Centre for Internet and Society

J&K social media ban: Use of 132-year-old Act can’t stand judicial scrutiny, say experts

praskrishna — 2017-05-04T02:12:23Z

Jammu and Kashmir's social media ban: Legal experts are not convinced this is a viable order

The article by Shruti Dhapola was published in the Indian Express on April 28, 2017. Pranesh Prakash was quoted.

For residents of Jammu and Kashmir, there’s a blanket ban on social media for the next one month. This means no access to Facebook, WhatsApp, Twitter, Snapchat, Skype WeChat, YouTube, Telegram and other social networks.

As The Indian Express reported, this ‘social media ban’ was ordered by the state government after Chief Minister Mehbooba Mufti chaired a meeting of the Unified Command Headquarters in Srinagar. The total list includes 22 social media websites, and the order, a copy of which is available with The Indian Express, says this is being done “in the interest of maintenance of public order.”

The order to block the sites was issued by RK Goyal, Principal Secretary in the Home department, and cites Section 5 of Indian Telegraph Act, which “confers powers upon the Central government or the state government to take possession of license telegraphs and order stoppage of transmission or interception or detention of messages”.

The order reasons that social media sites are “being used by anti-national and anti-social elements by transmitting inflammatory messages in various forms”. It directs all ISPs to block these websites in the state of Jammu and Kashmir.

But questions are already being raised over its legality.

“This is an illegal order because the Telegraph Act and Rules, which the order cites, doesn’t give the government the power to block websites. The Telegraph Act is a colonial-era legislation first passed in 1885 in the aftermath of the Mutiny, making telegraphs a monopoly of the colonial British government, and restricting Indians’ access to communications technologies. In 1996, in the PUCL case, the Supreme Court laid down that powers to intercept or block transmission of messages cannot be exercised without procedural safeguards in place. In 2007, procedural safeguards were made for interception, but not for blocking of telegraphic communications,” points out Pranesh Prakash, Policy Director at Centre for Internet and Society.

Pavan Duggal, senior lawyer specialising in cyberlaw, concurs. “Legally, the order is not viable. This is because the IT Act applies for blocking, under Section 69 (A). Also Section 81 of the IT Act also make it clear that this is a special law, which will prevail over any other older law. The IT ACT deals with everything related to the internet.”

The IT ACT notes in Section 1, that “It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention there under committed outside India by any person.”

But even blocking under the IT Act isn’t something that can be ordered over night, and the powers for this rest with the central government.

“There’s a provision (69A) in the Information Technology Act which provides for blocking of specific web pages for national security reasons, but only by the Central government. The J&K government, thus can only request the Central government to block. The central government has in the past denied requests by state governments as they were unlawful requests,” Prakash said.

However, blocking of URLs or in fact complete internet shutdowns is not new in India. “This is an example of Internet manipulation by the governments world over. The first casualty of any disturbance is now the Internet and the government, even the democratic ones living under rule of law have decided that is a-okay to prevent people from communicating in the name of law and order,” said Mishi Choudhary, President and Legal Director at SFLC.in

SFLC.in has also been keeping a track of internet shutdowns in India. It has a dedicated website Internetshutdowns.in which crowd-sources information on these bans, and India has already seen seven shut internet shutdowns in first three months of 2017. For instance, in the state of Nagaland internet and mobile services were down for nearly a month from January 30 to February 20.

The issue of url blocking and internet shutdowns inevitably gets linked to one of freedom of speech. While reasonable restrictions can be imposed under Article 19 (2) of the Constitution, experts are not convinced the current order makes enough of a case to justify such a blanket ban.

“The citizens of J&K are Indian citizens and can challenge the order as violative of Article 19 (1) (a) of the Constitution, violative of right to free speech and expression,” says Choudhary.

“Any kind of blocking must conform to the Constitutional guarantees of freedom of expression, and any blocking must be legally “reasonable” for it to be acceptable as a legitimate restriction under Art.19(2). This blanket ban of 22 arbitrarily chosen service — why block QQ or WeChat, but not LinkedIn — and that too for a month, cannot be called reasonable under any circumstances,” argues Prakash.

Prakash adds that the order also raises other international concerns for India. “It also violates India’s international legal obligations under the International Covenant on Civil and Political Rights (ICCPR), whose Article 19 protects the freedom of thought, opinion and expression. Only those restrictions that are provided by law, have a legitimate aim, are necessary with less restrictive option being available, and are proportionate to the harm being address are allowed. For instance, targeting of hate speech that is calling for genocide is reasonable. But such blanket bans of communications platforms are not,” he argues.

So can the citizens challenge such an order, which puts a blanket ban on social networks? The answer is yes, as in this case this order “is legally untenable,” explains Duggal.

On the practice of blocking, he points that in today’s world it can only be seen an antiquated practice. “To give an analogy it is like fixing a leaking roof with a band-aid. It will only increase traffic to the blocked websites, and there are indirect ways to reach these sites via proxies and other tools as well,” he adds.

The orders can always be reviewed by the courts. “While the IT Act allows for blocking, it should be remembered the process is always open to judicial review. Courts have final authority, and they can examine whether the principles of law were applied when passing such a blocking order,” explains Duggal.

The affected social media websites or ISPs don’t yet have a response to this order. When we reached out, Facebook said it did not have an official comment on the ban. Mobile internet service providers Vodafone and Airtel also refused to comment.

For more details visit https://cis-india.org/internet-governance/news/indian-express-april-28-2017-shruti-dhapola-j-k-social-media-ban

It's That Eavesdrop Endemic

praskrishna — 2016-07-30T15:45:31Z

Whatsapp Says It’s Snoop-Proof Now, But There’s Always A Way In

The article by Arindam Mukherjee was published in Outlook on July 25, 2016. Pranesh Prakash was quoted.

Lock and Key

WhatsApp says it has end-to-end encryption, so no one, not even WhatsApp, can snoop into calls.

Experts say any encryption can be broken by security agencies. Android phones can also get infected by malware.

For years, a Delhi power-broker used to call from nondescript landline numbers, changing them ever so often. Of late, he has started using WhatsApp calls for ‘sensitive’ conversations. He’s not alone. WhatsApp has revealed that over 100 million voice calls are being made on the social network every day. That’s over 1,100 calls a second! India is one of the biggest user bases of WhatsApp. And many Indian users are making the app their main engine for voice calls.

One reason for this shift is that WhatsApp calls are seen to be essentially free (though they indeed have data charges). But for a lot of people, the chief allure lies in the touted fact that WhatsApp calling is far more secure than mobile calling. In April, the app introduced end-to-end encryption for its messages and voice calls.

Consequent to this, Sudhir Yadav, a Gurgaon-based software engineer filed a PIL in the Supreme Court seeking a ban on WhatsApp on the grounds that its calls are so safe that it could be misused by ‘terrorists’. Last month, a court in Brazil issued orders to block WhatsApp for 72 hours after it failed to provide the authorities access to encrypted data.

Are WhatsApp calls really impenetrable? WhatsApp believes so and says that the encryption key is held by the two persons at the two ends of the message or call and no one, not even the company, can snoop in. “The calls are end-to-end encrypted so WhatsApp and third parties can’t listen to them,” a WhatsApp spokesperson told Outlook. This is precisely Yadav’s concern. “Because the encryption is end to end, the government can’t break it and WhatsApp cannot provide the decryption key,” he says.

However, experts do not buy this argument. They believe everything on the Internet is vulnerable. “Anything that uses a phone number is vulnerable,” says Kiran Jonnalagadda, founder of technology platform HasGeek. “Anyone can impersonate the phone number by getting a duplicate SIM and get access to a phone. There are also bugs in the system which security agencies use.”

WhatsApp uses a person’s phone number to open an account and authenticate a user. So, if the government or a security agency wants to get access to a WhatsApp call, it would be very easy. “Telecom companies cannot access these calls as they are encrypted before they reach the network. But the government can. It just has to replicate a SIM to access any number and its messages or voice calls,” says Aravind R.S., a volunteer for Save the Internet campaign and founder of community chat app Belong,

There are other modes of attack as well. It is a given that Android phones, which form the majority of mobile phones used in India today, are most vulnerable to malware attacks. So, even if the app itself is secure, the device is not and if the device is attacked, just about everything in it can be tapped into. For instance, there’s the ‘man in the middle’ mode of attack, where a third person gets into a call and mirrors the messages to both the sides and relays the messages or calls to a different server. There is also the SS7 signalling protocol that can help hackers get into networks and calls. These attacks can make even a WhatsApp encryption vulnerable.

Security agencies and hackers routinely implant viruses into the phones of people they are monitoring. Once a phone is “infected”, everything is accessible. And Android phones are extremely prone to attacks from malware. “It's not perfectly secure, especially if there is any virus in an Android phone, which is what security agencies work with. They have many more ways to get into a phone. There is no defence against that,” says Aravind,

Experts believe it is possible that US intelligence agencies like the FBI and the NSA may have access to or are capable of breaking into even the WhatsApp encryption. This is proven by the recent incident where the FBI, after being refused by Apple to open up an iPhone used by a terrorist, broke into the phone by itself.

“If you are on the NSA list, there is nothing you can do to protect yourself,” says Pranesh Prakash, policy director with the Centre for Internet and Society. “They will find a way to get into your phone. In WhatsApp, many things like photographs and videos are not encrypted; these can get access to a person’s account.”

In India, the debate on access to encrypted phones has been on since the government engaged with Blackberry a few years ago. “There is no law governing an Over The Top (OTT) service like WhatsApp. If the government orders decryption of a call and WhatsApp cannot comply, it will become illegal,” says cyber lawyer Asheeta Regidi. The government’s seeming comfort level with all this legal ambiguity is yet another indicator that all is not what is seems with WhatsApp. As for callers, they would do well to speak discreetly on any network.

For more details visit https://cis-india.org/internet-governance/news/outlook-july-25-2016-arindam-mukherjee-its-that-eavesdrop-endemic

It's September, and That Means It's Time for Software Freedom Day

subha — 2016-09-17T15:42:46Z

Software Freedom Day (SFD), which celebrates the use of free and open software, is just around the corner on September 17. When the day first started in 2004, only 12 teams from different places joined, but it has since grown to include hundreds registered events around the world, depending on the year.

The article was published by Global Voices on September 17, 2016.

Supported by several global organizations like Google, Canonical, Free Software Foundation, Joomla, Creative Commons and Linux Journal, Software Freedom Day draws its inspiration from the philosophy promoted by people like Richard Stallman who argue that free software is all about the freedom and not necessarily free of cost but provides the liberty to users from proprietary software developers’ power and influence. SFD encourages everyone to gather in their own cities (here's a map of places where SFD is organized this year), educate people around them about free software, and promote the cause on social media (with the hashtag #SFD2016 this year). There's also hackathons (hacking free software to modify the code and create what one wants to have in it), running free software installation camps, and even going creative with flying a drone running free software.	What are FOSS, free software, open source, and FLOSS? Free and open source software (FOSS or F/OSS), and free/libre and open-source software (FLOSS) are umbrella terms that are used to include both free software and open source software. Adopted by noted software freedom advocate Richard Stallman in 1983, free software has many names — libre software, freedom-respecting software and software libre are some of them. As defined by the Free Software Foundation, one of the early advocates of software freedom, free software allows users not just to use the software with complete freedom, but to study, modify, and distribute the software and any adapted versions, in both commercial and noncommercial form. The distribution of the software for commercial and noncommercial form, however, depends on the particular license the software is released under. “Open source” was coined as an alternative to free software in 1998 by educational-advocacy organization Open Source Initiative. Open source software is generally created collaboratively, made available with its source code, and it provides the user rights to study, change, and distribute the software to anyone and for any purpose.

From South Asia, there are 13 celebratory events in India, eight in Nepal, one in Bangladesh and four in Sri Lanka.

South Asian countries have seen adoption of both free software and open source software by individuals, organizations and the government. The Free Software Movement of India was founded in Bengaluru, India, in 2010 to act as a national coalition of several regional chapters working to promote and grow the free software movement in India.

The Indian government has launched an open data portal at data.gov.in portal for sharing large datasets like the census data under free licenses. The government's new policy emphasizes on adopting open source software. Moreover government's Ministry of Communication and Information Technology asked vendors to include open source software applications while making requests for proposals.

Similarly, there are several free and open source communities and organizations operating from the subcontinent, like Mozilla India, Wikimedia India, the Centre for Internet and Society, Open Knowledge India, Mozilla Bangladesh, Wikimedia Bangladesh, Bangladesh Open Source Network, Open Knowledge Bangladesh, Mozilla Nepal, Wikimedians of Nepal, Open Knowledge Nepal, Wikimedia Community User Group Pakistan, and the Lanka Software Foundation in Sri Lanka.

