:

Conception of the Summit - Why 'Transformaking'?

The act of Making is not new, and has been an ongoing process over centuries of mankind, ever since the invention of Neanderthal tools, the wheel, cultural artifacts and practices, to the modern day space shuttle and modes of communication. Today’s networked knowledge society is catalyzing and affecting the process of Making and knowledge production in interesting ways by mediating the co-located and instantaneous access, dissemination and sharing of information amongst people across vast distances.

The notion of free labour accompanying a rising participation in the gift economy of network culture, is loaded with words such as DIY, Open Knowledge, Open Data, Free & Open Source, that blurs the lines of distinction between production & consumption, labour & cultural expression, and has transcended both the puritan new left movement on one hand and the neo-liberal free market ideology on the other.

There has evidently been a marked shift in the site of labour — from the factory to society, that autonomists have called ‘the social factory’ which challenges the very notion of capitalism from the inside. In Pierre Lévy’s own words — A shift from the Cartesian model of thought based on the singular idea of cogito (I think) to a collective or plural cogitamus (we think), seems to be the unifying goal represented by various models and spaces for thinking such as Makercultures, Think Tanks, Maker Movements, Maker Labs & Hacker/Maker Spaces.

This change in the process of making and knowledge production is further underlined by contextualized maker activity geared towards fueling change, thereby challenging traditional modes of production and consumption, creative and cultural expression, structures of societal organization, ownership, access, intellectual property and copyright regimes, models of participative democracy, citizen science and civic governance in a process of Transformative Making or –what we call – ‘Transformaking’.

Transformaking: The International Summit on Critical and Transformative Making 2015 shall bring together makers, hackers, bricoleurs, educators, researchers, theorists, artists and designers to:

A Symposium to self reflect, debate and put forth views with regards to their respective practices and dissect various complexities and questions that surround the areas of Critical and Transformative Making.
An Exhibition on Critical Making featuring completed and contextualized projects and productions.
Produce a tangible outcome, of the first International Summit, that focuses on collating diverse views, practices and usable tools along with strategizing modes of academic publication and dissemination for furthering meaningful local transformations, globally.

For more details visit https://cis-india.org/a2k/blogs/transformaking-2015-international-summit-on-critical-and-transformative-making-yogyakarta

International Open Data Charter: Comments by CIS

sumandro — 2015-09-08T11:01:01Z

The second meeting of Stewards of the International Open Data Charter is in progress in Santiago, Chile, where the revisions made to the Charter based on the comments received during the public consultation period that ended on July 31, 2015, are being re-discussed and finalised by the Stewards. Here we are sharing the comments submitted by us on the first public draft of the Charter published during the International Open Data Conference in Ottawa, Canada, in May 2015. The comments include those submitted by Sumandro and Sharath Chandra Ram.

The draft International Open Data Charter and all the submitted comments can be accessed here: http://opendatacharter.net/charter/

Comments on the Public Draft

Note: The text below contains excerpts from the public draft of the Charter, followed by submitted comments in bold.

1) The world is witnessing the growth of a global movement facilitated by technology and digital media and fuelled by information – one that contains enormous potential to create more accountable, efficient, responsive, and effective governments and businesses, and to spur economic growth.

The word ‘movement’ can perhaps be replaced by ‘transformation.’ ‘Movement’ tends to suggest some kind of unity of purpose or objective, which is not perhaps what is meant here. Also, is it possible to add ‘transparent’ to ‘accountable, efficient, responsive, and effective’?

Open data sit at the heart of this global movement.

Perhaps ‘transformation’ and not ‘movement’.

2) Building a more democratic, just, and prosperous society requires transparent, accountable governments that engage regularly and meaningfully with citizens. Accordingly, there is an ongoing effort to enable collaboration around key social challenges, to provide effective oversight of government activities, to support economic development through innovation, and to develop effective, efficient public policies and programmes.

Perhaps insert ‘sustainable’ before ‘economic development’. In the second sentence, none of the action phrases (‘enable collaboration’ and ‘effective oversight’ and ‘innovation’ and ‘develop effective, efficient’) are speaking about either democracy or justice. The focus seems to be completely on effectiveness. Phrases like ‘transparent’, ‘accountable’, and ‘participatory’ should be introduced here.

Open data is essential to meeting these challenges.

The above point clarifies why ‘data is essential’ but not why ‘open data is essential’. The connection between democracy and justice on one hand, and open data on the other is not yet articulated clearly.

3) Effective access to data allows individuals and organisations to develop new insights and innovations that can generate social and economic benefits to improve the lives of people around the world, and help to improve the flow of information within and between countries. While governments collect a wide range of data, they do not always share these data in ways that are easily discoverable, useable, or understandable by the public.

Along with allowing ‘insights’ and ‘innovations’ to develop, can it also be highlighted that open data make decisions and processes transparent?

This is a missed opportunity.

I agree with above comments that it is perhaps better to articulate this not as ‘missed opportunity’ but to highlight this as the very ‘opportunity’ that the open data agenda is interested in capturing.

4) Today, many people expect to be able to access high quality information and services, including government data, when and how they want. Others see the opportunity presented by government data as one which can provide innovative policy solutions and support economic and social benefits for all members of society. We have arrived at a point at which people can use open data to generate value, insights, ideas, and services to create a better world for all.

This point may also mention that some people are interested in using government data to open up government decisions and processes and make them transparent, which is a necessary condition for making the government accountable.

6) Providing access to government data can drive sustainable and inclusive growth by empowering citizens, the media, civil society, and the private sector to identify gaps, and work toward better outcomes for public services in areas such as health, education, public safety, environmental protection, and governance. Open data can do this by:

Perhaps ‘democratic participation’ can be added after ‘sustainable and inclusive growth’. That is: ‘Providing access to government data can drive sustainable and inclusive growth, and democratic participation, by empowering citizens…’

7) Open government data can be used in innovative ways to create useful tools and products that help to navigate modern life more easily. Used in this way, open data are a catalyst for innovation in the private sector, supporting the creation of new markets, businesses, and jobs. These benefits can multiply as more private sector and civil society organisations adopt open data practices modelled by government and share their own data with the public.

The incentive for private sector and CSOs to open up data is not clear. Overall benefit may rise with them opening up data, but how does a private company / CSO benefit by opening up its data?

8) We, the adherents to the International Open Data Charter, agree that open data are an under-used resource with huge potential to encourage the building of stronger, more interconnected societies that better meet the needs of our citizens and allow innovation and prosperity to flourish.

Along with ‘stronger’ and ‘more interconnected’, please mention ‘more transparent’ and ‘more democratic’. Also it is not clear what is meant by ‘stronger’. ‘[B]etter meet the needs of our citizens’ does not necessarily suggest a more democratic or just society, but a more effective welfare distribution system. Please add ‘… and empower the citizens to ensure accountability of the government.’

9) We therefore agree to follow a set of principles that will be the foundation for access to, and the release and use of, open government data. These principles are:

Open Data by Default;
Quality and Quantity;
Accessible and Useable by All;
Engagement and Empowerment of Citizens;
Collaboration for Development and Innovation

Does it makes sense to remove the ‘Quantity and Quality’ point and merging it with ‘Accessible and Usable by All’? Data quantity and quality issues, along with those related to publication of data, can all logically follow under the topic of data access and use. For example, highly aggregated data published once a year without documentation is not really usable data.

10) We will develop an action plan in support of the implementation of the Charter and its Technical Annexes, and will update and renew the action plan at a minimum of every two years. We agree to commit the necessary resources to work within our political and legal frameworks to implement these principles in accordance with the technical best practices and timeframes set out in our action plan.

We (at CIS) strongly feel that the Charter should also prescribe that along with the national Action Plan, Open Data Citizen’s Charters are created for various levels and verticals of the government. This will clarify data publication responsibilities and targets at ministerial and sub-national (including city) governmental levels, and will allow for much more effective monitoring (national and international) of the Action Plan implementation process.

‘[A]t a minimum of every two years’ reads a bit unclear. Does it mean that the Action Plan should be renewed only after two years and not before, or that the Action Plan should be renewed every two years or before that?

11) We recognise that free access to, and the subsequent use of, government data are of significant value to society and the economy, and that government data should, therefore, be open by default.

Along with clarifying the scope of ‘government data,’ the idea of ‘open’ in the context of data needs a clear definition as an independent point. The document is getting into ‘open by default’ without clarifying what is ‘open’, including both necessary and sufficient conditions.

12) We acknowledge the need to promote the global development and adoption of tools and policies for the creation, use, and exchange of open data and information.

I agree with Mike Linksvayer. This is a great opportunity for the Charter to connect the open data agenda with the wider open agendas, especially that of free and open source softwares. It is very important that this point promotes ‘global development of free and open source tools’.

Extending the comment by Jose Subero, along with ‘tools’ and ‘policies’, it will be great to have a mention of ‘standards’ here, which is critical for ensuring ‘interoperability’ and thus ‘harmonisation’.

13) We recognise that the term ‘government data’ is meant in the widest sense possible. This could apply to data held by national, federal, and local governments, international government bodies, and other types of institutions in the wider public sector. This could also apply to data created for governments by external organisations, and data of significant benefit to the public which is held by external organisations and related to government programmes and services (e.g. data on extractives entities, data on transportation infrastructure, etc).

It is wonderful that the point promotes a wide understanding of ‘government data’ but at the same time it should also define a necessary core understanding of data, just to ensure that governments do not interpret this point too narrowly.

Further, a focus only on data created by public agencies can perhaps be too narrow (for the necessary/core understanding of ‘government data’). With public services delivered increasingly by private agencies and public-private-partnerships, it is crucial that ‘government data’ should explicitly include any data coming out of a process funded by public money (the process may be carried out by a public agency or not). This is an extremely important point from a developing country perspective.

14) We recognise that there is domestic and international legislation, in particular pertaining to security, privacy, confidentiality, intellectual property, and personally-identifiable and other sensitive information, which must be observed and/or updated where necessary.

From a developing country perspective, it is very important that the Charter does not keep this critical point dependent on domestic and international legislations. International legislation may not be very developed for all of the mentioned topics, and many countries may not have existing domestic legislations on these topics either. The Charter should mention an internationally acceptable list of concerns / criteria for not opening up data. The list may include the topics mentioned here, like privacy and national security. This need not be a list of sufficient criteria, but of necessary ones.

15) We will:

develop and adopt policies and practices to ensure that all government data is made open by default, as outlined in this Charter, while recognising that there are legitimate reasons why some data cannot be released;

'Administrative reforms’ are most often crucial to make government data ‘open by default, and the same should be mentioned along with ‘policies’ and ‘practices’.

provide clear justifications as to why certain data cannot be released;

This is a great point. Perhaps it can be added that all government agencies should produce a list of all data assets maintained by them, point out the ones that cannot be made open, and provide clear justification as to why those cannot be released. This comment pre-empts 19.1. Perhaps this point about providing justification for not releasing data can be merged with 19.1.

develop the leadership, management, oversight, and internal communication policies necessary to enable this transition to a culture of openness.

Along with ‘leadership, management, oversight, and internal communication’, is it possible to add ‘incentives’? This is often overlooked in implementing open data policies.

16) We recognise that governments and other public sector organisations hold vast amounts of information that may be of interest to citizens, and that it may take time to identify data for release or publication.

17) We also recognise the importance of consulting with citizens, other governments, non-governmental organisations, and other open data users, to identify which data to prioritise for release and/or improvement.

18) We agree, however, that governments’ primary responsibility should be to release data in a timely manner, without undue delay.

Points 16-18 seem to suggest that the ‘quantity and quality’ issue is mostly one of prioritisation. This can be misleading. This is perhaps the ‘quantity’ issue, but not at all the ‘quality’ issue.

19) We will:

...
release high-quality open data that are timely, comprehensive, and accurate in accordance with prioritisation that is informed by public requests. To the extent possible, data will be released in their original, unmodified form and at the finest level of granularity available, and will also be linked to any visualisations or analyses created based on the data, as well as any relevant guidance or documentation;

Please add ‘human- and machine-readable’ along with ‘timely, comprehensive, and accurate’.

Put ‘, and’ between ‘, and accurate’ and ‘in accordance’.

‘Relevant guidance or documentation’ should be mentioned before, and not after, ‘visualisations or analyses’.

ensure that accompanying documentation is written in clear, plain language, so that it can be easily understood by all;

Add that the documentation should be ‘comprehensive’, along with being written in plain language.

make sure that data are fully described, and that data users have sufficient information to understand their source, strengths, weaknesses, and any analytical limitations;

Regarding ‘Full description of data’ — Aggregate data must be accompanied by low level raw data along with details of analytical methods used to arrive at figures. This allows for verification as well as alternate views and detection of statistical anomalies.

ensure that open datasets include consistent core metadata, and are made available in human- and machine-readable formats under an open and unrestrictive licence;

Is this the necessary definition of ‘open data’? If so, it should be much higher up.

allow users to provide feedback, and continue to make revisions to ensure the quality of the data is improved as needed; and

This point should clarify if it is talking about making revisions of the data itself (its content), or how it is being published (its form), or both?

apply consistent information lifecycle management practices, and ensure historical copies of datasets are preserved, archived, and kept accessible as long as they retain value.

The ‘as long as they retain value’ part seems vague. Who is going to take this decision about value? Is it possible to rephrase this as ‘as long as they are demanded by data users’?

21) We recognise that open data should be made available free of charge in order to encourage their widest possible use.

Maybe ‘government data’ and not ‘open data’ (open data already means it is available gratis). Also, along with ‘free of charge’ maybe add ‘under open license’, as that is a critical requirement for ‘widest possible use.’

22) We recognise that when open data are released, they should be made available without bureaucratic or administrative barriers, such as mandatory user registration, which can deter people from accessing the data.

I strongly believe that this point should be removed. Registration of the data user can also be very useful for the government agencies to track demand and actual usage of their datasets. Instead of the government agencies doing such kind of tracking as a background process, it is much better if the data usage monitoring of all users is done transparently. Along with perhaps a public dashboard of data usages of the users of an open data portal. As long as the registration barrier does not involve an approval process by the government agency, it can be allowed.

A more general point should be added as part of this principle, regarding no-discrimination (or approval process) among data users interested in accessing and using of open government data.

23) We will:

release data in open formats and free of charge to ensure that the data are available to the widest range of users to find, access, and use them. In many cases, this will include providing data in multiple formats, so that they can be processed by computers and used by people; and

Please add ‘open license’ along with ‘open formats’ and ‘free of charge’.

24) We recognise that the release of open data strengthens our public and democratic institutions, encourages better development, implementation, and assessment of policies to meet the needs of our citizens, and enables more meaningful, better informed engagement between governments and citizens.

Perhaps add ‘, and makes them transparent’ after ‘strengthens our public and democratic institutions’. Please also add ‘monitoring’ along with ‘development, implementation, and assessment’.

25) We will:

implement oversight and review processes to report regularly on the progress and impact of our open data initiatives;

The functioning of these ‘oversight and review processes’ must be open and transparent themselves. The reporting should be public.

engage with community and civil society representatives working in the domain of transparency and accountability to determine what data they need to effectively hold governments to account; encourage the use of open data to develop innovative, evidence-based policy solutions that benefit all members of society, as well as empower marginalised groups; and

This must also include a point regarding the government proactively seeking data demands from citizens, CSOs, academics, and the private sector.

‘as well as empower marginalised groups’ is too vague. Perhaps it can be made into a separate point, and qualified with what kinds of empowerment is needed – from demanding data, to accessing and using data, to be aware of the data collected from such groups by the government agencies.

be transparent about our own data collection, standards, and publishing processes, by documenting all of these related processes online.

This should be part of point 19.

26) We recognise the importance of diversity in stimulating creativity and innovation. The more citizens, governments, civil society, and the private sector use open data, the greater the social and economic benefits that will be generated. This is true for government, commercial, and non-commercial uses.

The diversity point is almost already made with points 20-21 – widest possible users lead to widest possible use.

28) We will:

...
engage with civil society, the private sector, and academic representatives to determine what data they need to generate social and economic value;

This is also covered under the Principle 3.

provide training programs, tools, and guidelines designed to ensure government employees are capable of using open data effectively in policy development processes;

This should be part of Principle 1.

encourage non-governmental organisations to open up data created and collected by them in order to move toward a richer open data ecosystem with multiple sources of open data;

I agree with ABS. Why not ‘non-governmental organisations and the private sector’?

Also the document shifts back and forth between ‘civil society organisations’ and ‘non-governmental organisations’. If both mean the same in this document, then it should use only one.

General Comments on the Charter

1. Why not merge the Principle 4 and 5 so as to describe an overall situation of engagement and collaboration. The ends can be commercial acts or towards democratic practices, but the existing principles do not make much a difference between the two types of acts.

2. Further, can a new principle be added at the end that would address the implementation process of the Action Plan? Specifically, it should clarify how the implementation itself be an open process, with not only the Action Plan but annual reports regarding the status of implementation. This principle may connect to the work being done by the Implementation WG.

For more details visit https://cis-india.org/openness/international-open-data-charter-comments-by-cis

Data Flow in the Unique Identification Scheme of India

vidushi — 2015-09-03T17:02:44Z

This note analyses the data flow within the UID scheme and aims at highlighting vulnerabilities at each stage. The data flow within the UID Scheme can be best understood by first delineating the organizations involved in enrolling residents for Aadhaar. The UIDAI partners with various Registrars usually a department of the central or state Government, and some private sector agencies like LIC etc– through a Memorandum of Understanding for assisting with the enrollment process of the UID project.

Many thanks to Elonnai Hickok for her invaluable guidance, input and feedback

These Registrars then appoint Enrollment Agencies that enroll residents by collecting the necessary data and sharing this with the UIDAI for de-duplication and issuance of an Aadhaar number, at enrolment centers that they set up. The data flow process of the UID is described below:[1]

Data Capture

Filling out an enrollment form – To enroll for an Aadhaar number, individuals are required to provide proof of address and proof of identity. These documents are verified by an official at the enrollment center.

Vulnerability: Though an official is responsible for verifying these documents, it is unclear how this verification is completed. It is possible for fraudulent proof of address and proof of identity to be verified and approved by this official.

The 'introducer' system: For individuals who do not have a Proof of Identity, Proof of Address etc the UIDAI has established an 'introducer' system. The introducer verifies that the individual is who they claim to be and that they live where they claim to live.

Vulnerability: This introducer is akin to the introducer concept in banking; except that here, the introducer must be approved by the Registrar, and need not know the person bring enrolled. This leads to questions of authenticity and validity of the data collected and verified by an 'introducer'. The Home Ministry in 2012, indicated that this must be reviewed.[2]

Categories of data for enrollment: The UIDAI has a standard enrollment form and list of documents required for enrollment. This includes: name, address, birth date, gender, proof of address and proof of identity. Some MoUs (Memorandum of Understanding) permit for the Registrars to collect additional information in addition to what is required by the UIDAI. This could be any information the Registrar deems necessary for any purpose.

Vulnerability: The fact that a Registrar may collect any information they deem necessary and for any purpose leads to concerns regarding (1) informed consent – as individuals are in placed in a position of having to provide this information as it is coupled with the Aadhaar enrollment process (2) unauthorized collection - though the MOU between the UIDAI and the Registrar has authorized the Registrar to collect additional information – if the information is personal in nature and the Registrar is a body corporate it must be collected as per the Information Technology Rules 2011 under section 43A. It is unclear if Registrars that are body corporates are collecting data in accordance to these rules. (3) As Registrars are permitted to collect any data they deem necessary for any purpose – this leads to concerns regarding misuse of this data..[3]

Verification of Resident’s Documents: true copies of original documents, after verification are sent to the Registrar for “permanent storage.”[4]

Vulnerability: It is unclear as to what extent and form this storage takes place. There is no clarity on who is responsible for the data once collected, and the permissible uses of such data are also unclear. The contracts between the UID and Registry claim that guidelines must be followed, while the guidelines state that, “The documents are required to be preserved by Registrar till the UIDAI finalizes its document storage agency” and states that the “Registrars must ensure that the documents are stored in a safe and secure manner and protected from unauthorized access.” [5] The question of what is “unauthorized access”, “secure storage”, when is data transferred to the UIDAI and when the UIDAI will access it and why remain unanswered. Moreover, there is nothing about deleting documents once the MoU lapses. The guidelines in question were also developed post facto.

Data collection for enrollment: After verification of proof of address and proof of identity, operators at the enrolling the agency will be enrolling individuals. Data Collection is completed by operators at the enrolling agency. This includes the digitization of enrollment forms and collection of biometrics. Enrollment information is manually collected and entered into computers operating software provided by the UIDAI and then transferred to the UIDAI. Biometrics are collected through devices that have been provided by third parties such as Accenture and L1Identity Solutions.

Vulnerability: After data is collected by enrollment operators it is possible for data leakage to occur at the point of collection or during transfer to the Registrar and UIDAI. Data operators, are therefore not answerable to the UIDAI, but to a private agency; a fact which has been the cause of concern even within the government.[6] There have also been instances of sub contracting which leads to more complications in respect of accountability. Misuse[7] and loss of data is a very real possibility, and irregularities have been reported as well.[8] By relying on technology that is provided by third parties (in many cases foreign third parties) data collected by these devices is also available to these companies while at the same time the companies are not regulated by Indian law.

Import pre-enrolment data into Aadhaar enrollment client, Syncing NPR/census data into the software: The National Population Register (NPR) enrolls usual residents, and is governed by the Citizenship Rules, which prescribe a penalty for non disclosure of information.

Vulnerability: Biometrics does not form part of the Rules that govern NPR data collection; the Citizenship Rules, 2003. In many ways, collection of biometrics without amending the citizenship laws amounts to a worrying situation. The NPR hands over information that it collects to UIDAI, biometrics collected as part of the UIDAI is included in the NPR, leading to concerns surrounding legality and security of such data.

Resident’s consent: for “whether the resident has agreed to share the captured information with organizations engaged in delivery of welfare services.”

Vulnerability: This allows the UIDAI to use data in an almost unfettered fashion. The enrolment form reads, “‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” Informed consent, Vague. What info and with whom. Why is necessary for the UIDAI to share this information, when the organization is only supposed to be a passive intermediary? Does beyond the mandate of the UIDAI, which is only to provide and authenticate the number.

Biometric exceptions: The operator checks if the resident’s eyes/hands are amputated/missing, and after the Supervisor verifies the same, the record is made as an exception and only the individuals photograph is recorded.

Vulnerability: There has widespread misuse of this clause, with data being fabricated to fall into this category, making it unreliable as a whole. In March 2013, 3.84 lakh numbers were cancelled as they were based on fraudulent use of the exception clause. [9]

Operator checks if resident wants Aadhaar enabled bank account: The UID project was touted to be a scheme that would ensure access to benefits and subsidies that are provided through cash transfers as well as enabling financial inclusion. Subsequently, the need for a Aadhaar embedded bank account was made essential to avail of these benefits. The operator at this point checks whether the resident would like to open such a bank account.

