Centre for Internet and Society

India-EU Proposed FTA

praskrishna — 2013-07-10T08:49:44Z

For more details visit https://cis-india.org/a2k/blogs/india-eu-proposed-fta.pdf

India, Egypt say no thanks to free Internet from Facebook

praskrishna — 2016-02-03T01:49:25Z

ALWAR, India — Connecting people to the Internet is not easy in this impoverished farming district of wheat and millet fields, where working camels can be glimpsed along roads that curve through the low-slung Aravalli Hills.

The article by Annie Gowen was published in Washington Post on January 28, 2016. Sunil Abraham gave inputs.

So when Facebook chief executive Mark Zuckerberg helicoptered in about a year ago to visit a small computer lab and tout Internet for all, Osama Manzar, director of India’s Digital Empowerment Foundation, was thrilled.

But when Manzar tried Facebook’s limited free Internet service, he was bitterly disappointed. The app, called Free Basics, is a pared-down version of Facebook with other services such as weather reports and job listings.

“I feel betrayed — not only betrayed but upset and angry,” Manzar said. “He said we’re going to solve the problem with access and bandwidth. But Facebook is not the Internet.”

Zuckerberg launched his sweeping Internet.org initiative in 2013 as a way to provide 4 billion people in the developing world with Web access, which he says he sees as a basic human right.

But the initiative has hit a major snag in India, where in recent months Free Basics has been embroiled in controversy — with critics saying that the app, which provides limited access to the Web, does a disservice to the poor and violates the principles of “net neutrality,” which holds that equal access to the Internet should be unfettered to all.

Activist groups such as Save the Internet, professors from leading universities and tech titans such as Nandan Nilekani, the co-founder of Infosys, have spoken out against it. Another well-known Indian entrepreneur dubbed it “poor Internet for poor people.”

The debate escalated in recent weeks after India’s telecommunications regulator suspended Free Basics as it weighs whether such plans are fair, with new rules expected by the end of the month.

A week later, Free Basics was banned in Egypt with little explanation, prompting concern that the backlash could spread to other markets. More recently, Google pulled out of the app in Zambia after a trial period. An estimated 15 million people are using Free Basics in 37 countries, including 1 million in India.

[India’s Modi wants to woo Silicon Valley, but privacy fears grow at home]

“It’s a very important test case for what will be India’s network neutrality regime,” said Sunil Abraham of the Center for Internet and Society in Bangalore.

India’s debate could affect the way other countries address the question of whether it is fair for Internet service providers to price websites differently. The U.S. Federal Communications Commission’s rules on net neutrality went into effect only in June.

Officials at Facebook launched an advertising blitz to counteract the negative publicity. “Who could possibly be against this?” Zuckerberg wondered in a Times of India editorial on Dec. 28.

“I think we’ve been a bit surprised by the strong reaction,” said Chris Daniels, Facebook’s vice president for Internet.org. “Fundamentally, the reason for the surprise is that the program is doing good. It’s bringing people online who are moving onto the broader Internet.”

India, a country of 1.2 billion, has the second-highest number of Internet users in the world, but an estimated 80 percent of the population does not have Internet access.

India’s tech-savvy prime minister, Narendra Modi, is trying to combat this with an ambitious “Digital India” plan to link 250,000 village centers with fiber-optic cable and extend mobile coverage. He has turned to the Indian tech community as well as Silicon Valley for help, securing an agreement with Google to provide free WiFi in railway stations.

India has 130 million Facebook users, second only to the United States, and is a key market as the social-media giant looks to expand beyond the developed world, where its growth has slowed.

“If Facebook manages to get another half a billion users in India, that’s a valuable set of eyeballs to sell to a political party or corporation,” Abraham said.

[Is India the next frontier for Facebook?]

Facebook has long said that its program is about altruism, not eyeballs.

But it does reap new customers. Those who buy a SIM card from Facebook’s local mobile partner, Reliance Communications, are then prompted to pay for additional data. About 40 percent who sign up for Free Basics buy a data plan to move to the wider Web after 30 days, Daniels said.

The service is still running despite the India suspension. A Reliance spokesman said it is in “testing mode” and is not being promoted.

“The thing people forget about Free Basics is that it’s intended to be a temporary transition for people to give them a taste of the Internet and sign up. It’s a marketing program for the carrier in some sense,” said David Kirkpatrick, author of “The Facebook Effect.” But he added: “The idea that it’s some kind of alternative Internet that’s a discriminatory gesture to the poor is the prevailing view among the Indian intelligentsia. It’s fundamentally misunderstood.”

Facebook has pledged to open up to new scrutiny the selection process for companies with new applications, Daniels said. That is a response to concerns by many in India’s tech community that Facebook’s process put India’s fledgling start-ups at a disadvantage.

The project’s proponents say that India’s needs are so great it cannot afford to suspend one program that could help.

Mahesh Uppal, a telecommunications consultant, notes that more than 10 percent of the country does not have mobile phone coverage and that India’s progress in extending fiber-optic cable to village centers is proceeding at a glacial pace. Modi had set a goal of linking all 250,000 by 2016, but only 27,000 have cable so far and it is ready for use in only 3,200, according to a government report.

In comparison, some 80 percent of China’s villages are linked by broadband.

[Inside the Indian temple that draws America’s tech titans]

In Alwar district in the northern state of Rajasthan, many remember when Zuckerberg came to visit but fewer know about Free Basics.

“I’ve heard it’s free and by Facebook and you don’t have to pay for it,” said Umer Farukh, 43, a folk musician. “But I don’t think Facebook should control it. The Internet should be for everybody.”

Farukh has only been computer literate for two years, but he’s already emailing and using YouTube to post videos and promote his band.

He’s become such a proponent that he has donated space for one of Manzar’s computer centers — part of a government initiative to build cyber-hubs in minority communities — and encouraged the female members of his family to take classes, which is rare in his conservative community.

Farukh says that challenges to connecting India go far beyond data plans and fiber-optic cable or the government broadband that often sputters out. Wages are low, and hours are long. Only about half of the women in his state are literate, and about a quarter of the young women in his neighborhood are kept at home and not educated.

“This place is very backward,” he said. “India as a society is lagging far behind in terms of Internet.”

In the small nearby community of Roja Ka Baas, ringed by fields of blooming mustard greens, residents are still awaiting the opening of their planned WiFi center. They are struggling along on cheap mobile phones with slow 2G spectrum until then, they said.

Sakir Khan, 14, said that once the Internet finally arrived in this village, the first thing he would do would be to sign up for Facebook.

Farheen Fatima and Subuhi Parvez contributed to this report.

For more details visit https://cis-india.org/internet-governance/news/washington-post-annie-gowen-january-28-2016-india-egypt-say-no-thanks-to-free-internet-from-facebook

India's untapped potential: Are a billion people losing out because of spectrum?

Shyam Ponappa — 2012-12-14T10:31:43Z

As one of the world’s fastest growing economies and with over 65% of its billion-plus population under 35, India has huge potential. But according to Shyam Ponappa of the Centre for Internet & Society, its spectrum management – the electromagnetic waves that are used from home appliances like microwaves and remote controls, to radios, cell phones, and of course, the internet – could be a huge barrier to the country’s economic and social development.

Until the global economic downturn that began about two years ago, the economic model for spectrum distribution in India and many developing countries was based on the free market. But Ponappa demonstrates in a new report for APC that spectrum is worth treating as a public utility the way we do roads, electricity and other basic infrastructure, which would allow for people in rural areas to access spectrum-dependant services like mobile phones and wifi and increase quality of services for all.

Currently in India, as in most other countries, spectrum is being treated as a property, where “chunks” of spectrum are sold to the mobile phone and telecommunications operators with the highest bid. Commonly there are 3 – 4 operators in a developed country; however, in India there are up to sixteen. The extreme competition has resulted in the Indian bidders paying outrageous fees that they are never able to recuperate. So while the government makes a profit on the sale, this profit comes at a societal cost.

Ponappa proposes pooling spectrum and to have a set of network providers, who in turn serve operators for retail users. This effectively opens up the spectrum and could make costs ten or fifteen times cheaper than they are now.

“It is appropriate to push the concept of open spectrum in developed markets who underwent their development phase some 60 – 100 years ago and put in place basic infrastructure systems. But in countries like India and the Asian sub-continent, it does not make sense to do this because we are not at the same stage of economic development,” Ponappa told APCNews.

“When markets are well structured and organised,” he continues, “[government control] can be less effective and efficient for society as a whole, compared with open competition. However developing economies don’t have the integrated systems in place that advanced economies do. India does not have an adequately developed network of copper, optical fibre or microwaves covering most of its population. And we are at a stage of development at which infrastructure is a fundamental determinant of productivity, as well as of a reasonable quality of life.”

Ponappa argues that in India’s case it would be advisable for governments to work with other stakeholders – corporations, state-owned agencies, and civil society – on a collaborative solution. “It would be much more conducive to a sound economy to have either the government step in and open up the commercial spectrum, or to have two to three main operators (possibly subsidised, but not necessarily) as we do with the provision of utilities,” he says. Yet, the free market mentality continues to reign, and a surfeit of operators is trying to make a profit in the telecommunications wireless sector.

Everybody wants a piece of the pie

In India, every operator is assigned a sliver of spectrum for their exclusive use and the rest is assigned to the government, the public sector and defence.

The result is high-cost infrastructure for operators (setting up networks with multiple sets of more advanced equipment because of the limited spectrum, with the capital constraints resulting in less extensive networks in rural areas) as well as for users (who have to pay for all this equipment).

“Too many operators make for increased capital costs for each operator, and cumulatively for all operators,” Ponappa explains.

And these higher costs are increasingly difficult to recover from consumer-generated revenue, as India undergoes huge price wars. Many operators may eventually go bankrupt. While no consumers ever complain about low costs –and India has some of the world’s lowest mobile rates– they will complain about poor quality and unreliable service. Consequently, consumers may not have to pay much to use mobile services, but they may not always be able to make or receive calls when they need to, and do not have access to broadband.

While most countries have moved on to 3G networks (which has more capacity for a given spectrum band than 2G, meaning better call quality) as many as four of India’s sixteen operators have not even developed their 2G networks. Making the switch to 3G seems like a good idea, but there are substantial costs associated with deploying these more advanced techniques to both operators (for network upgrades) and for end users (in terms of new handsets).

Too much competition in this case has made operators inefficient.

Spectrum as a national common good

If spectrum were treated as if it were a public utility, posits Ponappa, each operator would have access to a bigger chunk of spectrum, and the traffic-handling capacity of each would increase at a lower cost.

“With the current model the capacity of networks is suffering because networks cannot afford to expand or make technical improvements without economic losses. Other infrastructure services such as electricity and water supply are managed by utility companies, which are typically monopolies for a product-segment, or duopolies for purposes of competition. So why not treat spectrum the same way?” suggests Ponappa.

Ponappa suggests treating networks, and spectrum as a part of networks, as we would an oil pipeline, where everyone accesses the same one, and pays a fee for its use.

