Centre for Internet and Society

Draft Law Would Prohibit Showing ‘Disputed Areas’ on Maps of India

subha — 2016-05-15T13:05:41Z

Maps that label geographic areas of conflict as “disputed” territories in India could put one behind bars for seven years with 1B Indian Rupees (US$15M) penalty if a recently proposed bill becomes law.

The article was published in Global Voices on May 11, 2016.

The controversial bill, also known as Geospatial Information Regulation Bill 2016 would make it illegal to “depict, disseminate, publish or distribute any wrong or false topographic information of India including international boundaries through internet platforms or online services or in any electronic or physical form.”

If approved, it could put large corporations like Google (with its Google map), free and open source projects like Wikipedia and Open Street Map, and several other organizations in trouble for showing areas of conflict as disputed. Pakistan-Occupied Kashmir (PoK) and Arunachal Pradesh near the China border are two well-known examples of such areas.

The Indian government ruled by Bharatiya Janata Party (BJP) under the leadership of Prime Minister Narendra Modi has been quite critical of the depiction of the PoK and China border in Arunachal Pradesh.

If passed in the parliament as law, it could prevent Indians and foreigners, government employees and people traveling in ships and aircrafts that are registered in India, to acquire geospatial imagery or data. To acquire such data, one needs to obtain permissions from the security vetting authority.

In recent years, the Indian government has targeted numerous foreign publications including Al Jazeera for showing distorted maps of India that excluded parts of the state of Jammu and Kashmir and even another state Arunachal Pradesh. While the bill does not explicitly mention these efforts, it seems to fall in line with these previous attempts to control the free flow of geospatial information.

A news article about the proposed bill published on the portal MediaNama explains how the potential law could affect map portals like Open Street Map and Google Maps, taxi, e-commerce and public safety sites and many other services that allow marking and sharing coordinates. “Most digital photographs contain location meta-data, and by sharing your photos online, you’re adding to a repository of data related to man-made phenomenon,” suggests the same article. Open data advocates also have published list of 25 different services, seven major news portals, and 14 nonprofits that would be affected if the bill is approved.

The Open Data community of India also has come up with a campaign “SaveTheMap” to draft a request to the government to not pass the bill. The draft request states:

Request for comments / suggestions on draft “The Geospatial Information Regulation Bill, 2016” To regulate the acquisition, dissemination, publication and distribution of geospatial information of India which is likely to affect the security, sovereignty and integrity of India, a draft “The Geospatial Information Regulation Bill, 2016” has been prepared. Copy of the draft “The Geospatial Information Regulation Bill, 2016” is attached herewith for comments/suggestions. The comments/suggestions on the draft Bill may be forwarded to the Joint Secretary (Internal Security-I), Ministry of Home Affairs, North Block, New Delhi at email id: jsis@nic.in within 30 days.

There has been a lot of discussion with hashtag #GeoSpatialBill and humorous comments on social media:

Many have already started tweeting with the hashtag #savethemap:

Twitter user Prasanto Roy explained the implications of geospatial bill for various companies including Google, Uber and Open street maps:

Here's what other experts have to say:

Arup. R writes in Geospatial World:

This Act needs to be dropped. In its attempt to cover all bases it has been made so broadband and all encompassing that it may actually impede the progress of work on Geospatial systems and therefore on key Government programmes and projects. The Act does not take into account the fact that with the advent of the Cloud, Data as a Service, Software as a Service and Platform as a Service there is no need for ‘persons’ to possess data. They can just access data, do their work and retain only the final results. This Act does not, in fact cannot, even begin to comprehend the paradigm shift in geospatial technologies which makes it a non-starter.

India does need a Geospatial Information Act, but it has to be an enabling and encouraging Act that makes for faster and better implementation of programmes, not a regressive and punitive Act as the proposed one.

Devdutta Tengshe writes about the overreaching ambit of Geospatial bill on Medium:

Worst of all, it (the bill) is trying to implement Security by Obscurity, which is expecting the country to become secure by hiding information from its citizens. This is dangerous, because the real mischief creators, be they terrorists, Foreign government agencies, or domestic criminals, will most likely have access to kind of data from foreign sources, and will not even think about getting permits and licenses from these Indian Authorities.

Cyber law expert Pavan Duggal told The Wire:

The draft legislation has the intrinsic problem that it has been given extra-territorial applicability in terms of jurisdiction. It is applicable to any person anywhere in the world. We have historically seen that such jurisdiction does not work well in practical terms. What if global players do not want to take your licence or subject themselves to your jurisdiction?

Duggal further spoke about how the law could impact the growth of e-commerce and m-commerce in India.

Under this law, Google Maps will be illegal without a licence, which means that all mobile or e-commerce applications working on Google Maps will also become illegal. The licence will also only be applicable to the concerned person. So if I am a taxi aggregator like Ola or Uber, I will have to get a separate licence over and above what Google Map has.

Indian Express calls the Geospatial bill a death note for Cartography:

The draft Geospatial Information Regulation Bill of 2016 is so perfectly ridiculous that one can only hope that it falls off the map before it can be tabled in the House. Publishers the world over have learned, to their bewildered amusement, that India censors maps of itself. Now, to strike fear into their anti-national gizzards, the government has invoked an official map censor, a babu-led organisation whose prior permission will be required to publish geospatial information, which is newspeak for maps. Failure to correctly depict the borders of India could attract a fine of up to Rs 100 crore, before the poor offending bozo is dragged away to the cooler for seven years. With this draft, the government has embarked on a journey without maps, which must rapidly become directionless.

Not the first time around?

Meanwhile, this clearly isn't the first time that services such as Google Maps have come under the federal scanner in India. In 2014, India's prime investigation agency Central Bureau of Investigation (CBI) had launched a probe into Google Maps’ irregularities in Mapathon 2013 and had accused the company of running the competition without procuring proper governmental permissions. But the agency had called off the case citing lack of ‘adequate evidence to corroborate the allegations’.

For more details visit https://cis-india.org/a2k/blogs/draft-law-would-prohibit-showing-2018disputed-areas2019-on-maps-of-india

Draft International Principles on Communications Surveillance and Human Rights

elonnai — 2013-07-12T15:55:45Z

These principles were developed by Privacy International and the Electronic Frontier Foundation and seek to define an international standard for the surveillance of communications. The Centre for Internet and Society has been contributing feedback to the principles.

The principles are still in draft form. The most recent version can be accessed here. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Our goal is that these principles will provide civil society groups, industry, and governments with a framework against which we can evaluate whether current or proposed surveillance laws and practices are consistent with human rights. We are concerned that governments are failing to develop legal frameworks to adhere to international human rights and adequately protect communications privacy, particularly in light of innovations in surveillance laws and techniques.

These principles are the outcome of a consultation with experts from civil society groups and industry across the world. It began with a meeting in Brussels in October 2012 to address shared concerns relating to the global expansion of government access to communications. Since the Brussels meeting we have conducted further consultations with international experts in communications surveillance law, policy and technology.[1]

We are now launching a global consultation on these principles. Please send us comments and suggestions by January 3rd 2013, by emailing rights (at) eff (dot) org.