Vulnerability: The data provided at the time of linking UID with a bank account cannot be corrected or retracted. Although this has the vision of financial inclusion, it is now a threat of exclusion.

Capturing biometrics- The UIDAI scheme includes assigning each individual a unique identification number after collecting their demographic and biometric information. One Time Passwords are used to manually override a situation in which biometric identification fails.[10] The UIDAI data collection process was revamped in 2012 to include best finger detection and multiple try method.[11]

Vulnerabilities: The collection process is not always accurate, in fact, 70% of the residents who enrolled in Salt Lake, will have to re-enroll due to discrepancies at the time of enrollment.[12] Further, a large number of people in India are unable to give biometric information due to manual labour, or cataracts etc.

After such data is entered, the Operator shows such data to the Resident or Introducer or Head of the Family (as the case may be) for validation.

Operator Sign off – Each set of data needs to be verified by an Operator whose fingerprint is already stored in the system.

Vulnerability: Vesting authority to sign off in an operator allows for signing off on inaccurate or fraudulent data. For example, the issuance of aadhaar numbers to biometric exceptions highlight issues surrounding misuse and unreliability of this function.[13]

After this, the Enrolment operator gets supervisor’s sign off for any exceptions that might exist, Acknowledgement and consent for enrolment is stored. Any correction to specified data can be made within 96 hours.

Document Storage, Back up and Sync

After gathering and verifying all the information about the resident, the Enrolment Agency Operator will store photocopies of the documents of the resident. These Agencies also backup data “from time to time” (recommended to be twice a day), and maintain it for a minimum of 60 days. They also sync with the server every 7-10 days.

Vulnerability: The security implications of third party operators storing information is greatly exacerbated by the fact that these operators use technology and devices from companies have close ties to intelligence agencies in other countries; L-1 Identity Solutions have close ties with America’s CIA, Accenture with French intelligence etc. [14]

Transfer of Demographic and Biometric Data Collected to CIDR

“First mile logistics” include transferring data by using Secure File Transfer Protocol) provided by UIDAI or through a “suitable carrier” such as India Post.

Vulnerability: There is no engagement between the UIDAI and the enrolling agencies; the registrars engage private enrolment agencies, and not the UIDAI. Further, the scope of people authorized to collect information, the information that can be collected, how such information is stored etc are all vague. In 2009, there was a notification that claimed that the UIDAI owns the database[15] but there is no indication on how it may be used, how this might react to instances of identity fraud, etc.

Data De-duplication and Aadhar Generation at CIDR

On receiving biometric information, the de-duplication is done to ensure that each individual is given only one UID number.

Vulnerability:

This de-duplication is carried out by private companies, some of which are not of indian origin and thus are also not bound by Indian law. Also, the volume of Aadhaar numbers rejected due to quality or technical reasons is a cause of worry; the count reaching 9 crores in May 2015.[16]
The MoUs promise registrars access to information contained in the Aadhaar letter, although individuals are ensured that such letter is only sent to them. [17]
General compliance and de-duplication has been an issue, with over 34,000 people being issued more than one Aadhaar number,[18] and innumerable examples of faulty Aadhaar cards being issued.[19]

[1] Enrolment Process Essentials : UIDAI , (December 13,2012), http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[2] UIDAI to review biometric data collection process of 60 crore resident Indians: P Chidambaram, Economic Times, (Jan 31, 2012), http://articles.economictimes.indiatimes.com/2012-01-31/news/31010619_1_biometrics-uidai-national-population-register.

[3]See: an MoU signed between the UIDAI and the Government of Madhya Pradesh. Also see: Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[4]http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[5] Document Storage Guidelines for Registrars – Version 1.2, https://uidai.gov.in/images/mou/D11%20Document%20Storage%20Guidelines%20for%20Registrars%20final%2005082010.pdf

[6] Arindham Mukherjee, Lola Nayar, Aadhaar,A Few Basic Issues, Outlook India, (December 5, 2011), http://dataprivacylab.org/TIP/2011sept/India4.pdf.

[7] Aadhaar: UIDAI probing several cases of misuse of personal data, The Hindu, (April 29, 2012), http://www.thehindubusinessline.com/economy/aadhar-uidai-probing-several-cases-of-misuse-of-personal-data/article3367092.ece.

[8] Harsimran Julka, UIDAI wins court battle against HCL technologies, The Economic Times, (October 4, 2011), http://articles.economictimes.indiatimes.com/2011-10-04/news/30242553_1_uidai-bank-guarantee-hp-and-ibm.

[9] Chetan Chauhan, UIDAI cancels 3.84 lakh fake Aadhaar numbers, The Hindustan Times, (December 26, 2012), http://www.hindustantimes.com/newdelhi/uidai-cancels-3-84-lakh-fake-aadhaar-numbers/article1-980634.aspx.

[10] Usha Ramanathan, “Inclusion project that excludes the poor”, The Statesman (July 4, 2013).

[11] UIDAI to Refresh Data Collection Process, Zee News, (February 7, 2012) http://zeenews.india.com/news/delhi/uidai-to-refresh-data-collection-process_757251.html.

[12] Snehal Sengupta, Queue up again to apply for Aadhaar, The Telegraph, (February 27, 2015), http://www.telegraphindia.com/1150227/jsp/saltlake/story_5642.jsp#.VayjDZOqqko

[13] Chauhan, supra note 7.

[14] Usha Ramanathan, Three Supreme Court Orders Later, What’s the Deal with Aadhaar? Yahoo News, (April 13, 2015), https://in.news.yahoo.com/three-supreme-court-orders-later--what-s-the-deal-with-aadhaar-094316180.html.

[15] Usha Ramanathan, “Threat of Exclusion and of Surveillance”, The Statesman (July 2, 2013).

[16] Over 9 Crore Aadhaar enrolments rejected by UIDAI, Zee News (May 8, 2015).

[17] Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[18] Surabhi Agarwal, Duplicate Aadhar numbers within estimate, Live Mint (March 5, 2013).

[19] Usha Ramanathan, “Outsourcing enrolment, gathering dogs and trees”, The Statesman (August 7, 2013).

For more details visit https://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india

CIS Human DNA Profiling Bill 2015

praskrishna — 2015-09-02T17:04:31Z

For more details visit https://cis-india.org/internet-governance/blog/cis-human-dna-profiling-bill-2015

CIS brings Nadustunna Charithra magazine under by CC BY SA licence

hasan — 2016-06-18T18:07:46Z

As a part of its content donation initiative, the Centre for Internet & Society's Access to Knowledge team (CIS-A2K) has brought all issues of Nadustunna Charithra magazine under Creative Common Licence.

CIS-A2K has received 74 issues as of now from the Telugu Jaati foundation. These issues shall be published by A2K on a blog site under CC BY SA licence to make it a reliable reference resource and adhere Wikipedia guidelines.

Nadustunna Charithra magazine has dealt extensively with Telugu semantics and Telugu Cultural history and we hope to upload all the issues to Telugu Wikisource. These magazines will also serve as handy reference guides for Telugu Wikipedians and shall act as a major referencing and citation resource.

CIS-A2K has also been successful in acquiring 250 song books (booklets that have the lyrics of songs featured in a film) of Telugu movies for content donation. These song books serve as introduction to the film itself. They contain lyrics of the songs, poster of the movie, details of the cast and crew, a short synopsis both in Telugu and English along with photographs of the lead actors. As of now CIS-A2K has been able to locate song books for most of the films produced between 1930-1954.

These resources shall also help the Telugu community in coming up with new/improved articles related to Telugu cinema. With most of the basic information regarding a film available in the song book, we expect that the Telugu community along with active cooperation from A2K shall create GA quality articles and this content donation will also help in improving stubs that were created earlier.

CIS-A2K is extremely grateful for the support received by the Telugu community during this content donation initiative and would like to thank in person Mr. Bhaskarnaidu, Mr. Gullapalli Nageshwara Rao who have been part of these conversations and helped us identify the resources to be re-licensed.

For more details visit https://cis-india.org/a2k/blogs/cis-brings-nadustunna-charithra-magazine-under-by-cc-by-sa-licence

August 2015 Bulletin

praskrishna — 2015-10-27T00:25:02Z

We are happy to share with you the eighth issue of the Centre for Internet and Society (CIS) newsletter (August 2015). The past editions of the newsletter can be accessed at http://cis-india.org/about/newsletters.

Highlights

Researchers at Work programme has published a book titled Digital Activism in Asia Reader exploring in detail digital activism in Asia. The Reader was edited by Nishant Shah, P.P. Sneha, and Sumandro Chattapadhyay with support from Anirudh Sridhar, Denisse Albornoz, and Verena Getahun. The pre-publication drafts of two sections written by Sumandro Chattapadhyay for the third volume (2000-2010) of the Asia Internet History series edited by Prof. Kilnam Chon have been posted for open-review process. As part of the 'Studying Internets in India' series, RAW published blog entries on Governing Speech on the Internet and Mock-Calling - Ironies of Outsourcing and the Aspirations of an Individual. NVDA team conducted a workshop at Jeevan Jyoti School for the Blind, Varanasi from August 26 to 28, 2015. Eighty five students and 13 teachers took part in the training programme. NVDA team had conducted another workshop earlier in Nashik. The workshop was conducted in June. A batch of 17 Special Educators and teachers of the blind attended the workshop. Maggie Huang, Arpita Sengupta and Paavni Anand as part of the Pervasive Technologies project co-authored a research paper that seeks to compare the publicly available information on the websites of music collective management organizations ("CMOs") operating within India, the United States, and the United Kingdom. Amulya Purushothama, Nehaa Chaudhari and Varun Baliga in a blog entry have delved into the question of what the mandate of the Sectoral Innovation Council is, what its activities are, and what vision for IPR development in India has it put forth. An RTI Application has been filed by CIS to attain information on these issues. In a blog post, Amulya Purushothama announced our new MHRD IPR Chair Series and has charted the sequence of events, starting from the establishment of MHRD IPR Chairs, to discussions surrounding their purpose and functioning, to concerns surrounding the lack of information about the IPR Chairs, the first round of RTIs that CIS had filed in regard to this and the responses it solicited. Subhashish Panigrahi interviewed Prateek Pattanaik. Prateek has not just digitized as many as 54 Odia-language poetry dating early 18th century but has also annotated, both poetic and prosaic translation in his blogs "Sri Jagannatha" and "Utkal Sangeet". He has also published a complete book "Kisora chandranana champu" on Odia Wikisource. A recent entrant into the Odia Wikimedia community, Prateek is also the youngest Odia Wikimedian. Rohan George and Elonnai Hickok in a blog post analyzed consent, big data and data protection that examines in detail why the principle of consent is providing us increasingly less of an aegis in protecting our data. Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh on behalf of CIS submitted a clause-by-clause comments on the Human DNA Profiling Bill that was circulated by the Department of Biotechnology on June 9, 2015. Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar co-authored an article titled Security: Privacy, Transparency and Technology. The article was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2. Elonnai Hickok in a blog post titled A Review of the Policy Debate around Big Data and Internet of Things has done an analysis as to how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things. The Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist. Vipul Kharbanda analyses this in a blog entry. Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations. Elonnai Hickok has provided an initial evaluation of how Big Data could impact India's current data protection standards. Elonnai Hickok has provided a comparison of Human DNA Profiling Bill 2012 vs. the Human DNA Profiling Bill 2015, CIS's main recommendations vs. the 2015 Bill, Sub-Committee Recommendations vs. the 2015 Bill, and the Expert Committee Recommendations vs. the 2015 Bill. CIS submitted its comments to the non-paper on the UNGA Overall Review of the Implementation of the WSIS outcomes, evaluating the progress made and challenges ahead. In a policy brief, Vipul Kharbanda has analyzed the different laws regulating surveillance at the state and central level in India and calls out ways in which the provisions are unharmonized. The brief then provides recommendations for the harmonization of surveillance law in India. Hardnews interviewed Sunil Abraham about the future of the internet in India. The article was published in their August edition. Shyam Ponappa in an Op-ed published by Business Standard has given an analysis on the reasons of the number of dropped calls on our mobile phones.

Accessibility and Inclusion

Under a grant from the Hans Foundation we are doing a project on developing text-to-speech software for 15 Indian languages. The progress made so far in the project can be accessed here. The project on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India got over and the compilation has been printed.

NVDA and eSpeak

Monthly Updates

August 2015 Report (Suman Dogra; July 31, 2015).

Event Reports

Training in eSpeak Marathi (Organized by NVDA team; National Association for the Blind; Nashik; June 22 - 23, 2015). The workshop was held in the month of June but the report got published later in August.
Training in eSpeak Hindi (Organized by NVDA team; Jeevan Jyoti School for the Blind; Varanasi; August 26 - 28, 2015).

Access to Knowledge

As part of the Access to Knowledge programme we are doing two projects. The first one (Pervasive Technologies) under a grant from the International Development Research Centre (IDRC) is for research on the complex interplay between pervasive technologies and intellectual property to support intellectual property norms that encourage the proliferation and development of such technologies as a social good. The second one (Wikipedia) under a grant from the Wikimedia Foundation is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Pervasive Technologies

Blog Entries

Methodology: Patent Landscaping in the Indian Mobile Device Market (Rohini Lakshané; November 10, 2014). This blog post published last year has been recently updated.
Comparative Transparency Review of Collective Management Organisations in India, United Kingdom and the United States (Maggie Huang, Arpita Sengupta and Paavni Anand; August 1, 2015).

Other (Copyright and Patent)

Blog Entries

CCI Participation at the Upcoming 3rd International Conference on IPR and Competition (Amulya Purushothama; August 5, 2015). CIS wrote to the Competition Commission of India Chairman on August 5, 2015 about participation at a conference organised by Ericsson and concerns regarding conflict of interest. We also had several other NGOs sign on to the letter.
MHRD IPR Chair Series: Introduction (Amulya Purushothama; August 10, 2015). Aditya Garg assisted in research and writing.
National IPR Policy Series: What Have the Sectoral Innovation Councils Been Doing on IPR (Nehaa Chaudhari and Varun Baliga; August 13, 2015). Amulya Purushothama assisted with research and writing.

Media Coverage

Competition Commission of India chariman's participation in Assocham conference raises conflict of interests (Rema Nagarajan; The Times of India; August 6, 2015).
Assocham event sparks row over conflict of interest by CCI (Dilasha Seth and Deepak Patel; Business Standard; August 6, 2015).

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entry

Odia Wikisource has a new Wikisourcer, and he is the youngest in the Odia Wikimedia community! (Subhashish Panigrahi; August 21, 2015).

Events Co-organized

Annamaya Library edit-a-thon (Organized by CIS-A2K and Telugu Wikipedia Community; August 6, 2015; Andhra Loyola College; Vijaywada).
International Workshop on Digitization and Archiving (Organized by CIS-A2K and Wikipedia Community; August 19 - 21, 2015). Rahmanuddin Shaik was one of the trainers.

FOSS

Participation in Events

Workshop on digital collaborations in Tamil-language, Tamil Virtual Chennai (Organized by Tamil Virtual University, Anna University Campus, Chennai; August 8 - 9, 2015). Dr. U.B. Pavanaja atttended this event.
Open Innovation, entrepreneurship, and our digital future (Organized by iSpirit; Bangalore; August 13, 2015). Rohini Lakshané attended the event. Rohini wrote a report on this .

Media Coverage

CIS gave its inputs to the following:

Telugu Wikipedia Edit-a-thon at ALC (Eenadu; August 6, 2015)
Telugu Wiki Edit-a-thon in ALC (Eenadu; August 6, 2015)
Rare Telugu religious and historical work preserved at Annamacharya library to come on Wikisource! (The Hans India; August 7, 2015).
ಗ್ರಾಮೀಣ ಪ್ರದೇಶದ ಆರ್ಥಿಕ ಪ್ರಗತಿಯಿಂದ ದೇಶದ ಆರ್ಥಿಕ ಪ್ರಗತಿ ಸಾಧ್ಯವಾಗುತ್ತದೆ. (Mangalorean.com; August 13, 2015).
ವಿಕಿಪಿಡಿಯ ಮುಕ್ತವಾಗಿ ಬಳಸಿ: ಡಾ.ಪವನಜ (Karavali Karnataka; August 14, 2015).
ಬೆಳ್ತಂಗಡಿ:ಎಲ್ಲಾ ಕಾಲಕ್ಕೂ ಲಭ್ಯ ಇರುವ ಸ್ವತಂತ್ರ ಹಾಗೂ ಮುಕ್ತ ವಿಶ್ವಕೋಶ ವಿಕಿಪೀಡಿಯಾ-ಪವನಜ (SahilOnline; August 14, 2015).
Talamaddale on August 23 (Hindu; August 16, 2015).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and International Development Research Centre (IDRC)) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on studying the restrictions placed on freedom of expression online by the Indian government.

Privacy

Article

Security: Privacy, Transparency and Technology (Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar; Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2 ; August 19, 2015).

Submission

CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015 (Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh; August 27, 2015).

Blog Entries

Policy Paper on Surveillance in India (Vipul Kharbanda; August 3, 2015).
Comparison of the Human DNA Profiling Bill 2012 with: CIS recommendations, Sub-Committee Recommendations, Expert Committee Recommendations, and the Human DNA Profiling Bill 2015 (Elonnai Hickok; August 10, 2015).
Right to Privacy in Peril (Vipul Kharbanda; August 13, 2015).
Responsible Data Forum: Discussion on the Risks and Mitigations of releasing Data (Vanya Rakesh; August 26, 2015).
Are we Throwing our Data Protection Regimes under the Bus? (Elonnai Hickok and Rohan George; August 29, 2015).
Supreme Court Order is a Good Start, but is Seeding Necessary? (Elonnai Hickok and Rohan George; August 29, 2015).

Big Data

Blog Entries

Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Elonnai Hickok; August 11, 2015).
A Review of the Policy Debate around Big Data and Internet of Things (Elonnai Hickok; August 17, 2015).

Participation in Event

The Changing Landscape of ICT Governance and Practice - Convergence and Big Data (Co-organized by Innovation Center for Big Data and Digital Convergence, Yuan Ze University, Taiwan; August 24 - 25, 2015). Sharat Chandra Ram was granted the Young Scholar Award 2015 to attend theYoung Scholar Workshop followed by main CPRSouth2015 conference (Communication Policy Research South) conference.

Free Speech and Expression

Submission

CIS submission to the UNGA WSIS+10 Review (Jyoti Panday; August 9, 2015),

Cyber Security

Upcoming Event

Bangalore Chapter Meet of DSCI (Co-organized by DSCI and CIS; September 26, 2015). Melissa Hathaway, Commissioner, Global Commission for Internet Governance and Sunil Abraham will be speaking at this event.

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Op-ed

Those Dropped Calls (Shyam Ponappa; Business Standard; August 5, 2015 and Organizing India Blogspot; August 6, 2015).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by contemporary concerns to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It is interested in producing local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Books

Digital Activism in Asia Reader (edited by Nishant Shah, P.P. Sneha, and Sumandro Chattapadhyay, with support from Anirudh Sridhar, Denisse Albornoz, and Verena Getahun; August 8, 2015).

Books Chapters

Civil Society Organisations and Internet Governance in Asia - Open Review (Sumandro Chattapadhyay; Asia Internet History Vol. 3, edited by Prof. Kilnam Chon). Comments are invited.
Civil Society Organisations and Internet Governance in India - Open Review (Sumandro Chattapadhyay; Asia Internet History Vol. 3, edited by Prof. Kilnam Chon). Comments are invited.

Accepted Paper Abstract

Studying the Emerging Database State in India: Notes for Critical Data Studies (Sumandro Chattapadhyay; August 2, 2015). The paper has been provisionally accepted.

Blog Entries

Mock-Calling - Ironies of Outsourcing and the Aspirations of an Individual (Sreedeep; August 6, 2015).
Governing Speech on the Internet: From the Free Marketplace Policy to a Controlled 'Public Sphere' (Smarika Kumar; August 28, 2015).

News & Media Coverage

CIS gave its inputs to the following media coverage:

Why the DNA Bill is open to misuse: Sunil Abraham (Kanika Datta; Business Standard; August 1, 2015)
Porn ban: People will soon learn to circumvent ISPs and govt orders, expert says (Karthikeyan Hemalatha; The Times of India; August 2, 2015).
Indian government orders ISPs to block 857 porn websites (John Ribeiro; IDG News and PC World; August 2, 2015)
India blocks access to 857 porn sites (BBC; August 3, 2015).
India launches crackdown on online porn (James Crabtree; Financial Times; August 3, 2015).
Proxies and VPNs: Why govt can't ban porn websites? (Siladitya Ray; August 3, 2015; Hindustan Times)
Nanny state rules porn bad for you (Anahita Mukherji; The Times of India; August 4, 2015).
Ban on pornography temporary, says government (Business Standard; August 4, 2015)
Porn block in India sparks outrage (Australian; August 5, 2015).
Indian Porn Ban is Partially Lifted But Sites Remain Blocked (Sean Mclain; Wall Street Journal; August 5, 2015)
Genetic Profiling: Is it all in the DNA? (Ullekh N.P.; The Open Magazine; August 7, 2015)
India partially lifts Porn Ban? (Nazhat Khan; DESI blitz; August 7, 2015)
Net Neutrality: India is a Key Battleground (Abeer Kapoor; Hardnews; August 10, 2015)
Stats from 2014 reveal horror of scrapped section 66A of IT Act (Aloke Tikku; Hindustan Times; August 20, 2015).
The seedy underbelly of revenge porn (Sandhya Soman; The Times of India; August 23, 2015).
The new tattler in town (P. Anima; Hindu Businessline; August 28, 2015).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the mediation and reconfiguration of social and cultural processes and structures by the internet and digital media technologies.

► Follow us elsewhere

CIS - Twitter: http://twitter.com/cis_india
Access to Knowledge - Twitter: https://twitter.com/CISA2K
Access to Knowledge - Facebook: https://www.facebook.com/cisa2k
Access to Knowledge - E-Mail: a2k@cis-india.org
Researchers at Work - E-Mail: raw@cis-india.org
Researchers at Work - Mailing List: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration:

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, Access to Knowledge, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/august-2015-bulletin

Supreme Court Order is a Good Start, but is Seeding Necessary?

Elonnai Hickok and Rohan George — 2015-09-07T13:21:58Z

This blog post seeks to unpack the ‘seeding’ process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the court in the context of the seeding process.

Introduction

On August 11th 2015, in the writ petition Justice K.S Puttaswamy (Retd.) & Another vs. Union of India & Others1, the Supreme Court of India issued an interim order regarding the constitutionality of the UIDAI scheme. In response to the order, Dr. Usha Ramanathan published an article titled  'Decoding the Aadhaar judgment: No more seeding, not till the privacy issue is settled by the court' which, among other points, highlights concerns around the seeding of Aadhaar numbers into service delivery databases. She writes that "seeding' is a matter of grave concern in the UID project. This is about the introduction of the number into every data base. Once the number is seeded in various databases, it makes convergence of personal information remarkably simple. So, if the number is in the gas agency, the bank, the ticket, the ration card, the voter ID, the medical records and so on, the state, as also others who learn to use what is called the 'ID platform', can 'see' the citizen at will."2

Building off of this statement, this article seeks to unpack the 'seeding' process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the Court in the context of the seeding process.