This would bring more people onto the network and increase revenues, since operating costs would be shared. The more revenue it can generate, the more efficient operators will be, using the same high-capacity circuits. The more revenue the main operators have, the more they could invest in up-to-date technology to extend their networks and provide a better service to clients. The better the technology, the more people could access the internet and other now vital sources of information, as well as focus on broadband and infrastructure to the country’s isolated rural areas, which today have rudimentary communications infrastructure.

India’s rural populations, the lost resource

As a predominantly rural country, lack of basic IT infrastructure means that the largest segment of India’s population has no access to information and communications technologies.

Ponappa grew up on a farm in a rural area some 200 km from Bangalore where even fixed line phone networks were unreliable. “We have multiple telephone lines because we never know which one will work,” he says.

Given India’s massive rural population, this means that there are hundreds of millions of people that are unable to access the internet. Services like quality distance education are not even an option if basic infrastructure such as fixed telephone lines is not in place and the country itself is losing out on the incalculable potential of this untapped human resource.

Download the report here [pdf - 280 kb]

See the report in the APC website

This article was written as part of the APC’s project work on Spectrum for development, an initiative that aims to provide an understanding of spectrum regulation by examining the situation in Africa, Asia and Latin America.

Photo by kiwanja. Used with permission under Creative Content licensing.

For more details visit https://cis-india.org/telecom/blog/untapped-potential

India's Statement Proposing UN Committee for Internet-Related Policy

pranesh — 2011-10-31T15:28:04Z

This is the statement made by India at the 66th session of the United Nations General Assembly, in which its proposal for the UN Committee for Internet-Related Policy was presented.

66th Session of the UN General Assembly

New York. October 26, 2011.

Agenda Item 16: Information and Communications

Technologies for Development (ICT): Global Internet Governance

Statement by India

Mr. Chairman,

We thank the Secretary-General for his report on enhanced cooperation on public policy issues pertaining to the Internet, contained in document A/66/77, which provides a useful introduction to the discussions under this agenda item.

As a multi-ethnic, multi-cultural and democratic society with an open economy and an abiding culture of pluralism, India emphasizes the importance that we attach to the strengthening of the Internet as a vehicle for openness, democracy, freedom of expression, human rights, diversity, inclusiveness, creativity, free and unhindered access to information and knowledge, global connectivity, innovation and socio-economic growth.

We believe that the governance of such an unprecedented global medium that embodies the values of democracy, pluralism, inclusion, openness and transparency should also be similarly inclusive, democratic, participatory, multilateral and transparent in nature.

Indeed, this was already recognized and mandated by the Tunis Agenda in 2005, as reflected in paragraphs 34, 35, 56, 58, 59, 60, 61 and 69 of the Agenda. Regrettably, in the six long years that have gone by, no substantial initiative has been taken by the global community to give effect to this mandate.

Meanwhile, the internet has grown exponentially in its reach and scope, throwing up several new and rapidly emerging challenges in the area of global internet governance that continue to remain inadequately addressed. It is becoming increasingly evident that the Internet as a rapidly-evolving and inherently global medium, needs quick-footed and timely global solutions and policies, not divergent and fragmented national policies.

The range and criticality of these pressing global digital issues that continue to remain unaddressed, are growing rapidly with each passing day. It is, therefore, urgent and imperative that a multilateral, democratic participative and transparent global policy-making mechanism be urgently instituted, as mandated by the Tunis Agenda under the process of ‘Enhanced Co-operation’, to enable coherent and integrated global policy-making on all aspects of global Internet governance.

Operationalizing the Tunis mandate in this regard should not be viewed as an attempt by governments to “take over” or “regulate and circumscribe” the internet. Indeed, any such misguided attempt would be antithetical not only to the internet, but also to human welfare. As a democratic and open society that has historically welcomed outside influences and believes in openness to all views and ideas and is wedded to free dialogue, pluralism and diversity, India attaches great importance to the preservation of the Internet as an unrestricted, open and free global medium that flourishes through private innovation and individual creativity and serves as a vehicle for open communication, access to culture, knowledge, democratization and development.

India recognizes the role played by various actors and stakeholders in the development and continued enrichment of the internet, and is firmly committed to multi-stakeholderism in internet governance, both at the national and global level. India believes that global internet governance can only be functional, effective and credible if all relevant stake-holders contribute to, and are consulted in, the process.

Bearing in mind the need for a transparent, democratic, and multilateral mechanism that enables all stakeholders to participate in their respective roles, to address the many cross-cutting international public policy issues that require attention and are not adequately addressed by current mechanisms and the need for enhanced cooperation to enable governments, on an equal footing, to carry out their roles and responsibilities in international public policy issues pertaining to the Internet, India proposes the establishment of a new institutional mechanism in the United Nations for global internet-related policies, to be called the United Nations Committee for Internet-Related Policies (CIRP). The intent behind proposing a multilateral and multi-stakeholder mechanism is not to “control the internet’’ or allow Governments to have the last word in regulating the internet, but to make sure that the Internet is governed not unilaterally, but in an open, democratic, inclusive and participatory manner, with the participation of all stakeholders, so as to evolve universally acceptable, and globally harmonized policies in important areas and pave the way for a credible, constantly evolving, stable and well-functioning Internet that plays its due role in improving the quality of peoples’ lives everywhere.

The CIRP shall be mandated to undertake the following tasks:

Develop and establish international public policies with a view to ensuring coordination and coherence in cross-cutting Internet-related global issues;
Coordinate and oversee the bodies responsible for technical and operational functioning of the Internet, including global standards setting;
Facilitate negotiation of treaties, conventions and agreements on Internet-related public policies;
Address developmental issues related to the internet;
Promote the promotion and protection of all human rights, namely, civil, political, social, economic and cultural rights, including the Right to Development;
Undertake arbitration and dispute resolution, where necessary; and,
Crisis management in relation to the Internet.

The main features of CIRP are provided in the annex to this statement. In brief, the CIRP will comprise 50 Member States chosen on the basis of equitable geographical representation, and will meet annually for two working weeks in Geneva. It will ensure the participation of all relevant stakeholders by establishing four Advisory Groups, one each for civil society, the private sector, inter-governmental and international organizations, and the technical and academic community. The Advisory Groups will provide their inputs and recommendations to the CIRP. The meetings of CIRP and the advisory groups will be serviced by the UNCTAD Secretariat that also services the meetings of the Commission on Science and Technology for Development. The Internet Governance Forum will provide inputs to CIRP in the spirit of complementarity between the two. CIRP will report directly to the General Assembly and present recommendations for consideration, adoption and dissemination among all relevant inter-governmental bodies and international organizations. CIRP will be supported by the regular budget of the United Nations; a separate Fund would be set up by drawing from the domain registration fees collected by various bodies, in order to mainly finance the Research Wing to be established by CIRP to support its activities.

Those familiar with the discourse on global internet governance since the beginning of the WSIS process at the turn of the millennium, will recognize that neither the mandated tasks of the CIRP, nor its proposed modalities, are new. The Working Group on Internet Governance (WGIG) set up by the UN Secretary- General had explicitly recognized the institutional gaps in global internet governance and had proposed four institutional models in its report to the UN General Assembly in 2005. The contours of the CIRP, as proposed above, reflect the common elements in the four WGIG institutional models. While the excellent report of the WGIG was much discussed and deliberated in 2005, unfortunately, no concrete follow-up action was taken to give effect to its recommendations on the institutional front. We hope that this anomaly will be redressed at least six years later, with the timely establishment of the CIRP.

In order to operationalize this proposal, India calls for the establishment of an open-ended working group under the Commission on Science and Technology for Development for drawing up the detailed terms of reference for CIRP, with a view to actualizing it within the next 18 months. We are open to the views and suggestions of all Member States, and stand ready to work with other delegations to carry forward this proposal, and thus seek to fill the serious gap in the implementation of the Tunis Agenda, by providing substance and content to the concept of Enhanced Co-operation enshrined in the Tunis Agenda.

Thank you, Mr. Chairman.

***

Annex

The United Nations Committee for Internet-Related Policies (CIRP)

The United Nations Committee for Internet-Related Policies (CIRP) will have the following features:

Membership: The CIRP will consist of 50 Member States of the United Nations, chosen/elected on the basis of equitable geographical representation. It will provide for equitable representation of all UN Member States, in accordance with established UN principles and practices. It will have a Bureau consisting of one Chair, three Vice-Chairs and a Rapporteur.

Meetings: The CIRP will meet annually for two working weeks in Geneva, preferably in May/June, and convene additional meetings, as and when required. The UNCTAD Secretariat will provide substantive and logistical support to the CIRP by servicing these meetings.

Multi-stakeholder participation: Recognizing the need to involve all stakeholders in Global Internet Governance in their respective roles, the CIRP shall ensure the participation of all stakeholders recognized in the Tunis Agenda. Four Advisory Groups – one each for Civil Society, the Private Sector, Inter-Governmental and International Organisations, and the Technical and Academic Community - will be established, to assist and advise the CIRP. These Groups would be self-organized, as per agreed principles, to ensure transparency, representativity and inclusiveness. The Advisory Groups will meet annually in Geneva and in conjunction with any additional meetings of the CIRP. Their meetings will be held back-to- back with the meetings of the CIRP, so that they are able to provide their inputs and recommendations in a timely manner, to the CIRP.

Reporting: The CIRP will report directly to the UN General Assembly annually, on its meetings and present recommendations in the areas of policy and implementation for consideration, adoption and dissemination to all relevant inter-governmental bodies and international organizations. .

Research Wing: The Internet is a rapidly-evolving and dynamic medium that throws up urgent and rapidly-evolving challenges that need timely solutions. In order to deal effectively and prudently with these emerging issues in a timely manner, it would be vital to have a well-resourced Research Wing attached to the CIRP to provide ready and comprehensive background material, analysis and inputs to the CIRP, as required.

Links with the IGF: Recognizing the value of the Internet Governance Forum as an open, unique forum for multi-stakeholder policy dialogue on Internet issues, the deliberations in the IGF along with any inputs, background information and analysis it may provide, will be taken as inputs for consideration of the CIRP. An improved and strengthened IGF that can serve as a purposeful body for policy consultations and provide meaningful policy inputs to the CIRP, will ensure a stronger and more effective complementarity between the CIRP and the IGF.

Budget: Like other UN bodies, the CIRP should be supported by the regular budget of the United Nations. In addition, keeping in view its unique multi-stakeholder format for inclusive participation, and the need for a well-resourced Research Wing and regular meetings, a separate Fund should also be set up drawing from the domain registration fees collected by various bodies involved in the technical functioning of the Internet, especially in terms of names and addresses.

***

Excerpts from the Tunis Agenda

Paragraph 34 of the Tunis Agenda defines Internet Governance as “the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet”.

Paragraph 35 reaffirms the respective roles of stakeholders as follows: “(a) Policy authority for Internet-related public policy issues is the sovereign right of States. They have rights and responsibilities for international Internet-related public policy issues”. (b) The private sector has had, and should continue to have, an important role in the development of the Internet, both in the technical an economic fields. (c) Civil society has also played an important role on Internet matters, especially at community level, and should continue to play such a role. (d) Intergovernmental organizations have had, and should continue to have, a facilitating role in the coordination of Internet-related public policy issues. (e) International organizations have also had and should continue to have an important role in the development of Internet-related technical standards and relevant policies.”

