Centre for Internet and Society

Iraqi Public Data Scenario Workshop

praskrishna — 2013-03-26T09:43:47Z

For more details visit https://cis-india.org/openness/blog-old/iraqi-public-data.pdf

IPv6: Embrace The Change

nishant — 2012-06-13T06:09:43Z

A moment of transition is always filled with anxiety. There is concern over the unknown and there is a reluctance to move out of the familiar. However, a transition does not necessarily mean migration; or in other words, as we transition to IPv6 as the new protocol for digital and electronic communication, it does not mean that we are going to abandon the internet as we know it.

In fact, for most of the users, it is going to be a transparent transition, where their devices are going to be able to harness the powers of IPv4 and 6. While there are huge benefits at the back-end, leading to better security protocols and low maintenance, there are a few advantages that the user should also celebrate.

Faster Internet: Because IPv6 will open up a huge range of IP addresses, direct routing of data becomes a possibility. As data does not have to be routed through many servers or nodes within a network, it can reach its destination faster. With the way our digital access and sharing is going right now, this is not to be taken lightly. In many ways this is the same transition we had from the dial-up connections, where the transfer of picture and video files within minutes was totally unheard of, while now we’re in an age where we stream high density video on all our computing devices with ease.

More collaborative and shared Internet: With the abundance of IP addresses coming our way, there is going to be more scope for multiple devices to be connected online. New platforms of collaborative knowledge production and sharing can be designed to become infinite and inclusive in their scale and architecture.

More connected devices: The inter-operability features of IPv6 ensure that more devices are able to communicate with each other with ease. The science-fiction futuristic dream of a completely connected environment where human and artificial intelligence can work together, using a range of devices, is actually a material possibility with large scale IPv6 implementation. This can also trigger new innovation that helps reconstruct some of our existing devices in new forms and shapes.

While affordability and the migration to new network infrastructure are the gating factors to this transition, these are diminishing costs and we are looking at more interesting internet architecture as we move towards IPv6. Perhaps, one of the most reassuring points of this transition is that we do not need to abandon the familiar internet we are already working with; the transition is not a moving on, but a moving to, and in it are the promises of a safe, secure and speedy internet. Global technology organisations like Tata Communications have embraced this change; it’s only a matter of time before others too recognise the need for IPv6 and the huge difference it will make to our lives.

This communique is brought to you by Tata Communications and the Centre for Internet and Society.

Nishant Shah is Director-Research at the Bangalore based Centre for Internet and Society.

If you would like any further information on IPv6 at Tata Communications, please reach out to: divya.anand@tatacommunications.com

For more details visit https://cis-india.org/internet-governance/ip-v-6-embrace-the-change

IP Watchlist 2009

praskrishna — 2012-06-21T08:57:23Z

India report prepared by Pranesh Prakash in 2009.

For more details visit https://cis-india.org/a2k/ip-watchlist-2009.pdf

IP Meetup #02: Prabir Purkayastha on the CRI Guidelines and software patenting in India

sinha — 2016-03-29T17:06:13Z

Prabir Purkayastha will deliver a short talk on what the Guidelines on Computer Related Inventions mean for software patenting, and the way forward, on Sunday, March 20th, 2016 at the CIS Delhi office, at 4 p.m.

We would like to invite you to the second session of a series of IP focused meetups. The meetups are aimed at bringing folks together working within or interested in IP law, to discuss recent developments with reference to access to knowledge, climate change, health, trade, etc.

The talk will be followed by a round of discussion, after which the floor will be thrown open for other pressing/relevant IP developments.

Please join us for tea and refreshments at 3.30 pm.

Please RSVP by dropping a line at anubha@cis-india.org.

CIS Delhi's location on Google Maps: https://goo.gl/maps/nPKkoQFhRSt

For more details visit https://cis-india.org/a2k/events/ip-meetup-02-prabir-purkayastha-on-the-cri-guidelines-and-software-patenting-in-india

IP Meetup #01: Prof. Biswajit Dhar on 'Intellectual Property issues: The Way Forward post Nairobi WTO Ministerial'

sinha — 2016-02-04T13:25:34Z

Prof. Biswajit Dhar will deliver a short talk on what the WTO Nairobi Ministerial means for intellectual property issues, and the way forward, on Sunday, February 7, 2016 at the Centre for Internet & Society's Delhi office, at 4 p.m.

We would like to invite you to the inaugural session of a series of IP focused meetups. The meetups are aimed at bringing folks together working within or interested in IP law, to discuss recent developments with reference to access to knowledge, climate change, health, trade, etc.

The talk will be followed by a round of discussion, after which the floor will be thrown open for other pressing/relevant IP developments.

Please join us for tea and refreshments at 3.30 pm.

Please RSVP by dropping a line at anubha@cis-india.org.

CIS Delhi's location on Google Maps: https://goo.gl/maps/nPKkoQFhRSt

For more details visit https://cis-india.org/a2k/events/ip-meetup-01-prof-biswajit-dhar-on-intellectual-property-issues-the-way-forward-post-nairobi-wto-ministerial

IP Addresses and Expeditious Disclosure of Identity in India

Prashant Iyengar — 2012-12-14T10:20:59Z

In this research, Prashant Iyengar reviews the statutory mechanism regulating the retention and disclosure of IP addresses by Internet companies in India. Prashant provides a compilation of anecdotes on how law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Over the past decade, with the rise in numbers of users, the internet has become an extremely fraught site that has been frequently used in India for the perpetration of a range of 'cyber crimes' — from extortion to defamation to financial fraud. In a revealing statistic, in 2010, the Mumbai police reportedly "received 771 complaints about internet-related offences, 319 of which were from women who were the victims of fake profiles, online upload of private photographs and obscene emails."[1]

Law enforcement authorities in India have not exactly lagged behind in bringing these new age cyber criminals to book, and have installed special ‘Cyber crime cells’ in different cities to combat crimes on the internet. These cells have been particularly adept at using IP Addresses information to trace individuals responsible for crimes. Very briefly, an Internet Protocol address (IP address) is a numeric label – a set of four numbers (Eg. 202.54.30.1) - that is assigned to every device (e.g., computer, printer) participating on the internet. [2] Website operators and ISPs typically maintain data logs that track the online activity of each IP address that accesses their services. Although IP Addresses refer to particular computers – not necessarily individual users – it is possible to trace these addresses backwards to expose the individual behind the computer. [3] As even a casual Google search with the phrase “IP, police, India” would reveal, police authorities in different cities in India have been quite successful in employing this technology to trace culprits.

However, along with its utility in the detection of crime, the tracking of persons by their IP addresses is potentially invasive of individuals’ privacy. In the absence of a culture of strict adherence to the ‘rule of law’ by the police apparatus in India, the unbridled ability to track persons through IP addresses has the potential of becoming an extremely oppressive tool of surveillance.

In this short note, we review the statutory mechanism regulating the retention and disclosure of IP addresses by internet companies in India. In order to provide context, we begin with a compilation of anecdotes on how various law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Examples of use and abuse by Indian authorities

As mentioned above, the online media has been humming with stories which indicate the extent to which IP Addresses has become a useful and frequently deployed weapon in the arsenal of law enforcement agencies:

In May 2010, an Army officer stationed in Mumbai was arrested for distributing child pornography from his computer. [4] He was traced by the Mumbai Police after the German Federal Police alerted Interpol that objectionable pictures were being uploaded from the IP address he was using.
In February 2011, Cyber Crime Police in Mumbai sought IP address details of a user who had posted ‘Anti Ambedkarite’ content on Facebook – the popular social networking site. [5]
In February 2008, internet search company Google was ordered by the Bombay High Court to reveal "particulars, names and the address of the person" who had posted defamatory content against a company on Google’s blogging service Blogger.[6]
In September 2009, a man was arrested by the Delhi Police in Mumbai for blackmailing classical musician Anoushka Shankar. The culprit had allegedly hacked into her email account and downloaded copies of personal photographs. He was traced by using his IP address.[7]
In April 2010, Gurgaon Police arrested a teenage boy for allegedly posting obscene messages about an actress on Facebook. The newspaper account reports that "During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer." [8]
In February 2011, the police traced a missing boy who had run away from home, by following the IP address trail he left when he updated his Facebook profile status. [9]

What is clearly evident from these accounts is a growing awareness and enthusiasm on the part of Indian law enforcement agencies to use IP address trails as a routine part of their criminal investigative process. While this is not unwelcome, considering the kinds of grievances listed above and the backdrop a dismal record of criminal enforcement in India, there is also a flip side. In a shocking incident in August 2007, Lakshmana Kailash. a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. [10] The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and jailed for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages.[11] This incident sounds a cautionary note, amidst so many celebratory accounts, signalling that grave human rights abuses could result from the unchecked use of this technology.

These are just seven out of scores of instances of Indian investigative authorities tracing culprits using IP addresses. The crimes range from blackmail to impersonation, to defamation to planning terror attacks. Seldom in these cases has a court order actually been required by the agency that discloses the IP address of the individual.[12] Clearly there seems to be a very easy relation between law enforcement agencies in India one the one hand, and Internet Service Providers and online services such as Google and Facebook on the other.

Google’s own ‘Transparency Report’[13] which provides statistics on the number of instances where Governments agencies have approached the company demanding information or take-down, states that that it received close to 1700 ‘data requests’ from Indian authorities between January to June 2010 – ranking India 3rd globally in terms of such requests behind the United States and Brazil. That a high percentage – 79% - of these requests have been complied with indicate that within a short span of time, ‘Indian authorities’ have discovered in Google, a reliable and pliable ally in seeking information about their subjects. In 2007, Orkut -a social-networking site owned by Google- even entered into a co-operation agreement with the Mumbai police in terms of which “'forums' and 'communities'” which contained “defamatory or inflammatory content” would be blocked and the IP addresses from which such content has been generated would be disclosed to the police. [15]

Although similar transparency reports are not forthcoming from the other Internet giants such as Yahoo or Facebook, one may presume that this co-operation has not been withheld by them. [16]

In the sections that follow, we outline the legal framework that facilitates this co-operation between law enforcement authorities and web service providers.

Lawful disclosure of IP Addresses

In this section, we are seeking a legal source for the compulsion of ISPs and intermediaries (including websites) to disclose IP Address data. Are there guidelines in Indian law on how much information must be disclosed, under what circumstances and for how long?

Broadly, there are four sources to which we may trace this regime of disclosure and co-operation. Firstly, ISPs are required, under the operating license they are issued under the Telegraph Act, to provide assistance to law enforcement authorities. Secondly, the Information Technology Act contains provisions which empower law enforcement authorities to compel information from those in charge of any ‘computer resources’. Reciprocally, ‘intermediaries’ – including ISPs and websites - are charged under new Rules under the IT Act with co-operating with government agencies on pain of exposure to financial liability. Thirdly, the Code of Criminal Procedure defines the scope of police powers of investigation which include powers to interrogate and summon information and Fourthly, individual subscribers enter into contracts with ISPs and web services which do not offer any stiff assurances of privacy with regard to the IP Address details.

The sections that follow offer greater detail on each of these areas of the law.

Monitoring of internet users under the ISP licenses

ISPs are regulated and operate under a license issued under the Telegraph Act 1885. Section 5 of the Telegraph Act empowers the Government to take possession of ‘licensed telegraphs’ and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence."

Although the statute governs the actions of ISPs in a general way, more detailed guidelines regulating their behaviour are contained in the terms of the licenses issued to them which set out the conditions under which they are permitted to conduct business. The Internet Services License Agreement (which authorizes ISPs to function in India) contains provisions requiring telecom operators to safeguard the privacy of their consumers or to co-operate with government agencies when required to do so. Some of the important clauses in this agreement are:

Part VI of the License Agreement gives the Government the right to inspect/monitor the ISPs systems. The ISP is responsible for making facilities available for such interception.
Clause 32 under Part VI contains provisions mandating the confidentiality of information held by ISPs. These provisions hold ISPs responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place. Towards this, ISPs are required:

to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavours to secure that :
to ensure that no person acting on behalf of the ISPs divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and
This safeguard however does not apply where (i) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or (ii) The information is already open to the public and otherwise known.
To take necessary steps to ensure that any person(s) acting on their behalf observe confidentiality of customer information.