Preamble
Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and association, and is recognised under international human rights law.[2] Activities that infringe on the right to privacy, including the surveillance of personal communications by public authorities, can only be justified where they are necessary for a legitimate aim, strictly proportionate, and prescribed by law.[3]

Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications generally limited access to personal communications by public authorities. In recent decades, those logistical barriers to mass surveillance have decreased significantly. The explosion of digital communications content and information about communications, or “communications metadata”, the falling cost of storing and mining large sets of data, and the commitment of personal content to third party service providers make surveillance possible at an unprecedented scale.[4]

While it is universally accepted that access to communications content must only occur in exceptional situations, the frequency with which public authorities are seeking access to information about an individual’s communications or use of electronic devices is rising dramatically—without adequate scrutiny. [5] When accessed and analysed, communications metadata may create a profile of an individual's private life, including medical conditions, political and religious viewpoints, interactions and interests, disclosing even greater detail than would be discernible from the content of a communication alone. [6] Despite this, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.

It is therefore necessary that governments, international organisations, civil society and private service providers articulate principles establishing the minimum necessary level of protection for digital communications and communications metadata (collectively "information") to match the goals articulated in international instruments on human rights— including a democratic society governed by the rule of law. The purpose of these principles is to:

Provide guidance for legislative changes and advancements related to communications and communications metadata to ensure that pervasive use of modern communications technology does not result in an erosion of privacy.
Establish appropriate safeguards to regulate access by public authorities (government agencies, departments, intelligence services or law enforcement agencies) to communications and communications metadata about an individual’s use of an electronic service or communication media.

We call on governments to establish stronger protections as required by their constitutions and human rights obligations, or as they recognize that technological changes or other factors require increased protection.

These principles focus primarily on rights to be asserted against state surveillance activities. We note that governments are required not only to respect human rights in their own conduct, but to protect and promote the human rights of individuals in general.[7] Companies are required to follow data protection rules and yet are also compelled to respond to lawful requests. Like other initiatives,[8] we hope to provide some clarity by providing the below principles on how state surveillance laws must protect human rights.

The Principles

Legality: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process

Legitimate Purpose: Laws should only allow access to communications or communications metadata by authorised public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.

Necessity: Laws allowing access to communications or communications metadata by authorised public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.

Adequacy: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.

Competent Authority: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.

Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should at a minimum establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.

Due process: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.[9]While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorisation by a competent authority, except when there is imminent risk of danger to human life. [10]

User notification: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.

Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations, and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.

Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at a minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. [11]

Integrity of communications and systems: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.

Safeguards for international cooperation: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.

Safeguards against illegitimate access: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.

Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.

Signatories

Organisations

Article 19 (International)
Bits of Freedom (Netherlands)
Center for Internet & Society India (CIS India)
Derechos Digitales (Chile)
Electronic Frontier Foundation (International)
Privacy International (International)
Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (Canada)
Statewatch (UK)

Individuals

Renata Avila, human rights lawyer (Guatemala)

Footnotes

[1]For more information about the background to these principles and the process undertaken, see https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance
[2]Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights, International Covenant on Civil and Political Rights Article 17; regional conventions including Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; Johannesburg Principles on National Security, Free Expression and Access to Information, Camden Principles on Freedom of Expression and Equality.
[3]Martin Scheinin, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” p11, available at http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf. See also General Comments No. 27, Adopted by The Human Rights Committee Under Article 40, Paragraph 4, Of The International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9, November 2, 1999, available at http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument.
[4]Communications metadata may include information about our identities (subscriber information, device information), interests, including medical conditions, political and religious viewpoints (websites visited, books and other materials read, watched or listened to, searches conducted, resources used), interactions (origins and destinations of communications, people interacted with, friends, family, acquaintances), location (places and times, proximities to others); in sum, logs of nearly every action in modern life, our mental states, interests, intentions, and our innermost thoughts.
[5]For example, in the United Kingdom alone, there are now approximately 500,000 requests for communications metadata every year, currently under a self-authorising regime for law enforcement agencies, who are able to authorise their own requests for access to information held by service providers. Meanwhile, data provided by Google’s Transparency reports shows that requests for user data from the U.S. alone rose from 8888 in 2010 to 12,271 in 2011.
[6]See as examples, a review of Sandy Petland’s work, ‘Reality Mining’, in MIT’s Technology Review, 2008, available at http://www2.technologyreview.com/article/409598/tr10-reality-mining/ and also see Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’, Communications of the ACM, Volume 47 Issue 3, March 2004, pages 77 - 82.
[7]Report of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, May 16 2011, available at http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf
[8]The Global Network Initiative establishes standards to help the ICT sector protect the privacy and free expression of their users. See http://www.globalnetworkinitiative.org/
[9]As defined by international and regional conventions mentioned above.
[10]Where judicial review is waived in such emergency cases, a warrant must be retroactively sought within 24 hours.
[11]One example of such a report is the US Wiretap report, published by the US Court service. Unfortunately this applies only to interception of communications, and not to access to communications metadata. See http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx. The UK Interception of Communications Commissioner publishes a report that includes some aggregate data but it is does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top.

For more details visit https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights

Draft Digital Communications Policy

Gurshabad Grover — 2018-06-07T02:02:29Z

For more details visit https://cis-india.org/internet-governance/files/draft-digital-communications-policy

Draft Annual Report (2010-11)

praskrishna — 2014-10-21T23:55:55Z

This is the draft of the 2010-11 Annual Report.

For more details visit https://cis-india.org/about/reports/annual-report-2010-2011.pdf

DP Compendium

Admin — 2018-05-31T16:00:24Z

For more details visit https://cis-india.org/internet-governance/files/dp-compendium

Dot Bharat domain to roll out on August 21

praskrishna — 2014-09-08T07:08:32Z

Web addresses are set to get multilingual in India. Soon you will be able to type in addresses in a web browser in the Devnagri script – with “dot bharat” standing in for the currently common “dot in” domain to begin with. The roll-out of the same begins on August 21.

This was originally published by IANS and mirrored in Firstpost on August 19, 2014. Sunil Abraham gave his inputs.

In the 90-day “sunrise period” of the roll-out those with registered trademarks will be able to register domain names in languages that use the Devnagri script, such as Hindi, Marathi, Boro, Dogri etc. After the sunrise period, it will be thrown open to regular users of the internet.

The National Internet Exchange of India (NIXI), an autonomous non-profit organisation, is responsible for peering of ISPs and routing the domestic traffic within the country. The NIXI and the government’s Centre for Development of Advanced Computing (C-DAC) have worked on enabling this country code top level domain (ccTLD) of dot bharat. They say more such domains in different scripts and languages will eventually follow.

Currently, one can find content in various languages online. However, the URLs or web addresses are in English. With this rollout, even URLs would be in Hindi or Marathi. “Once the sunrise period runs smoothly, we will introduce other languages in other scripts such as Bengali, Punjabi, Kannada, Telugu etc. There is no timeline set for it yet, but we hope there will be enough pressure with the adoption of the Devnagri domains to implement it soon,” says Mahesh Kulkarni, program coordinator at the C-DAC, heading the language technology group.

A few government websites too will be a part of the launch next week by the union minister of communications and information technology, Ravi Shankar Prasad. “For example, the pmindia dot gov dot in will be pradhanmantri dot sarkar dot bharat,” says Dr Govind, CEO of NIXI.

While some quarters have welcomed the introduction of the new domain, others are doubtful of its success given the low internet penetration and low literacy rate in the country. A June 2014 report from research firm eMarketer, India had the third largest online user-base globally after China and the US but had the lowest internet penetration growth in Asia Pacific at 17.4%. Osama Manzar, who heads the Digital Empowerment Foundation, suggests getting more people and public institutions online rolling out local language domain names.

“This is not a bad move, but I doubt and wonder if it will encourage people to buy domain names in Indian languages. Is it in sync with the national digital infrastructure? It is important that the government encourage every department and village panchayat to get online with a website along with this,” says Manzar.

Sahitya Akademi-winning Hindi writer Uday Prakash finds the Devnagri domain a welcome move, but stresses on the importance of making quality content in regional languages available online. “It’s a good step and will help those who are not comfortable with English. However, the problem remains that most of the content online is in English. If I search for Robin Williams in English, I will find hundreds of webpages. But if I google the same name in Devnagri, I’ll hardly find anything,” says Prakash.

On the other hand, there is also the view that the move towards a multilingual web need not follow a set path. “If a poor person buys a mobile phone before he build a toilet, who are we to judge? It is a market phenomenon. Like a jigsaw, some pieces of the puzzle may be worked out in advance. There are things like Indic input keyboards, text to speech and speech to text that need to be in place before an Indic language speaker can have the same experience as an English language user of the internet,” says Sunil Abraham, executive director of Bangalore-based research organization Center for Internet and Society.

In October 2013, the Internet Corporation for Assigned Names and Numbers (ICANN) delegated generic top level domains in Arabic, Chinese and Cyrillic scripts. This was under the Internationalized Domain Name (IDN) fast track process of the ICANN, which began in 2009, inviting requests from countries for territory names in scripts other than Latin. Meanwhile domestically, the union government has made a push for the use of local languages.

For more details visit https://cis-india.org/a2k/news/tech-first-post-dot-bharat-domain-to-roll-out-on-august-21

Dont hang up on this one

praskrishna — 2011-04-02T11:42:41Z

Is 3G the next twist in the mobile phone growth story?

The ubiquitous mobile phone is the story of the decade that just passed us by. Now with the superfast 3G technology set to storm the market, consumers are eagerly awaiting faster data access and multimedia services, and it isn't time to hang up on the Indian telecom story.

From a clunky walkie-talkie like device that was nearly as exclusive as the landline, to an “anywhere, anytime” device that doubles as your computer, browser, map or even digital cash, the mobile phone has taken rapid strides in recent years.

In early 2000, Karnataka and Maharashtra led the mobile phone growth. However, experts often differ on when exactly the cellphone “explosion” began and what triggered it. Is it low-cost, mass market handsets that made it possible for just about anyone to “be connected” or the sophisticated smart phone that brought hitherto unforeseen experiences onto the mobile? Further, like mobile phone manufacturers, service providers too have been involved in a fierce price war to woo customers.

Sustained growth

According to an April 2010 TRAI report, there are 601.22 million wireless phone connections in the country and a teledensity (phones per 100 people) of over 50.98.

While wireless connections are growing by nearly three per cent every month, wireless connections declined by 0.4 per cent in April.

So what will 3G do that will change the way we connect to our devices?

Currently, our mobile phones are devices that we use to talk, stay connected — even feel safe in this instant connectivity — click or transfer pictures, listen to music or capture videos. “The future will be about livelihood applications.

Services, which have thus far focussed on how to get money from consumers' pockets, will move towards evolving ways to put money back in their pockets,” says S.R. Raja, president and co-founder of Mobile Monday.

Mr. Raja alludes to services in the agricultural sector or existing commerce-based applications that will get a boost once 3G enters.

For instance, he points to a Sasken Technologies pilot initiative in rural Tamil Nadu which helps women's self-help groups sell their produce by providing access to pricing details, thereby eliminating middlemen.

While larger services and societal applications in the field of e-learning and telemedicine are likely to pick up, for the common user it means access to live video and multimedia content. The 3G rollout will transform the way we use our cellphone, experts say.

Scepticism

However, others are sceptical and far less optimistic about this “radical change” and believe that the 3G take-off may not be as smooth as people would like to believe.

“3G may not deliver in the short-term for the ordinary Indian. Smart phones are still expensive. Data services will be expensive as telecom operators will try to recoup what they spent on the spectrum auction,” says Sunil Abraham, researcher and director of the Centre for Internet and Society.

The Government should start considering spectrum a public good and additionally consider open or shared spectrum to lower costs for projects run by public institutions or non-governmental organisations. Only then will the poor of India transcend SMS, he adds.

Read the original article in the Hindu

For more details visit https://cis-india.org/news/dont-hang-up

Does the Social Web need a Googopoly?

rebecca — 2011-08-18T05:06:37Z

While the utility of the new social tool Buzz is still under question, the bold move into social space taken last week by the Google Buzz team has Gmail users questioning privacy implications of the new feature. In this post, I posit that Buzz highlights two privacy challenges of the social web. First, the application has sidestepped the consensual and contextual qualities desirable of social spaces. Secondly, Google’s move highlights the increasingly competitive and convergent nature of the social media landscape.

Last week, and for many a surprise, Google launched its new social networking platform, Buzz. The new service is Google’s effort to amplify the “social nature” of their services by integrating them under one platform, and adding some extra social utility. The social application runs from the Gmail interface, but also links other Google accounts a user may have, including albums on Picasa, and Google Reader. The service also allows for the sharing from external sources, such as photos on Flickr, and videos from YouTube. The service also allows users to post, like, or dislike the status updates of others which may be publicly searchable if the user opts. Before a Gmail user may fully participate in Google Buzz service, a unique Google Personal Profile must be created.

User Consent

Much of the buzz surrounding the new social networking service last week wasn’t paying much lip service to the new application. Instead, an uproar of privacy concerns continued to dominate the Buzz scene, with many critics quickly labeling Buzz a “privacy nightmare”. A formal complaint has been already filed with the US Federal Trade Commission in response to Google’s new privacy violating service. A second-year Harvard Law student has also filed a class-action suit against the company for its privacy malpractices.

Much of the privacy talk thus far has focused on issues of consent, or lack thereof, in this case. Upon Buzz’s launch, Gmail users were automatically subscribed as “opting in” for the service. Google has used the private address books of millions of Gmail accounts to build social networks from the contacts users email and chat with most. To entice users into using the service, Gmail users were set to auto-follow all of their contacts, and in turn, to be followed by them, too. Furthermore, all new Buzz users had been set to automatically share all public Picasa albums and Google Reader items with their new social graph. It is argued that social network services should be opt-in, rather than opt-out, and that Buzz has violated the consensual nature of the social web.

Illuminating the complications of building a social graph from ones inbox is the story of an Australian women, who remains anonymous. As she claims, most of the emails currently received through her Gmail account, are those from her abusive ex-boyfriend. Due to Google’s assumption that Gmail users would like to be “auto-followed” by their Gmail contacts (mirroring Twitters friendship protocol), items shared between herself and new boyfriend through her Google reader account had become public to her broader social graph, including her ex-boyfriend and his harassing friends.

In a blog response directed to Google’s Buzz team, the woman scornfully wrote- “F*ck you, Google. My privacy concerns are not trite. They are linked to my actual physical safety, and I will now have to spend the next few days maintaining that safety by continually knocking down followers as they pop up. A few days is how long I expect it will take before you either knock this shit off, or I delete every Google account I have ever had and use Bing out of f*cking spite”. As this case demonstrates, the people we mail most often may not be our closest friends. As email has replaced the telephone for many as the dominate mode of communication--some contacts may be friends, however, many others may not be.

In response to the uproar, tweaks to Buzz’s privacy features have since been made. Todd Jackson, Buzz’s product manager, has also posted a public apology to the official Gmail Blog late last week for not “getting everything quite right”. The service will now assume the more user-centric “auto-suggest” model, allowing users to selectively choose the contacts they wish to follow, and will also no longer auto-link Picasa and Reader content. However, as the EPIC’s complaint notes, many are still unsatisfied with the opt-out nature of the service, arguing that users should be able to opt-into the service if they so choose, rather than having to delist themselves for a service they didn’t necessarily sign up. Ethical quandaries also still loom over Google’s misuse of the users’ private contact lists to jumpstart their new service.

Contextual Integrity

The attacks on personal privacy resulting from Google’s model are vast. As the case of the Australian woman illuminates, the concept of the “online friend” has completely taken out of context with Buzz’s initial auto-follow model. Many of the contacts we make on a daily basis need not be made public through the Google profile. For most, this Buzz’s privacy breach may be benign or annoying at most. However, those who are engaged in sensitive social or political relationships via their Gmail chat or email accounts, the revelation of common contact could have been potentially damaging for many. A reporter from CNET has cleverly labeled Buzz’ as a “socially awkward networking”, as bringing diverse contacts under one umbrella doesn’t exactly make the most social sense. In response, Gmail users are required to sort through and filter their Buzz followers according, or choose to disable the service all together.

Besides questions of who is stalking whom, the assumptive and public nature of Google’s new move has cast a shadow of doubt among Gmail users regarding the ability of Google to maintain the privacy and contextual integrity of the Gmail account. Should one account be the place to socialize, and “do business”? Gmail is, and should remain, an email service. However, Buzz takes the email experience into new and questionable grounds. Do Gmail users feel entirely comfortable having their personal email, social graph, and chat functions all coming under the auspices of one platform? Many users felt they had been lured into using a social networking service that they didn’t sign up for in the first place.

Social Media Competition

In addition to Google’s attempt to integrate their various service offerings, Buzz is seen as an obvious attempt to bolster competitiveness in the social media market. In 2004, Google released Orkut. While the service has become big in countries such as Brazil and India, it has been overshadowed by sites such as Facebook in other jurisdictions, and has not been able to prove itself as a mainstream space for networking. In the past year, Google had also launched Google Wave, a tool that mixes e-mail, with instant messaging and the ability for several people to collaborate on documents. However, the application failed to completely win over audiences, and was considered one of the top failures of 2009.

With Google unable to effectively saturate the social media ecosystem, Buzz is an attempt to compete with the searchable and real time experiences provided by social media giants, Facebook and Twitter. Increased competition within the social media market could be a positive development for privacy, as social media companies could arguably be compete on their ability to provide users with preferable privacy architectures. To the contrary, however, such competition has thus far had negative ramifications for user privacy, as the recent Buzz and Facebook moves illustrates. Facebook’s loosened privacy settings were a competitive knee-jerk to Twitters searchable and real time experience. Through a Twitter search, individuals can come to know what people are saying about a certain topic, event, or product, and as a result, the service has received a great deal attention from users, and non-users such as advertisers, alike.

In an attempt to one-up, their competition, the “Twitterization” of Facebook followed in two distinct stages. First was with the implementation of the Facebook News Feed, which gave users a real time account of actions their friends on the site. Many argued that this feature invaded user privacy. However, it was argued by Facebook that they only were making available information that was already accessible through individual profile pages. The News Feed, as it happens, effectively took user information and actions on the site out of original context by streaming this information live for others easy viewing. Information users once had to rummage for had become accessible in real time on the homepage of the service.

Secondly, Facebooks’ recent privacy scandal was a step towards making profile information more searchable and accessible to third parties, as is most often the case with the more public feeds on Twitter. As one commentator notes, “Facebook used to be very private but private is not great for search, to have great search you need all of the data to be publicly available as it mostly is on Twitter. Facebook have not quite nailed real time search yet but they are getting there and it will soon be a great way of examining sentiment across different demographics”. As a result, information on Facebook, such as name, profile picture, friends list, location and fan pages have become open access information. In addition, users on Facebook have been subjected to new privacy regime without notice, leaving their profile pages generally more open, and searchable through Google.

Converging the Online Self

The impact Buzz alone can make on the social media landscape remains questionable (Gmail heralds only 140 million accounts, which is a deficient cry from Facebooks’ 400+ million dedicated users). However, despite Googles’ in/ability to become claim hegemony over the social web landscape, the abuse of private information to launch a new service has raised serious debate over the privacy and the future of social networking. The Buzz service marks more than yet another new social networking service that brushes aside the privacy of users. As user control and privacy becomes an increasingly peripheral concern, Google’s shift toward privacy decontrol also signifies a worrisome supply-side shift towards the “convergence” of online identity.

Within this new dominant paradigm, privacy concerns are often interpreted as antithetical to competitiveness in the social media marketplace. Instead of an imagined ecosystem based on user control and privacy preference, it can now be inferred that the competiveness of social networking services will continue to disrupt the delicate balance between the public and private online. Regardless that greater visibility and searchability of the social profile may not be in the public interest, Google’s recent move works to reinforcement of the new status quo of “openness”. Furthermore, it is questionable as to how concentrated and integrated a user may want their online activities to become. A critical discourse of online privacy must, therefore, take into account the ways in which the social web has renders the user increasingly transparent through networks of networking services.

Google’s Buzz illustrates this point quite well. Initially, Gmail was a straightforward email service. Next, the AdWords advertising service and Gmail chat had become integrated into the Gmail experience. Because Google was using the confidential emails of its Gmail users, privacy concerns began to mount upon the launch of the the AdWords service. However, turmoil surrounding AdWords died down, notably as Google continues to reassert that is is bots, not humans, that are scanning the emails in order to provide the AdWords service. Next, there gradually occurred a convergence of Google services under the single social profile, or “email address”. A single Gmail account potentially includes use of with Google reader, calendar, chat, groups and an Orkut account. In terms of behavioral targeted advertising, Google has recently announced that they will be providing personalized search results even to users who have not signed up for Google services. This will be done through the placement a cookie on all machines to provide targeted advertising seamlessly through each Google search and browsing session.

While many argue that the collection of non-personally identifiable information poses no privacy harm, this assumption needs reassessment. As Google comes to offer us more, they also come to learn more, and Buzz signifies this trend towards a Googopolized social web. To add another layer of complexity to Googles hegemony, users of the Buzz service are also required to create a “Google Profile”, which is searchable online and displays real time status updates, comments, and connections from other social network services, such as Facebook and Twitter. As Google recently launched the beta version of the new Social Search, Buzz was just the service required to increase the relevance to the new service by encouraging Gmail users to publish even more personal information. The creation of a personal Google profile, which is indexed and searchable, raises many concerns about privacy and identity, and doubts are continually raised over how much Google should come to know about us.

While Google’s services have arguably made the online social experience more seamless and tailored, it is questionable as to how relevant, or even desirable, such a shift may be. At present, it may appear that Google is wearing far too many hats, and users should be wary of placing all eggs into one basket. As the launch of Buzz has shown us, user consent and the contextual integrity of private personal information can be compromised when a diverse number of online services are integrated and given a social spin. When competition among social web providers drives users to lose control of the private information which is inherently theirs, critical questions surrounding competition, convergence and privacy require critical exploration.

For more details visit https://cis-india.org/openness/blog-old/does-the-social-web-need-a-googopoly

Does the Safe-Harbor Program Adequately Address Third Parties Online?

rebecca — 2011-08-02T07:19:34Z

While many citizens outside of the US and EU benefit from the data privacy provisions the Safe Harbor Program, it remains unclear how successfully the program can govern privacy practices when third-parties continue to gain more rights over personal data. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem.

To date, the EU-US Safe Harbor Program leads in governing the complex and multi-directional flows of personal information online. As commerce began to thrive in the online context, the European Union was faced with the challenge of ensuring that personal information exchanged through online services were granted levels of protect on par with provisions set out in EU privacy law. This was important, notably as the piecemeal and sectoral approach to privacy legislation in the United states was deemed incompatible with the EU approach. While the Safe Harbor program did not aim to protect the privacy of citizens outside of the European Union per say, the program has in practice set minimum standards for online data privacy due to the international success of American online services.

While many citizens outside of the US and EU benefit from the Safe Harbor Program, it remains unclear how successful the program will be in an online ecosystem where third-parties are being granted increasingly more rights over the data they receive from first parties. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem. First, I will argue that the safe harbor program does not do enough to ensure that participants are held reasonably responsible third party privacy practices. Second, I will argue that the information asymmetries created between first party sites, citizens, and governance bodies vis-à-vis third parties obscures the application of the Safe Harbor Model.

The EU-US Safe-Harbor Agreement

In 1995, and based on earlier OECD guidelines, the EU Data Directive on the “protection of individuals with regard to the processing of personal data and the free movement of such data” was passed [1]. The original purpose of the EU Privacy Directive was not only to increase privacy protection within the European Union, but to also promote trade liberalization and a single integrated market in the EU. After the Data Directive was passed, each member state of the EU incorporated the principles of the directive into national laws accordingly.

While the Directive was successful in harmonizing data privacy in the European Union, it also embodied extraterritorial provisions, giving in reach beyond the EU. Article 25 of the Directive states that the EU commission may ban data transfers to third countries that do not ensure “an adequate level of protect’ of data privacy rights [2]. Also, Article 26 of the Directive, expanding on Article 25, states that personal data cannot be transferred to a country that “does not ensure an adequate level of protection” if the data controller does not enter into a contract that adduces adequate privacy safeguards [3].

In light of the increased occurrence of cross-border information flows, the Data Directive itself was not effective enough to ensure that privacy principles were enforced outside of the EU. Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law. Therefor, the EU-US Safe-Harbor was established by the EU Council and the US Department of Commerce as a way of mending the variant levels of privacy protection set out in these jurisdictions, while also promoting online commerce.

Social Networking Sites and the Safe-Harbor Principles

The case of social networking sites exemplifies the ease with which data is transferred, processed, and stored between jurisdictionas. While many of the top social networking sites are registered American entities, they continue to attract users not only from the EU, but also internationally. In agreement to the EU law, many social networking sites, including LinkedIn, Facebook, Myspace, and Bebo, now adhere to the principles of the program. The enforcement of the Safe Harbor takes place in the United States in accordance with U.S. law and relies, to a great degree, on enforcement by the private sector. TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor program among social networking sites.

Drawing broadly on the principles embodied within the EU Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor were developed. These principles include Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity and Enforcement. The principle of “Notice” sets out that organizations must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it disclosures the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

“Choice” ensures that individuals have the opportunity to choose to opt out whether their personal information is disclosed to a third party, and to ensure that information is not used for purposes incompatible with the purposes for which it was originally collected. The “Onward Transfer” principle ensures that third parties receiving information subscribes to the Safe Harbor principles, is subject to the Directive, or enters into a written agreement which requires that the third party provide at least the same level of privacy protection as is requires by the relevant principles.

The principles of “Security” and “Data Integrity” seek to ensure that reasonable precautions are taken to protect the loss or misuse of data, and that information is not used in a manner which is incompatible with the purposes for it is has been collected—minimizing the risk that personal information would be misused or abused. Individuals are also granted the right, through the access principle, to view the personal information about them that an organization holds, and to ensure that it is up-to-date and accurate. The “Enforcement” principle works to ensure that an effective mechanism for assuring compliance with the principles, and that there are consequences for the organization when the principles are not followed.

The principles of the program are rather quite clear and enforceable in the first party context, despite some prevailing ambiguities. The privacy policies of most social networking services have become increasingly clear and straightforward since their inception. Facebook, for example, has revamped its privacy regime several times, and gives explicit notice to users how their information is being used. The privacy policy also explains the relationship between third parties and your personal information—including how it may be used by advertisers, search engines, and fellow members.

With respect to third party advertisers, principles of “choice” are clearly granted by most social networking services. For example, the Network Advertising Initiative, a self-regulatory initiative of the online advertising industry, clearly lists its member websites and allows individuals to opt out of any targeted advertising conducted by its members. In Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s opt out features is given, allowing individuals to make somewhat informed choices about their participation in such programs. This point is, of course, in light of the fact that most users do not read or understand the privacy policies provided by social networking sites [4]. It is also important to note that Google—a major player in the online advertising business, does not grant users of Buzz and Orkut the same “opt-out” options as sites such as Facebook and Bebo.

Under the auspices of the US Federal Trade Commission, the Safe Harbor Program has also successfully investigated and settled several privacy-related breaches which have taken place on social networking sites. Of the most famous cases is Lane et al. v. Facebook et al., which was a class action suit brought against Facebook’s Beacon Advertising program. The US Federal Trade Commission was quick to insight an investigation of the program after many privacy groups and individuals became critical of its questionable advertising practices. The Beacon program was designed to allow Facebook users to share information with their friends about actions taken on affiliated, third party sites. This had included, for example, the movie rentals a user had made through the Blockbuster website.

The Plaintiffs filed a suit, alleging that Facebook and its affiliates did not give users adequate notice and choice about Beacon and the collection and use of users’ personal information. The Beacon program was ultimately found to be in breach of US law, including the Video Privacy Protection Act, which bans the disclosure of personally identifiable rental information. Facebook has announced the settlement of the lawsuit, not bringing individual settlements, but a marked end to the program and the development of a 9.5 million dollar Facebook Privacy Fund dedicated to privacy and data-related issues. Other privacy related investigations of social networking sites launched by the FTC under the Safe Harbor Program include Facebook’s privacy changes in late 2009, and the Google’s recently released Buzz application.

Despite the headway the Safe Harbor is making, many privacy related questions remain ambiguous with respect to the responsibilities social networking sites through the program. For example, Bebo reserves the right to supplement a social profile with addition information collected from publicly available information and information from other companies. Bebo’s does adhere to the “notice principle”—as it makes know to users how their information will be used through their privacy policy. However, it remains unclear if appropriate disclosures are given by Bebo as required by Safe Harbor Framework, notably as the sources of “publicly available information” as a concept remains broad and obscured in the privacy policy. It is also unclear whether or not Bebo users are able to, under the “Choice” principle, refuse to having their profiles from being supplemented by other information sources. Also, under the “access principle”, do individuals have the right to review all information held about them as “Bebo users”? The right to review information held by a social networking site is an important one that should be upheld. This is most notable as supplementary information from outside social networking services is employed to profile individual users in ways which may work to categorize individuals in undesirable ways.

The Third Party Problem

Cooperation between social networking sites and the Safe Harbor has improved, and most of these sites now have privacy policies which explicitly address the principles of the Program. It should also be noted that public interest groups, such as Epic, the Center for Digital Democracy, and The Electronic Frontier Foundation, have played a key role in ensuring that data privacy breaches are brought to the attention of the FTC under the program. While the program has somewhat adequately addressed the privacy practices of first party participants, the number of third parties on social networking sites calls into question the comprehensiveness and effectiveness of the Safe Harbor program. Facebook itself as a first party site may adhere to the Safe Harbor Program. However, its growing number third party platform members may not always adhere to best practices in the field, nor can Facebook or the Safe Harbor Program guarantee that they do so.

The Safe Harbor Program does require that all participants take certain security measures when transferring data to a third party. Third parties must either subscribe to the safe harbor principles, or be subject to the EU Data Directive. Alternatively, an organization can may also enter into a written agreement with a third party requiring that they provide at least the same level of privacy protection as is required by program principles. Therefore, third parties of participating program sites are, de facto, bound by the safe harbor principles by the way of entering into agreement with a first party participant of the program. This is the approach taken by most social networking sites and their third parties.

It is important to note, however, that third parties are not governed directly by the regulatory bodies, such as the FTC. The safe harbor website also explicitly notes that the program does not apply to third parties. Therefore, as per these provisions, Facebook must adhere to the principles of the program, while its third party platform members (such as social gaming companies), only must do so indirectly as per a separate contract with Facebook. The effectiveness of this indirect mode of governing of third party privacy practices is questionable for numerous reasons.

Firstly, while Facebook does take steps to ensure that third parties use information from Facebook in a manner which is consistent to the safe harbor principles, the company explicitly waives any guarantee that third parties will “follow their rules”. Prior to allowing third parties to access any information about users, Facebook requires third parties to agree to terms that limit their use of information, and also use technical measures to ensure that they only obtain authorized information. Facebook also warns users to “always review the policies of third party applications and websites to make sure you are comfortable with the ways in which they use information”. Not only are users required to read the privacy policies of every third party application, but are also expected to report applications which may be in violation of privacy principles. In this sense, Facebook not only waives responsibility for third party privacy breaches, but also places further regulatory onus upon the user.

As the program guidelines express, the safe harbor relies to a great degree on enforcement by the private sector. However, it is likely that a self-regulatory framework may lead the industry into a state of regulatory malaise. Under the safe harbor program, Facebook must ensure that the privacy practices of third parties are adequate. However, at the same time, the company may simultaneously waiver their responsibility for third party compliance with safe harbor principles. Therefore, it remains questionable as to where responsibility for third parties exactly lies. When third parties are not directly answerable to the governing bodies of safe harbor program, and when first parties can to waive responsibility for their practices, from where does the incentive to effectively regulate third parties to come from?

While Facbeook may in fact take reasonable legal and technical measures to ensure third party compliance, the room for potential dissonance between speech and deed is worrisome. Facebook is required to ensure that third parties provide “at least the same level of privacy protection” as they do. However, in practice, this has yet to become the case. A quick survey of twelve of the most popular Platform Applications in the gaming category showed that third parties are not granting their users the “same level of privacy protection”[5]. For example, section 9.2.3 of Facebooks “Rights and Responsibilities” for Developers/Operators of applications/sites states that they must “have a privacy policy or otherwise make it clear to users what user data you are going to use and how you will use, display, or share that data”.

However, out of the 12 gaming applications surveyed, four companies failed to make privacy policies available to users before they granted the application access to the personal information, including that of their friends [6]. After searching for the privacy policies on the websites of each of the four social gaming companies, two completely failed to post privacy policies on their central websites. This practice is in direct breach of the contract made between these companies and Facebook, as mentioned above. In addition to many applications failing to clearly post privacy policies, many of provisions set out in these policies were questionable vis-à-vis safe harbor principles.

For example Zynga, makes of popular games Mafia Wars and Farmville, reserve the right to “maintain copies of your content indefinitely”. This practice remains contrary to Safe Harbor principles which states that information should not be kept for longer than required to run a service. Electronic Arts also maintains similar provisions for data retention in its privacy policy. Such practices are rather worrisome also in light of the fact that both companies also reserve the right to collect information on users from other sources to supplement profiles held. This includes (but is not limited to) newspapers and Internet sources such as blogs, instant messaging services, and other games. It is also notable to mention that only one of the twelve social gaming companies surveyed directly participates in the safe harbor program.

In addition to the difficulties of ensuring that safe harbor principles are adhered to by third parties, the information asymmetries which exist between first party sites, citizens, and governance bodies vis-à-vis third parties complicate this model. Foremost, it is clear that Facebook, despite its resources, cannot keep tabs on the practices of all of their applications. This puts into question if industry self-regulation can really guarantee that privacy is respected by third parties in this context. Furthermore, the lack of knowledge or understanding held by citizens about how third parties user their information is particularly problematic when a system relies so heavily on users to report suspected privacy breaches. The same is likely to be true for governments, too. As one legal scholar, promoting a more laisse-fair approach to third party regulation, notes—multiple and invisible third party relationships presents challenges to traditional forms of legal regulation [7].

In an “open “social ecosystem, the sheer volume of data flows between users of social networking sites and third party players appears to have become increasingly difficult to effectively regulate. While the safe harbor program has been successful in establishing best practices and minimum standards for data privacy, it is also clear that governance bodies, and public interest groups, have focused most attention on large industry players such as Facebook. This has left smaller third party players on social networking sites in the shadows of any substantive regulatory concern. If one this has become clear, it is the fact that governments may no longer be able to effectively govern the flows of data in the burgeoning context of “open data”.

As I have demonstrated, it remains questionable whether or not Facebook can regulate third parties data collection practices effectively. Imposing more stringent responsibilities on safe harbor participants could be a positive step. It is reasonable to assume that it would be undue to impose liability on social networking sites for the data breaches of third parties. However, it is not unreasonable to require sites like Facebook go beyond setting “minimum standards” for data privacy, towards taking a more active enforcement, if even through TRUSTe or another regulatory body. If the safe harbor is to be effective, it cannot allow program participants to simply wave the liability for third party privacy practices. The indemnity granted to third parties on social networking sites may deem the safe harbor program more effective in sustaining the non-liability of third parties, rather than protecting the data privacy of citizens.

[1] Official Directive 95/46/EC

[2] 95/46/EC

[3] Ibid

[4] See Acquisit, A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacy on Facebook. PET 2006

[5] Of the Privacy Policy browsed include, Zynga, Rock You!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom, Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.

[6] By adding an application, users are also sharing with third parties the information of their friends if they do not specifically opt out of this practice.

[7]See Milina, S. (2003). Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach to Online Profiling. Cardozo Arts and Entertainment Law Journal .

For more details visit https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online

Does India need its own Bayh-Dole?

sachia — 2011-04-02T15:58:46Z

Article by Pranesh Prakash, Programme Manager at Centre for Internet and Society in the Indian Express, 24 April 2009

Across the world battlelines are being drawn in the normally quiet areas of academia and research. The opposing sides: those in favour of open and collaborative research and development as a means to promote innovation, and those in favour of perpetuating the profits of big pharma companies and academic publishers. Currently before a Select Parliamentary Committee is a controversial law that will deny basic healthcare to millions by making medicines much more expensive, lock up academic knowledge, and help privatise publicly-funded research. The law titled the Protection and Utilisation of Public Funded Intellectual Property Bill 2008 (“PUPFIP Bill”, http://bit.ly/pupfip-bill) was tabled last December in the Rajya Sabha by the Minister for Science and Technology. It was created in utmost secrecy by the Department of Science and Technology, without so much as a draft version having been shared with the public for comments.

The PUPFIP Bill is an Indian version of a 1980 US legislation, the Bayh-Dole Act, and as per its statement of objects and reasons, it seeks to promote creativity and innovation to enable India “to compete globally and for the public good”. It aims to do so by ensuring the protection of all intellectual property (meaning copyright, patent, trade mark, design, plant variety, etc.) that is the outcome of government-funded research. The IP rights will be held by the grant recipient, or by the government if the recipient does not choose to protect the IP. This might seem like a good way to enable technology transfer from research institutes to the industry, but that would be a very myopic view, disregarding all evidence related to the failure of the Bayh-Dole Act. Last year Prof. Anthony So of Duke University co-authored an extensive analysis of the Bayh-Dole Act, and warned of the consequences of such legislation in developing countries.

First, such a law will shift the focus of research. Researchers will be inclined to to concentrate their efforts on issues of interest to industry, and which can have immediate benefit. This would force vital fundamental research into neglect since it cannot be commercialised with ease. Research by Saul Lach and Mark Schankerman shows that scientists are influenced by royalty rates, and will thus tend to work on industrial research rather than fundamental research. This creates, or at least exacerbates, what is popularly known as the “90/10 gap”: the fact that ninety per cent of medical research money goes into problems affecting ten per cent of the world’s population, since that ten per cent is richer.

Secondly, this law will have chilling effects on scholarly communications and promote secrecy. The Bill has requirements of non-disclosure by the grantee and the researcher to enable the commercialisation of the research, and requires researchers and institutions to inform the government before all publication of research. Such bureaucratisation of research publications will stultify intellectual pursuits. Such secrecy and permission-raj culture is anathema to intellectual and academic pursuits, where knowledge is sought to be freely disseminated, to be criticised and further revised by others. In South Africa, academics affected by the recent passage of a PUPFIP-type legislation there are questioning its constitutionality as it restrains freedom of speech.

Thirdly, this will lead to our pillars of learning and research becoming like businesses. US universities like Columbia and Duke have found themselves at the receiving end of criticism for their brazen commercialism, encouraged by the Bayh-Dole Act. Instead of promoting greater access to health for the poor, and spending money on research, the universities were spending money on patent litigation in court. The outcome of one of these cases was the rejection of Duke University’s research exemption defence (universities are generally not bound to observe patents when they wished to conduct research). The court held that the university had “business interests” which the research unmistakably furthered. This points at a fundamental divide between universities as places of learning and as places of profiteering. The Open Source Drug Discovery (OSSD) project that the Council of Scientific and Industrial Research (CSIR) is currently pursuing is a good attempt at promoting a culture of openness and transparency and collaboration, and thus ensuring cheaper and more efficient drug discovery. Even the US government is currently seeking to clear the way for generic versions of biotech drugs. In such an environment, it is counter-intuitive to bring in a regressive law, and goes against innovative efforts such as the OSSD, and will harm the generics industry.

Fourthly, the Bill assumes — erroneously, as an ever-growing amount of research demonstrates (Boldrin & Levine, Bessen & Meurer, etc.) — that intellectual property is the best and only way to promote creativity and innovation. All forms of intellectual property are state-granted monopolistic rights. At a basic level, competition promotes innovations while monopoly retards it. Much of modern science developed without the privilege of patents. Surely, Darwin and Newton were not encouraged by patents. And even whole industries — like the software industry — flourish without patent protection in most of the world.

The commendable aim of ensuring knowledge transfer can be accomplished much better if we refrain from giving away to private corporations (whether pharmaceutical manufacturers or publishers) exclusive rights to the product of publicly-funded research. Scientists and researchers can be encouraged to be consultants to various industrial projects, thereby ensuring that their expertise is tapped. Importantly, open access publishing which helps to ensure wide distribution and dissemination of knowledge is surely more desirable. That is the trend being followed the world over currently. The US president recently signed into law the Consolidated Appropriations Bill which makes permanent the National Institutes of Health’s open access policy. By doing so, he symbolically rejected calls (such as the much-criticised Conyers Bill) to privatise publicly funded research outputs. Thus, there are many ways by which the government can encourage innovation and creativity, and further public interest. The PUPFIP Bill, which will have deleterious unintended consequences if it is passed, is not one of them.

-----

To read the article at the Indian Express website, click here.

For more details visit https://cis-india.org/news/does-india-need-its-own-bayh-dole

dna exclusive: Geeks have a solution to digital surveillance in India: Cryptography

praskrishna — 2013-07-15T06:24:40Z

While you were thinking of what next to post on Twitter, the government has stealthily put an ambitious surveillance programme in place that tracks your every move in the digital world — through voice calls, SMS and MMS, GPRS, fax communications on landlines, video calls and emails.

The article by Joanna Lobo was published in DNA on July 7, 2013. Pranesh Prakash is quoted.

The programme, conceived in 2011, has now been brought under one umbrella referred to as the centralised monitoring system (CMS). It is the death of privacy.

But as concerned citizens argue for the need to formulate policies and laws to protect privacy, there's a simpler solution in sight for now: a CryptoParty.

At this 'party', an informal gathering of people, non-geeks can learn how to legally encrypt their digital communications and how to store data without the fear of anyone snooping in. Encryption is a process of encoding messages so that it can only be read by authorised parties.

What is it?
"A CryptoParty educates people in the domain of cryptography. It's usually about the basics: how to send encrypted email, how to protect your hardware and how to use free and open source software," says Satyakam Goswami, a free software consultant associated with the Software Freedom Law Centre (SFLC), Delhi (remove this). Goswami was one of the 72 participants at the CryptoParty organised on Saturday at Institute of Informatics & Communication (IIC), Delhi University South Campus On June 30, a CryptoParty organised at the Centre for Internet and Society (CIS) in Bangalore had 30 people in attendance. "We were taught about the what, how and who is watching us. We were also taught how to encrypt emails, chat, video calls or instant messaging,” says Siddhart Prakash Rao, a computer science graduate and a free software and open source enthusiast who is about to pursue a Masters in Cryptography.

The topics may be a mouthful for non-geeks but CryptoParty advocates maintain that all this is taught in the simplest way possible. The choice of subject depends on the composition of the group — if it is a gathering of geeks, like at the Bangalore event, then the topics are more technical.

How can it help?
CryptoParties started in August 2012 by an Australian woman (who goes by the pseudonym Asher Wolf) after a conversation on Twitter about The Australian Parliament's new cybercrime bill that allowed law enforcement to ask Internet Service Providers to monitor and store data.
Attending a CryptoParty is a good way to learn how to overcome government snooping legally.

“Citizens should use encryption to safeguard their private communications against both corporations and the government. Encryption is one of the best ways to react to CMS along with increased civic vigilance and democratic questioning of our government and parliamentarians,” says Pranesh Prakash, policy director, CIS, and one of the frontrunners in the fight to formulate a policy to safeguard privacy in India.

"In India, people tend to be rather ignorant. They are not aware of the kind of surveillance they are subjected to once online. It's a lack of understanding," says Sumandro Chattapadhyay, a researcher with Sarai, a programme of the Centre for the Study of Developing Societies, Delhi.

Bernadette Langle, who also works at CIS has been instrumental in organising the handful of CryptoParties in the country. When dna spoke to her, she was on her way to Delhi after participating in the Bangalore event. Langle will also be part of a CryptoParty being planned for October in Mumbai. "Ten years ago, you had to be a geek to be able to encrypt and protect yourself online. Now, you need software and it's much easier," she says.

The advantage is that the privacy tactics taught at such parties is completely legal. All knowledge is in the public domain. “A government will only deny its citizens basic communications privacy if it is authoritarian,” says Pranesh. “So while it can try social engineering and other means to gain access to what you've encrypted, it simply cannot 'decode' it as long as you have chosen a strong pass phrase and keep that protected, or they create quantum computers capable of breaking your encryption.”

The CIS is currently working on revisions of the Privacy (Protection) Bill 2013 with the objective of contributing to privacy legislation in India. Till that bill becomes an Act and till there's a better way to overcome needless government surveillance, attending a CryptoParty could possibly be the wisest solution for those concerned about privacy.

(For more details on CryptoParties, visit www.cryptoparty.in)

How to encrypt:
SMS: Make content secure by using software like TextSecure (Android) or CryptoSMS (Symbian). However, SMS metadata (who you are sending the message to and at what time) can still be tracked.

Instead of Whatsapp, install Jabbir and add off the record encryption.

For email, you can use OpenPGP in conjunction with Thunderbird to encrypt mails you send from Gmail/Yahoo Mail/Live Mail accounts so that even Google, Yahoo and Microsoft can't read them

For web browsing, use a VPN (which will hide your traffic from your ISP), or Tor (which will help anonymise your traffic, but will slow down your connection slower).

For more details visit https://cis-india.org/news/report-dna-july-7-2013-joanna-lobo-geeks-have-a-solution-to-digital-surveillance-in-india-cryptography

DNA Databases and Human Rights

praskrishna — 2012-09-17T05:39:06Z

Using DNA to trace people who are suspected of committing a crime has been a major advance in policing.

For more details visit https://cis-india.org/internet-governance/dna-databases-and-human-rights.pdf

DML 2013 Conference

praskrishna — 2013-03-21T09:48:33Z

For more details visit https://cis-india.org/internet-governance/blog/dml-2013-conference.pdf

Divergence between the GDPR and PDP Bill 2019

pallavi — 2020-02-21T13:05:08Z

For more details visit https://cis-india.org/internet-governance/divergence-between-the-gdpr-and-pdp-bill-2019

Distinguished Fellows

sunil — 2020-07-27T12:50:59Z

Prof. Subbiah Arunachalam is based in Chennai. Rishab Aiyer Ghosh is based at UNU-MERIT at Maastricht. Hans Varghese Mathews is based in Bangalore. Shyam Ponappa is based in New Delhi. Prof. Tejaswini Niranjana is based in Bangalore and Mumbai.

Hans Varghese Mathews

Prof. Subbiah Arunachalam (known to friends as Arun) started his career as a research chemist, but found his calling in information science. In the past four decades, he has been a student of chemistry, a laboratory researcher (at the Central Electrochemical Research Institute and the Indian Institute of Science), an editor of scientific journals (at the Publications and Information Directorate of the Council for Scientific and Industrial Research and the Indian Academy of Sciences), the secretary of a scholarly academy of sciences (IASc), a teacher of information science (at the Indian National Scientific Documentation Centre), and a development researcher (at the M.S. Swaminathan Research Foundation and the Indian Institute of Technology Madras). While working with M.S. Swaminathan Research Foundation, he initiated the South-South Exchange Traveling Workshop to facilitate hands on cross-cultural learning for knowledge workers from Africa, Asia and Latin America engaged in ICT-enabled development.

Arun is on the editorial boards of six international refereed journals including Journal of Information Science, Scientometrics, and Journal of Community Informatics; a member of the international advisory board of IICD, The Hague, a trustee of the Electronic Publishing Trust for Development, and a Trustee of the Voicing the Voiceless Foundation. Improving information access both for scientists and for the rural poor; scientometrics, ICT-enabled development and open access are among his current research interests.

Rishab Aiyer Ghosh is a researcher based in Maastricht. He is an Open Source Initiative board member, the founding international and managing editor of the peer-reviewed journal First Monday, and the Programme Leader of FLOSS at UNU-MERIT. He has undertaken several global, high-profile studies on Free Software. He is a jury member for Global Bangemann Challenge (now Stockholm Challenge Award), a prestigious prize awarded to IT projects with socio-economic impact by the mayor of Stockholm and founder member of the GII Internet Commerce Brain Trust. From 1995–1999, Rishab has worked as an editor at The Indian Techonomist, an analytical newsletter on Indian media and communications targeted at a global audience, an analyst and newsletter contributor for US-based Paul Kagan Associates, and a weekly columnist on Internet society (Electric Dreams). He still writes regularly, with over half a million words published in journals, newspapers and magazines worldwide, from PC Quest India to Wired Magazine, USA. From 2008, he heads the Collaborative Creativity Group at UNU-MERIT.

Shyam Ponappa is a Distinguished Fellow whose work is in the areas of broadband, telecommunications, and spectrum policy, from management, systems, and technology perspectives.

Beginning his career at the State Bank of India, he was a Senior Manager, Management Consulting Services, at Price Waterhouse in San Francisco, M&A Head for Citibank in India, and thereafter managed a partnership doing alliances, business strategy, and financial placements in New Delhi for major international and domestic clients. Subsequently, he was an independent consultant in India and abroad. His experience is in financial placements, M&A, and business strategy for clients in IT, telecommunications, power, oil/energy, airlines, biotechnology, banking/financial services, hotels, shipping, railroads, manufacturing, agri-business, law firms, and retail enterprises.

He has advised the government on public policy since 1990, primarily in telecommunications. As a columnist for the Business Standard, he writes on infrastructure and managing economic reforms (http://organizing-india.blogspot.com). He has an MBA from the University of California at Berkeley, an MA (History) and a BSc (Physics) from Madras Christian College."

Tejaswini Niranjana is presently a Senior Fellow at the Centre for the Study of Culture and Society (CSCS), Bangalore, and Visiting Professor at Tata Institute of Social Sciences (TISS), Mumbai.

At CSCS (www.cscs.res.in), Tejaswini helped set up in 2001 an inter-disciplinary doctoral programme in Cultural Studies, and many of her Ph.D. students have brought Indian language materials into their research and writing. At TISS (www.tiss.edu), Tejaswini is incubating the Centre for Indian languages in Higher Education, which will anchor a multi-institutional programme for Indian languages in higher education, including production of new resources, curriculum strengthening, research training, digitisation and archiving. On the anvil is the creation at TISS of a digital hub for Indian language resources for tertiary education.

She is also Lead Researcher of the Higher Education Innovation and Research Applications (HEIRA) Programme at CSCS (http://heira.in). HEIRA works towards sectoral transformation in higher education, working with private and public institutions to design and field-test new methods for curriculum development, teacher training and institutional change at the undergraduate and post-graduate levels. Tejaswini is co-author of a policy note on quality education in Indian languages, the recommendations of which are now part of the final 12^th Plan document (http://www.ugc.ac.in/ugcpdf/740315_12FYP.pdf).

Select publications are available from cscs.academia.edu. Her best-known book is Siting Translation: History, Post-structuralism and the Colonial Context (Berkeley: University of California Press, 1992). More recently, she published Mobilizing India: Women, Music and Migration across India and Trinidad (Durham: Duke University Press, 2006).

Tejaswini is the Adviser (since February 2013) to the 'Access to Knowledge' programme of CIS and will guide the A2K team in expanding the Indian language Wikipedias and in increasing the number of active editors through strategic partnerships with Higher Education institutions across India.

For more details visit https://cis-india.org/about/people/distinguished-fellows