While delineating the respective roles of stakeholders, Paragraph 56 recognizes the need for an inclusive, multi-stakeholder approach by affirming that “The Internet remains a highly dynamic medium and therefore any framework and mechanisms designed to deal with Internet governance should be inclusive and responsive to the exponential growth and fast evolution of the Internet as a common platform for the development of multiple applications”.

Paragraph 58 recognizes “that Internet governance includes more than Internet naming and addressing. It also includes other significant public policy issues such as, inter alia, critical Internet resources, the security and safety of the Internet, and developmental aspects and issues pertaining to the use of the Internet”.

Paragraph 59 further recognizes that “Internet governance includes social, economic and technical issues including affordability, reliability and quality of service”. Paragraph 60 further recognizes that “there are many cross-cutting international public policy issues that require attention and are not adequately addressed by the current mechanisms”.

Paragraph 61 of the Tunis Agenda therefore concludes that “We are convinced that there is a need to initiate, and reinforce, as appropriate, a transparent, democratic, and multilateral process, with the participation of governments, private sector, civil society and international organisations, in their respective roles. This process could envisage creation of a suitable framework or mechanisms, where justified, thus spurring the ongoing and active evolution of the current arrangements in order to synergize the efforts in this regard”.

Paragraph 69 further recognizes “the need for enhanced cooperation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues”.

***

For more details visit https://cis-india.org/internet-governance/blog/india-statement-un-cirp

India's social media crackdown reveals clumsy govt machinery

praskrishna — 2012-08-25T06:11:30Z

"High-handed" and "reckless" are some of the words used in the media to describe the government's online crackdown.

Published in Reuters on August 24, 2012. Pranesh Prakash is quoted.

Add clumsy and incompetent to the list.

The government blocked access to more than 300 web pages after mobile phone text messages and doctored website images fuelled rumours that Muslims were planning revenge attacks for violence in Assam.

Much has been said and debated on the legal and moral legitimacy of the ban. But it's also important to study how officials went about deciding what to ban.

In his analysis of leaked government directives listing web pages to be banned, Pranesh Prakash of the Centre for Internet and Society said the list consists of people and pages who are actually debunking hateful rumours.

Twitter accounts of mainstream journalists and YouTube videos containing news clips from news channels like TimesNow, NDTV and Britain's Channel4 were included.

A glance at the list also shows that the banned pages include a Google Plus search page aggregating news stories posted on the topic "Assam riots." The government might as well ban Google.com, where anyone can do the same thing and much more.

It seems the government had no set procedure in trying to trace abusive content on the web. We don't know how they drew up the lists of sites to target, but it may have happened like this:

As northeast Indians began their exodus from cities fearing attacks, ministers and top bureaucrats went into a huddle and decided in all sincerity they must stop the spread of false information.

The task of quickly identifying malicious online content was given to lower ranking officials. Since there are no set procedures on how to scour the vast virtual universe and choose which offending pages to ban, the most likely step they took was to open Google and start typing in words related to the recent unrest, apart from trawling popular social sites.

The resulting list tells us that the official who vetted the selected pages was not too committed or had minimal online skills. Some of the pages are not even web addresses.

On Friday, the Times of India newspaper website (Read here) reported that the Twitter account of junior Communications and IT minister Milind Deora was blocked instead of the Deora imposter the government was trying to target.

Such amateurishness is not restricted to technology issues alone. There are many examples of clueless officials left red-faced in the face of public scrutiny.

Last year, the country's premier investigating agency, the CBI, had to withdraw a version of its list of India's 50 Most Wanted fugitives after it was revealed that one was already in jail and another living with his family after getting bail. The Central Statistics Office made a goof-up with the index of industrial production for January 2012, revising growth to 1.14 percent after initially putting it at 6.8 percent, a huge gap.

One of the most baffling gaffes happened in 2010 when the Directorate of Advertising and Visual Publicity issued a full-page ad on the occasion of National Girl Child Day featuring the photograph of a male former Pakistan Air Chief Marshal who appeared alongside Indian cricketers Kapil Dev and Virender Sehwag.

But the cake must go to External Affairs Minister S.M. Krishna. He read out his Portuguese counterpart's speech while addressing the United Nations Security Council.

(David Lalmalsawma is a Reuters journalist. The opinions expressed here are his own and not of Reuters. You can follow him on Twitter @david_reuters)

For more details visit https://cis-india.org/news/in-reuters-com-david-lalmalsawma-aug-24-2012-indias-social-media-crackdown-reveals-clumsy-govt-machinery

India's Ratification of the Marrakesh Treaty Celebrated; Accessible Books Consortium Launched

nehaa — 2014-07-01T11:09:08Z

On Day 1 of the 28th Session of the World Intellectual Property Organization (“WIPO”) Standing Committee on Copyright and Related Rights (“SCCR”), the WIPO organized an event to mark India’s ratification of the Marrakesh Treaty to Facilitate Access to Published Works for Persons Who Are Blind, Visually Impaired or Otherwise Print Disabled, 2013 (“Marrakesh Treaty”), and to launch the Accessible Books Consortium (“ABC”).

India Becomes the First Country to Ratify the Marrakesh Treaty

Francis Gurry, Director General, WIPO said that the Marrakesh Treaty received 79 signatures in the twelve month period that the treaty was open for signatures. He further said that India’s ratification of the Marrakesh Treaty one year from its conclusion was a “WIPO record of sorts” and a “great example from a major country” of the importance attached to the Marrakesh Treaty.

Dilip Sinha, Ambassador and Permanent Representative of India to the United Nations in Geneva handed over India’s Instrument of Accession to the Marrakesh Treaty to Francis Gurry. Ambassador Sinha in his speech stressed on the importance of the Marrakesh Treaty to India and said that it helped that India had its amendments to its Copyright Act, 1957 in place, incorporating the provisions of the Marrakesh Treaty.

Maryanne Diamond, the Immediate Past President of the World Blind Union (“WBU”) congratulated India on its ratification. Calling it a country who showed “huge leadership” in negotiations of the Marrakesh Treaty, Ms. Diamond said that this ratification was extremely significant, with India being home to a large number of blind and print disabled people and a part of the Global South. Ms. Diamond urged other nations to follow India’s example and make it a priority to ratify the Marrakesh Treaty.

Jens Bammel, Secretary General, International Publishers Association (“IPA”) also congratulated India on its ratification of the Marrakesh Treaty and called on other member states to ratify it.

Accessible Books Consortium Launched

At the launch of the ABC, Mr. Gurry said that the Marrakesh Treaty was only the means to an end, where the end was books in the hands of print disabled and visually impaired persons across the world. “To make it operational,” said Mr. Gurry, “we need to have operational activities.” He said that the ABC was an operational activity which would “breathe life” into and “make operational” the legal framework provided by the Marrakesh Treaty.

What Does it Do?

Mr. Gurry said that the ABC aimed at achieving three things- first, capacity building; second, international book exchange and third, international book exchange.

Capacity Building- Mr. Gurry said that the ABC seeks to provide training on accessible book production and distribution. He thanked the Republic of Korea which has committed to providing financial assistance for training in respect of production of books in accessible formats.
International Book Exchange- Mr. Gurry said that this activity was an IT supported facility, namely, the TIGAR Service which has its origins in India. This would allow participating institutions to perform international searches of databases to find out if accessible formats of books are available.
Inclusive Publishing- Mr. Gurry said that at the end of the day, “books should be born accessible” and technology was creating the “promise of the realization of this aspiration.” Mr. Gurry said that the ABC would promote accessible publishing and to this end, had drawn up a charter of accessible publishing- Accessible Publishing Best Practice Guidelines for Publishers. Elsevier is the first publisher to have signed this charter.

India, WBU and IPA delighted

Praising the ABC, Ambassador Sinha called it an indicator of what multi-stakeholder cooperation needs to do. He said that the ABC would assist organizations such as the DAISY Forum of India in achieving the goal of access to books in accessible formats. Congratulating the WIPO for its efforts on this front, Ambassador Sinha said that this would help nations like India realize their goal of achieving the purposes of the Marrakesh Treaty. Ms. Diamond, representing the WBU congratulated Elsevier on signing the charter. Jens Bammel, on behalf of the IPA expressed concern for making books available in accessible formats for non English speakers. The ABC, he said, was a project initiated to “genuinely complement” the Marrakesh Treaty, and would create a global catalogue of accessible works, whether provided by libraries or by publishers. Expressing his delight that the ABC was being supported equally by all stakeholders, Mr. Bammel reached out to member states to support this initiative politically.

For more details visit https://cis-india.org/accessibility/blog/indias-ratification-of-marrakesh-treaty-celebrated

India's Opening Statement on the Treaty for the Visually Impaired at SCCR 24

pranesh — 2012-07-23T15:24:26Z

This was the opening statement of the Indian delegation, delivered by G.R. Raghavender, on Thursday, July 19, 2012, at the 24th meeting of the SCCR at WIPO in Geneva. The statement called upon all countries to conclude textual work on the treaty and call for a Diplomatic Conference to finalize it. This statement received applause, which is highly unusual at the SCCR.

Thank you, Mr. Chairman.

The Indian delegation is a little bit disappointed about the way we have started this topic of the Treaty for the Visually Impaired. Forgive me, Mr. Chairman, we have confidence in your abilities, but unfortunately we have already lost one hour in this afternoon session. We have only two hours left, unless and until we decide to work beyond 6:00 P.M.

We have a document, SCCR/23/7, on the table. Everybody has this document. We all decided in the last SCCR that we will work on this document and move towards a meaningful treaty. We said, in this very 24th SCCR, we will be ready for that. We should have started article-by-article discussions by now. And as we are involved in the general statements in our agenda, I can go on reading a statement for another 20 minutes as I have about five pages written out. But given our support for the treaty, I won't.

I'm sorry, I respect all the distinguished delegations: they have their own concerns, but Mr. Chairman, under your leadership we should have started article-by-article discussions by now. Yesterday, in the evening at the Chairman plus group leaders plus 3, we all requested that. Whatever happened during the 14, 15 intersessional meetings, we have no objection to that, but people raise the issue of transparency and availability of the document. Whatever changes have been made to the document must be public. If no one is ready to post that document either during the informal discussions, or here in the plenary, they can always come out with the changes made to particular articles, or para in the preamble, when the discussion starts.

We should be ready to work towards finalizing this treaty. We are even open to working on Saturday and Sunday, Mr. Chairman.

If we don't finalize in this SCCR, we cannot go to the General Assembly in the first week of the month of October. If we lose that time, we will have to wait until the next General Assembly, because we cannot have a General Assembly in between.

So we will be simply wasting our time in the November SCCR and again next July SCCR, waiting for the next General Assembly.

So kindly guide us to start text-based article-by-article discussions, so that we won't go back empty-handed. The Indian delegation won't go back empty-handed, facing the 15 million blind people in India, which is almost 50 percent of the world blind population, that is 37 million.

Thank you.