What is Seeding?

In the UID scheme, data points within databases of service providers and banks are organized via individual Aadhaar numbers through a process known as 'seeding'. The UIDAI has released two documents on the seeding process - "Approach Document for Aadhaar Seeding in Service Delivery Databases version 1.0" (Version 1.0)3 and "Standard Protocol Covering the Approach & Process for Seeding Aadhaar Number in Service Delivery Databases June 2015 Version 1.1" (Version 1.1)4

According to Version 1.0 "Aadhaar seeding is a process by which UIDs of residents are included in the service delivery database of service providers for enabling Aadhaar based authentication during service delivery."5 Version 1.0 further states that the "Seeding process typically involves data extraction, consolidation, normalization, and matching".6 According to Version 1.1, Aadhaar seeding is "a process by which the Aadhaar numbers of residents are included in the service delivery database of service providers for enabling de-duplication of database and Aadhaar based authentication during service delivery".7 There is an extra clause in Version 1.1's definition of seeding which includes "de-duplication" in addition to authentication.

Though not directly stated, it is envisioned that the Aadhaar number will be seeded into the databases of service providers and banks to enable cash transfers of funds. This was alluded to in the Version 1.1 document with the UIDAI stating "Irrespective of the Scheme and the geography, as the Aadhaar Number of a given Beneficiary finally has to be linked with the Bank Account, Banks play a strategic and key role in Seeding."8

How does the seeding process work?

The seeding process itself can be done through manual/organic processes or algorithmic/in-organic processes. In the inorganic process the Aadhaar database is matched with the database of the service provider - namely the database of beneficiaries, KYR+ data from enrolment agencies, and the EID-UID database from the UIDAI. Once compared and a match is found - for example between KYR fields in the service delivery database and KYR+ fields in the Aadhaar database - the Aadhaar number is seeded into the service delivery database.9

Organic seeding can be carried out via a number of methods, but the recommended method from the UIDAI is door to door collection of Aadhaar numbers from residents which are subsequently uploaded into the service delivery database either manually or through the use of a tablet or smart phone. Perhaps demonstrating the fact that technology cannot be used as a 'patch' for a broken or premature system, organic (manual) seeding is suggested as the preferred process by the UIDAI due to challenges such as lack of digitization of beneficiary records, lack of standardization in Name and Address records, and incomplete data.10

According to the 1.0 Approach Paper, to facilitate the seeding process, the UIDAI has developed an in house software known as Ginger. Service providers that adopt the Aadhaar number must move their existing databases onto the Ginger platform, which then organizes the present and incoming data in the database by individual Aadhaar numbers. This 'organization' can be done automatically or manually. Once organized, data can be queried by Aadhaar number by person's on the 'control' end of the Ginger platform.11

In practice this means that during an authentication in which the UIDAI responds to a service provider with a 'yes' or 'no' response, the UIDAI would have access to at least these two sets of data: 1.) Transaction data (date, time, device number, and Aadhaar number of the individual authenticating) 2.) Data associated to an individual Aadhaar number within a database that has been seeded with Aadhaar numbers (historical and incoming). According to the Approach Document version 1.0, "The objective here is that the seeding process/utility should be able to access the service delivery data and all related information in at least the read-only mode." 12 and the Version 1.1 document states "Software application users with authorized access should be able to access data online in a seamless fashion while providing service benefit to residents." 13

What are the concerns with seeding?

With the increased availability of data analysis and processing technologies, organisations have the ability to link disparate data points stored across databases in order that the data can be related to each other and thereby analysed to derive holistic, intrinsic, and/or latent assessments. This can allow for deeper and more useful insights from otherwise standalone data. In the context of the government linking data, such "relating" can be useful - enabling the government to visualize a holistic and more accurate data and to develop data informed policies through research14. Yet, allowing for disparate data points to be merged and linked to each other raises questions about privacy and civil liberties - as well as more intrinsic questions about purpose, access,  consent and choice.  To name a few, linked data can be used to create profiles of individuals, it can facilitate surveillance, it can enable new and unintended uses of data, and it can be used for discriminatory purposes.

The fact that the seeding process is meant to facilitate extraction, consolidation, normalization and matching of data so it can be queried by Aadhaar number, and that existing databases can be transposed onto the Ginger platform can give rise to Dr. Ramanthan's concerns. She argues that anyone having access to the 'control' end of the Ginger platform can access all data associated to a Aadhaar number, that convergence can now easily be initiated with databases on the Ginger platform,  and that profiling of individuals can take place through the linking of data points via the Ginger platform.

How does the Supreme Court Order impact the seeding process and what still needs to be clarified?

In the interim order the Supreme Court lays out four welcome clarifications and limitations on the UID scheme:

The Union of India shall give wide publicity in the electronic and print media including radio and television networks that it is not mandatory for a citizen to obtain an Aadhaar card;
The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen;
The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the purpose of the LPG Distribution Scheme;
The information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation."15

In some ways, the court order addresses some of the concerns regarding the seeding of Aadhaar numbers by limiting the scope of the seeding process to the PDS scheme, but there are still a number of aspects of the scheme as they pertain to the seeding process that need to be addressed by the court.

These include:

The Process of Seeding

Prior to the Supreme Court interim order, the above concerns were quite broad in scope as Aadhaar could be adopted by any private or public entity - and the number was being seeded in databases of banks, the railways, tax authorities, etc. The interim order, to an extent, lessens these concerns by holding that  "The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme…".

However, the Court could have perhaps been more specific regarding what is included under the PDS scheme, because the scheme itself is broad. That said, the restrictions put in place by the court create a form of purpose limitation and a boundary of  proportionality on the UID scheme. By limiting the purpose of the Aadhaar number to use in the PDS system, the  Aadhaar number can only be seeded into the databases of entities involved in the PDS Scheme, rather than any entity that had adopted the number. Despite this, the seeding process is an issue in itself for the following reasons:

Access: Embedding service delivery databases and bank databases with the Aadhaar number allows for the UIDAI or authorized users to access information in these databases. According to version 1.1 of the seeding document from the UIDAI - the UIDAI is carrying out the seeding process through 'seeding agencies'. These agencies can include private companies, public limited companies, government companies, PSUs, semi-government organizations, and NGOs that are registered and operating in India for at least three years.16 Though under contract by the UIDAI, it is unclear what information such organizations would be able to access. This ambiguity leaves the data collected by UIDAI open to potential abuse and unauthorized access. Thus, the Court Ruling fails to provide clarity on the access that the seeding process enables for the UIDAI and for private parties.

Consent: Upon enrolling for an Aadhaar number, individuals have the option of consenting to the UIDAI sharing information in three instances:

"I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services."

"I want the UIDAI to facilitate opening of a new Bank/Post Office Account linked to my Aadhaar Number.

"I have no objection to sharing my information for this purpose""I have no objection to linking my present bank account provided here to my Aadhaar number"17

Aside for the vague and sweeping language of actions users provide consent for, which raises questions about how informed an individual is of the information he consents to share, at no point is an individual provided the option of  consenting  to the UIDAI accessing data - historic or incoming - that is stored in the database of a service provider in the PDS system seeded with the Aadhaar number. Furthermore, as noted earlier, the fact that the UIDAI concedes that a beneficiary has to be linked with a bank account raises questions of consent to this process as linking one's bank account with their Aadhaar number is an optional part of the enrollment process. Thus, even with the restrictions from the court order, if individuals want to use their Aadhaar number to access benefits, they must also seed their number with their bank accounts. On this point, in an order from the Finance Ministry it was clarified that the seeding of Aadhaar numbers into databases is a voluntary decision, but if a beneficiary provides their number on a voluntary basis - it can be seeded into a database.18

Withdrawing Consent: The Court also did not directly address if individuals could withdraw consent after enrolling in the UID scheme - and if they did - whether Aadhaar numbers should be 'unseeded' from PDS related databases. Similarly, the Court did not clarify whether services that have seeded the Aadhaar number, but are not PDS related, now need to unseed the number. Though news items indicate that in some cases (not all) organizations and government departments not involved in the PDS system are stopping the seeding process19, there is no indication of departments undertaking an 'unseeding' process. Nor is there any indication of the UIDAI allowing indivduals enrolled to 'un-enroll' from the scheme. In being silent on issues around consent, the court order inadvertently overlooks the risk of function creep possible through the seeding process, which "allows numerous opportunities for expansion of functions far beyond those stated to be its purpose"20.

Verification and liability: According to Version 1.0 and Version 1.1 of the Seeding documents, "no seeding is better than incorrect seeding". This is because incorrect seeding can lead to inaccuracies in the authentication process and result in individuals entitled to benefits being denied such benefits. To avoid errors in the seeding process the UIDAI has suggested several steps including using the "Aadhaar Verification Service" which verifies an Aadhaar number submitted for seeding against the Aadhaar number and demographic data such as gender and location in the CIDR. Though recognizing the importance of accuracy in the seeding process, the UIDAI takes no responsibility for the same. According to Version 1.1 of the seeding document, "the responsibility of correct seeding shall always stay with the department, who is the owner of the database."21 This replicates a disturbing trend in the implementation of the UID scheme - where the UIDAI 'initiates' different processes through private sector companies but does not take responsibility for such processes. 22

The Scope of the UIDAI's mandate and the necessity of seeding

Aside from the problems within the seeding process itself, there is a question of the scope of the UIDAI's mandate and the role that seeding plays in fulfilling this. This is important in understanding the necessity of the seeding process.

On the official website, the UIDAI has stated that its mandate is "to issue every resident a unique identification number linked to the resident's demographic and biometric information, which they can use to identify themselves anywhere in India, and to access a host of benefits and services." 23 Though the Supreme Court order clarifies the use of the Aadhaar number, it does not address the actual legality of the UIDAI's mandate - as there is no enabling statute in place -and it does not clarify or confirm the scope of the UIDAI's mandate.

In Version 1.0 of the Seeding document the UIDAI has stated the "Aadhaar numbers of enrolled residents are being 'seeded' ie. included in the databases of service providers that have adopted the Aadhaar platform in order to enable authentication via the Aadhaar number during a transaction or service delivery."24 This statement is only partially correct. For only providing and authenticating of an Aadhaar number - seeding is not necessary as the Aadhaar number submitted for verification alone only needs to be compared with the records in the CIDR to complete authentication of the same. Yet, in an example justifying the need for seeding in the Version 1.0 seeding document the UIDAI states "A consolidated view of the entire data would facilitate the social welfare department of the state to improve the service delivery in their programs, while also being able to ensure that the same person is not availing double benefits from two different districts."25 For this purpose, seeding is again unnecessary as it would be simple to correlate PDS usage with a Aadhaar number within the PDS database. Even if limited to the PDS system,  seeding in the databases of service providers is only necessary for the creation and access to comprehensive information about an individual in order to determine eligibility for a service. Further, seeding is only necessary in the databases of banks if the Aadhaar number moves from being an identity factor - to a transactional factor - something that the UIDAI seems to envision as the Version 1.1 seeding document states that Aadhaar is sufficient enough to transfer payments to an individual and thus plays a key role in cash transfers of benefits.26

Conclusion

Despite the fact that adherence to the interim order from the Supreme Court has been adhoc27, the order does provide a number of welcome limitations and clarifications to the UID Scheme. Yet, despite limited clarification from the Supreme Court and further clarification from the Finance Ministry's Order, the process of seeding and its necessity remain unclear. Is the UIDAI taking fully informed consent for the seeding process and what it will enable? Should the UIDAI be liable for the accuracy of the seeding process? Is seeding of service provider and bank databases necessary for the UIDAI to fulfill its mandate? Is the UIDAI's mandate to provide an identifier and an authentication of identity mechanism or is it to provide authentication of eligibility of an individual to receive services? Is this mandate backed by law and with adequate safeguards? Can the court order be interpreted to mean that to deliver services in the PDS system, UIDAI will need access to bank accounts or other transactions/information stored in a service provider's database to verify the claims of the user?

Many news items reflect a concern of convergence arising out of the UID scheme.28 To be clear, the process of seeding is not the same as convergence. Seeding enables convergence which can enable profiling, surveillance, etc. That said, the seeding process needs to be examined more closely by the public and the court to ensure that society can reap the benefits of seeding while avoiding the problems it may pose.

[1]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[2]. Usha Ramanthan. Decoding the Aadhaar judgment: No more seeding, not till the privacy issues is settled by the court. The Indian Express. August 12^th 2015. Available at: http://indianexpress.com/article/blogs/decoding-the-aadhar-judgment-no-more-seeding-not-till-the-privacy-issue-is-settled-by-the-court/

[3]. UIDAI. Approach Document for Aadhaar Seeding in Service Delivery Databases. Version 1.0. Available at: https://authportal.uidai.gov.in/static/aadhaar_seeding_v_10_280312.pdf

[4]. UIDAI. Standard Protocol Covering the Approach & Process for Seeding Aadhaar Numbers in Service Delivery Databases. Available at: https://uidai.gov.in/images/aadhaar_seeding_june_2015_v1.1.pdf

[5]. Version 1.0 pg. 2

[6]. Version 1.0 pg. 19

[7]. Version 1.1 pg. 3

[8]. Version 1.1 pg. 7

[9]. Version 1.1 pg. 5 -7

[10]. Version 1.1 pg. 7-13

[11]. Version 1.0 pg 19-22

[12]. Version 1.0 pg. 4

[13]. Version 1.1 pg. 5, figure 3.

[14]. David Card, Raj Chett, Martin Feldstein, and Emmanuel Saez. Expanding Access to Adminstrative Data for Research in the United States. Available at: http://obs.rc.fas.harvard.edu/chetty/NSFdataaccess.pdf

[15]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[16]. Version 1.1 pg. 18

[17]. Aadhaar Enrollment Form from Karnataka State. http://www.karnataka.gov.in/aadhaar/Downloads/Application%20form%20-%20English.pdf

[18]. Business Line. Aadhaar only for foodgrains, LPG, kerosene, distribution. August 27^th 2015. Available at: http://www.thehindubusinessline.com/economy/aadhaar-only-for-foodgrains-lpg-kerosene-distribution/article7587382.ece

[19]. Bharti Jain. Election Commission not to link poll rolls to Aadhaar. The Times of India. August 15^th 2015. Available at: http://timesofindia.indiatimes.com/india/Election-Commission-not-to-link-poll-rolls-to-Aadhaar/articleshow/48488648.cms

[20]. Graham Greenleaf. “Access all areas': Function creep guaranteed in Australia's ID Card Bill (No.1) Computer Law & Security Review. Volume 23, Issue 4. 2007. Available at: http://www.sciencedirect.com/science/article/pii/S0267364907000544

[21]. Version 1.1 pg. 3

[22]. For example, the UIDAI depends on private companies to act as enrollment agencies and collect, verify, and enroll individuals in the UID scheme. Though the UID enters into MOUs with these organizations, the UID cannot be held responsible for the security or accuracy of data collected, stored, etc. by these entities. See draft MOU for registrars: https://uidai.gov.in/images/training/MoU_with_the_State_Governments_version.pdf

[23]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[24]. Version 1.0 pg.3

[25]. Version 1.0 pg.4

[26]. Version 1.1 pg. 3

[27]. For example, there are reports of Aadhaar being introduced for different services such as education. See: Tanu Kulkarni. Aadhaar may soon replace roll numbers. The Hindu. August 21^st, 2015. For example: http://www.thehindu.com/news/cities/bangalore/aadhaar-may-soon-replace-roll-numbers/article7563708.ece

[28]. For example see: Salil Tripathi. A dangerous convergence. July 31^st. 2015. The Live Mint. Available at: http://www.livemint.com/Opinion/xrqO4wBzpPbeA4nPruPNXP/A-dangerous-convergence.html

For more details visit https://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary

CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015

Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh — 2015-09-02T17:09:04Z

The Centre for Internet & Society (CIS) submitted a clause-by-clause comments on the Human DNA Profiling Bill that was circulated by the Department of Biotechnology on June 9, 2015.

The Centre for Internet and Society is a non-profit research organisation that works on policy issues relating to privacy, freedom of expression, accessibility for persons with diverse abilities, access to knowledge, intellectual property rights and openness. It engages in academic research to explore and affect the shape and form of Internet, along with its relationship with the Society, with particular emphasis on South-South dialogues and exchange. The Centre for Internet and Society was also a member of the Expert Committee which was constituted in the year 2013 by the Department of Biotechnology to discuss the draft Human DNA Profiling Bill.

Missing aspects from the Bill

The Human DNA Profiling Bill, 2015 has overlooked and has not touched upon the following crucial factors :

Objects Clause

An ‘objects clause,’ detailing the intention of the legislature and containing principles to inform the application of a statute, in the main body of the statute is an enforceable mechanism to give directions to a statute and can be a formidable primary aid in statutory interpretation. [See, for example, section 83 of the Patents Act, 1970 that directly informed the Order of the Controller of Patents, Mumbai, in the matter of NATCO Pharma and Bayer Corporation in Compulsory Licence Application No. 1 of 2011.] Therefore, the Bill should incorporate an objects clause that makes clear that

“DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity, therefore forensic DNA profiling should only have probative value and not be considered as conclusive proof.

The Act recognises that all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA and in order to protect this right to privacy the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimization must be adhered to at all times.”

Collection and Consent

The Bill does not contain provisions regarding instances when the DNA samples can be collected from the individuals without consent (nor does the Bill establish or refer to an authorization procedure for such collection), when DNA samples can be collected from individuals only with informed consent, and how and in what instances individuals can withdraw their consent. The issue of whether DNA samples can be collected without the consent of the individual is a vexed one and requires complex questions relating to individual privacy as well as the right against self incrimination. While the question of whether an accused can be made to give samples of blood, semen, etc. which had been in issue in a wide gamut of decisions in India has finally been settled by section 53 of the Code of Criminal Procedure, which allows collection of medical evidence from an accused, thus laying to rest any claims based on the right against self incrimination. However there are still issues dealing with the right to privacy and the violation thereof due to the non-consensual collection of DNA samples. This is an issue which needs to be addressed in this Act itself and should not be left unaddressed as this would only lead to a lack of clarity and protracted court cases to determine this issue. An illustration of this problem is where the Bill allows for collection of intimate body samples. There is a need for inclusion of stringent safeguard measures regarding the same since without such safeguards, the collection of intimate body samples would be an outright infringement of privacy. Further, maintaining a database for convicts and suspects is one thing, however collecting and storing intimate samples of individuals is a gross violation of the citizens’ right to privacy, and without adequate mechanisms regarding consent and security, stands at a huge risk of being misused.

Privacy Safeguards

Presently, the Bill is being introduced without comprehensive privacy safeguards in place on issues such as consent, collection, retention, etc. as is evident from the comments made below. Though the DNA Board is given the responsibility of recommending best practices pertaining to privacy (clause 13 (l)) – this is not adequate given the fact that India does not have a comprehensive privacy legislation. Though section 43A and associated Rules of the Information Technology Act would apply to the collection, use, and sharing of DNA data by DNA laboratories (as they would fall under the definition of ‘body corporate’ under the IT Act), the National and State Data Banks and the DNA Board would not clearly be body corporate as per the IT Act and would not fall under the ambit of the provision or Rules. Safeguards are needed to protect against the invasion of informational privacy and physical privacy at the level of these State controlled bodies. The fact that the Bill is to be introduced into Parliament prior to the enactment of a privacy legislation in India is significant as according to discussions in the Record Notes of the 4h Meeting of the Expert Committee - “the Expert Committee also discussed and emphasized that the Privacy Bill is being piloted by the Government. That Bill will over-ride all the other provisions on privacy issues in the DNA Bill.”

Lack of restriction on type of analysis to be performed

The Bill currently does not provide any restriction on the types of analysis that can be performed on a DNA sample or profile. This could allow for DNA samples to be analyzed for purposes beyond basic identification of an individual – such as for health, genetic, or racial purposes. As a form of purpose limitation the Bill should define narrowly the types of analysis that can be performed on a DNA sample.

Purpose Limitation

The Bill does not explicitly restrict the use of a DNA sample or DNA profile to the purpose it was originally collected and created for. This could allow for the re-use of samples and profiles for unintended purposes.

Annual Public Reporting

The Bill does not require the DNA Board to disclose publicly available information on an annual basis regarding the functioning and financial aspects of matters contained within the Bill. Such disclosure is crucial in ensuring that the public is able to make informed decisions. Categories that could be included in such reports include: Number of DNA profiles added to each indice within the databank, total number of DNA profiles contained in the database, number of DNA profiles deleted from the database, the number of matches between crime scene DNA profiles and DNA profiles, the number of cases in which DNA profiles were used in and the percentage in which DNA profiles assisted in the final conclusion of the case, and the number and categories of DNA profiles shared with international entities.

Elimination Indice

An elimination indice containing the profiles of medical professionals, police, laboratory personnel etc. working on a case is necessary in case they contaminate collected samples by accident.

Clause by Clause Recommendations

As stated the Human DNA Profiling Bill 2015 is to regulate the use of DNA analysis of human body substances profiles and to establish the DNA Profiling Board for laying down the standards for laboratories, collection of human body substances, custody trail from collection to reporting and also to establish a National DNA Data Bank.

Comment:

As stated, the purpose of the DNA Human Profiling Bill is to broadly regulate the of DNA analysis and establish a DNA Data Bank. Despite this, the majority of provisions in the Bill pertain to the collection, use, access etc. of DNA samples and profiles for civil and criminal purposes. The result of this is an 'unbalanced Bill' - with the majority of provisions focusing on issues related to forensic use. At the same time the Bill is not a comprehensive forensic bill – resulting in legislative gaps.
Additionally, the Bill contains provisions beyond the stated purpose. These include:

Facilitating the creation of a Data Bank for statistical purposes (Clause 33(e))
Establishing state and regional level databanks in addition to a national level databank (Clause 24)
Developing procedure and providing for the international sharing of DNA profiles with foreign Governments, organizations, institutions, or agencies. (Clause 29)

Recommendation:

The Bill should ideally be limited to regulating the use of DNA samples and profiles for criminal purposes. If the scope remains broad, all purposes should be equally and comprehensively regulated.
The stated purpose of the Bill should address all aspects of the Bill. Provisions beyond the scope of the Bill should be removed.

Chapter 1: Preliminary

Clause 2: This clause defines the terms used in the Bill.

Comment: A number of terms are incomplete and some terms used in the Bill have not been included in the list of definitions.

Recommendation:

The definition of DNA Data bank manager - clause 2 (1)(g) - must be renamed as National DNA Data bank manager.
The definition of “DNA laboratory” in clause 2(1)(h) should refer to the specific clauses that empower the Central Government and State Governments to license and recognise DNA laboratories. This is a drafting error.

The definition of “DNA profile” in clause 2(1)(i) is too vague. Merely the results of an analysis of a DNA sample may not be sufficient to create an actual DNA profile. Further, the results of the analysis may yield DNA information that, because of incompleteness or lack of information, is inconclusive. These incomplete bits of information should not be recognised as DNA profiles. This definition should be amended to clearly specify the contents of a complete and valid DNA profile that contains, at least, numerical representations of 17 or more loci of short tandem repeats that are sufficient to estimate biometric individuality of a person. The definition of “DNA profile” does not restrict the analysis to forensic DNA profiles: this means additional information, such as health-related information could be analyzed and stored against the wishes of the individual, even though such information plays no role in solving crimes.

The term “known sample” that is defined in clause 2(1)(m) is not used anywhere outside the definitions clause and should be removed.

The definition of “offender” in clause 2(1)(q) is vague because it does not specify the offenses for which an “offender” needs to be convicted. It is also linked to an unclear definition of the term “under trial”, which does not specify the nature of pending criminal proceedings and, therefore, could be used to describe simple offenses such as, for example, failure to pay an electricity bill, which also attracts criminal penalties.

The term “proficiency testing” that is defined in clause 2(1)(t) is not used anywhere in the text of the DNA Bill and should be removed.

The definitions of “quality assurance”, “quality manual” and “quality system” serve no enforceable purpose since they are used only in relation to the DNA Profiling Board’s rule making powers under Chapter IX, clause 58. Their inclusion in the definitions clause is redundant. Accordingly, these definitions should be removed.

The term “suspect” defined in clause 2(1)(za) is vague and imprecise. The standard by which suspicion is to be measured, and by whom suspicion may be entertained – whether police or others, has not been specified. The term “suspect” is not defined in either the Code of Criminal Procedure, 1973 ("CrPC") or the Indian Penal Code, 1860 ("IPC").

The term volunteer defined in clause 2(zf) only addresses consent from the parent or guardian of a child or an incapable person. This term should be amended to include informed consent from any volunteer.

Chapter II: DNA Profiling Board

Clause 4: This clause addresses the composition of the DNA Profiling Board.

Comment: The size and composition of the Board that is staffed under clause 4 is extremely large. The number of members remains to be 15, as it was in the 2012 Bill.

Recommendation: Drawing from the experiences of other administrative and regulatory bodies in India, the size of the Board should be reduced to no more than five members. The Board must contain at least:

One ex-Judge or senior lawyer
Civil society – both institutional and non-institutional
Privacy advocates

Note: The reduction of the size of the Board was agreed upon by the Expert Committee from 16 members (2012 Bill) to 11 members. This recommendation has not been incorporated.

Clause 5(1): The clause specifies the term of the Chairperson of the DNA Profiling Board to be five years and also states that the person shall not be eligible for re-appointment or extension of the term so specified.

Comment: The Chairperson of the Board, who is first mentioned in clause 5(1), has not been duly and properly appointed.

Recommendation: Clause 4 should be amended to mention the appointment of the Chairperson and other Members.

Clause 7: The clause requires members to react on a case-by-case basis to the business of the Board by excusing themselves from deliberations and voting where necessary.

Comment: This clause addresses the issue of conflict of interest only in narrow cases and does not provide penalty if a member fails to adhere to the laid out procedure.

Recommendation: The Bill should require members to make full and public disclosures of their real and potential conflicts of interest and the Chairperson must have the power to prevent such members from voting on interested matters. Failure to follow such anti-collusion and anti-corruption safeguards should attract criminal penalties.

Clause 12(5): The clause states that the board shall have the power to co-opt such number of persons as it may deem necessary to attend the meetings of the Board and take part in the proceedings of the board, but such persons will not have the right to vote.

Comment: While serving on the Expert Committee, CIS provided language regarding how the Board could consult with the public. This language has not been fully incorporated.

Recommendation: As per the recommendation of CIS, the following language should be adopted in the Bill: The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities.

Clause 13: The clause lays down the functions to be performed by the DNA Profiling Board, which includes it’s role in regulation of the DNA Data Banks, DNA Laboratories and techniques to be adopted for collection of the DNA samples.

Comment: While serving on the Expert Committee, CIS recommended that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.

Furthermore, this clause delegates a number of functions to the Board that places the Board in the role of a manager and regulator for issues pertaining to DNA Profiling including functions of the DNA Databases, DNA Laboratories, ethical concerns, privacy concerns etc.

Recommendation: As per CIS’s recommendations the functions of the Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.

Towards this, the Board should be comprised of separate Committees to address these different functions. At the minimum, there should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues. Additionally:

Clause 13(j) allows the Board to disseminate best practices concerning the collection and analysis of DNA samples to ensure quality and consistency. The process for collection of DNA samples and analysis should be established in the Bill itself or by regulations. Best practices are not enforceable and do not formalize a procedure.
Clause 13(q) allows the Board to establish procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies. This procedure, at the minimum, should be subject to oversight by the Ministry of External Affairs.

Chapter III: Approval of DNA Laboratories

Clause 15: This clause states that every DNA Laboratory has to make an application before the Board for the purpose of undertaking DNA profiling and also for renewal.

Comment: Though the Bill requires DNA Laboratories to make an application for the undertaking DNA Profiling, it does not clarify that the Lab must receive approval before collection and analysis of DNA samples and profiles.

Recommendation: The Bill should clarify that all DNA Laboratories must receive approval for functioning prior to the collection or analysis of any DNA samples and profiles.

Chapter IV: Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training

Clause 19: This clause defines the obligations of a DNA laboratory. Sub-section (d) maintains that one such obligation is the sharing of the 'DNA data' prepared and maintained by the laboratory with the State DNA Data Bank and the National DNA Data Bank.

Comment: ‘DNA Data’ is a new term that has not been defined under Clause 2 of the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records? It is also unclear in what manner and on what basis the information would be shared.

Recommendation: The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks. The flow of and access to data between the State DNA Data Bank and National DNA Data Bank should also be established in the Bill.

Clause 22: The clause lays down the measures to be adopted by a DNA Laboratory and 22(h) includes a provision requiring the conducting of annual audits according to prescribed standards.

Comment:

The definition of “audit” under Chapter VI in clause 22 under ‘Explanation’ is relevant for measuring the training programmes and laboratory conditions. However, the term “audit” is subsequently used in an entirely different manner in Chapter VII which relates to financial information and transparency.
The standards for the destruction of DNA samples have not been included within the list of measures that DNA laboratories must take.

Recommendation:

The definition of ‘audit’ must be amended or removed as it is being used in different contexts. The term “audit” has a well established use for financial information that does not require a definition.
Standards for the destruction of DNA samples should be developed and included as a measure DNA laboratories must take.
Clause 23: This clause lays down the sources for collection of samples for the purpose of DNA profiling. 23(1)(a) includes collection from bodily substances and 23(1)(c) includes clothing and other objects. Explanation (b) provides a definition of 'intimate body sample'.

Comment:

Permitting the collection of DNA samples from bodily substances and clothing and other objects allows for the broad collection of DNA samples without contextualizing such collection. In contrast 23(b) Scene of occurrence or scene of crime limits the collection of samples to a specific context.
This clause also raises the issue of consent and invasion of privacy of an individual. If “intimate body samples” are to be taken of individuals, then this would be an invasion of the person’s right to bodily privacy if such collection is done without the person’s consent (except in the specific instance when it is done in pursuance of section 53 of the Criminal Procedure Code).

Recommendation:

Sources for the collection of DNA samples should be contextualized to prevent broad, unaccounted for, or unregulated collection. Clause (a) and (c) should be deleted and replaced with contexts in which the collection DNA collection would be permitted.
The Bill should specify circumstances on which non-intimate samples can be collected and the process for the same.
The Bill should specify that intimate body samples can only be taken with informed consent except as per section 53 of the Criminal Procedure Code.
The Bill should require that any individual that has a sample taken (intimate and non-intimate) is provided with notice of their rights and the future uses of their DNA sample and profile.

Chapter V: DNA Data Bank

Clause 24:This clause addresses establishment of DNA Data Banks at the State and National Level. 24(5) establishes that the National DNA Data Bank will receive data from State DNA Data Banks and store the approved DNA Profiles as per regulations.

Comment:

As noted previously, ‘DNA Data’ is a new term that has not been defined in the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records?
The process for sharing Data between the State and National Data Banks is not defined.

Recommendation:

The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks.
The process for the National DNA Data Bank receiving DNA data from State DNA Data Banks and DNA laboratories needs to be defined in the Bill or by regulation. This includes specifying how frequently information will be shared etc.

Clause 25: This clause establishes standards for the maintenance of indices by DNA databanks. 25(1) states that every DNA Data Bank needs to maintain the prescribed indices for various categories of data including an index for a crime scene, suspects, offenders, missing persons, unknown deceased persons, volunteers, and other indices as may be specified by regulation. 25(2) states that in addition to the indices, the DNA Data Bank should contain information regarding each of the DNA profiles. It can either be the identity of the person from whose bodily substance the profile was derived in case of a suspect or an offender, or the case reference number of the investigation associated with such bodily substances in other cases. 25(3) states that the indices maintained shall include information regarding the data which is based on the DNA profiling and the relevant records.

Comment:

25(1): The creation of multiple indices cannot be justified and must be limited since collection of biological source material is an invasion of privacy that must be conducted only in strict conditions when the potential harm to individuals is outweighed by the public good. This balance may only be struck when dealing with the collection and profiling of samples from certain categories of offenders. The implications of collecting and profiling DNA samples from corpses, suspects, missing persons and others are vast. Specifically a 'volunteer' index could possibly be used for racial/community/religious profiling.
25(2): This clause requires the names of individuals to be connected to their profiles, and hence accessible to persons having access to the databank.
25(3) The clause states that only information related to DNA profiling and will be stored in an indice. Yet, it is unclear what such information might be. This could allow inconsistencies in data stored in an indice and could allow for unnecessary information to be stored on an indice.

Recommendation:

25(1) Ideally, DNA databanks should be created for dedicated purposes. This would mean that a databank for forensic purposes should contain only an offenders’ index and a crime scene index while a databank for missing persons would contain only a missing persons indice etc. If numerous indices are going to be contained in one databank, the Bill needs to recognize the sensitivity of each indice as well as the difference between each indice and lay down appropriate and strict conditions for collection of data for such indice, addition of data into the indice, as well as use, access, and retention of data within the indice.
25(2) DNA profiles, once developed, should be maintained with complete anonymity and retained separate from the names of their owners. This amendment becomes even more important if we consider the fact that an “offender” may be convicted by a lower court and have his profile included in the data bank, but may get acquitted later. However, till the time that such person is acquitted, his/her profile with the identifying information would still be in the data bank, which is an invasion of privacy.
25(3) What information will be stored in indices should be clearly defined in the Bill and should be tailored appropriately to each category of indice.

Clause 28: This clause addresses the comparison and communication of DNA profiles. 28(1) states that the DNA profile entered in the offenders or crime scene index shall be compared by the DNA Data Bank Manger against profiles contained in the DNA Data Bank and the DNA Data Bank Manager will communicate such information with any court, tribunal, law enforcement agency, or approved DNA laboratory which he may consider appropriate for the purpose of investigation. 28(2) allows for any information relating to a person's DNA profile contained in the suspect's index or offenders' index to be communicated to authorised persons.

Comment:

28(1) (a-c) allows for the DNA Bank Manager to communicate the following: 1.) if the DNA profile is not contained in the Data Bank and what information is not contained, 2.) if the DNA profile is contained in the data bank and what information is contained, and if in the opinion of the Manager, 3.) the DNA profile is similar to one stored in the Databank. These options of communication are problematic as they 1. allow for all associated information to be communicated – even if such information is not necessary, 2.) Allows for the DNA Databank Manager to communicate that a profile is 'similar' without defining what 'similar' would constitute.
28(1) only addresses the comparison of DNA profiles entered into the offenders index or the crime scene index against all other profiles entered into the DNA Data Bank.
28(1) gives the DNA Data Bank manager broad discretion in determining if information should be communicated and requires no accountability for such a decision.
28(2) only addresses information in the suspect's and offender's index and does not address information in any other index.

Recommendation:

Rather than allowing for broad searches across the entire database, the Bill should be clear about which profiles can be compared against which indices. Such distinctions must take into consideration if a profile was taken on consent and what was consented to.
Ideally, the response from the DNA Databank Manager should be limited to a 'yes' or 'no' response and only further information should be revealed on receipt of a court order.
The Bill should define what constitutes 'similar'
A process for determining if information should be communicated should be established in the Bill and followed by the DNA Data Bank Manager. The Manager should also be held accountable through oversight mechanisms for such decisions. This is particularly important, as a DNA laboratory would be a private body.
Information stored in any index should be disclosed to only authorized parties.

Clause 29: This clause provides for comparison and sharing of DNA profiles with foreign Government, organisations, institutions or agencies. 29(1) allows the DNA Bank Manager to run a comparison of the received profile against all indices in the databank and communicate specified responses through the Central Bureau of Investigation.

Comment: This clause allows for international disclosures of DNA profiles of Indians through a procedure that is to be established by the Board (see clause 13(q))

Recommendation: The disclosure of DNA profiles of Indians with international entities should be done via the MLAT process as it is the typical process followed when sharing information with international entities for law enforcement purposes.

Clause 30: This clause provides for the permanent retention of information pertaining to a convict in the offenders’ index and the expunging of such information in case of a court order establishing acquittal of a person, or the conviction being set aside.

Comment: This clause addresses only the retention and expunging of records of a convict stored in the offenders index upon the receipt of a court order or the conviction being set aside. This implies that records in all other indices - including volunteers - can be retained permanently. This clause also does not address situations where an individuals DNA profile is added to the databank, but the case never goes to court.

Recommendation: The Bill should establish retention standards and deletion standards for each indice that it creates. Furthermore, the Bill should require the immediate destruction of DNA samples once a DNA profile for identification purposes has been created. An exception to this should be the destruction of samples stored in the crime scene index.

Chapter VI: Confidentiality of and Access to DNA Profiles, Samples, and Records

Clause 33: This provision lays down the cases and the persons to which information pertaining to DNA profiles, samples and records stored in the DNA Data Bank shall be made available. Specifically, 33(e) permits disclosure for the creation and maintenance of a population statistics Data Bank.

Comment:

This clause addresses disclosure of information in the DNA Data Bank, but does not directly address the use of DNA samples or DNA profiles. This allows for the possibility of re-use of samples and profiles.
There is no limitation on the information that can be disclosed. The clause allows for any information stored in the Data Bank to be disclosed for a number of circumstances/to a variety of people.
There is no authorization process for the disclosure of such information. Of the circumstances listed – an authorization process is mentioned only for the disclosure of information in the case of investigations relating to civil disputes or other civil matters with the concurrence of the court. This implies that there is no procedure for authorizing the disclosure of information for identification purposes in criminal cases, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for the purpose of taking defence by an accused in a criminal case, and for the creation and maintenance of a population statistics Data Bank.

Recommendation:

The Bill should establish an authorization process for the disclosure of information stored in a data bank. This process must limit the disclosure of information to what is necessary and proportionate for achieving the requested purpose.
Clause 33(e) should be deleted as the non-consensual disclosure of DNA profiles for the study of population genetics is specifically illegal. The use of the database for statistical purposes should be limited to purposes pertaining to understanding effectiveness of the databank.
Clause 33(f) should be deleted as it is not necessary for DNA profiles to be stored in a database to be useful for civil purposes. Instead samples for civil purposes are only needed as per the relevant case and specified persons.
Clause 33(g) should be deleted as it allows for the scope of cases in which DNA can be disclosed to by expanded as prescribed.

Clause 34: This clause allows for access to information for operation maintenance and training.
Comment: This clause would allow individuals in training access to data stored on the database for training purposes. This places the security of the databank and the data stored in the databank at risk.
Recommendation: Training of individuals should be conducted via simulation only.

Clause 35: This clause allows for access to information in the DNA Data Bank for the purpose of a one time keyboard search. A one time keyboard search allows for information from a DNA sample to be compared with information in the index without the information from the DNA sample being included in the index. The clause allows for an authorized individual to carry out such a search on information obtained from an DNA sample lawfully collected for the purpose of criminal investigation, except if the DNA sample was submitted for elimination purposes.
Comment: The purpose of this clause is unclear as is the scope. The clause allows for the sample to be compared against 'the index' without specifying which index. The clause also allows for 'information obtained from a DNA sample' rather than a profile. Thus, the clause appears to allow for any information derived from a DNA sample collected for a criminal investigation to be compared against all data within the databank – without recording such information. Such a comparison is vast in scope and open to abuse.
Recommendation: To ensure that this provision is not used for conducting searches outside of the scope of the original purpose, only DNA profiles, rather than 'information derived from a sample' should be allowed to be compared, only the indices relevant to the sample should be compared, and the search should be authorized and justified.
Clause 36 : This clause addresses the restriction of access to information in the crime scene index if the individual is a victim of a specified offense or if the person has been eliminated as a suspect of an investigation.

Comment:

This clause only addresses restriction of access to the crime scene index and does not address restriction of access to other indices.
This clause only restricts access to the indice for certain category of individual and for a specific status of a person. Oddly, the clause does not include authorization or rank as a means for determining or restricting access.

Recommendation:

This clause should be amended to lay down standards for restriction of access for all indices.
Access to all information in the databank should be restricted by default and permission should be based on authorization rather than category or status of individual.

Clause 38: This clause sets out a post-conviction right related to criminal procedure and evidence.

Comment: This clause would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights.

Recommendation: This clause should be deleted and the issue of post conviction rights related to criminal procedure and evidence referenced to the appropriate legislation. Clause 38 is implicated by Article 20(2) of the Constitution of India and by section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721.] The person must be duly accorded with a right to know rules may provide for- the authorized persons to whom information relating to a person’s DNA profile contained in the offenders’ index shall be communicated. Alternatively, this right could be limited only to accused persons who’s trial is still at the stage of production of evidence in the Trial Court. This suggestion is being made because unless the right as it currently stands, is limited in some manner, every convict with the means to engage a lawyer would ask for DNA analysis of the evidence in his/her case thereby flooding the system with useless requests risking a breakdown of the entire machinery.

Chapter VII: Finance, Accounts, and Audit

Clause 39: This clause allows the Central Government to make grants and loans to the DNA Board after due appropriation by Parliament.

Comment: This clause allows the Central Government to grant and loan money to the DNA Board, but does not require any proof or justification for the sum of money being given.

Recommendation: This clause should require a formal cost benefit analysis, and financial assessment prior to the giving of any grants or loans.

Chapter VIII: Offences and Penalties

Chapter IX: Miscellaneous

Clause 53: This clause allows protects the Central Government and the Members of the Board from suit, prosecution, or other legal proceedings for actions that they have taken in good faith.

Comment: Though it is important to take into consideration if an action has been taken in good faith, absolving the Government and Board from accountability for actions leaves little course of redress for the individual. This is particularly true as the Central Government and the Board are given broad powers under the Bill.

Recommended: If the Central Government and the Board will be protected for actions taken in good faith, their powers should be limited. Specifically, they should not have the ability to widen the scope of the Bill.

Clause 57: This clause states that the Central Government will have the powers to make Rules for a number of defined issues.

Comment: 57(d) allows for the regulations to be created regarding the use of population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control.

Recommendation: 57(d) should be deleted as any use for the creation of a population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control is beyond the scope of the Bill.

Clause 58: This clause empowers the Board to make regulations regarding a number of aspects related to the Bill.
Comment: There a number of functions that the Board can make regulations for that should be defined within the Bill itself to ensure that the scope of the Bill does not expand without Parliamentary oversight and approval.
Recommendation: 58(2)(g) should be deleted as it allows the Board to create regulations for other relevant uses of DNA techniques and technologies, 58(2)(u) should be deleted as it allows the Board to include new categories of indices to databanks, and 58(2) (aa) should be deleted as it allows the Board to decide which other indices a DNA profile may be compared with in the case of sharing of DNA profiles with foreign Governments, organizations, or institutions.

Clause 61: This clause states that no civil court will have jurisdiction to entertain any suit or proceeding in respect of any matter which the Board is empowered to determine and no injunction shall be granted.

Comment: This clause in practice will limit the recourse that individuals can take and will exclude the Board from the oversight of civil or criminal courts.

Recommendation: The power to collect, store and analyse human DNA samples has wide reaching consequences for people whose samples are being utilised for this purpose, specially if their samples are being labeled in specific indexes such as “index of offenders”, etc. The individual should therefore have a right to approach the court of law to safeguard his/her rights. Therefore this provision barring the jurisdiction of the courts should be deleted.

Schedule

Schedule A: The schedule refers to section 33(f) which allows for disclosure of information in relation to DNA profiles, DNA samples, and records in a DNA Data Bank to be communicated in cases of investigations relating to civil disputes or other civil matters or offenses or cases listed in the schedule with the concurrence of the court.

Comment: As 33(f) requires the concurrence of the court for disclosure of information, it is unclear what purpose the schedule serves. If the Schedule is meant to serve as a guide to the Court on appropriate instances for the disclosure of information stored in the DNA databank – the schedule is too general by listing entire Acts, while at the same time being too specific by naming specific Acts. Ideally, courts should use principles and the greater public interest to reach a decision as to whether or not disclosure of information in the DNA databank is appropriate. At a minimum these principles should include necessity (of the disclosure) and proportionality (of the type/amount of information disclosed).

Recommendation: As we recommended the deletion of clause 33(f) as it is not necessary to databank DNA profiles for civil purposes, the schedule should also be deleted.

Note: The schedule differs drastically from previous drafts and from discussions held in the Expert Committee and recommendations agreed upon. As per the Meeting Minutes of the Expert Committee meeting held on November 10th 2014 “The Committee recommended incorporation of the comments received from the members of the Expert Committee appropriately in the draft Bill...Point no. 1 suggested by Mr. Sunil Abraham in the Schedule of the draft Bill to define the cases in which DNA samples can be collected without consent by incorporating point no. 1 (I.e 'Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the code of Criminal Procedure, 1973)”

Download CIS submission here. See the cover letter here.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-and-recommendations-to-human-dna-profiling-bill-2015

Workshop on Open Data for Human Development - Sessions Report

sumandro — 2015-08-28T08:16:09Z

CIS facilitated a workshop on open data policy and tools for government officials from Sikkim, Meghalaya, and Tripura, and those from Bhutan and Maldives, in June 2015. The workshop was co-facilitated with Akvo, DataMeet, and Mapbox, and was supported by International Centre for Human Development of UNDP India. Here we share the workshop report and other related documents. The report is written by Sumandro, along with Amitangshu Acharya of Akvo.

Day 01, June 03, 2015

The first day of the workshop began with Mr. Prem Das Rai, Honourable MP, Loksabha, Sikkim, briefly addressing the participants. He contextualised the workshop against the background of technological changes and emerging opportunities of governance through effective usages of data. Dr. A.K. Shiva Kumar, Director of the International Centre for Human Development (IC4HD), UNDP India, welcomed the participants and initiated a panel discussion on data, ICTs and governance. The panel had three speakers: Mr. Srivatsa Krishna, IAS and Secretary, Department of Information Technology, Biotechnology, and Science and Technology, Government of Karnataka; Dr. B. Gangaiah, Additional Director General, Centre for Good Governance, Hyderabad; and Sunil Abraham, Executive Director, the Centre for Internet and Society, Bengaluru and Delhi.

Mr. Krishna spoke about the strategies adopted in setting up IT and ITES clusters in Cyberabad, Andhra Pradesh and in Bengaluru, Karnataka. He noted that tax cuts and accelerated land allocation are key to incentivising the private sector to set up IT and ITES units. Another major concern is that of ensuring supply of good quality IT workers. He also emphasised on the need for governments to build effective public facing electronic services - either in the form of Nemmadi Kendras, where people can physically go to access various government services, or in the form of mobile applications that bring different civic services into one digital interface, like Bangalore One and Karnataka Mobile One.

Dr. Gangaiah gave an extensive overview of the idea and applications of open data in the contexts of governance and development. He noted that government data (in India) often suffers from criticisms related to quality, as well as the lack of availability of the same in public domain. The key problems, he identified, for opening up government data in India are that most often the data is collected by a government agency for a very specific purpose, and the steps required to ensure wider circulation and use of the same is not taken (such as lack of documentation and interoperability of data); and that the government agencies most often consider the collected data as a source of power, and hence as something to be retained and not disclosed in full details. The slides from Dr. Gangaiah’s presentation can be accessed here.

Mr. Abraham’s presentation highlighted several areas of concern when deploying data-driven techniques and solutions for human development challenges. He described how the current phase of open data discussions by central and state governments in India represent the third phase of ‘openness’ in governance in India. While the first phase focused on usage of Free/Libre Open Source Softwares in building electronic governance applications and information systems, the second phase involved embracing of open software standards and formats across government information systems and IT solutions. It is very important to note that with the third phase of openness focusing on opening up of data and information, both of these earlier foci of free and open source softwares, and open standards and interoperability are returning as complementary components to ensure seamless publication of open government data. However, he argued, when deploying data-driven techniques and solutions for human development challenges, it is imperative to remember three things: 1) collection of data is a time- and effort-consuming task, and hence must be optimised so as to not to take away time and effort from actual developmental interventions, 2) bad quality of development data is a structural problem, often emanating from the data being not useful to the person actually collecting it, and 3) availability of data does not automatically change or open up the process of decision-making.

The second session of the day started with a detailed presentation by Mr. T. Samdup, Joint Director, Department of Information Technology, Government of Sikkim, on the context, the making, and the salient features of the Sikkim Open Data Acquisition and Accessibility Policy (SODAAP), 2014. He explained that the Policy mandates setting up of an online state data portal that will host all data sets generated by various agencies of the Government of Sikkim, and making such data available, subject to concerns of privacy and security, across all state government agencies and the citizens in general. The key needs driving this Policy have been that for availability of accurate and timely data on various aspects of human development in the state, as well as for reducing expenses and confusions due to duplication of data collection efforts. The slides from Mr. Samdup’s presentation can be accessed here.

The presentation by Mr. Samdup was followed by one by Mr. Sumandro Chattapadhyay of the Centre for Internet and Society on an initial set of questions and concerns that should be addressed by the implementation plan of the SODAAP. He took a detailed look at the four objectives mentioned in the Policy document, and discussed what tasks, decisions, and deliberations are needed to achieve each of those. In conclusion, he listed a set of core components of the implementation process that must also be discussed in the implementation plan document, namely: 1) governance and oversight structure for implementation, 2) incentivising government personnel for opening up data across departments, including financial support for the same, 3) metadata, documentation of data collection process, and implementing unique identifiers, and 4) developing processes of sharing of data between the Union and the state government, especially in reference to national Management Information Systems. The slides from Mr. Chattapadhyay’s presentation can be accessed here.

These presentations were followed by a general discussion on various aspects of the SODAAP and the challenges to be overcome during its implementation. This session provided a general introduction to the SODAAP, especially for workshop participants who are not from Sikkim, and also set up the key questions to be discussed and answered while preparing the first draft of the SODAAP implementation plan.

After the second session ended, the participants were asked to individually write down the key challenges they identify for the implementation process of SODAAP. These responses were compiled by Sumandro and made available as a reference document for the implementation plan. The chart below summarises these responses.

In the third session of the day, Joy Ghosh and Amitangshu Acharya of Akvo talked about the challenges of collecting structured born-digital data from the grassroots level, and how using mobile-based applications, like Akvo FLOW, can address such challenges. Akvo FLOW runs on all Android-based smartphones, and allows ground level development workers to directly feed data into the phone, as well as collect related materials like GPS location and photographs, based upon a form that is centrally designed and downloaded into their phones by the development workers. The data is then kept in the phone till it is sent back to the main server, where data coming from all different surveyors using the same form is shown on a map-based interface for easy navigation of the data across space and time. In this session, Mr. Acharya first introduced the participants to the issues around digital data collection, touching upon issues of ethics, capacity, prioritisation of data collection process along with tools. Mr. Ghosh then took over to describe the functioning of the tool, and then distributed several smartphones, pre-loaded with Akvo FLOW, among the participants for an applied data collection exercise where the participants walked around the NIAS campus and collected data using the FLOW interface. They returned to see their data mapped and analysed on the online dashboard. Their presentation can be accessed here.

Day 02, June 04, 2015

The second day started with two consecutive presentations by Mr. Thejesh GN of DataMeet, and Mr. Sivaram Ramachandran of Mapbox on the tools and techniques for working with statistical data and with geospatial data, respectively. The former presentation took the participants through the stages of working with statistical data: from collecting and finding data, to cleaning and validating, and finally analysing the data. Various free and open source tools for each of these stages were also discussed in brief, such as PDF Tables and Tabula for converting PDF tables to spreadsheets, Open Refine for cleaning data, and RAW and DataWrapper for generating web-based dynamic charts. The latter presentation explored the various ways in which geospatial data can be used to inform and support decision-making, and the tools that can be used to render and present geospatial data in forms that are accessible for decision-makers within government and also for individual users. Mr. Ramachandran presented the various free and open source tools available for working with geospatial data, such as Mapbox Studio, Quantum GIS, and Leaflet JS. He also gave a brief introduction to OpenStreetMap, the wiki-like user-contributed global map data platform. Both the presentations can be accessed here and here, respectively. After this session, the participants were divided into two groups. One group engaged further with tools and techniques of working with statistical and geospatial data. The second group took part in a series of exercises to identify and document the current data flows and bottlenecks thereof across several key departments of Government of Sikkim.

The group engaging in applications of various software tools for working with statistical and geospatial data was facilitated by Mr. Thejesh and Mr. Ramachandran. This group worked with a sample statistical data set, taking it across the stages of finding, cleaning, analysing, and visualising as discussed earlier. The participants used the online version of Tableau to create dynamic charts. Afterwards, they were introduced to various methods of contributing and downloading data from the OpenStreetMap, including directly adding data points through the online editor named iD. The participants went out in the NIAS campus to collect geospatial data about various natural and human-made features of the campus, such as trees, pathways, etc.

The second group working on documenting data flows and identifying bottlenecks was facilitated by Mr. Chattapadhyay, Mr. Acharya, and Ms. Rajashi Mukherjee from Akvo. The group was further divided into department-wise teams, one each for the Department of Health, the Department of Economic Statistics, Monitoring, and Evaluation (DESME), the Human Resource Development Department (HRDD), and representatives from Gram Panchayat Units. The exercise began with each of the teams discussing and drawing the flow of data for one of the major data set maintained by the agency concerned. The data flows were drawn by identifying key moments of its processing (such as primary collection, verification, digitisation, analysis, storage, reporting, etc.), the actors involved in that moment, the tools and data formats relevant for each moment, and which agency finally stores and uses the data. Once these processes were described on paper, the next part of the exercise focused on identifying which challenges exist at which part of these data flows. This was followed up by a ranking of all these challenges, in terms of how critically they affect the ability of the agency concerned to use and share the final data. All the teams worked separately, and conversed with the facilitators as needed, to develop the data flow diagrams and identify the key challenges.

The major common challenges noted by these teams were: 1) delays in collection, verification, and digitisation of data, 2) inability of state government agencies to access data collected as part of centrally-funded welfare schemes, and 3) parallel systems of data collection employed by different departments leading to duplication of efforts and data.

Several interesting insights came through in this exercise. For example, data related to education is collected both by the HRDD, and the Sarva Shiksha Abhiyaan (SSA). However, SSA data is not shared with the HRDD. Also, the HRDD publishes all its data, including the name of students, on their website, making it publicly available. One of the data challenges identified by the HRDD was their difficulty in tracking if scholarship money is reaching the suitable students. When a student moves from one school to another, the records do not get updated easily. This leads to different schools continuing to receive funds for the same scholarship. Aligning school records is important to prevent such leakages.

After these two grouped exercises, all the participants gathered back so that the data flows diagrams and identification of key challenges documented by departmental teams could be presented to the entire group. Each team presented their data flow diagram, and discussed challenges and opportunities. This created a context for different departments to discuss what kind of data they often needed from each other, and how there was neither a platform for inter-departmental discussion on such issues, nor systems that facilitate the same. There was an agreement that an open data platform could address this issue to a great extent. The discussion also highlighted that the most significant data collecting government agency in Sikkim is DESME, however, it does not publish any data in machine-readable formats, and does not even have a website.

This data flow and bottleneck exercise made it very clear that there are several data production and collection processes in place in Sikkim, and also systems that are digesting, processing, and reporting data. Hence, implementing the open data policy will need to negotiate with such complexity.

In the final session of the day, Dr. Shiban Ganju made a presentation on applications of open data in healthcare. His talk focused on how converting medical information about a patient being stored at various locations to a combined and shareable Electronic Health Record can save the patient as well as the medical practitioners from duplication of medical tests, easier mobility from one medical institute to another, and a clearer macro-level understanding of key public health indicators. Dr. Ganju discussed the open health data initiatives in the United States, in the United Kingdom, and in Sweden, before discussing the challenges faced in implementing interoperable standards for open health data in India. The slides from Dr. Ganju’s presentation can be accessed here.

Day 03, June 05, 2015

The final day started with a set of presentations from Mr. Garab Dorji, Deputy Chief IT Officer, Office of the Prime Minister, Thimphu, Bhutan of the Government of Bhutan, Mr. Birendra Tiwari, Senior Informatic Officer, Department of Information Technology, Government of Meghalaya, and Mr. Milan Chhetri of Melli Dara Paiyong Gram Panchayat Unit, Sikkim, on various technological solutions being explored, implemented, and practiced by the respective governments and administrative units.

Mr. Milan Chhetri’s presentation was on the operationalisation of Cyber Villages in Sikkim, which had been initiated in 2013 with support from the Honourable Chief Minister of Sikkim, Pawan Kumar Chamling. Cyber Villages aim to address digital divide, by empowering local village units with handheld data devices to collect data from every household and connect the same to a real time dashboard. All village related data is expected to be available in one place. At the same time as part of e-governance initiative, SMS based updates on Government programmes and services will be sent to all villagers. Mr. Chhetri ended his presentation with a short promotional video of the concept, which is embedded below.

The second session of the day started with a presentation from Mr. D. P. Misra, National Data Sharing and Accessibility Policy - Programme Management Unit (NDSAP-PMU), National Informatics Centre, Government of India. The presentation focused on the process of implementation of the National Data Sharing and Accessibility Policy approved by the Government of India in 2012. Mr. Misra has played a key role in the NDSAP-PMU that was trusted with development of the national open government data platform of India and in setting up the procedures and standards for publication of government data by various central and state government agencies through that Platform. His talk described the technical solutions designed by the NDSAP-PMU to make data accessible for the end-users in various file formats, to make visualisation of available data easy, and to make it possible for users to comment upon existing data and to request for data that is unavailable at the moment. Further, he emphasised the need for outreach initiatives by the government so as to build awareness and activities around the available open government data. The slides from Mr. Misra’s presentation can be accessed here.

The presentation by Mr. Misra was followed by a group exercise where various teams, self-selected by the participants, worked on different sections of the SODAAP implementation plan to put together ideas and plans for the first draft of the document. Five groups were formed and each of them worked on a separate section of the implementation plan: 1) Governance Framework and Budgetary Support, 2) Data Inventory and Negative List, 3) Data Acquisition and Open Standards, 4) Data Publication Process, Licenses, and Timeframes, and 5) Awareness, Capacity, and Demand of Data. The initial section titled ‘Introduction to the Policy and its Principles’ was put together by Vashistha Iyer on the basis of the SODAAP document. The technical section on the ‘Sikkim Open Data Portal’ was left out of this drafting exercise, as it was decided that the representatives of the Department of Information Technology will prepare this section on the basis of their interactions with the NDSAP-PMU later in June.

The drafting session was followed by presentations by each team working on a separate section, and quick feedbacks from all the participants. These drafts, along with the feedbacks, have been compiled together by Mr. Chattapadhyay, and is shared with the officials from the Government of Sikkim for their further discussion and eventual finalisation of the SODAAP implementation plan document.

The workshop ended with a round of final words and sharing of learning by the participants, and a vote of thanks on the behalf of the organisers.

For more details visit https://cis-india.org/openness/workshop-on-open-data-for-human-development-2015-06-report

Net Neutrality and the Law of Common Carriage

bhairav — 2015-08-23T11:06:26Z

For more details visit https://cis-india.org/internet-governance/blog/net-neutrality-law-of-common-carriage.pdf

'We Need to Proactively Ensure that People Can't File Patents Representative of the Creativity of a FOSS Community'

rohini — 2015-09-27T11:51:50Z

Rohini Lakshané attended “Open Innovation, Entrepreneurship, and Our Digital Culture” in Bangalore on August 13, 2015. Major takeaways from the event are documented in this post.

Speakers: Prof. Eben Moglen, Keith Bergelt, and Mishi Choudhary; Panel discussion moderator: Venkatesh Hariharan. See the event page here. The organizers republished Rohini's report on their website.

Prof. Eben Moglen on FOSS and entrepreneurship

The culture of business in the 21^st century needs open source software or free software because there is one Internet governed by one set of rules, protocols and APIs that make it possible for us to interact with each another. The Internet made everybody interdependent on everybody else. Startup culture needs free and open source software (FOSS) because startups are an insurgency, a guerrilla activity in business. The incumbents in a capitalistic world dislikes competition and detests that existing resources, such as FOSS, enable insurgents to circumvent some of the steep curve that they had to climb in order to become incumbents.
Hardware is developing in ways that make the idea of proprietary development of software obsolete. There is no large producer of proprietary software that isn't also dependent on FOSS. Microsoft Cloud is based on deployments that do not use Windows but are based on FOSS. The era of Android as a semi-closed, semi-proprietary form of FOSS is over. Big and small companies around the world are exploiting the open source nature of Android.
Free software is a renewable resource not a commodity. Management is needed to avoid over-consumption or destruction of the FOSS ecosystem. Software is to the 21^st century economic life what coal, steel, and rare earth metals were at the end of the previous century.
FOSS turned out to be about developing human brains. It turned out to be about using human intelligence in software better. Earlier universities, engineering colleges and research institutions were the greatest manufacturers and users of FOSS. Now businesses of all sizes are.
When Richard Stallman and Prof. Eben Moglen set out to make GPL free, they initiated a large public discussion process, the primary goal of which was to ensure that individual developers have as much right to talk and to be heard as loudly as the largest firms in the world. At the end of the negotiation process, 35 or 36 of the largest patent holders in the IT industry accepted the basic agreement to be a part of the commons. --- Incumbents like people to pay for a seat at the table. Paying to have an opinion is a pretty serious part of the landscape of the patent system.

Prof. Eben Moglen on Digital India

Every e-governance project that the Indian government buys should use FOSS. The very nature of the way the citizens and governments interact can come to be mediated by software that people can read, understand, modify, and improve. An enormous ecosystem will come up -- a kind of public–private partnership (PPP) in the improvement of governance and government services, which is far more useful than most other forms of PPP conceptualised in the developed world in the 20^th century.
Everybody has a stake in the success of this policy. Several corporations are working against this policy as they once stated that they do not need FOSS.
The biggest market for both making and consuming software in the world is in India, because the science done here will dominate global software making, which in turn will define how the Internet works, which in turn will define society. One can't develop the largest society on earth by reinventing the wheel. The government is going to understand that only the sharing of knowledge and the sharing of forms of inventing would enable the largest society in the world to develop itself freely and take its place in the forefront of digital humanity.
If every state government's data centre across India is going to be turned into a cloud, one state might have VMWare, another might have AWS, and so on, it would be disastrous. To prevent this, all e-governance activities of every state government and federal agency in India could be conducted in one, big, homogeneous Indian cloud. This would enable utility computing across the country for all citizens, which would also make room for citizen computing to happen. When one moves towards architectures of omnipresent utility computing with large amounts of memory flatly available to everybody, one is going to be describing a national computing environment for a billion people. We can't even begin to model it until we start accomplishing it.
Prof. Eben Moglen's ambition is that there comes a time not very long from now when basic data science is taught in Indian secondary schools. The software is free and all the big data sets are public. A nation of a 100 million data scientists rules the world.

Keith Bergelt on the Open Invention Network

Over the past 10 years, Open Invention Network (OIN) has emerged as the largest patent non-aggression community in the history of technology. It has around 1,700 participants and is adding almost 2 participants every day. In the last quarter, OIN had approximately 200 licensees.
There is now a cultural transformation where companies are recognising that where OIN members collaborate, they shouldn't use patents to stop or slow down progress. Where members compete, they choose to invent while utilising defensive patents publications. What we are doing is a patent collaboration and a technical collaboration that exists in major projects around the world.
OIN has been making a major effort since January 2015 to spend more time in India and China to be able to ensure that the technological might and expertise represented in the two countries can be a part of the global community, and that global projects can start here. “We can expect to leverage the expertise of the community to be able to drive innovation from here [India and China]. It's not about IBM investing a billion dollars a year since 1999 and having some birthright to driving the open source initiatives around the world or about Google or Red Hat or anyone else. You have the ability to impact major changes and we want to be able to support you in the name of freedom of action as participants.”

Panel Discussion

Patent Wars and Innovation

In the past 5 to 7 years, patent wars in the handset segment of the information technology (IT) market have wasted tens of billions of dollars on litigation, and on raising the price of patent armaments. This patent litigation was purely an economic loss to the IT industry and it contributed nothing. If the patent system strangles invention, non-profit groups, non-commercial bodies, free software makers, and start-ups cannot invent freely.
Defensive patent publications, such as those made by IBM, lead to the gross underestimation of the inventive power and output of the company. People are struggling to find something to evaluate the productive output of an entity – startup, micro-industry or macro-industry. Patents are being used inappropriately and it's part of the corruption of the patent system. Any venture capitalist (VC) who believes that either the innovative capacities or the potential success factors of a start-up are tied to its patents should know that there are only a minuscule number of cases where patents are the differentiator. The differentiators required in order to sustain business are how smart the people are, how quickly they innovate, and how quickly they are able to adapt to complex situations. We see a trend in the US of not equating patents with innovation. The core-developer and hacker communities are largely anti-patent.
However, the flip side is that if the FOSS communities do not patent defensively, i.e., acquire and publish patents for their inventions in order to prevent others from getting patents in one jurisdiction or another, patent trolls will eventually encroach on the communities' inventive output. The only people making money out of this whole process are lawyers. It is slowing down the uptake of technology by creating fears and doubts in the system.
FOSS communities didn't qualify everything produced in the 23 years of (Linus') Linux, which would have let the service serve as stable prior art, preventing other people from filing patents. We can debate what is patentable subject matter in general or whether software should be patentable, but in the meantime if we can be proactive and file everything that we have in defensive publications and make it accessible to the patent and trademark offices here and around the world, we will have far fewer patents. We need to be activists in making sure that people can't file patents that are representative of the creativity of a community.
The Chinese government has instituted a programme designed to produce defensive publications in order to capture all the inventiveness across their industries, to be able to ensure that the quality of what ultimately gets patented is at least as high.
The US has a massive repository called ip.com, which is with every patent examiner of the USPTO.
India does not grant software patents as per section 3(k) of the Indian Patents Act, but that doesn't mean that no software patents are being granted. One of the empirical studies conducted by the Software Freedom Law Centre (SFLC) in India shows that 98.3% of the [telecom and computing technology] patents granted till 2013 went to multinational corporations. Almost none of the assignees are Indian.
In the context of the ongoing patent infringement law suits filed in the Delhi High Court by Ericsson [link]: The Delhi High Court has had a reputation of being very pro-intellectual property from the beginning.
Also, there is pressure from trade organisations. In August 2015, Ericsson along with ASSOCHAM invited the Director General of the Competition Commission of India to present a paper about why patents are good. It is essential to determine how the rules of conflict of interest apply here. This is exactly what the pharmaceutical industry would do. The only bodies who would object are Doctors Without Borders (MSF) or some local organisations who realise that high priced patented drugs is not what India needs and that we do not need to have the same IP policy as the US or Japan. We only need a different policy.
The Special 301 Report of the United States Trade Representative (USTR) is a big sham, and it suggests that India doesn't have strict enforcement of IP law. India does, unlike China.
Accenture has been granted a software patent in India. The patent is about an expert present in a remote location transferring knowledge to somebody who is listening in another location. Universities offering MOOCs, BPOs, and many other services would fall under such a patent. SFLC spent four years trying to fight this patent. The first defence of Accenture's battery of lawyers was that they won't use the patent.
Patents of very low quality are being bought at very high prices. The tax system or the subsidy system for innovation regards all patents as equal. This is a pricing failure and that should be corrected by other forms of intervention. The pendulum has already begun to swing the other way. Alice Corp was the third consecutive and unanimous ruling by the US Supreme Court that abstract ideas are not patentable. Patent applications pertaining to business methods and algorithms are increasingly being rejected by the USPTO after the ruling.

Prof. Eben Moglen on Facebook:

Facebook is a badly designed technology because there is one Man in the Middle who keeps all the logs. The privacy problem with Facebook is not just about what people post. It's about surveillance and data mining of web reading behaviour. It is a social danger that ought not to exist. I have said since 2010 is that we can't forbid it; let's replace it. It means bringing the web back as a writeable medium for people in an easy way. What I see as next-generation architecture could just as well be described as Tim Burners Lee's previous generation architecture.

You have to be able to trust the Internet. If you can't, you are going to be living in the shadow of govt surveillance, corporate surveillance, the fear of identity theft, and so on. We need to be able to explain to people what kind of software they can trust and what kind they can't. Distributed social networking will happen; it's not that difficult a problem.

An example of federated networking is Freedombox, a cheap hardware doing router jobs using free software in ways that encourage privacy. The pilot project for Freedombox has been deployed in little villages in Andhra Pradesh and Karnataka. These routers don't deliver logs to a thug in a hoodie in Menlo Park.