Clause 33.4 makes it the responsibility of the ISP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.
Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.
Clause 34.12 and 34.13 requires the ISP to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.
Clause 34.16 requires the ISP to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.
Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.
Clause 34.23 mandates that the ISP maintain "all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor".
Clause 34.28 (viii) forbids the ISP from transferring the following information to any person/place outside India:

Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and
User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).

Clause 34.28(ix) and (x) require the ISP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.
Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well).

From the list above, it is very clear that by the terms of their licenses, ISPs are required to maintain extensive logs of user activity for unspecified periods. However, it is unclear, in practice, to what extent these requirements are being followed by ISPs. For instance, an article in the Economic Times in December 2010 [18] reports:

"The Intelligence Bureau wants internet service providers, or ISPs, to keep a record of all online activities of customers for a minimum of six months. Currently, mobile phone companies and internet service providers do not keep online logs that track the web usage pattern of their customers. They selectively monitor online activities of only those customers as required by intelligence and security agencies, explained an executive with a telecom company." (emphasis added)

The news report goes on to disclose the ambitious plans of the Intelligence Bureau to “put in place a system that can uniquely identify any person using the internet across the country” through “a technology platform where users will have to mandatorily submit some form of an online identification or password to access the internet every time they go online, irrespective of the service provider.” Worryingly, the report goes on to discuss the setting up by the telecommunications department of “India's indigenously-built Centralised Monitoring System (CMS), which can track all communication traffic—wireless and fixed line, satellite, internet, e-mails and voice over internet protocol (VoIP) calls—and gather intelligence inputs. The centralised system, modeled on similar set-ups in several Western countries, aims to be a one-stop solution as against the current practice of running several decentralised monitoring agencies under various ministries, where each one has contrasting processing systems, technology platforms and clearance levels.” Although as of this writing, this CMS is not yet fully functional, its launch seems to be imminent and will inaugurate with it, an era of constant and continuous surveillance of all internet users.

Provisions under the IT Act 2000

The IT Act enables government agencies to obtain IP Address details from intermediaries, including ISPs, by following a stipulated procedure. In addition, it enjoins intermediaries to co-operate with law enforcement agencies as a part of their due-diligence behaviour.

In a parallel, seemingly conflicting move, the IT Act also requires intermediaries to observe stiff Data Protection norms. In the sub-sections that follow, we look at each of these various provisions under the IT Act.

Interception and Monitoring of computer resources

There are two regimes of interception and monitoring information under separate sections the Information Technology Act. Both would seem capable of authorising access of IP Addresses, among other information to government agencies.

Section 69 deals with “Power to issue directions for interception or monitoring or decryption of any information through any computer resource”.

In addition, the Government has been given a more generalised monitoring power under Section 69B to “monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource”. This monitoring power may be used to aid a range of “purposes related to cyber security.”[19] “Traffic data” has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.”

Rules have been issued by the Central Government under both these sections which are similar, although with important distinctions. These rules stipulate the manner in which the powers conferred by the sections may be exercised.

The important difference between the two sections is that while Section 69 provides a mechanism whereby specific computer resources can be monitored in order to learn the contents of communications that pass through such resource, Section 69B by contrast provides a mechanism for obtaining ‘meta-data’ about all communications transacted using a computer resource over a period of time – their sources, destinations, routes, duration, time etc without actually learning the content of the messages involved. The latter type of monitoring is specifically in order to combat threats to ‘cyber security’, while the former can be invoked for a number of purposes such as the securing of public order and criminal investigation. [21]

However, this distinction is not very sharp – an interception order under Section 69 directed at a computer resource located in an ISP can yield traffic data in addition to the content of all communications. Thus for instance, if a direction was passed ordering my ISP to intercept “all communications sent or received by Prashant Iyengar”, the information obtained by such interception would include a resume of all emails exchanged, websites visited, files downloaded etc. In such a case, a separate order under Section 69B would be unnecessary. An important clue about their relative importance may lie in the different purposes for which each section may be invoked coupled with the fact that while directions under Section 69 can be issued by officers both at the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. [22] This indicates that the collection of traffic data by the government under Section 69B is intended to facilitate the securing of India’s ‘cyber security’ from possible external threats – a Defence function – while the interception powers under Section 69 are to be exercised for more domestic purposes as aids to Police functions.

The rules framed under Section 69 and Section 69B contain important safeguards stipulating, inter alia, to a) Who may issue directions b) How are the directions to be executed c) The duration they remain in operation d) to whom data may be disclosed e) Confidentiality obligations of intermediaries f) Periodic oversight of interception directions by a Review Committee under the Telegraph Act g)maintenance of records of interception by intermediaries h) Mandatory destruction of information in appropriate cases.

Although these sections provide powerful tools of surveillance in the hands of the state, these powers may only be exercised by observing the rather tedious procedures laid down. In the absence of any data on interception orders, it is unclear to what extent these powers are in fact being used in the manner laid down. Certainly, from the instances cited in the beginning of this paper, the police departments in the various states do not seem to need to invoke these powers in order to obtain IP Address information from ISPs or websites. This information appears to be available to them merely for the asking. How do we account for this unquestioning pliancy on the part of the ISPs?

In February 2011, Reliance Communications, a large telecom service provider disclosed to the Supreme Court that over a hundred and fifty thousand telephones had been tapped by it between 2006 and 2010 – almost 30,000 a year. A majority of these interceptions were conducted based on orders issued from state police departments whose legal authority to issue them is suspect. New rules framed under the Telegraph Act in 2007 required such orders to be issued only by a high-ranking Secretary in the Department/Ministry of Home Affairs. [23] The willing compliance by Reliance with the police’s requests indicates both their own as well as the police’s blithe unawareness about the change in the regime governing tapping. Things seem to have continued just as before through pure inertia.

To return to the question about why ISPs comply with police requests, it is conceivable that this same inertia, and an intuitive confidence both on the part of the police and the ISPs that they would not be made to answer for their disclosures, is what explains the ready and expeditious access that ISPs give police departments to IP Address details. In the next sub-section we examine intermediary liability rules which require intermediaries to positively disclose personal information to law enforcement authorities.

Data Protection Rules

Section 43A of the IT Act obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which, they would be liable to compensate those affected by any negligence attributable to this failure.

In April 2011, the Central Government notified rules under section 43A of the Information Technology Act in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold. Since traffic data including IP Address data is one kind of personal information that ISPs hold, and since all ISPs are ‘body corporates’, these rules apply to them equally and define the terms on which they may deal with such information.

Rule 3 of these Rules designates various types of information as ‘sensitive personal information’ including passwords, medical records etc.[25] Significantly, for the purposes of this paper, IP address details are not included in this list.

Body Corporates are forbidden from collecting any information without prior consent in writing for the proposed usage. Further, Sensitive personal information may not be collected unless - (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and (b) the collection of the information is necessary for that purpose. [Rule 5]

Rule 4 enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” including on a website. The policy must provide the following details:

Clear and easily accessible statements of its practices and policies;
Type of personal or sensitive information collected;
Purpose of collection and usage of such information;
Disclosure of such information as provided in rule 6 [27]
Reasonable security practices and procedures as provided under rule 8.

Rule 6 enacts as a general rule that disclosure of information “by the body corporate to any third party shall require prior permission from the provider of such information”. Consent is, however, not required, “where disclosure is necessary for compliance of a legal obligation”. This is further fortified by a proviso to the rule which stipulates the mandatory sharing of information “without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.” In such a case, the Government agency is required to “send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information.” The government agency is also required to “state that the information thus obtained will not be published or shared with any other person.” [28]

Sub Rule (2) of Rule 6 requires “any Information including sensitive information” to be “disclosed to any third party by an order under the law for the time being in force.” This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

Rule 8 requires body corporates to implement documented security standards such as the international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System”.

What is curious about these rules is that its provisions, particularly those relating to lawful disclosure, appear to go much further than the limited purpose authorised by section 43A under which they are framed. Section 43A is intended only to fix liability for the negligent disclosure of information by body corporates which results in wrongful loss. It is not intended to inaugurate a regime of mandatory disclosure, as the Rules attempt to do. In positively requiring, body corporates to disclose information upon a mere request by any ‘government agency’, these rules attempt to create a parallel, much softer mechanism by which the same information that is dealt with under Sections 69 and 69A and rules framed under them can be accessed by a far wider range of governmental actors.

Even more curious is the fact that the only legal consequence to the ISP for its negligence in disclosing information to government agencies as stipulated in the rules is that it exposes itself to possible civil liability from the ‘person affected’. [29] Thus, conceivably, if an ISP failed to disclose IP Address data of its users to the police at the instance of, say, targets of online financial fraud, they can be sued by the victims of such fraud. With no incentive to assume this ridiculous burden, it is foreseeable that ISPs would hasten to comply with every request for information from a government agency– however whimsically issued.

Intermediary Due Diligence

Section 79 of the IT Act makes intermediaries, including ISPs liable for third party content hosted or made available by them unless they observe ‘due diligence’, follow prescribed guidelines and disable access to any unlawful content that is brought to their attention. Rules were notified under this section in April 2011 which defined the ‘due diligence’ measures they were required to observe. [30]

Accordingly, ISPs are required to forbid users from publishing, uploading or sharing any information that:

belongs to another person and to which the user does not have any right to;
is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
harm minors in any way;
infringes any patent, trademark, copyright or other proprietary rights;
violates any law for the time being in force;
deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
impersonates another person;
contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

Upon being notified by any ‘affected person’ who objects to such information in writing, the ISP is required to “act within thirty six hours and where applicable, work with user or owner of such information to disable such information”. [31]

Further, “when required by lawful order”, the ISP, website or any other intermediary “shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.”

Visible here is the same attempt at subversion of Sections 69 and 69B as discussed in the previous section under the Data Protection Rules. Failure to observe these ‘due diligence’ measures – including disclosure of IP Address details – would expose ISPs and web-services like Google and Facebook to civil liability under Section 79, a risk they would not likely or lightly wish to assume.

Police powers of investigation

Apart from the provisions under the IT Act, to what extent are the police in India empowered under the Criminal Procedure Code to simply requisition information - including IP Addresses of suspects - from ISPs and Websites? In the course of routine investigation into other offences, the police have wide powers to summon witnesses, interrogate them and compel production of documents. Can these powers be invoked to obtain IP Address information? Are ISPs and Websites somehow immune from complying with these requirements?

Section 91 of the Code of Criminal Procedure empowers courts or police officers to call for, by written order, the production of documents or other things that are “necessary or desirable” for the purpose of “any investigation, inquiry, trial or other proceeding under the Code”.

Sub-section 3 of this section however limits the application of this power by exempting any “letter, postcard, telegram, or other document or any parcel or thing in the custody of the postal or telegraph authority.” Such documents can only be obtained under judicial scrutiny by following a more rigorous procedure laid down in Section 92. Under this section, it is only if a “District Magistrate, Chief Judicial Magistrate, Court of Session or High Court” is of the opinion that “any document, parcel or thing in the custody of a postal or telegraph authority is.. wanted for the purpose of any investigation, inquiry, trial or other proceeding under this Code” that such document, parcel or thing can be required to be delivered to such Magistrate or Court.

However the same section empowers lesser courts and officers such as “any other Magistrate, whether Executive or Judicial, or of any Commissioner of Police or District Superintendent of Police” to require “the postal or telegraph authority, as the case may be .. to cause search to be made for and to detain such document, parcel or thing” pending the order of a higher court.

Section 175 makes it an offence for a person to intentionally omit to produce a document which he is legally bound to produce. In case the document was to be delivered to a public servant or police officer, such omission is punishable with simple imprisonment of up to one month, or with fine up to five hundred rupees or both. If the document was to be delivered to a Court of Justice, omission could invite simple imprisonment up to six with or without a fine of one thousand rupees.

In the context of our discussion on IP Addresses, the following questions emerge:

Are ISPs “telegraph authorities” so that the police are ordinarily prohibited from requisitioning information from them without obtaining orders from a court.
Similarly are Webmail and social networking sites “telegraph or postal authorities” so that securing information from them requires the following of the special procedure laid down in Section 92

Section 3(6) of the Indian Telegraph Act, 1885 defines "telegraph authority" as “the Director General of [Posts and Telegraphs], and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act”. This would seem to exclude all private sector ISPs from the definition, presumably opening them up to ordinary summons issued under Section 91.