For more details visit https://cis-india.org/a2k/india-opening-statement-sccr24-tvi

India's National ID Project Brings Pain to Those it Aims to Help

Admin — 2018-05-12T00:53:39Z

Poor management, corruption and fraud are threatening to derail the world’s largest national identity project.

The blog post by Aayush Soni was published in Ozy.com on May 11, 2018.

For Phoolmati, a resident of the Kusumpur Pahari slum in south Delhi, standing every month in a queue at the neighborhood fair-price shop was a trusted routine. When her turn came up, she would place her thumb on a scanning machine that confirmed her identity. But on a biting-cold morning this past January, she had to return home empty-handed because, the shopkeeper told her, the “server was down.”

The next day, it happened again. On her third try, Phoolmati thought she had gotten lucky when the machine scanned her thumb successfully. But she was in for a shock. “The shopkeeper told me that, according to the computer records, I’ve already taken my quota of wheat flour for the month,” she says. When she protested and showed her ration card, another form of identification, the shopkeeper wouldn’t accept it.

Left with no choice, Phoolmati had to buy wheat flour from the open market at 25 rupees per kilogram — more than 12 times the amount she usually paid at fair-price shops. She wasn’t alone. At a weekly meeting of slum residents in a temple courtyard in April, many women complained about the difficulty of buying subsidized food grains to the Satark Nagrik Sangathan (Alert Citizens Organization), a nonprofit that seeks accountability from government agencies. Nanno Devi, a 67-year-old homemaker whose fingers are wrinkled with age, said that she didn’t receive her quota of wheat flour for January because a fingerprint-scanning machine couldn’t detect her thumb impression.

Nor are the urban poor, like Phoolmati, the only ones with such complaints. Students with government scholarships, senior citizens with pensions, farmers entitled to subsidies, religious minorities and backward castes eligible for benefits, patients at public hospitals, young couples trying to get married and professionals updating their bank details are all on the front line of an unparalleled experiment that was meant to help them but is hurting them instead.

Theirs is the lived experience of Aadhaar, a unique 12-digit identity system that includes an individual’s biometrics and demographic data — and that must verify an individual’s identity for the government, increasingly, to even recognize their existence. First rolled out in 2010, it is modeled on America’s Social Security number system, with the aim that government subsidies and welfare programs reach the intended beneficiaries and aren’t siphoned off by middlemen.

But over the past three years, India’s Narendra Modi government has cajoled, pressured and often effectively forced people into enrolling for this ID, even though it isn’t required by law. Today, a person’s bank account risks being frozen if it isn’t linked to her Aadhaar number. Her PAN (permanent account number) card, used to file income tax, could be declared invalid. Mobile phone companies can disconnect her number if it isn’t authenticated through biometrics. An Aadhaar number (or an enrollment number, in case someone has already applied for it) is mandatory to open a new bank account, get a new passport, invest in mutual funds or register a marriage. A joke making the rounds on Twitter is that very soon, Aadhaar will be mandatory for a person to swipe right on Tinder.

In the absence of any privacy law, much of the concern within sections of India’s educated middle class has focused on questions about personal freedom, data security and mass surveillance. But a parallel tide of complaints is rising from those the program was meant to help, rooted in complications it has instead imposed upon them. This growing frustration is threatening to derail the initiative in a manner privacy can’t, in a nation where millions live in cramped city apartments with strangers, and the distinction between personal and public is often blurred.

Cases of fraud, mismanagement and corruption hurting Aadhaar beneficiaries are tumbling out into the public domain almost every week. In late March, hackers used weaknesses in the Aadhaar database to steal data from a government organization that manages more than $120 billion in the pensions and savings of millions of Indians. In January, a 10-year-old girl from the Dalit community — historically at the bottom of India’s caste ladder — was denied a school scholarship because officials had misnamed her on her Aadhaar card. Last October, a farm loan waiver program in Maharashtra state ran into trouble after officials discovered that 100 farmers had the same Aadhaar identity number.

The Modi government maintains that it takes both the security of personal data and the concerns of Aadhaar beneficiaries seriously. But it is reluctant to answer any questions about identity theft, corruption, privacy or misappropriated benefits. Neither Ajay Bhushan Pandey, the current CEO of the Unique Identification Authority of India (UIDAI), which runs Aadhaar, nor Vikas Shukla, its spokesperson, responded to multiple requests for comment.

At a public rally in early May, Modi — who had himself opposed the program before he came to power in 2014 — called critics of Aadhaar “opponents of technology” unwilling to evolve with the times. Increasingly, though, many are questioning whether it’s Aadhaar’s own identity that has changed the most from when the idea first came up. “From a project of inclusion, it has become a project of exclusion,” says Usha Ramanathan, a lawyer who focuses on issues of development and poverty. Just ask Phoolmati.

Aadhaar was the brainchild of Nandan Nilekani, a former CEO of tech giant Infosys, who in a 2009 book argued that multiple forms of identification made it “difficult” to establish a “definitive identity” for India’s citizens.

A single identity linked to passports, PAN cards and other national databases, Nilekani argued, would not only solve this problem but also help eliminate the exasperating processes that India’s bureaucracy is notorious for — mountains of paper, proof of identity in triplicate and a glacial pace of work. It would help citizens avail government benefits that are rightfully theirs. Such a system would reduce a citizen’s dependence on distribution mechanisms susceptible to leakages and make “the moral scruples of our bureaucrats redundant,” Nilekani wrote. “An IT-enabled, accessible national ID system would be nothing less than revolutionary in how we distribute state benefits and welfare handouts.”

That same year, the Congress Party–led United Progressive Alliance government offered Nilekani a chance to translate his idea into reality, appointing him UIDAI chairman. Under Nilekani the UIDAI hired people from within the Indian bureaucracy as well as those outside it. The initial team of 50 included software engineers, designers and entrepreneurs from Silicon Valley as well as lawyers and policy wonks who worked at the head office in New Delhi. Each of the eight regional offices had a staff of 20.

In its early-stage avatar, the team had thought out solutions to problems such as the ones the residents of Kusumpur Pahari faced, says a policy consultant who worked with the UIDAI in 2010 and spoke on condition of anonymity. “You can use old methods and physically verify a person’s name and address [by going to their house] if biometrics aren’t working,” the consultant says. “It’s built into the architecture [of Aadhaar].” In his view, the current government under Modi — whose Bharatiya Janata Party defeated the Congress Party and came to power in 2014 — and the UIDAI setup have made a “mess” of the program. He also believes that the goal has shifted from inclusion to mass enrollment. Nilekani did not respond to a request for comment.

For sure, Aadhaar has staunch supporters too, who argue that it has helped reduce the misuse of government subsidies. In July 2017, India’s junior minister for consumer affairs, food and public distribution, C.R. Chaudhary, told the country’s Parliament that Aadhaar had helped the government delete nearly 25 million fake ration cards that the poor use to access subsidized food ingredients.

“This unnecessary fearmongering around Aadhaar is uncalled for,” says Sanjay Anandaram of iSpirit, a software industry think tank. In his view, it’s “last-mile deployment challenges” like fingerprint authentication, one-time-password systems and server glitches that need to be fixed, not Aadhaar. He juxtaposes anecdotal examples of people struggling to gain benefits with the “larger purpose” he believes Aadhaar serves. “It is a revolutionary system to ensure governance improves — especially for centrally administered programs,” he says.

The UIDAI has made some efforts too, if not to improve security of personal data then at least to allow citizens to check whether their Aadhaar identity has been misused. They can go online and view any occasions when their Aadhaar identity was used to access benefits.

But for millions of Indians dependent on subsidies, pensions, scholarships and other benefits, the concerns go well beyond privacy. Getting an Aadhaar identity can be a struggle. Earlier this year, the Punjab government conceded that it can’t process nearly 200,000 farm loan waiver claims either because intended beneficiaries don’t have Aadhaar cards or because the UIDAI is still processing their applications. At the same time, not signing on to Aadhaar is increasingly not an option. In February 2017, Chaudhary’s ministry made it mandatory for individuals to have an Aadhaar card to access subsidized food grains. Then, in October, an 11-year-old girl died of starvation in the central state of Jharkhand because the local ration dealer refused to give her family food grains for six months, as they had not linked their ration cards to Aadhaar. Facing criticism, the government asked states not to deny the poor the food grains they are entitled to, but the incident underscored how the Aadhaar initiative is cutting the needy off from subsidy access, rather than helping them, suggests Ramanathan, the lawyer. “People are dying because of Aadhaar,” she says.

But the Modi government has shown no signs of rethinking either the ways in which Aadhaar appears to hurt the poorest in Indian society or its data security protocols. Instead, it has appeared keener to target whistle-blowers pointing out weaknesses in the initiative.

It cost Rachna Khaira, a reporter, only 500 rupees ($7.50) to access the entire Aadhaar database — the names, addresses, fingerprint scans, iris scans, mobile phone numbers, email addresses, postal index numbers (PINs) and Aadhaar numbers of 830 million Indians. She “purchased” the service offered by anonymous sellers on WhatsApp and transferred the money via Paytm, a popular digital wallet company, to an “agent,” who created a “gateway” for Khaira. He then gave her a log-in ID and a password to that gateway, which allowed Khaira unrestricted access to the Aadhaar database. Her report, published in January in The Tribune, one of India’s oldest English dailies, created a national stir. Instead of trying to plug the holes the report had revealed, the UIDAI filed criminal cases against Khaira and the newspaper, accusing them of breaching privacy.

Khaira’s wasn’t the first piece of evidence to expose the vulnerability of the Aadhaar database. In May 2017, a report by the Centre for Internet and Society, a nonprofit organization, claimed that 130 million to 135 million Aadhaar numbers were published on four websites: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme and two projects run by Andhra Pradesh state. “This is the largest exercise in the world of the conversion of public information into an asset and then its privatization,” says Nikhil Pahwa, editor of MediaNama and a critic of Aadhaar.

These breaches of security highlight corruption and mismanagement that belie claims the government continues to peddle. In April 2017, Ravi Shankar Prasad, India’s minister of information and technology, told Parliament that “Aadhaar is robust. Aadhaar is safe. Aadhaar is secure, and totally accountable.” The government hasn’t appeared too perturbed by privacy concerns. On July 22, 2015, Mukul Rohatgi, the then attorney general, argued before the country’s Supreme Court that “the right of privacy is not a guaranteed right under our constitution.” That set off a two-year-long hearing before a nine-judge bench of the court, which unanimously ruled in 2017 that the right to privacy was indeed a fundamental right.

The criticism from social groups Aadhaar was meant to benefit, though, has left the Modi administration on the defensive. Since the passage of the 2016 Aadhaar law, civil society activists have filed 12 petitions in the Supreme Court challenging its legality. In January, the All India Kisan Sabha, one of India’s largest farmer organizations with millions of members, petitioned the top court against government moves to link subsidies to Aadhaar identities. Some leaders from Modi’s party, the BJP, have also started questioning their own government in Parliament about cases of beneficiaries denied their due because of the Aadhaar program. The Supreme Court, which is holding regular hearings on the case, has extended indefinitely the date by which citizens must link all identity documents to their Aadhaar number, until it rules on the validity of the legislation. At stake is the trust the Indian people can place in their government.