Mohammad Jahangir Alam, a lecturer from Southern University Bangladesh, argues in a research paper that the use of open source software can help the government save a enormous amount of money that are spent in purchasing proprietary software:

A Large amount of money of government can be saved if the government uses open source software in different IT sectors of government offices and others sectors, Because government is providing computer to all educational institute from school to university level and they are using proprietary software. For this reason government is to expend a large amount of many for buying proprietary software to run the computers. Another one is government paying significant amount of money to the different vendors for buying different types of software to implement e-Governance project. So, the Government can use open source software for implanting projects to minimize cost of the projects.

For more details visit https://cis-india.org/openness/global-voices-september-17-2016-subhashish-panigrahi-it-is-september-and-that-means-it-is-time-for-software-freedom-day

It Took Just 355 Indians to Mine the Data of 5.6 Lakh Facebook Users. Here's How

Admin — 2018-04-07T15:33:46Z

Data privacy in India is still a nascent subject. Experts say cheap data has led to unprecedented Facebook penetration. Often, it is seen that those who open an account are not aware of the privacy concerns.

The blog post by Subhajit Sengupta was published in CNN-News 18 on April 7, 2018. Sunil Abraham was quoted.

Over 5.6 lakh Indian Facebook profiles have allegedly been compromised and their data leaked to the controversial data analytics firm Cambridge Analytica. As per the company, only 335 people in India installed the App yet they managed to penetrate over half a million profiles.

So, how does this work?

Once a user downloaded the quiz app called “thisisyourdigitallife”, Global Science Research Limited got access to the entire treasure trove of data. There are two mechanisms which are used for this.

First, the Application Program Interface (API) of Facebook called ‘Social Graph’ allows any app to harvest the entire contact list and everything else that could be seen on a users’ friend’s profile. This would take place even for private profiles, says Sunil Abraham, Executive Director of Bangalore based research organization ‘Centre for Internet and Society’.

The second way is when users have a public profile. The algorithm seeks out public profiles from the friend list and would go on multiplying from one public profile to another without any of the users even coming to know what is happening. This is like the ‘True Caller’ application, for it to get your number, you don’t need to download the software. If anyone has the app and your number, then it gets automatically logged there.

Facebook says "Cambridge Analytica’s acquisition of Facebook data through the app developed by Dr Aleksandr Kogan and his company Global Science Research Limited (GSR) happened without our authorisation and was an explicit violation of our Platform policies."

GSR continued to access this data from all the Facebook profiles throughout the entire lifespan of the app on the Facebook platform, which was roughly two years between 2013 and 2015. This means, even if a user is careful enough to not download the application but his/her profile’s privacy settings are weak, the algorithm would infiltrate the data bank.

Amit Dubey, a Cyber Security Expert goes into the details of what the app did, “The app called 'thisisyourdigitallife', which was created for research work by Aleksandr Kogan, was eventually used for psychometric profiling of users and then manipulating their political biases. The app was offered to users on the pretext to take a personality test and it agreed to have their data collected for academic use only. But the app has exploited a security vulnerability of Facebook application.”

Facebook “platform policy” allowed only collection of friends’ data to improve user experience in the app and barred it from being sold or used for advertising.

But this kind of data scrapping is not just limited to Cambridge Analytica. The Social Media Algorithm is often abused in the world of data scavenging and analytics. Even law enforcement agencies have often used similar means to locate possible miscreants.

According to Shesh Sarangdhar, Chief Executive Officer in Seclabs & Systems Pvt Ltd, similar data scrapping helped them unearth the terror module behind one of the attacks at an airbase last year. Shesh said that through Social Media Algorithm they would often narrow down on unknown terror modules. What his team did was to connect to the profile the whereabouts of multiple known nods converging. That is how the mastermind was located.

Data privacy in India is still a nascent subject. Experts say cheap data has led to unprecedented Facebook penetration.

Often, it is seen that those who open an account are not aware of the privacy concerns. But as Sunil Abraham puts it, Caveat emptor or ‘Let the Buyers Beware’ does not even apply here. It is not possible for anyone to go through the entire privacy policy.

“So it is not even right to ask if the consumer can protect his/her own interest. Thus, the state should proactively regulate the industry,” said Abraham.

Facebook has brought in a number of changes to its privacy settings. It now allows you to remove third-party apps in bulk. This welcome change has come after sustained pressure on the tech giant from users and a number of regulatory bodies across the world.

For more details visit https://cis-india.org/internet-governance/news/news-18-subhajit-sengupta-how-just-355-indians-put-data-of-5-6-lakh-facebook-users-at-risk

IT Act if enforced will leave internet use in India no freer than in China

praskrishna — 2011-05-18T02:28:38Z

The Centre for Internet & Societies (CIS), a Bangalore-based NGO, recently filed an RTI query with the Department of Information Technology (DIT), asking for a list of websites blocked by the Indian government under the IT Act. The department handed them a list of 11 websites. It was just one department’s list, but this was the first time such a list was being made public. This news written by R Krishna was published by the Daily News & Analysis on May 15, 2011.

"The information given was not comprehensive. For instance, we still don’t know who ordered these blocks," says Sunil Abraham, executive director, CIS, "We will file another RTI application to get those details out."

As of now, Indians enjoy considerably free access to information online, and the right to freedom of expression is protected by the Constitution. But you run into a veil of secrecy when trying to find out what sort of information is being blocked online, who is doing it, and for what reason. The list of 11 revealed by the DIT is only representative — no one can even guess the real number because, well, there is no way of knowing when a website gets blocked.

What is more disturbing is that the government has formulated a set of rules that can block content considered "disparaging", "harassing", or "blasphemous", besides a whole range of other labels that are vague and hence open to interpretation. The rules put the onus of removing such material on intermediaries such as ISPs (internet service providers) and websites that host the content — within 36 hours of a complaint being filed. And just about anyone can request that the content be taken down — all they have to do is write a letter or an email with an electronic signature. There is no provision for the intermediary to challenge the complainant’s assessment of the content in question.

Users will be afraid

In other words, censorship will now be a free-for-all exercise. Protests, such as the one we saw during the Jan Lokpal agitation, can be nipped in the bud since anyone, including politicians, can claim that they are being "harassed". Information revealed by websites like WikiLeaks can be blocked because they may "threaten friendly relations with foreign states".

There is a sense of shock among the handful of netizens who are aware of these rules and the potential for their misuse. "What are we, Saudi Arabia? We don’t expect this from India. This is something very serious," Pushkar Raj, general secretary of the People’s Union for Civil Liberties, has been quoted as saying. MediaNama, a website reporting on the media industry, points out, "Who defines 'blasphemous'?... India doesn’t even have a blasphemy law, so who interprets what is blasphemous or not?" Media watchdog The Hoot’s Geeta Seshu says, "This is chilling. Websites will be wary of putting up content. How can one appeal? How can one have a free discussion on anything at all online?"

Vishal Anand, product manager at Burrp, an online startup that hosts user-generated reviews of restaurants, is worried about the impact it will have on the discussions happening on the website. "I hope the ecosystem is not impacted. Users may be more afraid to respond, and businesses will be afraid about the content they host."

Guilty until proven innocent

The fundamental issue is that the onus is on the carrier or host to prove that the content is inoffensive, if any objection is raised. "The regulation is placing the burden on the intermediary so that there is no need to go to court (to get content blocked). This is going to lead to a lot of private intervention. You will have to go to court to get the content back up online, rather than the other way around," says Delhi-based lawyer Apar Gupta.

In fact, intermediary liability is a contentious topic globally, and this is not the first time it has caused a controversy in India. Back in 2004, Ebay India’s CEO Avinash Bajaj was arrested because a user tried to sell a pornographic CD on its website. This set off a furious debate on the issue, with the government finally agreeing to amend the IT Act. Gupta notes on his blog, "Even after the IT Act was amended, the government failed to make any rules… In the absence of rules, intermediaries continued to be dragged to court and to the police station. This includes a recent incident where an FIR was registered against Facebook."

Checks and balances exist

These developments lend credence to a recent report on internet freedom released by US-based NGO Freedom House, which ranks India 14th out of the 37 countries surveyed. Stating that the internet in India is only "partly free", the report notes, “Pressure on private intermediaries to remove certain information in compliance with administrative censorship orders has increased since late 2009, with the implementation of the amended IT Act. The revised law grants (the government) the authority to block internet material that is perceived to endanger public order or national security… and assigns up to seven years' imprisonment for representatives of a wide range of private service providers… if they fail to comply with government blocking requests." What is even more troubling is that the current rules weren’t even in place when this report was being prepared.

The new rules could worsen India’s internet freedom rankings. Responding to DNA, Sarah Cook, Asia research analyst and assistant editor, Freedom House, said, “We would have concerns over some of the rules and how they came about. This includes broad and vaguely worded censorship criteria, apparent initiation of the regulations "quietly" without significant consultation with key stakeholders, and absence of an appeals process for those who might disagree with censorship decisions."

Legal experts in India too are puzzled by the new restrictions when there are already reasonable restrictions on freedom of expression that the Constitution defines.

"There are anti-defamation provisions in the law. Then why include 'disparaging' in the new rules? Why is impersonating being made illegal? For example, on online dating websites for gays, users may not feel comfortable revealing their identities straightaway. And if somebody is impersonating to commit fraud, there are laws that already exist that deal with it. Instead of incorporating existing offences, the scope of what may be considered illegal is being broadened," says CIS’s Abraham.

The new rules are so broad-based that anyone can claim they are offended and demand that content be taken down, even out of business rivalry.

For example, Zone-H.org, run by Italy-based Roberto Preatoni, was one of the 11 websitesblocked by the Department of Information Technology. This was done after the Delhi High Court passed an ex-parte interim order (where the other party is not present) in the E2 Labs versus Zone-H case to block the website.

"This seems unnecessary since it is some kind of private business battle between E2 Labs and Zone H. Where was the need for the Indian government to get involved?" asks Abraham.

Bangalore-based cyber law expert N Vijayashankar agrees. "Websites are being blocked using interim orders. There is no national interest involved in some of these cases. Plus, there is no need to block the entire website, just a particular page could be blocked."

In fact, one of the webpages blocked was an opinion piece Vijayashankar had written about the Zone-H case on BloggerNews.net. "I had no intimation that the webpage was being blocked," says Vijayashankar, who got to know about the blockage only after CIS published the DIT’s response.

Learn from the world

Globally, excessive regulation of online discussions, particularly those related to political and social issues, can kill the open exchange of information. "In many countries, we saw that new laws, prosecutions, or proactive government censorship contributed to greater self-censorship among users. This is particularly pernicious when it affects discussions that relate to public interest or that affect people's well-being — such as an Indonesian housewife facing high fines for circulating critical comments about a local hospital, the Chinese authorities censoring content on torture in police custody, or the Korean government prosecuting a blogger who posted pessimistic predictions about the country’s economy," says Cook.

Cook acknowledges that balancing the right to freedom of expression against security threats, hate speech or child pornography is quite difficult — even for nations that rank high in their study. But there are a few best practices that India could learn from. "Examples of good practices would include no criminal defamation provisions (though criminal penalties for inciting violence would be appropriate), immunity for online content providers from being held liable for the information posted by their users (there is such a law in the United States), and multi-stakeholder consultations prior to the passing of regulations related to the internet/digital media."

The new rules India has come up with fly in the face of such best practices. Authorities and netizens alike should be on the guard, lest we go the China way.

Read the original story published by DNA here

For more details visit https://cis-india.org/news/it-act-internet-use

IT Accessibility for People with Disabilities Policy and Guidelines

praskrishna — 2017-05-19T15:25:49Z

For more details visit https://cis-india.org/accessibility/files/policy-and-guidelines.pdf

Issue of duplication of identities of users under control: Nilekani

praskrishna — 2013-07-02T10:13:10Z

Nandan Nilekani says UIDAI system almost completely accurate, duplication of identities virtually negligible.

The article by Anirban Sen was published in Livemint on June 29, 2013. Sunil Abraham is quoted.

The Unique Identification Authority of India (UIDAI) chief Nandan Nilekani said the government agency was in preliminary discussions with some embassies to use the Aadhaar project to simplify visa application procedures and that the issue of duplication of identities of users was well under control.

In March, a UIDAI spokesperson told Mint that it had detected 34,015 cases where one person had been issued two Aadhaar numbers. The figures represented a little over 0.01% of the 290 million people who had been enrolled at the time.

Nilekani, who was delivering a keynote address at a three-day conference on the success and failures of information technology (IT) in the public and private sector at the Indian Institute of Management in Bangalore, said the UIDAI system was almost completely accurate and duplication of identities was virtually negligible.

“Knowing what we know now, we believe we have accuracy of upto 99.99%,” said Nilekani, chairman of the Unique Identification Authority of India (UIDAI).

Nilekani, on Saturday, assured that the project was completely secure and user data and biometrics were safe in the hands of the agencies it works with and brushed aside any concerns on security of user data that have been widely raised by Internet security groups and activists.

“We’re not giving any access to data, except when it is resident authorized. It is shared only when a resident participates in a transaction and authorizes the data which is shared,” said Nilekani, who was one of the seven co-founders of India’s second largest software exporter Infosys Ltd. He served as CEO of Infosys from 2002 to 2007.

“The system is also not open to the internet—the system has rings of authentications of service agencies. There are lots of concentric rings of security,” he added. “The biometric data is not used except for enrolment, re-duplication and authentication.”

Internet rights groups and activists such as Sunil Abraham of the Centre for Internet and Society (CIS), a research thinktank that focuses on issues of Internet governance, have often raised concerns over UID’s overtly broad scope and privacy issues in the project.

“We don’t need Aadhaar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a “billions-of-users” scale on the Internet with reasonable security. The Unique Identification (UID) project based on the so-called “infallibility of biometrics” is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies,” Abraham wrote in a blog post on the CIS website last year.

Nilekani also acknowledged that the department had faced several challenges, due to the sheer scale of the project that aims to cover the country’s entire population of 1.2 billion.

“We have had lots of challenges on this project—we have backlogs of enrolment because we have more packets than we can process, we backlogs of letter deliveries because we cannot handle so many letters…but fundamentally notwithstanding those challenges, we believe we are on the right track,” said Nilekani.

Both UIDAI and the census department under the National Population Register project are recording biometric data, which includes fingerprint and iris data. Even though both the agencies reached a truce after a cabinet decision in January 2012 and were allowed to co-exist, there have been several reports of duplication between the two agencies in biometric collection.

UIDAI is not just being used as the main platform for rolling out the government’s direct cash transfer scheme, but is also being regarded as an important authentication scheme for financial transactions and other security measures.

For more details visit https://cis-india.org/news/livemint-anirban-sen-june-29-2013-issue-of-duplication-of-identities-of-users-under-control

iSpirt's Sharad Sharma: Sorry, I trolled Aadhaar critics

praskrishna — 2017-05-26T00:13:38Z

Sharad Sharma, the man who is seen as one of the critical backbones of India's digital drive, profusely apologized on Tuesday for anonymously trolling those arguing for better privacy and security standards in Aadhaar.

The article by Shalina Pillai and Anand J was published in the Times of India on May 24, 2017.

The apology came a few days after Kiran Jonnalagadda, co-founder of developer community platform HasGeek and one of those who were at the receiving end of the trolling, used internet tools to discover the faces behind the trolling.

The trolls allegedly included several other members of iSpirt, the software product association co-founded by Sharma and which leads IndiaStack, a set of technologies that can be used to digitise many everyday processes used by common people. The issue has divided India's nascent startup community like never before, and coming soon after the division over the arrest of Stayzilla co-founder Yogendra Vasupal, there are many who now worry for the ecosystem.This may also explain the apology by Sharma, who has been at the forefront of building this ecosystem.

In the apology mail that he tweeted, Sharma said: "There was a lapse of judgment on my part. I condoned tweets with uncivil comments. So I would like to unreservedly apologise to everybody who was hurt by them. Anonymity seemed easier than propriety, and tired as I was by personal events and attack on iSpirt's reputation, I slipped. I won't be part of anything like this again nor passively allow such behaviour to happen, even in the worst of times."

Nandan Nilekani tweeted in response to Sharma's apology that it was brave of him to do so. Several others in iSpirt also backed Sharma after the public apology . There was a surge of tweets in response to Sharma's and Nilekani's tweets, some welcoming the turn of events and others saying it wasn't enough. Jonnalagadda is among those who are not satisfied. "There were several individuals at iSpirt behind these trolls and Sharma's apology is not enough," he told TOI.

Aadhaar, aggressively pushed by the government, is being fiercely questioned by privacy and security advocates. Though most of these activists say they are asking for implementation of safeguards, the Twitter hashtags used by some of them include #antiaadhaar, #destroyaadhaar and #attackaadhaar, which seem to suggest they are entirely opposed to the authentication mechanism.

Both sides have used intemperate and often abusive language on social media -many using anonymous names. The latest flashpoint was a report by the Centre for Internet and Society (CIS) released earlier this month that said some 135 million Aadhaar numbers were leaked through government databases. There have also been accusations that private companies that verify Aadhaar credentials often get access to the full Aadhaar information of individuals. These provoked the proAadhaar trolls. Jonnalagadda, Nikhil Pahwa, co-founder of the Internet Freedom Foundation, which works on issues including net neutrality, and free expression and privacy on the internet, and Sunil Abraham of CIS were under particular attack.

Some of the iSpirt fellows and volunteers TOI spoke to had little remorse. "I am not saying iSpirt should have done what it did. But I can imagine why iSpirt reacted like this as we all have been under constant personal attack for a year now," said an iSpirt fellow, who did not want to be identified. Jas Gulati, co-founder and CEO at Nowfloats and a volunteer at iSprit, said iSpirt was an open organisation. "Sharad was upfront about it and I think it's very positive."

The Aadhaar privacy advocates, including Jonnalagadda and Pahwa, are clear they value iSpirt, but say it was undermining itself by its actions. One pointed to a February meeting of iSpirt where they created a programme called Sudham that distributed prominent Aadhaar critiques into four quadrants -`Misinformed, fearful and engaging', `Informed, fearful and engaging', `Misinformed and trolling' and `Informed and trolling' -and assigned different members to deal with each quadrant. Some of those who were assigned responsibilities appear to have taken their job too seriously .

Pahwa told TOI, "The work done by the Product Nation initiative at iSpirt is what makes it an important organization. But when people raise questions of IndiaStack and Aadhaar, many in that team respond with venom. iSpirt is unique, in that it is a thinktank that plays the role of an activist and lobbyist with a high degree of influence with the government and so they must develop processes for better governance, transparency and accountability ."

Anand Venkatanarayanan, a senior engineer at NetApp and independent Aadhaar researcher, said iSpirt should not be judged based on what Sharma did. "What we are trying to do is strengthen the Aadhaar system. Currently, they do not even have a process to report bugs. Large companies all have SOPs (standard operating procedures) to deal with issues. UIDAI does not," he said, noting that his views are personal and not that of his employer's.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-may-24-2017-shalina-pillai-anand-j-ispirts-sharad-sharma-sorry-i-trolled-aadhaar-critics

ISOC Report

akriti — 2019-07-03T12:44:43Z

For more details visit https://cis-india.org/internet-governance/files/isoc-report.pdf

Is the WIPO Treaty for Broadcasters Moving Forward at SCCR 27?

praskrishna — 2014-05-02T11:58:15Z

The WIPO treaty for the Protection of Broadcasting Organization: The Way Forward?

CIS statement at WIPO is quoted in this post submitted by Manon Ress to Knowledge Ecology International on April 29, 2014.

On day 2 of Standing Committee on Copyright and Related Rights (SCCR) 27, it looks as if the US delegation was showing the SCCR delegates a "way forward" for a new treaty for broadcasting organizations. It seemed as if US diplomacy was working efficiently and the US proposal was gathering support. However, while the US proposal was indeed gathering support, public interest groups and copyright owners also became more vocal in their opposition to the proposal on the table.

Let me highlight aspects of the first 2 days (Monday and Tuesday 28-29 April, 2014) of discussions on the treaty. Wednesday half day is in principle devoted to conclusions on the first topic of the SCCR 27 and will be dealt with in a separate blogpost.

On Monday, led by Martin Moscoso, a most efficient Chair, the delegates moved quickly through the text (with many alternatives) and discussed the various technological platforms as well as the various forms of transmission for broadcasting. They decided to come up (later) with a matrix to, if not clarify at least simplify the work on the proposal. Monday was about the object of protection (what is a signal?) and Tuesday was about Article 9. which is the Article about rights. The issues were: what are the rights that will be granted or not granted to the broadcasters in the treaty.
Until lunch time Tuesday, the mood was quite optimistic and it was no longer "if there is a treaty" ...but when there is a treaty. Delegates were chatting everywhere and one could almost feel a treaty fever coming to the SCCR again.

The discussions were quite diplomatic but also technical. The Delegates are, after all, copyright and related rights experts obviously enjoying arguing and debating, subject matter protection, scope and of course nature of rights. Here is the Secretariat comprehensive review of Article 9 which include the many Exclusive rights that are on the table.

SECRETARIAT: this very high level. We have for Article 9 on page 8 two alternatives, alternative A and Alternative B. Then we have Article 9 in the annex, a proposal from India and then we also, of course, have the new proposal on, in that document, annex 6, I believe this is covered in Article 6 of the cablecasting organizations.Starting with the working text,Ssccr/27/2rev. Both of these Articles, they deal with exclusive rights to authorize by broadcasting organizations, the first one lists fewer rights it covers retransmission, performance, the use of a pre-broadcast signal with them and then with the performance (?), it leaves it as a matter of domestic law to determine the conditions under which this may be exercised provided that the protection is adequate and effective.

Alternative B has a more extensive list of exclusive rights that broadcasting organizations may authorize.

Fixation, direct, indirect production, retransmission by any means, communication to the public, making available, transmission for the reception by the public following fixation and making available to the public of the original and copies of fixations of broadcasts with respect to this alternative, there are two subparagraphs, two and three, that address some flexibilities. Two says that the indirect reproduction and retransmission rights may be a matter for domestic law where the protection of the right is claimed to determine the conditions under which it may be exercised provided that the protection is adequate and effective.

It is possible under 3 to deposit a notification with the Director General saying that instead of the exclusive right of authorizing providing for in subparagraphs 2, 4, 5, 6 and 7 there could be a right to prohibit with a notification.

Then there's a general final subparagraph talking about adequate, effective legal protection to signals. With the means of the protection being governed by legislation of the country where the protection is claimed.

The Annex includes various proposals and the Chair asked each proponents to explain:
For example, here is the US Intervention:
quote

The U.S. proposal for discussion is found in the annex at page 4, we first suggested this concept a year ago at intercessional meeting and fleshed it out in actual language at the last SCCR session. As we described then, the goal of our suggested language for discussion is to try to cut through the same debate of the scope of rights for this treaty that's been going on for in the range of 15 years now. What we were attempting to do was to identify a single core right, that would be very narrowly focused to address the fundamental concerns of broadcasters, to do so within the scope of the General Assemblies mandate to deal with signal protection, signal-based protection. As you see from the language, I won't go in a lot of detail, we have described this before, we would suggest that no post-fixation rights would be required at the international level, just protection for the signal itself and that after fixation we would be relying on protection for the content rather than the signal so not through this treaty, but through other treaties and through national laws.

So the way we formulated it was to focus on simultaneous or near simultaneous retransmission to the public of both the signal and the pre-broadcast signal because the broadcasters had made a case for the need of protection for pre-broadcast signal as well. As you can see from our proposed definition for discussion purposes we would define near simultaneous retransmission to be a transmission that's delayed only to the extent necessary to accommodate time differences or to facilitate the technical transmission of the signal. So recognizing that -- well sometimes there's a delay but we would be talking about delays of something more like seconds and hours rather than years.

What we would also like to do at this point, rather than spend many hours having everyone discuss again what their original proposals were, perhaps there's a way forward that this committee could consider. We do have a number of complex alternatives with multiple rights for Article 9 before us at this point.

And in the interest of being able to make progress, we would like to put forth an idea for consideration. In the discussion of our proposal for discussion purposes of this new approach we have not yet in the meetings that we have held since we first put it forward, we have not yet heard opposition to the Treaty covering at least that much and the main area of this agreement seems to be whether there should also be additional rights particularly relating to post-fixation uses. So one suggestion we put forward for consideration on how to move forward in this meeting would be to see if we can as a committee try to narrow the range of choices before us and there are a number of ways that this can be done. One possibility would be to say that one choice is the U.S. suggested approach in our proposal for discussion, and the other main choice would be to start with that, but then also add some version of the various post-fixation rights that other Delegations have proposed as the alternative. Maybe there's a way that the proponents could combine some of their catalog of rights into a shorter catalog or a single more general right dealing with post fixation uses and then although certainly the United States isn't in a position to agree to such a broader catalog, we would have a clearer idea of what the two main fundamental approaches are, and that would help us all clarify the situation and present the alternatives to be negotiated as we move forward and make it easier to look for potential compromises.

I don't know if that's entirely clear, and I would be I don't know if that's entirely clear, and I would be glad to describe in more detail what we were thinking about, but we put this out for everyone's consideration as a possible way to move forward rather than just to continue to go in circles with everyone explaining their own position. And again, you know, as we keep saying, we want to stress that all we're talking about again is a international minimum and that doesn't prevent anyone from having the entire catalog of rights that they may have in their current national system to preserving those rights and urging others to adopt them as well. We're looking for something that we can all agree to at international level.

This US Proposal which is about a narrow right (a signal-based approach) and also a way to limit the proposals on the table by having only two fundamental approaches on the table. The signal-based narrow approach or the US proposal by contrast with the catalog of rights proposed by the EU (and its supporters).

One had to note that what was in December for SCCR 26, an informal US proposal in the annex, had gathered many supporters. For example, the US proposal was supported in some ways by India:

INDIA: Good morning, Mr. President.
I think Belarus, the Distinguished Delegate from Belarus and the Distinguished Delegate from the U.S. started the day with good morning, with good initiatives. We're open to discuss those issues. Going back to the comments made by the Distinguished Delegate from belarus, we do agree that no additional protection to the content should be given because content, the content, it is either author or the performer, asper the convention or the WCPT or the sin graphic producer, the producer of the sin graphic or the sound performing. Already the protection, is that.

What we need to protect here, it is the signal as said by the Distinguished Delegate of the United States also. The signal-based approach, that's what it says, the signal has to be protected. If you look at the definition of signal which India has given in annex, Article 5, page 1, it clearly said that the signal means an electronically generated carrier consisting of a specific program whether encrypted or not and then encryption, it is the dpm, we all know that, you know that that's the business model, the technical model followed by most. Coming to the program carried by the signal, that's the broadcast content.

So we have to see what exactly the signal is carrying the broadcast. It contains, you know, various types of Intellectual Property that's a copyrighted material that we can divide into four main categories. One is, of course, the program content, whether it is in-house production, created by -- acquired from the content owner, and then the other content is the advertisement, and then the moment you will see these two things, each has its own look and appearance just like CNN or BBC, the moment that content is on the screen, you know this is CNN content, you know that this is BBC content, even the same if their live casting, this, you see, in the Standing Committee, you know how it is different, it is a CNN journalist, a B cc journal. Then becomes the way they arrange the content, that's the full thing. The way it is presented. So, these are the four things, the signal, broadcast content, content, so various licensing and arguments are there. The advertising appearing between the few seconds in the BBC journal is different than what advertisement of the CNN and apart from the look and feel of the journal, and then coming to the proposal I would like to briefly explain and make sure we're given the Article 9. It is totally based on the signal-based approach in what we have explained here that the broadcasting organization hall enjoy the right to prohibit if done without authorization the rebroadcast of the signal through traditional procedure casting means, so rebroadcast not only the broadcast, the rebroadcast has to be protected. Here the question of fixation comes, you know, the fixation to be allowed only for the purposes of the rebroadcasting are in the near simultaneous broadcast, which was our Distinguished Delegate from the U.S. was telling, maybe deferred on the delayed -- unless you fix it, you don't do that. Coming to the simultaneous broadcasting, the U.S. Delegate was talking about, here simultaneous in the traditional sense only, it is clear it is a signal-base aid approach in the traditional sense, not the webcasting or simulcasting, what we need to protect here, if any unscrupulous guy, unauthorized manner taking this program-carrying signal, putting it over the internet, the investment of that broadcaster has to be protected. So that's what our proposal talks about, not about the simulcasting, live screaming and other platforms. So there -- otherwise, we will be including the webcasting and simulcasting in the traditional approach. In the traditional platform doesn't carry the webcasting of the simulcasting in the traditional sense and also in the webcasting. That's the simulcasting, doing the same thing, in two different platforms.The simulcasting can be allowed here in the traditional sense, if the BBC wants to, at the same time, broadcasting the same problem, the reach of the B cc in that territory would be different and it is different, they're covering different parts of the world.

So, that's what I would approach here. Then with that, the Distinguished Delegate from U.S. raising the post mixation rights, one significant until appears on the screen, there is l. C or led, nowadays the technology, it is crazy. It is on the screen. So only the content, not the signal. So the fixation of signal, then post-fixation don't come in the signal-based approach. What we need to do is the Protection of Country the signal and if fixation is coming, that fixation is allowed only for the rebroadcast, deferred or delayed broadcast purposes. We'll come back in these issues as the further discussion continues.
Thank you.
And by by Mexico.
> MEXICO: Thank you, Chairman. It gives me great pleasure to see you Chairing and you have the full support of my Delegation in all your work and moving forward in the topics of this committee such valuable work from Mexico. I would like to thank the Secretariat for the document that they provided us with in such a punctual manner. Thank you for helping us with our work. I would like to recall all Delegations. That we need to be seeking the establishment of general standards to feel more comfortable within the legal framework of these particular topic. We shouldn't be looking for participation on any individual basis because we will move forward with our work.

I recall that any international Treaty has to be based on general principles and not on details and the details should be stipulated in the respective domestic legislation of each Member State. On that note I would like to support the proposals from the Distinguished Delegate from the United States that we should, yes, move forward in this way with the work of this committee
And by Japan:
JAPAN: Good morning, Mr. Chair.
Good morning, everyone. I'm speaking on behalf of the Japanese Delegation.
We're in the position to support the suggestion by the Distinguished Delegates from the U.S. to put to option related to scope of protection. With respect to scope protection, some Member States seems to find great value in wide variety of rights including fixation rights, including the right of production and the right of making available after the fixation. For such members, post-fixation rights should be included in this Treaty. On the other hand, some Member States are of the view that the minimum fixation rights, simultaneous or near simultaneous retransmission and the right of pre-broadcast is enough under this Treaty.

Here we would like to point out that in order to find the way forward in our discussion more flexible approach may be necessary. From our perspective one possible way while setting the common denominator among all Member States of subject matters for minimum mandatory protection, other rights which not all the members must -- most members think is necessary and this is treated as the subject matter for optional protection. Of course, even if we take such an approach we have to further discuss which rights should be mandatory protection and which rights should be optional protection.

And by South Africa:
SOUTH AFRICA: Thank you very much, Mr. Chairman.
In fact, I would like to associate myself with the previous speaker, Mexico and the U.S. I think it would be better to have just a general and another scope of rights for the broadcasters sips we're dealing with the signal-based approach and so as always to avoid having to include issues and list of issues that are covered by other Treaties. It may cause a problem in the long run in the sense that some Member States may find themselves want to be a part of this Treaty having to do a balancing act as to whether they need to join into this Treaty to be parties to the other Treaties or to the other issues that are being included in this particular Treaty. It would favor a very narrow, general scope of rights as I think the U.S. has captured that very well. I think it will help us to move forward. Otherwise we'll never -- a long, protracted kind of discussion and we have a very good experience in this, we have been looking at this for a very long time and part of the problems lie in this -- having a very long list of rights and so on, so on. I think that domestic legislation can do justice into the catalog of rights that Member States will now want to prescribe.

But things were not that easy with the EU:
EUROPEAN UNION: Thank you very much, Mr. Chairman. Good morning to everyone. We tried to look at all the possibilities and options on the table and tried to think of some matrix as you proposed yesterday for which we have to find for both the object of protection and for the rights. Looking at what was presented and discussed today, we tried to put this into some kind of order also in response to the proposal by the Delegation of The United States. What I will present now is our understanding of where we understand with these discussions on various rights and, of course, there may be rates where we have not understood properly.

To us, it seems that there is a consensus in the room as to simultaneous, as to the right to authorize a prohibited or prohibit simultaneous retransmission by any means. As long as we talk about simultaneous retransmission we think from the discussions that took place here, but everybody agrees with simultaneous transmission, that should be covered by the catalog of rights.
Then the other category, the important category here, are any transmissions from fixation. In our view, we should in a way separate the discussion on transmission from fixation from other post fixation points. I think often we use here the term simultaneous retransmission versus post-fixation rights. I think there is a bit of a more nuance to the situation here because we have the post fixation rights because of the reproduction and distribution which we'll talk about later. We have the core right here, the core right which is a retransmission from fixation.
In the U.S. proposal there is also an element of such transmission from fixation as far as we understand, but it is limited. It is limited by technical means and limited in time because it is only to take account of time zones.

In other alternatives that we have on the table as far as we understand in the working document, alternative A, Alternative B, the proposal which was presented today by Belarus on behalf of some members of the CACEEC group, and to the extent that we understand the proposal of the Delegation of India, all these proposals include the right to authorize and prohibit only the right to prohibit in case of the proposal from India transmissions from fixation. We have -- atlas the way we see it, on one side we have the U.S. proposal with transmissions from fixations limited in some way and specifically in time, and then we have a number of proposals where we have transmissions from fixations included. For us, that would be the second block after the simultaneous retransmission, the second block to look at is this block of transmission from fixation. Within this block there are a number of Delegations that in the very explicit way include the so-called making available right. This is the case of Alternative B in the working document, this is the case of the proposal -- proposal presented by Belarus today and this of course has been the position of the European Union as well.

So that's for us, the second thing to look at, maybe to put in this matrix.

We would like to somehow maybe separate this block of transmissions from fixation from what we usually call post-fixation rights. When we move to post-fixation rights you have -- this is always interesting, helpful to look at the table proposed by by the Japanese Delegation, there are a number of rights so that you have the right of fixation itself, of course, that's not exactly post-fixation rights but I think belongs to this group of rights, reproduction and distribution and the right of public performance in places without accessible, for repayment of the fee. All these rights, we think belong to this third block. To be looked at.
Of course, there are certain overlaps, when you look at the various proposals, some extend to all the rights, some extend to only some of these rights. In our view, these three groups are -- it is something to be looked at.

Further, I think if we look at this, if we create in matrix in that sense, it will help us to move further. Then, of course, for us, the next step of the discussion is to then understand in more detail various proposals and I'll just give a couple of examples. I think it is clear for everybody in the room to understand the proposal of the United States on near simultaneous transmission T will have to be very clear what is near simultaneous means, and especially since it is limited in time, in the U.S. today, they indicated, that limited in time not in terms of years, but rather in terms of hours or let's say shorter periods of time, it is very important to know how this would be, how it would be understood and how it works in practice. I think as regards to proposal from India, one thing for us is still maybe not entirely clear is this reference that in all cases the protection has to be subject to the extent of rights acquired from the owners of copyright and related rights. That's, for example, in terms of transmissions of sport events, which are not covered by copyright, we don't understand how this would be covered or whether the proposal of India is, but these would not be covered at all by these Treaties but there is a number of issues that we can go into more depth with each of these proposals. I think that the final, final block is what kind of rights are we talking about in terms of exclusive rights, rights to prohibit. That's all other rights.

In a number of these proposals, we have the right to offer us and prohibit, why for example in the proposal from India we have clearly right to prohibit. That's the final element of the matrix with which we have to look at because maybe not necessarily for all of the rights we have to have the same right. In the sense the same category of right. Maybe we can have some rights that are exclusive rights and for some rights, rights to prohibit, of course, we should not finally forget the protection for the pre-broadcast signal because we have not mentioned it today, but I think on that element also there is quite a broad consensus to have this as a right to the protection for pre-broadcasting. Thank you very much.
After quite a few confused and confusing interventions, the US took the floor again urging the delegates to separate the two main issues, what are we trying to protect and with what rights:
United States.

A lot of issues have been raised in the last round of interventions. I do think it is important to keep our minds fixed on the idea that there is two separate issues and one is the scope or object of protection and the other is what the nature of the rights are. Sometimes I think we're conflating them in the discussions, if we look at the matrix, the object of protection, what that is, I just wanted to note one more time while we've got the broadcasters in the room that I do think there is still some open questions that would be good to get answers to if not -- if it is not possible to get the answers this week, then the next time that this committee meets, and those were my questions about to what extent the uses of new technology described by the BBC and summarized in Japan's little summary document, to what extent the uses of new technology have become standard and how widely adopted they are among broadcasters in different countries and of different types and sizes. I think that would be helpful to know.

Also where the piracy takes place, where it is that those who are Pirating, getting the signals from would be useful to know as well and I partly raise these questions because to the extent we're debating the inclusion of or consideration of simulcasting, deferred, on demand transmission signals, in addition to the question of what extent the piracy problems would be covered by copyright in the content and another question with could be could this be seen an an issue of infringe.

Rather than the issue of protection. If we're protecting over the air broadcast signals, is the problem that the piracy of those signals is taking place using the simulcast versus using the actual over the air broadcast. That's why I see the issues as related, and I think it would be helpful to get more answers to those questions as we look at whatever matrix is prepared.

In terms In terms of the rights, the Article 9 issues, the EU asked a number of questions, I think the Delegate from the EU is correct that there's -- it is not just that the rights are prefixation and post fixation, there is probably at least three different types of things we're talking about. In the language the U.S. has proposed for discussion we're not presuming that the existence of a fixation at any point along the way negates the right, not at all. In fact, you certainly could have a simultaneous, near simultaneous near transmission of the public even where the retransmission is made from a fixation and indeed some technologies may require the use of a fixation to enable the retransmission.

I think what we're focusing on is the idea that there is no right to control the fixation itself or what is otherwise done with subsequent copies, including consumer copying, that would not fall within the right.

Then, just to say that we appreciated the comments from the Delegate of Brazil and also wanted to clarify our proposal was really a matter of process, not substance. We agree with Russia that we're looking to move this forward and so even though our view is that a single right rather than a combination is the most likely way to be able to make progress and move the debate forward, and achieve an outcome, we also think we could make progress here this week if we could simplify the full range of rights that are on the table and figure out a way to present two options for consideration and further negotiation.

That would only be for purposes of the negotiation rather than an agreement on substance at this point, that that's the right approach so then each of us could still be able to convince other Member States of our own view or to find some way to accommodate the concerns once we see what the two approaches clearly are.

It is a matter of process to be able to move forward from the complex text that we currently have before us.

Then just finally, we also agree that we still have open the exact wording of what the right would be in Article 9, is it a right to authorize, exclusive right to authorize, a right to prohibit, prevent, maybe at this point in time we need to keep those things in brackets also for further consideration, negotiation, including the issue razed by the E.U. Delegate that possibly the exact wording may be different depending on what the right is that we're talking about.

Following the US intervention, India discussed the very many different kind of piracy. Then, the Chair gave the floor to the NGOs and before lunch, the NAB (the demandeur for the treaty) made some clarifications related to the Monday presentation by the BBC (the red button or on demand webcast of BBC programs). Which was followed by KEI which stated:
quote.

This is not a treaty about copyright piracy but a special ride for broadcasters. I think it is not a good idea to sort of refer to cases where there is already a right, the copyright owners have (kei) unless you make it relevant to what's discussed here this week. IP rights are a form of regulation, and they create monopolies, rights to exclude, new layers of rights to clear, a shrinking of the public domain, and more obligations for consumers, libraries, businesses to pay more money not to copyright holders,but to the distributors of content. Don't go overboard. Don't approach this like you're a rich relative giving gifts to nephews and nieces, interventions should be narrow and only where they're actually needed to solve a problem like signal piracy to the extent that it is understood and can be remedied through an instrument, or to achieve a predictable, a desired redistribution of income to broadcasters. You're in this case extending rights to entirely new beneficiaries, it is not just people that broadcast in radio and television which was what the Rome convention addressed and make the service available that no one could charge for. Now you're talking about pay services protected by under legal protections such as regulatory provisions, contracts, theft of service laws, you're talking about cable tv service shut off if you didn't pay, cable -- satellite services that are shut off if you don't pay, you're talking about a wide-range of internet delivery issues and people are talking about post fixation rights.

You have what the BBC has described, you have people talking about services now provided under services in the United States such as hulu using platforms like these decidings, tablet computers, the explosion of services, and most of the people doing most of the innovative services outside of BBC are not here demanding a WIPO treaty but doing things, it is working, exploding and it is happening without this new form of regulation. So, I would say conclude by saying that the Rome convention or the WPPT or the Beijing treaty should not be the basis of the rights. Those rights already exist, they address different issues. You're talking about something new today and this new thing should be justified by some coherent explanation of a problem you are trying to solve and should be comfortable because of the cost of the regulation you're introducing to the information society is somehow justified by the benefit.

The Chair called then on the American Society of Archivists:

Thank you, Mr. Chair. On behalf of the society of American Archivists, the largest organization of archivists, we want to commend you for the continued wise chairmanship of the srcr and thank you to the Secretariat for the excellent support of the Committee's work. For decades archives included not just paper records but also important sound and video recordings, many of which have come from broadcasters. These are invaluable documents for connecting society to its past. Think of a major event in the past 15 years, the fall of the Berlin wall or the collapse of the twin towers on September 11th, without the video images that were created, these are the documents that will provide the stuff of history that connects future users to the archives. Thus, regardless of whatever measures are put into place to provide the signal protection that broadcasters need, the new rights should not add any further layers on the already existing copyright protection that exists in the content. Over the long passage of time the archives have to span, and given the vigories of institutions that disappear with regularly, adding a new right on broadcast content would add imher rationally for the orphan work in providing abscess to the dock ministry sector that is such an important part of society's historical record. After the lunch break, eIFL took the floor. The giddy mood of "moving forward" that we had witnessed in the morning was slowly changing (the momentum keep changing said a broadcaster sitting behind me).
[...]
eIFL: As stated at previous sessions of this Committee we see no compelling public policy reason for a new international treatment on the protection of broadcast organisations because piracy of broadcast signals is adequately dealt with under existing laws and treaties as outlined in the earlier statement by KEI. And the creation of a new layer of rights that affects access to content is of great concern to librarians because it imposes an additional barrier on access to knowledge especially to content in the public domain.

As stated which the Delegation of Ecuador, a new layer of rights will in addition to creating problems for users create froshes rights holders of content that will impact on their ability to freely licensed their works. Libraries have practical experience of such over protection caused by multiple layers of rights. For example, a library in northern Europe wanted to publish a sound recording from their archive that was originally broadcast in the 1950s. The recording was taken from a rebroadcast in the 1980s. And all of the performers'rights had expired and the authors waived their fees due to the importance of the work, the library had to pay $10,000 for the permission to use the recording because the signal protection applied also to the the retransmission.

So for many libraries, as you can imagine, such costs are out of the question. As a result, socially valuable works remain inaccessible in libraries and archives, depriving the public of the enjoyment of their work. So Distinguished Delegates, please consider the costs to taxpayers and society as well as the perceived benefits of this proposed treaty. Thank you.

After the Libraries, --except for the European Broadcasters under ACT which came to support the NAB and the proposed treaty--, other consumer/public interest groups such as TACD and CIS (India) followed by many many right holders (copyright holders or as they say at WIPO content owners) such as IFPI, FILA, BCC and FIAPS (representing authors, performers, music producers) took the floor one after the other to express their strong opposition to the proposed treaty. The main point for the Music industry representative was that before the broadcasters get a new exclusive rights, they should first recognize the rights of the music producers and pay for music that they broadcast. While this is actually happening in many countries already, the US broadcasters do not pay and that should change first according to the IFPI. Finally (and that was a surprise for many), a representative from Direct TV attending the SCCR for the first time expressed its strong concerns for a treaty that would give broadcasters exclusive rights and thus more power to control the media market.

Here is the Indian NGO CIS statement:
We have some concerns regarding the intended scope and language of Article 9 in Working Document SCCR/27/2 Rev. We believe that this expands the scope of this proposed treaty and is likely to have the effect of granting broadcasters rights over the content being carried and not just the signal. On this issue, we have two brief observations to make:

First- Article 9 envisages fixation and post fixation rights for broadcasting organizations- for instance among others, those of reproduction, distribution and public performance This, we believe is not within the mandate of this Committee, being as it is, inconsistent with a signal based approach.

Second- we express our reservations on the inclusion of “communication to the public” reflected in Article 9 Alternative B, which also relates to the definition of communication to the public under alternative to d of Article 5 of this document. Communication to the public is an element of copyright and governs the content layer, as distinct from the “broadcast” or “transmission” of a signal.

Therefore, attempts to regulate “communication to the public” would not be consistent with a signal based approach.Notes during the excellent IFPI statement as well as statements by the other copyright owners will be in my next blog for your enjoyment.

For more details visit https://cis-india.org/news/knowledge-ecology-international-manon-ress-april-29-2014-is-wipo-treaty-for-broadcasters-moving-forward-at-sccr-27

Is the govt bid to regulate content on the Internet a good thing?

praskrishna — 2011-12-08T07:12:24Z

The recent move by Union Minister Kapil Sibal to engage leading Internet platform providers like Google, Facebook, etc in regulating content has seen netizens react in different manners. The question of freedom of expression vis-a-vis objectionable content has come to the fore. Pranesh Prakash who deals with such issues on a regular basis at the Centre for Internet and Society was answering questions (more like comments) live on CNN-IBN's chat feature on December 7, 2011.

Q: OK... then how about this... People report abuse against a page...and after some hits that report will go to the governmental organization, and they will decide on what action to take... this may include hiring of some IT services company to do that and gives more employment to people too. Anyways thanks for replying to my questions.

Asked by: Tilak Kamath

A: How about just approaching courts, who are in a far better position to judge what is legal and what is illegal under Indian law than any IT services company or government organization.

Q: Suppose a group of rabble rousers does indeed use a forum and become violent, (the group being identifiable) would the state have the right to ask the forum to be discontinued?

Asked by: Zeus

A: Of course (if what you meant is 'the right to ask the forum to remove the violence-inciting content'). Indeed, this is how ultra-left wing and ultra-right wing publications that advocate violence (which is an imminent threat) are proscribed in India. And the same laws already apply for online fora. But just as you wouldn't ban a newspaper like DNA for carrying an offensive article (such as the anti-Muslim screed written by Subramanian Swamy a few months back), and just as the postal service wouldn't be discontinued for carrying Maoist letters, a forum shouldn't be banned for offensive content. There is no need for a new 'self-regulation code', since the 'report abuse' links found on many of these sites are exactly that: self-regulation.

Q: Article 19(2) of our constitution places arbitrary and subjective restrictions on free speech - public order, decency, morality are all subjective, according to the whims and fancies of those who are in control. Aren't you concerned this is going down the exact path (ignoring that this is impractical to begin with)?

Asked by: Karunakaran

A: No, because there is a rich jurisprudence laid down by the Supreme Court of what is and what isn't a "reasonable restriction". While I do believe that our Constitution does go beyond what the International Covenant on Civil and Political Rights (to which India is a signatory) allows for, Article 19(2)'s interpretation by the Supreme Court and the High Courts have been very progressive for the most part.

Q: The government has a mandate to govern and keep the society in harmony and take care of law & order... If no check on the expressions of netizens the chances of a spark generating debate can escalate to violence given the extremism we see today. The media in print as well as electronic we know & see does it's CENSORING, calling it as editing and publishing only what it likes and wants.This style is for all including CNN-IBN.The difference is in media, the EDITOR gets responsible in case of offensive or blashphemous material gets published. Social network the responsibility seems missing. Freedom always needs to be enjoyed with discipline. How do you the minority indisciplined netizens, who are there and no denying on that ?

Asked by: sundar1950in

A: I believe that killing speech is not the right way to prevent violence. Indeed, a newspaper editor in the Maldives recently noted that they have had less violence committed against the newspaper office ever since they allowed for online comments. Speech often allows people to vent out violence instead of acting it out. Violence should be curbed by reining in those who're committing it, and those who're inciting it on the ground. At any rate, the laws that apply to inciting violence in print apply to the Web also, and no new rules need to be drafted.

Q: Thanks for the information on the report abuse button. but can't we have a Governmental agency regulating websites like FB or Google... they can't say no, cos India is a Huge market for such companies.. and why don't we find many ultra offensive posts about the U.S. or other countries, as we find for Indians..

Asked by: Tilak Kamath

A: That would be a very bad idea. Governments don't have a regulatory agency to dictate what letters post-offices shouldn't carry, nor what articles newspapers shouldn't publish. They should definitely not have a regulatory agency dictate what status updates Facebook or Google+ should and shouldn't carry. You don't find ultra-offensive posts about the U.S. because you aren't looking around. They're *everywhere*, even more so than those that bad-mouth India. Yet, such offensive speech is the price we have to pay (gladly, I should add) for democracy and the freedom of speech.

Q: The idea to ban any post on something that would lead to communal strike is fine however, I feel this is not the intention. The intention is clearly political and due to the Anna movement becoming popular thanks to the posts on the internet as also certain remarks on the Gandhi family in particular and Congress leaders specifically has led to this decision. Kapil Sibal is a smart alec and he knows that this can be used against any adverse comments against them.

Asked by: Arun

A: I am less suspicious of Mr. Sibal. I believe, especially after speaking with some senior lawyer friends of his, that he genuinely believes what he is doing to be required and legal and constitutional, and not for the appeasement of one or two Congress leaders. That, however, does not make his suggested solution correct. Multiple High Courts' decisions have held otherwise, and the Supreme Court's decision in Ajay Goswami v. Union of India also provides them support.

Q: One best possible thing is to advertise the Report Abuse button on the Internet, don't you think so? again there should be proper authentication to do so to avoid miscreants blocking some good pages unnecessarily.

Asked by: Tilak Kamath

A: I believe that the "Report Abuse" option available on most large social media and social network websites is useful, but it is also potentially dangerous since it allows a private party (such as Facebook or Google), rather than a court, to dictate what content is and isn't acceptable, to the possible detriment of larger society.

Q: Good evening sir, my question is that it is legal to pre-screen the private data of users by sites and to interfere between their privacy.

Asked by: Shrey Goswami

A: Whether this proposal by Shri Sibal necessarily involves an invasion of privacy is an open question, since the details of the proposal as as yet not fully sketched out. On Google Plus and Facebook, one can restrictedly share information. Will such restricted sharing also have to be pre-screened, or only information that is going to be available to all members of the public? The proposal still consists only of press articles and a press conference held by the Minister. Even assuming it only require pre-screening of information that is going to be publicly accessible, it imposes too high a burden on intermediaries, and is impractical. And, as you might be aware, only very limited pre-censorship is allowed in India, and such a general requirement of pre-censorship does not seem to be constitutional, in my opinion.

Q: Yes, we were browsing FB yesterday and some content in there, could not be opened in front of my children. So Content is not always good, and there must be some kind of screening. Again, the current trend in India, to think that whatever the government does is not at all a good one. Governing must be left to government and not to news channels/civil society, etc. This looks dangerous, and sad no one is realising this.

Asked by: Narayanan S

A: Perhaps I should allow former Supreme Court Justice Hidyatullah's words speak for themselves: "Our standards must be so framed that we are not reduced to a level where the protection of the least capable and the most depraved amongst us determines what the morally healthy cannot view or read." - Justice Hidyatullah in K.A. Abbas v. Union of India. In the Janhit Manch case, the Bombay High Court held: "By the present petition what the petition seeks is that this court which is a protector of free speech to the citizens of this country, should interfere and direct the respondents to make a coordinated and sustained effort to close down the websites as aforestated. Once Parliament in its wisdom has enacted a law and has provided for the punishment for breach of that law any citizen of this country including the Petitioner who is aggrieved against any action on the part of any other person which may amount to an offence has a right to approach the appropriate forum and lodge a complaint upon which the action can be taken if an offence is disclosed. Court in such matters, the guardians of the freedom of speech, and more so a constitutional court should not embark on an exercise to direct State Authorities to monitor websites. If such an exercise is done, then a party aggrieved, depending on the sensibilities of persons whose view may differ on what is morally degrading or prurient will be sitting in judgment, even before the aggrieved person can lead his evidence and a competent court decides the issue. The Legislature having enacted the law a person aggrieved may file a complaint."

Q: Kapil Sibal has not been able to give conviction to objectionable content as social unrest can't take place through web and it needs well oiled machinery and as far as using offensive language against politicians is concerned it won't be curtailed through web and it will require better self regulation among politicians rather than being irresponsible

Asked by: Rij

A: I agree completely.

Q: Do you feel that Government (Congress in particular ) is trying to impose restrictions on social media to stifle the peoples anger against the Government and its leaders due to various scams and corruption?

Asked by: Santosh

A: No. I am taking Mr. Sibal's words at face value, that what they are trying to prevent is hate speech, inciting speech. Still, the means of doing so are undemocratic, ignorant of how the Internet functions, and liable to have very harmful consequences on our polity.

Q: Are our laws going to be like those in gulf countries with respect to censorship? In the name of communal messages, is there a motive to censor something else?

Asked by: Gaurav

A: It doesn't matter what the 'ulterior motive' is, and I'm not sure there is one. The touchstone should should be that of our Constitution and Article 19(1)(a), which guarantees freedom of speech and expression with the Article 19(2) laying down the reasons for which reasonable restrictions can be laid down. And in many ways our laws are worse than those in Saudi Arabia. There at least when a website is blocked or content removed the public is notified when they try and access the content. In India, there is no such notification.

Q: Is this being done as the politicians on the whole and congressmen in particular are not upon notwithstanding how true the comment is. Is it particular so when they are charry if any adverse comment is made on the Gandhis. All these politicians who have opted for public life need to be open for adverse comments as they are in the public limelight and or it is their privilege.

Asked by: Arun

A: The examples being cited by Kapil Sibal are of harming religious sentiments and inciting hatred. Be that as it may, even if the content deserves to be removed—and I can't comment until I see the content he finds offensive—doing so by mandating pre-censorship by intermediaries with liability fixed on them otherwise is a wrong way of going about it.

* The chat is over. Read the original published in IBN Live Chat here

For more details visit https://cis-india.org/news/ibn-live-chat-with-pranesh

Is India's Digital Health System Foolproof?

aayush — 2019-12-30T17:58:00Z

This contribution by Aayush Rathi builds on "Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?" (by Aayush Rathi and Ambika Tandon, EPW Engage, Vol. 54, Issue No. 6, 09 Feb, 2019) and seeks to understand the role that state-run reproductive health portals such as the Mother and Child Tracking System (MCTS) and the Reproductive and Child Health will play going forward. The article critically outlines the overall digitised health information ecosystem being envisioned by the Indian state.

This article was first published in EPW Engage, Vol. 54, Issue No. 47, on November 30, 2019

Introduced in 2013 and subsequently updated in 2016, the Ministry of Health and Family Welfare (MHFW) published a document laying out the standards for electronic health records (EHRs). While there exist varying interpretations of what constitutes as EHRs, some of its characteristics include electronic medical records (EMRs) of individual patients, arrangement of these records in a time series, and inter-operable linkages of the EMRs across various healthcare settings (Häyrinen et al 2008; OECD 2013).

To work effectively, EHRs are required to be highly interoperable so that they can facilitate exchange among health information systems (HIS) across participating hospitals. For this, the Integrated Health Information Platform (IHIP) is being developed so as to assimilate data from various registries across India and provide real-time information on health surveillance (Krishnamurthy 2018).

EHR Implementation: Unpacking the (Dis)incentive Structure

As the implementation of EHR standards is voluntary, anecdotal evidence indicates that their uptake in the Indian healthcare sector has been very slow. Here, the opposition of the Indian Medical Association to the Clinical Establishments (Registration and Regulation) Act, 2010, resulting in nationwide protests and subsequent legal challenges to the act, is instructive. To start with, the act prescribes the minimum standards that have to be maintained by clinical establishments which are registered or seeking registration (itself mandatory to run a clinic under the act) [1]. Further, Rule 9(ii) of the Clinical Establishments (Registration and Regulation) Rules, 2012, drafted under the act, requires clinical establishments to maintain EMRs or EHRs for every patient. However, with health being a state subject in India, the act has only been enforced in 11 states and all union territories except the National Capital Territory of Delhi (Jyoti 2018). The resistance to the act is largely due to protests by stakeholders from within the medical fraternity regarding its adverse impact on small- and medium-sized hospitals (Jyoti 2018).

Contextualising Clinicians' Inertia

Another major impediment to the adoption of EHRs by health service providers is reluctance on the part of individual physicians to transition to an EHR system. This is because compliance with EHR standards requires physicians to input clinical notes themselves.

Comparing the greater patient load faced by doctors in India vis-à-vis the United States (US), the chief medical officer of an EHR vendor in India estimates that the average Indian doctor sees about 40–60 patients a day, whereas in the US it may be around 18–20 patients (Kandhari 2017). This is suggestive of the wide disparity in the number of physicians per 1,000 citizens in both countries (World Bank nd). Given this, doctors in India tend to be more problem-oriented, time-strapped, and pay less attention to clinical notes (Kandhari 2017). Thus, clinicians will consider a system to be efficient only if the system reduces their documentation time, even if the time savings do not translate into better patient care (Allan and Englebright 2000). The inability of EHRs to help reduce documentation time deters clinicians from supporting their implementation (Poon et al 2004). Additionally, research done in the United States indicates that there is no evidence to suggest that an information system helps save time expended by clinicians on documentation (Daly et al 2002). Moreover, the use of an information system is stated to have had no impact on patient care, but doctors have acknowledged its use for research purposes (Holzemer and Henry 1992).

Prohibitive Costs of Implementation

While national-level EHRs have been adopted globally, their distribution across countries is telling. In a survey published in 2016 by the World Health Organization, wealthier countries were over-represented, with two-thirds from the upper-middle-income group and roughly half from the high-income countries having introduced EHR systems. On the other hand, only a third of lower-middle-income countries and 15% of low-income countries reported having implemented EHRs (World Health Organization 2016). A major reason for the slow uptake of EHRs in poorer countries is likely to be funding as EHR implementation requires considerable investment, with most projects averaging several million dollars (US) (Kuperman and Gibson 2003). Although various funding models for EHR implementation are being utilised globally, it is unclear what model will be adopted in India to bring in private healthcare service providers within its ambit (Healthcare Information and Management Systems Society 2007). This absence of funding direction for private actors poses to be a significant impediment in the integration of private databases with other public ones.

In general, poorer countries are also more likely to have less developed infrastructure and health Information and Communication Technology (ICT) to support EHR systems. Besides this, they not only lack the capacity and human resources required to develop and maintain such complex systems (Tierney et al 2010; McGinn et al 2011), but training periods have also been found to be long and more costly than expected (Kovener et al 1997).

Socio-economic Exclusions and Cross-cultural Barriers

There exists scant research investigating the existing use of EHRs in India, though preliminary work is being undertaken to assess EHR implementation in other developing countries (Tierney et al 2010; Fraser et al 2005). Even in the context of developed countries, where widespread adoption of EHRs has been gaining traction for some time now, very little data exists around implementation and efficacy in underserved regions and communities. This is further problematised as clinical information systems and user populations also vary in their characteristics and, for this reason, individual studies are unable to identify common trends that would predict EHR implementation success.

Underserved settings may lack the infrastructure needed to support EHRs. The risk of exclusion already exists in parts such as difficulties inherent in delivering care to remote locations, barriers related to cross-cultural communication, and the pervasive problem of providing care in the setting of severe resource constraints. Equally important is the fact that health workers who already report significant existing impediments in their delivery of routine care in these settings do not necessarily see EHRs as being useful in catering to the specific needs of their patient population (Bach et al 2004). Moreover, experience with EHRs also reveals that there are cultural barriers to capturing accurate data (Miklin et al 2019). What this could mean is that stigma associated with the diagnosis of conditions such as HIV/AIDS or induced abortions will result in their under-reporting even within EHR systems.

Stick or Twist?

Other modalities have been devised to nudge healthcare providers into adopting EHR standards voluntarily. The National Accreditation Board for Hospitals and Healthcare Providers (NABH), India, a constituent board of the Quality Council of India (a public–private initiative), has been reported to have incorporated the EHR standards within its accreditation matrix. NABH accreditation, considered an indicator of high quality patient care, is highly sought–after by hospitals in India in order to attract medical tourists as well as insurance companies: two prominent sources of income for hospitals (Kandhari 2017). Additionally, NABH accreditation is valid for a term of three years, thus requiring hospitals seeking to renew their accreditation to adopt EHR standards as well.

Another commercial use of EHR has been in health insurance. The Federation of Indian Chambers of Commerce and Industry (FICCI) and the Insurance Regulatory and Development Authority (IRDAI) have both voiced their support for expediting the implementation of the EHR standards (EMR Standards Committee 2013). Both, the FICCI and IRDAI have placed emphasis on adopting EHRs, seeing it as a necessary move for formalising the health insurance industry (FICCI 2015). They have also had representation on the committee that sent recommendations to the MHFW on the first version of the EHR standards in 2013 (FICCI 2015). FICCI had additionally played a coordination role in having the recommendations framed for the 2013 EHR standards.

Fluid Data Objectives

The push for EHR implementation is emblematic of a larger shift in the healthcare approach of the Indian state, that of an indirect targeting of demand-side financing by plugging data inefficiencies in health insurance.

The draft National Health Policy (NHP), published in 2015, reflected the mandate of the Ministry of Health and Family Welfare to strengthen the public health system by creating a right to healthcare legislation and reaching a public spend of 2.5% of the gross domestic product by 2018. The final version of the NHP, published in 2017, however, codified a shift in healthcare policy by focusing on strategic purchasing of secondary and tertiary care services from the private sector and a publicly funded health insurance model.

In line with the vision of the NHP 2017, in February 2018, the Union Minister for Finance and Corporate Affairs, Arun Jaitley, announced two major initiatives as a part of the government’s Ayushman Bharat programme (Ministry of Finance 2018). Administered under the aegis of the Ministry of Health and Family Welfare, these initiatives are intended to improve access to primary healthcare through the creation of 150,000 health and wellness centres as envisioned under the NHP 2017, and improve access to secondary and tertiary healthcare for over 100 million vulnerable families by providing insurance cover of up to ₹ 500,000 per family per year under the Pradhan Mantri–Rashtriya Swasthya Suraksha Mission/National Health Protection Scheme (PM–RSSM/NHPS) (Ministry of Health and Family Welfare 2018). The NHPS, modelled along the lines of the Affordable Care Act in the US, was later rebranded as the Pradhan Mantri–Jan Arogya Yojana (PM-JAY) at the time of its launch in September 2018. It is claimed to be the world’s largest government-funded healthcare programme and is intentioned to provide health insurance coverage for vulnerable sections in lieu of the Sustainable Development Goal-3 (National Health Authority nd).

To enable the implementation of the Ayushman Bharat programme, the NITI Aayog then proposed the creation of a supply-side digital infrastructure called National Health Stack (NHS) (NITI Aayog 2018). As outlined in the consultation and strategy paper, the NHS is “built for NHPS, but beyond NHPS.” The NHS seeks to leverage the digitisation push through IndiaStack, which seeks to digitalise “any large-scale health insurance program, in particular, any government-funded health care programs.” The synergy is clear, with the NHPS scheme also aiming to be “cashless and paperless at public hospitals and empanelled private hospitals" (National Health Authority nd) [2].

The NHS is also closely aligned with the NHP 2017, which draws attention to leveraging technologies such as big data analytics on data stored in universal registries. The Vision document for the NHS emphasises the fragmented nature of health data as an impediment to reducing inequities in healthcare provision. The NHS, then, also seeks to be the master repository of health data akin to the IHIP. By creating a base layer of registries containing information about various actors involved in the healthcare supply chain (providers such as hospitals, beneficiaries, doctors, insurers and Accredited Social Health Activists), it potentially allows for recording of data from both public and private sector entities, plugging a significant gap in the coverage of the HIS currently implemented in India. With the provision of open, pullable APIs, the NHS also shares the motivations of the IndiaStack to monetise health data.

A key component of the proposed NHS is the Coverage and Claims platform, which the vision document describes as “provid[ing] the building blocks required to implement any large-scale health insurance program, in particular, any government-funded healthcare programs. This platform has the transformative vision of enabling both public and private actors to implement insurance schemes in an automated, data-driven manner through open APIs " (NITI Aayog2018). A post on the iSPIRT website further explains the centrality of this Coverage and Claims platform in enabling a highly personalised medical insurance market in India: “This component will not only bring down the cost of processing a claim but ... increased access to information about an individual’s health and claims history ... will also enable the creation of personalised, sachet-sized insurance policies." These data-driven customised insurance policies are expected to generate “care policies that are not only personalized in nature but that also incentivize good healthcare practices amongst consumers and providers … [and] use of techniques from microeconomics to manage incentives for care providers, and those from behavioural economics to incentivise consumers" (Productnation Network 2019). The Coverage and Claims platform, and especially the Policy (generation) Engine that it will contain, is aimed at intensive financialisation of personal healthcare expenses, and extensive experiments with designing personalised nudges to shape the demand behaviour of consumers.

The imagination of healthcare the NHS demonstrates is one where broadening health insurance coverage is equated to providing equitable healthcare and as a panacea for the public healthcare sector. The first phase of this push towards better healthcare provision is to focus on contextualising the historical socio-economic divide. The next phase is characterised by digitalisation: the introduction of ICT to bridge the socio-economic divide in healthcare provision. In this process, the resulting data divide has been invisibilised in reframing better healthcare as an insurance problem for which data needs to be generated. Each policy innovation is then characterised by further marginalisation of those that were originally identified as underserved. This is a result of increasing repercussions of the data-divide, with access to benefits increasingly being mediated by technology.

Concluding Remarks

The idea that any person in India can go to any health service provider/ practitioner, any diagnostic center or any pharmacy and yet be able to access and have fully integrated and always available health records in an electronic format is not only empowering but also the vision for efficient 21st century healthcare delivery.
— Ministry of Health and Family Welfare, Electronic Health Record Standards For India (2013)

The objective of health data collection has evolved over the course of the institution of the HIS in 2011, to the development of the NHPS and National Health Policy in 2017. What began as a solution to measure and address gaps in access and quality in healthcare provisioning through data analysis has morphed into data centralisation and insurance coverage. Shifting goalposts can also be found in the objectives behind introducing digital systems to collect data.

In recent iterations of the healthcare imaginary, such as the IHIP and the NHS, data ownership by the beneficiaries is stressed upon. In the absence of a rights-based framework dictating the use of data, the role of ownership should be interrogated, especially in the context of a prevalent data divide (Tisne 2019). The legitimisation of data capture can be seen in the emergence of opt-in models of consent, data fiduciaries managing consent on the data subject’s behalf, etc. (Zuboff 2019).

This framing forecloses a discussion about the quality and kind of data being used. The push towards datafication needs to be questioned for its re-indexing of categorical meaning away from the complexities of narrative, context and history (Cheney-Lippold 2018). Instead, the proposed solution is one that stores datafied elements within a closed set (reproductive health= [abortion, aids, contraceptive,...vaccination, womb]). While this set may be editable, so new interpretations can be codified, it inherently remains stable, assuming a static relationship between words and meaning. Health is then treated as having an empirically definable meaning, thus losing the dynamism of what the health and wellness discourse could entail.

It has been historically demonstrated in the Indian context that multiple tools and databases for health data management are a barrier to an efficient HIS. However, generating centralised or federated databases without addressing concerns in data flows, quality, uses in existing data structures, and the digital divide across health workers and beneficiaries alike will lead to the amplification of existing exclusions in data and, consequently, service provisioning.

Acknowledgements

The author would like to express his gratitude to Sumandro Chattapadhyay and Ambika Tandon for their inputs and editorial work on this contribution. This work was supported by the Big Data for Development Network established by International Development Research Centre (Canada).

Notes

[1] Section 2 (a) of the Clinical Establishments (Registration and Regulation) Act, 2010: A hospital, maternity home, nursing home, dispensary, clinic, sanatorium or institution by whatever name called that offers services, facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicine established and administered or maintained by any person or body of persons, whether incorporated or not.

[2] The National Health Stack, then, is the latest manifestation of the Indian government’s push for a “Digital India.” A key component of Digital India has been e-governance, financial inclusion, and digitisation of transaction services. The nudge towards cashless modes of transaction and delivery, also accelerated by India’s demonetisation drive in November 2016, has led to rapid uptake of digital payment services in particular, and that of the IndiaStack initiative in general. Developed by iSPIRT, IndiaStack (https://indiastack.org/) aspires to transform service delivery by public and private actors alike through its “presence-less, paperless, and cashless” mandate.

References

Allan, J and Jane Englebright (2000): “Patient-Centered Documentation,” JONA: The Journal of Nursing Administration, Vol 30, No 2, pp 90–95.

Bach, Peter, Hoangmai Pham, Deborah Schrag, Ramsey Tate and J Lee Hargraves (2004): “Primary Care Physicians Who Treat Blacks and Whites,” New England Journal of Medicine, Vol 351, pp 575–84.

Cheney-Lippold, John (2018): We Are Data: Algorithms and the Making of Our Digital Selves, New Delhi: Sage.

Daly, Jeanette, Buckwalter Kathleen and Meridean Maas (2002): “Written and Computerized Care Plans,” Journal of Gerontological Nursing, Vol 28, No 9, pp 14–23.

EMR Standards Committee (2013): “Recommendations on Electronic Medical Records Standards in India,” Ministry of Health and Family Welfare, Government of India, New Delhi, https://mohfw.gov.in/sites/default/files/24539108839988920051EHR%20Standards-v5%20Apr%202013.pdf.

Federation of Indian Chambers of Commerce and Industry (2015): "A Guiding Framework for OPD and Preventive Health Insurance in India: Supply and Demand Side Analysis," http://ficci.in/spdocument/20678/P&P-helath-insurance.pdf.

Fraser, Hamish, Paul Biondich, Deshendran Moodley, Sharon Choi, Burke Mamlin and Peter Szolovits (2005): “Implementing Electronic Medical Record Systems in Developing Countries,” Journal of Innovation in Health Informatics, Vol 13 No 2, pp 83–95.

Häyrinen, Kristiina, Kaija Saranto and Pirkko Nykänen (2008): “Definition, Structure, Content, Use and Impacts of Electronic Health Records: A Review of the Research Literature,” International Journal of Medical Informatics, Vol 77, No 5, pp 291–304.

Healthcare Information and Management Systems Society (2007): “Electronic Health Records: A Global Perspective,” http://www.providersedge.com/ehdocs/ehr_articles/Electronic_Health_Records-A_Global_Perspective-Exec_Summary.pdf.

Holzemer, William and S B Henry (1992): “Computer-supported Versus Manually-generated Nursing Care Plans: A Comparison of Patient Problems, Nursing Interventions, and AIDS Patient Outcomes,” Computers in Nursing, Vol 10 No 1, pp 19–24.

Jha, Ashish, Catherine DesRoches, Eric Campbell, Karen Donelan, Sowmya Rao, Timothy Ferris, Alexandra Shields, Sarah Rosenbaum and David Blumenthal (2009): "Use of Electronic Health Records in U.S. Hospitals," New England Journal of Medicine, Vol 360 No 16, pp 1628–1638.

Jyoti, Archana (2018): “States Give Clinical Establishment Act Cold Shoulder," Pioneer, https://www.dailypioneer.com/2018/india/states-give-clinical-establishment-act-cold-shoulder.html.

Kandhari, Ruhi (2017): “Why a Backdoor Push Towards eHealth,” Ken, https://the-ken.com/story/why-backdoor-push-towards-ehealth/.

Kovner, Christine, Lynda Schuchman and Catherin Mallard (1997): “The Application of Pen-Based Computer Technology to Home Health Care,” CIN: Computers, Informatics and Nursing, Vol 15, No 5, pp 237–44.

Krishnamurthy, R (2018): “Integrated Health Information Platform for Integrated Disease Surveillance Program,” Training of the Trainer Workshop, World Health Organisation, New Delhi, https://idsp.nic.in/WriteReadData/IHIP/IHIP%20ToT-Overview-Presentation.pdf.

Kuperman, Gilad and Richard Gibson (2003): “Computer Physician Order Entry: Benefits, Costs, and Issues,” Annals of Internal Medicine, Vol 139 No 1, pp 31–9.

Leung, Gabriel, Philip Yu, Irene Wong, Janice Johnston and Keith Tin (2003): “Incentives and Barriers That Influence Clinical Computerization in Hong Kong: A Population-based Physician Survey,” Journal of the American Medical Informatics Association, Vol 10 No 2, pp 201–12.

McGinn Carrie Anna, Sonya Grenier, Julie Duplantie, Nicola Shaw, Claude Sicotte, Luc Mathieu, Yvan Leduc, France Légaré and Marie-Pierre Gagnon (2011): “Comparison of User Groups' Perspectives of Barriers and Facilitators to Implementing Electronic Health Records: A Systematic Review,” BMC Medicine, Vol 9 No 46.

Miklin, Daniel, Sameera Vangara, Alan Delamater and Kenneth Goodman (2019): “Understanding of and Barriers to Electronic Health Record Patient Portal Access in a Culturally Diverse Pediatric Population,” JMIR Medical Informatics, Vol 7, No 2.

Ministry of Finance (2018): “Budget 2018-19: Speech of Arun Jaitley,” New Delhi, https://www.indiabudget.gov.in/ub2018-19/bs/bs.pdf.

Ministry of Health and Family Welfare, Government of India (2008): "4 Years of Transforming India-Healthcare for All," New Delhi. https://mohfw.gov.in/ebook2018/gvtbook.html.

Ministry of Health and Family Welfare, Government of India (2013): “Electronic Health Record Standards For India,” Government of India, New Delhi, https://www.nhp.gov.in/NHPfiles/ehr_2013.pdf.

Ministry of Health and Family Welfare, Government of India (2017): Request for Proposal: Development and Implementation of Integrated Health Information Platform (IHIP), Centre for Health Informatics, National Institute of Health and Family Welfare, New Delhi, https://nhp.gov.in/NHPfiles/IHIP_RFP%20.pdf.

Ministry of Health and Family Welfare, Government of India (2018): “IDSP Segment of Integrated Health Information Platform,” New Delhi, https://idsp.nic.in/index4.php?lang=1&level=0&linkid=454&lid=3977.

National Health Authority (nd): “About Pradhan Mantri Jan Arogya Yojana (PM-JAY) | Ayushmaan Bharat,” https://www.pmjay.gov.in/about-pmjay.

NITI Aayog (2018): “National Health Stack- Strategy and Approach,” NITI Aayog, New Delhi, http://www.niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf.

Organisation for Economic Co-operation and Development (2013): “Strengthening Health Information Infrastructure for Health Care Quality Governance: Good Practices, New Opportunities and Data Privacy Protection Challenges,” OECD Health Policy Studies, Paris, OECD Publishing, https://read.oecd-ilibrary.org/social-issues-migration-health/strengthening-health-information-infrastructure-for-health-care-quality-governance_9789264193505-en.

Poon, Eric, David Blumenthal, Tonushree Jaggi, Melissa Honour, David Bates and Rainu Kaushal (2004): “Overcoming Barriers to Adopting and Implementing Computerized Physician Order Entry Systems in U.S. Hospitals,” Health Affairs, Vol 23 No 4, pp 184–90.

Productnation Network (2019): “India’s Health Leapfrog–Towards A Holistic Healthcare Ecosystem,” iSpirt, https://pn.ispirt.in/towards-a-holistic-healthcare-ecosystem/.

Rathi, Aayush and Ambika Tandon (2019): “Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?” EPW Engage, https://www.epw.in/engage/article/data-infrastructures-inequities-why-does-reproductive-health-surveillance-india-need-urgent-attention.

Sequist, Thomas, Theresa Cullen, Howard Hays, Maile Taualii, Steven Simon, and David Bates (2007): “Implementation and Use of an Electronic Health Record Within the Indian Health Service,” Journal of the American Medical Informatics Association, Vol 14, No 2, pp 191–97.

World Bank (nd): Physicians (per 1,000 people) | Data, https://data.worldbank.org/indicator/SH.MED.PHYS.ZS.

Tierney, William et al. (2010): “Experience Implementing Electronic Health Records in Three East African Countries,” Studies in Health Technology and Informatics, Vol 160, No 1, pp 371–75.

Tisne, Martin (2018): “It’s Time for a Bill of Data Rights,” MIT Technology Review, https://www.technologyreview.com/s/612588/its-time-for-a-bill-of-data-rights/.

World Health Organization (2016): “Global Diffusion of eHealth: Making Universal Health Coverage Achievable,” https://apps.who.int/iris/bitstream/handle/10665/252529/9789241511780-eng.pdf;jsessionid=9DD5F8603C67EEF35549799B928F3541?sequence=1.

Zuboff, Soshana (2019): The Age of Surveillance Capitalism, New York: PublicAffairs.

For more details visit https://cis-india.org/raw/is-indias-digital-health-system-foolproof

Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No

praskrishna — 2016-09-22T00:57:02Z

From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.

The article by Sushil Kambampati was published in the Wire on September 21, 2016. Pranesh Prakash was quoted.

In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.

However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On May 17, the cyber-security firm Symantec stated in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.

A week later, another cyber-security firm, Kaspersky Lab, announced that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities.

Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators reveal the attack, the target of the attack discloses the breach, or because the leaked data shows up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations received tepid coverage in India. A few news organisations published the same wire story that basically rewrote information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause.

Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.

This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government goes on high alert, resources are mobilised and the public is warned. The government then tries to identify the threat and stop it from doing any harm. Citizens demand that in the future the government take proactive steps to catch infiltrators and prevent any future threats.

Weak government response

One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was used to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm of these breaches cannot be understated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange.

All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values.

Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, disrupt control systems of electrical grids or nuclear facilities and gain access to everything the government knows about its citizens, including personal details, financial information and identity information. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent attempt to heist $800 million from the central bank of Bangladesh.

A report on risks facing India, published in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have  a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.”

In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.

In the Suckfly case, it took a right-to-information query from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.

The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s Computer Emergency Response Team (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.

CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact email address bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is registered in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative.

The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification issued on June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an RTI query to get a statement from the RBI, and there it responded that it had no information on the matter.

The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack.

SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too much time for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.

What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.

Right or wrong?

The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec.

On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach.

If Symantec’s is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India is one of the world’s ten largest economies and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and to let the public know which organisations may be compromised.

According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”

Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know.

What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first revealed by security reporter Michael Krebs. Target was criticised for not coming forth itself and faced several lawsuits. In the US, most states and jurisdictions have laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must report a breach within 24 hours and other organisations have 72 hours.

India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added.

According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.

Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has grown rapidly in India, a study in 2014 by YourStory and Kalaari Capital found that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase.

When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.

As the KPMG report states, cyber attacks are only going to become more common. Despite multiple warnings, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.

For more details visit https://cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks

Is freedom of expression under threat in the digital age?

praskrishna — 2013-02-03T10:50:52Z

This week Index held a high level panel debate in partnership with the Editors Guild of India and the India International Centre to discuss the question “Is freedom of expression under threat in the digital age?” Mahima Kaul reports

This post by Mahima Kaul was published in Index on Censorship on January 18, 2013.

Index on Censorship, in partnership with The Editors Guild of India, hosted a debate in New Delhi on Tuesday (15 January) asking, “Is freedom of expression under threat in the digital age?” Discussing the topic were Ajit Balakrishnan (founder and Chief Executive of rediff.com), Index on Censorship CEO Kirsty Hughes, Sunil Abraham (Executive Director of the centre for Internet and Society), and Professor Timothy Garton Ash, Director of the Free Speech Debate project.

Sunil Abraham questioned the idea of technology specific “internet freedom” that has been advocated by many not least the US Secretary of State Hillary Clinton. He said there was for instance much greater freedom and diversity on Indian TV than in the US. He also argued that that this freedom does not seem to extend to a right of access to knowledge, as demonstrated by the charges brought against open access activist and developer Aaron Swartz, who committed suicide earlier this month. Swartz was facing charges for allegedly downloading 4.8 million academic articles from subscription-only digital library JSTOR.

Abraham said one unintentional effect of censorship by governments is that it teaches citizens how to protect themselves online. Finally, he questioned the Indian government’s draconian laws and arbitrary actions in the digital realm, wondering whether this is the authorities’ way of warning future netizens about “acceptable online behaviour”, to condition the public not to criticise the government and to create a chilling effect.

Digital

Is freedom of expression under threat in the digital age?

18 Jan 2013

This week Index held a high level panel debate in partnership with the Editors Guild of India and the India International Centre to discuss the question “Is freedom of expression under threat in the digital age?” Mahima Kaul reports

Freedom of expression is always under threat and in need of defending, argued Timothy Garton Ash. However, he didn’t think the threat was particularly high today in the digital realm — rather the threats to privacy were what were particularly concerning online. With 76.8 per cent of India’s 1.2 billion population connected by mobile phone, there is an extraordinary opportunity for the prevalence of freedom of expression brought about by new technologies. But he said there are also a lot of challenges to free expression in India — and that “swing states” such as Brazil and India will be very important in determining where the global conversation goes on freedom of expression

Ajit Balakrishnan, founder of web portal Rediff.com, explained that many of the problems that have occurred in the digital realm in India have to do with poor drafting of legislation. He was particularly concerned about intermediary liability and explained why and how intermediaries roles needed protecting. He also explained that government officials have genuine problems with phrasing, and that when it comes to the application of these laws, understanding them and when they should be applied will take another 25 years. He added that the country is challenged by a legal system ill-equipped for coping with new technologies.

Kirsty Hughes said that freedom of expression is a universal right, meant to be applied across borders not just within countries. She said that while the digital domain allowed a big expansion in freedom of expression there were risks we are heading towards a more controlled net, a partially censored net, and a fragmented net (for instance with Iran attempting to build its own internet disconnected from the rest of the world). She said that some of the negative reactions by government to social media in India were seen to in the UK where there had been a trend towards criminalising supposedly offensive comment — although the new interim guidelines on social media prosecutions were a step in the right direction. Hughes emphasised three main concerns — state censorship, privatisation of censorship and the role of big companies, and mass surveillance. She pointed out that the British government had pushed for extensive surveillance with the Communications Data Bill, but this has now been shelved after a critical report from MPs.

Ramanjit Singh Chima, policy adviser for Google, said that the question is not about absolute freedom, but about what is appropriate and lawful. He emphasised that in the US, judges had strongly defended free expression online as they saw the digital world as a powerful space for free exprssion. He pointed out how effective social media tools, including Google’s own products, have become in helping during emergency situations like natural disasters and terrorist attacks. He also pointed out that the internet is not only about free expression but business as well. The internet contributes to 1.6 per cent of India’s GDP. Singh Chima said positive judgements by US and EU courts protect the users, adding that regulation for the net should be appropriate for its engineering.

For more details visit https://cis-india.org/news/index-on-censorship-mahima-kaul-january-18-2013-is-freedom-of-expression-under-threat-in-the-digital-age

IRC22 - Proposed Session - #WaitingForFood

Admin — 2022-04-25T13:11:04Z

Details of a session proposed for the Internet Researchers' Conference 2022 - #Home.

Internet Researchers' Conference 2022 - #Home - Call for Sessions

Session Type: Presentation and Discussion of Papers

Session Plan

“Don’t come to Burger King, let the King come to you! Order safe deliveries from our kitchen to your doorstep on Swiggy or Zomato. Stay home, stay safe”.

The above caption is from an advertisement by the popular fast food joint Burger King, during the peak of the Covid-19 pandemic. Indeed, one would have come across many such advertisements, centering the safety of the customer, from restaurants and food delivery platforms during the pandemic. Delivery platforms also reinforced this idea of ‘safe access to food from home’ through measures such as temperature checks and vaccination status of the delivery workers, option of no-contact delivery etc. Within such a context, the idea of ‘home’ acquired a certain valence, imbued with a sense of comfort that allowed for multiplicity of food options to be delivered within a short span of time, without compromising one’s safety. In this session, we propose to explore aspects of time, space, and home in the context of food delivery in the pandemic. While we explore time through the concept of ‘waiting’, we look at space through processes of simultaneous compression and rarefaction.

A cursory glance at any food delivery app provides the customer with a certain distribution of time- order placed, preparing order, order picked up, order delivered- all of which are significantly tied to how the process of waiting at home is approached and experienced by the customer. Additionally, the tracking option on the app with an icon of the driver mediates the waiting experience. Similarly, such processes of waiting are experienced by the delivery worker in different ways albeit through multiple delivery cycles outside of home. In any given delivery cycle, a delivery worker waits for the order to be assigned and waits for the restaurant to prepare the order. In addition to this, incentives and long distance delivery produce other forms of waiting for the delivery worker. This waiting operates simultaneously with rapid movement often required to ensure that the order is delivered to the customer who is waiting at home. These forms of waiting are integral to the order-delivery chain and they take place on multiple registers- shaped by the space of home and outside home.

Various food delivery apps also communicate to the customer the promise of delivering different cuisines from across restaurants at the tip of their fingers. Such technologies entail a collapse of space that the customer experiences which varies drastically from the spatial organization of these said options. Many aspects of the app interface are directed towards this compression- the manner in which multiple cuisines and restaurants are organized on the app, the tracking interface that signals an apparent proximity mediated by time frame. Real time experience of delivery often punctures this idea of a seemingly seamless process- glitches in the map showing faulty directions and specifically in the context of Mumbai, the space itself is characterized by traffic jams, climate events etc- reconfiguring space in specific ways.

Drawing on the above discussions, the proposed session will include two papers exploring dimensions of space, time and home. Both papers will be presented In the first paper, (presenter's name) will discuss time in the context of waiting by asking how different modalities of waiting, experienced in the food-delivery process, are linked to the space of home and outside home. In the second paper, (presenter's name) will focus on space as a concept to understand how the perception of the compression of space in the app itself is animated in the order delivery process. Through both these papers, we attempt to explore how the idea of home itself gets restructured through the discourse of ‘staying at home to be safe’. Both papers draw on an ethnographic study conducted by the discussants in Central Mumbai.

Outline of the Session

The discussants will share a recording of their respective presentations of 15 minutes each (as stated in the call for papers). The session will begin with a short discussion between presenters for 20 minutes. This will be followed by an open floor discussion on the papers with the audience present for the subsequent 30 minutes.

Session Team

Nisha Subramanian is pursuing a PhD in Anthropology at Ashoka University. Their work explores rights of forest dwelling communities and temporalities of justice and injustice within the space of the forest

Rhea Bose is pursuing her PhD in The School of Development Studies (SDS), TISS Mumbai. Her work looks at the intersections of cyberspace and queer theory.

For more details visit https://cis-india.org/raw/irc22-proposed-session-waitingforfood