However, Section 3(2) defines a "telegraph officer" to mean “any person employed either permanently or temporarily in connection with a telegraph established, maintained or worked by [the Central Government] or by a person licensed under this Act;” Under this section, employees of private ISPs such as Airtel would also be regarded as “telegraph officers” and if we can extend this logic, with some interpretative work, the ISPs themselves might be regarded as “telegraph authorities”. In the absence of definite rulings by the judiciary on this question, however, the ordinary presumption would be that private ISPs are not “telegraph authorities” and are answerable, like all private companies, to requisitions made under Section 91.

This leaves open the question of whether a government company like BSNL would count as a ‘telegraph authority’. If it is, then it would put internet communications conducted through BSNL on a more secure footing than through other ISPs. As things stand, however, it appears that BSNL seems to be extending its co-operation to the police in tracking mischief online , in the same manner as other ISPs.

The second question is relatively more straightforward. The definition of “Post Office” in the Indian Post Office Act 1898 restricts its meaning to “the department, established for the purposes of carrying the provisions of this Act into effect and presided over by the Director General [of Posts and Telegraphs]” (Section 2k). Despite their primary functions as email providers, it seems unlikely that any magistrate would interpret webmail providers like Hotmail and Google as “postal authorities” so as to be immune from police summonses under Section 91. Such an interpretation would, nevertheless, be in keeping with the spirit of the postal exemptions, since these sections seem to be aimed at requiring judicial oversight before the privacy of communications may be disturbed. It would be fitting for an amendment to be introduced to the Code of Criminal Procedure to update these sections in line with new technological developments.

Before parting with this section, it must be asked whether the procedure under the IT Act or the CrPC must be followed. Section 81 of the Information Technology Act unequivocally declares that act to have “overriding effect” “notwithstanding anything inconsistent therewith contained in any other law for the time being in force.” This seems to suggest that at least with respect to interception of electronic communications and obtaining traffic data, the provisions of the CrPC would be overridden by the procedure laid down by the rules under the IT Act. The evidence from the practice of the Indian police routinely obtaining IP Address from web service providers and ISPs seems to suggest that the IT Act has not been invoked in these transactions. This is a trend that is likely to continue until their legality is questioned in a court of law.

Subscriber Contracts with web service providers

In addition to statutory provisions mandating the disclosure of IP Address information, such disclosure may also be permissible by the terms under which individual websites provides their services. Two examples would suffice here:

Google’s privacy policy which governs its full range of services from its popular search service to Gmail, as well as the groups and blogging services, states that the company will disclose personal information inter alia if

"We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law."

Information collected by Google includes server logs which include the following information: "your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account." [34]

Similarly, social networking site Facebook contains an equally expansive ‘lawful disclosure’ clause in its Privacy Policy [35] which states that the company will disclose information:

"To respond to legal requests and prevent harm. We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities."

Information collected by Facebook includes information about the device (computer, mobile phone, etc) about your browser type, location, and IP address, as well as the pages visited. [36]

Examples of such clauses abound and it would be fair to assume that almost every corporate website one visits has analogously worded terms of service permitting ‘lawful disclosure’. This contractual backdoor negatives any expectation of absolute privacy of IP Address details that one might mistakenly have harboured.

Conclusion

As indicated in the introduction, IP addresses have proven to be a dependable way for the police in India to track down a range of cyber-criminals – from financial frauds, to vengeful spurned-lovers, to blackmailers and terrorists. The novelty of ‘cyber crimes’, as well as the relative high-tech ease of their resolution makes for attractive press, and offers an inexpensive way for police departments to accrue some credibility and goodwill for themselves. So long as the police track down genuine culprits, the question of privacy violations will necessarily remain suppressed since, in the words of the Supreme Court “the protection [of privacy] is not for the guilty citizen against the efforts of the police to vindicate the law." [37] However it is the possibility of an increase in egregious cases such as those of Lakshmana Kailash, mentioned above, wrongfully jailed for 50 days on account of a technical error, that reveals the pathologies of the unchecked system of IP Address disclosure that prevails today.

Legal regimes in the West have largely been indecisive about whether to characterize the maintenance of IP Address logs as handmaids for Orwellian thought-policing, or merely as implements that aid the apprehension of cyber criminals who have no legitimate expectation of privacy. Their laws typically come with procedural safeguards such as mandatory notices to affected persons [38], and judicial review which greatly mitigate the severity of these disclosures when they do occur.

Far from incorporating such safeguards, the various layers of Indian law create an atmosphere that is intensely hostile to the withholding of such information by ISPs and intermediaries. Overlapping layers of regulation between the Telegraph Act and the IT Act, and the conflict among various rules under the IT Act have created a climate of such indeterminacy that immediate compliance with even the most capricious of information demands by any government agency is the only prudent recourse for ISPs and other intermediaries. The DoT has issued a circular requiring the registration of public and domestic wifi networks to facilitate greater precision in tracking individuals behind IP Addresses. [39] For the same purpose, new Cyber Café Rules under the IT Act require extensive registers and logs to be maintained that track the identity of every user and the websites they have visited. [40] And if the full ambitions of the Unique Identity Numbering Scheme and the Centralised Monitoring System are realized, we will shortly be headed for exactly the kind of persistent surveillance society that Orwell wrote so fondly about.

The Indian judiciary, which could have played a counterbalancing role to the legislature’s apathy towards privacy and the executive’s increasingly totalitarian tendencies, has so far not risen to the challenge. The Supreme Court has repeatedly condoned the obtaining of evidence through illegal means, [41] and this has rendered the requirement of adherence to procedural due process by the police merely optional. This guarantee of judicial inaction in the face of executive illegality will be the biggest stumbling block to the securing of privacy – despite the occasionally good intentions of the legislature.

So, in the absence of a general assurance of privacy of our internet communications, where does one look to for hope? I would venture to suggest that there are four sources of optimism:

Notwithstanding the iron determination of the Central Government to install a panoptic communication surveillance system, the realization and smooth functioning of these technocratic fantasies will depend on the reconfiguration of the relative powers of various ministries at the Central Level– chiefly the Ministry of Communications and Information Technology and the Home Ministry – and between the Centre and the State. One can rely, one feels, on the unwillingness of various ministries to cede their powers to forestall or at least delay or diminish the execution of this project. The success of the technology, in other words, is not as much in doubt as the success of the politics. Privacy will triumph in this ‘failure’ of politics. I advance this point naively and with only the slightest sense of irony.
Another ironic point : I suggest the ingenious and very Indian phenomena of inefficiency and ignorance as robust privacy safeguards. How does one account for the fact that despite heavily worded and repeated invocations of disclosure requirements in the ISP licenses for almost a decade, it was not until December 2010 that the Home Ministry tentatively suggests to ISPs that IP records must be kept for a minimum of six months? This despite the fact that the ISP license itself requires that such records be kept for one year. How does one explain the unanimous blinking astonishment of the industry at this suggestion, other than they expected never to have to implement it? Or that the extensive logs that cyber café owners are required to maintain about their clientele are seldom checked? [43] In India it seems to be an unstated element of the business climate that one can reliably depend on the non-enforcement of contractual clauses. Sometimes this inefficiency on the part of the state has inadvertent privacy-preserving effects.
The power of the state to rely on IP Addresses depends on the availability of global internet behemoths such as Microsoft, Google, Facebook and Yahoo who are vulnerable to bullying in order to maintain their transnational empires. In each of the success stories mentioned at the start of this paper, IP Address details were obtained from one of the big companies named, from which the lesson that emerges is that our ability to retain our anonymity will depend on our ability to find smaller, non-Indian substitutes who have nothing to fear from Indian authorities. In June 2010, for instance, the Cyber Crime Police Station, Bangalore sent a notice under Section 91 of the CrPC to the manager of BloggerNews.Net (BNN) seeking the IP Address and details of a user who had allegedly posted “defamatory comments” on BNN about an Indian company called E2-Labs. The manager of BNN bluntly refused to comply stating: “our policy is not to give out that information, BNN holds peoples privacy in high esteem.”[44] The lesson here is that in the future, the ability of Indians to preserve their online ‘privacy’ and freedom of speech will depend on their being able to find sufficiently small overseas clients to host their speech. Conflict of Laws rather than domestic legislation is a more reliable guarantor of privacy.

Notes

[1].Hafeez, M., 2011. A tangled web of vengeance. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-03-28/mumbai/29353669_1_boyfriend-social-networking-police-officer [Accessed June 21, 2011].

[2].Adapted from the Wikipedia entry on IP Address.

[3].McIntyre, Joshua J., Balancing Expectations of Online Privacy: Why Internet Protocol (IP) Addresses Should be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011. Available at SSRN: http://ssrn.com/abstract=1621102 [Accessed June 21, 2011] .

[4].Anon, 2010. Army officer held in city for child porn -. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-05-08/mumbai/28292650_1_hard-disks-obscene-clippings-downloading [Accessed June 15, 2011].

[5].Anon, 2011. Anti-Ambedkar page on Facebook blocked. Hindustan Times. Available at: http://www.hindustantimes.com/Anti-Ambedkar-page-on-Facebook-blocked/Article1-663383.aspx [Accessed May 24, 2011].

[6].Sarokin, David. Google Ordered to Reveal Blogger Identity in Defamation Suit in India:Gremach Infrastructure vs Google India [Internet]. Version 5. Knol. 2008 Aug 15. Available from: http://knol.google.com/k/david-sarokin/google-ordered-to-reveal-blogger/l9cm7v116zcn/7.

[7].Anon, 2009. Mumbai: Man held for blackmailing Anoushka Shanka. Rediff.com. Available at: http://news.rediff.com/report/2009/sep/20/police-arrest-man-for-blackmailing-anoushka-shankar.htm [Accessed May 24, 2011].

[8].Anon, 2010. Cyber cell nets Delhi teen for lewd online posts - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011].

[9].Hafeez, M., 2011. Police find runaway student “online” - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-02-17/mumbai/28554314_1_social-networking-networking-site-sim-card [Accessed June 21, 2011].

[10].Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article§id=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].

[11].Ibid.

[12].This is not atypical. In the US, for instance, as Joshua McIntyre writes, “While various federal statutes protect similar data such as telephone numbers and mailing addresses as Personally Identifiable Information (PII), federal privacy law does not generally regard IP addresses as information worthy of protection. It has, therefore, become commonplace for litigants to subpoena ISPs to unmask online speakers. Many ISPs have no reason to fight these subpoenas and readily give up their subscribers’ names, addresses, telephone numbers, and other identifying data without demanding any court oversight or providing any notice to the subscriber. Even when courts become involved, a full consideration of the online speaker’s privacy interests is far from certain” Joshua McIntyre, supra note 3 at p.5.

[13].Anon, 2011. User Data Requests - India. Google Transparency Report. Available at: http://www.google.com/transparencyreport/governmentrequests/IN/?p=2010-12&p=2010-12&t=USER_DATA_REQUEST&by=PRODUCT [Accessed June 29, 2011].

[14].Ibid.

[15].Anon, 2007. Orkut’s tell-all pact with cops. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2007-05-01/news/28459689_1_orkut-ip-addresses-google-spokesperson [Accessed June 15, 2011].

[16].In June 2011, Hotmail supplied IP Address details which enabled Delhi Police to trace, with further assistance from Airtel, the sender of obscene emails to a noted actress. Sharma, M., 2011. Priyanka Chopra’s cousin harrassed in Delhi. Mid-Day. Available at: http://www.mid-day.com/news/2011/jun/100611-news-delhi-priyanka-chopra-cousin-Meera-Chopra-harrassed.htm [Accessed June 28, 2011].

[17]. In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.

[18].Thomas Philip, J., 2010. Intelligence Bureau wants ISPs to log all customer details. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps [Accessed June 28, 2011].

[19].The Monitoring Rules list 10 ‘cyber security’ concerns for which Monitoring may be ordered: (a) forecasting of imminent cyber incidents; (b) monitoring network application with traffic data or information on computer resource; (c) identification and determination of viruses/computer contaminant; (d) tracking cyber security breaches or cyber security incidents; (e) tracking computer resource breaching cyber security or spreading virus/computer contaminants; (f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security; (g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force; (i) any other matter relating to cyber security.

[20].Respectively the INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR INTERCEPTION, MONITORING AND DECRYPTION OF INFORMATION) RULES, 2009, G.S.R. 780(E) (2009), http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/Itrules301009.pdf (last visited Jun 30, 2011). and INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR MONITORING AND COLLECTING TRAFFIC DATA OR INFORMATION) RULES, 2009, G.S.R. 782(E) (2009), http://cca.gov.in/rw/resource/gsr782.pdf?download=true (last visited Jun 30, 2011).