Back in Kusumpur Pahari, much of that trust has already eroded. In his 2014 election campaign, Modi had promised to stand guard as a chaukidaar (watchman) over the country’s resources, to prevent corruption. But when someone illegally withdrew Phoolmati’s grains by using her Aadhaar identity, the watchman wasn’t able to stop the theft.

For Phoolmati and other residents of Kusumpur Pahari, their ration cards guaranteed them food, and were a rare pillar of certainty in an unstable life. The Aadhaar-linked fingerprint authentication system is a source of frustration, and they don’t want it, they make clear at their weekly meeting. They now get their ration some months, and other months they don’t. Life on the fringes of society was already tough. Aadhaar, they say, has made it harder still.

For more details visit https://cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help

India's Latest Data Leak: People's Aadhaar Number And Bank Account Are Just One Google Search Away

Admin — 2018-07-13T15:18:46Z

Even Truecaller doesn't reveal this much.

The article by Gopal Sathe was published in Huffington Post on July 12, 2018.

Imagine being able to hack someone's personal data simply by entering their mobile phone number into a Google search. There is a website of the Andhra Pradesh government that's leaking people's phone numbers, Aadhaar numbers, father's names, passbook and bank account numbers, and the district and mandal where they live - all the link to all this information is the first result you get when you search for the phone numbers of people in the database.

The Andhra government has been leaking the personal data of more than 23,000 farmers who have received subsidies from the Andhra Pradesh Medicinal and Aromatic Plants Board, and organisation that encourages the growth of Ayurvedic medicines in the state. The subsidies are offered to farmers and tribals in the state, and all their personal data is available on an open database on an Andhra Government website.

The information is not behind any access control, and you can see all the records, click on them to get the details of anyone, or download everything as an Excel sheet. But what's perhaps worse is that simply by searching for the phone numbers of many of these farmers, we were able to find the detailed information about them. HuffPost India randomly chose a dozen farmers, and in each case, this database was the first result for their phone number on Google.

That's the most concerning part - in most cases, even when the information has leaked, it isn't readily apparent to people. You have to know the website address, or at the very least spend some time poring through dashboards. In the case of this latest leak, all you need is the person's phone number, and all their information is made visible. HuffPost India has reported this issue to the AP government, much like earlier leaks, although at the time of writing the data is still available online.

Who's held responsible?

This is just the latest in a long line of leaks from AP - in just the last few months, we've reported on a website that let you geo-locate homes on the basis of caste and religion; while another tracked all the medicines people buy, such as generic viagra, along with their phone numbers; and one that tracked pregnant women in ambulances in real time.

A government official we spoke to in AP Secretariat said that while all the departments have been digitised, an understanding of security - and privacy - is yet to come. "Even if you tell them, 'this data is not something you can publish', they disagree and say that it is needed for the beneficiaries to be able to access their own information," he explained.

Karan Saini, a security analyst and consultant who writes on issues of web security and privacy, told HuffPost that the various government departments are generally unresponsive when breaches like this are brought up.

"Lack of outreach is an issue with all of these organisations," said Saini. "NCIIPC is the only one that can even be found by someone looking at the surface. [These organisations] are hard to get a response from."

One reason for this, said Srinivas Kodali, a security researcher who has revealed a tremendous amount of leaks in the AP system, is that there is no official system of accountability in the government when it comes to data leaks.

In May 2017, the AP government passed the Andhra Pradesh Core Digital Data Authority Act, under which in section 37 it states that no legal proceeding shall lie against any officer or employee for anything which is in good faith done. What this means is that leaks and breaches are not something any official in the government can be held responsible for.

This act came out less than a month after the Centre for Internet and Society in Bengaluru published a report stating that 13 crore Aadhaar numbers were leaked - of which 2 crore were from Andhra Pradesh.

A lack of (human) resources

AP officials do acknowledge the problem. "There is a major shortage of cybersecurity professionals, and hiring them is a challenge," said V Premchand, head of the Andhra Pradesh Technology Service, who is in charge of the ongoing security work in the state. AP has seen a major security audit in May this year, and a privacy audit was announced last month.

"The work is ongoing but it is not something that can happen overnight," Premchand explained. However, others argue that the government isn't doing enough to make use of existing manpower. Unlike other countries, the Indian government does not have any real bug bounty program, where security researchers are incentivised to report weaknesses to organisations for cash rewards and recognition.

Sai Krishna Kothapalli, a student at IIT Guwahati and a security researcher, told HuffPost that the government actively discourages security experts from providing their support, rather than encouraging them.

"The US Department of Defense and others have a responsible disclosure program and a lot of people from India take part in that," he said. "Our talent is being used by them instead because the government here does not reply at all."

"India's top hackers are being employed by people outside the country, even though we have the talent here, because will you spend the time and effort to be ignored here, or report issues to a US company and make thousands of dollars instead?"

However, security audits in India are only being carried out by agencies that have been empaneled, and most of the hackers active here don't have the certification, he added. "They're too busy actually doing the work, while these big companies do audits, and leave all kinds of security issues behind."

For more details visit https://cis-india.org/internet-governance/news/huffington-post-gopal-sathe-july-12-2018-indias-latest-data-leak-is-so-basic-that-peoples-aadhaar-number-bank-account-and-fathers-name-are-just-one-google-search-away

India's Internet Jam

pranesh — 2014-03-20T12:41:58Z

As authorities continue to clamp down on digital freedom, politicians and corporations are getting a taste for censorship too. Pranesh Prakash reports.

The article was published in Index on Censorship in August 2012. This is an unedited version of the article.

In a matter of three days, in August 2012, India’s central government ordered internet service providers to block around 309 pieces of online content – mostly individual web pages, YouTube videos and Facebook groups. The blocking orders came days after people originally from north-eastern India living in Bangalore began fleeing the city in fear of attack. Rumours that some Muslims in the city were planning violence in retaliation for recent clashes between the indigenous Bodo tribe and Muslim settlers in Assam spread quickly via text messages and through the media. The Nepali migrant community in Bangalore also received text messages from their families, warning them that they might be mistaken for north-eastern Indians and also be targeted. Indian Railway, catering to the huge demand, organised special trains to Assam for the crowds of people.

Freedom of speech is enshrined in the Constitution of India, which came into force in 1952, and specifically in Article 19(1)(a), which guarantees that ‘all citizens shall have the right to freedom of speech and expression’. While in the United States, it wasn’t until the 1920s that the Supreme Court struck down a law or governmental action on freedom of speech grounds, in India, just one year after the constitution was adopted, government actions against both left- and right-wing political speech were struck down for violating Article 19(1)(a). Enraged, the Congress government then amended Article 19, expanding the list of restrictions to the right to free expression. These included speech pertaining to ‘friendly relations with foreign states’, ‘public order’ and ‘incitement to an offence’. In 1963, in response to the 1962 war with China, the ‘sovereignty and integrity of India’ was also added, taking the number of categories of permissible restrictions up to eight. While the constitution categorically stipulates that no further restrictions should be imposed, courts have on occasion added to the list (privacy, for instance) through judicial interpretation without explicitly stating that they are doing so. Comparisons are often drawn between the constitution’s ‘reasonable restrictions’ and the categorical prohibition enshrined in the US Constitution’s First Amendment: ‘Congress shall make no law … abridging the freedom of speech, or of the press’ – a meaningless comparison as there are indeed many categories of speech that are seen as being protected under the US constitution and even speech that is protected may be restrained in a number of ways.

Today, there are a number of laws that regulate freedom of speech in India, from the Indian Penal Code (IPC), the Victorian legislation meant to codify crimes, to the Information Technology Act, which was amended in 2008 and in some cases makes behaviour that is perfectly legal offline into a criminal activity when online.

Sedition and social harmony

The Indian Penal Code criminalises sedition; speech intended to cause enmity between communities; speech intended to ‘outrage religious feelings of any class’; selling, singing or displaying anything obscene; and defamation. It also prohibits ‘causing someone, by words or gestures, to believe they’re the target of divine displeasure’. Each of these provisions has been misused, as there are indeed many catagories of speech that are not seen as being protected under thw US constitution, and even speech that is protected may be restrained in a number of ways.

In recent years, sedition charges have been brought against human rights activists (Binayak Sen and Arundhati Roy), journalists (Seema Azad), cartoonists (Aseem Trivedi) and protesters (thousands of villagers in Koodankulam and neighbouring villages who demonstrated against a nuclear reactor in their area). It is usually the higher judiciary that dismisses such cases, while the lower judiciary seems to be supplicant to the bizarre claims of government, the police and complainants. Similarly, the higher judiciary has had to intervene in cases where books and films have been banned for ‘causing enmity between communities’ or for intentionally hurting the sentiments of a religious group.

Of the last six books banned by the Maharashtra government, all but one (RV Bhasin’s Islam: A Concept of Political World Invasion by Muslims) have been overturned by the Mumbai High Court. In one case, the court criticised the government for using a violent protest (organised by the Sambhaji Brigade, one of many right-wing political groups that frequently stage demonstrations) as reason enough for banning an academic book on the Maratha king Shivaji. In its decision, the judge pointed out that it is the government’s job to provide protection against such violence. Given India’s history of communal violence there is indeed a need for the law to address incitement to violence – but these laws should be employed at the actual time of incitement, not after the violence has already taken place. But, as recent events have shown, the government is willing to censor ‘harmful’ books and films and less likely to take action against individuals who incite violence during demonstrations.

Online speech and the law

There are regular calls for the government to introduce legislation that deals specifically with online behaviour, despite the fact that the vast majority of the laws regarding sedition and social harmony apply online as well as offline. One example is the recent move to introduce amendments to the Indecent Representation of Women Act (1986) so that it applies to ‘audiovisual media and material in electronic form’.

But the government’s attempts to control online speech began long before the introduction of any internet-specific legislation. Indeed, when state-monopoly internet service provider VSNL censored content, it did so under the terms of a contract it had entered with its customers, not under any law. In 1998, a mailing list called Middle East Socialist Network was blocked on national security grounds. In 1999, Pakistani newspaper Dawn’s website was blocked during the Kargil conflict. In both of the latter cases, the government relied on the Indian Telegraph Act (1885) to justify its actions, though that act contains no explicit provisions for such censorship.

In 2000, the Information Technology (IT) Act was passed and the Indian Computer Emergency Response Team (CERT-In) was created, which (unlawfully) assumed the role of official online censor. Importantly, while the IT Act did
make the publication of obscene content online illegal (though it already was under the IPC), it did not grant permission for authorities to block websites. Despite this, an executive order passed on 27 February 2003 granted CERT-In the power to block. Had this been challenged in a court, it may well have been deemed unconstitutional since, in the absence of a statutory law, an executive order cannot reverse the freedom granted under Article 19. And although the telecommunications sector in India was being liberalised around this time, as part of their licence agreements, all internet service providers (ISPs) have to agree to block links upon being requested to do so by the government. In 2008, when the IT Act was amended, it clearly stated that the government can block websites not only when it deems it necessary to do so but also when it is deemed expedient in relation to matters of public interest, national security and with regard to maintaining friendly relations with foreign states. The power to block does not, however, extend to obscenity or defamation offences. At the same time, further categories of speech crimes were introduced, along with other new offences, including the electronic delivery of ‘offensive messages through communication services’ or anything ‘for the purpose of causing annoyance or inconvenience’. This has often been abused, including by the chief minister of West Bengal, who issued proceedings against a professor for forwarding an email containing a cartoon that mocked him. Under this draconian and unconstitutional provision, the police do not need an arrest warrant and the punishment can be as much as three years’ imprisonment, longer than even the punishment for causing death by negligence. The amendment also granted the government extensive powers to monitor and intercept online speech and data traffic, greatly extending the powers provided under colonial laws such as the Indian Telegraph Act (1885). As legislation has been introduced, the penalties for online offences have increased significantly. For example, the penalty for the first-time publication of an obscene ebook is up to five years in prison and a 1,000,000 rupee (US$18,800) fine, compared with two years’ imprisonment and a 2,000 rupee (US$38) fine as stipulated in the IPC for publishing that same material in print version. New laws introduced in 2009 pertain specifically to blocking (section 69a), interception, decryption and monitoring (69 and 69b) and are in accordance with the constitution. However, the amendments were brought in without any attempt at transparency or accountability.

Power in the hands of intermediaries

In April 2011, despite critical submissions received during its public consultation, the government announced new ‘intermediary guidelines’ and ‘cyber cafe rules’, both of which have adverse effects on freedom of expression. The rules, which were issued by the Department of Information and Technology (DIT), grant not only the government but citizens significant powers to censor the internet. They require all intermediaries – companies that handle content, including web hosts, telecom companies, domain name providers and other such intermediaries – to remove ‘disparaging’ content that could ‘harm minors in any way’. They prohibit everything from jokes (if the person sharing the joke does not own copyright to it) to anything that is disparaging. In a recent case, in December 2011, thousands of people used the hashtag #=IdiotKapilSibal on Twitter to criticise the minister of communications and information technology, Kapil Sibal, who had requested that officials from Google, Microsoft, Yahoo! and Facebook in India pre-screen online content. These guidelines and rules are badly drafted and unconstitutional, as they go beyond the limits allowed under Article 19 in the constitution. And do so in a manner that lacks any semblance of due process and
fairness. They are inconsistent with offline laws, too: for example, because the guidelines also refer to gambling, the government of Sikkim can publish advertisements for its PlayWin lottery in newspapers but not online. It’s far easier to persuade officials to remove online material than it is to persuade them to remove books from a bookstore or artwork from a gallery. Police are only empowered to seize books if the government or a court has been persuaded that it violates a law and issues such an order. This fact is always recorded, in government or legal records, police files or in the press. By contrast, web content can be removed on the basis of one email complaint; intermediaries are required to ‘disable’ the relevant content within 36 hours of the complaint. A court order is not required, nor is there a requirement to notify the owner of the content that a complaint has been received or that material has been removed. The effect is that of almost invisible censorship.

This assertion – that it only takes one complaint – may seem far-fetched. But a researcher from the Centre for Internet and Society sent complaints to several intermediaries on a number of occasions, resulting in content being removed in a majority of cases. If intermediaries choose not to take action, they risk losing their immunity against punishment for content. In essence, the law is the equivalent of punishing a post office for the letters that people send via the postal service.

The amendments were brought in without any attempt at transparency or accountability

In 1984, Indira Gandhi was forced to sue Salman Rushdie for defamation in a London court in order to ensure one sentence was expurgated from his novel Midnight’s Children. Today Gandhi wouldn’t need to win a lawsuit against publishers. She would merely have to send a complaint to websites selling the book and it would have to be removed from sale. It is easier to block Akbari.in – the online newspaper run by Vinay Rai, who filed a criminal complaint against multiple internet companies in December 2011 for all manner of materials – than it is to prevent its print publication. There is no penalty for frivolous complaints, such as those sent by researchers from the Centre for Internet and Society, nor is there any requirement for records to be kept of who has removed what. Such great powers of censorship without any penalties for abuse of these powers are a sure-fire way of moving towards greater intolerance, with the internet – that republic of opinions and expressions – being a casualty.

Censorship outside the law

Since 2011, governments and private companies alike have increasingly engaged in internet censorship. In April 2011, in response to a right to information request, the DIT released a list of 11 websites that had been officially blocked under the IT Act since 2009, when the amended act came into force. But, according to a recent Google Transparency Report, government requests for the removal of material far exceeds that number. The report reveals that the government (including state governments) requested that Google remove 358 items from January 2011 to June 2011. Of this number, only eight were considered to be hate speech and only one item was related to concerns over national security. The remaining material, 255 items (71 per cent of all requests), was taken down because of ‘government criticism’. Criticism of the government is protected under the country’s constitution but, nonetheless, Google complied with take-down requests 51 per cent of the time. It’s clear, then, that governmental censorship is far more widespread than officially acknowledged.

In July 2011, Reliance Entertainment obtained a ‘John Doe’ order to protect its intellectual property rights with regard to its film Singham, which was scheduled for release that month. The order prohibited both online and offline infringement of copyright for the film and was sent to a number of ISPs, which then blocked access to file-sharing websites, even though there was no proof of the film having been available on any of them. According to Reliance Entertainment, they merely asked ISPs ‘not to make the film available’ on their networks, even though the order did not authorise it. But a right to information request pertaining to a similar case dealing with the distribution of the film Dhammu showed that the entertainment company’s lawyers had in fact asked for dozens of websites – not just deep-link URLs to infringing content – to be blocked, despite publicly claiming otherwise. If web users encountered any information at all about why access to the sites was blocked, it was that the Department of Telecom had ordered the blocking, which was plainly untrue. In February 2012, following a complaint from the Indian Music Industry (a consortium of 142 music companies), the Calcutta High Court ordered 387 ISPs to block 107 websites for music piracy. At least a few of those, including Paktimes.com and Filmicafe.com, were general interest entertainment sites. The most famous of these sites, Songs.pk, re-emerged shortly after the block as Songspk.pk, highlighting the pointlessness of the block. And outside the realm of copyright, in December 2011, the domain name CartoonsAgainstCorruption.com was suspended based on an unlawful complaint from the Mumbai police requesting its suspension, despite there being no powers for them to do so under any law.

Between August and November 2011, the DIT also went to great efforts to compel big internet companies including Indiatimes, Facebook, Google, Yahoo!, and Microsoft, to ‘self-regulate’. This revealed the department’s desire to gain ever greater powers to control ‘objectionable’ content online, effectively bypassing the IT Act. It’s obvious, too, that by encouraging internet companies to ‘self-regulate’ the government will avoid embarrassing statistics such as those revealed by Google’s Transparency Report.

New dangers

A way forward, at least for internet-specific laws, could be to rekindle the Cyber Regulations Advisory Committee – a multi-stakeholder committee required by the IT Act – and to practise at home what we preach abroad on matters of internet governance: the value of a multi-stakeholder system, which includes industry, academia and civil society and not just governments. The idea of a multi-stakeholder framework has gained prominence since it was placed at the core of the ‘Declaration of Principles’ at the first World Summit on Information Society in Geneva in 2003. It has also been at the heart of India’s pronouncements at the Internet Governance Forum and the India-Brazil-South Africa Dialogue Forum. The Internet Governance Division, which formulates the country’s international stance on internet governance, has long recognised that these decisions must be taken in an open and collaborative manner. It is time the DIT’s Cyber-Law and ESecurity Group, which formulates the country’s national stance on the internet, realises the same.

Freedom of speech means nothing in a democratic society if it does not allow everyone to speak. Despite the internet being a very elite space, the number of people who have used it to express themselves since its introduction in India in 1994 is vast, especially when compared to the number of people in India who have expressed themselves in print since 1947 when the country won its independence. Online speech is indeed a big shift from edited and usually civil discussions in the world of print media. Perhaps this gives us some indication of why there is some support among the mass media for government regulations on speech. Too many discussions of online speech laws in India descend into arguments about the lack of civility online. However, the press – and all of us – would do well to remember that civility and decency in speech, while desirable in many contexts, cannot be the subject of legislation. But in India, the greatest threat to freedom of expression is not a government clampdown on dissent but threats from political and corporate powers with a range of tools at their disposal, including fostering a climate of selfcensorship. The government has passed bad laws that have given way to private censorship. And many of these laws are simply a result of gross ineptitude.

We cannot take sufficient comfort in the fact that, in India, censorship is limited and nowhere on the scale that it is in China or Iran. It is crucial that, from a legal, cultural and technological standpoint we do not open the door for further censorship. And currently, we are failing.

Pranesh Prakash is Policy Director at the Centre for Internet and Society in Bangalore. Part of this article appeared in a blog by the author on the centre’s website, cis-india.org, in January 2012

For more details visit https://cis-india.org/internet-governance/blog/index-on-censorship-august-2012-pranesh-prakash-indias-internet-jam

India's Identity Crisis

malavika — 2014-01-09T07:56:08Z

Malavika Jayaram's article was published in 2013 Internet Monitor Annual Report: Reflections on the Digital World, published by Harvard's Berkman Center for Internet and Society.

India’s Unique Identity (UID) project is already the world’s largest biometrics identity program, and it is still growing. Almost 530 million people have been registered in the project database, which collects all ten fingerprints, iris scans of both eyes, a photograph, and demographic information for each registrant. Supporters of the project tout the UID as a societal game changer. The extensive biometric information collected, they argue, will establish the uniqueness of each individual, eliminate fraud, and provide the identity infrastructure needed to develop solutions for a range of problems. Despite these potential benefits, however, critical concerns remain about the UID’s legal and physical architecture as well as about unforeseen risks associated with the linking and analysis of personal data.

The most basic concerns regarding the UID project stem from the fact that biometric technologies have never been tested on such a large population. As a result, well-founded concerns exist around scalability, false acceptance and rejection rates, and the project’s core premise that biometrics can uniquely and unambiguously identify people in a foolproof manner. Some of these concerns are based on technical issues—collecting fingerprints and iris scans “in the field,” for instance, can be complicated when a registrant’s fingerprints are eroded by manual labor or her irises are affected by malnutrition and cataracts. Other concerns relate to the project’s federated implementation architecture, which, by outsourcing collection to a massive group of private and public registrars and operators, increases the chance for data breaches, error, and fraud.

Perhaps even more vexing are concerns regarding how the UID, which promises financial inclusion (by reducing the identification barriers to opening bank accounts, for example), might in fact lead to new types of exclusion for already marginalized groups. Members of the LGBT community, for instance, question whether the inclusion of the transgender category within the UID scheme is a laudable attempt at inclusion, or a new means of listing and targeting members of their community for exclusion. More fundamentally, as more and more services and benefits are linked to the UID, the project threatens to exclude all those who cannot or will not participate in the scheme due to logistical failures or philosophical objections.

It is worth noting that the UID is not the only large data project in India. A slew of “Big Brother” projects exist: the Centralised Monitoring System (CMS), the Telephone Call Interception System (TCIS), the National Population Register (NPR), the Crime and Criminal Tracking Network and Systems (CCTNS), and the National Intelligence Grid (NATGRID), which is working to aggregate up to 21 different databases relating to tax, rail and air travel, credit card transactions, immigration, and other domains. The UID is intended to serve as a common identifier across these databases, creating a massive surveillance state. It also facilitates an ecosystem where access to goods and services, from government subsidies to drivers’ licenses to mobile phones to cooking gas, increasingly requires biometric authentication.

The UID project was originally vaunted as voluntary, but the inexorable slippery slope toward compulsory participation has triggered a series of lawsuits challenging the legality of forced enrollment and the constitutionality of the entire project. Most recently, in September 2013, India’s federal Supreme Court affirmed by way of an interim decision that the UID was not mandatory, that not possessing a UID should not disadvantage anybody, and that citizenship should be ascertained as a criteria for registering in order to ensure that UIDs are not issued to illegal immigrants. This last stipulation is particularly thorny given that the Unique Identification Authority of India (UIDAI, the body in charge of the UID project) has consistently distanced the UID from questions of citizenship under the justification that it is a matter beyond their remit (i.e., the UID is open to residents, and is not linked to citizenship). The government moved quickly to urge a modification of the order, but the Supreme Court declined to do so and will instead release its final decision after it reviews a batch of petitions from activists and others. The UIDAI approached the court, arguing that not making the UID mandatory has serious consequences for welfare schemes, but the court recently ordered the federal government, the Reserve Bank of India, and the Election Commission to delink the LPG cooking gas scheme from the UID. This is a considerable setback for the project, given that this was one of the most hyped linkages for the UID. It remains to be seen whether the court will similarly halt other attempts to make the UID mandatory.

In the meantime, the UID project is effectively being implemented in a legal vacuum without support from the Supreme Court or Parliament. The Cabinet is seeking to rectify this and has cleared a bill that would finally provide legal backing for the UID program—its previous attempt was rejected by the Standing Committee on Finance in 2010. This bill is scheduled to come up for debate during the winter session of Parliament. The bill’s progress, along with the final decision of the Supreme Court, will have far reaching consequences for the UID project’s implementation and longevity, as well as for the relationship between India’s citizens and the state.

If fully implemented, the UID system will fundamentally alter the way in which citizens interact with the government by creating a centrally controlled, technology-based standard that mediates access to social services and benefits, financial systems, telecommunications, and governance. It will undoubtedly also have implications for how citizens relate to private sector entities, on which the UID rests and which have their own vested interests in the data. The success or failure of the UID represents a critical moment for India. Whatever course the country takes, its decision to travel further toward or turn away from becoming a “database nation” will have implications for democracy, free speech, and economic justice within its own borders and also in the many neighboring countries that look to it as a technological standard bearer.

The Indian government seems to envision “big data” as a panacea for fraud, corruption, and abuse, but it has given little attention to understanding and addressing the fraud, corruption, and abuse that massive databases can themselves engender. The government’s actions have yet to demonstrate an appreciation for the fact that the matrix of identity and surveillance schemes it has implemented can create a privacy-invading technology layer that is not only a barrier to online activity but also to social participation writ large.

The lack of identification documents for a large portion of the Indian population does need to be addressed. Whether the UID project is the best means to do this—whether it has the right architecture and design, whether it can succeed without an overhaul of several other failures of governmental institutions, and whether fixing the identity piece alone causes more harm than good—should be the subject of intense debate and scrutiny. Only through rigorous threat modeling and analysis of the risks arising out of this burgeoning “data industrial complex” can steps be taken to stem the potential repercussions of the project not just for identity management, fraud, corruption, distributive justice, and welfare generally, but also for autonomy, openness, and democracy.

Click to download the article published in the annual report of Berkman's Center for Internet and Society (PDF 7223 Kb)

For more details visit https://cis-india.org/internet-governance/blog/internet-monitor-2013-malavika-jayaram-indias-identity-crisis

India's Draft Telecom Policy Needs to Bridge the Gap Between Intent and Execution

sinha — 2018-05-07T16:13:31Z

Earlier this week, India’s department of telecommunications (DoT) released a draft new telecom policy, titled ‘Draft National Digital Communications Policy 2018’.

The article originally published in the Wire on May 6, 2018 can be read here. Access the Draft National Digital Communications Policy 2018 here.

The three pillars of the draft policy are ‘Connect India’, ‘Propel India’ and ‘Secure India’, which primarily seek to improve broadband connectivity, accelerate development of next-generation technologies and services and institute measures for data sovereignty, security and safety, respectively.

Several strategies have been devised under each pillar – few carry on from previous national telecom policies, and some are new proposals.

The document is high on aspirations, a lot of which it seeks to fulfil by 2022. It also proposes several favourable institutional and regulatory changes and simplifies obtaining of permissions.

However, it remains quite open-ended in terms of how the details could evolve. For example, while it endeavours to develop a fair, flexible, simple and transparent method for spectrum assignments and allocations, by pricing spectrum at an ‘optimal price’ and linking spectrum usage charges (SUC) to reflect costs of regulation and administration of spectrum, it cannot be said if these measures will fully rejuvenate a debt-ridden telecom sector.

Ideally, the policy should have explicitly mentioned that revenue maximisation is not a goal for the government anymore, to reassure the industry that licence fees and SUC will not be astronomically priced – especially as it is in no mood to change the model of spectrum allocation from auction to revenue sharing (circa NTP-99). A clear commitment would have helped inspire more confidence in this strained sector. Regardless, these changes will also need approval from the finance ministry, where stiff resistance is expected.

Expanding both wireless and wired broadband is a clear priority of the government. It sets out four initiatives, encouraging public-private partnerships to serve both rural and urban centres (BharatNet, GramNet, NagarNet, JanWiFi), and several additional measures to accelerate laying of optical fibre, mobile towers and increase sharing of infrastructure.

Although the previous telecom policies (NTP-99, NTP-2012 and recommendations in ‘Fixing Broadband Quickly’ (TRAI, 2015)) determined the similar gaps and objectives, little has translated into concrete results so far. In 2017, ITU and UNESCO reported that India was the largest unconnected market, with 49.5% (approx. 660 million) of our population still unconnected. The report further noted that the penetration of mobile broadband was much higher than fixed-line broadband connections – and urban centres were better served than rural areas. One hopes that the new strategies and objectives will be better realised this time around.

The policy also seeks to boost domestic innovation in the field of standards in communications technologies. This is reflected in its aims to strengthen domestic IP portfolios by providing financial incentives for the development of standard-essential patents (SEPs) and promote them at standard setting organisations. It mandates access to critical, mostly foreign-owned SEPs on a fair, reasonable and non-discriminatory basis (FRAND basis). This is an approach to patent licensing that has been endorsed by courts and the Competition Commission of India in the context of mobile phone technologies, as well as in other jurisdictions.

However, it remains to be seen how this mandate will be implemented in TRAI’s forthcoming recommendations on promoting telecom equipment manufacturing in India. This is a real opportunity for the telecom regulator to help the low-cost smartphone manufacturing industry in India to overcome their disadvantage in terms of having to pay exorbitant royalties to foreign-SEP holders and getting sued for infringement in the process. Another strategy that should have found place was the creation of government-controlled patent pools for SEPs, which could have solved the issue of uncertainty for local manufacturers and ensured payments to SEP holders to a great extent.

Additionally, the policy proposes a few consumer-oriented changes such as establishing a ‘Telecom Ombudsman’ and a centralised web-based complaint redressal system. In the third pillar of ‘Secure India’, although the document does not reveal the DoT’s approach to net-neutrality nor data protection and privacy, it does say that the government will be amenable to changing the terms of license to fulfill their core principles.

Curiously, in order to ‘facilitate security and safety of citizens’ it proposes to set up ‘lawful interception agencies with state of the art lawful intercept and analysis systems for implementation of law and order and national security’. This measure did not exist in TRAI’s version of the draft policy.

On next-generation tech in the field of IoT and cloud, it retained TRAI’s suggestion of setting up ‘light-touch’ licensing frameworks. This may prove to be a barrier to innovation in the field.

While the policy is broad and forward-looking, the true intent and meaning of the listed steps will only be understood when complementary legislative and granular policy actions to support these strategies are crystallised. That will make all the difference.

For more details visit https://cis-india.org/telecom/blog/the-wire-anubha-sinha-may-6-2018-india-draft-telecom-policy

India's Data Protection Framework Will Need to Treat Privacy as a Social and Not Just an Individual Good

amber — 2018-05-18T06:22:57Z

The idea that technological innovations may compete with privacy of individuals assumes that there is social and/or economic good in allowing unrestricted access to data. However, it must be remembered that data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way.

Published in Economic & Political Weekly, Volume 53, Issue No. 18, 05 May, 2018. Article can be accessed online here.

In July 2017, the Ministry of Electronics and Information Technology (MeITy) in India set up a committee headed by a former judge, B N Srikrishna, to address the growing clamour for privacy protections at a time when both private collection of data and public projects like Aadhaar are reported to pose major privacy risks (Maheshwari 2017). The Srikrishna Committee is in the process of providing its input, which will go on to inform India’s data-protection law.

While the committee released a white paper with provisional views, seeking feedback a few months ago, it may be discussing a data protection framework without due consideration to how data practices have evolved.

In early 2018, a series of stories based on investigative journalism by Guardianand Observer revealed that the data of 87 million Facebook users was used for the Trump campaign by a political consulting firm, Cambridge Analytica, without their permissions. Aleksandr Kogan, a psychology researcher at the University of Cambridge, created an application called “thisisyourdigitallife” and collected data from 270,000 participants through a personality test using Facebook’s application programming interface (API), which allows developers to integrate with various parts of the Facebook platform (Fruchter et al 2018). This data was collected purportedly for academic research purposes only. Kogan’s application also collected profile data from each of the participants’ friends, roughly 87 million people.

The kinds of practices concerning the sharing and processing of data exhibited in this case are not unique. These are, in fact, common to the data economy in India as well. It can be argued that the Facebook–Cambridge Analytica incident is representative of data practices in the data-driven digital economy. These new practices pose important questions for data protection laws globally, and how these may need to evolve to address data protection, particularly for India, which is in the process of drafting its own data protection law.

Privacy as Control

Most modern data protection laws focus on individual control. In this context, the definition by the late Alan Westin (2015) characterises privacy as:

The claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other.

The idea of “privacy as control” is what finds articulation in data protection policies across jurisdictions, beginning with the Fair Information Practice Principles (FIPP) from the United States (US) (Dixon 2006). These FIPPs are the building blocks of modern information privacy law (Schwartz 1999) and not only play a significant role in the development of privacy laws in the US, but also inform data protection laws in most privacy regimes internationally (Rotenberg 2001), including the nine “National Privacy Principles” articulated by the Justice A P Shah Committee in India. Much of this approach is also reflected in the white paper released by the committee, led by Justice Srikrishna, towards the creation of data protection laws in India (Srikrishna 2017)

This approach essentially involves the following steps (Cate 2006):

(i) Data controllers are required to tell individuals what data they wish to collect and use and give them a choice to share the data.
(ii) Upon sharing, the individuals have rights such as being granted access, and data controllers have obligations such as securing the data with appropriate technologies and procedures, and only using it for the purposes identified.

The objective in this approach is to make the individual empowered and allow them to weigh their own interests in exercising their consent. The allure of this paradigm is that, in one elegant stroke, it seeks to “ensure that consent is informed and free and thereby also (seeks) to implement an acceptable tradeoff between privacy and competing concerns.” (Sloan and Warner 2014). This approach is also easy to enforce for both regulators and businesses. Data collectors and processors only need to ensure that they comply with their privacy policies, and can thus reduce their liability while, theoretically, consumers have the information required to exercise choice. In recent years, however, the emergence of big data, the “Internet of Things,” and algorithmic decision-making has significantly compromised the notice and consent model (Solove 2013).

Limitations of Consent

Some cognitive problems, such as long and difficult to understand privacy notices, have always existed with regard to the issue of informed consent, but lately these problems have become aggravated. Privacy notices often come in the form of long legal documents, much to the detriment of the readers’ ability to understand them. These policies are “long, complicated, full of jargon and change frequently” (Cranor 2012).

Kent Walker (2001) lists five problems that privacy notices typically suffer from:

(i) Overkill: Long and repetitive text in small print.
(ii) Irrelevance: Describing situations of little concern to most consumers.
(iii) Opacity: Broad terms that reflect limited truth, and are unhelpful to track and control the information collected and stored.
(iv) Non-comparability: Simplification required to achieve comparability will lead to compromising of accuracy.
(v) Inflexibility: Failure to keep pace with new business models.

Today, data is collected continuously with every use of online services, making it humanly impossible to exercise meaningful consent.
The quantity of data being generated is expanding at an exponential rate. With connected devices, smartphones, appliances transmitting data about our usage, and even the smart cities themselves, data now streams constantly from almost every sector and function of daily life, “creating countless new digital puddles, lakes, tributaries and oceans of information” (Bollier 2010).

The infinitely complex nature of the data ecosystem renders consent of little value in cases where individuals may be able to read and comprehend privacy notices. As the uses of data are so diverse, and often not limited by a purpose identified at the beginning, individuals cannot conceptualise how their data will be aggregated and possibly used or reused.

Seemingly innocuous bits of data revealed at different stages could be combined to reveal sensitive information about the individual. While the regulatory framework is designed such that individuals are expected to engage in cost–benefit analysis of trading their data to avail services, this ecosystem makes such individual analysis impossible.

Conflicts Between Big Data and Individual Control

The thrust of big data technologies is that the value of data resides not in its primary purposes, but in its numerous secondary purposes, where data is reused many times over (Schoenberger and Cukier 2013).

On the other hand, the idea of privacy as control draws from the “data minimisation” principle, which requires organisations to limit the collection of personal data to the minimum extent necessary to obtain their legitimate purpose and to delete data no longer required. Control is excercised and privacy is enhanced by ensuring data minimisation. These two concepts are in direct conflict. Modern data-driven businesses want to retain as much data as possible for secondary uses. Since these secondary uses are, by their nature, unanticipated, their practices run counter to the very principle of purpose limitation (Tene and Polonetsky 2012).

It is evident from such data-sharing practices, as demonstrated by the Cambridge Analytica–Facebook story, that platform architectures are designed with a clear view to collect as much data as possible. This is amply demonstrated by the provision of a “friends permission” feature by Facebook on its platform to allow individuals to share information not just about themselves, but also about their friends. For the principle of informed consent to be meaningfully implemented, it is necessary for users to have access to information about intended data practices, purposes and usage, so they consciously share data about themselves.

In reality, however, privacy policies are more likely to serve as liability disclaimers for companies than any kind of guarantee of privacy for consumers. A case in point is Mark Zuckerberg’s facile claim that there was no “data-breach" in the Cambridge Analytica–Facebook incident. Instead of asking each of the 87 million users whether they wanted their data to be collected and shared further, Facebook designed a platform that required consent in any form only from 270,000 users. Not only were users denied the opportunity to give consent, their consent was assumed through a feature which was on by default. This is representative of how privacy trade-offs are conceived by current data-driven business models. Participation in a digital ecosystem is by itself deemed as users’ consent to relinquish control over how their data is collected, who may have access to it, and what purposes it may be used for.

Yet, Zuckerberg would have us believe that the primary privacy issue of concern is not about how his platform enabled the collection of users’ data without their explicit consent, but in the subsequent unauthorised sharing of the data by Kogan. Zuckerberg’s insistence that collection of data of people without their consent is not a data breach is reminiscent of the UIDAI’s recent claims in India that publication of Aadhaar numbers and related information by several government websites is not a data breach, so long as its central biometric database in secure (Sharma 2018). In such cases also, the intended architecture ensured the seeding of other databases with Aadhaar numbers, thus creating multiple potential points of failure through disclosure. Similarly, the design flaws in direct benefit transfers enabled Airtel to create payments bank accounts with the customers’ knowledge (Hindu Business Line 2017). Such claims clearly suggest the very limited responsibility data controllers (both public and private) are willing to take for personal data that they collect, while wilfully facilitating and encouraging data practices which may lead to greater risk to data.

On this note, it is also relevant to point out that the Srikrishna committee white paper begins with identifying informational privacy and data innovation as its two key objectives. It states that “a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India.”

Conversations around privacy and data have become inevitably linked to the idea of technological innovation as a competing interest. Before engaging in such conversations, it is important to acknowledge that the value of innovation as a competing interest itself is questionable. It is not a competing right, nor a legitimate public interest endeavour, nor a proven social good.

The idea that in policymaking, technological innovations may compete with privacy of individuals assumes that there is social and/or economic good in allowing unrestricted access to data. The social argument is premised on the promises of mathematical models and computational capacity being capable of identifying key insights from data. In turn, these insights may be useful in public and private decision-making. However, it must be remembered that data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way. Sufficient research suggests that indiscriminate data collection is greatly increasing the ratio of noise to signal, and can lead to erroneous insights. Further, the greater the amount of data you collect, the greater is the attack surface that leads to cybersecurity risks. Further, incidents such as Facebook–Cambridge Analytica demonstrate that toxicity of data in various ways and underscores the need for data regulation at every stage of the data lifecycle (Scheiner 2016). These are important tempering factors that need to be kept in mind while evaluating data innovation as a key mover of policy or regulation.

Privacy as Social Good

As long as privacy is framed as arising primarily from individual control, data controllers will continue to engage in practices that compromise the ability to exercise choice. There is a need to view privacy as a social good, and policymaking should ensure its preservation and enhancement. Contractual protections and legal sanctions can themselves do little if platform architectures are designed to do the exact opposite.

More importantly, policymaking needs to recognise privacy not merely as an individual right, available for individuals to forego when engaging with data-driven business models, but also as a social good. The recognition of something as a social good deems it desirable by definition, and a legitimate goal of law and policy, rather than rely completely on market forces for its achievement.

The Puttaswamy judgment (K Puttaswamy v Union of India 2017) lends sufficient weight to privacy’s social value by identifying it as fundamental to any individual development through its dependence on solitude, anonymity, and temporary releases from social duties.

Sociological scholarship demonstrates that different types of social relationships, be it Gesellschaft (interest groups and acquaintances) or Gemeinschaft (friendship, love, and marriage), and the nature of these relationships depend on the ability to conceal certain things (Simmel 1906). Demonstrating this in the context of friendships, it has been stated that such relationships “present a very peculiar synthesis in regard to the question of discretion, of reciprocal revelation and concealment.” Friendships, much like most other social relationships, are very much dependent on our ability to selectively present ourselves to others. Contrast this with Zuckerberg’s stated aim of making the world more “open” where information about people flows freely and effectively without any individual control. Contrast this also with government projects such as the Aadhaar which intends to act as one universal identity which can provide a 360-degree view of citizens.

Other scholars such as Julie Cohen (2012) and Anita Allen (2011) have demonstrated that data that a person produces or has control over concerns both herself and others. Individuals can be exposed not only because of their own actions and choices, but also made vulnerable merely because others have been careless with their data. This point is amply demonstrated in the Facebook–Cambridge Analytica incident. What this means is that protection of privacy requires not just individual action, but in a sense, requires group co-ordination. It is my argument that this group interest of privacy as a social good must be the basis of policymaking and regulation of data in the future, in addition to the idea of privacy as an individual right. In the absence of attention to the social good aspect of privacy, individual consumers are left to their own devices to negotiate their privacy trade-offs with large companies and governments and are significantly compromised.

What this translates into is a regulatory framework and data protection frameworks should not be value-neutral in their conception of privacy as a facet of individual control. The complete reliance of data regulation on the data subject to make an informed choice is, in my opinion, an idea that has run its course. If privacy is viewed as a social good, then the data protection framework, including the laws and the architecture must be designed with a view to protect it, rather than leave it entirely to the market forces.

The Way Forward

Data protection laws need to be re-evaluated, and policymakers must recognise Lawrence Lessig’s dictum that “code is law.” Like laws, architecture and norms can play a fundamental role in regulation. Regulatory intervention for technology need not mean regulation of technology only, but also how technology itself may be leveraged for regulation (Lessig 2006; Reidenberg 1998). It is key that the latter is not left only in the hands of private players.
Zuckerberg, in his testimony (Washington Post 2018) before the United States Senate's Commerce and Judiciary committees, asserted that "AI tools" are central to any strategy for addressing hate speech, fake news, and manipulations that use data ecosystems for targeting.

What is most concerning in his testimony is the complete lack of mention of standards, public scrutiny and peer-review processes, which “AI tools” and regulatory technologies need to be subject to. Further, it cannot be expected that data-driven businesses will view privacy as a social good or be publicly accountable.

As policymakers in India gear up for writing the country’s data protection law, they must acknowledge that their responsibility extends to creating norms and principles that will inform future data-driven platforms and regulatory technologies.

Since issues of privacy and data protection will have to be increasingly addressed at the level of how architectures enable data collection, and more importantly how data is used after collection, policymakers must recognise that being neutral about these practices is no longer enough. They must take normative positions on data collection, processing and sharing practices. These positions cannot be implemented through laws only, but need to be translated into technological solutions and norms. Unless a multipronged approach comprising laws, architecture and norms is adopted, India’s new data protection regime may end up with limited efficacy.

For more details visit https://cis-india.org/internet-governance/blog/epw-amber-sinha-may-18-2018-for-indias-data-protection-regime-to-be-efficient-policymakers-should-treat-privacy-as-a-social-good

India's Contribution to Internet Governance Debates

sunil — 2018-08-16T13:32:54Z

For more details visit https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates

India's Biometric Identification Programs and Privacy Concerns

divij — 2016-07-21T10:51:42Z

The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.

Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.

‘Big Data’ and Privacy Issues

Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,[1] the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.[2] The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.

Biometric ID and Theft of Private Data

The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.

Biometric data and Potential Misuse

Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.[4] The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]

A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.[5] Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.[6] With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.[7]

With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.[8] Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]

Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.

[1]. http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections.

[2]. http://www.wired.com/threatlevel/2008/03/hackers-publish.

[3].https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions.

[4]. http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001.

[5]. http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece.

[6]. http://news.bbc.co.uk/2/hi/8691753.stm

[7]. Supra note 1.

For more details visit https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns