Centre for Internet and Society

Net Neutrality and the Law of Common Carriage

bhairav — 2015-08-23T11:06:26Z

For more details visit https://cis-india.org/internet-governance/blog/net-neutrality-law-of-common-carriage.pdf

'We Need to Proactively Ensure that People Can't File Patents Representative of the Creativity of a FOSS Community'

rohini — 2015-09-27T11:51:50Z

Rohini Lakshané attended “Open Innovation, Entrepreneurship, and Our Digital Culture” in Bangalore on August 13, 2015. Major takeaways from the event are documented in this post.

Speakers: Prof. Eben Moglen, Keith Bergelt, and Mishi Choudhary; Panel discussion moderator: Venkatesh Hariharan. See the event page here. The organizers republished Rohini's report on their website.

Prof. Eben Moglen on FOSS and entrepreneurship

The culture of business in the 21^st century needs open source software or free software because there is one Internet governed by one set of rules, protocols and APIs that make it possible for us to interact with each another. The Internet made everybody interdependent on everybody else. Startup culture needs free and open source software (FOSS) because startups are an insurgency, a guerrilla activity in business. The incumbents in a capitalistic world dislikes competition and detests that existing resources, such as FOSS, enable insurgents to circumvent some of the steep curve that they had to climb in order to become incumbents.
Hardware is developing in ways that make the idea of proprietary development of software obsolete. There is no large producer of proprietary software that isn't also dependent on FOSS. Microsoft Cloud is based on deployments that do not use Windows but are based on FOSS. The era of Android as a semi-closed, semi-proprietary form of FOSS is over. Big and small companies around the world are exploiting the open source nature of Android.
Free software is a renewable resource not a commodity. Management is needed to avoid over-consumption or destruction of the FOSS ecosystem. Software is to the 21^st century economic life what coal, steel, and rare earth metals were at the end of the previous century.
FOSS turned out to be about developing human brains. It turned out to be about using human intelligence in software better. Earlier universities, engineering colleges and research institutions were the greatest manufacturers and users of FOSS. Now businesses of all sizes are.
When Richard Stallman and Prof. Eben Moglen set out to make GPL free, they initiated a large public discussion process, the primary goal of which was to ensure that individual developers have as much right to talk and to be heard as loudly as the largest firms in the world. At the end of the negotiation process, 35 or 36 of the largest patent holders in the IT industry accepted the basic agreement to be a part of the commons. --- Incumbents like people to pay for a seat at the table. Paying to have an opinion is a pretty serious part of the landscape of the patent system.

Prof. Eben Moglen on Digital India

Every e-governance project that the Indian government buys should use FOSS. The very nature of the way the citizens and governments interact can come to be mediated by software that people can read, understand, modify, and improve. An enormous ecosystem will come up -- a kind of public–private partnership (PPP) in the improvement of governance and government services, which is far more useful than most other forms of PPP conceptualised in the developed world in the 20^th century.
Everybody has a stake in the success of this policy. Several corporations are working against this policy as they once stated that they do not need FOSS.
The biggest market for both making and consuming software in the world is in India, because the science done here will dominate global software making, which in turn will define how the Internet works, which in turn will define society. One can't develop the largest society on earth by reinventing the wheel. The government is going to understand that only the sharing of knowledge and the sharing of forms of inventing would enable the largest society in the world to develop itself freely and take its place in the forefront of digital humanity.
If every state government's data centre across India is going to be turned into a cloud, one state might have VMWare, another might have AWS, and so on, it would be disastrous. To prevent this, all e-governance activities of every state government and federal agency in India could be conducted in one, big, homogeneous Indian cloud. This would enable utility computing across the country for all citizens, which would also make room for citizen computing to happen. When one moves towards architectures of omnipresent utility computing with large amounts of memory flatly available to everybody, one is going to be describing a national computing environment for a billion people. We can't even begin to model it until we start accomplishing it.
Prof. Eben Moglen's ambition is that there comes a time not very long from now when basic data science is taught in Indian secondary schools. The software is free and all the big data sets are public. A nation of a 100 million data scientists rules the world.

Keith Bergelt on the Open Invention Network

Over the past 10 years, Open Invention Network (OIN) has emerged as the largest patent non-aggression community in the history of technology. It has around 1,700 participants and is adding almost 2 participants every day. In the last quarter, OIN had approximately 200 licensees.
There is now a cultural transformation where companies are recognising that where OIN members collaborate, they shouldn't use patents to stop or slow down progress. Where members compete, they choose to invent while utilising defensive patents publications. What we are doing is a patent collaboration and a technical collaboration that exists in major projects around the world.
OIN has been making a major effort since January 2015 to spend more time in India and China to be able to ensure that the technological might and expertise represented in the two countries can be a part of the global community, and that global projects can start here. “We can expect to leverage the expertise of the community to be able to drive innovation from here [India and China]. It's not about IBM investing a billion dollars a year since 1999 and having some birthright to driving the open source initiatives around the world or about Google or Red Hat or anyone else. You have the ability to impact major changes and we want to be able to support you in the name of freedom of action as participants.”

Panel Discussion

Patent Wars and Innovation

In the past 5 to 7 years, patent wars in the handset segment of the information technology (IT) market have wasted tens of billions of dollars on litigation, and on raising the price of patent armaments. This patent litigation was purely an economic loss to the IT industry and it contributed nothing. If the patent system strangles invention, non-profit groups, non-commercial bodies, free software makers, and start-ups cannot invent freely.
Defensive patent publications, such as those made by IBM, lead to the gross underestimation of the inventive power and output of the company. People are struggling to find something to evaluate the productive output of an entity – startup, micro-industry or macro-industry. Patents are being used inappropriately and it's part of the corruption of the patent system. Any venture capitalist (VC) who believes that either the innovative capacities or the potential success factors of a start-up are tied to its patents should know that there are only a minuscule number of cases where patents are the differentiator. The differentiators required in order to sustain business are how smart the people are, how quickly they innovate, and how quickly they are able to adapt to complex situations. We see a trend in the US of not equating patents with innovation. The core-developer and hacker communities are largely anti-patent.
However, the flip side is that if the FOSS communities do not patent defensively, i.e., acquire and publish patents for their inventions in order to prevent others from getting patents in one jurisdiction or another, patent trolls will eventually encroach on the communities' inventive output. The only people making money out of this whole process are lawyers. It is slowing down the uptake of technology by creating fears and doubts in the system.
FOSS communities didn't qualify everything produced in the 23 years of (Linus') Linux, which would have let the service serve as stable prior art, preventing other people from filing patents. We can debate what is patentable subject matter in general or whether software should be patentable, but in the meantime if we can be proactive and file everything that we have in defensive publications and make it accessible to the patent and trademark offices here and around the world, we will have far fewer patents. We need to be activists in making sure that people can't file patents that are representative of the creativity of a community.
The Chinese government has instituted a programme designed to produce defensive publications in order to capture all the inventiveness across their industries, to be able to ensure that the quality of what ultimately gets patented is at least as high.
The US has a massive repository called ip.com, which is with every patent examiner of the USPTO.
India does not grant software patents as per section 3(k) of the Indian Patents Act, but that doesn't mean that no software patents are being granted. One of the empirical studies conducted by the Software Freedom Law Centre (SFLC) in India shows that 98.3% of the [telecom and computing technology] patents granted till 2013 went to multinational corporations. Almost none of the assignees are Indian.
In the context of the ongoing patent infringement law suits filed in the Delhi High Court by Ericsson [link]: The Delhi High Court has had a reputation of being very pro-intellectual property from the beginning.
Also, there is pressure from trade organisations. In August 2015, Ericsson along with ASSOCHAM invited the Director General of the Competition Commission of India to present a paper about why patents are good. It is essential to determine how the rules of conflict of interest apply here. This is exactly what the pharmaceutical industry would do. The only bodies who would object are Doctors Without Borders (MSF) or some local organisations who realise that high priced patented drugs is not what India needs and that we do not need to have the same IP policy as the US or Japan. We only need a different policy.
The Special 301 Report of the United States Trade Representative (USTR) is a big sham, and it suggests that India doesn't have strict enforcement of IP law. India does, unlike China.
Accenture has been granted a software patent in India. The patent is about an expert present in a remote location transferring knowledge to somebody who is listening in another location. Universities offering MOOCs, BPOs, and many other services would fall under such a patent. SFLC spent four years trying to fight this patent. The first defence of Accenture's battery of lawyers was that they won't use the patent.
Patents of very low quality are being bought at very high prices. The tax system or the subsidy system for innovation regards all patents as equal. This is a pricing failure and that should be corrected by other forms of intervention. The pendulum has already begun to swing the other way. Alice Corp was the third consecutive and unanimous ruling by the US Supreme Court that abstract ideas are not patentable. Patent applications pertaining to business methods and algorithms are increasingly being rejected by the USPTO after the ruling.

Prof. Eben Moglen on Facebook:

Facebook is a badly designed technology because there is one Man in the Middle who keeps all the logs. The privacy problem with Facebook is not just about what people post. It's about surveillance and data mining of web reading behaviour. It is a social danger that ought not to exist. I have said since 2010 is that we can't forbid it; let's replace it. It means bringing the web back as a writeable medium for people in an easy way. What I see as next-generation architecture could just as well be described as Tim Burners Lee's previous generation architecture.

You have to be able to trust the Internet. If you can't, you are going to be living in the shadow of govt surveillance, corporate surveillance, the fear of identity theft, and so on. We need to be able to explain to people what kind of software they can trust and what kind they can't. Distributed social networking will happen; it's not that difficult a problem.

An example of federated networking is Freedombox, a cheap hardware doing router jobs using free software in ways that encourage privacy. The pilot project for Freedombox has been deployed in little villages in Andhra Pradesh and Karnataka. These routers don't deliver logs to a thug in a hoodie in Menlo Park.

For more details visit https://cis-india.org/a2k/blogs/we-need-to-proactively-ensure-that-people-cant-file-representatives-of-the-creativity-of-a-foss-community

Civil Society Organisations and Internet Governance in India - Open Review

sumandro — 2015-11-13T05:51:03Z

This is a book section written for the third volume (2000-2010) of the Asia Internet History series edited by Prof. Kilnam Chon. The pre-publication text of the section is being shared here to invite suggestions for addition and modification. Please share your comments via email sent to raw[at]cis-india[dot]org with 'Civil Society Organisations and Internet Governance in India - Comments' as the subject line. This text is published under Creative Commons Attribution-NoDerivatives 4.0 International license.

You are most welcome to read the pre-publication drafts of other sections of the Asia Internet History Vol. 3, and share your comments: https://sites.google.com/site/internethistoryasia/book3.

Early Days

The overarching context of development interventions and rights-based approaches have shaped the space of civil society organizations working on the topics of information and communication technologies (ICTs) and Internet governance in India. Early members of this space came from diverse backgrounds. Satish Babu was working with the South Indian Federation of Fishermen Societies (SIFFS) in mid-1990s, when he set up a public mailing list called 'FishNet,' connected to Internet via the IndiaLink email network, (then) run by India Social Institute to inter-connect development practitioners in India. He went on to become the President of Computer Society of India during 2012-2013; and co-founded Society for Promotion of Alternative Computing and Employment (SPACE) in 2003, where he served as the Executive Secretary during 2003-2010 [Wikipedia 2015]. Anita Gurumurthy, Executive Director of IT for Change and one of the key actors from Indian civil society organizations to take part in the World Summit on the Information Society (WSIS) process, had previously worked extensively on topics related to public health and women's rights [ITfC b], which deeply shaped the perspectives she and IT for Change have brought into the Internet governance sphere, globally as well as nationally [Gurumurthy 2001]. Arun Mehta initiated a mailing list titled 'India-GII' in 2002 to discuss 'India's bumpy progress on the global infohighway' [India-GII 2005]. This list played a critical role in curating an early community of non-governmental actors interested in the topics of telecommunication policy, spectrum licensing, Internet governance, and consumer and communication rights. As Frederick Noronha documents, the mailing list culture grew slowly in India during the late 1990s and early 2000s. However, they had a great impact in organizing early online communities, sometimes grouped around a topical focus, sometimes functioning as a bridge among family members living abroad, and sometimes curating place-specific groups [Noronha 2002].

The inaugural conference of the Free Software Foundation of India [FSFI] in Thiruvananthapuram, on 20 July 2001, galvanized the Free/Libre and Open Source Software (FLOSS) community in India. The conference was titled 'Freedom First,' and Richard Stallman was invited as the chief guest. It was a vital gathering of actors from civil society organizations, software businesses, academia, and media, as well as the Secretary of the Department of Information Technology, Government of Kerala (the state where the conference was held). The conference laid the basis for sustained collaborations between the free software community, civil society organizations, emerging software firms in the state, and the Government of Kerala for the years to come. Two early initiatives that brought together free software developers and state government agencies were the Kerala Trasportation Project and the IT@School project, which not only were awarded to firms promoting use of FLOSS in electronic governance project, but facilitated a wider public dialogue regarding the need think critically about the making of information society in India [Kumar 2007]. The inter-connected communities and overlapping practices of the FLOSS groups, civil society organizations involved in ICT for Development initiatives, telecommunication policy analysts and advocates, and legal-administrative concerns regarding life in the information society – from digital security and privacy, to freedom of online expressions, to transparency in electronic governance infrastructures – have, hence, continued to shape the civil society space in India studying, discussing, responding, and co-shaping policies and practices around governance of Internet in India.

Key Organizations

IT for Change was established in 2000, in Bengaluru, as a non-governmental organization that 'works for the innovative and effective use of information and communication technologies (ICTs) to promote socio-economic change in the global South, from an equity, social justice and gender equality point of view' [ITfC]. It has since made important contributions in the field of ICTs for Development, especially in integrating earlier communication rights practices organised around old media forms with newer possibilities of production and distribution of electronic content using digital media and Internet [ITfC e], and in that of Internet governance, especially through their participation in the WSIS and Internet Governance Forum (IGF) processes and by co-shaping the global Souther discourse of the subject [ITfC d]. It has also done significant works in the area of women's rights in the information society, and have been a core partner in a multi-country feminist action research project on using digital media to enhance the citizenship rights and experiences of marginalized women in India, Brazil, and South Africa [ITfC c]. IT for Change has co-led the formation of Just Net Coalition in February 2014 [JNC].

Digital Empowerment Foundation (DEF) was founded by Osama Manzar, in New Delhi in 2002, with a 'deep understanding that marginalised communities living in socio-economic backwardness and information poverty can be empowered to improve their lives almost on their own, simply by providing them access to information and knowledge using digital tools' [DEF c]. DEF has contributed to setting up Community Information Resource Centres across 19 states and 53 districts in India, with computers, printers, scanners, and Internet connectivity [DEF]. DEF organises one of the biggest competitions in Asia to identify, foreground, and honour significant contributions in the area of ICT for Development [DEF d]. This annual competition series, titled 'Manthan Award' (Translation: 'manthan' means 'churning' in Sanskrit), started in 2004. It has alllowed DEF to create a detailed database of ICT for Development activities and actors in the South Asia and Asia Pacific region. Since 2011, DEF has started working with Association for Progressive Communications on a project titled 'Internet Rights' to take forward the agenda of 'internet access for all' in India [DEF b].

The Society for Knowledge Commons was formed in New Delhi 2007 by 'scientists, technologists, researchers, and activists to leverage the tremendous potential of the ‘collaborative innovation’ model for knowledge generation that has lead to the growth of the Free and Open Source Software community (FOSS) around the world' [Society for Knowledge Commons]. It has championed integration of FOSS into public sector operations in India – from electronic governance systems to use of softwares in educational institutes – and has made continuous interventions on Internet governance issues from the perspective of the critical importance of shared knowledge properties and practices for a more democratic information society. It is a part of the Free Software Movement of India [FSMI], an alliance of Indian organizations involved in advocating awareness and usage of FOSS, as well as a founding member of the Just Net Coalition [JNC].

The Centre for Internet and Society (CIS) was established in Bengaluru in 2008 with a research and advocacy focus on topics of accessibility of digital content for differently-abled persons, FOSS and policies on intellectual property rights, open knowledge and Indic Wikipedia projects, digital security and privacy, freedom of expression and Internet governance, and socio-cultural and historical studies of Internet in India [CIS]. In one of the key early projects, CIS contributed to the making of web accessibility policy for government websites in India, which was being drafted by the Department of Information Technology, Government of India [CIS 2008]. In the following years it took part in the Internet Governance Forum summits; submitted responses and suggestions to various policies being introduced by the government, especially the Information Technology (Amendment) Act, 2008, National Identification Authority of India (NIA) Bill, 2010, and the Approach Paper for a Legislation on Privacy, 2010; produced a report on the state of open government data in India [Prakash 2011b], and undertook an extensive study on the experiences of the young people in Asia with Internet, digital media, and social change [Shah 2011].

Software Freedom Law Centre has undertaken research and advocacy interventions, since 2011, in the topics digital privacy, software patents, and cyber-surveillance [SFLC]. The Internet Democracy Project, an initiative of Point of View, has organised online and offline discussions, participated in global summits, and produced reports on the topics of freedom of expression, cyber security and human rights, and global Internet governance architecture since 2012 [IDP].

The first Internet Society chapter to be established in India was in Delhi. The chapter began in 2002, but went through a period of no activity before being revived in 2008 [Delhi]. The Chennai chapter started in 2007 [Chennai], the Kolkata one in 2009 [Kolkata], and the Bengaluru chapter came into existence in 2010 [Bangalore]. Asia Internet Symposium have been organised in India twice: 1) the Kolkata one, held on on 1 December 2014, focused on 'Internet and Human Rights: Empowering the Users,' and 2) the Chennai symposium, held on 2 December 2014, discussed 'India in the Open and Global Internet.' The newest Internet Society chapter in India is in the process of formation in Trivandrum [Trivandrum], led by the efforts of Satish Babu (mentioned above).

Global and National Events

The first World Summit on the Information Society (WSIS) conference in Geneva, held on 10-12 December 2003, was not attended by many civil society organizations from India. Several Indian participants in the conference were part of the team of representatives from different global civil society organizations, like Digital Partners, Development Alternatives with Women for a New Era (DAWN), and International Centre for New Media [ITU 2003]. Between the first and the second conference, the engagement with the WSIS process increased among Indian civil society organizations increased of the WSIS process, which was especially led by IT for Change. In early 2005, before the second Preparatory Committee meeting of the Tunis conference, it organized a discussion event titled 'Gender Perspectives on the Information Society: South Asia Pre-WSIS Seminar' in partnership with DAWN and the Indian Institute of Management, Bangalore, which was supported by UNIFEM and the UNDP Asia-Pacific Development Information Programme [Gurumurthy 2006]. In a separate note, Anita Gurumurthy and Parminder Jeet Singh of IT for Change have noted their experience as a South Asian civil society organization engaging with the WSIS process [Gurumurthy 2005]. The second WSIS conference in Tunis, held on 16-18 November 2005, however, neither saw any significant participation from Indian civil society organizations, except for Ambedkar Centre for Justice and Peace, Childline India Foundation / Child Helpline International, and IT for Change [ITU 2005]. This contrasted sharply with the over 60 delegates from various Indian government agencies taking part in the conference [ITU 2005].

Two important events took place in India in early 2005 that substantially contributed to the civil society discourses in India around information technology and its socio-legal implications and possibilities. The former is the conference titled 'Contested Commons, Trespassing Publics' organized by the Sarai programme at the Centre for the Study of Developing Societies, Alternative Law Forum, and Public Service Broadcasting Trust, in Delhi on 6-8 January 2005. The conference attempted to look into the terms of intellectual property rights (IPR) debates from the perspectives of experiences in countries in Asia, Latin America, and Africa. It was based on the research carried out by the Sarai programme and Alternative Law Forum on contemporary realities of media production and distribution, and the ways in which law and legal instruments enter into the most intimate spheres of social and cultural life to operationalise the IPRs. The conference combined academic discussions with parallel demonstrations by media practitioners, and knowledge sharing by FLOSS communities [Sarai 2005]. The latter event is the first of the Asia Source workshop that took place in Bengaluru during 28 January - 4 February 2005 . It brought together more than 100 representatives from South and South-East Asian civil society organizations and technology practitioners working with them, along with several leading practitioners from Africa, Europe, North America, and Latin America, to promote adoption and usage of FLOSS across the developmental sector in the region. The workshop was organized by Mahiti (Bengaluru) and Tactical Technology Collective (Amsterdam), with intellectual and practical support from an advisory group of representatives from FLOSS communities and civil society organizations, and financial support from Hivos, the Open Society Institute, and International Open Source Network [Asia Source].

While the participation of representatives from Indian civil society organizations at the IGFs in Athens (2006) and Rio de Janeiro (2007) was minimal, the IGF Hyderabad, held on 3-6 December 2008, provided a great opportunity for Indian civil society actors to participate in and familiarize themselves with the global Internet governance process. Apart from various professionals, especially lawyers, who attended the Hyderabad conference as individuals, the leading civil society organizations participating in the event included: Ambedkar Center for Justice and Peace, Centre for Internet and Society, Centre for Science, Development and Media Studies, Digital Empowerment Foundation, Internet Society Chennai chapter, IT for Change, and Mahiti. The non-governmental participants from India at the event, however, were predominantly from private companies and academic institutes [IGF 2008].

IT for Change made a critical intervention into the discourse of global Internet governance during the Hyderabad conference by bringing back the term 'enhanced cooperation,' as mentioned in the Tunis Agenda for the Information Society [ITU 2005 b]. At IGF Sharm El Sheikh, held during 15-18 November 2009, Parminder Jeet Singh of IT for Change explained:

[E]nhanced cooperation consists of two parts. One part is dedicated to creating globally applicable policy principles, and there is an injunction to the relevant organizations to create the conditions for doing that. And I have a feeling that the two parts of that process have been conflated into one. And getting reports from the relevant organizations is going on, but we are not able to go forward to create a process which addresses the primary purpose of enhanced cooperation, which was to create globally applicable public policy principles and the proof of that is that I don't see any development of globally applicable public policy principles, which remains a very important need. [IGF 2009]

This foregrounding of the principle of 'enhanced cooperation' have since substantially contributed to rethinking not only the global Internet governance mechanisms and its reconfigurations, but also the Indian government's perspectives towards the same. It eventually led to the proposal made by a representative of Government of India at the UN General Assembly session on 26 October 2011 regarding the establishment of a UN Committee for Internet-Related Policies [Singh 2011].

Internet Policies and Censorship

One of the earliest instances of censorship of online content in India is the blocking of several websites offering Voice over IP (VoIP) softwares, which can be downloaded to make low-cost international calls, during late 1990s. The India-GII mailing list initiated by Arun Mehta, as mentioned above, started almost as a response to this blocking move by Videsh Sanchar Nigam Limited (VSNL), the government-owned Internet Service Provider (ISP). Additionally, Mehta filed a case against VSNL for blocking these e-commerce websites, which might be identified as the first case of legal activism for Internet-related rights in India [India-GII 2001]. During the war between India and Pakistan during 1999, the Indian government instructed VSNL to block various Pakistani media websites, including that of Dawn. Like in the case of websites offering VoIP services, this blocking did not involve direct intervention with the websites concerned but only the ability of Indian users to access them [Tanna 2004]. The first well-known case of the Government of India blocking digital content for political reasons occurred in 2003, when a mailing list titled 'Kynhun' was banned. Department of Telecommunications instructed all the But the previously deployed URL-blocking strategy did not work in the new situation of mailing lists. Blocking the URL of the group did not stop it from being used by members of the group to continue sharing email through it. Government of India then approached Yahoo directly to ensure that the mailing list is closed down, which Yahoo declined to implement. This resulted in imposing of a blanket blocking of all Yahoo Groups pages across ISPs in India during September 2003. By November, Yahoo decided to close down the mailing list, and the blanket blocking was repealed [Tanna 2004]. Further blocking of several blogs and websites continued through 2006 and 2007, where the government decided to work in collaboration with various platforms offering hosted blog and personal webpage services to remove access to specific sub-domains. In resistance to this series of blocking orders by the government, there emerged an important civil society campaign titled 'Bloggers Against Censorship' led by Bloggers Collective Group, a distributed network of bloggers from all across India [Bloggers 2006].

A few weeks after the IGF Hyderabad, the Government of India passed the Information Technology (Amendment) Act 2008 on 22 December 2008 [MoLaJ 2009], although it was notified and enforced much later on 27 October 2009 [MoCaIT 2009]. This amendment attempted to clarify various topics left under-defined in the Information Technology Act of 2000. However, as Pranesh Prakash of the Centre for Internet and Society noted, the casual usage of the term 'offensive content' in the amendment opened up serious threats of broad curbing of freedom of online expression under the justification that it caused 'annoyance' or 'inconvenience' [Prakash 2009]. The sections 66 and 67 of the amended Information Technology Act, which respectively address limits to online freedom of expression and legally acceptable monitoring of digital communication by government agencies, have since been severely protested against by civil society organizations across India for enabling a broad-brushed censorship and surveillance of the Internet in India. The section 66A has especially allowed the government to make a series of arrests of Internet users for posting and sharing 'offensive content' [Pahwa 2015].

In 2011, the Government of India introduced another critical piece of policy instrument for controlling online expressions – the Information Technology (Intermediary Guidelines) Rules, 2011 [MoCaIT 2011] – targeted at defining the functions of the intermediaries associated with Internet-related services and communication, and how they are to respond to government's directives towards taking down and temporary blocking of digital content. The draft Rules were published in early 2011 and comments were invited from the general public. One of the responses, submitted by Privacy India and the Centre for Internet and Society, explicitly highlighted the draconian implications of the (then) proposed rules:

This rule requires an intermediary to immediately take steps to remove access to information merely upon receiving a written request from “any authority mandated under the law”. Thus, for example, any authority can easily immunize itself from criticism on the internet by simply sending a written notice to the intermediary concerned. This is directly contrary to, and completely subverts the legislative intent expressed in Section 69B which lays down an elaborate procedure to be followed before any information can be lawfully blocked. [Prakash 2011]

The policy apparatus of controlling online expression in India took its full form by the beginning of the decade under study here. The 'chilling effect' of this apparatus was made insightfully evident by a study conducted by Rishabh Dara at the Centre for Internet and Society, where fake takedown notices (regarding existing digital content) were sent to 7 important Internet intermediaries operating in India, and their responses were studied. The results of this experiment demonstrated that:

[T]he Rules create uncertainty in the criteria and procedure for administering the takedown thereby inducing the intermediaries to err on the side of caution and over-comply with takedown notices in order to limit their liability; and as a result suppress legitimate expressions. Additionally, the Rules do not establish sufficient safeguards to prevent misuse and abuse of the takedown process to suppress legitimate expressions. [Dara 2012]

Reference

[Bloggers 2006] Bloggers Collective Group, Bloggers Against Censorship. Last updated on April 30, 2009‎. Accessed on July 08, 2015, from http://censorship.wikia.com/wiki/Bloggers_Against_Censorship.

[Dara 2012] Dara, Rishabh, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet. The Centre for Internet and Society. April 27. Accessed on July 08, 2015, from http://cis-india.org/internet-governance/chilling-effects-on-free-expression-on-internet.

[DEF] Digital Empowerment Foundation (DEF). Community Information Resource Centre. Accessed on July 08, 2015, from http://defindia.org/circ-2/.

[DEF b] Digital Empowerment Foundation (DEF). Internet Rights. Accessed on July 08, 2015, from http://internetrights.in/.

[DEF c] Digital Empowerment Foundation (DEF). Our Story. Accessed on July 08, 2015, from http://defindia.org/about-def/.

[DEF d] Digital Empowerment Foundation (DEF). Manthan Awards. Accessed on July 08, 2015, from http://defindia.org/manthan-award-south-asia-masa/.

[FSFI] Free Software Foundation of India. Accessed on July 08, 2015, from http://fsf.org.in/.

[FSMI] Free Software Movement of India. Accessed on July 08, 2015, from http://www.fsmi.in/node.

[Gurumurthy 2001] Gurumurthy, Anita, A Gender Perspective to ICTs and Development: Reflections towards Tunis. January 15. Accessed on July 08, 2015, from http://www.worldsummit2003.de/en/web/701.htm.

[Gurumurthy 2005] Gurumurthy, Anita, and Parminder Jeet Singh, WSIS PrepCom 2: A South Asian Perspective. Association for Progressive Communications. April 01. Accessed on July 08, 2015, from https://www.apc.org/en/news/hr/world/wsis-prepcom-2-south-asian-perspective.

[Gurumurthy 2006] Gurumuthy, Anita et al (eds.), Gender in the Information Society: Emerging Issues. UNDP Asia-Pacific Development Information Programme. Accessed on July 08, 2015, from http://www.genderit.org/sites/default/upload/GenderIS.pdf.

[India-GII 2001] India-GII, Status of VSNL Censorship of IP-Telephony Sites. Accessed on July 08, 2015, from http://members.tripod.com/~india_gii/statusof.htm.

[India-GII 2005] India-GII. 2005. Last modified on May 24. Accessed on July 08, 2015, from http://india-gii.org/.

[IDP] Internet Democracy Project. Accessed on July 08, 2015, from http://internetdemocracy.in/.

[ITU 2003] International Telecommunication Union (ITU), Geneva Phase of the WSIS: List of Participants. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/geneva/summit_participants.pdf.

[ITU 2005] International Telecommunication Union (ITU), List of Participants (WSIS) – Update 5 Dec 2005. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs2/tunis/final-list-participants.pdf.

[ITU 2005 b] International Telecommunication Union (ITU), Tunis Agenda for the Information Society. November 18. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs2/tunis/off/6rev1.pdf.

[IGF 2008] Internet Governance Forum, Hyderabad Provisional List of Participants. Accessed on July 08, 2015, from http://www.intgovforum.org/cms/index.php/component/content/article/385-hyderabad-provisional-list-of-participants.

[IGF 2009] Internet Governance Forum, Managing Critical Resources. IGF Sharm El Sheikh, Egypt . November 16. Accessed on July 08, 2015, from http://www.intgovforum.org/cms/2009/sharm_el_Sheikh/Transcripts/Sharm%20El%20Sheikh%2016%20November%202009%20Managing%20Critical%20Internet%20Resources.pdf.

[Bangalore] Internet Society Bangalore Chapter. Accessed on July 08, 2015, from http://www.isocbangalore.org/.

[Delhi] Internet Society Delhi Chapter. Accessed on July 08, 2015, from http://www.isocbangalore.org.

[Chennai] Internet Society Chennai Chapter. Accessed on July 08, 2015, from http://www.isocbangalore.org.

[Kolkata] Internet Society Kolkata Chapter. Accessed on July 08, 2015, from http://isockolkata.in/.

[Trivandrum] Internet Society Trivandrum Chapter. Accessed on July 08, 2015, from http://www.internetsociety.org/what-we-do/where-we-work/chapters/india-trivandrum-chapter.

[ITfC] IT for Change, About IT for Change. Accessed on July 08, 2015, from http://www.itforchange.net/aboutus.

[ITfC b] IT for Change, Anita Gurumurthy. Accessed on July 08, 2015, from http://www.itforchange.net/Anita.

[ITfC c] IT for Change, Gender and Citizenship in the Information Society: Southern Feminist Dialogues in Practice and Theory. Accessed on July 08, 2015, from http://www.gender-is-citizenship.net/.

[ITfC d] IT for Change, Internet Governance. Accessed on July 08, 2015, from http://www.itforchange.net/Techgovernance.

[ITfC e] IT for Change, Our Field Centre. Accessed on July 08, 2015, from http://www.itforchange.net/field_centre.

[JNC] Just Net Coalition (JNC). Accessed on July 08, 2015, from http://justnetcoalition.org/.

[Kumar 2007] Kumar, Sasi V. 2007. The Story of Free Software in Kerala, India. Accessed on July 08, 2015, from http://swatantryam.blogspot.in/2007/08/story-of-free-software-in-kerala-india.html.

[MoLaJ 2009] Ministry of Law and Justice (MoLaJ), The Information Technology (Amendment) Act, 2008. The Gazette of India. February 05. Accessed on July 08, 2015, from http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf.

[MoCaIT 2009] Ministry of Communications and Information Technology (MoCaIT), Notification. The Gazette of India. October 27. Accessed on July 08, 2015, from http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/act301009.pdf.

[MoCaIT 2011] Ministry of Communications and Information Technology (MoCaIT), Information Technology (Intermediaries Guidelines) Rules, 2011. The Gazette of India. April 11. Accessed on July 08, 2015, from http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf.

[Noronha 2002] Noronha, Frederick, Linking a Diverse Country: Mailing Lists in India. The Digital Development Network. May 22. Accessed on July 08, 2015, from http://www.comminit.com/ict-4-development/content/linking-diverse-country-mailing-lists-india.

[Pahwa 2015] Pahwa, Nikhil, A List of Section 66A Arrests in India through the Years. Medianama. March 24. Accessed on July 08, 2015, from http://www.medianama.com/2015/03/223-section-66a-arrests-in-india/.

[Prakash 2009] Prakash, Pranesh, Short Note on IT Amendment Act, 2008 . The Centre for Internet and Society. February. Accessed on July 08, 2015, from http://cis-india.org/internet-governance/publications/it-act/short-note-on-amendment-act-2008/.

[Prakash 2011] Prakash, Pranesh, CIS Para-wise Comments on Intermediary Due Diligence Rules, 2011. The Centre for Internet and Society. Accessed on July 08, 2015, from http://cis-india.org/internet-governance/blog/intermediary-due-diligence.

[Prakash 2011 b] Prakash, Pranesh, et al, Open Government Data Study. The Centre for Internet and Society. Accessed on July 08, 2015, from http://cis-india.org/openness/blog/open-government-data-study.

[SFLC] Software Freedom Law Centre (SFLC). Accessed on July 08, 2015, from http://sflc.in/.

[Shah 2011] Shah, Nishant. 2011. Digital AlterNatives with a Cause? The Centre for Internet and Society. Accessed on July 08, 2015, from http://cis-india.org/digital-natives/blog/dnbook.

[Singh 2011] Singh, Dushyant, India's Proposal for a United Nations Committee for Internet-Related Policies. Sixty Sixth Session of the UN General Assembly, New York. October 26. Accessed on July 08, 2015, from http://www.itforchange.net/sites/default/files/ItfC/india_un_cirp_proposal_20111026.pdf.

[SKC] Society for Knowledge Commons. About Us. Accessed on July 08, 2015, from http://www.knowledgecommons.in/about-us/.

[Asia Source] Tactical Technology Collective, Asia Source. Accessed on July 08, 2015, from https://tacticaltech.org/asiasource.

[Tanna 2004] Tanna, Ketan, Internet Censorship in India: Is It Necessary and Does It Work?. Sarai-CSDS Independent Fellowship. Accessed on July 08, 2015, from http://www.ketan.net/INTERNET_CENSORSHIP_IN_INDIA.html.

[CIS] The Centre for Internet and Society. About Us. Accessed on July 08, 2015, from http://cis-india.org/about/.

[CIS 2008] The Centre for Internet and Society. 2008. Annual Report. Accessed on July 08, 2015, from http://cis-india.org/accessibility/annual-report-2008.pdf.

[Sarai 2005] The Sarai Programme, Contested Commons, Trespassing Publics. January 12. Accessed on July 08, 2015, from http://sarai.net/contested-commons-trespassing-publics/.

[Wikipedia 2015] Satish Babu. Wikipedia. Last modified on June 25. Accessed on July 08, 2015, from https://en.wikipedia.org/wiki/Satish_Babu.

For more details visit https://cis-india.org/raw/civil-society-organisations-and-internet-governance-in-india-open-review

Civil Society Organisations and Internet Governance in Asia - Open Review

sumandro — 2015-11-13T05:54:33Z

This is a book section written for the third volume (2000-2010) of the Asia Internet History series edited by Prof. Kilnam Chon. The pre-publication text of the section is being shared here to invite suggestions for addition and modification. Please share your comments via email sent to raw[at]cis-india[dot]org with 'Civil Society Organisations and Internet Governance in Asia - Comments' as the subject line. This text is published under Creative Commons Attribution-NoDerivatives 4.0 International license.

You are most welcome to read the pre-publication drafts of other sections of the Asia Internet History Vol. 3, and share your comments: https://sites.google.com/site/internethistoryasia/book3.

Preparations for the World Summit on the Information Society

The World Summit on the Information Society (WSIS) conferences organized by the United Nations in Geneva (2003) and Tunis (2005) initiated crucial platforms and networks, some temporary and some continued, for various non-governmental actors to intensively and periodically take part in the discussions of governance of Internet and various related activities towards the goals of inclusive development and human rights. Many of the civil society organizations taking part in the WSIS conferences, as well as the various regional and thematic preparatory meetings and seminars, had little prior experience in the topic of Internet governance. They were entering these conversations from various perspectives, such as local developmental interventions, human and cultural rights activism, freedom and diversity of media, and gender and social justice. With backgrounds in such forms of applied practice and theoretical frameworks, members of these civil society organizations often faced a difficult challenge in articulating their experiences, insights, positions, and suggestions in terms of the (then) emerging global discourse of Internet governance and that of information and communication technologies (ICTs) as instruments of development. At the WSIS: An Asian Response Meeting in 2002, Susanna George, (then) Executive Director of Isis International, Manila, succinctly expressed this challenge being faced by the members of civil society organizations:

For some feminist activists however, including myself, it has felt like trying to squeeze my concerns into a narrow definition of what gender concerns in ICTs are. I would like it to Cinderella’s ugly sister cutting off her toe to fit into the dainty slipper of gender concerns in ICTs. The development ball, it seems, can only accommodate some elements of what NGO activists, particularly those from the South, are concerned about in relation to new information and communications technologies. (George 2002)

The above mentioned seminar, held in Bangkok, Thailand, on November 22-24, 2002, was a crucial early meeting for the representatives from Asian civil society organizations to share and shape their understanding and positions before taking part in the global conversations during the following years. The meeting was organised by Bread for All (Switzerland), Communication Rights in the Information Society Campaign (Netherlands), Forum-Asia (Thailand), and World Association for Christian Communication (United Kingdom), as a preparatory meeting before the Asia-Pacific Regional Conference of WSIS, with 34 organizations from 16 Asian countries taking part in it. The Final Document produced at the end of this seminar was quite a remarkable one. It highlighted the simultaneity of Asia as one of the global centres of the information economy and the everyday reality of wide-spread poverty across the Asian countries, and went on to state that the first principle for the emerging global information society should be that the '[c]ommunication rights are fundamental to democracy and human development' (The World Summit on the Information Society: An Asian Response 2002). It proposed the following action items for the efforts towards a global inclusive information society: 1) strengthen community, 2) ensure access, 3) enhance the creation of appropriate content, 4) invigorate global governance, 5) uphold human rights, 6) extend the public domain, 7) protect and promote cultural and linguistic diversity, and 8) ensure public investment in infrastructure (ibid.).

Immediately after this Conference, several Asian civil society organizations attended the Asian Civil Society Forum, organised as part of the Conference of Non-governmental Organizations in Consultative Relations with the United Nations (CONGO), held in Bangkok, Thailand, during December 9-13, 2002. Representatives of Dhaka Ahsania Mission (Bangladesh), OneWorld South Asia (India), GLOCOM (Japan), Foundation for Media Alternative (Philippines), Korean Progressive Network – JINBONET (Republic of Korea), Friedrich Naumann Foundation (Singapore), International Federation of University Women (Switzerland), and Forum Asia (Regional) drafted a Joint Statement emphasising that a 'broad-based participation of civil society, especially from those communities which are excluded, marginalized and severely deprived, is critical in defining and building such a [true communicative, just and peaceful] society' (Aizu 2002). In the very next month, the Asia-Pacific Regional Conference was held in Tokyo during January 13-15, 2003, 'to develop a shared vision and common strategies for the “Information Society' (WSIS Executive Secretariat 2003: 2). The conference saw participation of representatives from 47 national governments, 22 international organizations, 54 private sector agencies, and 116 civil society organizations across the Asia-Pacific region. The Tokyo Declaration, the final document prepared at the conclusion of the Conference, recognized that:

[T]he Information Society must ... facilitate full utilization of information and communication technologies (ICT) at all levels in society and hence enable the sharing of social and economic benefits by all, by means of ubiquitous access to information networks, while preserving diversity and cultural heritage. (Ibid.: 2)

Further, it highlighted the following priority areas of action: 1) infrastructure development, 2) securing affordable, universal access to ICTs, 3) preserving linguistic and cultural diversity and promoting local content, 4) developing human resources, 5) establishing legal, regulatory and policy frameworks, 6) ensuring balance between intellectual property rights (IPR) and public interest, 7) ensuring the security of ICTs, and 8) fostering partnerships and mobilizing resources. It is not difficult to see how the focus of necessary actions shifted from an emphasis on concerns of community and human rights, and public investments and commons, towards those of legal and policy mechanisms, multi-partner delivery of services, and intellectual property rights. Civil society organizations, expectedly, felt sidelined in this Conference, and decided to issue a join statement of Asian civil society organizations to ensure that their positions are effectively presented. The first two topics mentioned in this document were: 1) '[c]ommunication rights should be fully recognized as a fundamental and universal human right to be protected and promoted in the information society,' and 2) '[t]he participation of civil society in the information society at all levels should be ensured and sustained, from policy planning to implementation, monitoring and evaluation' (UNSAJ et al 2003). The joint statement was endorsed by 30 civil society organizations: UDDIPAN (Bangladesh); COMFREL (Cambodia); ETDA (East Timor); The Hong Kong Council of Social Services (Hong Kong); Food India, IT for Change (India); Indonesian Infocom Society (Indonesia); Active Learning, CPSR, Forum for Citizens' Television and Media, JTEC, Kyoto Journal, Ritsumeikan University Media Literacy Project, UNSAJ (Japan); Computer Association Nepal, Rural Area Development Programme (Nepal); APC Women's Networking Support Programme, Foundation for Media Alternatives, ISIS International (Philippines); Citizens' Action Network, Korean Progressive Network – Jinbonet, Labor News Production, ZAK (Republic of Korea); e-Pacificka Consulting (Samoa); National University of Singapore (Singapore); Public Television Service, Taiwan Association for Human Rights (Taiwan); Asian-South Pacific Bureau for Adult Education, FORUM ASIA, and TVE Asia Pacific (Regional) (Ibid.).

Participation in the WSIS Process

The first WSIS conference was held in Geneva in December 2003. Through the processes of organizing this conference, and the second one in Tunis in November 2005, United Nations expressed a clear intention of great participation of actors from the private companies, civil society, academia, and media, along with the governmental organizations. During the first meeting of the WSIS Preparatory Committee (PrepCom-1) in Geneva, during July 1-5, 2002, the civil society organizations demanded that they should be allowed to co-shape the key topics to be discussed during the first conference (2003). There was already an Inter-Governmental Subcommittee on Contents and Themes, but no equivalent platform for the civil society organizations was available. With the approval of the Civil Society Plenary (CSP), the Civil Society Subcommittee on Content and Themes (WSIS-SCT) was instituted during PrepCom-1 (WSIS-SCT 2003b). At the second WSIS Preparatory Committee meeting (PrepCom-2) in Geneva, during February 17-28, 2003, the WSIS-SCT produced a summary of the views of its members titled 'Vision and Principles of Information and Communication Societies,' and also a one page brief titled 'Seven Musts: Priority Principles Proposed by Civil Society' to be used for lobbying purposes (Ibid.). This brief mentioned seven key principles of Internet governance identified by the civil society organization taking part in the WSIS process: (1) sustainable development, (2) democratic governance, (3) literacy, education, and research, (4) human rights, (5) global knowledge commons, (6) cultural and linguistic diversity, and (7) information security (WSIS-SCT 2003a).

Asian civil society organizations that took part in the PrepCom-2 meeting included United Nations Association of China (China); CASP - Centre for Adivasee Studies and Peace, C2N - Community Communications Network (India); ICSORC - Iranian Civil Society Organizations Resource Center (Iran); GAWF - General Arab Women Federation (Iraq); Daisy Consortium, GLOCOM - Center for Global Communications (Japan); Association for Progressive Communication, Global Knowledge Partnership (Malaysia); Pakistan Christian Peace Foundation (Pakistan); WFEO - World Federation of Engineering Organization (Palestine); Asian South Pacific Bureau of Adult Education, Foundation for Media Alternatives, ISIS International – Manila (Philippines); Korean Progressive Network - Jinbonet (Republic of Korea); IIROSA - International Islamic Relief Organization (Saudi Arabia); and Taking IT Global (India, Indonesia, Malaysia, Philippines, and Turkey) (ITU 2003a).

All these efforts led to development of the Civil Society Declaration to the World Summit on the Information Society, which was prepared and published by the Civil Society Plenary at the Geneva conference, on December 08, 2003. The Declaration was titled 'Shaping Information Societies for Human Needs' (WSIS Civil Society Plenary 2003). The Asian civil society organization that took part in the Geneva conference were BFES - Bangladesh Friendship Education Society, Drik, ICTDPB - Information & Communication Technology Development Program, Proshika - A Center for Human Development (Bangladesh); China Society for Promotion of the Guangcai Programme, Chinese People's Association for Friendship with Foreign Countries, United Nations Association of China (China); The Hong Kong Council of Social Service (Hong Kong); CASP - Centre for Adivasee Studies and Peace, Childline India Foundation / Child Helpline International, DAWN - Development Alternatives with Women for a New Era (India); Communication Network of Women's NGOs in Iran, Green front of Iran, ICTRC - Iranian Civil Society Organizations Training and Research Center, Islamic Women's Institute of Iran, Institute for Women's Studies and Research, Organization for Defending Victims of Violence (Iran); ILAM - Center for Arab Palestinians in Israel (Israel); Citizen Digital Solutions, Forum for Citizens' Television and Media, GLOCOM - Center for Global Communications, JCAFE - Japan Computer Access for Empowerment, Soka Gakkai International (Japan); LAD-Nepal - Literary Academy for Dalit of Nepal (Nepal); Asia-Pacific Broadcasting Union, Global Knowledge Partnership (Malaysia); PAK Educational Society / Pakistan Development Network, SMEDA - Small & Medium Enterprise Development Authority (Pakistan); Palestine IT Association of Companies (Palestine); Isis International – Manila, Ugnayan ng Kababaihan sa Pulitika / Philippine Women's Network in Politics and Governance (Philippines); Citizen's Alliance for Consumer Protection of Korea, Korean Civil Society Network for WSIS (Republic of Korea); Youth Challenge (Singapore); Association for Progressive Communications (India and Philippines), CITYNET - Regional Network of Local Authorities for the Management of Human Settlements (India. Mongolia, and Philippines), Taking IT Global (India and Philippines) (ITU 2003b).

As the preparatory meetings and consultations towards the second WSIS conference advanced during the next year, the Asian civil society organizations attempted to engage more directly with the global Internet governance processes on one hand, and the national Internet and ICT policy situations on the other. Writing about their encounters at and before the second Preparatory Committee meeting of the Tunis conference, held in Geneva during February 17-25, 2005, Anita Gurumurthy and Parminder Jeet Singh made several early observations that have continued to resonate with the experiences of Asian civil society organizations throughout the decade (Gurumurthy & Singh 2005). Firstly, they indicated that the government agencies present in the dialogues tend to take diverging positions in international events and domestic contexts. Secondly, there was a marked absence of formal and informal discussions between the governmental and the civil society representatives of the same country present at the meeting. The government agencies were clearly disinterested in involving civil society organizations in the process. Thirdly, the civil society actors present in the meeting were mostly from the ICT for Development sector, and the organizations working in more 'traditional' sectors – such as education, health, governance reform, etc. – remained absent from the conversations. This is especially problematic in the case of such developing countries where there does not exist strategic linkages between civil society organizaions focusing on topics of technologized developmental interventions, and those involved in more 'traditional' development practices. Rekha Jain, in a separate report on the Indian experience of participating in the WSIS process, re-iterates some of these points (Jain 2006). She notes that '[w]hile the Secretary, [Department of Telecommunications, Government of India] was involved in (PrepCom-1) drafting the initial processes for involvement of NGOs, at the national level, this mechanism was not translated in to a process for involving the civil society or media' (Ibid.: 14).

The frequent lack of interest of national governments, especially in the Asian countries, to engage with civil society organizations on matters of policies and projects in Internet governance and ICTs for development (Souter 2007), further encouraged these organization to utilise the global discussion space opened up by the WSIS process to drive the agendas of democratisation of Internet governance processes, and protection and advancement of human rights and social justice. The second WSIS conference held in Tunis, during November 16-18, 2005, however, did not end in a positive note for the civil society organizations as a whole. The sentiment is aptly captured in the title of the Civil Society Statement issued after the Tunis Conference: 'Much more could have been achieved' (WSIS Civil Society Plenary 2005). Apart from producing this very important critical response to the WSIS process, within a month of its conclusions, the civil society organization contributed effectively in one of the more longer-term impacts of the process – the establishment of the Internet Governance Forums (IGFs). Immediately after the publication of the Report of the Working Group on Internet Governance (Desai et al) in June 2005, the Center for Global Communications (GLOCOM), Japan, acting on behalf of the Civil Society Internet Governance Caucus, came forward with public support for 'the establishment of a new forum to address the broad agenda of Internet governance issues, provided it is truly global, inclusive, and multi-stakeholder in composition allowing all stakeholders from all sectors to participate as equal peers' (WSIS Civil Society Internet Governance Caucus 2005: 3).

Asian Civil Society Organizations at the IGFs

In 2006, the WSIS Civil Society Internet Governance Caucus was reformed and established as a permanent 'forum for discussion, advocacy, action, and for representation of civil society contributions in Internet governance processes' (Civil Society Internet Government Caucus 2006). Representatives from Asian civil society organizations have consistently played critical roles in the functionings of this Caucus. Youn Jung Park of the Department of Technology and Society, SUNY Korea, co-founded and co-coordined the original Caucus in 2003. Adam Peake of the Center for Global Communications (GLOCOM), International University of Japan, was co-coordinator of the original Caucus from 2003 to 2006. Parminder Jeet Sing of IT for Change, India, was elected as one of the co-cordinators of the newly reformed Caucus in 2006, with the term ending in 2008. Izumi Aizu of the Institute for HyperNetwork Society and the Institute for InfoSocinomics, Tama University, Japan served as the co-coordinator of the Caucus during 2010-2012.

The first Internet Governance Forum organized in Athens, October 30 – November 2, 2006, saw participation from a very few Asian civil society organizations, mostly from Bangladesh and Japan (IGF 2006). The second Internet Governance Forum in Rio de Janeiro, November 12-15, 2007 had a wider representation from Asian civil society organizations: Bangladesh NGOs Network for Radio and Communication, BFES - Bangladesh Friendship Education Society, VOICE – Voices for Interactive Choice and Empowerment (Bangladesh); China Association for Science and Technology, Internet Society of China (China); University of Hong Kong (Hong Kong); Alternative Law Forum (via Association for Progressive Communications - Women's Networking Support Programme), Indian Institute of Technology in Delhi, IT for Change (India); GLOCOM, Kumon Center, Tama University (Japan); Sustainable Development Networking Programme (Jordan); Kuwait Information Technology Society (Kuwait); Assocation of Computer Engineers – Nepal, Rural Area Development Programme, Nepal Rural Information Technology Development Society (Nepal); Bytesforall – APC / Pakistan, Pakistan Christian Peace Foundation (Pakistan); Foundation for Media Alternatives, Philippine Resources for Sustainable Development Inc. (Philippines); and LIRNEasia (Sri Lanka). At the Open IGF Consultations in Geneva, on February 26 2008, the Internet Governance Caucus made two significant submissions: 1) that, although structuring the IGF sessions in Athens and Rio de Janeiro around the large themes of access, openness, diversity, and security have been useful to open up the multi-stakeholder dialogues, it is necessary to begin focused discussions of specific public policy issues to take the IGF process forward (Civil Society Internet Governance Caucus 2008a), and 2) that the Multi-Stakeholder Advisory Group (MAG), which drives the IGF process and events, should be made more proactive and transparent, and expanded in size so as to better include the different stakeholder groups who may self-identify their representatives for the MAG (Civil Society Internet Governance Caucus 2008b).

On one hand, the IGF Hyderabad, December 3-6, 2008, experienced a decline in the percentage of participants from civil society organizations and a rather modest increase in the percentage of participants from Asian countries (see: 6.1.5. Annexe – Tables), especially since this was the first major international Internet governance summit held in an Asian country. On the other hand, the Civil Society Internet Governance Caucus succeeded to bring forth the term 'enhanced cooperation,' as mentioned in the Tunis Agenda, to be addressed and discussed in one of the main sessions of the Forum (IGF 2008). The next IGF held in Sharm El Sheikh, November 15-18, 2009, saw further decline of participation from both the representatives of civil society organizations, and the attendees from Asian countries (see: 6.1.5. Annexe – Tables). In this context, Youn Jung Park made the following statement in the Stock Taking session of the summit:

As a cofounder of WSIS Civil Society Internet Governance Caucus in 2003, I would like to remind you ... [that] Internet Governance Forum was created as a compromise between those who supported the status quo Internet governance institution under one nation's status provision, and those who requested for more balanced roles for governments under international supervision of the Internet. While IGF has achieved a great success of diluting of such political tension between those who have different views of how to institutionalize Internet governance, ironically Internet governance forum became a forum without governance... [We] have to admit [that] IGF failed to deliver another mandate of the U.N. WSIS: Continuing discussion of how to design Internet governance institutions... The current IGF continues to function as knowledge transfer of ICANN's values to other stakeholders, while those who want to discuss and negotiate on how to design Internet governance institutions should have another platform for that specific U.N. WSIS mandate. (IGF 2009)

The first Asia Pacific Regional Internet Governance Forum (APrIGF) was held in Hong Kong on June 14-16, 2010. The organising committee included three civil society / acadmic organizations – Center for Global Communications (GLOCOM), Internet Society Hong Kong, and National University of Singapore – and three indpendent experts – Kuo-Wei Wu (Taiwan), Norbert Klein (Cambodia), and Zahid Jamil (Pakistan). Though the Forum had dominant presence from government and private sector participants, several representatives from Asian civil society / academic organizations spoke at the sessions: Ang Peng Hwa (Singapore Internet Research Centre, Nanyang Technological University), Charles Mok (Internet Society Hong Kong), Christine Loh (Civic Exchange), Chong Chan Yau (Hong Kong Blind Union), Clarence Tsang (Christian Action), Ilya Eric Lee (Taiwan E-Learning and Digital Archives Program, and Research Center for Information Technology Innovation), Izumi Aizu (Institute for HyperNetwork Society, and Institute for InfoSocinomics, Kumon Center, Tama University), Oliver “Blogie” Robillo (Mindanao Bloggers Community), Parminder Jeet Singh (IT for Change), Priscilla Lui (Against Child Abuse in Hong Kong), Tan Tin Wee (Centre for Internet Research, National University of Singapore), and Yap Swee Seng (Asian Forum for Human Rights and Development). As Ang Peng Hwa noted at the beginning of the summit, its key objective was to provide a formal space for various stakeholders from the Asia-Pacific region to discuss and provide inputs to the IGF process (APrIGF 2010). The regional forum was successful in enabling newer civil society entrants from the Asia-Pacific region to familiarize themselves with the IGF process, and to contribute to it. Oliver “Blogie” Robillo, represented and submit recommendations from Southeast Asian civil society organizations at IGF Vilnius, September 14-17, 2010, which was the first time he took part in the summit series. He emphasised the following topics: 1) openness and freedom of expression are the basis of democracy, and state-driven censorship of Internet in the region is an immediate threat to such global rights, 2) coordinated international efforts need to address and resolve not only global digital divides, but also the divides at regional, national, and sub-nationals scales, 3) the right to privacy is an integral part of cybersecurity, as well as a necessary condition for exercising human rights, 4) global Internet governance efforts must ensure that national governments do not control and restrict abilities of citizens to express through digital means, and it should be aligned with the universal human rights agenda, and 5) even after 5 years of the IGF process, a wider participation of civil society organizations, especially from the Asia-Pacific regions, remains an unachieved goal, which can only be achived if specific resources are allocated and processes are implemented (IGF 2010).

Internet Censorship and Civil Society Responses

Throughout the decade of 2000-2010, censorship of Internet and restriction of digital expression remained a crucial Internet rights concern across the world, and especially the Asian countries. One of the earliest global reports on the matter was brought out by the Reporters without Borders. In 2006, it published a list of countries marked as 'Internet Enemies' that featured 16 countries, out of which 11 were from Asia: China, Iran, Maldives, Myanmar (then, Burma), Nepal, North Korea, Saudi Arabia, Syria, Turkmenistan, Uzbekistan, and Vietnam (Reporters without Borders 2006). The list was updated in 2007, and three of these countries – Libya, Maldives, and Nepal – were taken off (Ibid.). The unique contradictions of the Asian region were sharply foregrounded in the 2006-07 report on Internet censorship by OpenNet Initiative, which noted:

Some of the most and least connected countries in the world are located in Asia: Japan, South Korea, and Singapore all have Internet penetration rates of over 65 percent, while Afghanistan, Myanmar, and Nepal remain three of thirty countries with less than 1 percent of its citizens online. Among the countries in the world with the most restricted access, North Korea allows only a small community of elites and foreigners online. Most users must rely on Chinese service providers for connectivity, while the limited number North Korean–sponsored Web sites are hosted abroad... [T]hough India’s Internet community is the fifth largest in the world, users amounted to only about 4 percent of the country’s population in 2005. Afghanistan, Myanmar, and Nepal are among the world’s least-developed countries. Despite the constraints on resources and serious developmental and political challenges, however, citizens are showing steadily increasing demand for Internet services such as Voice-over Internet Protocol (VoIP), blogging, and chat. (Wang 2007)

The report further described the strategy used by various Asian governments of 'delegation of policing and monitoring responsibilities to ISPs, content providers, private corporations, and users themselves' (Ibid.) These mechanisms enforce self-surveillance and self-censorship in the face of threats of loss of commercial license, denial of services, and even criminal liability. Defamation suits and related civil and criminal liability have also been used by several Asian governments to silence influential critics and protesters. Direct technical filtering of Internet traffic (especially inwards traffic) and blocking of URLS via government directives sent to Internet Service Providers (ISPs) have also been common practice in key Asian countries (Ibid.). Expectedly, such experiences of oppression led to widespread campaigns and communications by the Asian civil society organizations, as can be sensed from the above mentioned submission by Oliver “Blogie” Robillo at IGF Vilnius.

Among the Asian countries, the comprehensive technologies of censorship developed and deployed by China has been studied most extensively. The Golden Shield Project was initiated by the Ministry of Public Security of China in 1998 to undertake blanket blocking of incoming Internet traffic based on specific URLs and terms. Evidences of the project getting operationalised became available in 2003 (Garden Networks for Freedom of Information 2004). Censorship of Internet in China, however, has not only been dependent on such sophisticated systems. In 2003, it was made mandatory for all residents of Lhasa, Tibet, to use a specific combination and password to access Internet, which was directly linked to their names and address. An Internet ID Card was issued by the government to implement this (International Campaign for Tibet. 2004). Tibet Action Institute has been a key civil society organization at the forefront of cyber-offensive of the Chinese government. A recent documentary by the Institute, titled 'Tibet: Frontline of the New Cyberwar,' has narrated how it has worked closely with the Citizen Lab, Munk School of Global Affairs, University of Toronto, to identify, trace, and resist the malware- and other cyber-attacks experienced by the civil society actors and websites in favor of independence of Tibet (Tibet Action Institute 2015). Not only activists supporting the Tibetan cause, digital security training emerged as an important aspect of the life of civil society organizations during the decade. Asian organizations like Bytes for All (Pakistan) and Myanmar ICT for Development Organization (Mynamar), as well as international organizations like Front Line Defenders and Citizen Lab have educated and supported civil society activities much beyond the Internet governance sphere with tools and techniques for effectively using digital channels of communications, and defending themselves for cyber-threats.

Combination of traditional forms of civil society mobilizations and digital techniques have often been used resist attempts by Asian governments to control the online communication space. Huma Yusuf has extensively studied the emergence of hybrid media strategies, using both old media channels like newspapers and new media channels like blogs and video sharing platforms, among citizen journalists and civil society activists in Pakistan as the government took harsh steps towards control of both traditional and online media during 2007-2008 (Yusuf 2009). She has carefully traced how possibilities of new forms of information and media sharing enabled by Internet were initially identified and implemented by citizen journalists and student activists, which was quickly learned and re-deployed by more formal organisation, such as print and electronic news companies, and civil society organizations like those involved in election monitoring (Ibid.). Malaysia also experienced fast-accelerating face-off between the government and the civil society during 2007-2010, as the former started intervening directly into censoring blogs and newspaper websites. On one hand, the government took legal actions against critical bloggers, either directly or indirectly, and on the other it instructed ISPs to block 'offensive content.' It also borrowed the 'Singapore-model' to mandate registration of bloggers with government authorities, if they are identifed as writing on socio-political topics. The civil society actors responded to these oppressive steps by setting up a new blog dedicated to coverage of the defamation cases (filed against prominent bloggers), and publicly sharing instructions for circumvention of the blocks imposed by ISPs. The National Alliance of Bloggers was soon formed, which organised the “Blogs and Digital Democracy” forum on October 3, 2007 (Thien 2011: 46-47). Similarly, Bloggers Against Censorship campaign took shape in India in 2006 as the government first directed ISPs to block specific blogs hosted on Blogspot, TypePad, and Yahoo! Geocities, and then went for complete blocking of Yahoo! Geocities as the ISPs failed to block specific sub-domains of the platform (Bloggers Collective Group 2006). Learning from this experience, the following year Indian government decided to work directly with Orkut to take down 'defamatory content' about a politician (The Economic Times 2007). This is common for other Asian governments too, as they have continued to develop more legally binding and technically sophisticated measures to monitor and control online expression.

In the 'Internet Enemies Report 2012,' Reporters without Borders listed 12 countries as 'enemies of the Internet,' out of which 10 were from Asia – Bahrain, China, Iran, Myanmar, North Korea, Saudi Arabia, Syria, Turkmenistan, Uzbekistan, and Vietnam – and it named 14 countries that are conducting surveillance on its citizens, out of which 7 were from Asia – India, Kazakhstan, Malaysia, South Korea, Sri Lanka, Thailand, and United Arab Emirates (Reporters without Borders 2012). At the APrIGF held in Tokyo, July 18-20, 2012, a group of delegates from civil society organizations working in the South-East Asian region issued a joint statement with a clear call for global action against the shrinking space for freedom of (digital) expression in the region (Thai Netizen Network et al 2012). They specifically noted the following national acts as examples of the legislative mechanisms being used by different Asian governments to criminalize online speech and/or to harass public dissenters:

Burma – The 2004 Electronic Transactions Act
Cambodia – The 2012 Draft Cyber-Law, the 1995 Press Law, and the 2010 Penal Code
Malaysia – The 2012 Amendment to the Evidence Act and the 2011 Computing Professionals Bill
Indonesia – The 2008 Law on Information and Electronic Transaction and the 2008 Law on Pornography
The Philippines – The 2012 Data Privacy Act
Thailand – The 2007 Computer Crimes Act, the Article 112 of the Penal Code, and the 2004 Special Case Investigation Act
Vietnam – The 1999 Penal Code, the 2004 Publishing Law, the 2000 State Secrets Protection Ordinance, and the 2012 Draft Decree on Internet Management. (Ibid.)

The statement was co-signed by Thai Netizen Network, Thai Media Policy Centre, The Institute for Policy Research and Advocacy (ELSAM), Southeast Asian Press Alliance (SEAPA), Southeast Asian Centre for e-Media (SEACeM), Victorius (Ndaru) Eps, Community Legal Education Center (CLEC), Sovathana (Nana) Neang, Asian Forum for Human Rights and Development (FORUM-ASIA), and was endorsed by ICT Watch (Indonesian ICT Partnership Association).

Annexe – Tables

Table 1: Participation from Asian Countries and of representatives from Asian civil society organisations in IGFs, 2006-2010

Event	Participants from Asian Countries	Participants from Civil Society Organizations
IGF Athens 2006	11%	29%
IGF Rio de Janeiro 2007	13%	32%
IGF Hyderabad 2008	56% from India, and 15% from other Asian countries	25%
IGF Sharm El Sheikh 2009	17%	19%
IGF Vilnius 2010	Not Available	Not Available

Source: Reports available on Internet Governance Forum website (http://igf.wgig.org/cms).

Table 2: Internet Society Chapters in Asia

Chapter	Year of Establishment	URL
Afghanistan	In formation	Not available
Bahrain	2001	http://www.bis.org.bh/
Bangladesh	2011	http://www.isoc.org.bd/dhaka/
Hong Kong	2005	http://www.isoc.hk/
India (Bangalore)	2010	http://www.isocbangalore.org/
India (Chennai)	2007	http://www.isocindiachennai.org/
India (Delhi)	2002. Rejuvenated in 2008.	http://www.isocdelhi.in/
India (Kolkata)	2009	http://isockolkata.in/
India (Trivandrum)	2015	Not available
Indonesia	2014	http://www.isoc.or.id/
Israel	1995	http://www.isoc.org.il/
Japan	1994	http://www.isoc.jp/
Lebanon	2010	http://www.isoc.org.lb/
Malaysia	2010	http://www.isoc.my/
Nepal	2007	http://www.internetsociety.org.np/
Pakistan (Islamabad)	2013	http://www.isocibd.org.pk/
Palestine	2002	http://www.isoc.ps/
Philippines	1999. Rejuvenated in 2009.	https://www.facebook.com/isoc.ph/
Qatar	2011	http://www.isoc.qa/
Republic of Korea	2014	Not available
Singapore	2011	http://isoc.sg/
Sri Lanka	2010	http://www.isoc.lk/
Taipei	1996	http://www.isoc.org.tw/
Thailand	1996	http://www.isoc-th.org/
United Arab Emirates	2007	http://www.isocuae.com/
Yemen	2013	http://isoc.ye/

Source: Details of chapters available on Internet Society website (http://www.internetsociety.org/).

Reference

Aizu, Izumi et al. 2002. Joint Statement from Asia Civil Society Forum Participants on World Summit on the Information Society (WSIS). December 13. Accessed on July 08, 2015 from http://www.wsisasia.org/wsis-acsf2002/wsis-acsfdec13f.doc.

Asia Pacific Regional Internet Governance Forum (APrIGF). 2010. APrIGF Roundtable – June 15th, 2010: Session 1 – Welcome Remarks and Introduction – Real Time Transcript. Accessed on July 08, 2015 from http://2010.rigf.asia/aprigf-roundtable-june-15th-2010-session-1/.

Bloggers Collective Group. 2006. Bloggers Against Censorship. Last updated on April 30, 2009‎. Accessed on July 08, 2015, from http://censorship.wikia.com/wiki/Bloggers_Against_Censorship.

Civil Society Internet Governance Caucus. 2006. Internet Governance Caucus Charter. October 14. Accessed on July 08, 2015, from http://igcaucus.org/old/IGC-charter_final-061014.html.

Civil Society Internet Governance Caucus. 2008a. Inputs for the Open IGF Consultation, Geneva, 26th February, 2008 – Statement II: Main Session Themes for IGF, Hyderabad. February 26. Accessed on July 08, 2015, from http://igcaucus.org/old/IGC%20-%20Main%20themes%20for%20IGF%20Hyd.pdf.

Civil Society Internet Governance Caucus. 2008b. Inputs for the Open IGF Consultation, Geneva, 26th February, 2008 – Statement III: Renewal / Restructuring of Multi-stakeholder Advisory Group. February 26. Accessed on July 08, 2015, from http://igcaucus.org/old/IGC%20-%20MAG%20Rotation.pdf.

Desai, Nitin, et al. 2005. Report of the Working Group on Internet Governance. United June. Accessed on July 08, 2015 from http://www.wgig.org/docs/WGIGREPORT.pdf.

Garden Networks for Freedom of Information. 2004. Breaking through the “Golden Shield.” Open Society Institute. November 01. Accessed on July 08, 2015 from https://www.opensocietyfoundations.org/sites/default/files/china-internet-censorship-20041101.pdf.

George, Susanna. 2002. Women and New Information and Communications Technologies: The Promise of Empowerment. Presented at The World Summit on the Information Society: An Asian Response Meeting, November 22-24. Accessed on July 08, 2015 from http://www.wsisasia.org/materials/susanna.doc/.

Gurumurthy, Anita, & Parminder Jeet Singh. 2005. WSIS PrepCom 2: A South Asian Perspective. Association for Progressive Communications. April 01. Accessed on July 08, 2015, from https://www.apc.org/en/news/hr/world/wsis-prepcom-2-south-asian-perspective.

Internet Governance Forum (IGF). 2006. Athens 2006 – List of Participants. Accessed on July 08, 2015, from http://www.intgovforum.org/PLP.html.

Internet Governance Forum (IGF). 2008. Arrangements for Internet Governance, Global and National/Regional. IGF Hyderabad, India. December 5. Accessed on July 08, 2015, from https://web.archive.org/web/20130621205004/http://www.intgovforum.org/cms/hyderabad_prog/AfIGGN.html [Original URL: http://www.intgovforum.org/cms/hyderabad_prog/AfIGGN.html].

Internet Governance Forum (IGF). 2009. Taking Stock and Looking Forward – On the Desirability of the Continuation of the Forum, Part II. IGF Sharm El Sheikh, Egypt. November 18. Accessed on July 08, 2015, from http://www.intgovforum.org/cms/2009/sharm_el_Sheikh/Transcripts/Sharm%20El%20Sheikh%2018%20November%202009%20Stock%20Taking%20II.txt.

Internet Governance Forum (IGF). 2010. Taking Stock of Internet Governance and the Way Forward. IGF Vilnius, Lithuania. September 17. Accessed on July 08, 2015, from http://igf.wgig.org/cms/component/content/article/102-transcripts2010/687-taking-stock.

International Campaign for Tibet. 2004. Chinese Authorities Institute Internet ID Card System in Tibet for Online Surveillance. April 30. Accessed on July 08, 2015, from http://www.savetibet.org/chinese-authorities-institute-internet-id-card-system-in-tibet-for-online-surveillance/.

International Telecommunication Union (ITU). 2003a. PrepCom-2 / 17-28 February 2003 – Final List of Participants. February 28. Accessed on July 08, 2015, from http://www.itu.int/wsis/participation/prepcom2/prepcom2-cl.pdf.

International Telecommunication Union (ITU). 2003b. Geneva Phase of the WSIS: List of Participants. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/geneva/summit_participants.pdf.

Jain, Rekha. 2006. Participation of Developing Countries in the World Summit on the Information Society (WSIS) Process: India Case Study. Association for Progressive Communications. March. Accessed on July 08, 2015 from http://rights.apc.org/documents/wsis_india.pdf.

Reporters without Borders. 2006. List of the 13 Internet Enemies. Last updated on August 28, 2007. Accessed on July 08, 2015 from http://en.rsf.org/list-of-the-13-internet-enemies-07-11-2006,19603.

Reporters without Borders. 2012. Internet Enemies Report 2012. Accessed on July 08, 2015 from http://en.rsf.org/IMG/pdf/rapport-internet2012_ang.pdf.

Souter, David. 2007. WSIS and Civil Society. In: Whose Summit? Whose Information Society? Developing Countries and Civil Society at the World Summit on the Information Society. With additional research by Abiodun Jagun. Association for Progressive Communications. Pp. 72-89. Accessed on July 08, 2015 from http://rights.apc.org/documents/whose_summit_EN.pdf.

Thai Netizen Network et al. 2012. Southeast Asian Civil Society Groups Highlight Increasing Rights Violations Online, Call for Improvements to Internet Governance Processes in the Region. Statement of Civil Society Delegates from Southeast Asia to 2012 Asia-Pacific Regional Internet Governance Forum (APrIGF). July 31. Accessed on July 08, 2015 from https://freedomhouse.org/sites/default/files/AprIGF-Joint%20Statement-FINAL.pdf.

The Economic Times. 2007. Orkut's Tell-All Pact with Cops. May 01. Accessed on July 08, 2015 from http://articles.economictimes.indiatimes.com/2007-05-01/news/28459689_1_orkut-ip-addresses-google-spokesperson.

The World Summit on the Information Society: An Asian Response. 2002. Final Document. Accessed on July 08, 2015 from http://www.wsisasia.org/materials/finalversion.doc.

Thien, Vee Vian. 2011. The Struggle for Digital Freedom of Speech: The Malaysian Sociopolitical Blogosphere’s Experience. In: Ronald Deibert et al. (eds.) Access Contested. OpenNet Initiative. Pp. 43-63. Accessed on July 08, 2015 from http://access.opennet.net/wp-content/uploads/2011/12/accesscontested-chapter-03.pdf.

Tibet Action Institute. 2015. Tibet: Frontline of the New Cyberwar. YouTube. January 27. Accessed on July 08, 2015 from https://www.youtube.com/watch?v=yE3AQqbGVkk.

UNSAJ et al. 2003. Civil Society Observations and Response to the Tokyo Declaration. Asia-Pacific Regional Conference on the World Summit on the Information Society. January 15. Accessed on July 08, 2015 from http://www.wsisasia.org/wsis-tokyo/tokyo-statement.html.

Wang, Stephanie. 2007. Internet Filtering in Asia in 2006-2007. OpenNet Initiative. Accessed on July 08, 2015, from https://opennet.net/studies/asia2007.

WSIS Civil Society Internet Governance Caucus. 2005. Initial Reactions to the WGIG Report. Contribution from GLOCOM on behalf of the WSIS Civil Society Internet Governance Caucus. July 19. Accessed on July 08, 2015, from www.itu.int/wsis/%20docs2/pc3/contributions/co23.doc.

WSIS Civil Society Plenary. 2003. “Shaping Information Societies for Human Needs” – Civil Society Declaration to the World Summit on the Information Society. December 8. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/geneva/civil-society-declaration.pdf.

WSIS Civil Society Plenary. 2005. “Much more could have been achieved” – Civil Society Statement on the World Summit on the Information Society. December 18. Accessed on July 08, 2015, from https://www.itu.int/wsis/docs2/tunis/contributions/co13.pdf.

WSIS Civil Society Subcommittee on Content and Themes. 2003a. “Seven Musts”: Priority Principles Proposed by Civil Society. February 25. Accessed on July 08, 2015, from http://www.movimientos.org/es/foro_comunicacion/show_text.php3%3Fkey%3D1484.

WSIS Civil Society Subcommittee on Content and Themes. 2003b. Final Report on Prepcom-2 Activities of the Civil Society on Content and Themes. March 27. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/pcip/misc/cs_sct.pdf.

WSIS Executive Secretariat. 2003. Report of the Asia-Pacific Regional Conference for WSIS (Tokyo, 13-15 January 2003). WSIS. Accessed on July 08, 2015, from http://www.itu.int/dms_pub/itu-s/md/03/wsispc2/doc/S03-WSISPC2-DOC-0006!!PDF-E.pdf.

Yusuf, Huma. 2009. Old and New Media: Converging during the Pakistan Emergency (March 2007 - February 2008). MIT Centre for Civic Media. January 12. Accessed on July 08, 2015, from https://civic.mit.edu/blog/humayusuf/old-and-new-media-converging-during-the-pakistan-emergency-march-2007-february-2008.

For more details visit https://cis-india.org/raw/civil-society-organisations-and-internet-governance-in-asia-open-review

Security: Privacy, Transparency and Technology

sunil — 2015-09-15T10:53:52Z

The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2.

Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.

Security and Privacy

Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." [1] Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." [2] Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology [3] should be seen as an increasingly key ingredient to the solution of that optimisation problem.

Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:

Data Retention: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.
Privacy-Protective Surveillance: Ann Cavoukian and Khaled El Emam [4] have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.
Fishing Expedition Design: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard [5] that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacypolicies/regulation. Authorised agencies would then hone in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.

An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.

If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.

Security and Transparency

There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.

Optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

The recent detection of the Heartbleed [6] security bug in Open SSL, [7] causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. [8]

At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.

In order words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.

Security and Technology

A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.

This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.

More Technology

Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.

Latest Technology

Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations makes it clear that some older technologies are harder to compromise in comparison to modern technology. [9] Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.

Complex Technology

Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." [10] This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly when it comes to authentication, a pin number is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.

In the following section of the paper we have identified five threat scenarios [11] relevant to India and identified solutions based on our theoretical framing above.

Threat Scenarios and Possible Solutions

Hacking the NIC Certifying Authority
One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). [12] In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. [13] Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. India’s Controller of Certifying Authority’s certificates issued are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. [14] In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. [15] Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." [16] The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties by the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. [17] The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date [18] and is no longer issuing digital certificates for the time being. [19]Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks due to fake digital certificates. [20] Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. [21]

‘Logic Bomb’ against Airports
Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. [22] In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. [23] Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.

Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and investigate into probable vulnerabilities.

Attack on Critical Infrastructure
The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. [24] The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. [25]

The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered [26] and connected to one or more Siemens programmable logic controllers. [27] The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. [28] The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.

Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.

Micro Level: Chip Attacks
Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. [29]

Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities [30] and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. [31]

Macro Level: Telecom and Network Switches

The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. [32] Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. [33]

Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. [34] Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. [35]

Security practitioners and policymakers need to avoid the zero-sum framing prevalent in popular discourse regarding security VIS-A-VIS privacy, transparency and technology.

A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals personal information at risk.

While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, [36] the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.

Conclusion

Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.

[1]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.

[2]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security commentary/security matters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.

[3]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.

[4]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information & Privacy Commisioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.

[5]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy”(presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.

[6]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.

[7]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.

[8]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.

[9]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.

[10]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

[11]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.

[12]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.

[13]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.

[14]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.

[15]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&context=jss.

[16]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.

[17]. Ibid.

[18]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.

[19]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.

[20]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.

[21]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertiaIndira.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.

[22]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal -3/.

[23]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121 htm.

[24]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.

[25]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.

[26]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.

[27]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.

[28]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.

[29]. Ibid.

[30]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.

[31]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.

[32]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.

[33]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-70 00010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.

[34]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.

[35]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.

[36]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.

For more details visit https://cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology

A Review of the Policy Debate around Big Data and Internet of Things

elonnai — 2015-08-17T08:36:18Z

This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.

Defining and Connecting Big Data and Internet of Things

The Internet of Things is a term that refers to networked objects and systems that can connect to the internet and can transmit and receive data. Characteristics of IoT include the gathering of information through sensors, the automation of functions, and analysis of collected data.[1] For IoT devices, because of the velocity at which data is generated, the volume of data that is generated, and the variety of data generated by different sources [2] - IoT devices can be understood as generating Big Data and/or relying on Big Data analytics. In this way IoT devices and Big Data are intrinsically interconnected.

General Implications of Big Data and Internet of Things

Big Data paradigms are being adopted across countries, governments, and business sectors because of the potential insights and change that it can bring. From improving an organizations business model, facilitating urban development, allowing for targeted and individualized services, and enabling the prediction of certain events or actions - the application of Big Data has been recognized as having the potential to bring about dramatic and large scale changes.

At the same time, experts have identified risks to the individual that can be associated with the generation, analysis, and use of Big Data. In May 2014, the White House of the United States completed a ninety day study of how big data will change everyday life. The Report highlights the potential of Big Data as well as identifying a number of concerns associated with Big Data. For example: the selling of personal data, identification or re-identification of individuals, profiling of individuals, creation and exacerbation of information asymmetries, unfair, discriminating, biased, and incorrect decisions based on Big Data analytics, and lack of or misinformed user consent.[3] Errors in Big Data analytics that experts have identified include statistical fallacies, human bias, translation errors, and data errors.[4] Experts have also discussed fundamental changes that Big Data can bring about. For example, Danah Boyd and Kate Crawford in the article "Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon" propose that Big Data can change the definition of knowledge and shape the reality it measures.[5] Similarly, a BSC/Oxford Internet Institute conference report titled " The Societal Impact of the Internet of Things" points out that often users of Big Data assume that information and conclusions based on digital data is reliable and in turn replace other forms of information with digital data.[6]

Concerns that have been voiced by the Article 29 Working Party and others specifically about IoT devices have included insufficient security features built into devices such as encryption, the reliance of the devices on wireless communications, data loss from infection by malware or hacking, unauthorized access and use of personal data, function creep resulting from multiple IoT devices being used together, and unlawful surveillance.[7]

Regulation of Big Data and Internet of Things

The regulation of Big Data and IoT is currently being debated in contexts such as the US and the EU. Academics, civil society, and regulators are exploring questions around the adequacy of present regulation and overseeing frameworks to address changes brought about Big Data, and if not - what forms of or changes in regulation are needed? For example, Kate Crawford and Jason Shultz in the article "Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms"stress the importance of bringing in 'data due process rights' i.e ensuring fairness in the analytics of Big Data and how personal information is used.[8] While Solon Barocas and Andrew Selbst in the article "Big Data's Disparate Impact" explore if present anti-discrimination legislation and jurisprudence in the US is adequate to protect against discrimination arising from Big Data practices - specifically data mining.[9]

The Impact of Big Data and IoT on Data Protection Principles

In the context of data protection, various government bodies, including the Article 29 Data Protection Working Party set up under the Directive 95/46/EC of the European Parliament, the Council of Europe, the European Commission, and the Federal Trade Commission, as well as experts and academics in the field, have called out at least ten different data protection principles and concepts that Big Data impacts:

Collection Limitation: As a result of the generation of Big Data as enabled by networked devices, increased capabilities to analyze Big Data, and the prevalent use of networked systems - the principle of collection limitation is changing.[10]
Consent: As a result of the use of data from a wide variety of sources and the re-use of data which is inherent in Big Data practices - notions of informed consent (initial and secondary) are changing.[11]
Data Minimization: As a result of Big Data practices inherently utilizing all data possible - the principle of data minimization is changing/obsolete.[12]
Notice: As a result of Big Data practices relying on vast amounts of data from numerous sources and the re-use of that data - the principle of notice is changing.[13]
Purpose Limitation: As a result of Big Data practices re-using data for multiple purposes - the principle of purpose limitation is changing/obsolete.[14]
Necessity: As a result of Big Data practices re-using data, the new use or re-analysis of data may not be pertinent to the purpose that was initially specified- thus the principle of necessity is changing.[15]
Access and Correction: As a result of Big Data being generated (and sometimes published) at scale and in real time - the principle of user access and correction is changing.[16]
Opt In and Opt Out Choices: Particularly in the context of smart cities and IoT which collect data on a real time basis, often without the knowledge of the individual, and for the provision of a service - it may not be easy or possible for individuals to opt in or out of the collection of their data.[17]
PI: As a result of Big Data analytics using and analyzing a wide variety of data, new or unexpected forms of personal data may be generated - thus challenging and evolving beyond traditional or specified definitions of personal information.[18]
Data Controller: In the context of IoT, given the multitude of actors that can collect, use and process data generated by networked devices, the traditional understanding of what and who is a data controller is changing.[19]

Possible Technical and Policy Solutions

In a Report titled "Internet of Things: Privacy & Security in a Connected World" by the Federal Trade Commission in the United States it was noted that though IoT changes the application and understanding of certain privacy principles, it does not necessarily make them obsolete.[20] Indeed many possible solutions that have been suggested to address the challenges posed by IoT and Big Data are technical interventions at the device level rather than fundamental policy changes. For example it has been proposed that IoT devices can be programmed to:

Automatically delete data after a specified period of time [21] (addressing concerns of data retention)
Ensure that personal data is not fed into centralized databases on an automatic basis [22] (addressing concerns of transfer and sharing without consent, function creep, and data breach)
Offer consumers combined choices for consent rather than requiring a one time blanket consent at the time of initiating a service or taking fresh consent for every change that takes place while a consumer is using a service. [23] (addressing concerns of informed and meaningful consent)
Categorize and tag data with accepted uses and programme automated processes to flag when data is misused. [24] (addressing concerns of misuse of data)
Apply 'sticky policies' - policies that are attached to data and define appropriate uses of the data as it 'changes hands' [25] (addressing concerns of user control of data)
Allow for features to only be turned on with consent from the user [26] (addressing concerns of informed consent and collection without the consent or knowledge of the user)
Automatically convert raw personal data to aggregated data [27] (addressing concerns of misuse of personal data and function creep)
Offer users the option to delete or turn off sensors [28] (addressing concerns of user choice, control, and consent)

Such solutions place the designers and manufacturers of IoT devices in a critical role. Yet some, such as Kate Crawford and Jason Shultz are not entirely optimistic about the possibility of effective technological solutions - noting in the context of automated decision making that it is difficult to build in privacy protections as it is unclear when an algorithm will predict personal information about an individual.[29]

Experts have also suggested that more emphasis should be placed on the principles and practices of:

Transparency,
Access and correction,
Use/misuse
Breach notification
Remedy
Ability to withdraw consent

Others have recommended that certain privacy principles need to be adapted to the Big Data/IoT context. For example, the Article 29 Working Party has clarified that in the context of IoT, consent mechanisms need to include the types of data collected, the frequency of data collection, as well as conditions for data collection.[30] While the Federal Trade Commission has warned that adopting a pure "use" based model has its limitations as it requires a clear (and potentially changing) definition of what use is acceptable and what use is not acceptable, and it does not address concerns around the collection of sensitive personal information.[31] In addition to the above, the European Commission has stressed that the right of deletion, the right to be forgotten, and data portability also need to be foundations of IoT systems and devices.[32]

Possible Regulatory Frameworks

To the question - are current regulatory frameworks adequate and is additional legislation needed, the FTC has recommended that though a specific IoT legislation may not be necessary, a horizontal privacy legislation would be useful as sectoral legislation does not always account for the use, sharing, and reuse of data across sectors. The FTC also highlighted the usefulness of privacy impact assessments and self regulatory steps to ensure privacy.[33] The European Commission on the other hand has concluded that to ensure enforcement of any standard or protocol - hard legal instruments are necessary.[34] As mentioned earlier, Kate Crawford and Jason Shultz have argued that privacy regulation needs to move away from principles on collection, specific use, disclosure, notice etc. and focus on elements of due process around the use of Big Data - as they say "procedural data due process". Such due process should be based on values instead of defined procedures and should include at the minimum notice, hearing before an independent arbitrator, and the right to review. Crawford and Shultz more broadly note that there are conceptual differences between privacy law and big data that pose as serious challenges i.e privacy law is based on causality while big data is a tool of correlation. This difference raises questions about how effective regulation that identifies certain types of information and then seeks to control the use, collection, and disclosure of such information will be in the context of Big Data – something that is varied and dynamic. According to Crawford and Shultz many regulatory frameworks will struggle with this difference – including the FTC's Fair Information Privacy Principles and the EU regulation including the EU's right to be forgotten.[35] The European Data Protection Supervisor on the other hand looks at Big Data as spanning the policy areas of data protection, competition, and consumer protection – particularly in the context of 'free' services. The Supervisor argues that these three areas need to come together to develop ways in which the challenges of Big Data can be addressed. For example, remedy could take the form of data portability – ensuring users the ability to move their data to other service providers empowering individuals and promoting competitive market structures or adopting a 'compare and forget' approach to data retention of customer data. The Supervisor also stresses the need to promote and treat privacy as a competitive advantage, thus placing importance on consumer choice, consent, and transparency.[36] The European Data Protection reform has been under discussion and it is predicted to be enacted by the end of 2015. The reform will apply across European States and all companies operating in Europe. The reform proposes heavier penalties for data breaches, seeks to provide users with more control of their data.[37] Additionally, Europe is considering bringing digital platforms under the Network and Information Security Directive – thus treating companies like Google and Facebook as well as cloud providers and service providers as a critical sector. Such a move would require companies to adopt stronger security practices and report breaches to authorities.[38]

Conclusion

A review of the different opinions and reactions from experts and policy makers demonstrates the ways in which Big Data and IoT are changing traditional forms of protection that governments and societies have developed to protect personal data as it increases in value and importance. While some policy makers believe that big data needs strong legislative regulation and others believe that softer forms of regulation such as self or co-regulation are more appropriate, what is clear is that Big Data is either creating a regulatory dilemma– with policy makers searching for ways to control the unpredictable nature of big data through policy and technology through the merging of policy areas, the honing of existing policy mechanisms, or the broadening of existing policy mechanisms - while others are ignoring the change that Big Data brings with it and are forging ahead with its use.

Answering the 'how do we regulate Big Data” question requires re-conceptualization of data ownership and realities. Governments need to first recognize the criticality of their data and the data of their citizens/residents, as well as the contribution to a country's economy and security that this data plays. With the technologies available now, and in the pipeline, data can be used or misused in ways that will have vast repercussions for individuals, society, and a nation. All data, but especially data directly or indirectly related to citizens and residents of a country, needs to be looked upon as owned by the citizens and the nation. In this way, data should be seen as a part of critical national infrastructure of a nation, and accorded the security, protections, and legal backing thereof to prevent the misuse of the resource by the private or public sectors, local or foreign governments. This could allow for local data warehousing and bring physical and access security of data warehouses on par with other critical national infrastructure. Recognizing data as a critical resource answers in part the concern that experts have raised – that Big Data practices make it impossible for data to be categorized as personal and thus afforded specified forms of protection due to the unpredictable nature of big data. Instead – all data is now recognized as critical.

In addition to being able to generate personal data from anonymized or non-identifiable data, big data also challenges traditional divisions of public vs. private data. Indeed Big Data analytics can take many public data points and derive a private conclusion. The use of Big Data analytics on public data also raises questions of consent. For example, though a license plate is public information – should a company be allowed to harvest license plate numbers, combine this with location, and sell this information to different interested actors? This is currently happening in the United States.[39] Lastly, Big Data raises questions of ownership. A solution to the uncertainty of public vs. private data and associated consent and ownership could be the creation a National Data Archive with such data. The archive could function with representation from the government, public and private companies, and civil society on the board. In such a framework, for example, companies like Airtel would provide mobile services, but the CDRs and customer data collected by the company would belong to the National Data Archive and be available to Airtel and all other companies within a certain scope for use. This 'open data' approach could enable innovation through the use of data but within the ambit of national security and concerns of citizens – a framework that could instill trust in consumers and citizens. Only when backed with strong security requirements, enforcement mechanisms and a proactive, responsive and responsible framework can governments begin to think about ways in which Big Data can be harnessed.

[1] BCS - The Chartered Institute for IT. (2013). The Societal Impact of the Internet of Things. Retrieved May 17, 2015, from http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf

[2] Sicular, S. (2013, March 27). Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused with Three “V”s. Retrieved May 20, 2015, from http://www.forbes.com/sites/gartnergroup/2013/03/27/gartners-big-data-definition-consists-of-three-parts-not-to-be-confused-with-three-vs/

[3] Executive Office of the President. “Big Data: Seizing Opportunities, Preserving Values”. May 2014. Available at: https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf. Accessed: July 2^nd 2015.

[4] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564

[5] Danah Boyd, Kate Crawford. CRITICAL QUESTIONS FOR BIG DATA. Information, Communication & Society Vol. 15, Iss. 5, 2012. Available at: http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878. Accessed: July 2^nd 2015.

[6] The Chartered Institute for IT, Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things” February 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[7] ARTICLE 29 Data Protection Working Party. (2014). Opinion 8/2014 on the on Recent Developments on the Internet of Things. European Commission. Retrieved May 20, 2015, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf

[8] Crawford, K., & Schultz, J. (2013). Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms (SSRN Scholarly Paper No. ID 2325784). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2325784

[9] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[10] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[11] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[12] Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), 239.

[13] Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).

[14] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[15] Information Commissioner's Office. (2014). Big Data and Data Protection. Infomation Commissioner's Office. Retrieved May 20, 2015, from https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf

[16] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[17] The Chartered Institute for IT and Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things”. February 14^th 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[18] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[19] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[20] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[21] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[22] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[23] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[24] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[25] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[26] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[27] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[28] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[29] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[30] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[31] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[32] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[33] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[34] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[35] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1^st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2^nd 2015.

[36] European Data Protection Supervisor. Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy. March 2014. Available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf

[37] SC Magazine. Harmonised EU data protection and fines by the end of the year. June 25^th 2015. Available at: http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/. Accessed: August 8^th 2015.

[38] Tom Jowitt, “Digital Platforms to be Included in EU Cybersecurity Law”. TechWeek Europe. August 7^th 2015. Available at: http://www.techweekeurope.co.uk/e-regulation/digital-platforms-eu-cybersecuity-law-174415

[39] Adam Tanner. Data Brokers are now Selling Your Car's Location for $10 Online. July 10^th 2013. Available at: http://www.forbes.com/sites/adamtanner/2013/07/10/data-broker-offers-new-service-showing-where-they-have-spotted-your-car/

For more details visit https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things

War Driving in Lhasa Vegas

Oxblood Ruffin — 2015-08-17T08:19:56Z

This post by Oxblood Ruffin is part of the 'Studying Internets in India' series. Oxblood Ruffin is a hacktivist and film maker. He joined the CULT OF THE DEAD COW in 1996 as its Foreign Minister. Colonel Ruffin is co-author of the Hacktivismo Enhanced Source Software Licencse Agreement (HESSLA), network curmudgeon, and line cook. He will publish a book on information warfare in 2016. In this essay, Colonel Ruffin traces the history of Internet access in Dharamsala, and the factors at play in shaping it - mundane and maverick, familiar and outlier.

Monkeys would often climb up the poles to fool around with the routers forcing Yahel to fix a cage around them to make them “monkey-proof”
— Eric Brewer

War is an outmoded concept
— Dalai Lama

Dharamsala is on the frontline of the Indian internet, fuelled by information activists. Its transition from a sleepy hill station to the residence of the Dalai Lama and the Tibetan government in exile clearly politicised the region. The Tibetan diaspora was its primary network. Information flowed in and out of Dharamsala along conventional means. Students of Buddhism, backpackers, and tourists began to arrive after reading exotic press reports. And then almost overnight everything changed. The internet arrived and with it an explosion of content and possibility. Dharamsala transitioned again.

In 1959 the Dalai Lama (HHDL) escaped from Tibet to India after the Chinese invasion. And estimated six thousand monasteries and temples were destroyed by the Peoples Liberation Army and up to 1.2 million Tibetans - approximately one sixth of the population - were killed or died of starvation after China invaded Tibet in 1950. A large influx of Tibetan refugees followed HHDL which in turn made Dharamsala a popular tourist destination.

It is equally chaotic. Like much of touristic India it is full of shambolic hawkers in pursuit of the gora dollar; Israeli twenties fresh from the military and hot for bhang; American unicorns stinking of patchouli in their first pair of harem pants; and young Punjabi men drowning in beer on the weekends. Dharamsala is all of these things, and it is more. Dharamshala is a Hindi word loosely translated into English as 'spiritual dwelling' or 'sanctuary'.

The region is surrounded by pine forests. The Dalai Lama’s residence in McLeod Ganj and the headquarters of the Central Tibetan Administration (the Tibetan government in exile, or CTA) are also located in Dharamsala. Some folks from Delhi have remarked that when they’re in McLeod Ganj they have the feeling that they aren’t in India. Much of the architecture is in the Tibetan style and the diversity of town-life is atypical. The local Gaddi [tribal] community is supplemented by Kashmiri merchants and Tibetan vendors. Then there is the steady stream of tourists from every point on earth; many having come to study Tibetan culture and Buddhism. Even though HHDL arrived in this mountain town ten years before the first nodes of the internet were deployed, Dharamsala had become a hotbed of activism waiting to connect.

In the earliest days campaigning was contained within the Tibetan community, and the bustling Dharamsala of today had yet to emerge. But over time, year by year, volunteers from the outside would drift through. Most would work for a few weeks or a few months. Some would never leave. Networks were formed and the technologies of those times were worked overtime. Printing presses, fax machines, photocopiers, tape recorders, photography and, film. Everything was used to get the Tibetan message out, and all of these technologies were used to preserve Tibetan culture in ways that were forbidden in Chinese occupied Tibet. And steadily another technology was developing. The internet.

In 1986 the Education and Research Network (ERNET) was initiated by the Department of Electronics and transmitted India’s first email exchange. But email had rapidly been flourishing years before on military and university networks in the West. The push came from the outside to get Dharamsala on the internet and to think about email as an emerging communications alternative. In 1989 Indira Singh - a New York based computer consultant - envisioned a globally connected Dharamsala. And at the same time Thubten Samdup - a Tibetan living in Montreal - was wrestling with the problem of how to bring communication costs down. Ms. Singh sent the first email message over an ad-hoc telephone connection from Dharamsala to the Office of Tibet in New York.

“Hello from Dharamsala”, it said.

It did not take long to convince officials from the CTA that email and the internet were the future of communications from Dharamsala. While discussions of the technology caused many eyes to glaze over the economics did not: email was cheaper and faster than regular mail. The sell was that simple. Not to mention that Tibetan activists in North America and Europe were already using email. Thubten Samdup founded World Tibet Network News (WTN) on Usenet in 1992; and established eleven different listservs in different languages serving various verticals in the Tibetan diaspora. Although the internet existed in India at the time, it was rather rarefied. Research institutes and military networks primarily in urban centres formed the earliest nodes. The further and mountainous reaches of Dharamsala were not on the drawing board, until they were pushed onto the internet from the outside. In 1993 the International Centre for Human Rights and International Development in Montreal donated fifteen thousand dollars to buy three computers and set up email service for the CTA.

Other developments followed apace.

Back in 1989 when Ms. Singh first contemplated an interconnected Dharamsala another computer scientist was sorting out his own vision. Sir Tim Berners-Lee was fiddling with what was to become the World Wide Web. He released the code to the public on Christmas day 1990, and with that the seeds to the mainstreaming of the internet were planted. In 1995 the dial-up internet was introduced for the public in six major cities in India by VSNL. Dharamsala was not included in the rollout, but technical experts in the CTA had been quietly working behind the scenes. In cooperation with North American hackers the CTA’s official Website Tibet.net was launched in 1996 under the stewardship of Thubten Samdup. That same year Sabeer Bhatia, a U.S. based engineer from Bangalore released Hotmail, a free Web email service that garnered 100,000 Indian subscribers within the first three weeks.

The following year five Bay Area technical experts under the supervision of Dan Haig made a forty hour haul from San Francisco to Dharamsala. Their mission was to set up an intranet for the CTA using sixty thousand dollars of their own money, and carrying one hundred and sixty-five pounds of cables and hardware in their backpacks. The mountain had come to Muhammed if that metaphor is not too strained for Tibetan Buddhists. Once again Dharamsala’s international support network kickstarted the local process. Haig and his colleagues wired the seven ministries of the CTA and the Library of Tibetan Works and Archives giving them high-speed intranet connections. The also created and email system and dial-up service for many cultural institutions in the Dharamsala area that were too far away to be on the network.

For a town far away in the mountains full of monks and political refugees, Dharamsala was making great strides on the Indian internet. The next leap forward came in the form of an accidental activist. Yahel Ben-David had been a young officer in the Israeli Defence Forces, a successful Linux entrepreneur, and an avid hiker. When he got a call in 1998 to help the CTA install a satellite dish he jumped. What could be better than a three week working vacation in the mountains? Three weeks turned into three months; eventually he relocated to Dharamsala with his wife where he would spend the next eight years working on tech projects. For the next four years Ben-David developed a Local Area Network (LAN) for the CTA and switched everything to ethernet. Monasteries, the Dalai Lama’s private office, and NGOs were all connected. But Ben-David was still dissatisfied.

Given Dharamsala’s remoteness and the cost-prohibitive realities of proper infrastructure development, the region wouldn’t be seeing a high speed internet any time soon. Radio networks were a technical possibility but the cost of licensed solutions was prohibitive. WiFi could have been a solution but was to be illegal for public use until 2004, and then only indoors. Ben-David put his ham radio knowledge to use by tearing part every Linux SOHO (small office/home office) networking device he could find. He founded the Tibetan Technology Centre (TTC) with Phuntsok Dorjee, a non-profit technology company that would train local talent and develop bespoke routers. And finally in January 2005 the Indian government deregulated WiFi for public use. Within hours of that ruling Ben-David put up the first node of the Dharamsala Community Wireless Mesh Network. It had effectively become the first public WiFi network in the country.

Testing and tweaking the nodes was a continuous process. In addition to the demanding mountainous terrain environmental issues had to be factored in: Four distinct seasons which included a heavy monsoon; daily power outages; and last but not least, monkeys. They are particularly destructive creatures when they discover something new to play with. Ben-David settled on tamper-proof cages to encase the routers. Similarly the power outages were countered with solar panels. TTC was putting itself on the map for its innovations internationally, and Dharamsala began to attract more and more technical talent. The town that had once been the preserve of backpackers and Buddhists was broadening to include networking and security experts and open-source developers. None of this was lost on the Chinese intelligence community.

Dharamsala had been an embarrassment to the Chinese ever since the Dalai Lama escaped in 1959. The town has been constantly monitored as have been prominent activists and all of the Tibetan Support Groups. China was particularly displeased when Tibetan activists in Dharamsala partnered with the Cult of the Dead Cow (cDc) hacking group to protest Google’s operations in China. Increasingly Tibetans suffered targeted malware attacks. Listservs and networks were compromised and sensitive information about the CTA, Dalai Lama and activists found its way back to the Chinese intelligence community. A typical exploit of the time involved forged email headers appearing to come from a friendly source. It would include a PDF file containing a message of support. Once opened a friendly enough document would appear, however, it contained a modified version of a PDF-Encode vulnerability. The exploit silently dropped and ran a file called C:\Program Files\Update\winkey.exe. It was a keylogger that collected and sent everything typed on the affected machine to a server running in China. By 2008 Dharamsala appeared to be on the frontline of China’s cyber-espionage ambitions.

Security researchers at the University of Toronto were approached by the office of the Dalai Lama to examine its computers. Something wasn’t right. The ensuing investigation confirmed that malware had been installed on these machines. They were able to monitor the commands on the infected computers and discover the names of the documents exfiltrated from Dharamsala. Further investigation pointed to specific correspondence stolen and that those behind the attack had gained control of the email servers in the Dalai Lama’s office. One incident was particularly telling. After an email invitation was sent to a foreign diplomat, the Chinese government made a call to the same diplomat discouraging the meeting. And a young woman working for a Dharamsala group making chat connections between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet. She was shown copies of her chat sessions and ordered to stop her political activities. What followed was extraordinary.

The Toronto researchers discovered that the Dalai Lama’s Dharamsala network was completely compromised, and also those of Tibetan exile groups in India, Brussels, London, and New York. And then the kicker. Additionally their investigations revealed that the command and control centre infecting the computers from China had also taken over more than 1300 computers in 103 countries. Much of the malware had been attached embassies and foreign ministries, including the Indian embassy in Washington. What had originally been thought to be Chinese interference in the Dalai Lama’s affairs and those of the Tibetan Support Groups turned out to only be the tip of the iceberg. The researchers uncovered an international spying operation. But even when exposed and caught by compelling evidence, Chinese officials denied any involvement and dismissed the researchers report as propaganda.

Despite China’s cries of innocence, the Tibetan community took some satisfaction from the incident. They had been the objects of Chinese interference for years and now the world could see that they weren’t just being paranoid about Chinese hackers. It also garnered wider support in Dharamsala and the Tibetan diaspora for greater security awareness. Groups like Students for a Free Tibet and Tibet Action Institute who had been offering security workshops for years experienced increasing demand for their services. And one thing should also be noted. While the Tibetan community had been on the receiving end of computer hacking and online harassment for years, they never responded in kind. Dharamsala’s response to Chinese aggression has always been non-violent action, online and offline. Two examples come to mind.

The Dalai Lama had always wanted to be able to speak directly to the Chinese people. Thubten Samdup who had spearheaded a number of internet initiatives organised a group of Chinese speaking Tibetans to engage mainland Chinese via chat online. The strategy was simple. Let people on the other end know that they are chatting with Tibetans, and did they have any questions? The internet probed to be a great leveller and one by one some minds were cleared of disinformation about Tibet and the Dalai Lama. Even though this project met with modest success things were becoming worse in occupied Tibet. Beginning in 2009 Tibetans began self-immolating as a desperate form of non-violent protest. Were it not for a network of monks most of the details of the 138 immolations to date would not be known to the world.

From the first self-immolation China initiated an information blackout in Tibet. Foreign journalists were not allowed into Tibet and all communications networks were heavily monitored. However one man managed to get the message out. Gyanak Tsering is a Tibetan studying at the Kirti Monastery in Dharamsala. He escaped from Tibet in 1999 and began experimenting with the internet and mobile technology. Working with security experts in Dharamsala Mr. Tsering began to covertly transfer information to and from Tibet. Mobile phones are the primary communication devices in Tibet and increasingly smartphones are used to access the mobile Web. Whenever a self-immolation is reported in the press it is because Mr. Tsering has been sent the details from Tibet. When he has verified the details with three separate sources in Tibet he releases the information to the press. Some wags in Dharamsala refer to Mr. Tsering as the Jason Bourne Buddhist.

Technical innovation in Dharamsala has always been driven by necessity. Initially it was because the internet was cheaper and faster than conventional communications. Then WiFi development brought more people online because it was easier to deploy than conventional infrastructure. Whatever challenges were faced in Dharamsala there was always some workaround, and others began to notice. Largely as a result of the Dharamsala Community Wireless Mesh Network (later rechristened AirJaldi) open-source developers began flocking to the region. It is now one of India’s more attractive development hubs with IT conferences, new businesses, coding workshops, and hacker spaces. What was once a sleepy hill station emerged as a Tibetan refuge that adapted to the internet and proved that anything was possible.

Note: The post, including the image, is published under Creative Commons Attribution 4.0 International license, and copyright is retained by the author.

For more details visit https://cis-india.org/raw/blog_war-driving-in-lhasa-vegas

CIS submission to the UNGA WSIS+10 Review

jyoti — 2015-08-09T16:24:04Z

The Centre for Internet & Society (CIS) submitted its comments to the non-paper on the UNGA Overall Review of the Implementation of the WSIS outcomes, evaluating the progress made and challenges ahead.

To what extent has progress been made on the vision of the peoplecentred, inclusive and development oriented Information Society in the ten years since the WSIS?
The World Summit on the Information Society (WSIS) in 2003 and 2005 played an important role in encapsulating the potential of knowledge and information and communication technologies (ICT) to contribute to economic and social development. Over the past ten years, most countries have sought to foster the use of information and knowledge by creating enabling environment for innovation and through efforts to increase access. There have been interventions to develop ICT for development both at an international and national level through private sector investment, bilateral treaties and national strategies.

However, much of the progress made in the past ten years in terms of getting people connected and reaping the benefits of ICT has not been sufficiently peoplecentred, nor have they been sufficiently inclusive.

These developments have not been sufficiently peoplecentred, since governments across the world have been using the Internet as a monumental surveillance tool, invading people’s privacy without legitimate justifications, in an arbitrary manner without due care for reasonableness, proportionality, or democratic accountability. These developments have not been sufficiently peoplecentred, since the largest and most profitable Internet businesses — businesses that have more users than most nationstates have citizens, yet have one-sided terms of service — have eschewed core principles like open standards and interoperability that helped create the Internet and the World Wide Web, and instead promote silos.

We still reside in a world where development has been very lopsided, and ICTs have contributed to reducing some of these gulfs, while exacerbating others. For instance, persons with visual impairment are largely yet to reap the benefits of the Information Society due to a lack of attention paid to universal, while sighted persons have benefited far more; the ability of persons who don’t speak a language like English to contribute to global Internet governance discussions is severely limited; the spread of academic knowledge largely remains behind prohibitive paywalls.

As ICTs have grown both in sophistication and reach, much work remains to achieve the peoplecentred, inclusive and developmentoriented information society envisaged in WSIS. While the diffusion of ICTs has created new opportunities for development, even today less than half the world has access to broadband (with only eleven per cent of the world’s population having access to fixed broadband). See International Telecommunication Union, ICT Facts and Figures: The World in 2015.

Ninety per cent of people connected come from the industrialized countries — North America (thirty per cent), Europe (thirty per cent) and the AsiaPacific (thirty per cent). Four billion people from developing countries remain offline, representing two-thirds of the population residing in developing countries. Of the nine hundred and forty million people residing in Least Developed Countries (LDCs), only eighty-nine million use the Internet and only seven per cent of households have Internet access, compared with the world average of forty-six per cent. See International Telecommunication Union, ICT Facts and Figures: The World in 2015. This digital divide is first and foremost a question of access to basic infrastructure (like electricity).

Furthermore, there is a problem of affordability, all the more acute since in the South in comparison with countries of the North due to the high costs related to access to the connection. Further, linguistic, educational, cultural and content related barriers are also contributing to this digital divide. Growth of restrictive regimes around intellectual property, vision of the equal and connected society. Security of critical infrastructure with in light of ever growing vulnerabilities, the loss of trust following revelations around mass surveillance and a lack of consensus on how to tackle these concerns are proving to be a challenge to the vision of a connected information society. The WSIS+10 overall review is timely and a much needed intervention in assessing the progress made and planning for the challenges ahead.

There were two bodies as major outcomes of the WSIS process: the Internet Governance Forum and the Digital Solidarity Fund, with both of these largely failing to achieve their intended goals. The Internet Governance Forum, which is meant to be a leading example of “multi-stakeholder governance” is also a leading example of what the Multi-stakeholder Advisory Group (MAG) noted in 2010 as “‘black box’ approach”, with the entire process around the nomination and selection of the MAG being opaque. Indeed, when CIS requested the IGF Secretariat to share information on the nominators, we were told that this information will not be made private. Five years since the MAG lamented its own blackbox nature, things have scarcely improved. Further, analysis of MAG membership since 2006 shows that 26 persons have served for 6 years or more, with the majority of them being from government, industry, or the technical community. Unsurprisingly, 36 per cent of the MAG membership has come from the WEOG group, highlighting both deficiencies in the nomination/selection
process as well as the need for capacity building in this most important area. The Digital Solidarity Fund failed for a variety of reason, which we have analysed in a separate document annexed to this response.

What are the challenges to the implementation of WSIS outcomes?

Some of the key areas that need attention going forward and need to be addressed include:

Access to Infrastructure

Developing policies aimed at promoting innovation and increasing affordable access to hardware and software, and curbing the ill effects of the currentlyexcessive patent and copyright regimes.

Focussing global energies on solutions to lastmile access to the Internet in a manner that is not decoupled from developmental ground realities.
This would include policies on spectrum sharing, freeing up underutilized spectrum, and increasing unlicensed spectrum.
This would also include governmental policies on increasing competition among Internet providers at the last mile as well as at the backbone (both nationally and internationally), as well as commitments for investments in basic infrastructure such as an openaccess national fibreoptic backbone where the private sector investment is not sufficient.
Developing policies that encourage local Internet and communications infrastructure in the form of Internet exchange points, data centres, community broadcasting.

Access to Knowledges

As the Washington Declaration on IP and the Public Interest5 points out, the enclosure of the public domain and knowledge commons through expansive “intellectual property” laws and policies has only gotten worse with digital technologies, leading to an unjust allocation of information goods, and continuing royalty outflows from the global South to a handful of developing countries. This is not sustainable, and urgent action is needed to achieve more democratic IP laws, and prevent developments such as extra judicial enforcement mechanisms such as digital restrictions management systems from being incorporated within Web standards.
Aggressive development of policies and adoption of best practices to ensure that persons with disabilities are not treated as secondgrade citizens, but are able to fully and equally participate in and benefit from the Information Society.
Despite the rise of video content on the Internet, much of that has been in parts of the world with already high literacy, and language and illiteracy continue to pose barriers to full usage of the Internet.
While the Tunis Agenda highlighted the need to address communities marginalized in Information Society discourse, including youth, older persons, women, indigenous peoples, people with disabilities, and remote and rural communities, but not much progress has been seen on this front.

Rights, Trust, and Governance

Ensuring effective and sustainable participation especially from developing countries and marginalised communities. Developing governance mechanisms that are accountable, transparent and provide checks against both unaccountable commercial interests as well as governments.
Building citizen trust through legitimate, accountable and transparent governance mechanisms.
Ensuring cooperation between states as security is influenced by global foreign policy, and is of principal importance to citizens and consumers, and an enabler of other rights.
As the Manila Principles on Intermediary Liability show, uninformed intermediary liability policies, blunt and heavy handed regulatory measures, failing to meet the principles of necessity and proportionality, and a lack of consistency across these policies has resulted in censorship and other human rights abuses by governments and private parties, limiting individuals’ rights to free expression and creating an environment of uncertainty that also impedes innovation online. In developing, adopting, and reviewing legislation, policies and practices that govern the liability of intermediaries, interoperable and harmonized regimes that can promote innovation while respecting users’ rights in line with the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and the United Nations Guiding Principles on Business and Human Rights are needed and should be encouraged.
An important challenge before the Information Society is that of the rise of “quantified society”, where enormous amounts of data are generated constantly, leading to great possibilities and grave concerns regarding privacy and data protection.
Reducing tensions arising from the differences between cultural and digital nationalism including on issues such as data sovereignty, data localisation, unfair trade and the need to have open markets.
Currently, there is a lack of internationally recognized venues accessible to all stakeholders for not only discussing but also acting upon many of these issues.

What should be the priorities in seeking to achieve WSIS outcomes and progress towards the Information Society, taking into account emerging trends?
All the challenges mentioned above should be a priority in achieving WSIS outcomes and ensuring innovation to lead social and economic progress in society. Digital literacy, multilingualism and addressing privacy and user data related issues need urgent attention in the global agenda. Enabling increased citizen participation thus accounting for the diverse voices that make the Internet a unique medium should also be treated as priority. Renewing the IGF mandate and giving it teeth by adopting indicators for development and progress, periodic review and working towards tangible outcomes would be beneficial to achieving the goal of a connected information society.

What are general expectations from the WSIS + 10 High Level Meeting of the United Nations General Assembly?
We would expect the WSIS+10 High Level Meeting to endorse an outcome document that seeks to d evelop a comprehensive policy framework addressing the challenges highlighted above . It would also be beneficial, if the outcome document could identify further steps to assess development made so far, and actions for overcoming the identified challenges. Importantly, this should not only be aimed at governments, but at all stakeholders. This would be useful as a future road map for regulation and would also allow us to understand the impact of Internet on society.

What shape should the outcome document take?
The outcome document should be a resolution of the UN General Assembly, with high level policy statements and adopted agreements to work towards identified indicators. It should stress the urgency of reforms needed for ICT governance that is democratic, respectful of human rights and social justice and promotes participatory policymaking. The language should promote the use of technologies and institutional architectures of governance that ensure users’ rights over data and information and recognize the need to restrict abusive use of technologies including those used for mass surveillance. Further, the outcome document should underscore the relevance of the Universal Declaration of Human Rights, including civil, political, social, economic, and cultural rights, in the Information Society.

The outcome document should also acknowledge that certain issues such as security, ensuring transnational rights, taxation, and other such cross jurisdictional issues may need greater international cooperation and should include concrete steps on how to proceed on these issues. The outcome document should acknowledge the limited progress made through outcome-less multi-stakeholder governance processes such as the Internet Governance Forum, which favour status quoism, and seek to enable the IGF to be more bold in achieving its original goals, which are still relevant. It should be frank in its acknowledgement of the lack of consensus on issues such as “enhanced cooperation” and the “respective roles” of stakeholders in multi-stakeholder processes, as brushing these difficulties under the carpet won’t help in magically building consensus. Further, the outcome document should recognize that there are varied approaches to multi-stakeholder governance.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-unga-wsis-review

Rare Telugu religious and historical work preserved at Annamacharya library to come on Wikisource!

rahim — 2015-09-04T12:53:19Z

Telugu Wikipedia Community and the Centre for Internet & Society conducted a day long edit-a-thon at Annamaya Library on August 6, 2015 at Andhra Loyola College, Vijayawada.

Some of the rarest religious and historical works in Telugu language that are preserved in the Annamacharya library, Guntur are soon be made available to the public on the internet. With the cutting age tool like Telugu Wikipedia, a group of students of Andhra Loyola College, Vijayawada are going to start writing about various historical heritage of Andhra Prasadesh on Telugu Wikipedia tomorrow, the 6th August 2015. The Annamaya Library edit-a-thon that is being collaboratively organised by the Telugu Wikipedia community and The Centre for Internet and Society's Access To Knowledge programme is designed to teach students to enrich Telugu Wikipedia with the rare books available in the library. They will also contribute in writing about the rare books the library has been preserving for many years now—in Telugu, English and other seven Indian languages like Sanskrit, Kannada, Hindi and Tamil ranging over a few areas. The library is associated with Tirumala Tirupati Devasthanam Trust and has been active in the preservation of age-old Telugu religious literature with using cutting age digital technology. The library has done pioneering work in digitisation of notable Telugu poet Annamacharya's “Sankeertanas” in the past.

The Telugu Wikipedia is arguably the largest online encyclopedia in Telugu language with over 61,506 articles ranging from art to culture and from science to various humanities. Over 50 active editors edit the encyclopedia voluntarily. Similarly the Telugu Wikisource, a sister project of Wikipedia and an online library, is as rich as with 26,763 folios from many of the rarest books in Telugu language. Both the projects will now be primarily used to explore and open the great collection of Telugu language and literature preserved in the Annamaya library to masses.

The students from Andhra Loyola College along with senior Telugu Wikimedians Bhaskar Naidu and GullapalliNageshwara Rao will be participating in the edit-a-thon and create articles about the books at the library. Andhra Loyola College has been a partner of CIS-A2K since 2014 where 23 books of Telugu poet Shri Vireshalingama were digitised.


Image of a Wikipedia training for the staff at the Annamaya library, freely licesed by Viswanadh.B.K under CC-by-SA 3.0.

For more details visit https://cis-india.org/openness/rare-telugu-religious-and-historical-work-preserved-at-annamacharya-library-to-come-on-wikisource

Digital Activism in Asia Reader

sumandro — 2015-10-24T14:36:44Z

The digital turn might as well be marked as an Asian turn. From flash-mobs in Taiwan to feminist mobilisations in India, from hybrid media strategies of Syrian activists to cultural protests in Thailand, we see the emergence of political acts that transform the citizen from being a beneficiary of change to becoming an agent of change. In co-shaping these changes, what the digital shall be used for, and what its consequences will be, are both up for speculation and negotiation. Digital Activism in Asia marks a particular shift where these questions are no longer being refracted through the ICT4D logic, or the West’s attempts to save Asia from itself, but shaped by multiplicity, unevenness, and urgencies of digital sites and users in Asia. It is our great pleasure to present the Digital Activism in Asia Reader.

The Book

The Reader took shape over two workshops with a diverse range of participants, including activists, change-makers, and scholars, organised by the Researchers at Work (RAW) programme in June 2014 and March 2015. During the first workshop, the participants identified the authors, topics, and writings that should be included/featured in the reader, based upon their relevance in the grounded practices of the participants, who came from various Asian countries. The second workshop involved open discussions regarding how the selected readings should be annotated, from key further questions to strategies of introducing them, followed by development of the annotations by the participants of the workshop. The full list of contributors, annotators, and editors is mentioned at the end of the book.

We are grateful to the Meson Press for its generous and patience support throughout the development process of the book.

Please download, read, and share this open-access book from the Meson Press website.

The Reader has been edited by Nishant Shah, P.P. Sneha, and Sumandro Chattapadhyay, with support from Anirudh Sridhar, Denisse Albornoz, and Verena Getahun.

Excerpt from the Foreword

Compiling this Reader on Digital Activism in Asia is fraught with compelling challenges, because each of the key terms in the formulation of the title is sub-ject to multiple interpretations and fierce contestations. The construction of ‘Asia’ as a region, has its historical roots in processes of colonial technologies of cartography and navigation. Asia was both, a measured entity, mapped for resources to be exploited, and also a measure of the world, promising anorientation to the Western World’s own turbulent encounters. As Chen Kuan-Hsing points out in his definitive history of the region, Asia gets re-imagined as a ‘method’ in cold-war conflicts, becoming the territory to be assimilated through exports of different ideologies and cultural purports. Asia does not have its own sense of being aregion. The transactions, interactions, flows and exchanges between different countries and regions in Asia have been so entirely mediated by powers of colonisation that the region remains divided and reticent in its imagination of itself. However, by the turn of the 21st century, Asia has seen a new awakening. It finds a regional identity, which, surprisingly did not emerge from its consolidating presence in global economics or in globalised structures of trade and commerce. Instead, it finds a presence, for itself, through a series of crises of governance, of social order, of political rights, and of cultural productions, that binds it together in unprecedented ways.

The digital turn might as well be marked as an Asian turn, because with the new networks of connectivity, with Asian countries marking themselves as informatics hubs, working through a circulated logic of migrant labour and dis-tributed resources, there came a sense of immediacy, proximity, and urgencythat continues to shape the Asian imagination in a new way. In the last decade or so, the rapid changes that have emerged, creating multiple registers of modernity, identity, and community in different parts of Asia, accelerated by a seamless exchange of ideas, commodities, cultures, and people have created a new sense of the region as emerging through co-presence rather than competition and conflict. Simultaneously, the emergence of global capitals of information, labour and cultural export, have created new reference points by which the region creates its identities and networks that are no longer subject to the tyranny of Western hegemony...

While the digital remains crucial to this shaping of contemporary Asia, both in sustaining the developmental agenda that most of the countries espouse, and in opening up an inward looking gaze of statecraft and social organisation, the digital itself remains an ineffable concept. Largely because the digital is like a blackbox that conflates multiple registers of meaning and layers of life, it becomes important to unengineer it and see what it enables and hides. The economic presence of the digital is perhaps the most visible in telling the story of Asia in the now. Beginning with the dramatic development of Singapore as the centre of informatics governance and the emergence of a range of cities from Shanghai to Manilla and Bangalore to Tehran, there has been an accelerated narrative of economic growth and accumulation of capital that is often the global face of the Asian turn. However, this economic reordering is not a practice in isolation. It brings with it, a range of social stirrings that seek to overthrow traditional structures of oppression, corruption, control, and injustice that have often remained hidden in the closed borders of Asian countries. However, the digital marks a particular shift where these questions are no longer being excavated by the ICT4D logic, of the West’s attempts to save Asia from itself. These are questions that emerge from the ground, as more people interact with progressive and liberal politics and aspire not only for higher purchase powers but a better quality of rights. The digital turn has opened up a range of social and political rights based discourses, practices, and movements, where populations are holding their governments and countries responsible, accountable, and culpable in the face of personal and collective loss and injustice...

In the face of this multiplicity of digital sites and usages that are reconfiguring Asia, it is obvious then, that the very nature of what constitutes activism is changing as well. Organised civil society presence in Asia has often had a strong role in shaping modern nation states, but more often than not these processes were defined in the same vocabulary as that of the powers that they were fighting against. Marked by a strong sense of developmentalism and often working in complement to the state rather than keeping a check on the state’s activities, traditional activism in Asia has often suffered from the incapacity to scale and the inability to find alternatives to the state-defined scripts of development, growth and progress. In countries where literacy rates have been low, these movements also suffer from being conceived in philosophical and linguistic sophistry that escapes the common citizen and remains the playground of the few who have privileges afforded to them by class and region. Digital Activism, however, seems to have broken this language barrier, both internally and externally, allowing for new visualities enabled by ubiquitous computing to bring various stakeholders into the fray... At the same time, the digital itself has introduced new problems and concerns that are often glossed over, in the enthralling tale of progress. Concerns around digital divide, invasive practices of personal data gathering, the nexus of markets and governments that install the citizen/consumer in precarious conditions, and the re-emergence of organised conservative politics are also a part of the digital turn. Activism has had to focus not only on digital as a tool, but digital also as a site of protest and resistance...

The Reader does not offer an index of the momentous emergence with the growth of the digital or a chronological account of how digital activism in Asia has grown and shaped the region. Instead, the Reader attempts a crowd-sourced compilation that presents critical tools, organisations, theoretical concepts, political analyses, illustrative case-studies and annotations, that an emerging network of changemakers in Asia have identified as important in their own practices within their own contexts.

For more details visit https://cis-india.org/raw/digital-activism-in-asia-reader

Genetic Profiling: Is it all in the DNA?

praskrishna — 2015-09-13T09:47:17Z

A Bill seeks to make genetic profiling mandatory for the fight against crime—and generates a debate about the clash of ethics, freedom, science and data.

The article by Ullekh NP was published in Open Magazine on August 7, 2015. Sunil Abraham gave his inputs.

When British geneticist Sir Alec Jeffreys first developed the DNA profiling test 31 years ago in his laboratory at Leicester University, he didn’t help the police prove a man guilty. His test—back then it took weeks to complete DNA profiling procedures as opposed to a few hours now—proved that a rape suspect in police custody was innocent. Details from the whole exercise also subsequently helped the local police nab the real criminal, who had killed his teenaged rape victim. Later, the police found that he was the one who had committed a similar crime three years earlier in a village nearby. Britain was destined to make great gains in solving crimes thanks to DNA identification, while the rest of the developed world, including the US, caught up later, but only after lagging initially thanks to the relentless—and sometimes ill-founded—opposition from civil liberties activists. In India, the Human DNA Profiling Bill, 2015, a proposed law that envisages collecting DNA finger prints—which are unique to an individual—especially of criminals, has been in the making for the past 12 years. The draft bill, which will shortly be placed before the Union Cabinet for its nod, has been prepared by the Department of Biotechnology and the Centre for DNA Fingerprinting & Diagnostics (CDFD), a Hyderabad-based Central Government-run agency, after examining and reviewing submissions by a panel of experts, holding consultations with various stakeholders and getting responses from the public. Notwithstanding the claims of safeguards against any misuse of the intended DNA data base, activists, lawyers, internet freedom fighters, civil liberty activists and columnists have been up in arms against the Government, arguing that the DNA profiling bill is ill- conceived and naïve—to the extent that it would destroy an individual’s right to privacy as it lacks provisions to check data tampering.

The international experience has proved otherwise. Ever since Sir Jeffreys extracted DNA from human muscle tissue, identified and processed genetic markers (which are unique to individuals except in the case of identical twins) from what was until then considered ‘seemingly purposeless segments of the human DNA’ in the words of writers Peter Reinharz and Howard Safir, more than 500,000 ‘otherwise unsolvable’ cases have been solved in the developed world thanks to the DNA identification, note CDFD scientists. DNA is the hereditary material in the human body. It is found in blood, saliva, urine, strands of hair, semen, tears, skin, etcetera.

Dr Madhusudan Reddy Nandineni, staff scientist and group leader, laboratory of DNA fingerprinting services and laboratory of genomics and profiling applications, CDFD, is worried that opposition to the Bill is gaining momentum in India due to a raft of reasons. Of course, the West, too, has witnessed sharp protests against DNA profiling laws. One of the key reasons anti-profiling activists have an edge, says a senior Home Ministry official who asks not to be named, is that there is a “general public anxiety” over “anything to do with disclosing personal details”. He agrees that the tests are going to be intrusive, because muscle tissue may have to be collected from private parts. The procedure of DNA sample collection—as explained in the draft Bill submitted in January by a committee headed by TS Rao, senior adviser to the department of biotechnology—talks about obtaining intimate body samples of living persons (on page 6-7 of the 48- page document) from ‘the genital or anal area, the buttocks and also breasts in the case of a female’. According to the draft Bill, it also involves external examination of private parts, taking samples from pubic hair or by swabs or washing or by vacuum suction, by scraping or by lifting by tape and taking of a photograph or video recording of, or an impression or cast of a wound in those areas. “But then, it is par for the course,” says the Home Ministry official by way of justification.

American military historian and author Edward Luttwak agrees that DNA profiling is a significant intrusion into the “very body of a citizen”. That is the price one has to pay in the choice between liberty and equality before investigation, he posits. Luttwak is glad that in the US, as well as in other countries that have such profiling laws, DNA identification has yielded results. “It protects suspicious/ low status but innocent people from false accusations and helps to catch clever/high-status law-breakers,” he says.

+++

For his part, Dr Nandineni says that every aspect of the Human DNA Profiling Bill for India is based on similar legislation that has already been implemented in the US, Canada, UK, Australia and Continental Europe for more than 20 years. He also contends that the benefits that have accrued there are enormous, which India has missed out on for all these years. “In all these countries, the concerns of the general public on privacy matters have been allayed in their legislation,” he adds. He points out that the retention of DNA profiles in a ‘DNA Data Bank’ is meant to apprehend repeat offenders and thus serve a larger societal good. As regards privacy concerns, Dr Nandineni says that consultations on the preparations of the Bill lasted for 2-3 years and took into account the views of an expert committee whose members included representatives of NGOs.

Dr Nandineni is of the view that the opponents of the Bill have managed to get an upper hand in a national debate thanks to their media-savvy backgrounds. Agrees the Home Ministry official: “Perhaps the drafters of the Bill have not been communicative enough in getting their points across to the public and the media. Which might explain why the Bill has come under tremendous attack in the media. Even otherwise, global trends also show that civil liberty rights activists have had great initial advantage in their campaign against DNA profiling.” After all, the potential for misuse of DNA samples is not restricted to biological material collected under the provisions of the DNA Bill alone, Nandineni offers. “Any and every blood sample collected by a clinical laboratory has the same potential for misuse,” he says.

While Dr J Gowrishankar, director, CDFD, has been vocal about the positives of the Bill, its opponents have been louder. Many of those who oppose the Bill say the question is not one of being loud or feeble, but about being naïve or not.

The likes of Sunil Abraham, executive director of Bangalore-based internet research organisation Centre for Internet and Society (CIS), have no argument against DNA profiling being the gold standard for all forensic investigations. “There is nothing wrong with using DNA evidence for forensic purposes,” says Abraham, “However, the draft Bill is filled with techno-utopianism; it assumes that the people and machines that leverage DNA technologies are infallible.” He goes on, “This is not true. It is easier to tamper with DNA evidence than it is to tamper with a video recording. Therefore, all we are asking for are process checks that prevent compromised persons and machines from using DNA evidence to convict or exonerate the wrong person.” His contention is that if the DNA sample is sent to two different labs and both labs come back with exactly the same result, then the courts can be convinced of the veracity of the result. “Also the Bill says that DNA labs will give courts ‘yes’ or ‘no’ answers to questions related to DNA matching. But ideally, the lab must give the exact match percentage along with all the detailed information that emerges from the match process so that the court can fully appreciate the significance of the DNA evidence,” he suggests.

Abraham and legal scholar Usha Ramanathan—both members of the expert panel who filed notes of dissent and disagreed with various aspects of the Bill—have a problem with the claim that the proposed DNA data bank will cover only criminals and not the general public. Points out Ramanathan: “The Bill does not restrict the data base to criminals alone, not by a long shot. The provision in the proposed Bill reads: ‘(Clause 31(4)) Every DNA Data Bank shall maintain following indices for various categories of data, namely: (a) a crime scene index; (b) a suspects’ index; (c) an offenders’ index; (d) a missing persons’ index; (e) unknown deceased persons’ index; (f) a volunteers’ index; and (g) such other DNA indices as may be specified by regulations.’ That is an elaborate set of indices. There is certainly a lot of the ‘general public’ in it.”

Supporters of the DNA Profiling Bill have maintained that a DNA data bank is not for the public but only for a limited category of individuals. The proposed law also provides for storing profiles with the consent of relatives of missing children and grownups so that relationship identities can be established.

Ramanathan is also worried that apart from purposes of criminal justice, DNA profiling may be extended to parental disputes (maternity or paternity), issues related to pedigree, those related to assisted reproductive technologies (surrogacy, in vitro fertilisation or IVF, intrauterine implantation or IUI, and so on), to transplantation of human organs (donor and recipient) under the Transplantation of Human Organs Act, 1994, and also related to immigration or emigration. She had objected to the requirement of revealing a person’s caste in the application form for offering blood samples. “This Bill is certainly not a convict data base. The ambitions are much much vaster, and little to do with crime control,” she alleges.

Abraham agrees that some safeguards have been built in the proposed law to prevent any misuse of DNA data under pressure from expert panel members such as him. However, he says, cyber security and privacy-related issues are not addressed in a comprehensive manner. “The Bill basically hopes that the Privacy Bill will address all of this when it becomes law. But unfortunately, a bill could take 7-10 years before it becomes law,” he says.

Dr Gowrishankar of CDFD and others have conceded that it was the decision of the expert panel to include an enabling provision for the privacy issues of DNA profiling to comply with the proposed Privacy Bill.

Abraham says that various measures to prevent ‘privacy harms’ to volunteers are missing in the latest draft of the Bill. “Given that biometric technology works on probabilistic matching, the larger the size of the database, the larger the incidence of mistaken identification. Therefore it is important that the database remain as small as necessary,” he asserts.

+++

The estimated cost of the Bill is Rs 20 crore—to create the infrastructure for the DNA Profiling Board and the data bank, which includes buildings, furniture, computer servers and so on. Among other things, the DNA Profiling Board is tasked with the responsibility of laying down and implementing standards for laboratories and proper protocols for ‘Data Bank’ operations.

CDFD scientists and government officials are keen to highlight the ‘under- hyped’ benefits of DNA profiling –similar to the Innocence Project in the US, which was aimed at securing the release of people who were erroneously convicted on the basis of other lines of evidence. Abraham has no patience for such comparisons. “DNA profiling for forensic purposes is very advanced and sophisticated, but technologies do not exist in a vacuum,” he says, “These advanced technologies have to work within traditional institutions with vulnerabilities and flaws. We need to, therefore, have non-technological procedural fixes that ensure that these technologies are not compromised by money and power. The choice is between the right to privacy and the rights and requirements of the criminal justice process.”

Ramanathan agrees with that view. “In the Indian context, the state of investigation is so poor that we have been looking for ways of circumventing our problems, not addressing them. That is how narco-analysis began to be used, till the court struck it down. DNA may be more reliable than most other scientific tools available to us today, but it is not all about the science. We also have to worry about contamination, what happens in the chain of custody, its potential for being planted or otherwise abused, and the errors even in the laboratory. You may remember the avowed mix-up of results in the Aarushi [Talwar murder] case, something the lab said they noticed over two years after they had given it to the investigators. The danger of treating DNA as conclusive and not needing corroboration is exacerbated in this kind of a vulnerable system. Which is why bringing this into a DNA data base law and not putting any checks on criminal procedure is less than wise,” she elaborates. She is least impressed with the ‘idea’ of ‘pedigree’ and of ‘population genetics’ in the Bill. “Institutions like the CDFD have been collecting DNA from suspects and asking for the caste of the person on the form. How does this seem innocent and safeguarded?” she asks.

Meanwhile, columnist and author Salil Tripathi says that it is sheer hubris to think that technology will provide all the answers to crime-fighting. “Tech- nology is enormously useful and powerful, but it is value-neutral; it can be used for good or bad ends… There have to be sufficient safeguards, overseen not only by technologists, law enforcement officers and bureaucrats, but also by lawyers and civil liberties experts, who can point out potential flaws and misuse and prevent those.”

Tripathi, too, is piqued that one of the markers sought is of caste. “Why?” he asks, emphatic that the country’s people should be concerned about allowing the state so much power over their lives. “And it may not be only the state; given that the scope of its future expansion is undefined, what guarantees are there that private actors won’t have access to the data, and if so, what security protocols would apply?”

Dr Gowrishankar and Dr Nandineni are right in saying that without DNA fingerprinting, many international criminals would still be at liberty, and the opponents of the Bill do not disagree with the efficacy of the technique developed by Sir Jeffreys. Instead, they are placing the spotlight on various objectionable aspects in the proposed law. In a country which first needs—according to former RAW chief Vikram Sood—to ensure access to Photofit (a technique to create an accurate image of a person that gels with a witness’ description) for its ground-level police operatives to combat crime, critics of the Bill seem to have won the war of words.

For more details visit https://cis-india.org/internet-governance/news/open-magazine-august-7-2015-ullekh-np-genetic-profiling

India blocks access to 857 porn sites

pranesh — 2015-08-05T01:31:32Z

India has blocked free access to 857 porn sites in what it says is a move to prevent children from accessing them.

The story was published by BBC on August 3, 2015. Pranesh Prakash gave his inputs.

Adults will still be able to access the sites using virtual private networks (VPNs) or proxy servers. In July, the Supreme Court expressed its unhappiness over the government's inability to block sites, especially those featuring child pornography.

Telecom companies have said they will not be able to enforce the "ban" immediately.

"We have to block each site one by one and it will take a few days for all service providers to block all the sites," an unnamed telecom company executive told The Times of India newspaper.

A senior official, who preferred to remained unnamed, told the BBC Hindi that India's department of telecommunications had "advised" telecom operators and Internet service providers to "control free and open access" to 857 porn sites.

"There is no total ban. This was done in the backdrop of Supreme Court's observation on children having free access to porn sites. The idea is also to protect India's cultural fabric. This will not prevent adults from visiting porn sites," the official said.

In July, the top court had observed that it was not for the court to order a ban on porn sites.

"It is an issue for the government to deal with. Can we pass an interim order directing blocking of all adult websites? And let us keep in mind the possible contention of a person who could ask what crime have I committed by browsing adult websites in private within the four walls of my house. Could he not argue about his right to freedom to do something within the four walls of his house without violating any law?," the court said.

According to statistics released by adult site Pornhub, India was its fourth largest source of traffic in 2014, behind the US, UK and Canada. Pranesh Prakash of the Bangalore based Centre for Internet and Society said the directive to block the 857 sites was "the largest single order of its kind" in India.

"The government's reasoning that it is not a ban because adults can still access the porn sites is ridiculous," he told the BBC. The move has caused a great deal of comment on Indian social media networks, with many prominent personalities coming forward to condemn it.

Popular author Chetan Bhagat, writer and commentator Nilanjana Roy, politician Milind Deora and director Ram Gopal Varma have all added their voices to the debate.

For more details visit https://cis-india.org/internet-governance/news/bbc-news-august-3-2015-india-blocks-access-to-857-porn-sites

India launches crackdown on online porn

pranesh — 2015-08-05T01:21:12Z

India has launched a crackdown on internet pornography, banning access to more than 800 adult websites, including Playboy and Pornhub.

The article by James Crabtree published in Financial Times on August 3, 2015 quotes Pranesh Prakash.

The restrictions followed a ruling from India’s telecoms ministry ordering internet service providers, including international telecoms groups operating in the country such as the UK’s Vodafone, to block 857 such sites.

Prime Minister Narendra Modi’s government provided no public justification for the unexpected ban when it came into effect at the weekend. However, on Monday India’s telecoms ministry said that the order, issued under India’s Information Technology Act, had been prompted by comments made by a supreme court judge during a hearing in July.

The ministry said that the restrictions were temporary and did not amount to a “blanket” ban, arguing that internet users running virtual private networks, which can be used to access blocked sites, could still view the material. “It isn’t that they are being banned lock, stock and barrel,” the ministry said. “The justice noted that free and open access to these websites.... should be controlled, but these sites will continue to be available through the mechanism of a VPN.”

The crackdown is set to raise fresh concerns about sudden and sweeping legal restrictions in India, after the introduction of a ban on the sale of beef earlier this year in the western state of Maharashtra, a move that was supported by Mr Modi’s government. The ruling also drew criticism from legal experts following broader concerns about a recent rise in poorly-targeted internet rules, including some restrictions on global social media sites such as Facebook and Twitter.

Pranesh Prakash of the Bangalore-based Centre for Internet and Society think-tank questioned the basis of the ruling, describing it as a further example of a “clumsy” approach to online regulation.

“There is no proper justification that they have given for banning all porn, rather than child porn or revenge porn or something like that,” he said. “The reaction is heavy handed, and has been done under the cloak of secrecy.” The remarks by a judge cited by India’s government as a rationale for the ban were a comment made in court rather than a legal ruling, Mr Prakash added, casting further doubt on the basis for the restrictions.

India’s mix of strict regulation and conservative public morals mean explicit sexual content is almost unheard of in mainstream media, where Bollywood films seldom featuring more than a chaste on-screen embrace.However India’s fast-growing internet population of about 300m is now both the world’s second largest after China, and an increasingly important sources for traffic for global pornographic websites.

Pornhub, which is the world’s 66th most visited website according to ranking service Alexa, said Indians were the fourth largest national users of its content during 2014.

For more details visit https://cis-india.org/internet-governance/news/financial-times-james-crabtree-august-3-2015-india-launches-crackdown-on-online-porn

Policy Paper on Surveillance in India

vipul — 2015-08-03T15:27:41Z

This policy brief analyses the different laws regulating surveillance at the State and Central level in India and calls out ways in which the provisions are unharmonized. The brief then provides recommendations for the harmonization of surveillance law in India.

Introduction

The current legal framework for surveillance in India is a legacy of the colonial era laws that had been drafted by the British. Surveillance activities by the police are an everyday phenomenon and are included as part of their duties in the various police manuals of the different states. It will become clear from an analysis of the laws and regulations below, that whilst the police manuals cover the aspect of physical surveillance in some detail, they do not discuss the issue of interception of telephone or internet traffic. These issues are dealt with separately under the Telecom Act and the Information Technology Act and the Rules made thereunder, which are applicable to all security agencies and not just the police. Since the Indian laws deal with different aspects of surveillance under different legislations, the regulations dealing with this issue do not have any uniform standards. This paper therefore argues that the need of the hour is to have a single legislation which deals with all aspects of surveillance and interception in one place so that there is uniformity in the laws and practices of surveillance in the entire country.

Legal Regime

India does not have one integrated policy on surveillance and law enforcement and security agencies have to rely upon a number of different sectoral legislations to carry out their surveillance activities. These include:

1. Police Surveillance under Police Acts and Model Police Manual

Article 246(3) of the Constitution of India, read with Entry 2, List II, of the VIIth Schedule, empowers the States to legislate in matters relating to the police. This means that the police force is under the control of the state government rather than the Central government. Consequently, States have their own Police Acts to govern the conduct of the police force. Under the authority of these individual State Police Acts, rules are formulated for day-to-day running of the police. These rules are generally found in the Police Manuals of the individual states. Since a discussion of the Police Manual of each State with its small deviations is beyond the scope of this study, we will discuss the Model Police Manual issued by the Bureau of Police Research and Development.

As per the Model Police Manual, “surveillance and checking of bad characters” is considered to be one of the duties of the police force mentioned in the “Inventory of Police Duties, Functions and Jobs”.[1] Surveillance is also one of the main methods utilized by the police for preventing law and order situations and crimes.[2] As per the Manual the nature and degree of surveillance depends on the circumstances and persons on whom surveillance is mounted and it is only in very rare cases and on rare occasions that round the clock surveillance becomes necessary for a few days or weeks.[3]

Surveillance of History Sheeted Persons: Beat Police Officers should be fully conversant with the movements or changes of residence of all persons for whom history sheets of any category are maintained. They are required to promptly report the exact information to the Station House Officer (SHO), who make entries in the relevant registers. The SHO on the basis of this information reports, by the quickest means, to the SHO in whose jurisdiction the concerned person/persons are going to reside or pass through. When a history-sheeted person is likely to travel by the Railway, intimation of his movements should also be given to the nearest Railway Police Station.[4] It must be noted that the term “history sheet” or “history sheeter” is not defined either in the Indian Penal Code, 1860, most of the State Police Acts or the Model Police Manual, but it is generally understood and defined in the Oxford English Dictionary as persons with a criminal record.

Surveillance of “Bad Characters”: Keeping tabs on and getting information regarding “bad characters” is part of the duties of a beat constable. In the case of a “bad character” who is known to have gone to another State, the SHO of the station in the other state is informed using the quickest means possible followed by sending of a BC Roll 'A' directly to the SHO.[5] When a “bad character” absents himself or goes out of view, whether wanted in a case or not, the information is required to be disseminated to the police stations having jurisdiction over the places likely to be visited by him and also to the neighbouring stations, whether within the State or outside. If such person is traced and intimation is received of his arrest or otherwise, arrangements to get a complete and true picture of his activities are required to be made and the concerned record updated.[6]

The Police Manual clarifies the term “bad characters” to mean “offenders, criminals, or members of organised crime gangs or syndicates or those who foment or incite caste, communal violence, for which history sheets are maintained and require surveillance.”[7] A fascinating glimpse into the history of persons who were considered to be “bad characters” is contained in the article by Surjan Das & Basudeb Chattopadhyay in EPW[8] wherein they bring out the fact that in colonial times a number of the stereotypes propagated by the British crept into their police work as well. It appears that one did not have to be convicted to be a bad character, but people with a dark complexion, strong built, broad chins, deep-set eyes, broad forehead, short hair, scanty or goatee beard, marks on face, moustache, blunt nose, white teeth and monkey-face would normally fit the description of “bad characters”.

Surveillance of Suspicious Strangers: When a stranger of suspicious conduct or demeanour is found within the limits of a police station, the SHO is required to forward a BC Roll to the Police Station in whose jurisdiction the stranger claims to have resided. The receipt of such a roll is required to be immediately acknowledged and replied. If the suspicious stranger states that he resides in another State, a BC Roll is sent directly to the SHO of the station in the other State.[9] The manual however, does not define who a “suspicious stranger” is and how to identify one.

Release of Foreign Prisoners: Before a foreign prisoner (whose finger prints are taken for record) is released the Superintendent of Police of the district where the case was registered is required to send a report to the Director, I.B. through the Criminal Investigation Department informing the route and conveyance by which such person is likely to leave the country.[10]

Shadowing of convicts and dangerous persons: The Police Manual contains the following rules for shadowing the convicts on their release from jails:

(a) Dangerous convicts who are not likely to return to their native places are required to be shadowed. The fact, when a convict is to be shadowed is entered in the DCRB in the FP register and communicated to the Superintendent of Jails.

(b) The Police Officer deputed for shadowing an ex-convict is required to enter the fact in the notebook. The Police Officers area furnished with a challan indicating the particulars of the ex-convict marked for shadowing. This form is returned by the SHO of the area where the ex-convict takes up his residence or passes out of view to the DCRB / OCRS where the jail is situated, where it is put on record for further reference and action if any. Even though the subjects being shadowed are kept in view, no restraint is to put upon their movements on any account.[11]

Apart from the provisions discussed above, there are also provisions in the Police Manual regarding surveillance of convicts who have been released on medical grounds as well as surveillance of ex-convicts who are required to report their movements to the police as per the provisions of section 356 of the Code of Criminal Procedure.[12]

As noted above, the various police manuals are issued under the State Police Acts and they govern the police force of the specific states. The fact that each state has its own individual police manual itself leads to non-uniformity regarding standards and practices of surveillance. But it is not only the legislations at the State levels which lead to this problem, even legislation at the Central level, which are applicable to the country as a whole also have differing standards regarding different aspects of surveillance. In order to explore this further, we shall now discuss the central legislations dealing with surveillance.

2. The Indian Telegraph Act, 1885

Section 5 of the Indian Telegraph Act, 1885, empowers the Central Government and State Governments of India to order the interception of messages in two circumstances: (1) in the occurrence of any public emergency or in the interest of public safety, and (2) if it is considered necessary or expedient to do so in the interest of:[13]

the sovereignty and integrity of India; or
the security of the State; or
friendly relations with foreign states; or
public order; or
for preventing incitement to the commission of an offence.

The Supreme Court of India has specified the terms 'public emergency' and 'public safety', based on the following[14]:

"Public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large calling for immediate action. The expression 'public safety' means the state or condition of freedom from danger or risk for the people at large. When either of these two conditions are not in existence, the Central Government or a State Government or the authorised officer cannot resort to telephone tapping even though there is satisfaction that it is necessary or expedient so to do in the interests of it sovereignty and integrity of India etc. In other words, even if the Central Government is satisfied that it is necessary or expedient so to do in the interest of the sovereignty and integrity of India or the security of the State or friendly relations with sovereign States or in public order or for preventing incitement to the commission of an offence, it cannot intercept the message, or resort to telephone tapping unless a public emergency has occurred or the interest of public safety or the existence of the interest of public safety requires. Neither the occurrence of public emergency nor the interest of public safety are secretive conditions or situations. Either of the situations would be apparent to a reasonable person."

In 2007, Rule 419A was added to the Indian Telegraph Rules, 1951 framed under the Indian Telegraph Act which provided that orders on the interception of communications should only be issued by the Secretary in the Ministry of Home Affairs. However, it provided that in unavoidable circumstances an order could also be issued by an officer, not below the rank of a Joint Secretary to the Government of India, who has been authorised by the Union Home Secretary or the State Home Secretary.[15]

According to Rule 419A, the interception of any message or class of messages is to be carried out with the prior approval of the Head or the second senior most officer of the authorised security agency at the Central Level and at the State Level with the approval of officers authorised in this behalf not below the rank of Inspector General of Police, in the belowmentioned emergent cases:

in remote areas, where obtaining of prior directions for interception of messages or class of messages is not feasible; or
for operational reasons, where obtaining of prior directions for interception of message or class of messages is not feasible;

however, the concerned competent authority is required to be informed of such interceptions by the approving authority within three working days and such interceptions are to be confirmed by the competent authority within a period of seven working days. If the confirmation from the competent authority is not received within the stipulated seven days, such interception should cease and the same message or class of messages should not be intercepted thereafter without the prior approval of the Union Home Secretary or the State Home Secretary.[16]

Rule 419A also tries to incorporate certain safeguards to curb the risk of unrestricted surveillance by the law enforcement authorities which include the following:

Any order for interception issued by the competent authority should contain reasons for such direction and a copy of such an order should be forwarded to the Review Committee within a period of seven working days;[17]
Directions for interception should be issued only when it is not possible to acquire the information by any other reasonable means;[18]
The directed interception should include the interception of any message or class of messages that are sent to or from any person n or class of persons or relating to any particular subject whether such message or class of messages are received with one or more addresses, specified in the order being an address or addresses likely to be used for the transmission of communications from or to one particular person specified or described in the order or one particular set of premises specified or described in the order;[19]
The interception directions should specify the name and designation of the officer or the authority to whom the intercepted message or class of messages is to be disclosed to;[20]
The directions for interception would remain in force for sixty days, unless revoked earlier, and may be renewed but the same should not remain in force beyond a total period of one hundred and eighty days;[21]
The directions for interception should be conveyed to the designated officers of the licensee(s) in writing by an officer not below the rank of Superintendent of Police or Additional Superintendent of Police or the officer of the equivalent rank;[22]
The officer authorized to intercept any message or class of messages should maintain proper records mentioning therein, the intercepted message or class of messages, the particulars of persons whose message has been intercepted, the name and other particulars of the officer or the authority to whom the intercepted message or class of messages has been disclosed, etc.;[23]
All the requisitioning security agencies should designate one or more nodal officers not below the rank of Superintendent of Police or the officer of the equivalent rank to authenticate and send the requisitions for interception to the designated officers of the concerned service providers to be delivered by an officer not below the rank of Sub-Inspector of Police;[24]
Records pertaining to directions for interception and of intercepted messages should be destroyed by the competent authority and the authorized security and Law Enforcement Agencies every six months unless these are, or likely to be, required for functional requirements;[25]

According to Rule 419A, service providers \are required by law enforcement to intercept communications are required to comply with the following[26]:

Service providers should designate two senior executives of the company in every licensed service area/State/Union Territory as the nodal officers to receive and handle such requisitions for interception;[27]
The designated nodal officers of the service providers should issue acknowledgment letters to the concerned security and Law Enforcement Agency within two hours on receipt of intimations for interception;[28]
The system of designated nodal officers for communicating and receiving the requisitions for interceptions should also be followed in emergent cases/unavoidable cases where prior approval of the competent authority has not been obtained;[29]
The designated nodal officers of the service providers should forward every fifteen days a list of interception authorizations received by them during the preceding fortnight to the nodal officers of the security and Law Enforcement Agencies for confirmation of the authenticity of such authorizations;[30]
Service providers are required to put in place adequate and effective internal checks to ensure that unauthorized interception of messages does not take place, that extreme secrecy is maintained and that utmost care and precaution is taken with regards to the interception of messages;[31]

Service providers are held responsible for the actions of their employees. In the case of an established violation of license conditions pertaining to the maintenance of secrecy and confidentiality of information and unauthorized interception of communication, action shall be taken against service providers as per the provisions of the Indian Telegraph Act, and this shall not only include a fine, but also suspension or revocation of their license;[32]

Service providers should destroy records pertaining to directions for the interception of messages within two months of discontinuance of the interception of such messages and in doing so they should maintain extreme secrecy.[33]

Review Committee

Rule 419A of the Indian Telegraph Rules requires the establishment of a Review Committee by the Central Government and the State Government, as the case may be, for the interception of communications, as per the following conditions:[34]

(1) The Review Committee to be constituted by the Central Government shall consist of the following members, namely:

(a) Cabinet Secretary - Chairman

(b) Secretary to the Government of India in charge, Legal Affairs - Member

(2) The Review Committee to be constituted by a State Government shall consist of the following members, namely:

(a) Chief Secretary – Chairman

(b) Secretary Law/Legal Remembrancer in charge, Legal Affairs – Member

(3) The Review Committee meets at least once in two months and records its findings on whether the issued interception directions are in accordance with the provisions of sub-section (2) of Section 5 of the Indian Telegraph Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above it may set aside the directions and order for destruction of the copies of the intercepted message or class of messages;[35]

It must be noted that the Unlawful Activities (Prevention) Act, 1967, (which is currently used against most acts of urban terrorism) also allows for the interception of communications but the procedures and safeguards are supposed to be the same as under the Indian Telegraph Act and the Information Technology Act.[36]

3. Telecom Licenses

The telecom sector in India has seen immense activity in the last two decades ever since it was opened up to private competition. These last twenty years have seen a lot of turmoil and have offered a tremendous learning opportunity for the private players as well as the governmental bodies regulating the sector. Currently any entity wishing to get a telecom license is offered a UL (Unified License) which contains terms and conditions for all the services that a licensee may choose to offer. However there were a large number of other licenses before the current regime, and since the licenses have a long phase out, we have tried to cover what we believe are the four most important licenses issued to telecom operators starting with the CMTS License:

Cellular Mobile Telephony Services (CMTS) License

In terms of National Telecom Policy (NTP)-1994, the first phase of liberalization in mobile telephone service started with issue of 8 licenses for Cellular Mobile Telephony Services (CMTS) in the 4 metro cities of Delhi, Mumbai, Calcutta and Chennai to 8 private companies in November 1994. Subsequently, 34 licenses for 18 Territorial Telecom Circles were also issued to 14 private companies during 1995 to 1998. During this period a maximum of two licenses were granted for CMTS in each service area and these licensees were called 1st & 2nd cellular licensees.[37] Consequent upon announcement of guidelines for Unified Access (Basic & Cellular) Services licenses on 11.11.2003, some of the CMTS operators were permitted to migrate from CMTS License to Unified Access Service License (UASL) but currently no new CMTS and Basic service licenses are being awarded after issuing the guidelines for Unified Access Service Licence (UASL).

The important provisions regarding surveillance in the CMTS License are listed below:

Facilities for Interception: The CMTS License requires the Licensee to provide necessary facilities to the designated authorities for interception of the messages passing through its network.[38]

Monitoring of Telecom Traffic: The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the Licensor or its nominee have the right to monitor the telecommunication traffic in every MSC or any other technically feasible point in the network set up by the licensee. The Licensee is required to make arrangement for monitoring simultaneous calls by Government security agencies. The hardware at licensee’s end and software required for monitoring of calls shall be engineered, provided/installed and maintained by the Licensee at licensee’s cost. In case the security agencies intend to locate the equipment at licensee’s premises for facilitating monitoring, the licensee is required to extend all support in this regard including space and entry of the authorised security personnel. The interface requirements as well as features and facilities as defined by the Licensor are to be implemented by the licensee for both data and speech. The Licensee is also required to ensure suitable redundancy in the complete chain of Monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls.[39]

Monitoring Records to be maintained: Along with the monitored call following records are to be made available:

Called/calling party mobile/PSTN numbers.
Time/date and duration of interception.
Location of target subscribers. Cell ID should be provided for location of the target subscriber. However, Licensor may issue directions from time to time on the precision of location, based on technological developments and integration of Global Positioning System (GPS) which shall be binding on the LICENSEE.
Telephone numbers if any call-forwarding feature has been invoked by target subscriber.
Data records for even failed call attempts.
CDR (Call Data Record) of Roaming Subscriber.

The Licensee is required to provide the call data records of all the specified calls handled by the system at specified periodicity, as and when required by the security agencies.[40]

Protection of Privacy: It is the responsibility of the Licensee to ensure the protection of privacy of communication and ensure unathorised interception of messages does not take place.[41]

License Agreement for Provision of Internet Services (ISP License)

Internet services were launched in India on 15th August, 1995 by Videsh Sanchar Nigam Limited. In November, 1998, the Government opened up the sector for providing Internet services by private operators. The major provisions dealing with surveillance contained in the ISP License are given below:

Authorization for monitoring: Monitoring shall only be by the authorization of the Union Home Secretary or Home Secretaries of the States/Union Territories.[42]

Access to subscriber list by authorized intelligence agencies and licensor: The complete and up to date list of subscribers will be made available by the ISP on a password protected website – accessible to authorized intelligence agencies.[43] Information such as customer name, IP address, bandwidth provided, address of installation, data of installation, contact number and email of leased line customers shall be included in the website.[44] The licensor or its representatives will also have access to the Database relating to the subscribers of the ISP which is to be available at any instant.[45]

Right to monitor by the central/state government: The designated person of the central/state government or the licensor or nominee will have the right to monitor telecommunications traffic in every node or any other technically feasible point in the network. To facilitate this, the ISP must make arrangements for the monitoring of simultaneous calls by the Government or its security agencies.[46]

Right of DoT to monitor: DoT will have the ability to monitor customers who generate high traffic value and verify specified user identities on a monthly basis.[47]

Provision of mirror images: Mirror images of the remote access information should be made available online for monitoring purposes.[48] A safeguard provided for in the license is that remote access to networks is only allowed in areas approved by the DOT in consultation with the Security Agencies.[49]

Provision of information stored on dedicated transmission link: The ISP will provide the login password to DOT and authorized Government agencies on a monthly basis for access to information stored on any dedicated transmission link from ISP node to subscriber premises.[50]

Provision of subscriber identity and geographic location: The ISP must provide the traceable identity and geographic location of their subscribers, and if the subscriber is roaming – the ISP should try to find traceable identities of roaming subscribers from foreign companies.[51]

Facilities for monitoring: The ISP must provide the necessary facilities for continuous monitoring of the system as required by the licensor or its authorized representatives.[52]

Facilities for tracing: The ISP will also provide facilities for the tracing of nuisance, obnoxious or malicious calls, messages, or communications. These facilities are to be provided specifically to authorized officers of the Government of India (police, customs, excise, intelligence department) when the information is required for investigations or detection of crimes and in the interest of national security.[53]

Facilities and equipment to be specified by government: The types of interception equipment to be used will be specified by the government of India.[54] This includes the installation of necessary infrastructure in the service area with respect to Internet Telephony Services offered by the ISP including the processing, routing, directing, managing, authenticating the internet calls including the generation of Call Details Record, IP address, called numbers, date, duration, time, and charge of the internet telephony calls.[55]

Facilities for surveillance of mobile terminal activity: The ISP must also provide the government facilities to carry out surveillance of Mobile Terminal activity within a specified area whenever requested.[56]

Facilities for monitoring international gateway: As per the requirements of security agencies, every international gateway location having a capacity of 2 Mbps or more will be equipped will have a monitoring center capable of monitoring internet telephony traffic.[57]

Facilities for monitoring in the premise of the ISP: Every office must be at least 10x10 with adequate power, air conditioning, and accessible only to the monitoring agencies. One local exclusive telephone line must be provided, and a central monitoring center must be provided if the ISP has multiple nodal points.[58]

Protection of privacy: There is a responsibility on the ISP to protect the privacy of its communications transferred over its network. This includes securing the information and protecting against unauthorized interception, unauthorized disclosure, ensure the confidentiality of information, and protect against over disclosure of information- except when consent has been given.[59]

Log of users: Each ISP must maintain an up to date log of all users connected and the service that they are using (mail, telnet, http, etc). The ISPs must also log every outward login or telnet through their computers. These logs as well as copies of all the packets must be made available in real time to the Telecom Authority.[60]

Log of internet leased line customers: A record of each internet leased line customer should be kept along with details of connectivity, and reasons for taking the link should be kept and made readily available for inspection.[61]

Log of remote access activities: The ISP will also maintain a complete audit trail of the remote access activities that pertain to the network for at least six months. This information must be available on request for any agency authorized by the licensor.[62]

Monitoring requirements: The ISP must make arrangements for the monitoring of the telecommunication traffic in every MSC exchange or any other technically feasible point, of at least 210 calls simultaneously.[63]

Records to be made available:

CDRS: When required by security agencies, the ISP must make available records of i) called/calling party mobile/PSTN numbers ii) time/date and duration of calls iii) location of target subscribers and from time to time precise location iv) telephone numbers – and if any call forwarding feature has been evoked – records thereof v) data records for failed call attempts vi) CDR of roaming subscriber.[64]
Bulk connections: On a monthly basis, and from time to time, information with respect to bulk connections shall be forwarded to DoT, the licensor, and security agencies.[65]
Record of calls beyond specified threshold: Calls should be checked, analyzed, and a record maintained of all outgoing calls made by customers both during the day and night that exceed a set threshold of minutes. A list of suspected subscribers should be created by the ISP and should be informed to DoT and any officer authorized by the licensor at any point of time.[66]
Record of subscribers with calling line identification restrictions: Furthermore, a list of calling line identification restriction subscribers with their complete address and details should be created on a password protected website that is available to authorized government agencies.[67]

Unified Access Services (UAS) License

Unified Access Services operators provide services of collection, carriage, transmission and delivery of voice and/or non-voice messages within their area of operation, over the Licensee’s network by deploying circuit and/or packet switched equipment. They may also provide Voice Mail, Audiotex services, Video Conferencing, Videotex, E-Mail, Closed User Group (CUG) as Value Added Services over its network to the subscribers falling within its service area on a non-discriminatory basis.

The terms of providing the services are regulated under the Unified Access Service License (UASL) which also contains provisions regarding surveillance/interception. These provisions are regularly used by the state agencies to intercept telephonic and data traffic of subscribers. The relevant terms of the UASL dealing with surveillance and interception are discussed below:

Confidentiality of Information: The Licensee cannot employ bulk encryption equipment in its network. Any encryption equipment connected to the Licensee’s network for specific requirements has to have prior evaluation and approval of the Licensor or officer specially designated for the purpose. However, any encryption equipment connected to the Licensee’s network for specific requirements has to have prior evaluation and approval of the Licensor or officer specially designated for the purpose. However, the Licensee has the responsibility to ensure protection of privacy of communication and to ensure that unauthorised interception of messages does not take place.[68] The Licensee shall take necessary steps to ensure that the Licensee and any person(s) acting on its behalf observe confidentiality of customer information.[69]

Responsibility of the Licensee: The Licensee has to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business to whom it provides the service and from whom it has acquired such information by virtue of the service provided and shall use its best endeavors to secure that :

No person acting on behalf of the Licensee or the Licensee divulges or uses any such information except as may be necessary in the course of providing such service to the third party; and
No such person seeks such information other than is necessary for the purpose of providing service to the third party.[70]

Provision of monitoring facilities: Requisite monitoring facilities /equipment for each type of system used, shall be provided by the service provider at its own cost for monitoring as and when required by the licensor.[71] The license also requires the Licensee to provide necessary facilities to the designated authorities for interception of the messages passing through its network.[72] The licensor in this case is the President of India, as the head of the State, therefore all references to the term licensor can be assumed to be to the government of India (which usually acts through the department of telecom (DOT). For monitoring traffic, the licensee company has to provide access of their network and other facilities as well as to books of accounts to the security agencies.[73]

Monitoring by Designated Person: The designated person of the Central/ State Government as conveyed to the Licensor from time to time in addition to the Licensor or its nominee has the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG or any other technically feasible point in the network set up by the Licensee. The Licensee is required to make arrangement for monitoring simultaneous calls by Government security agencies. The hardware at Licensee’s end and software required for monitoring of calls shall be engineered, provided/installed and maintained by the Licensee at Licensee’s cost. However, the respective Government instrumentality bears the cost of user end hardware and leased line circuits from the MSC/ Exchange/MGC/MG to the monitoring centres to be located as per their choice in their premises or in the premises of the Licensee. In case the security agencies intend to locate the equipment at Licensee’s premises for facilitating monitoring, the Licensee should extend all support in this regard including space and entry of the authorized security personnel. The Licensee is required to implement the interface requirements as well as features and facilities as defined by the Licensor for both data and speech. The Licensee is to ensure suitable redundancy in the complete chain of Monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies.[74]

Monitoring Records to be maintained: Along with the monitored call following records are to be made available:

Called/calling party mobile/PSTN numbers.
Time/date and duration of interception.
Location of target subscribers. Cell ID should be provided for location of the target subscriber. However, Licensor may issue directions from time to time on the precision of location, based on technological developments and integration of Global Positioning System (GPS) which shall be binding on the LICENSEE.
Telephone numbers if any call-forwarding feature has been invoked by target subscriber.
Data records for even failed call attempts.
CDR (Call Data Record) of Roaming Subscriber.

The Licensee is required to provide the call data records of all the specified calls handled by the system at specified periodicity, as and when required by the security agencies.[75]

List of Subscribers: The complete list of subscribers shall be made available by the Licensee on their website (having password controlled access), so that authorized Intelligence Agencies are able to obtain the subscriber list at any time, as per their convenience with the help of the password.[76] The Licensor or its representative(s) have an access to the Database relating to the subscribers of the Licensee. The Licensee shall also update the list of his subscribers and make available the same to the Licensor at regular intervals. The Licensee shall make available, at any prescribed instant, to the Licensor or its authorized representative details of the subscribers using the service.[77] The Licensee must provide traceable identity of their subscribers,[78] and should be able to provide the geographical location (BTS location) of any subscriber at a given point of time, upon request by the Licensor or any other agency authorized by it.[79]

CDRs for Large Number of Outgoing Calls: The call detail records for outgoing calls made by subscribers making large number of outgoing calls day and night and to the various telephone numbers should be analyzed. Normally, no incoming call is observed in such cases. This can be done by running special programs for this purpose.[80] Although this provision itself does not say that it is limited to bulk subscribers (subscribers with more than 10 lines), it is contained as a sub-clause of section 41.19 which talks about specific measures for bulk subscribers, therefore it is possible that this provision is limited only to bulk subscribers and not to all subscribers.

No Remote Access to Suppliers: Suppliers/manufacturers and affiliate(s) are not allowed any remote access to the be enabled to access Lawful Interception System(LIS), Lawful Interception Monitoring(LIM), Call contents of the traffic and any such sensitive sector/data, which the licensor may notify from time to time, under any circumstances.[81] The Licensee is also not allowed to use remote access facility for monitoring of content.[82] Further, suitable technical device is required to be made available at Indian end to the designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes.[83]

Monitoring as per the Rules under Telegraph Act: In order to maintain the privacy of voice and data, monitoring shall be in accordance with rules in this regard under Indian Telegraph Act, 1885.[84] It interesting to note that the monitoring under the UASL license is required to be as per the Rules prescribed under the Telegraph Act, but no mention is made of the Rules under the Information Technology Act.

Monitoring from Centralised Location: The Licensee has to ensure that necessary provision (hardware/ software) is available in its equipment for doing lawful interception and monitoring from a centralized location.[85]

Unified License (UL)

The National Telecom Policy - 2012 recognized the fact that the evolution from analog to digital technology has facilitated the conversion of voice, data and video to the digital form which are increasingly being rendered through single networks bringing about a convergence in networks, services and devices. It was therefore felt imperative to move towards convergence between various services, networks, platforms, technologies and overcome the incumbent segregation of licensing, registration and regulatory mechanisms in these areas. It was for this reason that the Government of India decided to move to the Unified License regime under which service providers could opt for all or any one or more of a number of different services.[86]

Provision of interception facilities by Licensee: The UL requires that the requisite monitoring/ interception facilities /equipment for each type of service, should be provided by the Licensee at its own cost for monitoring as per the requirement specified by the Licensor from time to time.[87] The Licensee is required to provide necessary facilities to the designated authorities of Central/State Government as conveyed by the Licensor from time to time for interception of the messages passing through its network, as per the provisions of the Indian Telegraph Act.[88]

Bulk encryption and unauthorized interception: The UL prohibits the Licensee from employing bulk encryption equipment in its network. Licensor or officers specially designated for the purpose are allowed to evaluate any encryption equipment connected to the Licensee’s network. However, it is the responsibility of the Licensee to ensure protection of privacy of communication and to ensure that unauthorized interception of messages does not take place.[89] The use of encryption by the subscriber shall be governed by the Government Policy/rules made under the Information Technology Act, 2000.[90]

Safeguarding of Privacy and Confidentiality: The Licensee shall take necessary steps to ensure that the Licensee and any person(s) acting on its behalf observe confidentiality of customer information.[91] Subject to terms and conditions of the license, the Licensee is required to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business to whom it provides services and from whom it has acquired such information by virtue of the service provided and shall use its best endeavors to secure that: a) No person acting on behalf of the Licensee or the Licensee divulges or uses any such information except as may be necessary in the course of providing such service; and b) No such person seeks such information other than is necessary for the purpose of providing service to the third party.

Provided the above para does not apply where: a) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or b) The information is already open to the public and otherwise known.[92]

No Remote Access to Suppliers: Suppliers/manufacturers and affiliate(s) are not allowed any remote access to the be enabled to access Lawful Interception System(LIS), Lawful Interception Monitoring(LIM), Call contents of the traffic and any such sensitive sector/data, which the licensor may notify from time to time, under any circumstances.[93] The Licensee is also not allowed to use remote access facility for monitoring of content.[94] Further, suitable technical device is required to be made available at Indian end to the designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes.[95]

Monitoring as per the Rules under Telegraph Act: In order to maintain the privacy of voice and data, monitoring shall be in accordance with rules in this regard under Indian Telegraph Act, 1885.[96] Just as in the UASL, the monitoring under the UL license is required to be as per the Rules prescribed under the Telegraph Act, but no mention is made of the Rules under the Information Technology Act.

Terms specific to various services

Since the UL License intends to cover all services under a single license, in addition to the general terms and conditions for interception, it also has terms for each specific service. We shall now discuss the terms for interception specific to each service offered under the Unified License.

Access Service: The designated person of the Central/ State Government, in addition to the Licensor or its nominee, shall have the right to monitor the telecommunication traffic in every MSC/ Exchange/ MGC/ MG/ Routers or any other technically feasible point in the network set up by the Licensee. The Licensee is required to make arrangement for monitoring simultaneous calls by Government security agencies. For establishing connectivity to Centralized Monitoring System, the Licensee at its own cost shall provide appropriately dimensioned hardware and bandwidth/dark fibre upto a designated point as required by Licensor from time to time. In case the security agencies intend to locate the equipment at Licensee’s premises for facilitating monitoring, the Licensee should extend all support in this regard including space and entry of the authorized security personnel.

The Interface requirements as well as features and facilities as defined by the Licensor should be implemented by the Licensee for both data and speech. The Licensee should ensure suitable redundancy in the complete chain of Lawful Interception and Monitoring equipment for trouble free operations of monitoring of at least 480 simultaneous calls as per requirement with at least 30 simultaneous calls for each of the designated security/ law enforcement agencies. Each MSC of the Licensee in the service area shall have the capacity for provisioning of at least 3000 numbers for monitoring. Presently there are ten (10) designated security/ law enforcement agencies. The above capacity provisions and no. of designated security/ law enforcement agencies may be amended by the Licensor separately by issuing instructions at any time.

Along with the monitored call following records are to be made available:

Called/calling party mobile/PSTN numbers.
Time/date and duration of interception.
Location of target subscribers. Cell ID should be provided for location of the target subscriber. However, Licensor may issue directions from time to time on the precision of location, based on technological developments and integration of Global Positioning System (GPS) which shall be binding on the LICENSEE.
Telephone numbers if any call-forwarding feature has been invoked by target subscriber.
Data records for even failed call attempts.
CDR (Call Data Record) of Roaming Subscriber.

The Licensee is required to provide the call data records of all the specified calls handled by the system at specified periodicity, as and when required by the security agencies.[97]

The call detail records for outgoing calls made by those subscribers making large number of outgoing calls day and night to the various telephone numbers with normally no incoming calls, is required to be analyzed by the Licensee. The service provider is required to run special programme, devise appropriate fraud management and prevention programme and fix threshold levels of average per day usage in minutes of the telephone connection; all telephone connections crossing the threshold of usage are required to be checked for bona fide use. A record of check must be maintained which may be verified by Licensor any time. The list/details of suspected subscribers should be informed to the respective TERM Cell of DoT and any other officer authorized by Licensor from time to time.[98]

The Licensee shall provide location details of mobile customers as per the accuracy and time frame mentioned in the Unified License. It shall be a part of CDR in the form of longitude and latitude, besides the co-ordinate of the BTS, which is already one of the mandated fields of CDR. To start with, these details will be provided for specified mobile numbers. However, within a period of 3 years from effective date of the Unified License, location details shall be part of CDR for all mobile calls.[99]

Internet Service: The Licensee is required to maintain CDR/IPDR for Internet including Internet Telephony Service for a minimum period of one year. The Licensee is also required to maintain log-in/log-out details of all subscribers for services provided such as internet access, e-mail, Internet Telephony, IPTV etc. These logs are to be maintained for a minimum period of one year. For the purpose of interception and monitoring of traffic, the copies of all the packets originating from / terminating into the Customer Premises Equipment (CPE) shall be made available to the Licensor/Security Agencies. Further, the list of Internet Lease Line (ILL) customers is to be placed on a password protected website in the format prescribed in the Unified License.[100]

Lawful Interception and Monitoring (LIM) systems of requisite capacities are to be set up by the Licensees for Internet traffic including Internet telephony traffic through their Internet gateways and /or Internet nodes at their own cost, as per the requirement of the security agencies/Licensor prescribed from time to time. The cost of maintenance of the monitoring equipment and infrastructure at the monitoring centre located at the premises of the licensee shall be borne by the Licensee. In case the Licensee obtains Access spectrum for providing Internet Service / Broadband Wireless Access using the Access Spectrum, the Licensee shall install the required Lawful Interception and Monitoring systems of requisite capacities prior to commencement of service. The Licensee, while providing downstream Internet bandwidth to an Internet Service provider is also required to ensure that all the traffic of downstream ISP passing through the Licensee’s network can be monitored in the network of the Licensee. However, for nodes of Licensee having upstream bandwidth from multiple service providers, the Licensee may be mandated to install LIM/LIS at these nodes, as per the requirement of security agencies. In such cases, upstream service providers may not be required to monitor this bandwidth.[101]

In case the Licensee has multiple nodes/points of presence and has capability to monitor the traffic in all the Routers/switches from a central location, the Licensor may accept to monitor the traffic from the said central monitoring location, provided that the Licensee is able to demonstrate to the Licensor/Security Agencies that all routers / switches are accessible from the central monitoring location. Moreover, the Licensee would have to inform the Licensor of every change that takes place in their topology /configuration, and ensure that such change does not make any routers/switches inaccessible from the central monitoring location. Further, Office space of 10 feet x 10 feet with adequate and uninterrupted power supply and air-conditioning which is physically secured and accessible only to the monitoring agencies shall be provided by the Licensee at each Internet Gateway location at its cost.[102]

National Long Distance (NLD) Service: The requisite monitoring facilities are required to be provided by the Licensee as per requirement of Licensor. The details of leased circuit provided by the Licensee is to be provided monthly to security agencies & DDG (TERM) of the Licensed Service Area where the licensee has its registered office.[103]

International Long Distance (ILD) Service: Office space of 20’x20’ with adequate and uninterrupted power supply and air-conditioning which is physically secured and accessible only to the personnel authorized by the Licensor is required to be provided by the Licensee at each Gateway location free of cost.[104] The cost of monitoring equipment is to be borne by the Licensee. The installation of the monitoring equipment at the ILD Gateway Station is to be done by the Licensee. After installation of the monitoring equipment, the Licensee shall get the same inspected by monitoring /security agencies. The permission to operate/commission the gateway will be given only after this.[105]

The designated person of the Central/ State Government, in addition to the Licensor or its nominee, has the right to monitor the telecommunication traffic in every ILD Gateway / Routers or any other technically feasible point in the network set up by the Licensee. The Licensee is required to make arrangement for monitoring simultaneous calls by Government security agencies. For establishing connectivity to Centralized Monitoring System, the Licensee, at its own cost, is required to provide appropriately dimensioned hardware and bandwidth/dark fibre upto a designated point as required by Licensor from time to time. In case the security agencies intend to locate the equipment at Licensee’s premises for facilitating monitoring, the Licensee should extend all support in this regard including Space and Entry of the authorized security personnel. The Interface requirements as well as features and facilities as defined by the Licensor should be implemented by the Licensee for both data and speech. The Licensee should ensure suitable redundancy in the complete chain of Monitoring equipment for trouble free operations of monitoring of at least 480 simultaneous calls as per requirement with at least 30 simultaneous calls for each of the designated security/ law enforcement agencies. Each ILD Gateway of the Licensee shall have the capacity for provisioning of at least 5000 numbers for monitoring. Presently there are ten (10) designated security/ law enforcement agencies. The above capacity provisions and number of designated security/ law enforcement agencies may be amended by the Licensor separately by issuing instructions at any time.[106]

The Licensee is required to provide the call data records of all the specified calls handled by the system at specified periodicity, as and when required by the security agencies in the format prescribed from time to time.[107]

Global Mobile Personal Communication by Satellite (GMPCS) Service: The designated Authority of the Central/State Government shall have the right to monitor the telecommunication traffic in every Gateway set up in India. The Licensee shall make arrangement for monitoring of calls as specified in the Unified License.[108]

The hardware/software required for monitoring of calls shall be engineered, provided/installed and maintained by the Licensee at the ICC (Intercept Control Centre) to be established at the GMPCS Gateway(s) as also in the premises of security agencies at Licensee’s cost. The Interface requirements as well as features and facilities shall be worked out and implemented by the Licensee for both data and speech. The Licensee should ensure suitable redundancy in the complete chain of Monitoring equipment for trouble free operations. The Licensee shall provide suitable training to the designated representatives of the Licensor regarding operation and maintenance of Monitoring equipment (ICC & MC). Interception of target subscribers using messaging services should also be provided even if retrieval is carried out using PSTN links. For establishing connectivity to Centralized Monitoring System, the Licensee at its own cost shall provide appropriately dimensioned hardware and bandwidth/dark fibre upto a designated point as required by Licensor from time to time.[109] The License also has specific obligations to extend monitored calls to designated security agencies as provided in the UL.[110] Further, the Licensee is required to provide the call data records of all the calls handled by the system at specified periodicity, if and as and when required by the security agencies.[111] It is the responsibility of the service provider for Global Mobile Personal Communication by Satellite (GMPCS) to provide facility to carry out surveillance of User Terminal activity.[112]

The Licensee has to make available adequate monitoring facility at the GMPCS Gateway in India to monitor all traffic (traffic originating/terminating in India) passing through the applicable system. For this purpose, the Licensee shall set up at his cost, the requisite interfaces, as well as features and facilities for monitoring of calls by designated agencies as directed by the Licensor from time to time. In addition to the Target Intercept List (TIL), it should also be possible to carry out specific geographic location based interception, if so desired by the designated security agencies. Monitoring of calls should not be perceptible to mobile users either during direct monitoring or when call has been grounded for monitoring. The Licensee shall not prefer any charges for grounding a call for monitoring purposes. The intercepted data is to be pushed to designated Security Agencies’ server on fire and forget basis. No records shall be maintained by the Licensee regarding monitoring activities and air-time used beyond prescribed time limit.

The Licensee has to ensure that any User Terminal (UT) registered in the gateway of another country shall re-register with Indian Gateway when operating from Indian Territory. Any UT registered outside India, when attempting to make/receive calls from within India, without due authority, shall be automatically denied service by the system and occurrence of such attempts along with information about UT identity as well as location shall be reported to the designated authority immediately.

The Licensee is required to have provision to scan operation of subscribers specified by security/ law enforcement agencies through certain sensitive areas within the Indian territory and shall provide their identity and positional location (latitude and longitude) to Licensor on as and when required basis.

Public Mobile Radio Trunking Service (PMRTS): Suitable monitoring equipment prescribed by the Licensor for each type of System used has to be provided by the Licensee at his own cost for monitoring, as and when required.[113]

Very Small Aperture Terminal (VSAT) Closed User Group (CUG) Service: Requisite monitoring facilities/ equipment for each type of system used have to be provided by the Licensee at its own cost for monitoring as and when required by the Licensor.[114] The Licensee shall provide at its own cost technical facilities for accessing any port of the switching equipment at the HUB for interception of the messages by the designated authorities at a location to be determined by the Licensor.[115]

Surveillance of MSS-R Service: The Licensee has to provide at its own cost technical facilities for accessing any port of the switching equipment at the HUB for interception of the messages by the designated authorities at a location as and when required.[116] It is the responsibility of the service provider of INSAT- Mobile Satellite System Reporting (MSS-R) service to provide facility to carry out surveillance of User Terminal activity within a specified area.[117]

Resale of International Private Leased Circuit (IPLC) Service: The Licensee has to take IPLC from the licensed ILDOs. The interception and monitoring of Resellers circuits will take place at the Gateway of the ILDO from whom the IPLC has been taken by the Licensee. The provisioning for Lawful Interception & Monitoring of the Resellers’ IPLC shall be done by the ILD Operator and the concerned ILDO shall be responsible for Lawful Interception and Monitoring of the traffic passing through the IPLC. The Resellers shall extend all cooperation in respect of interception and monitoring of its IPLC and shall be responsible for the interception results. The Licensee shall be responsible to interact, correspond and liaise with the licensor and security agencies with regard to security monitoring of the traffic. The Licensee shall, before providing an IPLC to the customer, get the details of services/equipment to be connected on both ends of IPLC, including type of terminals, data rate, actual use of circuit, protocols/interface to be used etc. The Resellers shall permit only such type of service/protocol on the IPLC for which the concerned ILDO has capability of interception and monitoring. The Licensee has to pass on any direct request placed by security agencies on him for interception of the traffic on their IPLC to the concerned ILDOs within two hours for necessary actions.[118]

4. The Information Technology Act, 2000

The Information Technology Act, 2000, was amended in a major way in 2008 and is the primary legislation which regulates the interception, monitoring, decryption and collection of traffic information of digital communications in India.

More specifically, section 69 of the Information Technology Act empowers the central Government and the state governments to issue directions for the monitoring, interception or decryption of any information transmitted, received or stored through a computer resource. Section 69 of the Information Technology Act, 2000 expands the grounds upon which interception can take place as compared to the Indian Telegraph Act, 1885. As such, the interception of communications under Section 69 is carried out in the interest of[119]:

The sovereignty or integrity of India

Defence of India

Security of the State
Friendly relations with foreign States
Public order
Preventing incitement to the commission of any cognizable offense relating to the above
For the investigation of any offense

While the grounds for interception are similar to the Indian Telegraph Act (except for the condition of prevention of incitement of only cognizable offences and the addition of investigation of any offence) the Information Technology Act does not have the overarching condition that interception can only occur in the case of public emergency or in the interest of public safety.

Additionally, section 69 of the Act mandates that any person or intermediary who fails to assist the specified agency with the interception, monitoring, decryption or provision of information stored in a computer resource shall be punished with imprisonment for a term which may extend to seven years and shall be liable for a fine.[120]

Section 69B of the Information Technology Act empowers the Central Government to authorise the monitoring and collection of information and traffic data generated, transmitted, received or stored through any computer resource for the purpose of cyber security. According to this section, any intermediary who intentionally or knowingly fails to provide technical assistance to the authorised agency which is required to monitor and collection information and traffic data shall be punished with an imprisonment which may extend to three years and will also be liable to a fine.[121]

The main difference between Section 69 and Section 69B is that the first requires the interception, monitoring and decryption of all information generated, transmitted, received or stored through a computer resource when it is deemed “necessary or expedient” to do so, whereas Section 69B specifically provides a mechanism for all metadata of all communications through a computer resource for the purpose of combating threats to “cyber security”. Directions under Section 69 can be issued by the Secretary to the Ministry of Home Affairs, whereas directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology.

Overlap with the Telegraph Act

Thus while the Telegraph Act only allows for interception of messages or class of messages transmitted by a telegraph, the Information Technology Act enables interception of any information being transmitted or stored in a computer resource. Since a “computer resource” is defined to include a communication device (such as cellphones and PDAs) there is a overlap between the provisions of the Information Technology Act and the Telegraph Act concerning the provisions of interception of information sent through mobile phones. This is further complicated by the fact that the UAS License specifically states that it is governed by the provisions of the Indian Telegraph Act, the Indian Wireless Telegraphy Act and the Telecom Regulatory Authority of India Act, but does not mention the Information Technology Act.[122] This does not mean that the Licensees under the Telecom Licenses are not bound by any other laws of India (including the Information Technology Act) but it is just an invitation to unnecessary complexities and confusions with regard to a very serious issue such as interception. This situation has thankfully been remedied by the Unified License (UL) which, although issued under section of 4 of the Telegraph Act, also references the Information Technology Act thus providing essential clarity with respect to the applicability of the Information Technology Act to the License Agreement.

Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

The interception of internet communications is mainly covered by the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009under the Information Technology Act (the “IT Interception Rules”). In particular, the rules framed under Section 69 and 69B include safeguards stipulating to who may issue directions of interception and monitoring, how such directions are to be executed, the duration they remain in operation, to whom data may be disclosed, confidentiality obligations of intermediaries, periodic oversight of interception directions by a Review Committee under the Indian Telegraph Act, the retention of records of interception by intermediaries and to the mandatory destruction of information in appropriate cases.

According to the IT Interception Rules, only the competent authority can issue an order for the interception, monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub-section (2) of section 69 of the Information Technology Act.[123] At the State and Union Territory level, the State Secretaries respectively in charge of the Home Departments are designated as “competent authorities” to issue interception directions.[124]In unavoidable circumstances the Joint Secretary to the Government of India, when so authorised by the Competent Authority, may issue an order. Interception may also be carried out with the prior approval of the Head or the second senior most officer of the authorised security agency at the Central Level and at the State Level with the approval of officers authorised in this behalf not below the rank of Inspector General of Police, in the belowmentioned emergent cases:

(1) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or

(2) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generation, transmitted, received or stored in any computer resource is not feasible,

however, in the above circumstances the officer would have to inform the competent authority in writing within three working days about the emergency and of the interception, monitoring or decryption and obtain the approval of the competent authority within a period of seven working days. If the approval of the competent authority is not obtained within the said period of seven working days, such interception or monitoring or decryption shall cease and the information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the competent authority.[125] If a state wishes to intercept information that is beyond its jurisdiction, it must request permission to issue the direction from the Secretary in the Ministry of Home Affairs.[126]

In order to avoid the risk of unauthorised interception, the IT Interception Rules provide for the following safeguards:

If authorised by the competent authority, any agency of the government may intercept, monitor, or decrypt information transmitted, received, or stored in any computer resource only for the purposes specified in section 69(1) of the IT Act.[127]
The IT Interception Rules further provide that the competent authority may give any decryption direction to the decryption key holder.[128]
The officer issuing an order for interception is required to issue requests in writing to designated nodal officers of the service provider.[129]
Any direction issued by the competent authority must contain the reasons for direction, and must be forwarded to the review committee seven days after being issued.[130]
In the case of issuing or approving an interception order, in arriving at its decision the competent authority must consider all alternate means of acquiring the information.[131]
The order must relate to information sent or likely to be sent from one or more particular computer resources to another (or many) computer resources.[132]
The reasons for ordering interceptions must be recorded in writing, and must specify the name and designation of the officer to whom the information obtained is to be disclosed, and also specify the uses to which the information is to be put.[133]
The directions for interception will remain in force for a period of 60 days, unless renewed. If the orders are renewed they cannot be in force for longer than 180 days.[134]
Authorized agencies are prohibited from using or disclosing contents of intercepted communications for any purpose other than investigation, but they are permitted to share the contents with other security agencies for the purpose of investigation or in judicial proceedings. Furthermore, security agencies at the union territory and state level will share any information obtained by following interception orders with any security agency at the centre.[135]
All records, including electronic records pertaining to interception are to be destroyed by the government agency “every six months, except in cases where such information is required or likely to be required for functional purposes”.[136]
The contents of intercepted, monitored, or decrypted information will not be used or disclosed by any agency, competent authority, or nodal officer for any purpose other than its intended purpose.[137]
The agency authorised by the Secretary of Home Affairs is required to appoint a nodal officer (not below the rank of superintendent of police or equivalent) to authenticate and send directions to service providers or decryption key holders.[138]

The IT Interception Rules also place the following obligations on the service providers:

In addition, all records pertaining to directions for interception and monitoring are to be destroyed by the service provider within a period of two months following discontinuance of interception or monitoring, unless they are required for any ongoing investigation or legal proceedings.[139]
Upon receiving an order for interception, service providers are required to provide all facilities, co-operation, and assistance for interception, monitoring, and decryption. This includes assisting with: the installation of the authorised agency's equipment, the maintenance, testing, or use of such equipment, the removal of such equipment, and any action required for accessing stored information under the direction.[140]
Additionally, decryption key holders are required to disclose the decryption key and provide assistance in decrypting information for authorized agencies.[141]

Every fifteen days the officers designated by the intermediaries are required to forward to the nodal officer in charge a list of interceptions orders received by them. The list must include the details such as reference and date of orders of the competent authority.[142]
The service provider is required to put in place adequate internal checks to ensure that unauthorised interception does not take place, and to ensure the extreme secrecy of intercepted information is maintained.[143]
The contents of intercepted communications are not allowed to be disclosed or used by any person other than the intended recipient.[144]
Additionally, the service provider is required to put in place internal checks to ensure that unauthorized interception of information does not take place and extreme secrecy is maintained. This includes ensuring that the interception and related information are handled only by the designated officers of the service provider.[145]

Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009

The Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009, under section 69B of the Information Technology Act, stipulate that directions for the monitoring and collection of traffic data or information can be issued by an order made by the competent authority[146] for any or all of the following purposes related to cyber security:

forecasting of imminent cyber incidents;
monitoring network application with traffic data or information on computer resource;
identification and determination of viruses or computer contaminant;
tracking cyber security breaches or cyber security incidents;
tracking computer resource breaching cyber security or spreading virus or computer contaminants;
identifying or tracking any person who has breached, or is suspected of having breached or likely to breach cyber security;
undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;
accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;
any other matter relating to cyber security.[147]

According to these Rules, any direction issued by the competent authority should contain reasons for such direction and a copy of such direction should be forwarded to the Review Committee within a period of seven working days.[148] Furthermore, these Rules state that the Review Committee shall meet at least once in two months and record its finding on whether the issued directions are in accordance with the provisions of sub-section (3) of section 69B of the Act. If the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and issue an order for the destruction of the copies, including corresponding electronic record of the monitored or collected traffic data or information.[149]

Information Technology (Guidelines for Cyber Cafes) Rules, 2011

The Information Technology (Guidelines for Cyber Cafes) Rules, 2011, were issued under powers granted under section 87(2), read with section 79(2) of the Information Technology Act, 2000.[150] These rules require cyber cafes in India to store and maintain backup logs for each login by any user, to retain such records for a year and to ensure that the log is not tampered. Rule 7 requires the inspection of cyber cafes to determine that the information provided during registration is accurate and remains updated.

5. The Indian Post Office Act, 1898
Section 26 of the Indian Post Office Act, 1898, empowers the Central Government and the State Governments to intercept postal articles.[151] In particular, section 26 of the Indian Post Office Act, 1898, states that on the occurrence of any public emergency or in the interest of public safety or tranquility, the Central Government, State Government or any officer specially authorised by the Central or State Government may direct the interception, detention or disposal of any postal article, class or description of postal articles in the course of transmission by post. Furthermore, section 26 states that if any doubt arises regarding the existence of public emergency, public safety or tranquility then a certificate to that effect by the Central Government or a State Government would be considered as conclusive proof of such condition being satisfied.

According to this section, the Central Government and the State Governments of India can intercept postal articles if it is deemed to be in the instance of a 'public emergency' or for 'public safety or tranquility'. However, the Indian Post Office Act, 1898, does not cover electronic communications and does not mandate their interception, which is covered by the Information Technology Act, 2000 and the Indian Telegraph Act, 1885.

6. The Indian Wireless Telegraphy Act, 1933
The Indian Wireless Telegraphy Act was passed to regulate and govern the possession of wireless telegraphy equipment within the territory of India. This Act essentially provides that no person can own “wireless telegraphy apparatus”[152] except with a license provided under this Act and must use the equipment in accordance with the terms provided in the license.[153]

One of the major sources of revenue for the Indian State Broadcasting Service was revenue from the licence fee from working of wireless apparatus under the Indian Telegraph Act, 1885.The Indian State Broadcasting Service was losing revenue due to lack of legislation for prosecuting persons using unlicensed wireless apparatus as it was difficult to trace them at the first place and then prove that such instrument has been installed, worked and maintained without licence. Therefore, the current legislation was proposed, in order to prohibit possession of wireless telegraphy apparatus without licence.

Presently the Act is used to prosecute cases, related to illegal possession and transmission via satellite phones. Any person who wishes to use satellite phones for communication purposes has to get licence from the Department of Telecommunications.[154]

7. The Code of Criminal Procedure
Section 91 of the Code of Criminal Procedure regulates targeted surveillance. In particular, section 91 states that a Court in India or any officer in charge of a police station may summon a person to produce any document or any other thing that is necessary for the purposes of any investigation, inquiry, trial or other proceeding under the Code of Criminal Procedure.[155] Under section 91, law enforcement agencies in India could theoretically access stored data. Additionally, section 92 of the Code of Criminal Procedure regulates the interception of a document, parcel or thing in the possession of a postal or telegraph authority.

Further section 356(1) of the Code of Criminal Procedure provides that in certain cases the Courts have the power to direct repeat offenders convicted under certain provisions, to notify his residence and any change of, or absence from, such residence after release for a term not exceeding five years from the date of the expiration of the second sentence.

Policy Suggestions

In order to avoid the different standards being adopted for different aspects of surveillance and in different parts of the country, there should be one single policy document or surveillance and interception manual which should contain the rules and regulations regarding all kinds of surveillance. This would not only help in identifying problems in the law but may also be useful in streamlining the entire surveillance regime. However it is easier said than done and requires a mammoth effort at the legislative stage. This is because under the Constitutional scheme of India law and order is a State subject and the police machinery in every State is under the authority of the State government. Therefore it would not be possible to issue a single legislation dealing with all aspects of surveillance since the States are independent in their powers to deal with the police machinery.

Even when we look at the issue of interception, certain state legislations especially the ones dealing with organized crime and bootleggers such as the Maharashtra Control of Organized Crime Act, 1999, the Andhra Pradesh Control of Organized Crime Act, 2001, also deal with the issue of interception and contain provisions empowering the state government to intercept communications for the purpose of using it to investigate or prevent criminal activities. Further even the two central level legislations that deal with interception, viz. the Telegraph Act and the Information Technology Act, specifically empower the State governments also to intercept communications on the same grounds as the Central Government. Since interception of communications is mostly undertaken by security and law enforcement agencies, broadly for the maintenance of law and order, State governments cannot be prevented from issuing their own legislations to deal with interception.

Due to the abovementioned legal and constitutional complexities the major problem in achieving harmonization is to get both the Central and State governments on to the same page. Even if the Central government amends the Telegraph Act and the IT Act to bring them in line with each other, the State governments will still be free to do whatever they please. Therefore it seems the best approach in order to achieve harmonization may be to have a two pronged strategy, i.e. (i) issue a National Surveillance Policy covering both interception and general surveillance; and (ii) amend the central legislations i.e. the Telegraph Act and the Information Technology Act in accordance with the National Surveillance Policy. Once a National Surveillance Policy, based on scientific data and the latest theories on criminology is issued, it is hoped that State governments will themselves like to adopt the principles enshrined therein and amend their own legislations dealing with interception to fall in line with the National Surveillance Policy.

[1] Section 6(2)(b) of the Model Police Manual.

[2] Section 191 (D) of the Model Police Manual.

[3] Section 200 (D) of the Model Police Manual.

[4] Section 2011 (I) of the Model Police Manual.

[5] Section 201 (II) of the Model Police Manual.

[6] Section 201 (IV) of the Model Police Manual.

[7] Section 193 (III) of the Model Police Manual.

[8] Surjan Das & Basudeb Chattopadhyay, Rural Crime in Police Perception: A Study of Village Crime Note Books, 26(3) Economic and Political Weekly 129, 129 (1991).

[9] Section 201 (III) of the Model Police Manual.

[10] Section 201 (V) of the Model Police Manual.

[11] Section 201 (VII) of the Model Police Manual.

[12] Section 356(1) of the Criminal Procedure Code states as follows:

356. Order for notifying address of previously convicted offender.

(1) When any person, having been convicted by a Court in India of an offence punishable under section 215, section 489A, section 489B, section 489C or section 489D of the Indian Penal Code, (45 of 1860 ) or of any offence punishable under Chapter XII or Chapter XVII of that Code, with imprisonment for a term of three years or upwards, is again convicted of any offence punishable under any of those sections or Chapters with imprisonment for a term of three years or upwards by any Court other than that of a Magistrate of the second class, such Court may, if it thinks fit, at the time of passing a sentence of imprisonment on such person, also order that his residence and any change of, or absence from, such residence after release be notified as hereinafter provided for a term not exceeding five years from the date of the expiration of such sentence.

[13] The Indian Telegraph Act, 1885, http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf

[14] Privacy International, Report: “India”, Chapter 3: “Surveillance Policies”, https://www.privacyinternational.org/reports/india/iii-surveillance-policies

[15] Rule 419A(1), Indian Telegraph Rules, 1951.

[16] Rule 419A(1), Indian Telegraph Rules, 1951.

[17] Rule 419A(2), Indian Telegraph Rules, 1951.

[18] Rule 419A(3), Indian Telegraph Rules, 1951.

[19] Rule 419A(4), Indian Telegraph Rules, 1951.

[20] Rule 419A(5), Indian Telegraph Rules, 1951.

[21] Rule 419A(6), Indian Telegraph Rules, 1951.

[22] Rule 419A(7), Indian Telegraph Rules, 1951.

[23] Rule 419A(8), Indian Telegraph Rules, 1951.

[24] Rule 419A(9), Indian Telegraph Rules, 1951.

[25] Rule 419A(18), Indian Telegraph Rules, 1951.

[26] Ibid.

[27] Rule 419A(10), Indian Telegraph Rules, 1951.

[28] Rule 419A(11), Indian Telegraph Rules, 1951.

[29] Rule 419A(12), Indian Telegraph Rules, 1951.

[30] Rule 419A(13), Indian Telegraph Rules, 1951.

[31] Rule 419A(14), Indian Telegraph Rules, 1951.

[32] Rule 419A(15), Indian Telegraph Rules, 1951.

[33] Rule 419A(19), Indian Telegraph Rules, 1951.

[34] Ibid.

[35] Ibid.

[36] Section 46 of the Unlawful Activities Prevention Act, 1967. The Unlawful Activities (Prevention) Act, 1967 has certain additional safeguards such as not allowing intercepted information to be disclosed or received in evidence unless the accused has been provided with a copy of the same atleast 10 days in advance, unless the period of 10 days is specifically waived by the judge.

[37] State owned Public Sector Undertakings (PSUs) (Mahanager Telephone Nigam Limited (MTNL) and Bharat Sanchar Nigam Limited (BSNL)) were issued licenses for provision of CMTS as third operator in various parts of the country. Further, 17 fresh licenses were issued to private companies as fourth cellular operator in September/ October, 2001, one each in 4 Metro cities and 13 Telecom Circles.

[38] Section 45.2 of the CMTS License.

[39] Section 41.09 of the CMTS License.

[40] Section 41.09 of the CMTS License.

[41] Section 44.4 of the CMTS License. Similar provision exists in section 44.11 of the CMTS License.

[42] Section 34.28 (xix) of the ISP License.

[43] Section 34.12 of the ISP License.

[44] Section 34.13 of the ISP License.

[45] Section 34.22 of the ISP License.

[46] Section 34.6 of the ISP License.

[47] Section 34.15 of the ISP License.

[48] Section 34.28 (xiv) of the ISP License.

[49] Section 34.28 (xi) of the ISP License.

[50] Section 34.14 of the ISP License.

[51] Section 34.28 (ix)&(x) of the ISP License.

[52] Section 30.1 of the ISP License.

[53] Section 33.4 of the ISP License.

[54] Section 34.4 of the ISP License.

[55] Section 34.7 of the ISP License.

[56] Section 34.9 of the ISP License.

[57] Section 34.27 (a)(i) of the ISP License.

[58] Section 34.27(a)(ii-vi) of the ISP License.

[59] Section 32.1, 32.2 (i)(ii), 32.3 of the ISP License.

[60] Section 34.8 of the ISP License.

[61] Section 34.18 of the ISP License.

[62] Section 34.28 (xv) of the ISP License.

[63] Section 41.10 of the ISP License.

[64] Section 41.10 of the ISP License.

[65] Section 41.19(i) of the ISP License.

[66] Section 41.19(ii) of the ISP License.

[67] Section 41.19(iv) of the ISP License.

[68] Section 39.1 of the UASL. Similar provision is contained in section 41.4, 41.12 of the UASL.

[69] Section 39.3 of the UASL.

[70] Section 39.2 of the UASL.

[71] Section 23.2 of the UASL. Similar provisions are contained in section 41.7 of the UASL regarding provision of monitoring equipment for monitoring in the “interest of security”.

[72] Section 42.2 of the UASL.

[73] Section 41.20(xx) of the UASL.

[74] Section 41.10 of the UASL.

[75] Section 41.10 of the UASL.

[76] Section 41.14 of the UASL.

[77] Section 41.16 of the UASL.

[78] Section 41.20(ix) of the UASL.

[79] Section 41.20(ix) of the UASL.

[80] Section 41.19(ii) of the UASL.

[81] Section 41.20(xii) of the UASL.

[82] Section 41.20(xiii) of the UASL.

[83] Section 41.20(xiv) of the UASL.

[84] Section 41.20 (xix) of the UASL.

[85] Section 41.20(xvi) of the UASL.

[86] The different services covered by the Unified License are:

a. Unified License (All Services)

b. Access Service (Service Area-wise)

c. Internet Service (Category-A with All India jurisdiction)

d. Internet Service (Category-B with jurisdiction in a Service Area)

e. Internet Service (Category-C with jurisdiction in a Secondary Switching Area)

f. National Long Distance (NLD) Service

g. International Long Distance (ILD) Service

h. Global Mobile Personal Communication by Satellite (GMPCS) Service

i. Public Mobile Radio Trunking Service (PMRTS) Service

j. Very Small Aperture Terminal (VSAT) Closed User Group (CUG) Service

k. INSAT MSS-Reporting (MSS-R) Service

l. Resale of International private Leased Circuit (IPLC) Service

Authorisation for Unified License (All Services) would however cover all services listed at para 2(ii) (b) in all service areas, 2 (ii) (c), 2(ii) (f) to 2(ii) (l) above.

[87] Chapter IV, Para 23.2 of the UL.

[88] Chapter VI, Para 40.2 of the UL.

[89] Chapter V, Para 37.1 of the UL. Similar provision is contained in Chapter VI, Para 39.4,

[90] Chapter V, Para 37.5 of the UL/

[91] Chapter V, Para 37.3 of the UL.

[92] Chapter V, Para 37.2 of the UL.

[93] Chapter VI, Para 39.23(xii) of the UL.

[94] Chapter VI, Para 39.23 (xiii) of the UL.

[95] Chapter VI, Para 39.23 (xiv) of the UL.

[96] Chapter VI, Para 39.23 (xix) of the UL.

[97] Chapter VIII, Para 8.3 of the UL.

[98] Chapter VIII, Para 8.4 of the UL.

[99] Chapter VIII, Para 8.5 of the UL.

[100] Chapter IX, Paras 7.1 to 7.3 of the UL. Further obligations have also been imposed on the Licensee to ensure that its ILL customers maintain the usage of IP addresses/Network Address Translation (NAT) syslog, in case of multiple users on the same ILL, for a minimum period of one year.

[101] Chapter IX, Paras 8.1 to 8.3 of the UL.

[102] Chapter IX, Paras 8.4 and 8.5 of the UL.

[103] Chapter X, Para 5.2 of the UL.

[104] Chapter XI, Para 6.3 of the UL.

[105] Chapter XI, Para 6.4 of the UL.

[106] Chapter XI, Para 6.6 of the UL.

[107] Chapter XI, Para 6.7 of the UL.

[108] Chapter XII, Para 7.4 of the UL.

[109] Chapter XII, Para 7.5 of the UL.

[110] Chapter XII, Para 7.6 of the UL.

[111] Chapter XII, Para 7.7 of the UL.

[112] Chapter XII, Para 7.8 of the UL.

[113] Chapter XIII, Para 7.1 of the UL.

[114] Chapter XIV, Para 8.1 of the UL.

[115] Chapter XIV, Para 8.2 of the UL.

[116] Chapter XV, Para 8.1 of the UL.

[117] Chapter XV, Para 8.5 of the UL.

[118] Chapter XVI, Paras 4.1 - 4.4 of the UL.

[119] Section 69 of the Information Technology Act, 2000.

[120] Ibid.

[121] Section 69B of the Information Technology Act, 2000.

[122] Section 32 of the ISP License.

[123] Rule 3, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[124] Rule 2(d), Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[125] Rule 3, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[126] Rule 6, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[127] Rule 4, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[128] Rule 5, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[129] Rule 13, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[130] Rule 7, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[131] Rule 8, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[132] Rule 9, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[133] Rule 10, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[134] Rule 11, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[135] Rule 25(2)&(6), Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[136] Rule 23, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[137] Rule 25, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[138] Rule 12, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[139] Rule 23(2), Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[140] Rule 19, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[141] Rule 17, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[142] Rule 18, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[143] Rule 20& 21, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[144] Rule 25, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[145] Rule 20, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[146] Rule 3(1) of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

[147] Rule 3(2) of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

[148] Rule 3(3) of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

[149] Rules 7 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

[150] Introduction to the Information Technology (Guidelines for Cyber Cafe) Rules, 2011.

[151] The Indian Post Office Act, 1898, http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf

[152] The expression “wireless telegraphy apparatus” has been defined as “any apparatus, appliance, instrument or material used or capable of use in wireless communication, and includes any article determined by rule made under Sec. 10 to be wireless telegraphy apparatus, but does not include any such apparatus, appliance, instrument or material commonly used for other electrical purposes, unless it has been specially designed or adapted for wireless communication or forms part of some apparatus, appliance, instrument or material specially so designed or adapted, nor any article determined by rule made under Section 10 not to be wireless telegraphy apparatus;”

[153] Section 4, Wireless Telegraphy Act, 1933.

[154] Snehashish Ghosh, Indian Wireless Telegraphy Act, 1933, http://cis-india.org/telecom/resources/indian-wireless-telegraphy-act.

[155] The Code of Criminal Procedure, 1973, Section 91, http://www.icf.indianrailways.gov.in/uploads/files/CrPC.pdf

For more details visit https://cis-india.org/internet-governance/blog/policy-paper-on-surveillance-in-india

July 2015 Bulletin

praskrishna — 2015-11-21T16:23:52Z

Our newsletter for the month of July is below:

We are happy to share with you the seventh issue of the Centre for Internet and Society (CIS) newsletter (July 2015). The past editions of the newsletter can be accessed at http://cis-india.org/about/newsletters.

Highlights

NVDA team conducted a training at SIES College, Sion, Mumbai. Thirty-four delegates attended the training programme. A training workshop was held at Anne Jane Askwith Higher Secondary School for the Visually Impaired, Palayamkottai, Tirunelveli by NVDA team. Sixteen delegates participated in this. Konkani Wikipedia is the second Wikimedia project after Odia Wikisource that has gone live out of incubation. The project stayed in the incubation for nine long years and the community has gone through a long debate to have a Wikipedia of their own. Subhashish Panigrahi has blogged on this highlighting the three Konkani Wikimedians. The 30^th Session of the WIPO Standing Committee on Copyrights and Related Rights was held in Geneva from June 29 to July 3. Nehaa Chaudhari prepared a statement about the negotiations on the Proposed Treaty for Broadcasting Organisations. Sumandro Chattapadhyay wrote an article in the Hindustan Times about India’s “Digital India” initiative to develop communication infrastructure, government information systems, and general capacity to digitise public life in India. CIS published the first draft of its analysis on technology business incubators ("TBI") in India. The report prepared by Sunil Abraham, Vidushi Marda, Udbhav Tiwari and Anumeha Karnatak looks at operating procedures, success stories and lessons that can be learnt from TBIs in India. Pranesh Prakash did a brief analysis about the Department of Telecommunications Panel Report on Net Neutrality. CIS has participated in the Expert Committee for DNA Profiling constituted by the Department of Biotechnology in 2012 for the purpose of deliberating on and finalizing the draft Human DNA Profiling Bill and appreciates this opportunity. CIS has prepared a dissent note to the Expert Committee on DNA Profiling. In the last few decades, all major common law jurisdictions have decriminalised non-procreative sex – oral and anal sex (sodomy) – to allow private, consensual, and non-commercial homosexual intercourse. Bhairav Acharya brought out the developments from across the world in a blog entry. As part of its project on mapping cyber security actors in South Asia and South East Asia, CIS conducted interviews with a Tibetan security researcher and information activist and Shantanu Ghosh, Managing Director, Symantec Product Operations, India. CIS, the Observer Research Foundation, the Internet Policy Observatory, the Centre for Global Communication Studies and the Annenberg School for Communication, University of Pennsylvania had organized a conference in April in New Delhi. The findings have been condensed in a report titled “Effective research, policy formulation, and the development of regulatory frameworks in South Asia”. Pranesh Prakash in a research paper titled Regulatory Perspectives on Net Neutrality gives an overview on why India needs to put in place net neutrality regulations, and the form that those regulations must take to avoid being over-regulation. Rakshanda Deka undertook an analysis on the anti-spam laws in different jurisdictions. This analysis is a part of a larger attempt at formulating a model anti-spam law for India by analysing the existing spam laws across the world. As part of the 'Studying Internets in India' series, RAW has published blog entries on WhatsApp and the Creation of a Transnational Sociality; Users and the Internet; Effective Activism: The Internet, Social Media, and Hierarchical Activism in New Delhi; Studying the Internet Discourse in India through the Prism of Human Rights; and 'Originality,' 'Authenticity,' and 'Experimentation': Understanding Tagore’s Music on YouTube. The National Optic Fibre Network, a part of the Government's Digital India Initiative, has been in the news since the recent Expert Committee Report. Aditya Garg in a blog entry examined the accountability of the funding of the project.

Accessibility and Inclusion

Under a grant from the Hans Foundation we are doing two projects. The first project is on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India. CIS in partnership with CLPR (Centre for Law and Policy Research) compiled the National Compendium of Policies, Programmes and Schemes for Persons with Disabilities (29 states and 6 union territories). The publication has been finalised and is being printed. The draft chapters and the quarterly reports can be accessed on the project page. The second project is on developing text-to-speech software for 15 Indian languages. The progress made so far in the project can be accessed here.

NVDA and eSpeak

Monthly Updates

July 2015 Report (Suman Dogra; July 31, 2015).

Event Reports

The training programmes were held in June and the reports were published in July:

Tamil Computing with NVDA Training Workshop (Organized by NVDA team: Anne Jane Ask with Higher Secondary School for the Visually Impaired, Palayamkottai, Tirunelveli; June 3 – 7, 2015).
Training in eSpeak Marathi (Organized by NVDA team; SIES College, Sion, Mumbai; June 28, 2015).

Access to Knowledge

As part of the Access to Knowledge programme we are doing two projects. The first one (Pervasive Technologies) under a grant from the International Development Research Centre (IDRC) is for research on the complex interplay between pervasive technologies and intellectual property to support intellectual property norms that encourage the proliferation and development of such technologies as a social good. The second one (Wikipedia) under a grant from the Wikimedia Foundation is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Submission / Comment

Statement by the Centre for Internet and Society on the Broadcast Treaty at SCCR 30 (Nehaa Chaudhari; July 2, 2015).

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

Reading Devanagari Script based sites like Konkani Wikipedia in Kannada Script (Dr. U.B. Pavanaja; July 13, 2015).
Konkani Wikipedia Goes Live After 'Nine Years' of Incubation (Subhashish Panigrahi; July 18, 2015).

Events Co-organized

Christ University Undergraduate Programme (Organized by CIS-A2K; Bangalore; July 1 - 8, 2015). Students were initiated into the Wikimedia activities with hands on sessions of typing on Wikisource. Faculty of the Christ University helped the A2K team in deciding on the texts that were to be typed. These texts will provide much needed impetus for Wikisource related activities in Indian Languages. Wikipedia Education Programme at Christ University received support from Ravishankar.A of the Tamil Wikimedia community and Sayant Mahato from Sanskrit Wikimedia community.
Aloysius College (Organized by CIS-A2K; Mangalore; July 1 – 4, 2015). Tulu and Kannada Wikipedia workshops were conducted in St. Aloysis College, Mangalore. Tulu Wikipedia is in Incubator and a small community is growing in Mangalore. Pavanaja U.B. and Rahmanuddin Shaik participated in this events.
Media Wiki Train the Trainer Program (Organized by CIS-A2K; Bangalore; June 24 – 27, 2015): A four-day long train-the-trainer program aimed at building leadership among technical contributors to Indic language Wikimedians in the areas of bugs, bots--Pywikipedia and Auto Wiki Browser, various MediaWiki tools, and translations. Ravishankar A. from Wikimedia India, MediaWiki developers Pavithra H., Yogesh Omshivaprakash H.L. and Harsh Kothari, and Tamil Wikimedian Dineshkumar Ponnusamy provided support for the event.

Participation in Events

Wikimania 2015 (Organized by Wikimedia Foundation; Mexico City; July 15 - 19, 2015): A whole day was dedicated for evaluation of strategies and activities by various major stakeholders of the Wikimedia movement. Community members who lead major activities, Wikimedia chapters, affiliate organizations and Wikimedia Foundation itself took part in the discussions. There were several group activities, exchange of ideas focused on project and community level outreach and other activities, tools and techniques, and best practices. Subhashish Panigrahi participated in this event and gave a talk on How to do Guerrilla GLAM. Subhashish Panigrahi was a panelist along with Rohini Lakshané in the session “Edit-a-thons for Bridging the Gender Gap on Wikimedia: A Panel Discussion”. An Indic Meet-up was also organized. Wikimedians from India, Bangladesh and Nepal representing various language communities, Wikimedia India, Wikimedia Bangladesh, Wikimedia Nepal, and Access to Knowledge (CIS-A2K) gathered to discuss about various challenges, cross-community collaborative projects, organizing larger events, and strategies to grow the Wikimedia movement in South Asia.
Classical Languages in the Digital Era Conference (Organized by Central Institute of Indian Languages, Mysore; July 17, 2015) Tanveer Hasan participated in this conference aimed at discussing about the future of Indian classical languages in the digital era.

Media Coverage

Not many contributors for Kannada-centric Wiki page (The Times of India, July 5, 2015)
Upload More Kannada Articles on Wikipedia (Indian Express, July 5, 2015)
Kannada Wikipedia Workshop in Mangaluru (Udayavani; July 5, 2015)
Kannada Wikipedia Workshop in Mangaluru (Prajavani; July 5, 2015)

Staff Movement

Tito Dutta, Luis Gomes and Abhinav Garule have joined the CIS-A2K team as Programme Associates from March this year. Tito is working for internal documentation and resource building, and Luis and Abhinav are implementing the Konkani and Marathi work plan respectively along with community liaison.

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and International Development Research Centre (IDRC)) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on studying the restrictions placed on freedom of expression online by the Indian government.

Free Speech and Expression

Blog Entries

Regulatory Perspectives on Net Neutrality (Pranesh Prakash; July 8, 2015). Vidushi Marda and Tarun Krishnakumar assisted Pranesh Prakash in this.
Free Speech Policy in India: Community, Custom, Censorship, and the Future of Internet Regulation (Bhairav Acharya; July 13, 2015).
Net Neutrality and the Law of Common Carriage (Bhairav Acharya; July 14, 2015).
Freedom of Expression in a Digital Age (Geetha Hariharan and Jyoti Panday; July 14, 2015). CIS, the Observer Research Foundation, the Internet Policy Observatory, the Centre for Global Communication Studies and the Annenberg School for Communication, University of Pennsylvania organized this conference on April 21, 2015 in New Delhi. Elonnai Hickok edited the report.
Clearing Misconceptions: What the DoT Panel Report on Net Neutrality Says (and Doesn't) (Pranesh Prakash; July 21, 2015).
Role of Intermediaries in Countering Online Abuse (Jyoti Panday; July 31, 2015). This got published as two blog entries in the NALSAR Law Tech Blog. Part 1 can be accessed here and Part 2 here.

Event Co-organized

A Public Discussion on Criminal Defamation in India (Organized by CIS, the Network of Women in Media, India; and Media Watch; Bangalore; July 29, 2015). The event was a public discussion about the continued criminalisation of defamation in India.

Participation in Event

Roundtable discussion on WHOIS (Organized by Department of Electronics & Information Technology (DeitY), Govt. of India; July 28, 2015; New Delhi). Sunil Abraham and Vidushi Marda participated in the discussion remotely. Aditya Garg attended in person.

Privacy

Blog Entries

Anti-Spam Laws in Different Jurisdictions: A Comparative Analysis (Rakshanda Deka; July 2, 2015).
A Dissent Note to the Expert Committee for DNA Profiling (Elonnai Hickok; July 17, 2015). Click for DNA Bill Functions, DNA List of Offences, and CIS Note on DNA Bill. A modified version was published by Citizen Matters Bangalore on July 28.
Privacy, Autonomy, and Sexual Choice: The Common Law Recognition of Homosexuality (Bhairav Acharya; July 18, 2015).
Aadhaar Number vs the Social Security Number (Elonnai Hickok; July 21, 2015).

Participation in Event

7th Best Practices Meet 2015 (Organized by Data Security Council of India; Bangalore; July 9 – 10, 2015). Sunil Abraham was a panelist in the session "Architecting Security for transformation to Digital India". Elonnai Hickok was a panelist in the session "Steering privacy in the age of extreme innovation technology & business models."

Cyber Security

Videos

Cyber Security Series Part 23 (Purba Sarkar; July 13, 2015). CIS interviews a Tibetan security researcher and information activist.
Cyber Security Series Part 24 (Purba Sarkar; July 15, 2015). CIS interviews Shantanu Ghosh, Managing Director, Symantec Product Operations, India, as part of the Cybersecurity Series.

Miscellaneous

Article

Iron out contradictions in the Digital India programme (Sumandro Chattapadhyay; Hindustan Times; July 28, 2015).

Research Paper

First draft of Technology Business Incubators: An Indian Perspective and Implementation Guidance Report (Sunil Abraham, Vidushi Marda, Udbhav Tiwari and Anumeha Karnatak; July 25, 2015).

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Op-ed

The Centrality of Cash Flows (Shyam Ponappa; Business Standard; July 1, 2015 and Organizing India Blogspot; July 2, 2015).

Blog Entry

Funding of National Optic Fibre Network (NOFN) - Who's Accountable? (Aditya Garg; July 17, 2015).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by contemporary concerns to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It is interested in producing local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Blog Entries

WhatsApp and the Creation of a Transnational Sociality (Maitrayee Deka; July 1, 2015).
Users and the Internet (Purbasha Auddy; July 10, 2015).
Effective Activism: The Internet, Social Media, and Hierarchical Activism in New Delhi (Sarah McKeever; July 16, 2015).
Studying the Internet Discourse in India through the Prism of Human Rights (Deva Prasad M.; July 22, 2015).
'Originality,' 'Authenticity,' and 'Experimentation': Understanding Tagore’s Music on YouTube) (Ipsita Sengupta; July 27, 2015).

News & Media Coverage

CIS gave its inputs to the following media coverage:

'IRCTC’s Aadhaar play can violate SC order and derail National Security' (Shubhra Rishi; CIO.IN; July 1, 2015).
The Digital Divide: pros and cons of Modi's latest big initiative (Suhas Munshi; July 2, 2015).
Corporate push to Modi’s Rs.4.5-billion digital dream (Rakesh Kumar; The Statesman; July 13, 2015).
Criminal Defamation: The Urgent Cause That has United Rahul Gandhi, Arvind Kejriwal and Subramanian Swamy (Betwa Sharma; Huffington Post; July 15, 2015).
Five Nations, One Future? (Bjorn Ludtke, Ellen Lee, Jaideep Sen, Gwendolyn Ledger, David Nicholson, and Jesko Johannsen; Voestalpine; July 18, 2015).
The scariest bill in Parliament is getting no attention – here’s what you need to know about it (Nayantara Narayanan; Scroll.in; July 24, 2015)
Regulation, misuse concerns still dog DNA profiling bill (Nikita Mehta; Livemint; July 29, 2015)

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the mediation and reconfiguration of social and cultural processes and structures by the internet and digital media technologies.

► Follow us elsewhere

CIS - Twitter: http://twitter.com/cis_india
Access to Knowledge - Twitter: https://twitter.com/CISA2K
Access to Knowledge - Facebook: https://www.facebook.com/cisa2k
Access to Knowledge - E-Mail: a2k@cis-india.org
Researchers at Work - E-Mail: raw@cis-india.org
Researchers at Work - Mailing List: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, Access to Knowledge, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/july-2015-bulletin

Centre for Internet and Society

Net Neutrality and the Law of Common Carriage

'We Need to Proactively Ensure that People Can't File Patents Representative of the Creativity of a FOSS Community'

Civil Society Organisations and Internet Governance in India - Open Review

Early Days

Key Organizations

Global and National Events

Internet Policies and Censorship

Reference

Civil Society Organisations and Internet Governance in Asia - Open Review

Preparations for the World Summit on the Information Society

Participation in the WSIS Process

Asian Civil Society Organizations at the IGFs

Internet Censorship and Civil Society Responses

Annexe – Tables

Table 1: Participation from Asian Countries and of representatives from Asian civil society organisations in IGFs, 2006-2010

Table 2: Internet Society Chapters in Asia

Reference

Security: Privacy, Transparency and Technology

Security and Privacy

Security and Transparency

Security and Technology

More Technology

Latest Technology

Complex Technology

Threat Scenarios and Possible Solutions

Conclusion

A Review of the Policy Debate around Big Data and Internet of Things

Defining and Connecting Big Data and Internet of Things

General Implications of Big Data and Internet of Things

Regulation of Big Data and Internet of Things

Possible Technical and Policy Solutions

Possible Regulatory Frameworks

Conclusion

War Driving in Lhasa Vegas

Monkeys would often climb up the poles to fool around with the routers forcing Yahel to fix a cage around them to make them “monkey-proof” — Eric Brewer

War is an outmoded concept — Dalai Lama

CIS submission to the UNGA WSIS+10 Review

Rare Telugu religious and historical work preserved at Annamacharya library to come on Wikisource!

Digital Activism in Asia Reader

The Book

Excerpt from the Foreword

Genetic Profiling: Is it all in the DNA?

India blocks access to 857 porn sites

India launches crackdown on online porn

Policy Paper on Surveillance in India

Introduction

Legal Regime

Overlap with the Telegraph Act

Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

Information Technology (Guidelines for Cyber Cafes) Rules, 2011

Policy Suggestions

July 2015 Bulletin

Highlights

Accessibility and Inclusion

NVDA and eSpeak

Access to Knowledge

Wikipedia

Internet Governance

Free Speech and Expression

Privacy

Cyber Security

Miscellaneous

Telecom

Researchers at Work

News & Media Coverage

About CIS

Monkeys would often climb up the poles to fool around with the routers forcing Yahel to fix a cage around them to make them “monkey-proof”
— Eric Brewer

War is an outmoded concept
— Dalai Lama