For more details visit https://cis-india.org/a2k/blogs/we-need-to-proactively-ensure-that-people-cant-file-representatives-of-the-creativity-of-a-foss-community

Civil Society Organisations and Internet Governance in India - Open Review

sumandro — 2015-11-13T05:51:03Z

This is a book section written for the third volume (2000-2010) of the Asia Internet History series edited by Prof. Kilnam Chon. The pre-publication text of the section is being shared here to invite suggestions for addition and modification. Please share your comments via email sent to raw[at]cis-india[dot]org with 'Civil Society Organisations and Internet Governance in India - Comments' as the subject line. This text is published under Creative Commons Attribution-NoDerivatives 4.0 International license.

You are most welcome to read the pre-publication drafts of other sections of the Asia Internet History Vol. 3, and share your comments: https://sites.google.com/site/internethistoryasia/book3.

Early Days

The overarching context of development interventions and rights-based approaches have shaped the space of civil society organizations working on the topics of information and communication technologies (ICTs) and Internet governance in India. Early members of this space came from diverse backgrounds. Satish Babu was working with the South Indian Federation of Fishermen Societies (SIFFS) in mid-1990s, when he set up a public mailing list called 'FishNet,' connected to Internet via the IndiaLink email network, (then) run by India Social Institute to inter-connect development practitioners in India. He went on to become the President of Computer Society of India during 2012-2013; and co-founded Society for Promotion of Alternative Computing and Employment (SPACE) in 2003, where he served as the Executive Secretary during 2003-2010 [Wikipedia 2015]. Anita Gurumurthy, Executive Director of IT for Change and one of the key actors from Indian civil society organizations to take part in the World Summit on the Information Society (WSIS) process, had previously worked extensively on topics related to public health and women's rights [ITfC b], which deeply shaped the perspectives she and IT for Change have brought into the Internet governance sphere, globally as well as nationally [Gurumurthy 2001]. Arun Mehta initiated a mailing list titled 'India-GII' in 2002 to discuss 'India's bumpy progress on the global infohighway' [India-GII 2005]. This list played a critical role in curating an early community of non-governmental actors interested in the topics of telecommunication policy, spectrum licensing, Internet governance, and consumer and communication rights. As Frederick Noronha documents, the mailing list culture grew slowly in India during the late 1990s and early 2000s. However, they had a great impact in organizing early online communities, sometimes grouped around a topical focus, sometimes functioning as a bridge among family members living abroad, and sometimes curating place-specific groups [Noronha 2002].

The inaugural conference of the Free Software Foundation of India [FSFI] in Thiruvananthapuram, on 20 July 2001, galvanized the Free/Libre and Open Source Software (FLOSS) community in India. The conference was titled 'Freedom First,' and Richard Stallman was invited as the chief guest. It was a vital gathering of actors from civil society organizations, software businesses, academia, and media, as well as the Secretary of the Department of Information Technology, Government of Kerala (the state where the conference was held). The conference laid the basis for sustained collaborations between the free software community, civil society organizations, emerging software firms in the state, and the Government of Kerala for the years to come. Two early initiatives that brought together free software developers and state government agencies were the Kerala Trasportation Project and the IT@School project, which not only were awarded to firms promoting use of FLOSS in electronic governance project, but facilitated a wider public dialogue regarding the need think critically about the making of information society in India [Kumar 2007]. The inter-connected communities and overlapping practices of the FLOSS groups, civil society organizations involved in ICT for Development initiatives, telecommunication policy analysts and advocates, and legal-administrative concerns regarding life in the information society – from digital security and privacy, to freedom of online expressions, to transparency in electronic governance infrastructures – have, hence, continued to shape the civil society space in India studying, discussing, responding, and co-shaping policies and practices around governance of Internet in India.

Key Organizations

IT for Change was established in 2000, in Bengaluru, as a non-governmental organization that 'works for the innovative and effective use of information and communication technologies (ICTs) to promote socio-economic change in the global South, from an equity, social justice and gender equality point of view' [ITfC]. It has since made important contributions in the field of ICTs for Development, especially in integrating earlier communication rights practices organised around old media forms with newer possibilities of production and distribution of electronic content using digital media and Internet [ITfC e], and in that of Internet governance, especially through their participation in the WSIS and Internet Governance Forum (IGF) processes and by co-shaping the global Souther discourse of the subject [ITfC d]. It has also done significant works in the area of women's rights in the information society, and have been a core partner in a multi-country feminist action research project on using digital media to enhance the citizenship rights and experiences of marginalized women in India, Brazil, and South Africa [ITfC c]. IT for Change has co-led the formation of Just Net Coalition in February 2014 [JNC].

Digital Empowerment Foundation (DEF) was founded by Osama Manzar, in New Delhi in 2002, with a 'deep understanding that marginalised communities living in socio-economic backwardness and information poverty can be empowered to improve their lives almost on their own, simply by providing them access to information and knowledge using digital tools' [DEF c]. DEF has contributed to setting up Community Information Resource Centres across 19 states and 53 districts in India, with computers, printers, scanners, and Internet connectivity [DEF]. DEF organises one of the biggest competitions in Asia to identify, foreground, and honour significant contributions in the area of ICT for Development [DEF d]. This annual competition series, titled 'Manthan Award' (Translation: 'manthan' means 'churning' in Sanskrit), started in 2004. It has alllowed DEF to create a detailed database of ICT for Development activities and actors in the South Asia and Asia Pacific region. Since 2011, DEF has started working with Association for Progressive Communications on a project titled 'Internet Rights' to take forward the agenda of 'internet access for all' in India [DEF b].

The Society for Knowledge Commons was formed in New Delhi 2007 by 'scientists, technologists, researchers, and activists to leverage the tremendous potential of the ‘collaborative innovation’ model for knowledge generation that has lead to the growth of the Free and Open Source Software community (FOSS) around the world' [Society for Knowledge Commons]. It has championed integration of FOSS into public sector operations in India – from electronic governance systems to use of softwares in educational institutes – and has made continuous interventions on Internet governance issues from the perspective of the critical importance of shared knowledge properties and practices for a more democratic information society. It is a part of the Free Software Movement of India [FSMI], an alliance of Indian organizations involved in advocating awareness and usage of FOSS, as well as a founding member of the Just Net Coalition [JNC].

The Centre for Internet and Society (CIS) was established in Bengaluru in 2008 with a research and advocacy focus on topics of accessibility of digital content for differently-abled persons, FOSS and policies on intellectual property rights, open knowledge and Indic Wikipedia projects, digital security and privacy, freedom of expression and Internet governance, and socio-cultural and historical studies of Internet in India [CIS]. In one of the key early projects, CIS contributed to the making of web accessibility policy for government websites in India, which was being drafted by the Department of Information Technology, Government of India [CIS 2008]. In the following years it took part in the Internet Governance Forum summits; submitted responses and suggestions to various policies being introduced by the government, especially the Information Technology (Amendment) Act, 2008, National Identification Authority of India (NIA) Bill, 2010, and the Approach Paper for a Legislation on Privacy, 2010; produced a report on the state of open government data in India [Prakash 2011b], and undertook an extensive study on the experiences of the young people in Asia with Internet, digital media, and social change [Shah 2011].

Software Freedom Law Centre has undertaken research and advocacy interventions, since 2011, in the topics digital privacy, software patents, and cyber-surveillance [SFLC]. The Internet Democracy Project, an initiative of Point of View, has organised online and offline discussions, participated in global summits, and produced reports on the topics of freedom of expression, cyber security and human rights, and global Internet governance architecture since 2012 [IDP].

The first Internet Society chapter to be established in India was in Delhi. The chapter began in 2002, but went through a period of no activity before being revived in 2008 [Delhi]. The Chennai chapter started in 2007 [Chennai], the Kolkata one in 2009 [Kolkata], and the Bengaluru chapter came into existence in 2010 [Bangalore]. Asia Internet Symposium have been organised in India twice: 1) the Kolkata one, held on on 1 December 2014, focused on 'Internet and Human Rights: Empowering the Users,' and 2) the Chennai symposium, held on 2 December 2014, discussed 'India in the Open and Global Internet.' The newest Internet Society chapter in India is in the process of formation in Trivandrum [Trivandrum], led by the efforts of Satish Babu (mentioned above).

Global and National Events

The first World Summit on the Information Society (WSIS) conference in Geneva, held on 10-12 December 2003, was not attended by many civil society organizations from India. Several Indian participants in the conference were part of the team of representatives from different global civil society organizations, like Digital Partners, Development Alternatives with Women for a New Era (DAWN), and International Centre for New Media [ITU 2003]. Between the first and the second conference, the engagement with the WSIS process increased among Indian civil society organizations increased of the WSIS process, which was especially led by IT for Change. In early 2005, before the second Preparatory Committee meeting of the Tunis conference, it organized a discussion event titled 'Gender Perspectives on the Information Society: South Asia Pre-WSIS Seminar' in partnership with DAWN and the Indian Institute of Management, Bangalore, which was supported by UNIFEM and the UNDP Asia-Pacific Development Information Programme [Gurumurthy 2006]. In a separate note, Anita Gurumurthy and Parminder Jeet Singh of IT for Change have noted their experience as a South Asian civil society organization engaging with the WSIS process [Gurumurthy 2005]. The second WSIS conference in Tunis, held on 16-18 November 2005, however, neither saw any significant participation from Indian civil society organizations, except for Ambedkar Centre for Justice and Peace, Childline India Foundation / Child Helpline International, and IT for Change [ITU 2005]. This contrasted sharply with the over 60 delegates from various Indian government agencies taking part in the conference [ITU 2005].

Two important events took place in India in early 2005 that substantially contributed to the civil society discourses in India around information technology and its socio-legal implications and possibilities. The former is the conference titled 'Contested Commons, Trespassing Publics' organized by the Sarai programme at the Centre for the Study of Developing Societies, Alternative Law Forum, and Public Service Broadcasting Trust, in Delhi on 6-8 January 2005. The conference attempted to look into the terms of intellectual property rights (IPR) debates from the perspectives of experiences in countries in Asia, Latin America, and Africa. It was based on the research carried out by the Sarai programme and Alternative Law Forum on contemporary realities of media production and distribution, and the ways in which law and legal instruments enter into the most intimate spheres of social and cultural life to operationalise the IPRs. The conference combined academic discussions with parallel demonstrations by media practitioners, and knowledge sharing by FLOSS communities [Sarai 2005]. The latter event is the first of the Asia Source workshop that took place in Bengaluru during 28 January - 4 February 2005 . It brought together more than 100 representatives from South and South-East Asian civil society organizations and technology practitioners working with them, along with several leading practitioners from Africa, Europe, North America, and Latin America, to promote adoption and usage of FLOSS across the developmental sector in the region. The workshop was organized by Mahiti (Bengaluru) and Tactical Technology Collective (Amsterdam), with intellectual and practical support from an advisory group of representatives from FLOSS communities and civil society organizations, and financial support from Hivos, the Open Society Institute, and International Open Source Network [Asia Source].

While the participation of representatives from Indian civil society organizations at the IGFs in Athens (2006) and Rio de Janeiro (2007) was minimal, the IGF Hyderabad, held on 3-6 December 2008, provided a great opportunity for Indian civil society actors to participate in and familiarize themselves with the global Internet governance process. Apart from various professionals, especially lawyers, who attended the Hyderabad conference as individuals, the leading civil society organizations participating in the event included: Ambedkar Center for Justice and Peace, Centre for Internet and Society, Centre for Science, Development and Media Studies, Digital Empowerment Foundation, Internet Society Chennai chapter, IT for Change, and Mahiti. The non-governmental participants from India at the event, however, were predominantly from private companies and academic institutes [IGF 2008].

IT for Change made a critical intervention into the discourse of global Internet governance during the Hyderabad conference by bringing back the term 'enhanced cooperation,' as mentioned in the Tunis Agenda for the Information Society [ITU 2005 b]. At IGF Sharm El Sheikh, held during 15-18 November 2009, Parminder Jeet Singh of IT for Change explained:

[E]nhanced cooperation consists of two parts. One part is dedicated to creating globally applicable policy principles, and there is an injunction to the relevant organizations to create the conditions for doing that. And I have a feeling that the two parts of that process have been conflated into one. And getting reports from the relevant organizations is going on, but we are not able to go forward to create a process which addresses the primary purpose of enhanced cooperation, which was to create globally applicable public policy principles and the proof of that is that I don't see any development of globally applicable public policy principles, which remains a very important need. [IGF 2009]

This foregrounding of the principle of 'enhanced cooperation' have since substantially contributed to rethinking not only the global Internet governance mechanisms and its reconfigurations, but also the Indian government's perspectives towards the same. It eventually led to the proposal made by a representative of Government of India at the UN General Assembly session on 26 October 2011 regarding the establishment of a UN Committee for Internet-Related Policies [Singh 2011].

Internet Policies and Censorship

One of the earliest instances of censorship of online content in India is the blocking of several websites offering Voice over IP (VoIP) softwares, which can be downloaded to make low-cost international calls, during late 1990s. The India-GII mailing list initiated by Arun Mehta, as mentioned above, started almost as a response to this blocking move by Videsh Sanchar Nigam Limited (VSNL), the government-owned Internet Service Provider (ISP). Additionally, Mehta filed a case against VSNL for blocking these e-commerce websites, which might be identified as the first case of legal activism for Internet-related rights in India [India-GII 2001]. During the war between India and Pakistan during 1999, the Indian government instructed VSNL to block various Pakistani media websites, including that of Dawn. Like in the case of websites offering VoIP services, this blocking did not involve direct intervention with the websites concerned but only the ability of Indian users to access them [Tanna 2004]. The first well-known case of the Government of India blocking digital content for political reasons occurred in 2003, when a mailing list titled 'Kynhun' was banned. Department of Telecommunications instructed all the But the previously deployed URL-blocking strategy did not work in the new situation of mailing lists. Blocking the URL of the group did not stop it from being used by members of the group to continue sharing email through it. Government of India then approached Yahoo directly to ensure that the mailing list is closed down, which Yahoo declined to implement. This resulted in imposing of a blanket blocking of all Yahoo Groups pages across ISPs in India during September 2003. By November, Yahoo decided to close down the mailing list, and the blanket blocking was repealed [Tanna 2004]. Further blocking of several blogs and websites continued through 2006 and 2007, where the government decided to work in collaboration with various platforms offering hosted blog and personal webpage services to remove access to specific sub-domains. In resistance to this series of blocking orders by the government, there emerged an important civil society campaign titled 'Bloggers Against Censorship' led by Bloggers Collective Group, a distributed network of bloggers from all across India [Bloggers 2006].

A few weeks after the IGF Hyderabad, the Government of India passed the Information Technology (Amendment) Act 2008 on 22 December 2008 [MoLaJ 2009], although it was notified and enforced much later on 27 October 2009 [MoCaIT 2009]. This amendment attempted to clarify various topics left under-defined in the Information Technology Act of 2000. However, as Pranesh Prakash of the Centre for Internet and Society noted, the casual usage of the term 'offensive content' in the amendment opened up serious threats of broad curbing of freedom of online expression under the justification that it caused 'annoyance' or 'inconvenience' [Prakash 2009]. The sections 66 and 67 of the amended Information Technology Act, which respectively address limits to online freedom of expression and legally acceptable monitoring of digital communication by government agencies, have since been severely protested against by civil society organizations across India for enabling a broad-brushed censorship and surveillance of the Internet in India. The section 66A has especially allowed the government to make a series of arrests of Internet users for posting and sharing 'offensive content' [Pahwa 2015].

In 2011, the Government of India introduced another critical piece of policy instrument for controlling online expressions – the Information Technology (Intermediary Guidelines) Rules, 2011 [MoCaIT 2011] – targeted at defining the functions of the intermediaries associated with Internet-related services and communication, and how they are to respond to government's directives towards taking down and temporary blocking of digital content. The draft Rules were published in early 2011 and comments were invited from the general public. One of the responses, submitted by Privacy India and the Centre for Internet and Society, explicitly highlighted the draconian implications of the (then) proposed rules:

This rule requires an intermediary to immediately take steps to remove access to information merely upon receiving a written request from “any authority mandated under the law”. Thus, for example, any authority can easily immunize itself from criticism on the internet by simply sending a written notice to the intermediary concerned. This is directly contrary to, and completely subverts the legislative intent expressed in Section 69B which lays down an elaborate procedure to be followed before any information can be lawfully blocked. [Prakash 2011]

The policy apparatus of controlling online expression in India took its full form by the beginning of the decade under study here. The 'chilling effect' of this apparatus was made insightfully evident by a study conducted by Rishabh Dara at the Centre for Internet and Society, where fake takedown notices (regarding existing digital content) were sent to 7 important Internet intermediaries operating in India, and their responses were studied. The results of this experiment demonstrated that:

[T]he Rules create uncertainty in the criteria and procedure for administering the takedown thereby inducing the intermediaries to err on the side of caution and over-comply with takedown notices in order to limit their liability; and as a result suppress legitimate expressions. Additionally, the Rules do not establish sufficient safeguards to prevent misuse and abuse of the takedown process to suppress legitimate expressions. [Dara 2012]

Reference

[Bloggers 2006] Bloggers Collective Group, Bloggers Against Censorship. Last updated on April 30, 2009‎. Accessed on July 08, 2015, from http://censorship.wikia.com/wiki/Bloggers_Against_Censorship.

[Dara 2012] Dara, Rishabh, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet. The Centre for Internet and Society. April 27. Accessed on July 08, 2015, from http://cis-india.org/internet-governance/chilling-effects-on-free-expression-on-internet.

[DEF] Digital Empowerment Foundation (DEF). Community Information Resource Centre. Accessed on July 08, 2015, from http://defindia.org/circ-2/.

[DEF b] Digital Empowerment Foundation (DEF). Internet Rights. Accessed on July 08, 2015, from http://internetrights.in/.

[DEF c] Digital Empowerment Foundation (DEF). Our Story. Accessed on July 08, 2015, from http://defindia.org/about-def/.

[DEF d] Digital Empowerment Foundation (DEF). Manthan Awards. Accessed on July 08, 2015, from http://defindia.org/manthan-award-south-asia-masa/.

[FSFI] Free Software Foundation of India. Accessed on July 08, 2015, from http://fsf.org.in/.

[FSMI] Free Software Movement of India. Accessed on July 08, 2015, from http://www.fsmi.in/node.

[Gurumurthy 2001] Gurumurthy, Anita, A Gender Perspective to ICTs and Development: Reflections towards Tunis. January 15. Accessed on July 08, 2015, from http://www.worldsummit2003.de/en/web/701.htm.

[Gurumurthy 2005] Gurumurthy, Anita, and Parminder Jeet Singh, WSIS PrepCom 2: A South Asian Perspective. Association for Progressive Communications. April 01. Accessed on July 08, 2015, from https://www.apc.org/en/news/hr/world/wsis-prepcom-2-south-asian-perspective.

[Gurumurthy 2006] Gurumuthy, Anita et al (eds.), Gender in the Information Society: Emerging Issues. UNDP Asia-Pacific Development Information Programme. Accessed on July 08, 2015, from http://www.genderit.org/sites/default/upload/GenderIS.pdf.

[India-GII 2001] India-GII, Status of VSNL Censorship of IP-Telephony Sites. Accessed on July 08, 2015, from http://members.tripod.com/~india_gii/statusof.htm.

[India-GII 2005] India-GII. 2005. Last modified on May 24. Accessed on July 08, 2015, from http://india-gii.org/.

[IDP] Internet Democracy Project. Accessed on July 08, 2015, from http://internetdemocracy.in/.

[ITU 2003] International Telecommunication Union (ITU), Geneva Phase of the WSIS: List of Participants. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/geneva/summit_participants.pdf.

[ITU 2005] International Telecommunication Union (ITU), List of Participants (WSIS) – Update 5 Dec 2005. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs2/tunis/final-list-participants.pdf.

[ITU 2005 b] International Telecommunication Union (ITU), Tunis Agenda for the Information Society. November 18. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs2/tunis/off/6rev1.pdf.

[IGF 2008] Internet Governance Forum, Hyderabad Provisional List of Participants. Accessed on July 08, 2015, from http://www.intgovforum.org/cms/index.php/component/content/article/385-hyderabad-provisional-list-of-participants.

[IGF 2009] Internet Governance Forum, Managing Critical Resources. IGF Sharm El Sheikh, Egypt . November 16. Accessed on July 08, 2015, from http://www.intgovforum.org/cms/2009/sharm_el_Sheikh/Transcripts/Sharm%20El%20Sheikh%2016%20November%202009%20Managing%20Critical%20Internet%20Resources.pdf.

[Bangalore] Internet Society Bangalore Chapter. Accessed on July 08, 2015, from http://www.isocbangalore.org/.

[Delhi] Internet Society Delhi Chapter. Accessed on July 08, 2015, from http://www.isocbangalore.org.

[Chennai] Internet Society Chennai Chapter. Accessed on July 08, 2015, from http://www.isocbangalore.org.

[Kolkata] Internet Society Kolkata Chapter. Accessed on July 08, 2015, from http://isockolkata.in/.

[Trivandrum] Internet Society Trivandrum Chapter. Accessed on July 08, 2015, from http://www.internetsociety.org/what-we-do/where-we-work/chapters/india-trivandrum-chapter.

[ITfC] IT for Change, About IT for Change. Accessed on July 08, 2015, from http://www.itforchange.net/aboutus.

[ITfC b] IT for Change, Anita Gurumurthy. Accessed on July 08, 2015, from http://www.itforchange.net/Anita.

[ITfC c] IT for Change, Gender and Citizenship in the Information Society: Southern Feminist Dialogues in Practice and Theory. Accessed on July 08, 2015, from http://www.gender-is-citizenship.net/.

[ITfC d] IT for Change, Internet Governance. Accessed on July 08, 2015, from http://www.itforchange.net/Techgovernance.

[ITfC e] IT for Change, Our Field Centre. Accessed on July 08, 2015, from http://www.itforchange.net/field_centre.

[JNC] Just Net Coalition (JNC). Accessed on July 08, 2015, from http://justnetcoalition.org/.

[Kumar 2007] Kumar, Sasi V. 2007. The Story of Free Software in Kerala, India. Accessed on July 08, 2015, from http://swatantryam.blogspot.in/2007/08/story-of-free-software-in-kerala-india.html.

[MoLaJ 2009] Ministry of Law and Justice (MoLaJ), The Information Technology (Amendment) Act, 2008. The Gazette of India. February 05. Accessed on July 08, 2015, from http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf.

[MoCaIT 2009] Ministry of Communications and Information Technology (MoCaIT), Notification. The Gazette of India. October 27. Accessed on July 08, 2015, from http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/act301009.pdf.

[MoCaIT 2011] Ministry of Communications and Information Technology (MoCaIT), Information Technology (Intermediaries Guidelines) Rules, 2011. The Gazette of India. April 11. Accessed on July 08, 2015, from http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf.

[Noronha 2002] Noronha, Frederick, Linking a Diverse Country: Mailing Lists in India. The Digital Development Network. May 22. Accessed on July 08, 2015, from http://www.comminit.com/ict-4-development/content/linking-diverse-country-mailing-lists-india.

[Pahwa 2015] Pahwa, Nikhil, A List of Section 66A Arrests in India through the Years. Medianama. March 24. Accessed on July 08, 2015, from http://www.medianama.com/2015/03/223-section-66a-arrests-in-india/.

[Prakash 2009] Prakash, Pranesh, Short Note on IT Amendment Act, 2008 . The Centre for Internet and Society. February. Accessed on July 08, 2015, from http://cis-india.org/internet-governance/publications/it-act/short-note-on-amendment-act-2008/.

[Prakash 2011] Prakash, Pranesh, CIS Para-wise Comments on Intermediary Due Diligence Rules, 2011. The Centre for Internet and Society. Accessed on July 08, 2015, from http://cis-india.org/internet-governance/blog/intermediary-due-diligence.

[Prakash 2011 b] Prakash, Pranesh, et al, Open Government Data Study. The Centre for Internet and Society. Accessed on July 08, 2015, from http://cis-india.org/openness/blog/open-government-data-study.

[SFLC] Software Freedom Law Centre (SFLC). Accessed on July 08, 2015, from http://sflc.in/.

[Shah 2011] Shah, Nishant. 2011. Digital AlterNatives with a Cause? The Centre for Internet and Society. Accessed on July 08, 2015, from http://cis-india.org/digital-natives/blog/dnbook.

[Singh 2011] Singh, Dushyant, India's Proposal for a United Nations Committee for Internet-Related Policies. Sixty Sixth Session of the UN General Assembly, New York. October 26. Accessed on July 08, 2015, from http://www.itforchange.net/sites/default/files/ItfC/india_un_cirp_proposal_20111026.pdf.

[SKC] Society for Knowledge Commons. About Us. Accessed on July 08, 2015, from http://www.knowledgecommons.in/about-us/.

[Asia Source] Tactical Technology Collective, Asia Source. Accessed on July 08, 2015, from https://tacticaltech.org/asiasource.

[Tanna 2004] Tanna, Ketan, Internet Censorship in India: Is It Necessary and Does It Work?. Sarai-CSDS Independent Fellowship. Accessed on July 08, 2015, from http://www.ketan.net/INTERNET_CENSORSHIP_IN_INDIA.html.

[CIS] The Centre for Internet and Society. About Us. Accessed on July 08, 2015, from http://cis-india.org/about/.

[CIS 2008] The Centre for Internet and Society. 2008. Annual Report. Accessed on July 08, 2015, from http://cis-india.org/accessibility/annual-report-2008.pdf.

[Sarai 2005] The Sarai Programme, Contested Commons, Trespassing Publics. January 12. Accessed on July 08, 2015, from http://sarai.net/contested-commons-trespassing-publics/.

[Wikipedia 2015] Satish Babu. Wikipedia. Last modified on June 25. Accessed on July 08, 2015, from https://en.wikipedia.org/wiki/Satish_Babu.

For more details visit https://cis-india.org/raw/civil-society-organisations-and-internet-governance-in-india-open-review

Civil Society Organisations and Internet Governance in Asia - Open Review

sumandro — 2015-11-13T05:54:33Z

This is a book section written for the third volume (2000-2010) of the Asia Internet History series edited by Prof. Kilnam Chon. The pre-publication text of the section is being shared here to invite suggestions for addition and modification. Please share your comments via email sent to raw[at]cis-india[dot]org with 'Civil Society Organisations and Internet Governance in Asia - Comments' as the subject line. This text is published under Creative Commons Attribution-NoDerivatives 4.0 International license.

You are most welcome to read the pre-publication drafts of other sections of the Asia Internet History Vol. 3, and share your comments: https://sites.google.com/site/internethistoryasia/book3.

Preparations for the World Summit on the Information Society

The World Summit on the Information Society (WSIS) conferences organized by the United Nations in Geneva (2003) and Tunis (2005) initiated crucial platforms and networks, some temporary and some continued, for various non-governmental actors to intensively and periodically take part in the discussions of governance of Internet and various related activities towards the goals of inclusive development and human rights. Many of the civil society organizations taking part in the WSIS conferences, as well as the various regional and thematic preparatory meetings and seminars, had little prior experience in the topic of Internet governance. They were entering these conversations from various perspectives, such as local developmental interventions, human and cultural rights activism, freedom and diversity of media, and gender and social justice. With backgrounds in such forms of applied practice and theoretical frameworks, members of these civil society organizations often faced a difficult challenge in articulating their experiences, insights, positions, and suggestions in terms of the (then) emerging global discourse of Internet governance and that of information and communication technologies (ICTs) as instruments of development. At the WSIS: An Asian Response Meeting in 2002, Susanna George, (then) Executive Director of Isis International, Manila, succinctly expressed this challenge being faced by the members of civil society organizations:

For some feminist activists however, including myself, it has felt like trying to squeeze my concerns into a narrow definition of what gender concerns in ICTs are. I would like it to Cinderella’s ugly sister cutting off her toe to fit into the dainty slipper of gender concerns in ICTs. The development ball, it seems, can only accommodate some elements of what NGO activists, particularly those from the South, are concerned about in relation to new information and communications technologies. (George 2002)

The above mentioned seminar, held in Bangkok, Thailand, on November 22-24, 2002, was a crucial early meeting for the representatives from Asian civil society organizations to share and shape their understanding and positions before taking part in the global conversations during the following years. The meeting was organised by Bread for All (Switzerland), Communication Rights in the Information Society Campaign (Netherlands), Forum-Asia (Thailand), and World Association for Christian Communication (United Kingdom), as a preparatory meeting before the Asia-Pacific Regional Conference of WSIS, with 34 organizations from 16 Asian countries taking part in it. The Final Document produced at the end of this seminar was quite a remarkable one. It highlighted the simultaneity of Asia as one of the global centres of the information economy and the everyday reality of wide-spread poverty across the Asian countries, and went on to state that the first principle for the emerging global information society should be that the '[c]ommunication rights are fundamental to democracy and human development' (The World Summit on the Information Society: An Asian Response 2002). It proposed the following action items for the efforts towards a global inclusive information society: 1) strengthen community, 2) ensure access, 3) enhance the creation of appropriate content, 4) invigorate global governance, 5) uphold human rights, 6) extend the public domain, 7) protect and promote cultural and linguistic diversity, and 8) ensure public investment in infrastructure (ibid.).

Immediately after this Conference, several Asian civil society organizations attended the Asian Civil Society Forum, organised as part of the Conference of Non-governmental Organizations in Consultative Relations with the United Nations (CONGO), held in Bangkok, Thailand, during December 9-13, 2002. Representatives of Dhaka Ahsania Mission (Bangladesh), OneWorld South Asia (India), GLOCOM (Japan), Foundation for Media Alternative (Philippines), Korean Progressive Network – JINBONET (Republic of Korea), Friedrich Naumann Foundation (Singapore), International Federation of University Women (Switzerland), and Forum Asia (Regional) drafted a Joint Statement emphasising that a 'broad-based participation of civil society, especially from those communities which are excluded, marginalized and severely deprived, is critical in defining and building such a [true communicative, just and peaceful] society' (Aizu 2002). In the very next month, the Asia-Pacific Regional Conference was held in Tokyo during January 13-15, 2003, 'to develop a shared vision and common strategies for the “Information Society' (WSIS Executive Secretariat 2003: 2). The conference saw participation of representatives from 47 national governments, 22 international organizations, 54 private sector agencies, and 116 civil society organizations across the Asia-Pacific region. The Tokyo Declaration, the final document prepared at the conclusion of the Conference, recognized that:

[T]he Information Society must ... facilitate full utilization of information and communication technologies (ICT) at all levels in society and hence enable the sharing of social and economic benefits by all, by means of ubiquitous access to information networks, while preserving diversity and cultural heritage. (Ibid.: 2)

Further, it highlighted the following priority areas of action: 1) infrastructure development, 2) securing affordable, universal access to ICTs, 3) preserving linguistic and cultural diversity and promoting local content, 4) developing human resources, 5) establishing legal, regulatory and policy frameworks, 6) ensuring balance between intellectual property rights (IPR) and public interest, 7) ensuring the security of ICTs, and 8) fostering partnerships and mobilizing resources. It is not difficult to see how the focus of necessary actions shifted from an emphasis on concerns of community and human rights, and public investments and commons, towards those of legal and policy mechanisms, multi-partner delivery of services, and intellectual property rights. Civil society organizations, expectedly, felt sidelined in this Conference, and decided to issue a join statement of Asian civil society organizations to ensure that their positions are effectively presented. The first two topics mentioned in this document were: 1) '[c]ommunication rights should be fully recognized as a fundamental and universal human right to be protected and promoted in the information society,' and 2) '[t]he participation of civil society in the information society at all levels should be ensured and sustained, from policy planning to implementation, monitoring and evaluation' (UNSAJ et al 2003). The joint statement was endorsed by 30 civil society organizations: UDDIPAN (Bangladesh); COMFREL (Cambodia); ETDA (East Timor); The Hong Kong Council of Social Services (Hong Kong); Food India, IT for Change (India); Indonesian Infocom Society (Indonesia); Active Learning, CPSR, Forum for Citizens' Television and Media, JTEC, Kyoto Journal, Ritsumeikan University Media Literacy Project, UNSAJ (Japan); Computer Association Nepal, Rural Area Development Programme (Nepal); APC Women's Networking Support Programme, Foundation for Media Alternatives, ISIS International (Philippines); Citizens' Action Network, Korean Progressive Network – Jinbonet, Labor News Production, ZAK (Republic of Korea); e-Pacificka Consulting (Samoa); National University of Singapore (Singapore); Public Television Service, Taiwan Association for Human Rights (Taiwan); Asian-South Pacific Bureau for Adult Education, FORUM ASIA, and TVE Asia Pacific (Regional) (Ibid.).

Participation in the WSIS Process

The first WSIS conference was held in Geneva in December 2003. Through the processes of organizing this conference, and the second one in Tunis in November 2005, United Nations expressed a clear intention of great participation of actors from the private companies, civil society, academia, and media, along with the governmental organizations. During the first meeting of the WSIS Preparatory Committee (PrepCom-1) in Geneva, during July 1-5, 2002, the civil society organizations demanded that they should be allowed to co-shape the key topics to be discussed during the first conference (2003). There was already an Inter-Governmental Subcommittee on Contents and Themes, but no equivalent platform for the civil society organizations was available. With the approval of the Civil Society Plenary (CSP), the Civil Society Subcommittee on Content and Themes (WSIS-SCT) was instituted during PrepCom-1 (WSIS-SCT 2003b). At the second WSIS Preparatory Committee meeting (PrepCom-2) in Geneva, during February 17-28, 2003, the WSIS-SCT produced a summary of the views of its members titled 'Vision and Principles of Information and Communication Societies,' and also a one page brief titled 'Seven Musts: Priority Principles Proposed by Civil Society' to be used for lobbying purposes (Ibid.). This brief mentioned seven key principles of Internet governance identified by the civil society organization taking part in the WSIS process: (1) sustainable development, (2) democratic governance, (3) literacy, education, and research, (4) human rights, (5) global knowledge commons, (6) cultural and linguistic diversity, and (7) information security (WSIS-SCT 2003a).

Asian civil society organizations that took part in the PrepCom-2 meeting included United Nations Association of China (China); CASP - Centre for Adivasee Studies and Peace, C2N - Community Communications Network (India); ICSORC - Iranian Civil Society Organizations Resource Center (Iran); GAWF - General Arab Women Federation (Iraq); Daisy Consortium, GLOCOM - Center for Global Communications (Japan); Association for Progressive Communication, Global Knowledge Partnership (Malaysia); Pakistan Christian Peace Foundation (Pakistan); WFEO - World Federation of Engineering Organization (Palestine); Asian South Pacific Bureau of Adult Education, Foundation for Media Alternatives, ISIS International – Manila (Philippines); Korean Progressive Network - Jinbonet (Republic of Korea); IIROSA - International Islamic Relief Organization (Saudi Arabia); and Taking IT Global (India, Indonesia, Malaysia, Philippines, and Turkey) (ITU 2003a).

All these efforts led to development of the Civil Society Declaration to the World Summit on the Information Society, which was prepared and published by the Civil Society Plenary at the Geneva conference, on December 08, 2003. The Declaration was titled 'Shaping Information Societies for Human Needs' (WSIS Civil Society Plenary 2003). The Asian civil society organization that took part in the Geneva conference were BFES - Bangladesh Friendship Education Society, Drik, ICTDPB - Information & Communication Technology Development Program, Proshika - A Center for Human Development (Bangladesh); China Society for Promotion of the Guangcai Programme, Chinese People's Association for Friendship with Foreign Countries, United Nations Association of China (China); The Hong Kong Council of Social Service (Hong Kong); CASP - Centre for Adivasee Studies and Peace, Childline India Foundation / Child Helpline International, DAWN - Development Alternatives with Women for a New Era (India); Communication Network of Women's NGOs in Iran, Green front of Iran, ICTRC - Iranian Civil Society Organizations Training and Research Center, Islamic Women's Institute of Iran, Institute for Women's Studies and Research, Organization for Defending Victims of Violence (Iran); ILAM - Center for Arab Palestinians in Israel (Israel); Citizen Digital Solutions, Forum for Citizens' Television and Media, GLOCOM - Center for Global Communications, JCAFE - Japan Computer Access for Empowerment, Soka Gakkai International (Japan); LAD-Nepal - Literary Academy for Dalit of Nepal (Nepal); Asia-Pacific Broadcasting Union, Global Knowledge Partnership (Malaysia); PAK Educational Society / Pakistan Development Network, SMEDA - Small & Medium Enterprise Development Authority (Pakistan); Palestine IT Association of Companies (Palestine); Isis International – Manila, Ugnayan ng Kababaihan sa Pulitika / Philippine Women's Network in Politics and Governance (Philippines); Citizen's Alliance for Consumer Protection of Korea, Korean Civil Society Network for WSIS (Republic of Korea); Youth Challenge (Singapore); Association for Progressive Communications (India and Philippines), CITYNET - Regional Network of Local Authorities for the Management of Human Settlements (India. Mongolia, and Philippines), Taking IT Global (India and Philippines) (ITU 2003b).

As the preparatory meetings and consultations towards the second WSIS conference advanced during the next year, the Asian civil society organizations attempted to engage more directly with the global Internet governance processes on one hand, and the national Internet and ICT policy situations on the other. Writing about their encounters at and before the second Preparatory Committee meeting of the Tunis conference, held in Geneva during February 17-25, 2005, Anita Gurumurthy and Parminder Jeet Singh made several early observations that have continued to resonate with the experiences of Asian civil society organizations throughout the decade (Gurumurthy & Singh 2005). Firstly, they indicated that the government agencies present in the dialogues tend to take diverging positions in international events and domestic contexts. Secondly, there was a marked absence of formal and informal discussions between the governmental and the civil society representatives of the same country present at the meeting. The government agencies were clearly disinterested in involving civil society organizations in the process. Thirdly, the civil society actors present in the meeting were mostly from the ICT for Development sector, and the organizations working in more 'traditional' sectors – such as education, health, governance reform, etc. – remained absent from the conversations. This is especially problematic in the case of such developing countries where there does not exist strategic linkages between civil society organizaions focusing on topics of technologized developmental interventions, and those involved in more 'traditional' development practices. Rekha Jain, in a separate report on the Indian experience of participating in the WSIS process, re-iterates some of these points (Jain 2006). She notes that '[w]hile the Secretary, [Department of Telecommunications, Government of India] was involved in (PrepCom-1) drafting the initial processes for involvement of NGOs, at the national level, this mechanism was not translated in to a process for involving the civil society or media' (Ibid.: 14).

The frequent lack of interest of national governments, especially in the Asian countries, to engage with civil society organizations on matters of policies and projects in Internet governance and ICTs for development (Souter 2007), further encouraged these organization to utilise the global discussion space opened up by the WSIS process to drive the agendas of democratisation of Internet governance processes, and protection and advancement of human rights and social justice. The second WSIS conference held in Tunis, during November 16-18, 2005, however, did not end in a positive note for the civil society organizations as a whole. The sentiment is aptly captured in the title of the Civil Society Statement issued after the Tunis Conference: 'Much more could have been achieved' (WSIS Civil Society Plenary 2005). Apart from producing this very important critical response to the WSIS process, within a month of its conclusions, the civil society organization contributed effectively in one of the more longer-term impacts of the process – the establishment of the Internet Governance Forums (IGFs). Immediately after the publication of the Report of the Working Group on Internet Governance (Desai et al) in June 2005, the Center for Global Communications (GLOCOM), Japan, acting on behalf of the Civil Society Internet Governance Caucus, came forward with public support for 'the establishment of a new forum to address the broad agenda of Internet governance issues, provided it is truly global, inclusive, and multi-stakeholder in composition allowing all stakeholders from all sectors to participate as equal peers' (WSIS Civil Society Internet Governance Caucus 2005: 3).

Asian Civil Society Organizations at the IGFs

In 2006, the WSIS Civil Society Internet Governance Caucus was reformed and established as a permanent 'forum for discussion, advocacy, action, and for representation of civil society contributions in Internet governance processes' (Civil Society Internet Government Caucus 2006). Representatives from Asian civil society organizations have consistently played critical roles in the functionings of this Caucus. Youn Jung Park of the Department of Technology and Society, SUNY Korea, co-founded and co-coordined the original Caucus in 2003. Adam Peake of the Center for Global Communications (GLOCOM), International University of Japan, was co-coordinator of the original Caucus from 2003 to 2006. Parminder Jeet Sing of IT for Change, India, was elected as one of the co-cordinators of the newly reformed Caucus in 2006, with the term ending in 2008. Izumi Aizu of the Institute for HyperNetwork Society and the Institute for InfoSocinomics, Tama University, Japan served as the co-coordinator of the Caucus during 2010-2012.

The first Internet Governance Forum organized in Athens, October 30 – November 2, 2006, saw participation from a very few Asian civil society organizations, mostly from Bangladesh and Japan (IGF 2006). The second Internet Governance Forum in Rio de Janeiro, November 12-15, 2007 had a wider representation from Asian civil society organizations: Bangladesh NGOs Network for Radio and Communication, BFES - Bangladesh Friendship Education Society, VOICE – Voices for Interactive Choice and Empowerment (Bangladesh); China Association for Science and Technology, Internet Society of China (China); University of Hong Kong (Hong Kong); Alternative Law Forum (via Association for Progressive Communications - Women's Networking Support Programme), Indian Institute of Technology in Delhi, IT for Change (India); GLOCOM, Kumon Center, Tama University (Japan); Sustainable Development Networking Programme (Jordan); Kuwait Information Technology Society (Kuwait); Assocation of Computer Engineers – Nepal, Rural Area Development Programme, Nepal Rural Information Technology Development Society (Nepal); Bytesforall – APC / Pakistan, Pakistan Christian Peace Foundation (Pakistan); Foundation for Media Alternatives, Philippine Resources for Sustainable Development Inc. (Philippines); and LIRNEasia (Sri Lanka). At the Open IGF Consultations in Geneva, on February 26 2008, the Internet Governance Caucus made two significant submissions: 1) that, although structuring the IGF sessions in Athens and Rio de Janeiro around the large themes of access, openness, diversity, and security have been useful to open up the multi-stakeholder dialogues, it is necessary to begin focused discussions of specific public policy issues to take the IGF process forward (Civil Society Internet Governance Caucus 2008a), and 2) that the Multi-Stakeholder Advisory Group (MAG), which drives the IGF process and events, should be made more proactive and transparent, and expanded in size so as to better include the different stakeholder groups who may self-identify their representatives for the MAG (Civil Society Internet Governance Caucus 2008b).

On one hand, the IGF Hyderabad, December 3-6, 2008, experienced a decline in the percentage of participants from civil society organizations and a rather modest increase in the percentage of participants from Asian countries (see: 6.1.5. Annexe – Tables), especially since this was the first major international Internet governance summit held in an Asian country. On the other hand, the Civil Society Internet Governance Caucus succeeded to bring forth the term 'enhanced cooperation,' as mentioned in the Tunis Agenda, to be addressed and discussed in one of the main sessions of the Forum (IGF 2008). The next IGF held in Sharm El Sheikh, November 15-18, 2009, saw further decline of participation from both the representatives of civil society organizations, and the attendees from Asian countries (see: 6.1.5. Annexe – Tables). In this context, Youn Jung Park made the following statement in the Stock Taking session of the summit:

As a cofounder of WSIS Civil Society Internet Governance Caucus in 2003, I would like to remind you ... [that] Internet Governance Forum was created as a compromise between those who supported the status quo Internet governance institution under one nation's status provision, and those who requested for more balanced roles for governments under international supervision of the Internet. While IGF has achieved a great success of diluting of such political tension between those who have different views of how to institutionalize Internet governance, ironically Internet governance forum became a forum without governance... [We] have to admit [that] IGF failed to deliver another mandate of the U.N. WSIS: Continuing discussion of how to design Internet governance institutions... The current IGF continues to function as knowledge transfer of ICANN's values to other stakeholders, while those who want to discuss and negotiate on how to design Internet governance institutions should have another platform for that specific U.N. WSIS mandate. (IGF 2009)

The first Asia Pacific Regional Internet Governance Forum (APrIGF) was held in Hong Kong on June 14-16, 2010. The organising committee included three civil society / acadmic organizations – Center for Global Communications (GLOCOM), Internet Society Hong Kong, and National University of Singapore – and three indpendent experts – Kuo-Wei Wu (Taiwan), Norbert Klein (Cambodia), and Zahid Jamil (Pakistan). Though the Forum had dominant presence from government and private sector participants, several representatives from Asian civil society / academic organizations spoke at the sessions: Ang Peng Hwa (Singapore Internet Research Centre, Nanyang Technological University), Charles Mok (Internet Society Hong Kong), Christine Loh (Civic Exchange), Chong Chan Yau (Hong Kong Blind Union), Clarence Tsang (Christian Action), Ilya Eric Lee (Taiwan E-Learning and Digital Archives Program, and Research Center for Information Technology Innovation), Izumi Aizu (Institute for HyperNetwork Society, and Institute for InfoSocinomics, Kumon Center, Tama University), Oliver “Blogie” Robillo (Mindanao Bloggers Community), Parminder Jeet Singh (IT for Change), Priscilla Lui (Against Child Abuse in Hong Kong), Tan Tin Wee (Centre for Internet Research, National University of Singapore), and Yap Swee Seng (Asian Forum for Human Rights and Development). As Ang Peng Hwa noted at the beginning of the summit, its key objective was to provide a formal space for various stakeholders from the Asia-Pacific region to discuss and provide inputs to the IGF process (APrIGF 2010). The regional forum was successful in enabling newer civil society entrants from the Asia-Pacific region to familiarize themselves with the IGF process, and to contribute to it. Oliver “Blogie” Robillo, represented and submit recommendations from Southeast Asian civil society organizations at IGF Vilnius, September 14-17, 2010, which was the first time he took part in the summit series. He emphasised the following topics: 1) openness and freedom of expression are the basis of democracy, and state-driven censorship of Internet in the region is an immediate threat to such global rights, 2) coordinated international efforts need to address and resolve not only global digital divides, but also the divides at regional, national, and sub-nationals scales, 3) the right to privacy is an integral part of cybersecurity, as well as a necessary condition for exercising human rights, 4) global Internet governance efforts must ensure that national governments do not control and restrict abilities of citizens to express through digital means, and it should be aligned with the universal human rights agenda, and 5) even after 5 years of the IGF process, a wider participation of civil society organizations, especially from the Asia-Pacific regions, remains an unachieved goal, which can only be achived if specific resources are allocated and processes are implemented (IGF 2010).

Internet Censorship and Civil Society Responses

Throughout the decade of 2000-2010, censorship of Internet and restriction of digital expression remained a crucial Internet rights concern across the world, and especially the Asian countries. One of the earliest global reports on the matter was brought out by the Reporters without Borders. In 2006, it published a list of countries marked as 'Internet Enemies' that featured 16 countries, out of which 11 were from Asia: China, Iran, Maldives, Myanmar (then, Burma), Nepal, North Korea, Saudi Arabia, Syria, Turkmenistan, Uzbekistan, and Vietnam (Reporters without Borders 2006). The list was updated in 2007, and three of these countries – Libya, Maldives, and Nepal – were taken off (Ibid.). The unique contradictions of the Asian region were sharply foregrounded in the 2006-07 report on Internet censorship by OpenNet Initiative, which noted:

Some of the most and least connected countries in the world are located in Asia: Japan, South Korea, and Singapore all have Internet penetration rates of over 65 percent, while Afghanistan, Myanmar, and Nepal remain three of thirty countries with less than 1 percent of its citizens online. Among the countries in the world with the most restricted access, North Korea allows only a small community of elites and foreigners online. Most users must rely on Chinese service providers for connectivity, while the limited number North Korean–sponsored Web sites are hosted abroad... [T]hough India’s Internet community is the fifth largest in the world, users amounted to only about 4 percent of the country’s population in 2005. Afghanistan, Myanmar, and Nepal are among the world’s least-developed countries. Despite the constraints on resources and serious developmental and political challenges, however, citizens are showing steadily increasing demand for Internet services such as Voice-over Internet Protocol (VoIP), blogging, and chat. (Wang 2007)

The report further described the strategy used by various Asian governments of 'delegation of policing and monitoring responsibilities to ISPs, content providers, private corporations, and users themselves' (Ibid.) These mechanisms enforce self-surveillance and self-censorship in the face of threats of loss of commercial license, denial of services, and even criminal liability. Defamation suits and related civil and criminal liability have also been used by several Asian governments to silence influential critics and protesters. Direct technical filtering of Internet traffic (especially inwards traffic) and blocking of URLS via government directives sent to Internet Service Providers (ISPs) have also been common practice in key Asian countries (Ibid.). Expectedly, such experiences of oppression led to widespread campaigns and communications by the Asian civil society organizations, as can be sensed from the above mentioned submission by Oliver “Blogie” Robillo at IGF Vilnius.

Among the Asian countries, the comprehensive technologies of censorship developed and deployed by China has been studied most extensively. The Golden Shield Project was initiated by the Ministry of Public Security of China in 1998 to undertake blanket blocking of incoming Internet traffic based on specific URLs and terms. Evidences of the project getting operationalised became available in 2003 (Garden Networks for Freedom of Information 2004). Censorship of Internet in China, however, has not only been dependent on such sophisticated systems. In 2003, it was made mandatory for all residents of Lhasa, Tibet, to use a specific combination and password to access Internet, which was directly linked to their names and address. An Internet ID Card was issued by the government to implement this (International Campaign for Tibet. 2004). Tibet Action Institute has been a key civil society organization at the forefront of cyber-offensive of the Chinese government. A recent documentary by the Institute, titled 'Tibet: Frontline of the New Cyberwar,' has narrated how it has worked closely with the Citizen Lab, Munk School of Global Affairs, University of Toronto, to identify, trace, and resist the malware- and other cyber-attacks experienced by the civil society actors and websites in favor of independence of Tibet (Tibet Action Institute 2015). Not only activists supporting the Tibetan cause, digital security training emerged as an important aspect of the life of civil society organizations during the decade. Asian organizations like Bytes for All (Pakistan) and Myanmar ICT for Development Organization (Mynamar), as well as international organizations like Front Line Defenders and Citizen Lab have educated and supported civil society activities much beyond the Internet governance sphere with tools and techniques for effectively using digital channels of communications, and defending themselves for cyber-threats.

Combination of traditional forms of civil society mobilizations and digital techniques have often been used resist attempts by Asian governments to control the online communication space. Huma Yusuf has extensively studied the emergence of hybrid media strategies, using both old media channels like newspapers and new media channels like blogs and video sharing platforms, among citizen journalists and civil society activists in Pakistan as the government took harsh steps towards control of both traditional and online media during 2007-2008 (Yusuf 2009). She has carefully traced how possibilities of new forms of information and media sharing enabled by Internet were initially identified and implemented by citizen journalists and student activists, which was quickly learned and re-deployed by more formal organisation, such as print and electronic news companies, and civil society organizations like those involved in election monitoring (Ibid.). Malaysia also experienced fast-accelerating face-off between the government and the civil society during 2007-2010, as the former started intervening directly into censoring blogs and newspaper websites. On one hand, the government took legal actions against critical bloggers, either directly or indirectly, and on the other it instructed ISPs to block 'offensive content.' It also borrowed the 'Singapore-model' to mandate registration of bloggers with government authorities, if they are identifed as writing on socio-political topics. The civil society actors responded to these oppressive steps by setting up a new blog dedicated to coverage of the defamation cases (filed against prominent bloggers), and publicly sharing instructions for circumvention of the blocks imposed by ISPs. The National Alliance of Bloggers was soon formed, which organised the “Blogs and Digital Democracy” forum on October 3, 2007 (Thien 2011: 46-47). Similarly, Bloggers Against Censorship campaign took shape in India in 2006 as the government first directed ISPs to block specific blogs hosted on Blogspot, TypePad, and Yahoo! Geocities, and then went for complete blocking of Yahoo! Geocities as the ISPs failed to block specific sub-domains of the platform (Bloggers Collective Group 2006). Learning from this experience, the following year Indian government decided to work directly with Orkut to take down 'defamatory content' about a politician (The Economic Times 2007). This is common for other Asian governments too, as they have continued to develop more legally binding and technically sophisticated measures to monitor and control online expression.

In the 'Internet Enemies Report 2012,' Reporters without Borders listed 12 countries as 'enemies of the Internet,' out of which 10 were from Asia – Bahrain, China, Iran, Myanmar, North Korea, Saudi Arabia, Syria, Turkmenistan, Uzbekistan, and Vietnam – and it named 14 countries that are conducting surveillance on its citizens, out of which 7 were from Asia – India, Kazakhstan, Malaysia, South Korea, Sri Lanka, Thailand, and United Arab Emirates (Reporters without Borders 2012). At the APrIGF held in Tokyo, July 18-20, 2012, a group of delegates from civil society organizations working in the South-East Asian region issued a joint statement with a clear call for global action against the shrinking space for freedom of (digital) expression in the region (Thai Netizen Network et al 2012). They specifically noted the following national acts as examples of the legislative mechanisms being used by different Asian governments to criminalize online speech and/or to harass public dissenters:

Burma – The 2004 Electronic Transactions Act
Cambodia – The 2012 Draft Cyber-Law, the 1995 Press Law, and the 2010 Penal Code
Malaysia – The 2012 Amendment to the Evidence Act and the 2011 Computing Professionals Bill
Indonesia – The 2008 Law on Information and Electronic Transaction and the 2008 Law on Pornography
The Philippines – The 2012 Data Privacy Act
Thailand – The 2007 Computer Crimes Act, the Article 112 of the Penal Code, and the 2004 Special Case Investigation Act
Vietnam – The 1999 Penal Code, the 2004 Publishing Law, the 2000 State Secrets Protection Ordinance, and the 2012 Draft Decree on Internet Management. (Ibid.)

The statement was co-signed by Thai Netizen Network, Thai Media Policy Centre, The Institute for Policy Research and Advocacy (ELSAM), Southeast Asian Press Alliance (SEAPA), Southeast Asian Centre for e-Media (SEACeM), Victorius (Ndaru) Eps, Community Legal Education Center (CLEC), Sovathana (Nana) Neang, Asian Forum for Human Rights and Development (FORUM-ASIA), and was endorsed by ICT Watch (Indonesian ICT Partnership Association).

Annexe – Tables

Table 1: Participation from Asian Countries and of representatives from Asian civil society organisations in IGFs, 2006-2010

Event	Participants from Asian Countries	Participants from Civil Society Organizations
IGF Athens 2006	11%	29%
IGF Rio de Janeiro 2007	13%	32%
IGF Hyderabad 2008	56% from India, and 15% from other Asian countries	25%
IGF Sharm El Sheikh 2009	17%	19%
IGF Vilnius 2010	Not Available	Not Available

Source: Reports available on Internet Governance Forum website (http://igf.wgig.org/cms).

Table 2: Internet Society Chapters in Asia

Chapter	Year of Establishment	URL
Afghanistan	In formation	Not available
Bahrain	2001	http://www.bis.org.bh/
Bangladesh	2011	http://www.isoc.org.bd/dhaka/
Hong Kong	2005	http://www.isoc.hk/
India (Bangalore)	2010	http://www.isocbangalore.org/
India (Chennai)	2007	http://www.isocindiachennai.org/
India (Delhi)	2002. Rejuvenated in 2008.	http://www.isocdelhi.in/
India (Kolkata)	2009	http://isockolkata.in/
India (Trivandrum)	2015	Not available
Indonesia	2014	http://www.isoc.or.id/
Israel	1995	http://www.isoc.org.il/
Japan	1994	http://www.isoc.jp/
Lebanon	2010	http://www.isoc.org.lb/
Malaysia	2010	http://www.isoc.my/
Nepal	2007	http://www.internetsociety.org.np/
Pakistan (Islamabad)	2013	http://www.isocibd.org.pk/
Palestine	2002	http://www.isoc.ps/
Philippines	1999. Rejuvenated in 2009.	https://www.facebook.com/isoc.ph/
Qatar	2011	http://www.isoc.qa/
Republic of Korea	2014	Not available
Singapore	2011	http://isoc.sg/
Sri Lanka	2010	http://www.isoc.lk/
Taipei	1996	http://www.isoc.org.tw/
Thailand	1996	http://www.isoc-th.org/
United Arab Emirates	2007	http://www.isocuae.com/
Yemen	2013	http://isoc.ye/

Source: Details of chapters available on Internet Society website (http://www.internetsociety.org/).

Reference

Aizu, Izumi et al. 2002. Joint Statement from Asia Civil Society Forum Participants on World Summit on the Information Society (WSIS). December 13. Accessed on July 08, 2015 from http://www.wsisasia.org/wsis-acsf2002/wsis-acsfdec13f.doc.

Asia Pacific Regional Internet Governance Forum (APrIGF). 2010. APrIGF Roundtable – June 15th, 2010: Session 1 – Welcome Remarks and Introduction – Real Time Transcript. Accessed on July 08, 2015 from http://2010.rigf.asia/aprigf-roundtable-june-15th-2010-session-1/.

Bloggers Collective Group. 2006. Bloggers Against Censorship. Last updated on April 30, 2009‎. Accessed on July 08, 2015, from http://censorship.wikia.com/wiki/Bloggers_Against_Censorship.

Civil Society Internet Governance Caucus. 2006. Internet Governance Caucus Charter. October 14. Accessed on July 08, 2015, from http://igcaucus.org/old/IGC-charter_final-061014.html.

Civil Society Internet Governance Caucus. 2008a. Inputs for the Open IGF Consultation, Geneva, 26th February, 2008 – Statement II: Main Session Themes for IGF, Hyderabad. February 26. Accessed on July 08, 2015, from http://igcaucus.org/old/IGC%20-%20Main%20themes%20for%20IGF%20Hyd.pdf.

Civil Society Internet Governance Caucus. 2008b. Inputs for the Open IGF Consultation, Geneva, 26th February, 2008 – Statement III: Renewal / Restructuring of Multi-stakeholder Advisory Group. February 26. Accessed on July 08, 2015, from http://igcaucus.org/old/IGC%20-%20MAG%20Rotation.pdf.

Desai, Nitin, et al. 2005. Report of the Working Group on Internet Governance. United June. Accessed on July 08, 2015 from http://www.wgig.org/docs/WGIGREPORT.pdf.

Garden Networks for Freedom of Information. 2004. Breaking through the “Golden Shield.” Open Society Institute. November 01. Accessed on July 08, 2015 from https://www.opensocietyfoundations.org/sites/default/files/china-internet-censorship-20041101.pdf.

George, Susanna. 2002. Women and New Information and Communications Technologies: The Promise of Empowerment. Presented at The World Summit on the Information Society: An Asian Response Meeting, November 22-24. Accessed on July 08, 2015 from http://www.wsisasia.org/materials/susanna.doc/.

Gurumurthy, Anita, & Parminder Jeet Singh. 2005. WSIS PrepCom 2: A South Asian Perspective. Association for Progressive Communications. April 01. Accessed on July 08, 2015, from https://www.apc.org/en/news/hr/world/wsis-prepcom-2-south-asian-perspective.

Internet Governance Forum (IGF). 2006. Athens 2006 – List of Participants. Accessed on July 08, 2015, from http://www.intgovforum.org/PLP.html.

Internet Governance Forum (IGF). 2008. Arrangements for Internet Governance, Global and National/Regional. IGF Hyderabad, India. December 5. Accessed on July 08, 2015, from https://web.archive.org/web/20130621205004/http://www.intgovforum.org/cms/hyderabad_prog/AfIGGN.html [Original URL: http://www.intgovforum.org/cms/hyderabad_prog/AfIGGN.html].

Internet Governance Forum (IGF). 2009. Taking Stock and Looking Forward – On the Desirability of the Continuation of the Forum, Part II. IGF Sharm El Sheikh, Egypt. November 18. Accessed on July 08, 2015, from http://www.intgovforum.org/cms/2009/sharm_el_Sheikh/Transcripts/Sharm%20El%20Sheikh%2018%20November%202009%20Stock%20Taking%20II.txt.

Internet Governance Forum (IGF). 2010. Taking Stock of Internet Governance and the Way Forward. IGF Vilnius, Lithuania. September 17. Accessed on July 08, 2015, from http://igf.wgig.org/cms/component/content/article/102-transcripts2010/687-taking-stock.

International Campaign for Tibet. 2004. Chinese Authorities Institute Internet ID Card System in Tibet for Online Surveillance. April 30. Accessed on July 08, 2015, from http://www.savetibet.org/chinese-authorities-institute-internet-id-card-system-in-tibet-for-online-surveillance/.

International Telecommunication Union (ITU). 2003a. PrepCom-2 / 17-28 February 2003 – Final List of Participants. February 28. Accessed on July 08, 2015, from http://www.itu.int/wsis/participation/prepcom2/prepcom2-cl.pdf.

International Telecommunication Union (ITU). 2003b. Geneva Phase of the WSIS: List of Participants. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/geneva/summit_participants.pdf.

Jain, Rekha. 2006. Participation of Developing Countries in the World Summit on the Information Society (WSIS) Process: India Case Study. Association for Progressive Communications. March. Accessed on July 08, 2015 from http://rights.apc.org/documents/wsis_india.pdf.

Reporters without Borders. 2006. List of the 13 Internet Enemies. Last updated on August 28, 2007. Accessed on July 08, 2015 from http://en.rsf.org/list-of-the-13-internet-enemies-07-11-2006,19603.

Reporters without Borders. 2012. Internet Enemies Report 2012. Accessed on July 08, 2015 from http://en.rsf.org/IMG/pdf/rapport-internet2012_ang.pdf.

Souter, David. 2007. WSIS and Civil Society. In: Whose Summit? Whose Information Society? Developing Countries and Civil Society at the World Summit on the Information Society. With additional research by Abiodun Jagun. Association for Progressive Communications. Pp. 72-89. Accessed on July 08, 2015 from http://rights.apc.org/documents/whose_summit_EN.pdf.

Thai Netizen Network et al. 2012. Southeast Asian Civil Society Groups Highlight Increasing Rights Violations Online, Call for Improvements to Internet Governance Processes in the Region. Statement of Civil Society Delegates from Southeast Asia to 2012 Asia-Pacific Regional Internet Governance Forum (APrIGF). July 31. Accessed on July 08, 2015 from https://freedomhouse.org/sites/default/files/AprIGF-Joint%20Statement-FINAL.pdf.

The Economic Times. 2007. Orkut's Tell-All Pact with Cops. May 01. Accessed on July 08, 2015 from http://articles.economictimes.indiatimes.com/2007-05-01/news/28459689_1_orkut-ip-addresses-google-spokesperson.

The World Summit on the Information Society: An Asian Response. 2002. Final Document. Accessed on July 08, 2015 from http://www.wsisasia.org/materials/finalversion.doc.

Thien, Vee Vian. 2011. The Struggle for Digital Freedom of Speech: The Malaysian Sociopolitical Blogosphere’s Experience. In: Ronald Deibert et al. (eds.) Access Contested. OpenNet Initiative. Pp. 43-63. Accessed on July 08, 2015 from http://access.opennet.net/wp-content/uploads/2011/12/accesscontested-chapter-03.pdf.

Tibet Action Institute. 2015. Tibet: Frontline of the New Cyberwar. YouTube. January 27. Accessed on July 08, 2015 from https://www.youtube.com/watch?v=yE3AQqbGVkk.

UNSAJ et al. 2003. Civil Society Observations and Response to the Tokyo Declaration. Asia-Pacific Regional Conference on the World Summit on the Information Society. January 15. Accessed on July 08, 2015 from http://www.wsisasia.org/wsis-tokyo/tokyo-statement.html.

Wang, Stephanie. 2007. Internet Filtering in Asia in 2006-2007. OpenNet Initiative. Accessed on July 08, 2015, from https://opennet.net/studies/asia2007.

WSIS Civil Society Internet Governance Caucus. 2005. Initial Reactions to the WGIG Report. Contribution from GLOCOM on behalf of the WSIS Civil Society Internet Governance Caucus. July 19. Accessed on July 08, 2015, from www.itu.int/wsis/%20docs2/pc3/contributions/co23.doc.

WSIS Civil Society Plenary. 2003. “Shaping Information Societies for Human Needs” – Civil Society Declaration to the World Summit on the Information Society. December 8. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/geneva/civil-society-declaration.pdf.

WSIS Civil Society Plenary. 2005. “Much more could have been achieved” – Civil Society Statement on the World Summit on the Information Society. December 18. Accessed on July 08, 2015, from https://www.itu.int/wsis/docs2/tunis/contributions/co13.pdf.

WSIS Civil Society Subcommittee on Content and Themes. 2003a. “Seven Musts”: Priority Principles Proposed by Civil Society. February 25. Accessed on July 08, 2015, from http://www.movimientos.org/es/foro_comunicacion/show_text.php3%3Fkey%3D1484.

WSIS Civil Society Subcommittee on Content and Themes. 2003b. Final Report on Prepcom-2 Activities of the Civil Society on Content and Themes. March 27. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/pcip/misc/cs_sct.pdf.

WSIS Executive Secretariat. 2003. Report of the Asia-Pacific Regional Conference for WSIS (Tokyo, 13-15 January 2003). WSIS. Accessed on July 08, 2015, from http://www.itu.int/dms_pub/itu-s/md/03/wsispc2/doc/S03-WSISPC2-DOC-0006!!PDF-E.pdf.

Yusuf, Huma. 2009. Old and New Media: Converging during the Pakistan Emergency (March 2007 - February 2008). MIT Centre for Civic Media. January 12. Accessed on July 08, 2015, from https://civic.mit.edu/blog/humayusuf/old-and-new-media-converging-during-the-pakistan-emergency-march-2007-february-2008.

For more details visit https://cis-india.org/raw/civil-society-organisations-and-internet-governance-in-asia-open-review

Security: Privacy, Transparency and Technology

sunil — 2015-09-15T10:53:52Z

The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2.

Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.

Security and Privacy

Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." [1] Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." [2] Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology [3] should be seen as an increasingly key ingredient to the solution of that optimisation problem.

Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:

Data Retention: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.
Privacy-Protective Surveillance: Ann Cavoukian and Khaled El Emam [4] have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.
Fishing Expedition Design: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard [5] that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacypolicies/regulation. Authorised agencies would then hone in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.

An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.

If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.

Security and Transparency

There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.

Optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

The recent detection of the Heartbleed [6] security bug in Open SSL, [7] causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. [8]

At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.

In order words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.

Security and Technology

A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.

This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.

More Technology

Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.

Latest Technology

Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations makes it clear that some older technologies are harder to compromise in comparison to modern technology. [9] Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.

Complex Technology

Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." [10] This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly when it comes to authentication, a pin number is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.

In the following section of the paper we have identified five threat scenarios [11] relevant to India and identified solutions based on our theoretical framing above.

Threat Scenarios and Possible Solutions

Hacking the NIC Certifying Authority
One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). [12] In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. [13] Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. India’s Controller of Certifying Authority’s certificates issued are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. [14] In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. [15] Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." [16] The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties by the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. [17] The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date [18] and is no longer issuing digital certificates for the time being. [19]Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks due to fake digital certificates. [20] Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. [21]

‘Logic Bomb’ against Airports
Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. [22] In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. [23] Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.

Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and investigate into probable vulnerabilities.

Attack on Critical Infrastructure
The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. [24] The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. [25]

The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered [26] and connected to one or more Siemens programmable logic controllers. [27] The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. [28] The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.

Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.

Micro Level: Chip Attacks
Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. [29]

Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities [30] and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. [31]

Macro Level: Telecom and Network Switches

The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. [32] Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. [33]

Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. [34] Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. [35]

Security practitioners and policymakers need to avoid the zero-sum framing prevalent in popular discourse regarding security VIS-A-VIS privacy, transparency and technology.

A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals personal information at risk.

While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, [36] the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.

Conclusion

Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.

[1]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.

[2]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security commentary/security matters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.

[3]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.

[4]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information & Privacy Commisioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.

[5]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy”(presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.

[6]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.

[7]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.

[8]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.

[9]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.

[10]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

[11]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.

[12]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.

[13]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.

[14]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.

[15]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&context=jss.

[16]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.

[17]. Ibid.

[18]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.

[19]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.

[20]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.

[21]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertiaIndira.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.

[22]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal -3/.

[23]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121 htm.

[24]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.

[25]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.

[26]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.

[27]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.

[28]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.

[29]. Ibid.

[30]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.

[31]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.

[32]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.

[33]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-70 00010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.

[34]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.

[35]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.

[36]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.

For more details visit https://cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology