Centre for Internet and Society

Aadhaar-enabled smartphones will ease money transfer

praskrishna — 2016-08-10T13:33:54Z

With its plans to make smartphones Aadhaar-enabled, the government hopes to provide users a means to do self-authentication and let businesses and banks verify the identity of their clients through their smartphones, a move that could potentially lead the way to a cashless society.

The article by Neha Alawadhi and Gulveen Aulakh was published in the Economic Times on August 10, 2016. Sunil Abraham was quoted.

"Iris and fingerprint sensors are now becoming a standard feature in smartphones anyway, and this requirement will only take a minor tweak to the operating system. Once enabled, people will be able to use phones to do self-authentication and KYC (know your customer)," Nandan Nikelani, former chairman of the Unique Identification Authority of India, told ET, welcoming the government's plan to make smartphones Aadhaar-enabled.

ET was the first to report that on July 27 a meeting between UIDAI, which administers Aadhaar, and senior executives of smartphone-makers discussed ways to allow smartphone handsets let citizens authenticate their fingerprints and iris on the phone to get services. The most immediate use for the Aadhaar-enabled smartphones is the Unified Payment Interface (UPI), the new payment system that allows money transfer between any two parties using mobile phones and a virtual payment address.

"The two-factor authentication in UPI is now being done with mobile phone as one factor, and MPIN as the second factor. But once you have Aadhaar authentication on the phone, then the second factor can be biometric authentication through Aadhaar," said Nilekani. Over time, the idea is to open Aadhaar authentication to third party apps, said another person familiar with the ongoing discussions, who did not wish to be named.

In effect, biometric and iris scan authentication could become one of the permissions a user grants to different third party apps, such as access to camera, contacts, phone book and so on. Handset makers have raised concerns about some security issues on using iris scan for Aadhar authentication. Also, companies such as Apple that have very closed ecosystems, would not be easy to get on board, several people told ET.

"The primary challenge lies in safe storing of the iris scan between the time it is captured by the camera and then sent to UIDAI server seeking authentication," said an industry insider, who is aware of the discussions, requesting anonymity. The proposal for smartphone makers includes a "hardware secure zone" where biometric data will be encrypted and sent out. It will not leave the electronic secure zone without encryption, and every phone doing Aadhaar authentication will be registered in the UID system.

"Unfortunately, from the biometric sensor the data goes to the hardware secure zone via the operating system. Therefore, the biometric data can be intercepted by the operating system before it is sent to the hardware secure zone," said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

"The reluctance to make changes at the vendor level are mainly coming from a desire for control of biometric data for strategic and commercial purposes. Privacy and security are bogus reasons," Nilekani said, adding that both ends - the handset and the Aadhaar database -- will use the highest level of encryption.

Samsung India, which in May launched the Galaxy Tab Iris, a device that uses Aadhaar authentication, said it has taken care that its user's biometric data does not fall into the wrong hands. "We ensure that biometric data is encrypted as per UIDAI specifications in device itself for Galaxy Tab Iris," Sukesh Jain, vice president, Samsung India Electronics, told ET in an email response.

For more details visit https://cis-india.org/internet-governance/news/economic-times-august-10-2016-neha-alawadhi-gulveen-aulakh-aadhaar-enabled-smartphones-will-ease-money-transfer

Community digest: Konkani language speakers are separated by scripts but unite by Wikipedia; news in brief

subha — 2016-08-07T03:11:06Z

Konkani-language Wikipedians on what they think of Wikipedia as a binding factor for native speakers who speak in different variations of the same language and write in different scripts.

This was published on Wikimedia Blog on August 4, 2016

I reached out to a few Goan Konkani Wikipedians to learn about their experience with the project, especially after it went live in 2015. In the interview they share what they think of Wikipedia as a binding factor for native speakers that are currently dispersed in many states, speak in different variations of the same language, and write in different scripts.

Subhashish Panigrahi (SP): Hi The Discoverer [a long time contributor to Wikipedia who is actively contributing to the Goan Konkani Wikipedia], you have been actively contributing to the Goan Konkani Wikipedia since 2006 even before it went live in 2014. What potential do you see in the Goan Konkani Wikipedia bringing Konkani speakers from the states of Goa, Maharashtra, Karnataka and Kerala?
User:The Discoverer (TD): Even though my first contributions were in 2006, I have been moderately active on Wikipedia all these years.

I do agree with you that Konkani Wikipedia has the potential to bind people across borders. As you have rightly pointed out, Konkani is remarkable in that, for the small geographical area where it is a native language, it has developed a large number of dialects, in addition to being used in multiple scripts. Unfortunately, in the offline world, we see that there are disagreements over certain Konkani scripts being favored or not favored in terms of official recognition. Konkani Wikipedia can not only be a platform in bringing together Konkani speakers from many regions but can also be the unifying factor among the Konkani people.

SP: How do think Wikipedia could be a good platform to help unifying the Konkani people?
TD: For Konkani Wikipedia to succeed, it is not just a ‘good idea’ for Konkani speakers writing in various scripts to work together on one Wikipedia, but it’s also a necessity and a challenge at the same time. It’s a necessity, because as things stand, no one script has a strong enough community to run a Wikipedia by themselves. It’s a challenge because not everyone can read every script, and it’s important for all the users of a Wikipedia to be able to understand all the content on that site.

SP: Very rightly spotted. And how do you think the Wikipedia community and the CIS-A2K program should work together to tackle this challenge?
TD: We need an automatic script converter (see the script converter resource page for Konkani on Meta and task on Phabricator) that could make the lives of the editors easier. Most people cannot read more than two scripts. Most users are currently depending on an external site for transliteration when the user cannot read the script used in a Wikipedia article. That’s painful and a user might also would not know about a third party converter. An automatic script converter on Wikipedia would enable people to read any page in the script of their choice in a single click. This is where CIS-A2K can really help Konkani Wikipedia, by helping to implement the script converter. In addition to the script converter, CIS-A2K could also study various multi-script Wikipedias in existence and prepare a list of such features that are used in these Wikipedias to deal with multiple scripts, so that Indian multi-script Wikipedias can consider implementing such a feature as well.

Konkani Wikipedia is facing another challenge right now in growing the community as there are only handful of active editors. And we need contributors from varied walks of life to add more diversity to the community. The boost that was needed initially to make Konkani Wikipedia live—thanks to institutions like Goa University (GU) and Nirmala Institute of Education (NIE) and CIS-A2K for bringing in many student-editors—needs more intensity now. Students from GU and NIE were mainly from the Konkani language and teaching disciplines. If you consider other larger Wikipedias, like the English Wikipedia, they owe their success to editing by people from a diverse backgrounds, and also to the fact that the people are comfortable with the basics of markup and coding and were able to build templates, etc. Today, there is almost no one who is working on templates and other similar technical stuff for Konkani Wikipedia. Here too, CIS-A2K can help by reaching out to Konkani speakers with a background in computing—for instance, students of Bachelor of Computer Application (BCA), Master in Computer Application, Computer Science and engineering. This will help build a community that is technically adept at creating templates and dealing with more advanced types of content for the Wikipedia.

The Konkani Wikipedia can also take advantage of software extensions like VisualEditor and Flow that the knowledge of markup and other technicalities that the user needs to have, so that users who are uncomfortable with editing markup can focus on just adding content with a much more simple and user-friendly interface.

In these ways, participation of people from different regional and vocational backgrounds can form a vibrant editing community leading to the growth of the Konkani Wikipedia.

In brief

WikiConference India 2016 to be held at Chandigarh during August 5–7: The second WikiConference India (WCI) will be held on August 5-7 in Chandigarh, India. After the first WCI in 2011, this will be the largest gathering of the Wikimedians from the Indian subcontinent. A team of volunteers representing several Wikimedia communities across the country and three Wikimedia affiliates—Wikimedia India, Punjabi Wikimedians and Centre for Internet and Society’s Access to Knowledge program—are working together to make this event a success. Over 100 scholarships have been offered to noteworthy contributors from India, Pakistan, Nepal, Bangladesh and Sri Lanka. Various talks, meetups and workshops are planned for the three-day event, and a needs assessment survey has been put in place for ensuring any hackathon needs are addressed.
Punjab edit-a-thon: A month-long edit-a-thon has been running in 12 Indic language Wikipedias and one European language Wikipedia (the Ukrainian) to enrich the content related to Punjab, the Punjabi people, and their language and culture. So far, more than 1000 articles have been created by about 100 Wikipedians. As we have already surpassed the dream target of 1000 articles, we are planning to extend the edit-a-thon through WikiConference India so many can participate during the event.
Campaign for relicensing copyrighted books under Creative Commons licenses: A campaign has been started to relicense Telugu-language books of several noted authors from “all rights reserved” to a Creative Commons Share-Alike (CC BY-SA) license. This campaign was started on June 19 and copyright migration process is complete for 17 books so far. Once the copyright migration is over the books—ranging from historical figures and popular personalities to regional history—are going to be digitized on Wikisource. “I don’t want these works to be in bookshelf and get wasted by termites. My wish as an author and researcher is to make these works available to future historians who can make use of it, so that our people get to know the local history” shares Kanuri Badarinadh, a historian, novelist and journalist who has donated some of his books.
Train-the-trainer and Mediawiki training program for capacity building of community leaders from Indian subcontinent: After two iterations of the Train the Trainer in 2013 and 2015, CIS-A2K organized the third program during June 15-17 at Bengaluru. The Mediawiki training was designed to help groom technical leadership skills of the technical contributors of the communities. A total of 45 participants, that were selected by a collaborative consultation with the community, took part in these events. The trainers for both the events consisted of subject experts from the Wikimedia community, the free knowledge movement, the free and open source software community and CIS-A2K program staff. A series of small Mediawiki trainings will follow soon that will be led by the trained participants.
Indian women in Science edit-a-thon: Organized by IndiaBioscience, a not-for-profit working for research and advocacy on the life sciences in India, this edit-a-thon began with an introduction to the series of Wikipedia edit-a-thons that have been running to expand Wikipedia’s reach on Indian women with contribution to Science. There was a Q&A session Professor Vaishnavi Ananthanarayanan followed by introduction to Wikipedia editing, its policies and guidelines, and brief on copyright, and Creative Commons licensing. 11 new articles were created and 11 existing articles were expanded in English, Hindi and Odia-language Wikipedias.
Indigenous South-Asian language gets a new open Unicode font: A new font for the Ol chiki script (used to write the Santali language) along with input tools are getting ready to be released soon. Santali is spoken by over 6 million people in South Asia over Bangladesh and Nepal and six states in India. This project, supported by the Centre for Internet of India, will help native language speakers type in Unicode across platforms, and also using Universal Language System in all Wikimedia projects.

For more details visit https://cis-india.org/a2k/blogs/community-digest-konkani-language-speakers-are-separated-by-scripts-but-unite-by-wikipedia-news-in-brief

Why experts are worried about Aadhaar-based authentication

praskrishna — 2016-08-07T02:16:29Z

As private companies are increasingly using Aadhaar data, is the privacy and security of personal data really at risk? What do those defending Aadhaar have to say?

The post was published in Citizen Matters on August 2, 2016. Amber Sinha was quoted.

The Unique Identification numbers of Aadhaar card holders are being extensively used by government and private agencies for authentication purposes, as we have already seen in an earlier article.

There are 246 registered Authentication User Agencies in India, both government and private, which are helping organisations and individuals in executing the authentication process. In simple terms, they help the organisation that has placed the authentication request, to confirm the identity of a person during hiring, lending loans or while implementing welfare schemes.

But all does not seem well with the Aadhaar authentication process. Concerns have been raised about the privacy and security aspects and, loopholes in the law.

The amended Aadhaar Bill (now, Aadhaar Act) has a clause that allows the UIDAI to respond to any authentication query “with a positive, negative or any other appropriate response.” This move has drawn a lot of criticism from the activist fraternity. They have questioned the government on framing an Act that places the security and privacy of individual citizens at risk.

Even before the Bill was passed, legal scholar Usha Ramanathan had, in an article published in Scroll.in, expressed concern over private agencies using the Aadhaar database for authenticating the identity of an individual.

“Very little was heard about the interest private companies would have in this information data base. It is not until the 2016 Bill was introduced in Lok Sabha that we were told, expressly, that just about any person or company may draw on the Aadhaar system for its purposes. There are no qualifications or limits on who may use it and why. It depends on the willingness of the Unique Identification Authority of India, which is undertaking the project, to let them become a part of the Aadhaar system,” she wrote.

What’s crucial in the entire process is how the government is allowing private players to use Aadhaar-based information, putting the privacy of Aadhaar-holders at stake. The government is technically allowed to share the Aadhaar information with other agencies, only if the holder has given consent to sharing his information, during enrollment.

The guidelines for recording Aadhaar demographic data states: “Ask resident’s consent to whether it is alright with the resident if the information captured is shared with other organisations for the purpose of welfare services including financial services. Select appropriate circle to capture residents response as - Yes/No.”

In 2011, Citizen Matters had published a report on how people wanting to register for Aadhaar were not asked if they would agree to share their personal information. Citizens seemingly were unaware of the provision for sharing information with a third party and data operators had reportedly not asked them for their consent before marking ‘yes’ for the consent option.

There remains a regulatory vacuum

In less than four months of the enactment of the Aadhaar Act, the number of private agencies using Aadhaar database for identity authentication too has grown long. Amber Sinha, Programme Officer at the Center for Internet and Society expresses concern over the privacy implications that a project of this magnitude would lead to.

“The original idea of Aadhaar was to use it for providing services under welfare schemes. But the Aadhaar Act lets private agencies avail the Aadhaar authentication service. The scope of the Act itself doesn’t envisage sharing the data with private parties, but if any third party wants to authenticate the identity of an individual, they can use the UIDAI repository for the purpose,” he points out.

In the process, Amber says, the CIDR has to send a reply in ‘yes’ or ‘no’ format, for any request seeking to confirm the identity of an individual. The new legislation gives scope for the authorities to respond to a query with a positive, negative or any other appropriate response.

“The Aadhaar enrollment information includes demographic and biometric details. So at this stage, we do not know what that “other appropriate response” stands for. Further, while there are requirements to take the data subject’s consent under the Act, there is lack of clarity on the oversight mechanisms and control mechanisms in place when a private party collects information for authentication. The UIDAI is yet to frame the rules and the rules will probably determine this. Until the rules are framed, some of the issues will exist in regulatory vacuum,” Amber observes.

Under the current circumstances, Amber says, the responsible thing to do for UIDAI is not to make such services available until the rules are framed.

But why has the Authority then started the authentication process even before the rules have been framed? Assistant Director General of the Authentication and Application Division of UIDAI, Ajai Chandra says the rules when framed will have retrospective effect, from the date the Act was enacted.

Activists have also questioned the UIDAI for allowing private agencies to use and authenticate Aadhaar data, when the Supreme Court has restricted the use of Aadhaar. In its last order dated 15 October 2015, the Apex Court allowed the government to use Aadhaar in implementing selective welfare schemes such as PDS, LPG distribution, MGNREGS, pension schemes, PMJDY and EPFO. It makes no mention about the UIDAI using the Aadhaar data repository to provide services to private agencies.

“When the Supreme Court has restricted the use of Aadhaar number to a few specific government programmes only, how can UIDAI allow the data to be used for any other programmes, let alone by private agencies?” Amber asks.

In a very brief conversation, Reena Saha, Additional DG, UIDAI told Citizen Matters that UIDAI was acting as per the Supreme Court’s order dated October 15th. “We aren’t sharing the data with private agencies,” she said.

‘Authentication happening only with consent’

Srikanth Nadhamuni, CEO of Khosla Labs - a registered Authentication User Agency, who was also the Head of Technologies at UIDAI, rejects the accusations on the security aspect, saying that the authentication system is completely secure and foolproof.

“We have made a secure system so that there is no man in the middle taking the biometric information. The biometric information shared on the application is encrypted and neither the AUA nor the Authentication Service Agency (an intermediary between the AUA and the CIDR) can open it. Both the AUA and ASA will sign on the packet and forward it to the data repository as it is. There is no way that we can figure out what is inside the packet. Once the request reaches the data repository, they will unlock the signatures, run the authentication and reply in ‘yes’ or ‘no’ or with an error code,” Srikanth explains.

ADG Chandra says that at present the CIDR is replying to authentication requests in an “yes/no” format. “We aren’t sharing the data with any agencies. Upon receiving the request for authentication, be it demographic, biometric or one time pin (OTP), a notification is sent to the registered mobile / email address of the Aadhaar holder,” he says. So if the Aadhaar holder has changed the address, phone number, email ID etc after Aadhaar enrollment, he/she should update the data with UIDAI by placing a request online or through post. This will avoid any confusion that may occur during the authentication.

Ajai Chandra further clarifies, “the private agencies seeking authentication (the Authentication User Agency) are not given direct access to the database. On receiving the request, the intermediary Authentication Service Agencies first examine the format of the authentication request. The request is forwarded to the CIDR only if it complies with the format.”

Apart from authentication, the eKYC (Know Your Customer) option also allows companies to retrieve eKYC data of the Aadhaar holder. This data includes photo, name, address, gender and date of birth (excludes mobile number and email ID). But in this case too, “eKYC data can be retrieved only with the consent of the Aadhaar card holder, the person has to be adequately informed about the retrieval and the data cannot be shared with a third party,” says Chandra.

Though Aadhaar Act allows the UIDAI to perform authentication of Aadhaar number, subject to the requesting entity paying the fee, UIDAI at present is providing the service free of cost. “We will provide free service till December 2016 and may levy the fee thereafter,” the ADG says.

For more details visit https://cis-india.org/internet-governance/news/bangalore-citizen-matters-august-2-2016-akshatha-why-experts-are-worried-about-aadhaar-based-authentication

WikiConference India 2016

praskrishna — 2016-08-07T01:35:50Z

WikiConference India 2016 is an event to provide a common platform for all Wikimedians in India to meet and share their views, discuss challenges and exchange useful tips, best practices and other information. The Conference is open for participation of Wikimedians from all nations, and will be taking place on the 5th, 6th, and 7th of August 2016 at Chandigarh.

The Conference has a very distinct Indian flavor and deals primarily with issues relating to India on Wikipedia and its sister projects.

The main objective is to reduce the gap between different communities and get help from other community members on technical issues and other things like best practices in decision making and how we resolve the disputes in the community.

Guests

Katherine Maher, Executive Director, Wikimedia Foundation
Nataliia Tymkiv, Board Member, Wikimedia Foundation
Asaf Bartov, Senior Program Officer, Emerging Wikimedia Communities, Wikimedia Foundation
Runa Bhattacharjee, Manager, Language Engineering Team (International), Wikimedia Foundation
Dr. Surjit Patar, Punjabi poet and writer
Tighe Flanagan, Senior Manager, Wikipedia Education Program, Wikimedia Foundation
Sunil Abraham, Executive Director, The Centre for Internet and Society
Yohann Varun Thomas, President, Wikimedia India
María Kreuz, Communications and Outreach Coordinator, Wikimedia Foundation

Social Media Campaign

Facebook event page - https://www.facebook.com/events/146258892472025/ (More suited for conference participants only)
Facebook Page - https://www.facebook.com/WikiConferenceIndia2016
Facebook group - https://www.facebook.com/groups/WikiConferenceIndia2016/
Official Twitter Handler - https://twitter.com/WikiConIndia
IRC Channel - #wikiconferenceindia

More Info, click here

For more details visit https://cis-india.org/a2k/news/wikiconference-india-2016

An India Where the Disabled have a Choice

praskrishna — 2016-08-06T17:06:38Z

The Roundtable on Digital Access to the Disabled held in Bangalore brought forward many issues related to the topic. Dr. Nirmita Narasimhan, Policy Director, Centre for Internet and Society speaks to Dr. Archana Verma about the problems faced by the disabled while using technology. Being herself partially visually impaired, this is an interview from an expert as well as the personal experiences of a person from the disabled group.

This interview was published in Dataquest on August 5, 2016.

Q-Please throw some light on the issue of the inaccessibility of mobile apps to the disabled, since these have become essential for independent living today.

While mobile apps are fast becoming the preferred and often the only way to access services, these remain unavailable to a large section of the Indian population living with disabilities. This is because they are not designed in a way which conforms to standards of accessibility and cannot be used by persons using assistive technologies such as screen readers. Apps such as Ola, Uber, Big Basket, Make my trip, Flipkart, Myntra and most others are not completely accessible. The inaccessibility varies from total inaccessibility, where the screen reader remains absolutely silent and is unable to give any information to the user opening the app, to partially inaccessible, disallowing persons using screen readers from accessing complete information or from completing transactions. For instance, if one opens Flipkart, one hears a button labelled home page banner and then the screen reader just keeps saying button for whatever is pressed, without being able to give any information on what the buttons are for or what is written there. Similarly, if one opens Myntra, one doesn’t hear any information at all, just a series of clicks, at one point one hears buttons labelled for man, for women, for kids and then when one presses any of those, one is again greeted by complete silence. The Big Basket app also has problems such as unlabelled buttons and fields and makes it difficult to carry out transactions such as changing the quantity, changing the address etc.

It is rather sad that the IT industry fails to realise that persons with disabilities, a group which is the world’s largest minority and account for a very large percentage of our population can potentially be amongst the biggest consumers of these ICT products and services. Consider before the advent of technology, a blind person could not read mainstream books and newspapers, work in routine office environments, shop alone or pay bills, file returns etc. on his/her own. Now, when everything can be done on line and there is technology which can read out and assist blind persons to use computers/ phones themselves, they offer the opportunity to negate the limitations of disability. However, this is not happening because products and services are not designed and developed in compliance with standards of accessibility and universal design, resulting in them being ineffectual or useless for persons using assistive technology. If the apps and websites conform to accessibility standards, Developers need not test their software against each and every disability, which can get understandably complicated, they are automatically accessible to persons with different disabilities in one way or another.

While accessing necessary services and information itself is challenging and often impossible for the disabled, the ability to access and enjoy games like other people is completely beyond imagination, not even something one could dream of said a friend of mine. I asked my friend Dinesh Kaushal, an accessibility expert who heads development of NVDA, an open source screen reader for the blind in India what his experience with the new gaming app Pokemon Go was, which is all the rage nowadays and he said that it was completely inaccessible. There is absolutely no information on the game screen and the Android screen reader Talk Back is absolutely silent. And this according to him this is not uncommon in many gaming apps.

Q- Highlight some of the problems related to the inaccessibility of websites and content to the disabled.

Web site inaccessibility very often hinders a person using assistive technology from accessing information on the internet. A web site can be inaccessible for different persons because of different reasons, depending upon the disability. However, this can be solved by compliance with standards. Inaccessibility of websites also hinders accessing content on mobile phones or affects persons with limited bandwidth or elderly persons.

While progress is being made to make government web sites accessible, this has not yet been completely achieved. In addition, web sites of important services and organisations such as banks, health care, education etc. are often inaccessible. Often a person using a screen reader may come across an important document which is an image file and cannot be read by the screen reader or a deaf person cannot enjoy an audio visual clip because there are no sub titles. Web sites with frequent flashing and flickering, constantly changing pages, images without descriptions and unlabelled form fields and headings, audio visual media content without subtitles, image files of documents without alternate accessible format options continue to populate the Internet. Unless web site accessibility is taken seriously and is treated as a non-negotiable ingredient of a contract for web site development and maintenance, the Internet will continue to be inaccessible.

Q- Can you enumerate the policy and guidelines requiring web site accessibility and the large spread of non-compliance with them?

Although most transactions happen online today, the fact that websites do not conform to universal standards of accessibility render them unusable by persons with disabilities.
The World Wide Web consortium has had accessibility standards for web site accessibility for over a decade now and these have been adopted by many countries around the world. This standard is known as the Web Content Accessibility Guidelines (WCAG) 2.0. India also notified the Guidelines for Indian Government Websites (GIGW) which borrows from the WCAG 2.0 to ensure that government websites are accessible. The National policy on universal electronic accessibility was notified in October 2013 and requires conformance to standards of accessibility. It mentions W3C standards such as WCAG 2.0, ARIA and ATAG and identifies procurement as a route to make electronic infrastructure accessible. It also identifies strategies such as awareness raising, training, research and development of assistive technology as vital to implementation of the policy and allocates different roles to different stake holders, including to ministries, departments, private organisations, etc. Other commitments are to be found in the accessible India and digital India campaigns, commitments under the UN Convention on the Rights of Persons with Disabilities (UNCRPD) which requires government to make all ICT and Internet available and accessible to persons with disabilities and encourage private service providers to make their services accessible, Access to ICTs are also covered under the goals of the Incheon Strategy to make the rights real for persons with disabilities.

Q- Give us some information about the work of the Centre for Internet and Society (CIS) in the realm of the digital and technological accessibility for the disabled.

We are an eight year old organisation. Our accessibility programme works in multiple ways, which include the following –

(A) Policy research and advocacy (initiating and contributing to new and existing policy discussions to bring digital accessibility on the agenda: We started our work on 3 issues:

(a)Website and electronic accessibility – We produced research on what different countries have in terms of policies, guidelines and measures to promote website and electronic accessibility and worked with the Department of Electronics and information technology (DEITy) to formulate the National Policy on Universal Electronics accessibility which was notified in 2013. We also serve on the Implementation committee.

(b) Getting an exception into the Indian Copyright Act to allow conversion of books and other copyrighted works into accessible formats without the need to get permission from copyright holders. We provided research to MHRD on what other countries have in terms of copyright exceptions to promote access to published works for persons who are blind, have low vision or other print disabilities, we carried out a right to read campaign around India, provided submissions to the standing committee and finally were able to positively influence, along with other NGOs, the amendment to the Copyright Act in 2012.

(c) Aiding the negotiation of a Treaty at the World Intellectual Property Organisation which would facilitate international sharing of books for persons with print disabilities. We attended the negotiations at Geneva from 2010 and are a permanent observer there now, intervening and providing research advice on various issues. The Marrakesh Treaty to Facilitate Access to Published Works for persons who are blind, visually impaired or otherwise print-disabled was concluded in 2014 and India was the first country to ratify it. The 20 ratifications required to bring the treaty into force just got concluded on June 30th 2016 and the treaty will come into force from 1st September 2016.

(d) We also worked with the Universal Service Obligation Fund of India to launch a pilot scheme to fund projects for persons with disabilities in rural areas.

(e) Apart from the above, we have produced global reports with international partners like the International Telecommunication Union and G3ict on topics such as mobile accessibility and produced research which we sent to relevant government agencies on topics such as banking and financial inclusion, emergency and disaster management for persons with disabilities, accessible broadcasting and so on.

(f) We are implementing a project to develop text to speech for several Indian languages using an open source speak synthesiser called e-Speak and enhanced working of NVDA an open source screen reader which works with English and other Indian languages. We have also carried out several trainings on this software around the country.
We also provide advice to governments and organisations in other countries on ICT accessibility related issues. We have also organised trainings on web accessibility and other topics as may be required.

Q- What kinds of challenges are faced by the CIS in its work?

Limited resources – very few donors fund the kind of work we do although no one denies the criticality and usefulness of it. Neither do we fall within the bracket of a traditional organisation serving persons with disabilities, nor is accessibility as marketable a topic as say something like privacy and cyber security, hence to have a team which can actively carry on this work of research and advocacy, constantly responding to policy developments, attending meetings is very difficult and we are not able to do the kind of work we want.

Q- What kind of vision of empowerment would you propose for the disabled through digital accessibility? How can this vision be achieved?

My Vision- Every person with a disability in India is able to access the Internet, content and facilities through an ICT enabled device, be it computers or phones; where this access is unhindered by barriers and is instantaneous, not retrospective. Further, I speak for an India which is inclusive in the complete sense, i.e. accessibility standards are part of mainstream standards and Universal Design is the standard approach to creations and developments of all kind and not where separate considerations need to be made for the disabled on specific products and services. Where a person with a disability has a choice, as do the other citizens and not where they are given an option; they have access to the world at the same time on the same terms; where there is true equality and we live a life with dignity and pride.

How Can We Achieve It?

India has already taken certain steps to show her commitment to accessibility –

We have ratified the UNCRPD, are part of the Incheon Strategy to make the rights real for persons with disabilities and are in the process of passing a new Rights of Persons with disabilities legislation. We also have a National Policy on Universal Electronics Accessibility, Guidelines on Government Websites, the Accessible India and Digital India campaigns and the Smart Cities Mission. There is ample opportunity and scope for ensuring accessibility is implemented to give complete effect to these. Some of the areas where action can be taken include:

1. Web site accessibility should be taken up immediately since it affects access for all on using different platforms. The plan can identify number of web sites and different stakeholders and the time lines by which they are required to make their web sites compliant. Both self-certification as well as regular audits should be carried out to check for compliance.

2. Public Procurement is another critical tool in the hands of the government to ensure that all public infrastructure and all facilities/ resources/ products/ services procured out of public money or for the consumption/ use of the public should be made accessible. This is increasingly being adopted in countries around the world. India has a draft procurement bill, several organisations serving the disabled have given a request for the inclusion of accessibility considerations within the procurement bill, we hope they will be taken seriously. By including compliance with accessibility standards as part of performance criteria in all government contracts and calls for proposals and contracts for development and maintenance of products and services, we can ensure not only that web sites etc. become accessible, but that competence is generated in the market to create and market accessible products and increase choice in the market for persons with disabilities.

3. Government ensuring that accessibility requirements are integrated in all government schemes and programmes and accessibility should be considered no longer a matter of choice, but of necessity. There are budgets for different ministries and agencies, there should be a mechanism to evaluate that all the budget set aside for meeting the needs of persons with disabilities are expended meaningfully and not accumulated or go back to the main kitty unspent. There should be proactive disclosure on the part of all government agencies on their spending on accessibility/ disability and they should solicit advice from persons with disabilities and accessibility experts who are part of the committee to review budget spending.

4. Development of appropriate technologies- we need to ensure that enough resources are pumped towards creating our own research and development community to support development and maintenance of assistive technology that caters to needs of specific groups. Open source solutions are desirable for a country like India because of the opportunity they offer for deployment, customisation and improvements.

5. Accessible Smart Cities- The Smart Cities Mission should immediately ensure that their advisory panel includes accessibility experts and that the smart cities which emerge as part of this initiative are inclusive- this is the ideal opportunity to build an accessible city, universal design should be the basic principle on which these smart cities are developed; if this is not done, then there will always remain two worlds- one for the world at large and one for persons with disabilities, and the disparity between the two will always continue.

6. Finally the most important advice I would reiterate is the inclusion of persons with disabilities across all work of the government – only then will the accessibility perspective be represented and taken into account everywhere. Otherwise we may have a situation where accessibility is either missing, or where projects are being implemented to aid the disabled, which are totally meaningless or inappropriate and only serve to waste precious resources, time and effort.

Q- What measures do you suggest for making digital accessibility available to the disabled people across the divides of class, gender and more developed and less developed regions?

Digital accessibility should be implemented at the levels of content, user interface and end user device. Hence accessibility of documents and information on the Internet should conform to standards of accessibility, such as EPUB 3.0, html etc.

User interface-WCAG 2.0 for websites is a must for any device to function effectively. Assistive software must be completely accessible. For instance, it is not uncommon to find that an ATm which is termed ‘accessible’ actually needs the input of a sighted person at some stages of the transaction while some other points are completely prompted through audio. In such a case, the blind still cannot use this.

Schemes under the USOF and others may be used to provide devices and connectivity to persons with disabilities in rural and far flung areas and also targeting specific user groups such as women. For instance a project under the USOF to promote women entrepreneurship in rural areas by providing them with a mobile phone can easily be replicated for disabled women. They could be funded for initiatives such as operating public internet kiosks or public phone booths etc. Schools in villages could be provided with computers fitted with assistive technology (hardware and software as may be required) s that disabled children and teachers have access and exposure to technology.

Providing mobile phones to all persons with disabilities will go a long way to open up the world of books, information, communication and access to emergency services to persons with disabilities.

Common Services Centres throughout the country are an excellent way of reaching persons with disabilities and providing them access to technology. By providing assistive technology on computers there, which is not at all inexpensive if one were to use free and open source software such as the NVDA screen reader and one trained person to impart training to the disabled, who can also be a person with a disability, we can make a lot of progress in terms of both building trained capacity and providing access to technology for persons with disabilities. Private employers and organisations also have a critical role to play in promoting accessibility for the disabled.

For more details visit https://cis-india.org/accessibility/news/dataquest-august-5-2016-an-india-where-the-disabled-have-a-choice

The largest Wikipedia gathering in South Asia kicks off

subha — 2016-08-06T17:11:39Z

Wikimedia Conference 2016Wiki Conference India 2016 (WCI), the largest gathering of contributors to Wikipedia and its sister projects in South Asia, will be held during August 5-7 this year in Chandigarh, India.

This was published Opensource.com on August 5, 2016

The first iteration of this event was five years ago in 2011. The event is focused around South Asian language Wikipedias and Wikimedia projects. Hundreds of participants, including over 100 scholarship holders from India, Pakistan, Nepal, Bangladesh and Sri Lanka, will participate in this three-day event. A team of volunteers representing several Wikimedia communities across the country and three Wikimedia affiliates—Wikimedia India, Punjabi Wikimedians and Centre for Internet and Society's Access to Knowledge program—are working together to make this event a success.

Several Wikimedia project and program-related talks, meetups and thematic workshops, focused on technology, program design, volunteer leadership building and engagement, gender gap in Wikipedia, global reach, and education, will keep the participants occupied. There will be separate technical tracks, which were chosen from the results of a pre-event needs assessment survey to ensure that community needs are met. Prior to the conference, a month-long edit-a-thon has been running in twelve South Asian language Wikipedias, and one European language Wikipedia (Ukrainian Wikipedia). The focus of this sprint was to expand the content reach of Wikipedia on Punjab, Punjabi people, and their language and culture as the event is happening in Punjab. So far, more than 1900 articles have been created by about 150 Wikipedians, and the edit-a-thon will be also running during the conference to keep the option of creating more articles open to the participants. Some of the guests includes Wikimedia Foundation's board member Nataliia Tymkiv, the organization's newly promoted executive director Catherine Maher, Punjabi-language poet Surjit Patar and Internet freedom advocate and Centre for Internet and Society's Executive Director Sunil Abraham.

As compared to the last WikiConference India, this conference has more thematic focus, especially on challenges like the gender bias on Wikipedia, and emerging projects like the Wikipedia Education Program. There are as many as six presentations related to gender gap, and six more related to education program.

There has been constant engagement on both on Facebook and Twitter with the hashtag #WCI2016. Some of the most-used basic phrases in the Punjabi language have been recorded and shared to the participants from outside the region to communicate with the locals.

For more details visit https://cis-india.org/a2k/blogs/opensource.com-subhashish-panigrahi-august-5-2016-largest-wikipedia-gathering-in-south-asia-kicks-off

WikiConference India 2016 Starts Friday in Chandigarh

praskrishna — 2016-08-05T01:48:32Z

India, a key growth area for Wikipedia, is gearing up for a national conference "for Wikimedians in India to meet and share their views, discuss challenges and exchange useful tips, best practices and other information".

First published by Indo Asian News Service was mirrored on NDTV website on August 4, 2016. Sunil Abraham will be participating.

While the conference is open to "Wikipedians" from across the globe, organisers announced here that it would have a "very distinct Indian flavour and will deal primarily with issues relating to India on Wikipedia and its sister projects".

Wikipedia, founded in 2001, is the world's sixth-most popular website in terms of overall visitor traffic. Its worldwide monthly readership totals almost 500 million.

Since 2011, the Wikipedia has been working to expand its growth in India, and it held its first Indian conference in Mumbai in November that year, which was attended by 700 persons and addressed by website founder Jimmy Wales.

This year, the meet takes place from August 5-8 in Chandigarh, the city and a Union territory of a million population that serves as the capital of the states of Punjab and Haryana.

"The main objective is to reduce the gap between different communities and get help from other community members on technical issues and other things like best practices in decision making and how we resolve the disputes in the community," the organisers said.

Those attending including Wikimedia Foundation executive director Katherine Maher, board member Nataliia Tymkiv, senior programme officer for emerging Wikimedia communities Asaf Bartov, language engineering team international manager Runa Bhattacharjee, Punjabi poet Dr Surjit Patar, and Wikipedia education programme senior manager Tighe Flanagan.

From India, participants will include The Centre for Internet and Society executive director Sunil Abraham, and Wikimedia India president Yohann Varun Thomas.

This event includes "hackathons" and "edit-a-thons" - collective workings towards improving the content available online. It will also see sessions on the Wikimedia movement in India, examples of its use in education, innovative tech solutions from India, content translation, a "gentle introduction" to Wikidata, gender gaps, and case studies from various Indian languages.

Participants are coming from the Wikipedias in languages including Punjabi, Kannada, Odia, Tamil, English, Bengali, Telugu, Malayalam, Urdu, Sindhi, Hindi and Chinese.

Because of its widespread popularity - and contrary to fears that a website "anyone" can edit will not have quality - the Wikipedia notches often among the highest results when information is searched for on the world wide web.

It is a project supported by the Wikimedia Foundation and based on a model of "openly editable content". As the site explains: "The name Wikipedia is a portmanteau of the words wiki (a technology for creating collaborative websites, from the Hawaiian word wiki, meaning quick) and encyclopedia."

For more details visit https://cis-india.org/a2k/news/indo-asian-news-service-ndtv-august-4-2016-wiki-conference-india-2016-starts-friday-in-chandigarh

101 Ways of Starting an ISP:* No. 53 - Conversation, Content and Weird Fiction

Surfatial — 2016-08-03T12:47:31Z

This essay by Surfatial is part of the 'Studying Internet in India' series. It argues that the internet has created a space for philosophical questioning among contemporary Indian participants which can develop further, despite common assertions that online spaces are largely uncivil and abusive. It actively explores how anonymous and pseudonymous content production may offer a method for exploring and expressing the internet in India, with a certain degree of freedom, and how spam-like methods may prove effective in puncturing filter bubbles.

* ISP stands for Internal Surface Provider.

Mainstream institutions for learning, as we see them, are not concerned with the substance and gravity of the present moment [B1]. The professing of experience to aid learning or skill development is largely a perverted claim. There is no actual intention of enabling, nor is there even a desire to personally experience any immersion or penetration [B2]. Added to this is the spectre of commodification of experience and learning today, where education has turned into a consumer product. The ivory tower of aloofness is too comfortable to deviate from. The institutionalisation of aloof posturing and the masks of professorships are too smugly fitting the exhausted bodies of those running the ship.

Academics are like fruit on an inaccessible tree. It is there, but we cannot eat it. The moon is spoken of by poets and lovers because it is so far away and experientially inaccessible. Love is a stream and will never be in a state of harmony forever. It will remain tumultuous and rocky like the sea into which an asteroid has just fallen.

We observe that disinterest in engaging in the immediacy of our continuing experience invariably leads us to holding on to selective bits while the rest passes. These selections then get shaped into some semblance of narratives. But how do we talk about the experience of the moment or even acknowledge the presence of what has not been selected? How does an individual’s perception and response direct to a better understanding of experiences that can harbour empathy?

When telephones get cross-connected, we hear voices that do not belong to the conversation. What if these voices were to become a part of the conversation? We can talk to strangers. We don’t really need to talk about anything in particular - we can just get used to each other’s voice.

Surfatial is concerned with knowledge production and has been exploring the format of conversations both online and offline as a space to perform personally experienced sequences of knowledge, and talk about these to others. Somewhere in this process learning emerges. We are currently seeding a platform for the sharing and dissemination of alternate pedagogies and self-woven visions of the world. This desire responds to academia's hangover with the past and its inability to instil processes and incubate practices that can help students in a continual production of content.

Narrative is processed from raw experience and so it is more easy to deal with than the complex mass of experience.

Harnessing Anonymity

The internet offers you a morphing cloak - you can be selective about your identity, you can be online with selective vision and selective speech [B3]. What do you choose to see online? What do you choose to reveal? And how much? [B4] If you wear the cloak that covers you altogether, are you truly anonymous, or could it be that your true self leaks out as you put your hands against your eyes in an attempt to hide yourself?

Think about a day when you want to say something and you feel that the Internet feels like too distant a medium. The Internet is so close to us, so intertwined in our lives that the perception of distance feels like a make-believe construct.

Anonymity has potential to offer a voice to the invisible identity, the silenced perspective, the overlooked persona, the taboo desire. Could it also be harnessed for accessing and expressing that which is experienced in the present? Could anonymity be that filter which stands with the least amount of obstruction to experiencing the present as it unfolds, does it offer that means to experience more freely?

Why are you online? What are you looking for online? What do you see? How does a visually impaired person experience the internet? What does that feel like? And then, what do you say online?

From awkwardness and discomfort as the minimum level of experience, we are moving to anger, disinterest and boredom [B5]. This social reality is being exacerbated by the manifestation of our realities on the internet. Anger is a mode of communication that rejects existing content in the pipeline and allows a relentless push mode of transmission. Disinterest is a lack of empathy that we are privileged to employ, while, at the same time, displacing and dismantling existing systems of falsehood and decay that are populating the system. Boredom is disengagement that comes from an immunity to words that don't mean anything - floating in the air, timed to music or masquerading as knowledge.

If we keep an open mic near a flock of passionate birds, will the flapping and other sounds become a cacophony to form an interesting soundscape? Do birds become conscious of an open mic?

Surfatial works for the frustrated seeker, seeking nourishing clarifying content on the internet. The internet has become a shopping mall, but this doesn't mean that we can't walk around and talk to people.

What to do? How to act? What to produce? What should the lost and wandering tribes of the world do to express with diversity? Is there some secret pathway to knowing what to do that is only accessible to deviants?

Production means to render an output, from the flux that we encounter in our experience. We can also choose not to produce but then we end up with a mass of material and no narrative.

Does deviation from the norm guarantee some kind of clarity? Why can't ordinary people know? Why do they have to be inspired and awakened and creative to know? Is there nothing that flows in the narrow channels of propriety?

Deviation does guarantee a unique pool of content being made for us to access. But the question is how this access is setup for a kind of secondary process - one that is possible only after the ordinary has been dealt with and has led to something. Deviant content leads us further away from the sugar-coated annals of the plain world that is meant for mass-consumption.

We live in echo chambers online and off. An infrastructure needs to be in place for the flow of a lubricant [B6] within echo chambers so that the conversation in the closed loop becomes smooth enough, and when a disassociation from the self or a disparate viewpoint happens, it is less painful. The echo-chamber becomes the social space when multiple levels of echoes are able to inter-mingle in ambiguous contexts and containers.

If we were not productive beings we would not be able to deal with ourselves. We would be strangers to our own legacies.

Spaces for Speculative Content Production

Surfatial offers an online stage for self-enactment, where there can be friction without producing sparks. As a producer of assembly line infrastructure around access to knowledge, we find denial very useful. Denial of identity, denial of social constructions, denial of expected modes of speaking in conversations. We find that we create even the room for conversation around the need for alternatives after allegiances have stopped being in existence.

The internet is not a pool, it is a cesspool. Everyone who is trying to navigate the space feels stuck and lost. So we avoid navigation and jump from node to node in order to escape from the boiling cesspool that gets too hot if we remain in the same place for a long time.

When the shadows of dependencies on systemic corruptions have disappeared the real possibility of ‘being’ arises. We care about this possibility. We are making access to knowledge universal, since access based on the question of privilege and capacity sets a very low bar for conversations in terms of what is allowed to be spoken, which directions of verbal exploration are politically acceptable, and who gets to abuse whom with which epithets. We are concerned with formats that are open to every participant’s perspective equally and their individual approach to contributing to the collective voice.

The play never ends. Laugh at yourself
Seek a new denial... the shift of power is a natural process.

Anonymous and pseudonymous forms of content production offer a method for exploring and expressing with a certain degree of freedom. How free we feel depends partly on how free we are allowed to feel [B7], and depends in equal parts on the level of our own disinhibition. Through degrees in the opening up, passionate potentialities are demonstrated.

Who are you? And who are we? We do not know, we are nobody at all sometimes and then we wake from our slumber and feel like doing something again.

Anonymity is a double edged sword. Can virtual freedom of expression lead to any insight that can transfer into real life interaction? How difficult is this jump from virtual to real life? Virtuality has evolved beyond the world of simulation, where it is now possible to experience multiple mechanisms of meaningful relationships with people. We believe there is a level of balance between virtual and physical engagements that can be struck in order for bringing one closer to a semblance of self-realisation.

Why do players choose anonymity, if they do? Fake profiles sometimes are an expression of a desire to play. Those who play can succumb to joy. Joy becomes a tempting emotional state. The more joyful you are, the more comfortable you feel in any garb. This could be a liberating experience, when the blurring of identities occur.

“Putting aside the baggage of ego and identity has a freeing effect on which part of our persona we express.”
— Mithya J., a fake profile on Facebook.

Harnessing pseudonimity

Being playful becomes possible if role-play and make-believe are accepted as valid forms of narrative ploy with a functional purpose in the everyday. The role assumed during play sometimes becomes more enjoyable than the dry person of absolute dimensions. As the rules of play are adopted, disassociation and immersion happen. The player has a choice to deny their outside-play persona and remain fully entrenched in the dynamics of play. This denial helps in the player’s engagement with our system of accessing knowledge. If the gravity and consciousness of your plain existence is lost, then communicating with you becomes easier. In short, your shadow becomes what you could never become. The being and presence of your playtime persona are much stronger than what you can ordinarily muster. In our space, you get to deny the world outside play and conversely render your world as play.

“being fictional is you without your physical being. If we take away the physical beings from this world, we are left with imagination, ideas and their interpretations.”
— Raavi Georgian, a Facebook user.

The garb of comedy allows you to listen with a certain distance. The Indian internet landscape is no stranger to this choice of presentation. Several personas dot the scene, there is Norinder Mudi, there is Gabbar Singh or the Cows of Benaras. In an era of cathartic sharing, where all manner of mental chatter finds channels of expression, comedy can be a balm for controlled experiments in taking potshots at sociopolitical power structures. Some platforms incentivise identity in order to legitimise the online experience, for instance, Facebook seems to place a premium on profile pictures by giving them a default public setting, and the user-base is advised by sundry guidelines about the “perfect profile pic” to adopt clear frontal images for maximum effect. Others have a policy of anonymity, like Reddit.

Forget who you are. Just be someone else.
And then you can be the one,
Holding the mic in your hand.

The existing mechanism of algorithms make it seem like there is free and open access to information, even customised for the user’s convenience. But this customisation in fact filters information based on working out the user’s bubble. One way to beat the bubble is to role-play. This would require receivers to adopt pseudonymous/ alternate roles to have access to content outside of their own filters. A loosening of the self can expand the algorithm.

Loosening of the self is a safe idea. The ideal is to have no cognisance of one’s identity. The network converts you into an IP - an anonymous VPN blurs your IP, nobody knows who you are. Behaviours found in the online community show that there are several aspects of blurring in identity and the presentation of information.

Harnessing disinhibition

Disinhibition is not necessarily rendered as a condition of the external ecosystem (physical and virtual ecosystems). It has more to do with the actor’s persona and how she has framed and declared her persona. What is the pitch of the actor’s voice? What does it say? What kind of response becomes necessary?

The opportunity for denial emerges from the confidence gained from play. If random social play does not cause huge rescissions of norms and contracts already in place, its extension to become a fundamental behavioural pattern changes nothing.

We will convince you that when we step on your toes and snap back at you in response to your idiotic and subservient social conduct, we are just playing. And if you accept it, then we can tell you the harshest and most unpleasant truth about you on your face and get away with it.

Surfatial designed a conversation game called flip & blip [A2] which has the objective of enhancing empathy and sociability, via role play and assuming personas. The purpose of role-play is to help people step put of themselves and play out situations through alternate lenses. In any situation, how does another feel? [B8] We are either intuitive, or we are clueless. This game opens up the space between. It uses question cards and persona cards as triggers to present scenarios to the players. The goal was to have a conversation while wearing a persona, and then to have the same conversation while being oneself. The players then reflected on the occurrence of any shifts in perspective during this process [B9].

A game is a format for play that has rules [B10]. Even while these rules are very important, sometimes it becomes possible to play with them. The extent to which we enjoy the game depends on our interpretation of these rules. Now, socially acceptable rules of conduct are considered to be good behaviour. And if our physical social lives are viewed as some kind of a game with rulesets and interpersonal protocols of engagement (a game with heavy consequences for not playing by the rules), perhaps our online lives offer that outlet for exercising freedom from this oppressive structure, and perhaps the freeing online experience can translate into incorporating playfulness into strict routine interactions?

“Human social structures built upon transactional attitudes don't have space for free expression, since free expression means disregarding façades and notions of "propriety" as well as hierarchy"
— Mithya J., a fake profile on Facebook.

Access might supposedly require a filtration system. But we are opposed to the construction and use of filters. We are of the opinion that we need to be able to access the core content directly - no envelopes, no braces, and no reduced-sets. People fear dealing with the naked world because they fear engagement, immersion and getting overwhelmed, while at the same time craving first hand knowledge, craving a removal of gatekeepers who shield them from the naked truth using agenda-coloured filters.

Surfatial has been working with several formats for harnessing anonymous content production and for playful engagement, via our structured study groups that actively discourage the elaboration of direct personal identification. The emergence of individual identities occurs only through the exchange of perspectives during conversation [B11].

The study group derives itself from a group of individuals who are interested in remaining sharp as a group. The group’s concern will always be to aid others as well as itself by challenging every perspective that seems superfluous.

Our study groups

Our study groups [A1] are webinars hosted on Google Hangouts on Air, with a framework of philosophical questioning and a self-reflective exchange of individual experiences. These are structured conversations that are completely open to participation and listening, with one to three anchors. Each study group is centred around a topic, and three pre-determined questions relating to that topic are posed to the participants. The tone is detached, with not much encouragement for sharing of personal information. The conversation is fluid and anyone who has anything to say is able to start speaking. We do not follow the common conventional etiquette of introducing the guests or apologising for intrusion. Due to this it becomes rather freeing and divorced from any mode of social behaviour. The illusion we often chase is of the study group being just a set of “voices in the head”.

When an idea oversteps the terrain that it has been assigned to, it acquires the garb of being a trespasser. Ideas trespass when they uncover surprising connections. which they might otherwise not be related to in any direct way. Such connections cannot be predicted. They emerge out of the process of exploring something else. Trespass happens at perspective boundaries—one never meant to hear another’s perspective, but now that they are in a space together, one must; encroachment will invariably happen.

Study groups have anchors who stand with markers for conversation transition points. Anchors could be Surfatial members or guests. Guest anchors are invited with the intent of extending Surfatial’s sphere of engagement and to alter the threads that connect the conversations.

Anchors are not moderators. They are literally anchors for the discussion. They make sure that the discussion deals with the issues that it raises before moving onto other issues. Anchors seek out questions and figure if they have been answered. They are like accountants of a currency of ideas.

The archive of all these study group conversations [A8] is treated as a dynamic space for re-engagement in order to consistently pursue alternate methods of presenting it—through text, posters, books, soundtracks, videos and conversation games.

How messages are presented

When we start seeding a message, we feel the pull of invisible attractors. The vestiges of messages are either offered at their face value or they are so thin, light and loosely packed that they do not offer sufficient flesh to sink teeth into [B12]. The least we demand from the producers of noise and meaninglessness in our environment is that they give us sufficient depth of material to bite into and suck the juice out. Density is the key.

In compression lies our only hope. If you have to speak, speak less and mean more. If you have to produce material of any kind, make sure it is densely packed with fissile material which can all combust together to yield a message.

By packaging our formats in diverse forms they become appealing to people in different ways.

But there is a danger of package and content being divorced in the process of design. Design facilitates skimming of content by packaging its appearance as eye-candy; packaging runs the danger of dissuading immersion into content. We look to destabilise this tendency, and offer value in the packaging itself. We are interested in packages with embedded content, to save the viewer the trouble of unwrapping any external cover.

Access to free exchange is sometimes denied. Free exchange ensures that ideas get modified and challenged. They grow and so it is an essential process that is needed in order for them to be change and offer strength garnered from this free exchange.

Then what is the way? How do you get past institutional filters? If limits have been drawn, if the surfaces of knowledge are guarded, how do messages get out of the perimeter of control? Spam—unsolicited communication, yielding messages where none are requested or expected—is the answer. Spam and spam-like methods are the only tools that can get past the filters. There are no constraints which are fine enough for the fine specks of spam to be swatted out.

We are going to populate compressed messages of the whole world's knowledge onto surfaces of mass display and then circulate them like spam.

Posters [A9] are posts that linger [B13]. Posters are not just lozenges of information, they are pieces and fragments of a song that gets completed in the reader’s mind. The poster is already present on social media as a format. But not all designers use the poster in the same way. For some it is just a clever punch-line. We believe in the punch but not in the merit of clever punch-lines. We attempt a sharp contrast between the text that we write and the general experience offered by the environment for consumption of media. This sharp contrast is conveyed through our choice of the posters’ visual format as well as through the auditory means of a soundscape.

What is a song? Who is singing? A song speaks when words are weak, when humming gets through, when drumming has no beat.

Our tracks [A7] emerge out of our words and texts. We put together sounds and speech sometimes post-fact, sometimes in the moment with everyone there in the room. We believe that fragments of words and speech can be agents of perspective shifts if placed within altered contexts and rhythms. We think of our sounds as soundscapes more than music.

Conversation as Currency

To sell, one needs to be invisible. No business survives on recurrent sales to family and friends. Businesses survive and grow because they create markets within which strangers can transact with confidence. For strangers to transact with confidence, value needs to be stable and fixed into the form of the product. And for that, products need to develop an intensely tangible form. Value of the product starts and finishes with the form. The form cannot be soft or intangible. It needs to be concrete.

To fix the value for a thing, one needs to have a conversation. The price of a commodity can be arrived at through conversation. But we do not care about the price. Because once we sell, our conversation is over. We do not want to end it. Besides, we will all keep having more to say and would like others to have access to it too. These are things of value for all of us. This is what we want to exchange and so, conversation is our currency. We will only transact through conversations.

To buy, one must be desirous. There must be a desire for change, for a perturbation of the status quo. A desire that drives motivation for the mouth to open and the hand to move towards a device that dispenses currency. All this takes a lot of effort. The seller and the buyer both have desires and motivations, but the anxiety of the approach to the final push off of the cliff-face of the mountain of the transaction must be overcome. This is the difficult part. It involves a leap of faith. Can a push be made as effortlessly as possible? Sure. We only need to find a way. Efficiency is a way. We introduce efficiency into the system by reducing steps. If we take away the step of the hand moving, we have already reduced effort. Now only the mouth has to open.

We have made the determination of value into a game, which is in the form of a Book of Conversation Triggers [A3]. In this game, we will read each sentence in our book to you and we will ask you if you agree. After we have performed all the sentences to you, we will ask you if you feel like holding on to any sentence, or if any sentence led you to experience a new kind of thought. If you think so, we will offer those sentences to you. You may if you like, in turn play this game with whomever you choose to play it with, in order to have another conversation. You owe yourself that much at least. If conversation is a currency, it wants to grow and spread like a virus. So, why not go forth and multiply?

What will you, the player, win? You win a sentence you can post on your fridge door or your Facebook wall, you win an insight you can talk about further. You win the memory of a delightful conversation you had with us, which we guarantee you will have again with whomever you choose to play with. This game will give you victory again and again. Are you game?

A poster can also be a person who posts. A post-writer is often one who reaches the point of saturation, which pushes them to producing compressed text. This act places them in a new period in the timeline of history, of being post-writers.

Publishing sans credits

We work with the idea of credit-less production. post_writer [A5] is a twitter-based monthly journal. Each issue consists of six tweets. Four by humans, one by a bot and one by a sponsor. There are only issue-wide credits but no individual credits. Which tweet is by whom is an ambiguity.

As an actor, you can choose to disengage from every story you assume you are a part of, then you deal with the anxiety of performing for free in an under-documented and under-credited fashion. When this anxiety subsides, awakening might happen.

We look to expand the study group format to have anchors interested in exploring their own questions in a nondescript manner. We are also looking at shorter capsules of study groups which will be podcast, with a question dedicated for an individual’s consideration, to capture their particular perspective of experience sharing.

We would rather model the world as a space swarming with individuals who actively produce content, rather than as a space with an abundance of consumers and a scarcity of commercially viable producers enveloped in the gloss of the culture of page-hits and celebrity [B14] [B15]. Today we have a competitive marketplace of market-validated content that goes into profiling our consumption. Our profiles are then further recycled as fodder by the market, to be fed back to us [B16]. We are not valued as producers; we are valued as consumers of products, and vessels for marketing those very products.

The current state of the world has many different sources of validation but does not have a space for the self-validated. If we choose to be blind to the sociality of the content we see, then we have nothing at all. Every package of content is socialised, everything is floating in mediated space [B17]. The isolated, untouched (by mind or hand) content has no place in the world. We are surrounded by content which has no fidelity, coils through minds at will, and yields their message to anyone who enquires. There is no knowledge personally reserved for you in this pool of content. Reading is supposed to lead to synthesis and this synthesis is meant to culminate into a development of personal perspectives and opinions. However, in a pool of commonly read content there is more likelihood for the development of cliques and clouds of common belief and little space for individualised synthesis. Some get hit more directly by some threads of content and identify the hit as a personal facet of discovery.

“The smart way to keep people passive and obedient is to strictly limit the spectrum of acceptable opinion, but allow very lively debate within that spectrum....”
— Noam Chomsky, The Common Good

To hit upon a truly personal facet of content that doesn’t belong to a popular cesspool, a flow of production has to be initiated and self-validated. Entire knowledge-systems need be constructed without any building blocks but with content generated from the knowledge of the moment [B18]. Insights gleaned from here and there come together as a granular pool of content that is personal, special and hitherto unseen in our context. A unique association between the individual and message gets formed. And this association is incoherent and unfamiliar in ways, because it doesn't belong to the popularly socialised frameworks of knowledge. This weird fiction gets overlooked and thereby remains safe from being intruded upon or being misconstrued. The obscure and the hidden breed mysteries waiting to be tapped.

Time to break [B19] from packaged commodified sound byte capsules.

A) Index of Surfatial Projects

1. Study groups on Google Hangouts on Air

Study groups with Surfatial anchors
Study groups with guest anchors

2. Conversation based games: flip & blip

3. Book of Conversation Triggers: PDF

4. Online Residency on Surfatial’s Facebook page

5. Post-writer: https://twitter.com/post_writer.

Each issue is based on public contributions

6. Interactive performances and exhibitions

7. Tracks based on our archives of text and audio: Soundcloud

8. Digital archives of games, performance and study-groups: YouTube

9. Poster: Facebook

B) References [B20]

1. Pulp - “Glory Days” - This is Hardcore (1998)

2. Pink Floyd - “The Happiest Days of Our Lives” - The Wall (1979)

3. Weezer - “The Futurescope Trilogy” - Everything Will Be Alright In The End (2014)

4. Radiohead - “How to Disappear Completely” - Kid A (2000)

5. Nirvana - “Smells Like Teen Spirit” - Nevermind (1991)

6. Pink Floyd - “Empty Spaces” - The Wall (1979)

7. Metallica - “The Unforgiven” - Metallica (The Black Album) (1991)

8. Backstreet Boys - “Quit Playing Games with My Heart” - Backstreet Boys (1995)

9. Sting - “Shape of My Heart” - Ten Summoner’s Tales (1993)

10. Kenny Rogers - “Rules of the Game” - The Gambler (1978)

11. Boyzone - “If We Try” - BZ20 (2013)

12. Bangles - “Mixed Messages” - Doll Revolution (2003)

13. Cranberries - “Linger” - Everybody Else's Doing It, So Why Can't We? (1993)

14. Lady Gaga - “Paparazzi” - The Fame (2008)

15. Eminem - “The Real Slim Shady” - The Marshal Mathers LP (2000)

16. Kraftwerk - “Hall of Mirrors” - Trans-Europe Express (1977)

17. Marshall McLuhan - “The Medium is the Message” - The Medium is the Message (1967)

18. Chicks on Speed - “Utopia” - UTOPIA (2014)

19. Queen - I Want to Break Free - The Works (1984)

20. DJ Shadow - “Right Thing / GDMFSOB” - The Private Press (2002)

C) Game - 101 Ways of starting an ISP: No. 54

Instructions for playing:

Click here to access the game.
On every left-click, you will receive a new poster.
If you like what you see, right-click and save as an image. (This works on the Google Chrome and Firefox browsers).
You can then choose to share the image on your Facebook or Twitter pages and tag #Surfatial. We use conversation as currency, so we will contact you and converse with you to complete the transaction process.

Authors' Profile

Surfatial is a trans-local collective that operates through the internet. We use conversations to aid learning outside established structures. We are concerned with enabling disinhibition through the internet, for expressing what may not be feasible in physical reality. We organise internet-based audio conferences called study-groups where we deal with philosophical questions and a self-reflective exchange of individual experiences. We have previously presented our work at Soundphile 2016, Delhi; play_book (in collaboration with Thukral & Tagra), Gurgaon; CONA, Mumbai, and Mumbai Art Room. Our upcoming engagement is with ZK/U, Berlin.

Facebook - https://www.facebook.com/surfatial

Website - http://www.museumofvestigialdesire.net/offices/surfatial

Twitter - https://twitter.com/surfatial

Surfatial is Malavika Rajnarayan, Prayas Abhinav, Satya Gummuluri, and No.55, a bot.

Prayas Abhinav

Prayas is an artist and teacher. He works on his capacity to learn through performance. He has worked in the last few years on numerous pieces of speculative fiction, software, games, interactive installations, public interventions and curatorial projects. He is the initiator of the Museum of Vestigial Desire. He has developed his practice with the support of fellowships by Sarai, Openspace, the Center for Experimental Media Arts (CEMA), TED and Lucid. He has been in residencies at Khoj (India), Coded Cultures (Austria) and dis-locate (Japan). He has shared his work at festivals including Transmediale, 48c, Futuresonic, ISEA and Wintercamp.

Satya Gummuluri

Satya is an artist originally from Bombay currently based in Germany. She works with music, writing and photography as well as doing freelance translation, editorial and research work. She has lived in Chicago for several years, collaborating, recording, performing and traveling with musicians and dancers in Chicago, NYC and Lisbon, and has appeared with them at the Chicago Jazz and World Music Festivals, and Austin’s SXSW. As a writer and translator, her work has appeared in online and print journals such as Almost Island and SAADA’s Tides magazine. She also works with activist groups engaged with feminism and urban issues in India and the US.

Malavika Rajnarayan

Malavika is an artist based in India. Her paintings use the human figure to explore larger issues of collective consciousness. Her works have also been exhibited in Mumbai, Delhi, Bangalore, Chennai and Ahmedabad in India and at the 2007 Sosabeol Art Expo in South Korea. She has presented lectures at EWHA University in Seoul, South Korea, College of Fine Arts, Karnataka Chitrakala Parishath, SITE art space, Baroda and conducted short workshops at NID, Ahmedabad and at non-profit organisations for women and children. She has been an artist-in-residence at The Collective Studio Baroda, The Contemporary Artists Centre, Troy, New York and at CAMAC Centre for Art in Marnay sur-Seine, France, supported by the K. K. Hebbar Art foundation and the Indian Council for Cultural Relations.

For more details visit https://cis-india.org/raw/blog_101-ways-of-starting-an-isp-no-53-conversation-content-weird-fiction

It's That Eavesdrop Endemic

praskrishna — 2016-07-30T15:45:31Z

Whatsapp Says It’s Snoop-Proof Now, But There’s Always A Way In

The article by Arindam Mukherjee was published in Outlook on July 25, 2016. Pranesh Prakash was quoted.

Lock and Key

WhatsApp says it has end-to-end encryption, so no one, not even WhatsApp, can snoop into calls.

Experts say any encryption can be broken by security agencies. Android phones can also get infected by malware.

For years, a Delhi power-broker used to call from nondescript landline numbers, changing them ever so often. Of late, he has started using WhatsApp calls for ‘sensitive’ conversations. He’s not alone. WhatsApp has revealed that over 100 million voice calls are being made on the social network every day. That’s over 1,100 calls a second! India is one of the biggest user bases of WhatsApp. And many Indian users are making the app their main engine for voice calls.

One reason for this shift is that WhatsApp calls are seen to be essentially free (though they indeed have data charges). But for a lot of people, the chief allure lies in the touted fact that WhatsApp calling is far more secure than mobile calling. In April, the app introduced end-to-end encryption for its messages and voice calls.

Consequent to this, Sudhir Yadav, a Gurgaon-based software engineer filed a PIL in the Supreme Court seeking a ban on WhatsApp on the grounds that its calls are so safe that it could be misused by ‘terrorists’. Last month, a court in Brazil issued orders to block WhatsApp for 72 hours after it failed to provide the authorities access to encrypted data.

Are WhatsApp calls really impenetrable? WhatsApp believes so and says that the encryption key is held by the two persons at the two ends of the message or call and no one, not even the company, can snoop in. “The calls are end-to-end encrypted so WhatsApp and third parties can’t listen to them,” a WhatsApp spokesperson told Outlook. This is precisely Yadav’s concern. “Because the encryption is end to end, the government can’t break it and WhatsApp cannot provide the decryption key,” he says.

However, experts do not buy this argument. They believe everything on the Internet is vulnerable. “Anything that uses a phone number is vulnerable,” says Kiran Jonnalagadda, founder of technology platform HasGeek. “Anyone can impersonate the phone number by getting a duplicate SIM and get access to a phone. There are also bugs in the system which security agencies use.”

WhatsApp uses a person’s phone number to open an account and authenticate a user. So, if the government or a security agency wants to get access to a WhatsApp call, it would be very easy. “Telecom companies cannot access these calls as they are encrypted before they reach the network. But the government can. It just has to replicate a SIM to access any number and its messages or voice calls,” says Aravind R.S., a volunteer for Save the Internet campaign and founder of community chat app Belong,

There are other modes of attack as well. It is a given that Android phones, which form the majority of mobile phones used in India today, are most vulnerable to malware attacks. So, even if the app itself is secure, the device is not and if the device is attacked, just about everything in it can be tapped into. For instance, there’s the ‘man in the middle’ mode of attack, where a third person gets into a call and mirrors the messages to both the sides and relays the messages or calls to a different server. There is also the SS7 signalling protocol that can help hackers get into networks and calls. These attacks can make even a WhatsApp encryption vulnerable.

Security agencies and hackers routinely implant viruses into the phones of people they are monitoring. Once a phone is “infected”, everything is accessible. And Android phones are extremely prone to attacks from malware. “It's not perfectly secure, especially if there is any virus in an Android phone, which is what security agencies work with. They have many more ways to get into a phone. There is no defence against that,” says Aravind,

Experts believe it is possible that US intelligence agencies like the FBI and the NSA may have access to or are capable of breaking into even the WhatsApp encryption. This is proven by the recent incident where the FBI, after being refused by Apple to open up an iPhone used by a terrorist, broke into the phone by itself.

“If you are on the NSA list, there is nothing you can do to protect yourself,” says Pranesh Prakash, policy director with the Centre for Internet and Society. “They will find a way to get into your phone. In WhatsApp, many things like photographs and videos are not encrypted; these can get access to a person’s account.”

In India, the debate on access to encrypted phones has been on since the government engaged with Blackberry a few years ago. “There is no law governing an Over The Top (OTT) service like WhatsApp. If the government orders decryption of a call and WhatsApp cannot comply, it will become illegal,” says cyber lawyer Asheeta Regidi. The government’s seeming comfort level with all this legal ambiguity is yet another indicator that all is not what is seems with WhatsApp. As for callers, they would do well to speak discreetly on any network.

For more details visit https://cis-india.org/internet-governance/news/outlook-july-25-2016-arindam-mukherjee-its-that-eavesdrop-endemic

India and Regional Mega-Trade Agreements

praskrishna — 2016-07-30T12:59:56Z

Anubha Sinha was invited by the Observer Research Foundation for a panel discussion on "India and Regional Mega-Trade Agreements" with Ambassador Robert Holleyman, Deputy US Trade Representative and Ambassador Shyam Saran, Chairman, Research and Information System for Developing Countries on July 25, 2016 at ORF Conference Hall in New Delhi.

The discussion comes at a critical time for digital trade in Asia, with the recent conclusion of the Trans-Pacific Partnership and the continent's emergence as a major contributor the global digital economy.

The growth of the digital economy has spurred new concerns about global tax regimes, and the negotiation of trade terms - including non-tariff barriers and the alignment of policies - even as intellectual property rights are redefined and e-commerce changes industry practices. The backdrop to these developments is the rapid and unpredictable advance of technology, which has prompted the need for adaptive policies. The Digital 2 Dozen, the US tenets for unrestricted commerce and an open internet, is attached for your reference.

For more details visit https://cis-india.org/a2k/news/india-and-regional-mega-trade-agreements

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

Elonnai Hickok and Vipul Kharbanda — 2016-08-11T09:58:59Z

This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

The United Nations Group of Experts on ICT issued their report on Developments in the Field of Information and Telecommunications in the Context of International Security in June, 2015. This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. CIS believes that the report of the Group of Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

Download: PDF (627 kb)

1. Introduction

2. Analysis of the Recommendations

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; of the Recommendations

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity

3. Conclusion

1. Introduction

Cyberspace[1] touches every aspect of our lives, has enormous benefits, but is also accompanied by a number of risks. The international community at large has realized that cyberspace can be made stable and secure only through international cooperation. Traditionally, though there are a number of bilateral agreements and forms of cooperation the foundation of this cooperation has been the international law and the principles of the Charter of the United Nations.

To this end, on December 27, 2013 the United Nations General Assembly adopted Resolution No. 68/243 requesting the" Secretary General, with the assistance of a group of governmental experts,…… to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures, the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by States……. and to submit to the General Assembly at its seventieth session a report on the results of the study. "In pursuance of this resolution the Secretary General established a Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security; the report was agreed upon by the Group of Experts in June, 2015. On 23 December 2015, the UN General Assembly unanimously adopted resolution 70/237[2] which welcomed the outcome of the Group of Experts and requested the Secretary-General to establish a new GGE that would report to the General Assembly in 2017.

The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. These threats have the potential to jeopardize international peace and security. The experts gave recommendations which have built on consensus reports issued in 2010 and 2013, and offer ideas on norm-setting, confidence-building, capacity-building and the application of international law for the use of ICTs by States. Among other recommendations, the Report lays down recommendations for States for voluntary, non-binding norms, rules or principles of responsible behaviour to promote an open, secure, stable, accessible and peaceful ICT environment.

As larger international dialogues around cross border sharing of information and cooperation for cyber security purposes take place between the US and EU, it is critical that India begin to participate in these discussions.[3] It is also necessary to take cognizance of the importance of implementing internal practices and policies that are recognized and set strong standards at the international level.

This paper marks the beginning of a series of questions we will be asking and processes we will be analysing with the aim of understanding the role of international cooperation for cyber security and the interplay between privacy and security. The report analyses the existing norms in India in the backdrop of the recommendations in the Report of Experts to discover how interoperable Indian law and policy is vis-à-vis the recommendations made in this report as well as making recommendations towards ways India can enhance national policies, practices, and approaches to enable greater collaboration at the international level with respect to issues concerning ICTs and security.

2. Analysis of the Recommendations

The Group of Experts took into account existing and emerging threats, risks and vulnerabilities, in the field of ICT and offered the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour.

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

1. India has been working with a number of countries such as Belarus, Canada, China, Egypt, and France on a number of ICT-related isues thereby increasing international cooperation in the ICT sector, such as:

(i) setting up the India-Belarus Digital Learning Centre (DLC-ICT) to promote

development of ICT in Belarus;

(ii) sending an official business delegation to Canada to attend the 2^ndJoint Working Group meeting in ICTE;

(iii) holding Joint Working Groups on ICT with China.[4]

As can be seen from this, most of the cooperation with other countries is currently government to government (or government institution to government institution) cooperation. However, it must be noted that the entire digital revolution, including ICT necessarily involves ICT companies, and thus the role of the private sector in participating in these negotiations as well as the responsibilities of private sector ICT companies in cross border cooperation. Furthermore, the above examples are a few of the many agreements, Memoranda of Understanding (MOU), and negotiations that India has with other countries on cross border cooperation. It is important that, to the extent possible, these negotiations and transparent and easily publicly available.

2. The primary legislation governing ICT in India is the Information Technology Act, 2000 ("IT Act") which was passed to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act contains a number of provisions that declare illegal activities that threatenICT infrastructure, data, and individuals as illegal and provide for penalties for the same. These activities are:

Section 43 - Penalty and Compensation for damage to computer, computer system, etc.: If any person without permission: (i) accesses a computer, computer system or network; (ii) downloads, copies or extracts any data from such computer, computer system or network; (iii) introduces any computer contaminant or computer virus into, destroys, deletes or alters any information on, damages or disrupts any computer, computer system or network; (iv) denies or causes the denial of access to any computer, computer system or network by any means; (v) helps any person to access a computer, computer system or network in contravention of the Act; (vi) charges the services availed of by a person to the account of another person through manipulation; or (vii) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the person so affected.

Section 66 - Computer Related Offences: If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to Rs. 5,00,000/- or with both.

Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to Rs. 1,00,000/- or with both.

Section 66C - Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D - Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to Rs. 1,00,000/-.

Section 66E - Punishment for violation of privacy: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding Rs. 2,00,000 or with both.

Section 66F - Punishment for cyber terrorism: (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by -

Denying or cause the denial of access to computer resource; or
Attempting to penetrate a computer resource; or
Introducing or causing to introduce any computer contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure, or

(B) knowingly or intentionally penetrates a computer resource and by by doing so obtains access to information that is restricted for reasons of the security of the State or foreign relations; or any restricted information with reasons to believe that such information may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 - Publishing of information which is obscene in electronic form: Whoever publishes or transmits in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished on first conviction with a maximum imprisonment upto 2 years and a maximum fine upto Rs. 5,00,000 and for a second or subsequent conviction with a maximum imprisonment upto 5 years and also a maximum with fine upto Rs. 10,00,000.

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form: Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished on 1st conviction with a maximum imprisonment for 5 years and a maximum fine of upto Rs. 10,00,000 and for a 2nd or subsequent conviction with a maximum imprisonment of 7 years and a maximum fine upto Rs. 10,00,000.

Section 67B - Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form: Whoever,- (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit act or conduct; or (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or (d) facilitates abusing children online; or (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with a maximum imprisonment upto 5 years and a maximum fine upto Rs. 10,00,000 and in the event of a 2nd or subsequent conviction with a maximum imprisonment upto 7 years and also a maximum fine upto Rs. 10,00,000.[5]

Section 72 - Breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under this Act, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses the same to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.

Section 72-A - Punishment for Disclosure of information in breach of lawful contract: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000 or with both.

3. The broad language and wide terminology used IT Act seems to cover most of the cyber crimes faced in India as of now, though the technical abilities to prevent the crimes still leave a lot to be desired. The prevention of cyber crime is not the domain of the IT Act and is rather the responsibility of the law enforcement authorities (note: there is no specific authority created under the IT Act, the Act is enforced by the police and other law enforcement authorities). That said, it may be a useful exercise to briefly compare these provisions with the crimes mentioned in the Convention on Cybercrime, 2001 (Budapest Convention), an international treaty that seeks to addresses threats in cyber space by promoting the harmonization of national laws and cooperation across jurisdictions, to examine if there are any that are not covered by the IT Act. A comparison of the principles in Budapest Convention and the IT Act is below:

S. No.	Article of the Budapest Convention	Provisions of the IT Act which cover the same
1	Article 2 - Illegal Access	Section 43(a) read with Section 66
2	Article 3 - Illegal Interception	Section 69 of the IT Act read with section 45 as well as Section 24 of the Telegraph Act, 1885
3	Article 4 - Data interference	Sections 43(d) and 43(f) read with section 66
4	Article 5 - System interference	Sections 43(d), (e) and (f) read with section 66
5	Article 6 - Misuse of devices	Not specifically covered
6	Article 7 - Computer related forgery	Computer related forgery is not specifically covered, but it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
7	Article 8 - Computer related fraud	While not specifically covered by the IT Act, it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
8	Article 9 - Offences relating to child pornography	Section 67B

As can be seen from the above discussion, most of the criminal acts elucidated in the Budapest Convention are covered under the IT Act except for the provision on misuse of devices, which requires the production, dealing, trading, etc. in devices whose sole objective is to violate the provisions of the IT Act, though it is possible that provisions of the Indian Penal Code, 1860 dealing with conspiracy and aiding and abetment may be pressed into service to cover such incidents.

4. Further, there are a number of laws which deal with critical infrastructure in India, however since these are mostly sectoral laws dealing with specific infrastructure sectors, the one most relevant to ICT is the Telegraph Act, 1885, which makes it illegal to interfere with or damage critical telegraph infrastructure. The specific penal provisions are listed below:

Section 23 - Intrusion into signal-room, trespass in telegraph office or obstruction: If any person - (a) without permission of competent authority, enters the signal room of a telegraph office of the Government, or of a person licensed under this Act, or (b) enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or (c) refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or (d) wilfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to Rs. 500.

Section 24 - Unlawfully attempting to learn the contents of messages: If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.

Section 25 - Intentionally damaging or tampering with telegraphs: If any person, intending - (a) to prevent or obstruct the transmission or delivery of any message, or (b) to intercept or to acquaint himself with the contents of any message, or (c) to commit mischief, damages, removes, tampers with or touches any battery, machinery, telegraph line, post or other thing whatever, being part of or used in or about any telegraph or in the working thereof, he shall be punished with imprisonment for a term which may extend to three years, or with fine or with both.

Section 25A - Injury to or interference with a telegraph line or post: If, in any case not provided for by section 25, any person deals with any property and thereby wilfully or negligently damages any telegraph line or post duly placed on such property in accordance with the provisions of this Act, he shall be liable to pay the telegraph authority such expenses (if any) as may be incurred in making good such damage, and shall also, if the telegraphic communication is by reason of the damage so caused interrupted, be punishable with a fine which may extend to Rs. 1000:

5. The telecom service providers in India have to sign a license agreement with the Department of Telecommunications for the right to provide telecom services in various parts of India. The telecom regulatory regime in India has gone through a lot of turmoil and evolution and currently any service provider wanting to provide telecom services is issued a Unified License (UL) and has to abide by the terms of the UL. Whilst most of the prohibited activities under the UL refer to specific terms under the UL itself such as non payment of fees and not fulfilling obligations under the UL, section 38 provides for certain specific prohibited activities which may be relevant for the ICT sector. These prohibited activities include:

(i) Carrying objectionable, obscene, unauthorized or any other content, messages or communications infringing copyright and intellectual property right etc., which may be prohibited by the laws of India;

(ii) Provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network, to the authorised government agencies;

(iii) Ensuring that the Telecommunication infrastructure or installation thereof, carried out by it, should not become a safety or health hazard and is not in contravention of any statute, rule, regulation or public policy;

(iv) not permit any telecom service provider whose license has been revoked to use its services. Where such services are already provided, i.e. connectivity already exists, the license is required to immediately sever connectivity immediately.

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

The Department of Electronics and Information Technology (DEITY) has released the XIIth Five Year Plan on the information technology sector and the report of the Sub-Group on Cyber Security in the plan recognizes that cyber security threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. [6] The primary objectives of the plan for securing the country's cyber space are preventing cyber attacks, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks. The plan takes into account a number of focus areas to achieve its stated objectives, which are described briefly below:

Enabling Legal Framework - Setting up think tanks in Public-Private mode to identify gaps in the existing policy and frameworks and take action to address them including addressing the privacy concerns of online users.
Security Policy, Compliance and Assurance - Enhancement of IT product security assurance mechanism (Common Criteria security test/evaluation, ISO 15408 & Crypto Module Validation Program), establishing a mechanism for national cyber security index leading to national risk management framework.
Security Resarch&Development (R&D) - Creation of Centres of Excellence in identified areas of advanced Cyber Security R&D and Centre for Technology Transfer to facilitate transition of R&D prototypes to production, supporting R&D projects in thrust areas.
Security Incident - Early Warning and Response - Comprehensive threat assessment and attack mitigation by means of net traffic analysis and deployment of honey pots, development of vulnerability database.
Security awareness, skill development and training - Launching formal security education, skill building and awareness programs.
Collaboration - Establishing a collaborative platform/ think-tank for cyber security policy inputs, discussion and deliberations, operationalisation of security cooperation arrangements with overseas CERTs and industry, and seeking legal cooperation of international agencies on cyber crimes and cyber security.

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

As mentioned in response to (a) above, the primary legislation in India that deals with information technology and hence ICT as well is the Information Technology Act, 2000. The IT Act contains a number of penal provisions which make it illegal to indulge in a number of practices such as hacking, online fraud, etc. which have been recognised internationally as wrongful acts using ICT ( Please refer to answer under section (a) above for details of the penal provisions). Further section 1(2) of the IT Act provides that it also applies to any offence or contravention hereunder committed outside India by any person. This means that the IT Act also covers internationally wrongful acts using ICTs.

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

There are a number of ways in which states can share information by using widely accepted formal processes precisely for this purpose. Some of the most common methods of international exchange used by India are given below.

MLATs

Although the exact process by which intelligence agencies in India share information with other agencies internationally is unclear, India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training and is designated as the National Central Bureau of India. A very useful tool in the effort to establish cross-border cooperation is Mutual Legal Assistance Treaties (MLATs). MLATs are extremely important for law enforcement agencies, governments and the private sector, since they act as formal mechanisms for access to data which falls under different jurisdictions. India currently has MLATs with the following 39 countries [7]

Although MLATs are considered to be a useful mechanism to ensure international cooperation, there are certain criticisms of the MLAT mechanism, such as:

The Lack of Clear Time Tables: Although MLATs do provide for broad time frames, they do not provide for more specific time tables and usually do not have any provision for an expedited process, for eg. it is believed that for requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months.[8] Such a long time frame is clearly a burden on the investigation process and has been criticised for being ineffectual as they may not provide information fast enough;
Variation in Legal Standards: The legal standards for requesting information, for eg. the circumstances under which information can be requested or what information can be requested, differ from jurisdiction to jurisdiction. These differences are often not understood by requesting nations thus causing problems in accessing information;[9]
Inefficient Legal Process: The legal process to carry out requests through the MLAT process is often considered too cumbersome and inefficient.
Non-incorporation of Technological Challenges: MLATs have not been updated to meet the challenges brought about by technology, especially with the advent of networked infrastructure and ICT which raise issues of attribution and cross-jurisdictional access to information. [10]

Extradition

Extradition generally refers to the surrender of an alleged or convicted criminal by one State to another. More precisely, it may be defined as the process by which one State upon the request of another surrenders to the latter a person found within its jurisdiction for trial ~~and punishment~~ or, if he has been already convicted, only for punishment, on account of a crime punishable by the laws of the requesting State and committed outside the territory of the requested State. Extradition plays an important role in the international battle against crime and owes its existence to the so-called principle of territoriality of criminal law, according to which a State will not apply its penal statutes to acts committed outside its own boundaries except where the protection of special national interests is at stake. India currently has extradition treaties with 37 countries and extradition arrangements with an additional 8 countries.[11]

Letters Rogatory

A Letter Rogatory is a formal communication in writing sent by the Court in which an action is pending to a foreign court or Judge requesting that the testimony of a witness residing within the jurisdiction of that foreign court be formally taken under its direction and transmitted to the issuing court making the request for use in a pending legal contest or action. This request entirely depends upon the comity of courts towards each other and usages of the court of another nation.

Apart from the above methods, India also regularly signs Bilateral MoUs with various countries on law enforcement and information sharing specially in cases related to terrorism. India also regularly helps and gets helps from Interpol, the International Criminal Police Organisation for purposes of investigation, arrests and sharing of information.[12]

Other than these formal methods states sometimes share information on an informal basis, where the parties help each other purely on the basis of goodwill, or sometimes even coercion. A recent example of informal cooperation between the security agencies of India and Nepal, although not in the realm of cyber space, was the arrest of YasinBhatkal, leader of the banned organisation Indian Mujahideen (IM) where the Indian security agencies allegedly sought informal help from their Neapaelese counterparts to arrest a person who was wantedhad long been wanted by the Indian security agencies for a long time. [13]

In the current environment of growing ICT and increased cross-border information sharing between individuals, the role of private companies who carry this information has become much more pronounced. This changed dynamic raises new problems, especially because manyin light of thesefact that a number of these companies do not have a physical presence in all the countries where they offer services over the internet. This leads to problems for states in terms of law enforcement, speciallyespecially if they want information from these companies who do not have an incentive or desire to provide itagainst their will. These circumstances lead to a number of prickly situations where states are often frustrated in using legal and formal means and often resort to informal pressure to get the companies to agree to data localization requests, encryption/decryption standards and keys, back doors, and other requests. etc., Tthe most famous of these in the Indian context being the disagreement/ heated exchange between the Indian government and Canada based Blackberry Limited (formerly Research in Motion) for data requests on their Blackberry enterprise platform.

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

Right to Privacy

The right to privacy has been recognised as a constitutionally protected fundamental right in India through judicial interpretation of the right to life which is specifically guaranteed under the Constitution of India. Since the right to privacy was read into the constitution by judicial pronouncements, it could be said that the right to privacy in India is a creature of the courts at least in the Indian context. For this reason it may be useful to list out some of the major cases which deal with the right to privacy in India:

i. Kharak Singh v. Union of India¸[14] (1962)

a. For the first time, the courts recognized the right to privacy as a fundamental right, although in a minority opinion.

b. The decision lLocated the right to privacy under both the right to personal liberty as well as freedom of movement.

ii. Govind v. State of M.P.,[15] (1975)

a. Adopted the minority opinion of Kharak Singh as the opinion of the Supreme Court and held that the right to privacy is a fundamental right.

b. An individual deDerivesd the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement.

c. The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing.

d. The court established that the rRight to privacy can be violated in the following circumstances (i) important countervailing interest which is superior, (ii) compelling state interest test, and (iii) compelling public interest.

iii. R. Rajagopal v. Union of India,[16] (1994)

a. Recognised that the rRight to privacy is a part of the right to personal liberty guaranteed under the constitution.

b. Recognizeds that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

c. Established that aA citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he is a public servant and the matter relates to their discharge of official duties.

iv. People's Union for Civil Liberties v. Union of India,[17] (1996)

a. Extended the right to privacy to include communications privacy..

b. Laid down guidelines which form the backbone for checks and balances in interception provisions.

v. District Registrar and Collector, Hyderabad and another v. Canara Bank and another, [18] (2004)

a. Refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights which give rise to the right to privacy.

b. The rRight to privacy deals with persons and not places.

c. Intrusion into privacy may be by - (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.

vi. Selvi and others v. State of Karnataka and others,[19] (2010)

a. The Court acknowledged the distinction between bodily/physical privacy and mental privacy

b. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without consent violates the subject's mental privacy
Although the judgements in the above cases (except for the case of People's Union for Civil Liberties v. Union of India) were pronounced given in a non telecomnot delivered in a telecommunications context, however the ease with which these principles were applied in the case of People's Union for Civil Liberties v. Union of India, suggests that these principles, where applicable, would be applied even in the context of ICT and are not limited to only the non-digital world.
It must however be noted that dueDue to some incongruities in the interpretation of the earlier judgments, the Supreme Court has recently referred the matter regarding the existence and scope of the right to privacy in India to a larger bench so as to bring clarity regarding the exact scope of the right to privacy in Indian law. The very concept that the Constitution of India guarantees a right to privacy was challenged due to an "unresolved contradiction" in judicial pronouncements. This "unresolved contradiction" arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[20] and Kharak Singh v. State of U.P. & Others, [21](decided byEigheighttandsixSixJudges respectively) the majority judgment of the Supreme Court had categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[22] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India without addressing the fact that this was a minority opinion and that the majority opinion had denied the existeance of the right to privacy. Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal& Another v. State of Tamil Nadu & Others,[23] (popularly known as Auto Shanker's case) and People's Union for Civil Liberties (PUCL) v. Union of India & Another.[24] However, as was noticed by the Supreme Court in its August 11, 2015 order, all these judgments were decided by two or three Judges only which could not have overturned the judgments given by larger benches.[25] It was to resolve this judicial incongruity that the Supreme Court referred this issue to a larger bench to decide on the existence and scope of the right to privacy in India.

Freedom of Expression

Freedom of expression is one of the most important fundamental rights guaranteed under the constitution and has been vehemently protected by the judiciary on a number of occasions whenever it has been threatened. With the advent of social media, the entire dynamics of the freedom of speech and expression have changed in that it is now possible for every individual, with an internet connection and a Facebook/Twitter/Whatsapp account to reach millions of people without spending any extra money. This ability to reach a much larger and wider audience also led to greater friction between people holding different opinions. As the ease of the internet removed the otherwise filtering effects of geography and made it easier for people to communicate with each other, the advent of social media made it easier for them to communicate with a larger number of people at the same time. This ability to communicate within a group also gave rise to "debates" which often turngot ugly, highlighting giving way to concerns of how easy it is to harass people on social media.
This concern over of harassment led a number of people to call for greater censorship of social media and it was perhaps this concern which gave rise to the biggest challenge to the freedom of speech and expression in the online world, in the form of section 66A of the Information Technology Act, 2000 which made it an offense to send information which was "grossly offensive" (s.66A(a)) or caused "annoyance" or "inconvenience" while being known to be false (s.66A(c)). This section was used widely seen by Oonline activists, including the Centre for Internet and Society, widely considered this section as a tool for the government to silence those who criticised it. In fact, statistics compiled by the National Crime Records Bureau from 2014 revealed that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A which accounted for nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. [26]
The section was finally struck down by the Supreme Court in 2015 in the case of Shreya Singhalv. Union of India, [27] on the ground of being too vague. This decision was seen as a huge victory for the campaign for freedom of speech and expression in the virtual world since this section was frequently used by the state (or rather government in power) to muzzle free speech against the incumbent government or political leaders. The offending section 66A made it an offence to send any information that was "grossly offensive or has menacing character" or "which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by makinguse of such computer resource or a communication device,". These terms quoted above were held by the Court to be too vague and wide and falling foul of the limited restrictions constitutionally imposed on the freedom of expression. The Supreme Court therefore, and were therefore struck down section 66A by the Supreme Court.

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

The researchers of this report could not locate any norms in India which address this issue. To the best of their knowledge, India does not support any ICT activity that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure.

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

1. Section 70 of the IT Act gives the government the authority to declare any computer system which directly affects any critical information infrastructure to be a protected system. The term "critical information infrastructure" (CII) is defined in the IT Act "the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Once the government declares any computer resource as a protected system it gets the authority to prescribe information security practices for such as system as well as identify the persons who are authorised to access such systems. Any person who accesses a protected system in contravention of the provision of Section 70 of the IT Act shall be liable to be imprisoned for a maximum period of 10 years and also pay a fine. Further, section 70A of the IT Act gives the government the power to name a national nodal agency in respect of CII and also prescribe the manner for such agency to perform its duties. In pursuance of the powers under sections 70A the government has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) situated in the JNU campus as the nodal agency [28]. This agency is a part of and under the administrative control of the National Technical Research Organisation (NTRO) [29].

2. The functions and manner of performing such functions by the NCIIPC has been prescribed in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.[30] According to these Rules the functions of the NCIIPC include, inter alia, (i) the protecting and giving advice to reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats; (ii) identification of all critical infrastructure elements so that they can be notified by the government; (iii) providing strategic leadership and coherence across the government to respond to cyber security threats against CII; (iv) coordinating, sharing, monitoring, analysing and forecasting national level threats to CII for policy guidance, expertiese sharing and situational awareness for early warning alerts; (v) assisting in the development of appropriate plans, adoption of standards, sharing best practices and refinining procurement processes for CII; (vi) undertaking and funding research and development to innovate future technologies and collaborate with PSUs, academia and international partners for protection of CII; (vii) organising training and awareness programmes and development of audit and certification agencies for protection of CII; (viii) developing and executing national and international cooperation strategies for protection of CII; (ix) issuing guidelines, advisories and vulnerability notes relating to CII and practices, procedures, prevention and responses in consultation with CERT-In and other organisations; (x) exchanging information with CERT-In, especially in relation to cyber incidents; and (xi) calling for information and giving directions to critical sectors or persons having a critical impact on CII, in the event of any threat to CII.[31]

3. The NCIIPC had in the year 2013 released (non publicly) Guidelines for the Protection of National Critical Information Infrastructure [32] (CII Guidelines) which presented 40forty controls and respective guiding principles for the protection of CII. It is expected that these controls and guiding principles will help critical sectors to draw a CII protection roadmap to achieve safe, secure and resilient CII for India. The 'Guidelines for forty Critical Controls' is considered by the NCIIPC to be a significant milestone in its efforts for the protection of nation's critical information assets. These fort controls can be found in Section 6 (Best Practices, Controls and Guidelines) of the CII Guidelines. It must be noted that the CII Guidelines were drafted after taking inputs from a number of stakeholders such as the national Stock Exchange, the Airports Authority of India, National Thermal Power Corporation, Reserve Bank of India, Indian Railways, Telecom Regulatory Authority of India, Bharat Sanchar Nigam Limited, etc. This exercise of taking inputs from different stakeholders as well as developing a standard of as many as 40forty aspects of security seems to suggest that the NCIIPC is taking steps in the right direction.

4. The Recommendations on Telecommunication Infrastructure Policy issued by the Telecom Regulatory Authority of India in April, 2011 are silent on the issue of security of critical information infrastructure.s. However, the National Policy on Information Technology, 2012 (NPIT) does address the issue of security of cyber space by saying that the government should make efforts to do the following:

"9.1 To undertake policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.

9.2 To promote indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes

9.3 To create a culture of cyber security for responsible user behavior & actions including building capacities and awareness campaigns.

9.4 To create, establish and operate an 'Information Security Assurance Framework'."

5. The Department of Information and Technology has formed the Computer Emergency Response Term of India (CERT-In) to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration. The Information Security Policy on Protection of Critical Infrastructure released by the CERT-In considers information recorded, processed or stored in electronic medium as a valuable asset and is geared towards protection of such "valuable asset". The policy recognises the importance of critical information infrastructure network and says that any disruption of the operation of such networks is likely to have devastating effects. The policy prescribes that personnel with program delivery responsibilities should also recognise the importance of security of information resources and their management. Thus Ddue to this recognition of the growing networked nature of government as well as critical organisations and the need to have a proper vulnerability analysis as well as effective management of information security risks, the Department of Technology prescribes the following information security policy:

"In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to do the following on priority:

Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a 'Point of contact', responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security;
Prepare information security plan and implement the security control measures as per ISI/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate;
Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/ functions and achievement of organisational goals/objectives;
Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks. Especially, Test and evaluation may become necessary after each significant change to the IT applications/systems/networks and can include, as appropriate the following:

➢ Penetration Testing (both announced as well as unannounced)

➢ Vulnerability Assessment

➢ Application Security Testing

➢ Web Security Testing

Carry out Audit of Information infrastructure on an annual basis and when there is major upgradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization;..........

Report to CERT-In the cyber security incidents, as and when they occur and the status of cyber security, periodically."

6. The Department of Electronics and Information Technology (DEITY) released the National Policy on Electronics in 2012 which contained the government's take on the electronics industry in India. Section 5 of the said policy talks about cCyber sSecurity and states that to create a complete secure cyber eco-system in the country, careful and due attention is required for creation of well-d defined technology and systems, use of appropriate technology and more importantly development of appropriate products and& solutions. The priorities for action should be suitable design and development of indigenous appropriate products through frontier technology/product oriented research, testing and& validation of security of products meeting the protection profile requirements needed to secure the ICT infrastructure and cyber space of the country.

7. In addition the CERT-In has issued an Information Security Management Implementation Guide for Government Organisations. [33] CERT-In has also prescribed progressive steps for implementation of Information Security Management System in Government & Critical Sectors as per ISO 27001. The steps prescribed are as follows:

Identification of a Point-of-Contact (POC) / Chief Information Security Officer (CISO) for coordinating information security policy implementation efforts and communication with CERT-In
Information Security Awareness Programme
Determination of general Risk environment of the organization (low / medium / hHigh) depending on the nature of web and& networking environment, criticality of business functions and impact of information security incidents on the organization, business activities, assets / resources and individuals
Status appraisal and gap analysis against ISO 27001 based best information security practices
Risk assessment covering evaluation of threat perception and technical and &operational vulnerabilities
Comprehensive risk mitigation plan including selection of appropriate information security controls as per ISO 27001 based best information security practices
Documentation of agreed information security control measures in the form of information security policy manual, procedure manual and work instructions
Implementation of information security control measures (Managerial, Technical and& operational)
Testing & evaluation of technical information security control measures for their adequacy & effectiveness and audit of IT applications/systems/networks by an independent information security auditing organization (penetration testing, vulnerability assessment, application security testing, web security testing, LAN audits, etc)
Information Security Management assessment and certification against ISO 27001 standard, preferably by an independent & accredited organization

8. The Unified License for providing various telecommunication services also discusses contains certain terms which talk about how to engagedeal with telecommunication infrastructure in light of national security, which include the following recommendations:

Providing necessary facilities to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity;
Giving full access to its network and equipment to the authorised persons for technical scrutiny and inspection;
Obtaininggettting security clearance for all foreign nationals deployed on for installation, operation and maintenance of the network;
Being completely responsible for the security of its network and having organizational policy on security and security management of its network including Network forensics, Network Hardening, Network penetration test, Risk assessment;
Auditing its network or getting the network audited from security point of view once in a financial year from a network audit and certification agency;
Inducting only those network elements into its telecommunications network, which have been got tested according tos per relevant contemporary Indian or International Security Standards;
Including all contemporary security related features (including communication security) as prescribed under relevant security standards while procuring the equipment and implementing all such contemporary features into the network;
Keeping requisite records of operations in the network;
Monitoring of all intrusions, attacks and frauds on his technical facilities and provide reports on the same to the Licensor.

Further statutory restrictions on tampering critical infrastructure are already contained in the Telegraph Act and have been discussed above, though the penalties provided may need to be increased if they are to act as a deterrent in this age where the stakes are much higher.

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

There is yet to be a publicly acknowledged request from a foreign government asking the Indian government to take steps to prevent malicious ICT acts originating from its territory.

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

Section 4 of the National Electronics Policy, 2012 talks about "Developing and Mandating Standards" and says that in order to curb the inflow of sub-standard and unsafe electronic products the government should mandate technical and safety standards which conform to international standards and do the following:

Develop Indian standards to meet specific Indian conditions including climatic, power supply, and handling and other conditions etc., by suitably reviewing existing standards.

Mandate technical standards in the interest of public health and safety.

Set up an institutional mechanism within Department of Information Technology for mandating compliance to standards for electronics products.

Develop a National Policy Framework for enforcement and use of Standards and Quality Management Processes.

Strengthen the lab infrastructure for testing of electronic products and encouraging development of conformity assessment infrastructure by private participation.

Create awareness amongst consumers against sub-standard and spurious electronic products.

Build capacity within the Government and public sector for developing and mandating standards.

Actively participate in the international development of standards in the Electronic System Design and Manufacturing sector.

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

Under section 70B of the IT Act, India has established a Computer Emergency Response Team (CERT-In) to serve as the national agency for incident responses. The functions mandated to be performed by CERT-In as per the IT Act are:

Collection, analysis and dissemination of information on cyber incidents;
Forecasting and alerts of cyber security incidents;
Emergency measures for handling cyber security incidents;
Coordination of cyber incidents response activities;
Issuing ofe guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
Such other functions relating to cyber security as may be prescribed.

CERT-In also publishes information regarding various cyber threats on its websites so as to keep internet users aware of the latest threats in the online world. Such information can be accessed both on the main page of the CERT-In website or under the Advisories section on the website. [34]

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

There are no official or public reports of India using its CERT-In to harm the information systems of another state, although it is highly unlikely that any state would publicly acknowledge such activities even if it was indulging in them.

3. Conclusion

As can be seen from the discussion above, the statutory, regulatory and policy regime in India does seem to address most of the cyber security norms in some manner or the other, but these efforts almost always fall short of meeting some of the norms. While the Information Technology Act along with the Rules thereunder, as being the umbrella legislation for digital transactions in India, does address some of the issues mentioned above, it does not address some of the problems that arise out of a greater reliance on the internet such as spamming, trolling, and, online harassment, etc. Although some of these acts may be addressed by regular legislation by applying them in the online world however this does not always take into account the unique features and complexities of committing these acts/crimes in the online world.

In the area of exchange of information between states, India has entered into a number of MLATs and extradition treaties, and frequently issues Letters of Rogatory. Yet however these mechanisms may not be adequate to address the needs of crime prevention of crimes in the age of ICT, as crime prevention it often requires exchange of information inon r a real time basis which is not possible with the bureaucratic procedures involved in the MLAT process. There also needsd to be stronger standards which are applicable to ICT equipment, including imported equipment especially in light of the fact that security concerns related to Chinese ICT equipment that from China have been raised quite frequently in the past. There also needs to be a better system of reporting ICT vulnerabilities to CERT-In or other authorized agencies so that mitigation measure can be implemented in time.

It should be noted that the work of the Group of Experts is not complete since the General Assembly has asked the Secretary General to form a new Group of Experts which would report back to the Secretary General in 2017. It is imperative that the Government of India realise the importance of the work being done by the Group of Experts and take measures to ensure that a representative from India is included in or atleast the comments and concerns of India are included and addressed by the Group of Experts. Meanwhile, India can begin by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security. Brutent force solutions such as demands for back doors, unfair and unreasonable encryption regulation, and data localization requirements will not help propel India forward in international discussions, dialogues, or agreements on cross-border sharing of information. Though the recommendations from the Group of Experts are welcome, beyond a preliminary mention of privacy and freedom of expression, the rights of individuals - and the ways in which these can be protected, various components that go into supporting those rights including redress, transparency, and due process measures - was inadequately addressed.

[1] The terms "cyberspace" has been defined in the Oxford English Dictionary as the notional environment in which communication over computer networks occurs. Although the scope of this paper is not to discuss the meaning of this term, it was felt that a simple definition of the term would be useful to better define the parameters of the discussion.

[2] https://s3.amazonaws.com/unoda-web/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf

[3] https://www.justsecurity.org/29203/british-searches-america-tremendous-opportunity/

[4] http://deity.gov.in/content/country-wise-status

[5] Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bona fide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[6] http://deity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf

[7] List of the countries is available at http://cbi.nic.in/interpol/mlats.php

[8] https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society

[9] Peter Swire& Justin D. Hemmings, "Re-Engineering the Mutual Legal Assistance Treaty Process", http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx, cf. https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society .

[10] MLATS and International Cooperation for Law Enforcement Purposes, available at http://cis-india.org/internet-governance/blog/presentation-on-mlats.pdf

[11] The full list of the countries with which India has agreed an MLAT is available at http://cbi.nic.in/interpol/extradition.php

[12] http://cbi.nic.in/interpol/assist.php

[13] http://www.firstpost.com/india/how-the-police-tracked-and-arrested-im-founder-yasin-bhatkal-1071755.html

[14] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641

[15] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014

[16] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212

[17] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=14584

[18] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=26571

[19] http://dspace.judis.nic.in/bitstream/123456789/26592/1/36303.pdf

[20] AIR 1954 SC 300. In para 18 of the Judgment it was held: "A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction."

[21] AIR 1963 SC 1295. In para 20 of the judgment it was held: "… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III."

[22] (1975) 2 SCC 148.

[23] (1994) 6 SCC 632.

[24] (1997) 1 SCC 301.

[25] http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[26] http://cis-india.org/internet-governance/news/hindustan-times-august-20-2015-aloke-tikku-stats-from-2014-reveal-horror-of-scrapped-section-66-a-of-it-act

[27] http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf

[28] http://deity.gov.in/sites/upload_files/dit/files/S_O_18(E).pdf

[29]

[30] http://deity.gov.in/sites/upload_files/dit/files/GSR_19(E).pdf

[31] Rule 4 of the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.

[32] Since these Guidelines were not publicly released they are not available on any government website. In this paper we have relied on a version available on a private website at http://perry4law.org/cecsrdi/wp-content/uploads/2013/12/Guidelines-For-Protection-Of-National-Critical-Information-Infrastructure.pdf

[33] Available at http://www.cert-in.org.in/

[34] http://www.cert-in.org.in/

List of Acronyms

ICTs – Information Communication Technologies
GGE – Group of Experts
EU – European Union
DLC-ICT – India-Belarus Digital Learning Center
IT Act – Information Technology Act, 2000
UL - Unified License
DEITY – Department of Electronics and Information Technology
IT – Information Technology
ISO – International Organization for Standardisation
CERT – Computer Emergency Response Team
CERT-In - Computer Emergency Response Team, India
MLAT – Mutual Legal Assistance Treaty
CII – Critical Information Infrastructure
NCIIPC - National Critical Information Infrastructure Protection Centre
NTRO - National Technical Research Organisation
NPIT - National Policy on Information Technology
CISO - Chief Information Security Officer

For more details visit https://cis-india.org/internet-governance/blog/analysis-report-experts-information-telecommunications-security-implications-india

ICT Paper

praskrishna — 2016-07-30T10:46:47Z

For more details visit https://cis-india.org/internet-governance/files/ict-paper.pdf

USTR elaborates the Two Dozen Digital Rules of Club TPP

sinha — 2016-07-29T08:00:00Z

Members of the recently concluded Trans-Pacific Partnership (TPP) are now scrounging the world to include more countries in its fold. The Digital 2 Dozen(D2D) is a bite-sized document which packs the TPP into 24 key tenets. The D2D, aggressively championed by the US as the path forward for the global digital economy poses some critical questions for India: first, how will India position itself against US pressure in the larger scheme of US-India foreign relations, and how much is it willing to concede its policies in the name of trade; second, how will reduced barriers and establishment of a level field for Indian and foreign IT and internet companies alike, hurt Indian consumers and businesses? This week, the Deputy US Trade Representative Ambassador Robert Holleyman discussed the Digital 2 Dozen document with Ambassador Shyam Saran (Chairman, RIS). The exchange was moderated by Samir Saran (Observer Research Foundation). I attended the discussion and this post is a summary of the key points.

For a background on the data protection and privacy aspects of the Trans-Pacific Partnership agreement and Digital 2 Dozen principles, please read CIS' piece here.

Ambassador Robert Holleyman

Ambassador Holleyman opened with stating that trade agreements are created to build a foundation for national policies. He added that the D2D is not merely a tech D2D, rather it is based on the premise that our economies have digitised to a large extent, and hence, the TPP contains provisions on agriculture as well. The TPP tries to combat barriers to the growth of digital economy, and the D2D provides the most modern and the highest standard of such provisions. The D2D tenets can be divided into three categories:

1. Provisions to ensure the internet is open and safe, and an effective channel for trade and services.

2. Provisions to combat protectionist and restrictive provisions of member nations. The D2D talks about eliminating rules that seek to make foreign companies localise their data by building expensive data centers in every market they seek to serve. Further, TPP also seeks to prevent countries from 'forcing' foreign companies from transferring their technologies and production processes as a pre-condition for doing business there.

3. Provisions on IPRs to 'build a level playing field' in order to 'protect' innovators and creators in the digital space.

“ ...The TPP rules on enforcement of IPRs are strong and balanced and embody the TRIPs standards. For instance, countries are required to to impose criminal penalties on trade-secret violations such as cyberhacking.”

He added:

“We believe these rules are the foundation for next 20 years of the digital economy. To make sure that India does not fall behind we want to work with India (for the adoption of these rules). We're encouraged by the new government's programmes and the PM's engagement with US and silicon valley leaders.

We encourage India to level the playing field. To that end the USTR is working with the Indian Ministries of Communications and IT, and Commerce and Industry to exchange practices for building open markets. We want to work together in eliminating localisation policies given that how a lot of IT companies have established investment heavy R&D centers in India, and they rely heavily on the free flow of cross border data. Imposition of localisation of data would be detrimental in this age of cloud-computing. We're aware that the Indian government is reviewing its policies on cloud-computing and encryption, and we encourage the government to consider the implications of the such policies carefully, for India is also a leader in global IT and would be a potential framework setter at that.”

The D2D also endorses elimination of custom duties on ICT products, and the Ambassador added that the US was very pleased to see India deposit their instrument of accession on the Trade Facilitation Agreement with the WTO. The US has been pleased to see India's ratcheting up its norms for IPR protection. He mentioned that the two countries held a successful copyright workshop earlier this year, and later this year they plan to conduct a workshop on trade secret protection. The D2D also says that conformity assessment procedures are excessive and should be eliminated. This emerges from US' IT industries concerns on the compulsory registration of ICT products that required re-testing in Indian labs.

He made a case for opening up Indian markets by quoting a study which revealed that the Indian market for ICT products is worth 65bn dollars, while the global market stands at 2 trillion dollars. So while India could leverage its exports to meet the demand, the question remains if we want to foster a market based on openness. In his opinion, openness has enabled the IT sector in India to access other markets. However, he observed that countries were erecting barriers to this openness by restricting the cross-border free-flow of data, particularly and this is where the TPP assumes importance. The real challenge now is for the US and India to prepare their own version the the D2D.

On the route of D2D, the Ambassador was largely optimistic:

“The TPP has Obama's backing and the US Congress should ratify the deal before the elections. Other TPP members have already initiated steps to ratify the deal in their countries. For phase II, 13 non-member countries have already approached the US to be a part of TPP since the deal was concluded.”

Ambassador Shyam Saran

He began by stating that the India-US engagement on digital economy would become an area of close cooperation for US-India relationship. A few years ago the US pharma was unhappy with Indian generics, and this tussle left a bad taste between the countries, and also spilled over into the political side. Disagreements on several issues such as IPR, WTO subjects, etc still persist, despite some developments reflecting mutual trust and confidence (for instance the counter-terrorism initiative).

He welcomed potential cooperation in the digital field, because that would dispel the negativity and prevailing perception of India and US not being on the same page. The one area that has been a shaky pillar is the trade and economic relationship. In his frank opinion, the Indian establishment perceives USTR's outlook on trade issues as quite adversarial. He was mindful of a developing India's unique needs and priorities:

“In regard to the differences between India and US on trade and economic issues, it is not surprising because we must also be mindful of the reality- we are a developing country, wheras the US is highly developed and technologically advances - thus, we need different lenses for each. This is something we need to address, (remember how we acknowledged and fixed this in our defence relationship re the nuclear deal). The lesson that I draw is that here is an area critical to both countries' growth, and we need to address this differential aspect...”

According to him, right now India has an ambiguous position on the TPP. Holleyman had mentioned that the deal was based on an open platform, and Shyam pointed out that it was in fact conceived through closed door negotiations. It is common knowledge that rules at TPP were arrived at through complex negotiations between 13 countries, which surely was a process of complex give and takes. At this stage, it was not possible for India to look at one chapter and agree to meet the “gold standards” set in it.

According to him, D2D was important to the US solely in terms of trade benefits for its own businesses. He said that to convince the Indian government, the USTR will have to first convince the Indian IT industry the D2D benefits- which he was skeptical of. The reason was that this 'opportunity' comes across as a clear case of double-standards when the US talks about lowering barriers in India, and on the other hand is increasing barriers on its own shores (several pending bills in the US Congress indicate this). Similarly, immigration troubles for the Indian talent pool have only gone up. The other aspect he raised was on localisation and IPRs. He said that while stands on these issues were being formulated, it should also be expected that the government will take into account concerns of privacy and security. In the US itself, the US treasury has said in regard to banking and financial transactions localisation may be necessary.

He closed by offering an alternative route to the US – one of working with India as a partner in the Digital Economy instead of fixating on barriers and/or nitpicking on Indian legislations. This would be a more sustainable way to capitalise on India's growth potential and align with its digital future.

Samir Saran

Samir responded to the discussants by offering his thoughts (and questions) on D2D and the digital economy, broadly:

“...Can the digital space be a new space for a partnership? Three stories are important in the context of a trade document:
First is dominated by access – India is seeing 6 million new internet users every month and most of them are on low-cost mobile devices. Can a trading normative process allow to continue this phenomenon as it is?
Second is opportunity – India is already responding to investment flows. In terms of privacy and security – if India believes that it can become the digital infrastructure hub, it will need to develop world-class encryption tools. Similarly in terms of free-flow of information, when Obama and PM met they endorsed the same. So it is a step back from localisation, anyway. So you see India changing positions to make the atmosphere more business conducive.
Third is security – How can you make free-flow of data uni-directional? Why is it that you want data to flow unfettered when it creates value, but you are creating barriers for giving data for security purposes?...

...Further, in a phase when the mood worldwide is in favour of de-globalisation, will hyperglobalisation through FTAs work?...”

Finally, Holleyman acknowledged that historically India and US have had differences, but with the digital economy perhaps they can forge some approaches. He accepted that some of the points were written squarely for the US tech sector, but he hoped that the other 11 partners of the TPP will come out with what the D2D means to them.

For more details visit https://cis-india.org/a2k/blogs/ustr-elaborates-the-two-dozen-digital-rules-of-club-tpp

Letter to MPs on Concerns on Regional Comprehensive Economic Partnership

sinha — 2016-07-29T02:39:44Z

The Centre for Internet and Society sent a letter to Members of Parliament on July 27, 2016 to appeal to re-examine the Regional Comprehensive Economic Partnership (RCEP).

To,

The Hon’ble Chief Minister / Member of Parliament

We are writing to you to draw your attention to the concerns related to India’s engagement in the Regional Comprehensive Economic Partnership (RCEP), a mega-regional trade agreement (MRTA), currently under negotiation. We write as part of a forum on free trade agreements (FTAs), which is a network of over 80 civil society organisations and concerned individuals from across India. It came together in 2008 to analyse the impacts of India’s FTAs on people’s lives & livelihoods.

As you may know, RCEP is a FTA consisting of 10 ASEAN Countries plus Australia, New Zealand, South Korea, Japan, China and India. It is a comprehensive FTA dealing with not only tariff cuts but also a range of other issues such as investment, intellectual property rights, e-commerce, services, competition, etc. RCEP has far reaching implications on India’s future economic and social development. India is currently facing huge trade deficit with ASEAN, South Korea, Japan and China. RCEP is expected to worsen the huge trade deficit and damage India’s manufacturing sector.

Similarly, concerns are expressed in the field of intellectual property (IP). Many proposals by Japan and South Korea in the area of IP go well beyond our current national IP legislation, especially the Indian Patents Act 1970. Whereas, the Indian act permits only a narrow scope for patenting of software, the RCEP texts reveal disastrous proposals to hugely widen the scope, which, if accepted could compromise access to technologies in many critical areas. Likewise, Japanese & Korean negotiators' proposals run contrary to existing Indian copyright legislation. They mandate that all RCEP member countries to increase the term of copyright protection to 70 years from the year of the death of the author. The leaked chapters also envisage strong technological protection measures, without any limitations or exceptions for fair dealing use; creating new rights for making copies for temporary storage and blanket prohibition on re-transmission over the internet. All these changes would be extremely damaging to increasing access to knowledge in a developing country like India.

Further, the proposals also urge RCEP members to become members of another IP agreement on seeds – the UPOV Convention. Firstly, this would be ‘TRIPS-plus’, taking us beyond what WTO requires us to do in the area of seed. Secondly, it will mean going against the ‘farmer’s rights’ provisions in our national law – Protection of Plant Varieties & Farmers’ Rights Act (passed by Parliament in 2001 in compliance with WTO).

The leaked investment chapter shows that the proposals are going against India’s current position on investment treaties. India has developed a model BIPA text. India has also re-negotiating 57 of its 83 bilateral investment treaties (BITs) on the basis of its new model BIPA & to avoid one-sided approach to protecting investor’s interest. But demands being made in RCEP, may push us beyond our position on investments as well, for example, on the investor-state dispute mechanism.

The RCEP talks have picked up pace, hence the appeal to you to get involved.

Since 2013 RCEP negotiations have completed 13 rounds. The 14th round of negotiations is to take place in Vietnam on 15th of August. The Chief negotiators from each of the 16 countries are meeting 18-19th July in Jakarta, Indonesia. The upcoming RCEP Ministerial meeting on 5th August at Laos is expected set the new deadline for the conclusion of the negotiation.

However, there are no studies available in the public domain with regard to the implications of RCEP on India. In reply to an RTI query, Government denied existence of any cost and benefit analyses of RCEP. Similarly, there is no consultation with State governments with regard to RCEP and no texts are available in the public domain. Against this background we request you to take initiative:

to demand socio-economic assessment of RCEP on India’s development, especially on poor and marginalised populations, including implications for women & children

To ask for wider consultations on RCEP including consultations with state governments and ordinary people (such stakeholder consultations have already been held with industry bodies).
To make publicly available all the negotiating texts and institutionalise the process of making them open.
To ensure discussion on the cost and benefits of FTAs in general and RCEP in particular in both houses of the Parliament, including in the relevant Parliamentary Standing Committee.
To demand a while paper on India’s experience - costs and benefits, from FTAs with Japan, South Korea, Thailand, Malaysia and ASEAN.

Anticipating your kind attention on this urgent matter.

Thank you.

Yours truly,

Anubha Sinha
Centre for Internet & Society

For more details visit https://cis-india.org/a2k/blogs/letter-to-mps-on-concerns-on-regional-comprehensive-economic-partnership

Submitted Comments on the 'Government Open Data Use License - India'

sinha — 2016-07-26T09:23:48Z

The public consultation process of the draft open data license to be used by Government of India has ended yesterday. Here we share the text of the submission by CIS. It was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay.

The following comments on the 'Government Open Data Use License - India' was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay, and submitted through the MyGov portal on July 25, 2016. The original submission can be found here.

I. Preliminary

This submission presents comments by the Centre for Internet and Society (“CIS”) [1] on the draft Government Open Data Use License - India (“the draft licence”) [2] by the Department of Legal Affairs.
This submission is based on the draft licence released on the MyGov portal on June 27, 2016 [3].
CIS commends the Department of Ministry of Law and Justice, Government of India for its efforts at seeking inputs from various stakeholders prior to finalising its open data licence. CIS is thankful for the opportunity to have been a part of the discussion during the framing of the licence; and to provide this submission, in furtherance of the feedback process continuing from the draft licence.

II. Overview

The Centre for Internet and Society is a non-governmental organisation engaged in research and policy work in the areas of, inter alia, access to knowledge and openness. This clause-by-clause submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. Accordingly, the comments in this submission aim to further these principles and are limited to those clauses that most directly have an impact on them.

III. Comments and Recommendations

Name of the Licence: CIS recommends naming the licence “Open Data Licence - India” to reflect the nomenclature already established for similar licences in other nations like the UK and Canada. More importantly, the inclusion of the word ‘use’ in the original name “Government Open Data Use License” is misleading, since the licence permits use, sharing, modification and redistribution of open data.
Change Language on Permissible Use of Data: The draft licence uses the terms “Access, use, adapt, and redistribute,” which are used in UNESCO’s definition of open educational resources, whereas, under the Indian Copyright Act [4], it should cover “reproduction, issuing of copies,” etc. To resolve this difference, we suggest the following language be used: “Subject to the provisions of section 7, all users are provided a worldwide, royalty-free, non-exclusive licence to all rights covered by copyright and allied rights, for the duration of existence of such copyright and allied rights over the data or information.”
Add Section on the Scope of Applicability of the Licence: It will be useful to inform the user of the licence on its applicability. The section may be drafted as: “This licence is meant for public use, and especially by all Ministries, Departments, Organizations, Agencies, and autonomous bodies of Government of India, when publicly disclosing, either proactively or reactively, data and information created, generated, collected, and managed using public funds provided by Government of India directly or through authorized agencies.”
Add Sub-Clause Specifying that the Licence is Agnostic of Mode of Access: As part of the section 4 of the draft licence, titled ‘Terms and Conditions of Use of Data,’ a sub-clause should be added that specifies that users may enjoy all the freedom granted under this licence irrespective of their preferred mode of access of the data concerned, say manually downloaded from the website, automatically accessed via an API, collected from a third party involved in re-sharing of this data, accessed in physical/printed form, etc.
Add Sub-Clause on Non-Repudiability and Integrity of the Published Data: To complement the sub-clause 6.e. that notes that data published under this licence should be published permanently and with appropriate versioning (in case of the published data being updated and/or modified), another sub-clause should be added that states that non-repudiability and integrity of published data must be ensured through application of real/digital signature, as applicable, and checksum, as applicable. This is to ensure that an user who has obtained the data, either in physical or digital form, can effectively identify and verify the the agency that has published the data, and if any parts of the data have been lost/modified in the process of distribution and/or transmission (through technological corruption of data, or otherwise).
Combine Section 6 on Exemptions and Section 7 on Termination: Given that the licence cannot reasonably proscribe access to data that has already been published online, it is suggested that it would be better to simply terminate the application of the licence to that data or information that ought not to have been published for grounds provided under section 8 of the RTI Act, or have been inadvertently published. It should also be noted that section 8 of the RTI Act cannot be “violated” (as stated in Section 6.g. of the draft licence), since it only provides permission for the public authority to withhold information, and does not impose an obligation on them (or anyone else) to do so. The combined clause can read: “Upon determination by the data provider that specific data or information should not have been publicly disclosed for the grounds provided under Section 8 of the Right to Information Act, 2005, the data provider may terminate the applicability of the licence for that data or information, and this termination will have the effect of revocation of all rights provided under Section 3 of this licence.”
It will be our pleasure to discuss these submissions with the Department of Legal Affairs in greater detail, supplement these with further submissions if necessary, and offer any other assistance towards the efforts at developing a national open data licence.

[1] See: http://cis-india.org/.

[2] See: https://www.mygov.in/sites/default/files/mygov_1466767582190667.pdf.

[3] See: https://www.mygov.in/group-issue/public-consultation-government-open-data-use-license-india/.

[4] See: http://www.copyright.gov.in/Documents/CopyrightRules1957.pdf.

For more details visit https://cis-india.org/openness/submitted-comments-on-the-government-open-data-use-license-india