[21].Section 69 lists the following grounds for which interception may be ordered : a) sovereignty or integrity of India, b) defense of India, c) security of the State, d)friendly relations with foreign States or e)public order or f)preventing incitement to the commission of any cognizable offence relating to above or g) for investigation of any offence.

[22].Rule 2(d) of the Monitoring and Collecting of Traffic Data Rules 2009.

[23].Telegraph (Amendment) Rules 2007, Available at: http://www.dot.gov.in/Acts/English.pdf [Accessed June 28, 2011].

[24].INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION), (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[25].The full list under Rule 3 includes : password; financial information such as Bank account or credit card or debit card or other payment instrument details ; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

[26].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.

[27].This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6..

[28].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?.

[29].The consequence of disobeying the rules is that the ‘body corporate’ is legally deemed not to have observed ‘reasonable security practices’. Section 43A penalizes such failure if it causes wrongful loss due to the disclosure.

[30].INFORMATION TECHNOLOGY (INTERMEDIARIES GUIDELINES) RULES, (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[31].The easily-affronted have thus been provisioned with a cheaper, swifter and more decisive means of curtailing free speech, where courts in India might have dithered ponderously instead Or they might not have. As of this writing, an obscure court in a Silchar, Assam issued an ex-parte injunction prohibiting the online publication of a highly-acclaimed biopic about Arindam Chaudhuri – a self-proclaimed ‘management guru’ who has gained notoriety in India due the questionable nature of a management institute that he runs. The choice of this particular court as the venue to file the suit, rather than one in New Delhi where both the plaintiff and the publisher reside, coupled Chaudhuri’s consistent success in obtaining such plenary gag-orders from this judge against any content he deems unflattering to himself, strongly suggests foul-play. Although this is not a typical case, it does caution against placing too much optimism on supposed judicial restraint and conservativeness. Anon, 2011. IIPM’s Rs500-million lawsuit against The Caravan. The Caravan, 3(6). Available at: http://caravanmagazine.in/Story/950/IIPM-s-Rs500-million-lawsuit-against-The-Caravan.html [Accessed June 28, 2011].

[32].See Ali, S.A., 2010. Cyber cell nets Delhi teen for lewd online posts. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011]. (“During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer.”); See also Rehman, T., 2008. A Case For Fools? Tehelka. Available at: http://www.tehelka.com/story_main40.asp?filename=Ws181008case_fools.asp [Accessed June 30, 2011].(“ The state police reportedly traced the email to the cyber café through its IP address. “We traced the email to a BSNL line. The BSNL has a cell in Bangalore to track such details. They traced the number to that particular cyber café in Shillong,” S.B. Singh, IGP (special branch) Meghalaya police told TEHELKA”)..

[33].Anon, 2010. Privacy Policy. Google Privacy Center. Available at: http://www.google.com/privacy/privacy-policy.html [Accessed June 28, 2011].

[34].Ibid.

[35].Anon, 2010. Privacy Policy. Facebook. Available at: http://www.facebook.com/policy.php [Accessed June 28, 2011].

[36].Ibid.

[37].R. M. Malkani v State Of Maharashtra AIR 1973 SC 157, 1973 SCR (2) 417.

[38].Eg. Title 18 US Code § 2703 provides for mandatory notice in case of wiretapping with a provision of ‘delayed notice’ where an ‘adverse result’ is apprehended such as (A) endangering the life or physical safety of an individual; (B) flight from prosecution; (C) destruction of or tampering with evidence; (D) intimidation of potential witnesses; or (E) otherwise seriously jeopardizing an investigation or unduly delaying a trial. Title 18,2705., Available at: http://www.law.cornell.edu/uscode/18/usc_sec_18_00002705----000-.html [Accessed June 28, 2011].

[39].Ministry of Communications & IT. Letter to All Internet Service Providers. “Instructions under the ISP License regarding provisioning of Wi-Fi internet service under delicenced frequency band”, February 23, 2009. http://www.dot.gov.in/isp/Wi-%20fi%20Direction%20to%20ISP%2023%20Feb%2009.pdf (last visited Jun 30, 2011). Internationally, this does not appear to be an uncommon move. See Thompson, C., 2011. Innocent Man Accused Of Child Pornography After Neighbor Pirates His WiFi. Huffington Post. Available at: http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html [Accessed June 30, 2011]. (“In Germany, the country's top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party.”).

[40].INFORMATION TECHNOLOGY (GUIDELINES FOR CYBER CAFE) RULES, 2011., G.S.R. 315(E) (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[41].See State Of Maharashtra v. Natwarlal Damodardas Soni AIR 1980 SC 593 , 1980 SCR (2) 340.

[42].Supra note 15.

[43].Manocha, S., 2009. Cops no more interested in checking cyber cafes. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2009-08-03/lucknow/28172232_1_cyber-cafe-proper-records-ip-address [Accessed June 28, 2011]. (The cyber cafe owners claim that the registers which they maintain are seldom checked by the police. "I maintained the records properly which included recording of the name and address of the visitors and a photocopy of their identification proofs but not even once any cop had checked my records," said Rajeev, a cyber cafe owner in Aliganj. "It is this carelessness on the part of cops that gives those not maintaining proper records to carry on their business without any fear of the law," he added).

[44].Barrett, S., 2010. Blogger News Censored In India. Blogger News Network. Available at: http://www.bloggernews.net/124890 [Accessed June 28, 2011].

For more details visit https://cis-india.org/internet-governance/ip-addresses-and-identity-disclosures

Investigating Limits to Innovation and Peer Production in India's Mobile Apps Economy

praskrishna — 2016-09-28T14:14:14Z

For more details visit https://cis-india.org/a2k/blogs/investigating-limits-to-innovation-and-peer-production-in-indias-mobile-apps-economy

Investigating Encrypted DNS Blocking in India

divyank — 2020-10-27T11:21:08Z

We find that encrypted DNS protocols are not blocked in India and share our test methodology.

This report was edited and reviewed by Gurshabad Grover and Simone Basso.

The Domain Name System (DNS) translates human-readable web addresses, like ‘cis-india.org’, into machine-readable IP addresses, such as ‘172.67.211.18’, that the routers that comprise the internet can understand and direct traffic to. This basic function of the web has historically operated unencrypted — allowing intermediaries that facilitate access to the internet, like coffee shop Wi-Fi operators and internet service providers (ISPs), to view what websites we visit. This gap in privacy is being exploited by both public and private entities to censor access to the web and surveil our browsing habits.

New internet protocols are being deployed that attempt to encrypt connections to DNS providers. Through the use of these methods, the contents of DNS queries are hidden from network intermediaries and eavesdroppers and are only visible to the DNS provider chosen by an individual or a default one assigned to them by their ISP or web browser. While there are other ways of censoring web traffic, encrypted DNS protocols prevent censors from using their older DNS-based methods. In response to these new protocols, states like Iran are trying to block them entirely, to maintain the status quo.

In this report, we investigate and find that encrypted DNS protocols, specifically the DNS over HTTPS (DoH) and DNS over TLS (DoT) standards, are accessible through major Indian ISPs, and describe the technical details of our testing methodology.

Test Setup

We compiled a list of publicly accessible DNS resolvers that support the encrypted DoH and DoT protocols and tested access to them from four popular Indian ISPs, namely Airtel, Atria Convergence Technologies (ACT), Reliance Jio, and Vodafone. Together, these cover a large majority (roughly 95%, as reported by TRAI) of the Indian internet subscriber base.

To test connectivity, we used the Open Observatory for Network Interference (OONI) probe engine (version 0.18.0). Specifically, the ‘miniooni’ command-line interface tool bundled with it. Instructions on how to install this can be found here.

Test methodology

To test whether DNS providers are reachable over encrypted communication protocols, the tool performs a DNS query using the specified one (either DoH or DoT). If the connection is successful and we receive a response from the DNS server, we conclude that the protocol is not blocked. Failing to query a specific DNS server over DoT or DoH does not necessarily mean that it has been censored. To understand whether a failure could be censorship, rather than a transient error, we would correlate measurements from many users within the same ISP and country and use an alternate network, such as a VPN, to access the possibly blocked service from another country.

In Iran, where DNS over TLS is reported to be blocked, it was found that censorship occurs by interfering with the TLS handshake. Traffic corresponding to DNS over TLS is easier to identify and block as it communicates over a unique port and a distinctive ALPN, while DNS over HTTPS traffic is harder to block effectively as the HTTPS standard is widely used on the web and interference would lead to collateral censorship.

Results

The tests were run on each ISP in early October 2020 using the following command:

$ ./miniooni --file=./resolvers.txt dnscheck

The raw results in the OONI data format can be found here. A summary of the observations are as follows:

All DNS resolvers tested were accessible over both DoH and DoT protocols from all ISPs tested.
IPv6 addresses were not reachable through ACT broadband. This limitation was independently confirmed using the Test-IPv6 tool and has also been discussed on Reddit.

Limitations

As our previous research by the Centre for Internet and Society indicates, censorship practices vary across ISPs. While we find no evidence of encrypted DNS protocols being blocked on these four major ISPs, there may be others implementing such blocking.

The second limitation is that these tests were run on a handful of connections from a couple of locations (Delhi and Bangalore). Web censorship mechanisms may vary by location within the country.

Finally, the results only indicate the accessibility of encrypted DNS resolvers at a particular point in time. We have not put in place any continuous monitoring of the censorship of encrypted DNS protocols.

Conclusion

Broadly, the legal framework of web censorship in India allows the Government and courts to ask ISPs to block access to online resources. The precise technical details of how to implement the censorship are left to the ISPs.

Because of net neutrality obligations, ISPs are not supposed to arbitrarily block resources. Coupled with the fact that the use of encrypted DNS protocols is not related to any particular content/website deemed unlawful, it might be expected that ISPs are not blocking encrypted DNS protocols. However, previous evidence of arbitrary blocking by ISPs motivated us to study whether any major ISP was blocking the use of these protocols or preventing access to any third-party DNS server.

As part of this exercise, we also contributed code to the OONI probe engine, making it easier for other researchers to test connectivity to multiple DNS providers.

For more details visit https://cis-india.org/internet-governance/blog/investigating-encrypted-dns-blocking-in-india

Interviews with App Developers: Open Source, Community, and Contradictions – Part III

samantha — 2015-04-03T08:15:25Z

The following is a third post within a series reporting on interviews conducted with 10 of Bangalore's mobile app developers and other industry stakeholders. Through this research, CIS attempts to understand how the developers interviewed engage with the law within their practice, particularly with respect to IP. Here we examine different attitudes and perspectives towards themes related to open software, as well as contract agreements.

While interviewing 10 of Bangalore's mobile app developers, the conversations that proceeded the immediate responses to our questions posed proved to be the most insightful. Previously, we examined responses surrounding different views on intellectual property rights (IPR) and potential factors influencing these individuals' attitudes and practices within their work. Within these preceding blog posts reporting on our interviews, a prevalent device we have made reference to is the dichotomy across positions that app developers take at polar ends of various spectrums. Here are some examples of the ways we have observed individuals to have opposing standpoints:

To work within a large corporate body	versus for a small startup enterprise
To develop mobile apps as one's own product	versus to develop apps as a service for another
To be familiar with intellectual property	versus to disregard intellectual property
To desire protection for one's intellectual property	versus not to care about protection for one's intellectual property

Contrary to some pro-IPR stances, several of our app developers strongly opposed notions of strict IPR regimes (patents, especially) and advocated on behalf of the open source community. And yet, others expressed their appreciation for open source software (OSS), all the while pursuing their own IP protection—a contradiction?

But is it really so cut and dry? Must an individual represent one side or the other? And if he or she does straddle the line that divides these opposing stances, is it by choice? Or necessity?

And what other dichotomies exist for the mobile app developer?

Open values and open source

Those interviewed who spoke highly of open source software often did so in referring to personal values of openness and the ability to share and use others' code freely within their work. One developer within a nonprofit enterprise explained that he would not want to restrict the future development and utilization of their idea, and would only consider licensing his source code under open source licensing, and not copyright.

Another common claim across developers is their involvement within the developer community, and contributions to open source libraries—and not only as a hobby. Large software development social enterprise, Mahiti, along with other interviewees representing social or nonprofit enterprises exhibited a particular interest in the use of and contributions to open source libraries.

Sreekanth S. Rameshaiah, cofounder and CEO of Mahiti explains that they “require all software to be GNU licensed, unless decided otherwise by the clients.” GNU General Public License (GPL) is considered a free software license—one that allows the licensed works to be freely accessible to all and to be used, copied, and altered as desired—as well as copyleft—in requiring all users of any component of the previous work to license their succeeding work under the same license as well. Some clients for Mahiti, of course, wouldn't find such conditions desirable, if they are ever to profit off or retain full ownership over their products and services.

Open source for future protection

One designer from a services SME enlightened us of a different reason for doing so: to guarantee their ability to use their work again. “Since we use a bunch of templates and things like that, those we license using a non-exclusive license, because we reuse those elements on different bits of code in different projects,” he explains, “so there are bits of it which is used over multiple projects and there are stuff that is built exclusively for the client.”

Here we are given some insight, that perhaps developers do not necessarily license for community values primarily, but for the ability to use their own work across clients. That being said, we begin to wonder what the possibility that open source code may serve as a loophole for work-for-hire contracts, which require the developer to assign all written intellectual property to whoever is commissioning the project. If the code happened to “already be available by open source,” a developer may still be honouring any restrictive agreements with clients, and ensuring their ability to use their code in this future again.

Such a strategy complies with the advice of Jayant Tewari of Out Sourced CFO & Business Advisory Services. Some advice Tewari has for startups is to first and foremost protect themselves by making wiser choices related to code in order to prevent being litigated against by others—such as using an open source equivalent to a piece of code that one does not have the rights to, or instead putting the extra time in to develop it from scratch.

Conflicting perspectives: hypocrisy or realism?

Of those who expressed an interest in the open source movement, not all had said that their products were to be open licensed as well. One developer explicitly stated: “I like the idea of open source, and building upon others' work...but our app is not open source, it's proprietary.” It may be a given, then, that all or most developers within our interview sample rely on open source code within their practice, but not all may contribute their resulting product's source code back.

Vivek Durai, from Humble Paper says that despite the fact that “open source has really taken route... on the smaller levels, people will come to a point when philosophies begin to change the moment you start seeing commercial.”

In our first blog post, we established the tendency for startup app developers to move away from the services model towards a product-oriented business model. If app developers most often contribute back to open source libraries when they do not have any mobile app products of their own to protect, I begin to wonder if we would see any change to the levels of content generation across open source libraries if, hypothetically speaking, all services app development enterprises began to solely develop their own products.

Which brings us to an additional mobile app ecosystem dichotomy:

To license mobile app code as proprietary VS to license mobile app code as open source

As individuals move away from the services model to focus their energy and investments on their own products, I begin to wonder if there is a tendency for them to also move away from the open source model as well...

Although perhaps irrelevant, we also consider the question concerning the reasons mobile app developers moving away from the services model to begin with. In the first part of this series, we heard from industry consultants of the little financial incentive the services sector has to offer, but can that be all there is to it?

Join us in our next post as we look closer at the mobile app ecosystem's business model trends, as well as its startup culture with regards to contracts and copyright.

For more details visit https://cis-india.org/a2k/blogs/interviews-with-app-developers-open-source-community-and-contradictions-iii

Interviews with App Developers: Name of the Game (Part IV)

samantha — 2015-04-03T08:58:27Z

The following is a concluding piece in a series reporting on interviews conducted with 10 of Bangalore's mobile app developers and other industry stakeholders. Within this research, CIS attempts to understand how they engage with the law within their practice, particularly with respect to IP. Here we examine responses given across interviews regarding instances of infringement of IP within their work.

Before commencing our interviews with India's mobile app developers and other industry players, a small series of questions had been devised in hopes of enabling us a glimpse at the facets of the picture of our main interest: those related to intellectual property. What we soon came to find, was that these questions may have too bluntly stated, producing hesitant and wary responses from those interviewed. After breaking this immediate ice, however, we often were given the privilege of hearing from these talented and thoughtful individuals several times over. And it is through this set of questions that the space was created for us to work together to reach an understanding of how different types of players orient themselves within the industry, in relation to their practices, policies, and business relationships, and voice any concerns or questions of their own.

The last of these questions to look at, is arguably the most sensitive in nature, asking whether one has ever had their works infringed upon, or has been accused for infringement upon those of others. In asking this question, we had hoped to gain some insight about occurrences of infringement taking place within the mobile app ecosystem, how this occurs, and in what sort of context.

Preceding conversations revealed differing experiences related to infringement; some experiences common across most, while others limited to one or two individuals. What these experiences, in turn, revealed, is what seems to be polarized stances on the very notion of infringement, reflecting personal histories and differing interests.

But what even is “infringement?” The term may be generally defined as:

infringement

noun

The action of breaking the terms of a law, agreement, etc.; a violation

But what exactly does this mean for a mobile app developer? Having not been previously defined or explained to those interviewed, the term had been used across responses in reference to various instances of infringement, spanning across many areas related to mobile app development. These instances will be looked at to follow.

Mobile app content (i.e. logos, pictures, etc.)
Pirated apps in app stores
“Dummy apps” or imitations of another's app
Breaching app stores user agreement
License agreements of code created by another
Open source licenses
Breaching of terms of agreement for by commissioning clients
Breaching of terms of agreement for by those hired

Not a threat to the threatening

After implying that his enterprise uses components that are owned by another without the proper permission to do so (whether source code or visual components was not specified), one developer simply stated that “no one would come after us—we have no money!” IP Strategy Consultant, Arjun Bala, explained to us that “here, developers do not need to worry about being sued. The big companies do not go after small developers; it depends on how much money they're making.” Bala continues in saying that, “Patent lawsuits can cost something like millions of dollars, so unless they're going to get more back, they wouldn't go throught the trouble of doing so... but that is true even in the US.”

This soon revealed to be a demonstrated theme known across those within the developer ecosystem. Developer, Aravind Krishnaswamy stated that the “startup mentality is to break all of the rules first, then concern themselves with IP as a means of covering their own tracks.” There is a perceivable difference, he says in their motives regulating their behaviours that differ from “I shouldn't do this because I can get caught vs. I shouldn't do this because it's against the law.”

Towards being infringed upon

For those within service agreements, this was generally so due to the fact that one does not own their works and instead assigns ownership to their mobile apps to clients. Rahul of Uncommon explains that any cases of infringement upon their work is unconcerning to his team: “Because once we hand it off [to clients], it's their issue,” he says.

Contrasting to this perspective, however, is the apprehension exhibited by some towards not clearly knowing whether they are incidently infringing upon others people's work. Because of this unknowing, however, others are indifferent. "There's a few people who I think looked at what we're doing and tried to copy some of the features or just the positioning,” Krishnaswamy suspects, “but, ultimately there are some things you can be bothered about as a small company.” He continues in saying that those suspects to be copying you “could have been working on their product independently—it's quite possible.”

Sree of Mahiti, on the other hand is not too concerned about others infringing upon their products or copying them as such is “irrelevant to their business model.” In making their software products open source, Sree explains, that they do not care how people use it, but if he were to come across infringement, he would likely act upon it.

But how can one be indifferent to infringement while licensing under GNU, a perpetual copyleft license?

Name of the game

Perhaps one could even go a step further in arguing that being a developer (a startup developer, especially) necessitates bending the rules at some point. Of all of the bits of open source code used, how many of the licenses are actually considered and complied to in their entirety? As stated by Vivek Durai of Humble Paper: “In a mobile app where you're producing software, you could potentially be violating the terms of OS licenses.” Tewari argues that this actually occurs in pretty much all cases.

“Everyone is in non-compliance. That is a given,” Tewari asserts. However, the distinction he makes is that more corporate players are in non-compliance knowingly than not, where is more SMEs infringe upon others without being aware that they are. Just as well, the degree to which infringement takes place may differ between the two types of industry players: “At the corporate level, where they know they are not in compliance, the degree of non-compliance might be very small or specific, but it still exists.” On the other hand, for startup developers, a substantial amount of their code may not comply with the licenses and agreements they are obliged to—something that could pose problems for them later down the road if left unfixed.

“Everyone is in non-compliance. That is a given... It is similar to asking 'do I know anyone who has never paid a bribe?' My answer is no.”

To put simply, Tewari draws the following comparison “It is similar to asking 'do I know anyone who has never paid a bribe?' My answer is no.” Here, he suggests that non-compliance to legal agreement, although technically unjust, is as tacit to the software sector as bribes are to the justice sector. Although perhaps not a perfect comparison, it definitely helps to put things into perspective.

Mope App Matrix

After speaking with numerous mobile app developers, lawyers, and other community players, it is difficult to say whether our findings have brought clarity to the nature the problem at hand, or if our research has, instead, shed light on additional problems within our realm of vision—at varying heights and depths, cutting across one another to form a matrix of indivisible linkages, or just plain chaos.

In the next of our exercises, we hope to comprehensively illustrate this matrix, by categorizing the different stakeholders across this ecosystem according to their interests and the ways in which they operate, and in turn, affect each other.

We look forward to bringing to completion (even if only to return to later) the first of our stages within this chapter of the Pervasive Technologies Project, which, to recap, had initially been to understand the mobile app ecosystem in light of India's IP regime. But what we are arriving at may be regarded, instead, as an understanding of the ecosystem informed by the stories and experiences of the ecosystem's central organisms: its developers. Perhaps it can only be here, at the intersection of stories—whether complementary or contradictory in nature—where the intricacies of processes deeply-embedded and their implications begin to reveal themselves.

For more details visit https://cis-india.org/a2k/blogs/interviews-with-app-developers-name-of-the-game-part-iv

Interviews with App Developers: [dis]regard towards IPR vs. Patent Hype – Part II

samantha — 2014-08-19T03:51:39Z

The following is a second post within a series reporting on interviews conducted with 10 of Bangalore's mobile app developers and other industry stakeholders. Within this research, CIS attempts to understand how they engage with the law within their practice, particularly with respect to IP. Here we examine how these developers responded to a question on legal protection for their works.

Before one can identify the solution, one must first identify the problem. Yet, in order to understand the problem, we must first understand the individuals involved and the how the problem affects these individuals. We hope that the findings of this preliminary research initiative will provide sufficient groundwork to understand the problems that exist and the different ways of approaching them before determining the most suitable prospective option in changes at the policy level. In this case, the individuals under study are the key contributors to the mobile app space within India; and the problem, being those faced by them as they attempt to navigate an emerging and ambiguous ecosystem.

Previously, we looked at responses that were given across these mobile app developers interviewed which revealed how they orient notions of intellectual property within their practice and own products, specifically. Findings that were made included deductions that the majority of those interviewed developed mobile app products for clients, and in turn assigned ownership of their products to their clients. Just as well, they commonly shared an interest in leaving the services sector to create products of their own, with some of them already having made the transition within their business model.

Question 2: “How is your IP protected?”

Next, we asked how they go about protecting their intellectual property to get a feel of who is protecting their apps and who is not. In asking this question, we hoped to learn how they go about protecting their work via legal means. Across their various responses, we observed many patterns and contradictions which are conveyed here with reference to comments made across interviews. It is important to note, however, that no causal relations intend for be argued for, only suggested correlations.

How they responded

When asked, those interviewed responded with a variance in answers. Some simply stated that their work is not protected, while a few mentioned that they acquired trademark or intend to apply for trademark protection. One interviewee had a patent pending in India and the US, as well. In many of our conversations, developers mentioned that their code for their apps is under open source licenses, and a couple others entailed sharing that the content is under creative commons licenses, “individual licenses,” or joint copyright. Additionally, within one interview, one mentioned the use of encryption tools as a technical means of protection for their work.

“The concept of securing IP is relatively new within the Indian context... it becomes a question of priority between innovation and protection" — Aravind Krishnaswamy, Levitum

Of the developers interviewed, many exhibited some sort of confusion or misunderstanding related to the protection of their works by means of intellectual property rights (IPR). Those interviewed seemed to either express an interest to acquire IPR in the future for their products in the forms of patent or trademark protection, or expressed their appreciation for openness source licensing—or both! Beneath these immediate responses, however, many repeated patterns, as well as contradictions, are revealed. Conversations that followed within these interviewed entailed the opportunity to hear from personal experiences and opinions on different areas within their practice intersecting IPR.

Reasons for IPR protection

If a startup or SME is bootstrapped with very little cash flow to begin with, what would provoke or inspire one to pursue the process of acquiring patent protection then? Aravind Krishnaswamy of startup, Levitum, considers “the concept of securing IP is relatively new within the Indian context.” So if this is the case, why did so many developers interviewed express an interest in IPR?

For those who did express interest in acquiring IPR as protection for their mobile app products, most seemed to express an interest in proving ownership over their work, or preventing problems in the future. One developer's commented on how the mobile app market is a “new and potentially volatile area for software development.” For this reason, it was imperative that he and his team attempted to avoid trouble in the future, and ensure that they going about mobile app development the right and moral way.

Within another interview, developer, John Paul of mobile app SME, Plackal, explains his motives for seeking to acquire patent protection, the application for which is currently pending in India and the US: "For us, applying for a patent is primarily defensive. And if it does get infringed upon, it would give us a good opportunity to generate revenue from it." For the company's trademark, they sought to be able to enforce their ownership over their product's brand: “As a precautionary, we've trademarked the app so that should there be a situation where the app is pirated, we can claim ownership for that app.”

Security not so easily attainable

“To some extent, IPR law is only accessible after moving away from the startup phase."—John Paul, Plackal

However, for the startup especially, such protection does not come without a cost. For this reason, IPR is generally perceived as a gamble or tradeoff. It becomes a “question of priority between innovation and protection,” says Krishnaswamy. He continues in saying that, "I feel like even if it’s a great idea if someone else copies it, that’s some level of validation, but as a small company I’d rather be nimble in terms of how we build it up and get it to a certain point. We're trying to move fast and get something going, and then figure it out.” For Krishnaswamy and his team, securing a patent on an area where they feel they feel they have unique work is on their list of things to do, “It's something for us to revisit in the future.”

Paul explains that he and his team didn't always have IPR within reach: “To some extent, IPR law is only accessible after moving away from the startup phase.” So what discourages startups from acquiring IPR, or simply seeking it out?

Patent attorney and IP consultant, Arjun Bala explains that “there is a lot to figure out. One aspect is filling it out, the other is how you write it so that it is easily granted and gives you the right sort of patent protection you are looking for. It is a very complex process that requires a lot of technical and legal expertise.” But even if one successfully manoeuvres the IPR system, is protection guaranteed?

Business Financial Strategist of Out Sourced CFO & Business Advisory Services, Jayant Tewari, illustrates the lack of security for the SME in the patent system, specifically, in saying, “Since a patent becomes public domain on filing, it can be effectively infringed based on the filing, even before it is granted.” Tewari continues in stressing the irrelevance of patents for SMEs due to the difficulty of enforcement: “the infringement will be adjudicated after 2 years at an immense cost to the SME patent-holder, who will go commercially belly-up due to the infringement. The regime does not protect the SME at all.”

“It is easy to say 'this is the method and no once can copy', but unless the look and feel is the same, it is very hard to demonstrate that you have been infringed on.”
—Samuel Mani, Mani Chengappa & Mathur

Nevermind enforcement...

Not only did our interviews shed light on the difficulty for a startup developer to apply for and be granted protection for their intellectual property, but also for the enforcement of such. Partnering Lawyer, Samuel Mani, of technology-focused law firm, Mani Chengappa & Mathur, speaks to us about the extensive procedure required to prove one's ownership over their IP: “To demonstrate copyright infringement, it requires going into millions of lines of code—unless it is the interface that is copied, which is easily visible.” Mani continues on the enforcement of patent protection by saying, “For a patent, the scope is even wider. It is easy to say 'this is the method and no once can copy', but unless the look and feel is the same, it is very hard to demonstrate that you have been infringed on.”

Planting the initial seed

If there is arguably so much risk associated with applying for IPR protection, as well with enforcement, what specifically gets startups thinking about IPR initially within their practice? What experiences help them formulate their opinions on the matter, and which forms of IPR do they seek out?

Across interviews conducted, one particular observation entailed the tendency for developers to have worked in the past for corporate employers that have dealt with cases of infringement or have acquired IP protection. Almost half of those interviewed shared the fact that they worked for a corporate employer and became better familiar with different notions of intellectual property through that experience. It may not be too farfetched to suggest, then, that for the developer the idea of acquiring IPR protection is one that may be reinforced from previous employers or other successful development companies with IPR of their own.

Cofounder and developer for a medium-sized software development enterprise, Anoop[1] explained that it wasn't until after the success of his enterprise's first application with $1 million in sales, that they started thinking about intellectual property and began to understand the value of it. This newly attained understanding, however, had not been enough to sufficiently equip his team with the knowledge to properly secure protection. For them, going after patent protection turned out to be a pursuit in vain.

Loss of faith in patents for SMEs

Anoop shares his disappointing experience after attempting to secure a patent for one of their mobile apps:

“We burned our fingers with patents. We spent a lot of money for a game we invented about 3 years ago. We had a law firm in the US to help us. We applied for it, and it went through 3-4 revisions, costing us $25-30,000. We finally closed the file when we could not get it due to an existing patent. We were really surprised."

After much disappointment from not being successful in their attempts to acquire patent protection, however, Anoop came out of the experience with a new outlook on patents and their role for SMEs:

“They're meant for large companies as means to bully your competitor. Only big players with the capacity to file for a patent as soon as it takes off benefit. The existing system doesn’t really work for startup companies. In India and anywhere. It’s an expensive process. If you’re a startup who’s just bootstrapping, there’s no guarantee that you will get it. It’s going to take you years.”

Patent hype
Anoop is a prime example of developers in the startup space that fall victim to the promises of the patent system—only to be spat back out having exhausted their time and earnings. Already being aware of the probability for failure, Mani strongly discourages going after patent protection as a means of staying in the race. “With people spending millions on litigation, it is a recipe for disaster, especially considering the inherent delay of the Indian system.” For this reason, Mani stresses the importance of applying for the right protection.

Mani also suggests that the patent debate is driven by self-interest—people who simply make money off of application filing, regardless of whether or not the case succeeds. As a lawyer in the IT space, Mani claims to have turned away several prospective clients looking to patent their products when he insisted that such means of protection was not suitable for their product and interests...which brings us to an additional area of heated debate: the patentability of mobile apps.

Can mobile apps be patented?[2]

One concept that seemed to receive contested responses across interviews is that of the patentability of mobile apps in the first place. When asked if mobile apps could be patented, former lawyer and startup founder, Vivek Durai, of HumblePaper, put it blatantly in responding, “absolutely not.” Others offered explanations of the Indian Patent Law nuances regarding when a mobile app is patentable and when one is not.

While consulting a SME with their own patent application, Bala explains their approach to ensure the mobile app's eligibility for patent protection, while providing some insight into the Indian patent system:

“One approach that we've taken to getting a patent in India is it's not just a pure software, but a software plus a hardware—as in it requires a specific hardware to function. If [the software] makes the hardware perform better, then it has a technical effect... In which case, we have a better chance of getting a patent in India. If your software is agnostic to hardware, however, it is much more difficult to receive a patent in India.”

To patent or not to patent? (or any IPR for that matter)
To Tewari, on the other hand, the question of whether a mobile app can be patented is one entirely irrelevant. The question Tewari introduces into the developer's market strategy is not 'can I patent my app?' but instead, 'should I do so?' In response to which; he would predominantly reply: No.

“How [startup] mobile app developers regard IP laws—or better yet, disregard—is fine for their sake,” argues Tewari. Alternatively, he suggests developers learn how to maneuver the laws, to prevent themselves from arriving at any sticky situations after unknowingly using another's code. To his clients who have mobile apps of their own, he advises to use an open source equivalent of a piece of code if they do not have the rights to it. Doing so will help keep infringement upon others at a minimal and prevent litigation against oneself.

“How [startup] mobile app developers regard IP laws—or better yet, disregard—is fine for their sake."—Jayant Tewari, Out Sourced CFO & Business Advisory Services

Not all developers interviewed, however, aspired to acquiring patent protection. In fact, some strongly opposed software patents, while expressing their appreciation for openness across the developer community. The other side to the IPR-Open Source dichotomy will be examined in the blog post to follow, after which, we will then look at accounts of infringement and threats of litigation across mobile app developers interviewed.

To recap

By looking closely at the individual experiences across mobile app developers interviewed, we hope to begin to map out the mobile app ecosystem and the ways in which industry players engage with each other regarding their IPR. We also hope to begin to shed light on the different attitudes towards the law within one's practice, and how they shape their decisions related to their work. Only after doing so, may we be able to sufficiently assess how India's current IP laws govern this landscape.

Stay tuned for the next in this blog series! We hope that you may benefit from our findings in your own practice as a mobile app industry player or enthusiast, as well.

Notes:
[1] Name changed to protect the interviewee's identity

[2] In conducting interviews, our goal was not to test the legitimacy of responses, but instead, to map them out across various industry stakeholders. For this reason, this blog series will not be able to sufficiently respond to legal question, such as whether or not mobile apps are patentable to begin with. We intend to, however, undergo legal analysis of the Indian IPR system at its intersection with the mobile app space in India at a later stage in this project.

For more details visit https://cis-india.org/a2k/blogs/interviews-with-app-developers-dis-regard-towards-ipr-vs-patent-hype-2013-part-ii

Interview with Caspar Bowden - Privacy Advocate and former Chief Privacy Adviser at Microsoft

maria — 2013-11-06T08:16:05Z

Maria Xynou recently interviewed Caspar Bowden, an internationally renowned privacy advocate and former Chief Privacy Adviser at Microsoft. Read this exciting interview and gain an insight on India's UID and CMS schemes, on the export of surveillance technologies, on how we can protect our data in light of mass surveillance and much much more!

Caspar Bowden is an independent advocate for better Internet privacy technology and regulation. He is a specialist in data protection policy, privacy enhancing technology research, identity management and authentication. Until recently he was Chief Privacy Adviser for Microsoft, with particular focus on Europe and regions with horizontal privacy law.

From 1998-2002, he was the director of the Foundation for Information Policy Research (www.fipr.org) and was also an expert adviser to the UK Parliament for the passage of three bills concerning privacy, and was co-organizer of the influential Scrambling for Safety public conferences on UK encryption and surveillance policy. His previous career over two decades ranged from investment banking (proprietary trading risk-management for option arbitrage), to software engineering (graphics engines and cryptography), including work for Goldman Sachs, Microsoft Consulting Services, Acorn, Research Machines, and IBM.

The Centre for Internet and Society interviewed Caspar Bowden on the following questions:

1. Do you think India needs privacy legislation? Why / Why not?

Well I think it's essential for any modern democracy based on a constitution to now recognise a universal human right to privacy. This isn't something that would necessarily have occurred to the draft of constitutions before the era of mass electronic communications, but this is now how everyone manages their lives and maintains social relationships at a distance, and therefore there needs to be an entrenched right to privacy – including communications privacy – as part of the core of any modern state.

2. The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why / Why not?

Although the majority of people in India are still living in conditions of poverty and don't have access to the Internet or, in some cases, to any electronic communications, that's changing very rapidly. India has some of the highest growth rates in take up with both mobile phones and mobile Internet and so this is spreading very rapidly through all strata of society. It's becoming an essential tool for transacting with business and government, so it's going to be increasingly important to have a privacy law which guarantees rights equally, no matter what anyone's social station or situation. There's also, I think, a sense in which having a right to privacy based on individual rights is much preferable to some sort of communitarian approach to privacy, which has a certain philosophical following; but that model of privacy - that somehow, because of a community benefit, there should also be a sort of community sacrifice in individual rights to privacy - has a number of serious philosophical flaws which we can talk about.

3. "I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally." Please comment.

Well, it's hard to know where to begin. Almost everybody in fact has “something to hide”, if you consider all of the social relationships and the way in which you are living your life. It's just not true that there's anybody who literally has nothing to hide and in fact I think that it's rather a dangerous idea, in political culture, to think about imposing that on leaders and politicians. There's an increasing growth of the idea – now, probably coming from America- that political leaders (and even their staff - to get hired in the current White House) should open up their lives, even to the extent of requiring officials to give up their passwords to their social network accounts (presumably so that they can be vetted for sources of potential political embarrassment in their private life). This is a very bad idea because if we only elect leaders, and if we only employ bureaucrats, who do not accord any subjective value to privacy, then it means we will almost literally be electing (philosophical) zombies. And we can't expect our political leaders to respect our privacy rights, if we don't recognise that they have a right to privacy in their own lives also. The main problem with the “nothing to hide, so nothing to fear” mantra is that this is used as a rhetorical tool by authoritarian forces in government and society, who simply wish to take a more paternalistic and protective attitude. This reflects a disillusionment within the “deep state” about how democratic states should function.

Essentially, those who govern us are given a license through elections to exercise power with consent, but this entails no abrogation of a citizen's duty to question authority. Instead, that should be seen as a civic duty - providing the objections are reasonable. People actually know that there are certain things in their lives that they don't wish other people to know, but by indoctrinating the “nothing to hide” ideology, it inculcates a general tendency towards more conformism in society, by inhibiting critical voices.

4. Should people have the right to give up their right to privacy? Why / Why not?

In European data protection law there is an obscure provision which is particularly relevant to medical privacy, but almost never used in the area of so-called sensitive personal data, like political views or philosophical views. It is possible currently for European governments to legislate to override the ability of the individual to consent. So this might arise, for example, if a foreign company sets up a service to get people to consent to have their DNA analysed and taken into foreign databases, or generally where people might consent to a big foreign company analysing and capturing their medical records. I think there is a legitimate view that, as a matter of national policy, a government could decide that these activities were threatening to data sovereignty, or that was just bad public policy. For example, if a country has a deeply-rooted social contract that guarantees the ability to access medical care through a national health service, private sector actors could try to undermine that social-solidarity basis for universal provision of health care. So for those sorts of reasons I do think it's defensible for governments to have the ability in those sectors to say: “Yes, there are areas where people should not be able to consent to give up their privacy!”

But then going back to the previous answer, more generally, commercial privacy policies are now so complicated – well, they've always been complicated, but now are mind-blowingly devious as well - people have no real possibility of knowing what they're consenting to. For example, the secondary uses of data flows in social networks are almost incomprehensible, even for technologists at the forefront of research. The French Data Protection authorities are trying to penalize Google for replacing several very complicated privacy policies by one so-called unified policy, which says almost nothing at all. There's no possible way for people to give informed consent to this over-simplified policy, because it doesn't even tell anything useful to an expert. So again in these circumstances, it's right for a regulator to intercede to prevent unfair exploitation of the deceptive kind of “tick-box” consent. Lastly, it is not possible for EU citizens to waive or trade away their basic right to access (or delete) their own data in future, because this seems a reckless act and it cannot be foreseen when this right might become essential in some future circumstances. So in these three senses, I believe it is proper for legislation to be able to prevent the abuse of the concept of consent.

5. Do you agree with India's UID scheme? Why / Why not?

There is a valid debate about whether it's useful for a country to have a national identity system of some kind - and there's about three different ways that can be engineered technically. The first way is to centralise all data storage in a massive repository, accessed through remote terminal devices. The second way is a more decentralised approach with a number of different identity databases or systems which can interoperate (or “federate” with eachother), with technical and procedural rules to enforce privacy and security safeguards. In general it's probably a better idea to decentralise identity information, because then if there is a big disaster (or cyber-attack) or data loss, you haven't lost everything. The third way is what's called “user-centric identity management”, where the devices (smartphones or computers) citizens use to interact with the system keep the identity information in a totally decentralised way.

Now the obvious objection to that is: “Well, if the data is decentralised and it's an official system, how can we trust that the information in people's possession is authentic?”. Well, you can solve that with cryptography. You can put digital signatures on the data, to show that the data hasn't been altered since it was originally verified. And that's a totally solved problem. However, unfortunately, not very many policy makers understand that and so are easily persuaded that centralization is the most efficient and secure design – but that hasn't been true technically for twenty years. Over that time, cryptographers have refined the techniques (the alogithms can now run comfortably on smartphones) so that user-centric identity management is totally achievable, but policy makers have not generally understood that. But there is no technical reason a totally user-centric vision of identity architecture should not be realized. But still the UID appears to be one of the most centralised large systems ever conceived.

There are still questions I don't understand about its technical architecture. For example, just creating an identity number by itself doesn't guarantee security and it's a classic mistake to treat an identifier as an authenticator. In other words, to use an identifier or knowledge of an identifier - which could become public information, like the American social security number – to treat knowledge of that number as if it were a key to open up a system to give people access to their own private information is very dangerous. So it's not clear to me how the UID system is designed in that way. It seems that by just quoting back a number, in some circumstances this will be the key to open up the system, to reveal private information, and that is an innately insecure approach. There may be details of the system I don't understand, but I think it's open to criticism on those systemic grounds.

And then more fundamentally, you have to ask what's the purpose of that system in society. You can define a system with a limited number of purposes – which is the better thing to do – and then quite closely specify the legal conditions under which that identity information can be used. It's much more problematic, I think, to try and just say that “we'll be the universal identity system”, and then you just try and find applications for it later. A number of countries tried this approach, for example Belgium around 2000, and they expected that having created a platform for identity, that many applications would follow and tie into the system. This really didn't happen, for a number of social and technical reasons which critics of the design had predicted. I suppose I would have to say that the UID system is almost the anithesis of the way I think identity systems should be designed, which should be based on quite strong technical privacy protection mechanisms - using cryptography - and where, as far as possible, you actually leave the custody of the data with the individual.

Another objection to this user-centric approach is “back-up”: what happens when you lose the primary information and/or your device? Well, you can anticipate that. You can arrange for this information to be backed-up and recovered, but in such a way that the back-up is encrypted, and the recovered copy can easily be checked for authenticity using cryptography.

6. Should Indian citizens be concerned about the Central Monitoring System (CMS)? Why / Why not?

Well, the Central Monitoring System does seem to be an example of very large scale “strategic surveillance”, as it is normally called. Many western countries have had these for a long time, but normally only for international communications. Normally surveillance of domestic communications is done under a particular warrant, which can only be applied one investigation at a time. And it's not clear to me that that is the case with the Central Monitoring System. It seems that this may also be applicable to mass surveillance of communications inside India. Now we're seeing a big controversy in the U.S - particularly at the moment - about the extent to which their international strategic surveillance systems are also able to be used internally. What has happened in the U.S. seems rather deceptive; although the “shell” of the framework of individual protection of rights was left in place, there are actually now so many exemptions when you look in the detail, that an awful lot of Americans' domestic communications are being subjected to this strategic mass surveillance. That is unacceptable in a democracy.

There are reasons why, arguably, it's necessary to have some sort of strategic surveillance in international communications, but what Edward Snowden revealed to us is that in the past few years many countries – the UK, the U.S, and probably also Germany, France and Sweden – have constructed mass surveillance systems which knowingly intrude on domestic communications also. We are living through a transformation in surveillance power, in which the State is becoming more able to monitor and control the population secretively than ever before in history. And it's very worrying that all of these systems appear to have been constructed without the knowledge of Parliaments and without precise legislation. Very few people in government even seem to have understood the true mind-boggling breadth of this new generation of strategic surveillance. And no elections were fought on a manifesto asking “Do people want this or not?”. It's being justified under a counter-terrorism mantra, without very much democratic scrutiny at all. The long term effects of these systems on democracies are really uncharted territory.

We know that we're not in an Orwellian state, but the model is becoming more Kafkaesque. If one knows that this level of intensive and automated surveillance exists, then it has a chilling effect on society. Even if not very much is publicly known about these systems, there is still a background effect that makes people more conformist and less politically active, less prepared to challenge authority. And that's going to be bad for democracy in the medium term – not just the long term.

7. Should surveillance technologies be treated as traditional arms / weapons? If so, should export controls be applied to surveillance technologies? Why / Why not?

Surveillance technologies probably do need to be treated as weapons, but not necessarily as traditional weapons. One probably is going to have to devise new forms of export control, because tangible bombs and guns are physical goods – well, they're not “goods”, they're “bads” - that you can trace by tagging and labelling them, but many of the “new generation” of surveillance weapons are software. It's very difficult to control the proliferation of bits – just as it is with copyrighted material. And I remember when I was working on some of these issues thirteen years ago in the UK – during the so-called crypto wars – that the export of cryptographic software from many countries was prohibited. And there were big test cases about whether the source code of these programs was protected under the US First Amendment, which would prohibit such controls on software code. It was intensely ironic that in order to control the proliferation of cryptography in software, governments seemed to be contemplating the introduction of strategic surveillance systems to detect (among other things) when cryptographic software was being exported. In other words, the kind of surveillance systems which motivated the “cypherpunks” to proselytise cryptography, were being introduced (partly) with the perverse justification of preventing such proliferation of such cryptography!

In the case of the new, very sophisticated software monitoring devices (“Trojans”) which are being implanted into people's computers – yes, this has to be subject to the same sort of human rights controls that we would have applied to the exports of weapon systems to oppressive regimes. But it's quite difficult to know how to do that. You have to tie responsibility to the companies that are producing them, but a simple system of end-user licensing might not work. So we might actually need governments to be much more proactive than they have been in the past with traditional arms export regimes and actually do much more actively to try and follow control after export – whether these systems are only being used by the intended countries. As for the law enforcement agencies of democratic countries which are buying these technologies: the big question is whether law enforcement agencies are actually applying effective legal and operational supervision over the use of those systems. So, it's a bit of a mess! And the attempts that have been made so far to legislate this area I don't think are sufficient.

8. How can individuals protect their data (and themselves) from spyware, such as FinFisher?

In democratic countries, with good system of the rule of law and supervision of law enforcement authorities, there have been cases – notably in Germany – where it's turned out that the police using techniques, like FinFisher, have actually disregarded legal requirements from court cases laying down the proper procedures. So I don't think it's good enough to assume that if one was doing ordinary lawful political campaigning, that one would not be targeted by these weapons. So it's wise for activists and advocates to think about protecting themselves – of course, other professions as well who look after confidential information – because these techniques may also get into the hands of industrial spies, private detectives and generally by people who are not subject to even the theoretical constraints of law enforcement agencies.

After Edward Snowden's revelations, we understand that all our computer infrastructure is much more vulnerable – particularly to foreign and domestic intelligence agencies – than we ever imagined. So for example, I don't use Microsoft software anymore – I think that there are techniques which are now being sold to governments and available to governments for penetrating Microsoft platforms and probably other major commercial platforms as well. So, I've made the choice, personally, to use free software – GNU/Linux, in particular – and it still requires more skill for most people to use, but it is much much easier than even a few years ago. So I think it's probably wise for most people to try and invest a little time getting rid of proprietary software if they care at all about societal freedom and privacy. I understand that using the latest, greatest smartphone is cool, and the entertainment and convenience of Cloud and tablets – but people should not imagine that they can keep those platforms secure.

It might sound a bit primitive, but I think people should have to go back to the idea that if they really want confidential communications with their friends, or if they are involved with political work, they have to think about setting aside one machine - which they keep offline and just use essentially for editing and encrypting/decrypting material. Once they've encrypted their work on their “air gap” machine, as it's called, then they can put their encrypted emails on a USB stick and transfer them to their second machine which they use to connect online (I notice Bruce Schneier is just now recommending the same approach). Once the “air gap” machine has been set up and configured, you should not connect that to the network – and preferably, don't connect it to the network, ever! So if you follow those sorts of protocols, that's probably the best that is achievable today.

9. How would you advise young people working in the surveillance industry?

Young people should try and read a little bit into the ethics of surveillance and to understand their own ethical limits in what they want to do, working in that industry. And in some sense, I think it's a bit like contemplating a career in the arms industry. There are defensible uses of military weapons, but the companies that build these weapons are, at the end of the day, just corporations maximizing value for shareholders. And so, you need to take a really hard look at the company that you're working for or the area you want to work in and satisfy your own standard of ethics, and that what you're doing is not violating other people's human rights. I think that in the fantastically explosive growth of surveillance industries that we've seen over the past few years – and it's accelerating – the sort of technologies particularly being developed for electronic mass surveillance are fundamentally and ethically problematic. And I think that for a talented engineer, there are probably better things that he/she can do with his/her career.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate

Interview with Bruce Schneier - Internationally Renowned Security Technologist

maria — 2013-10-17T08:54:32Z

Maria Xynou recently interviewed Bruce Schneier on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!

Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist.

He is the author of 12 books -- including Liars and Outliers: Enabling the Trust Society Needs to Survive -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press.

Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for BT -- formerly British Telecom.

The Centre for Internet and Society (CIS) interviewed Bruce Schneier on the following questions:

Do you think India needs privacy legislation? Why/ Why not?
The majoity of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why/ Why not?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.
Can free speech and privacy co-exist? What is the balance between privacy and freedom of expression?
Should people have the right to give up their right to privacy? Why/ Why not?
Should surveillance technologies be treated as traditional arms/weapons? Why/ Why not?
How can individuals protect their data (and themselves) from spyware, such as FinFisher?
How would you advise young people working in the surveillance industry?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier

Internet-driven Developments — Structural Changes and Tipping Points

elonnai — 2012-12-28T15:34:51Z

A symposium on Internet Driven Developments: Structural Changes and Tipping Points was held in Cambridge, Massachusetts at Harvard University from December 6 to 8, 2012. The symposium was sponsored by the Ford Foundation and the MacArthur Foundation and was hosted by the Berkman Center for Internet & Society. In this blog post, I summarize the discussions that took place over the two days and add my own personal reflections on the issues.

The symposium served as an inaugural event for the Global Network of Interdisciplinary Centers, which currently includes as its members:

The Berkman Center for Internet and Society at Harvard University
The Alexander von Humboldt Institute for Internet & Society
The Centre for Internet and Society, Bangalore
The Center for Technology & Society at the Fundacao Getulio Vargas Law School, Keio University
The MIT Media Lab and its Center for Civic Media
The NEXA Center for Internet & Society at Politicnico di Torino.

Individuals and researchers from the Centers focused on understanding the effects of internet and society. The participants were brought together to explore the past, present, and future tipping points of the internet, to identify knowledge gaps, and to find areas of collaboration and future action between institutes and individuals. Specifically, the symposium set out to examine fundamental questions about the internet, identify structural changes that are occurring because of the internet, and the forces that are catalyzing these changes. Questions asked and discussed included:

What forces are changing production and service models?
What forces are influencing entrepreneurship and innovation? and
What forces are changing political participation?

Production and Service Models

Discussion

When participants discussed the changes that are happening to production and service models, concepts such as big data, algorithms, peer based models of production, and intermediaries were identified as actors and tools that are driving change in production and service models in the context of the internet. For example, big data and algorithms are being used to alter the nature, scope, and reach of business by allowing for the personalization and customization of services. To this end, many organizations have incorporated customer participation into business models, and provide platforms for feedback and input. The personalization of services has placed greater emphasis on the voice of the customer, allowing customers to guide and influence business by voicing preferences, satisfaction levels, etc. In this way, consumers can determine what type of service they want, and can also make political statements through their choices and feedback. In the process, however, such platforms generate and depend on large amounts of data and thus raise concerns about privacy.

Knowledge gaps that were identified during the conversation included how to predict what would make a participatory platform and peer based model successful, and how these platforms can be effectively researched. When looking at big data, a knowledge gap that was identified included how to ensure that data are collected ethically and accurately, as well as the related question: once large data sets are collected, how can the data be analyzed and used in a meaningful way?

There was also discussion about the increasingly critical and powerful role that intermediaries serve within the scope of the internet as they act as the platform provider and regulator for internet content. Intermediaries both allow for content to be posted on the internet, and determine what information is accessed through the filtering of web searches. Increasingly, governments are seeking to regulate intermediaries and create strict rules of compliance with governmental mandates. At the same time governments are placing the responsibility and liability of regulating what content is posted on internet on intermediaries, essentially placing them in the role of an adjudicator. This is one example of how the relationship between the private sector, the government, and the individual is changing, because it is only recently that private intermediaries have been held responsible first to governments, and only secondarily to customers.

Knowledge gaps identified in the discussion on intermediaries included understanding and researching how intermediaries decide to filter content found through searches. On what basis is each filter done? Are there actors influencing this process? And what are the economics behind the process?

Personal Thoughts

When reflecting on how the internet is changing and influencing the production of goods and services, I personally would add to the points discussed in the meeting the fact that the internet has also impacted the job economy. Reports show that jobs in the extraction and manufacturing sector are decreasing, as the internet has created a mandatory new tech oriented skill set that often outweighs the need for other skill sets. This change is far reaching as the job economy influences what skills students choose to learn, why and for what purposes individuals migrate across borders for employment, and in what industries governments invest money towards domestic development. In addition to changing the nature of skills in demand, the nature of the services themselves is changing. Though services are becoming more personalized and tailored to the individual, this personalization is automated, and replacing the ‘human touch’ that was once prized in business. Whether customers care if the service they are given is generated by an algorithm or delivered by an individual may depend on a person’s preference, but the European Union has seen this shift as being significant enough to address automated decision making in Article 15 of the EU directive, which provides individuals the right to not be subject to a decision which legally impacts him/her which is based only on automated processing of data. This directive encompasses decisions such as evaluation of a person’s performance at work, creditworthiness, reliability, conduct, etc.

The internet has also increased the cost of small mistakes made by businesses, as any mistake will now potentially impact millions of customers. The impact of any mistake makes risk management much more important and difficult, as businesses must seek to anticipate and mitigate any and all mistakes. The internet has also created a new level of dependency on the network, as businesses shift all of their services and functions over to the internet. Thus, if the network goes down, businesses will lose revenue and customers. This level of dependency on the network that exists today is different from past reliance’s on technology — in the sense that in the past there was not one single type of technology that would be essential for many businesses to run. The closest analogue was transportation: if trucks, trains, or ships were unavailable, multiple industries would be impacted. The difference is that those who relied on rail could shift temporarily to ships or trucks. Those relying on the network have no alternatives. Furthermore, past technologies were constantly evolving in the resources they depended on — from coal to gas, etc, but for the internet, it seems that the resource is not evolving, so much as expanding as increased bandwidth and connectivity are the solution to allowing technological evolution and innovation through the internet.

As discussed above, intermediaries are becoming key and powerful players, but they also seem to be increasingly placed between a rock and a hard place, as governments around the world are asking national and multinational intermediaries to filter content that violates national laws in one context, but not another context. Furthermore, intermediaries are increasingly being asked to comply with law enforcement requests for access to data that is often not within the jurisdiction of the requesting country. The difficult position intermediaries are placed in demonstrates how the architecture of the internet is borderless but the regulation and use of the internet is still tied to borders and jurisdiction.

Entrepreneurship and Innovation

Discussion

When discussing entrepreneurship and innovation it was pointed out by participants that grey markets and market failures are important indicators for possibilities of new business models and forms of innovation. Because of that, it is important to study what has failed and why when identifying new possibilities and trends. The importance of policies and laws that allow for innovation and entrepreneurship was also highlighted.

Personal Thoughts

When thinking about entrepreneurship and innovation on the internet and forces driving them, it seems clear that tethering, conglomerating, and organizing information from multiple sources is one direction that innovation is headed. Services are coming out that have the ability to search the internet based on individual preferences and provide more accurate data quickly. This removes the need for individuals to search the internet at length to find the information or products they want. Along the same lines, it seems that there is a greater trend towards personalization. Services are finding new and innovative ways to bring individuals customized products. Another trend is the digitization of all services — from moving libraries online, to bookstores online, to grocery stores online. Lastly, there is a constant demand for new applications to be developed. These can range from applications enabling communication through social networking, to applications that act as personal financial consultants, to applications that act as personal trainers. The ability for concepts, trends, etc to go viral on the internet has also added another dimension to entrepreneurship and innovation as any individual can potentially become successful by something going viral. The ability for something to go viral on the internet does not just impact entrepreneurship and innovation, but also impacts political participation and production and service models.

Political Participation

Discussions also centered on how political participation is changing as the internet is being used as a new platform for participation. For example, it is now possible for individuals to leverage their voice and message to local and global communities. Furthermore, this message can be communicated on a seemingly personal scale. Individuals from one community are able to connect to communities from another location — both local and abroad, and to work together to catalyze change. Messages and communications can be spread easily to millions of people and can go viral. This ability has changed and created new public spheres, where anyone can contribute to a dialogue from anywhere. Empowerment is shifting as well, because the internet allows for new power structures to be created by any actor who knows how to leverage the network. These factors allow for more voices to be heard and for greater citizen participation. The role of the youth in political movements was also emphasized in the discussions. On the other hand governments have responded by more heavily regulating speech and content on the internet when dissenting voices and campaigns are seen as a threat. It was also brought out that though emerging forms of online political participation have been heralded by many for achievements such as facilitating democracy, transparency, and bringing a voice to the silenced — many have warned that analysis of these political forms of participation overlook individual contributions and time. Other critiques that were discussed included the fact that digital revolutions also exclude individuals who do not have access to the internet or to platforms/applications and overlook actions and movements that take place offline.

Knowledge gaps that were identified included understanding the basics of the change that is happening in political participation through the internet. For example, it is unclear who the actors are that determine the conditions and scope for these changes, and like participatory forms of business, what enables and mobilizes change. Furthermore, it is unclear who specifically benefits from these changes and how, and who participates in the changes — and in what capacity. Additionally, much of the change has been quantified in the dialogue of the ‘global’ — global voices, global movements — but that dialogue ignores the local.

Personal Thoughts

In addition to the discussions on political participation, I believe the internet has created the possibility for ‘social governance’. To address situations in which there is no particular law against an action, but individuals come together and speak out against actions that they see on the internet that they believe should be stopped or changed. Depending on the extent individuals choose to enforce these decisions, this can be potentially dangerous as individuals are essentially rewriting laws and social norms without subjecting them to the crucible of consensus decision-making or review. In addition, forms of political participation are not changing just in terms of how the individual engages politically with states and governments, but also in the ways that politicians are engaging with citizens. For example, politicians are using Facebook and Twitter as means to communicate and gather feedback from supporters. Politicians are also using technology to reach more individuals with their messages — from experimenting with 3D holograms, to web casting, to using technology like CCTV cameras to prove transparency. The impact of this could be interesting, as technology is becoming a mediating tool that works in both directions between citizens and governments. Is this changing the traditional understandings of the State and the relationship between the State and the citizen?

Conclusion and ways forward

The discussions also pulled out dichotomies that apply to the internet and illustrate tensions arising from different forces. These dichotomies can be shaped by individuals and actors attempting to regulate the internet, as for example with new models of regulation vs. old models of regulation, private vs. public, local vs. global, owned vs. unowned, and zoned vs. unzoned. These dichotomies can be shaped by how the internet is used. For example, fair vs. unfair, just vs. unjust, represented vs. silenced, and uniform vs. diverse.

Common questions being asked and areas for potential research that came out of these discussions included information communication and media, how to address different and at times contradictory policies and levels of development in different countries, and what is the impact of big data on different sectors and industries like e-health and journalism? What is the importance of ICT in creating economic progress? How is the Internet changing the nature of democracy?

When discussing ways forward and areas for future collaboration it was brought out that exploring ways to leverage open data, ways to effectively use and build off of perspectives and experiences from other contexts and cultures, and ways to share resources across borders including funding, human presence, and expertise were important questions to answer. Common challenges that were identified by participants ranged from cyber security and the rise of state and non-state actors in cyber warfare, finding adequate funding to support research, sustaining international collaborations, ensuring that research is meaningful and can translate into useful resources for policy and law makers, and ensuring that projects are designed with a long-term objective and vision in mind.

The discussions, presentations, and contributions by participants during the two day symposium were interesting and important as they demonstrated just how multi-faced the internet is, and how it is never one dimensional. How the internet is researched, how it is used, and how it is regulated will be constantly changing. Whether this change is a step forward, or a re-invention of what has already been done, is up to all who use the internet including the individual, the corporation, the researcher, the policy maker, and the government.

For more details visit https://cis-india.org/internet-governance/blog/internet-driven-developments

Internet, Society & Space in Indian Cities

praskrishna — 2011-10-16T08:17:13Z

The monograph on Internet, Society and Space in Indian Cities, by Pratyush Shankar, is an entry into debates around making of IT Cities and public planning policies that regulate and restructure the city spaces in India with the emergence of Internet technologies. Going beyond the regular debates on the modern urban, the monograph deploys a team of students from the field of architecture and urban design to investigate how city spaces – the material as well as the experiential – are changing under the rubric of digital globalisation.

For more details visit https://cis-india.org/raw/internet-society.pdf