Centre for Internet and Society

Pegasus snoopgate, an opportune moment to revisit legal framework governing state surveillance framework

Gurshabad Grover and Tanaya Rajwade — 2020-07-09T01:30:34Z

Revelations of hacking call for a relook at India’s surveillance regime

This article by Gurshabad Grover and Tanaya Rajwade was published in the Indian Express on December 25, 2019. The authors would like to thank Arindrajit Basu for his comments and suggestions.

In early November, it became clear that several lawyers and human rights activists had been targeted by spyware that allowed attackers unfettered access to information stored on victims’ phones. On November 29, in the Rajya Sabha, the Minister of Electronics and Information Technology was repeatedly asked whether any Indian agency had commissioned the attack vector ‘‘Pegasus” that was used in the attacks from the Israeli firm NSO. Where a categorical response would have sufficed, the minister chose to muddy the waters through vague assertions such as “standard operating procedures have been followed”.

There are cogent reasons pointing towards an Indian law enforcement agency’s hand in procuring Pegasus. First, NSO maintains that it only sells services and software to state agencies. Second, some of the known Indian targets of the vulnerability are human rights activists. These individuals work on India-specific issues and hardly qualify as serious threats in the eyes of a foreign government.

The government derives some of its powers to conduct electronic surveillance from Section 69 of the Information Technology (IT) Act. The procedures for such surveillance are defined in the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. It is these rules, and not the parent Act that define the terms “interception” and “monitoring” as “acquisition of the contents of any information through the use of any means” and “to view or to inspect or listen to or record information”, respectively. These all-encompassing definitions seemingly permit authorised law enforcement agencies to use Pegasus-like tools.

However, the IT Act also penalises unauthorised access to computers without the owner’s permission. These provisions, namely section 43 and 66, do not carve out an exception for law enforcement agencies. As lawyer Raman Chima highlighted recently, any action explicitly prohibited under the Act cannot be justified by procedures laid out in subordinate legislation. Therefore, no law enforcement agency can “hack” devices, though they may “intercept” or “monitor” through other means. Additionally, the Supreme Court’s privacy verdict held any invasion of privacy by the state must be based on a law. As some of the agencies authorised to conduct surveillance (like the Intelligence Bureau) do not have statutory backing, surveillance by them is unconstitutional.

The use of spyware gives the state access to private conversations, including privileged communications with lawyers. Such an infringement of rights may be justified for militants suspected of actively planning an armed attack. For academicians and human rights activists, the use of broad surveillance without any evidence or anticipation of such activities is unfathomable in a democracy.

With the popularity of end-to-end encryption, surveillance may require the exploitation of vulnerabilities on end-users’ devices. The Pegasus snoopgate is an opportune moment to revisit the legal framework governing the state surveillance framework. It is crucial to dismantle state agencies that run surveillance operations despite lacking statutory authority. For other agencies, there is a need to introduce judicial and parliamentary oversight. Depending on the concerns of law enforcement, it may be necessary to enact legislation permitting “hacking” into devices on extremely limited grounds.

Unfortunately, the government has taken a massive leap backwards by ignoring the standards laid down by the Supreme Court and Justice Srikrishna Committee’s recommendations, and introducing unconstitutional surveillance enablers in the Data Protection Bill. Now is the time for Parliament to guarantee the privacy and security of Indians.

Grover and Rajwade are researchers at the Centre for Internet and Society (CIS). Views are personal. Disclosure: CIS is a recipient of research grants from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/pegasus-snoopgate-an-opportune-moment-to-revisit-legal-framework-governing-state-surveillance-framework

Anushree Gupta - Ladies ‘Log’: Women’s Safety and Risk Transfer in Ridehailing

Anushree Gupta — 2020-05-19T06:29:12Z

Working in the gig-economy has been associated with economic vulnerabilities. However, there are also moral and affective vulnerabilities as workers find their worth measured everyday by their performance of—and at—work and in every interaction and movement. This essay by Anushree Gupta is the third among a series of writings by researchers associated with the 'Mapping Digital Labour in India' project at the CIS, supported by the Azim Premji University, that were published on the Platypus blog of the Committee on the Anthropology of Science, Technology, and Computing (CASTAC). The essay is edited by Noopur Raval, who co-led the project concerned.

Originally published by the Platypus blog of CASTAC on August, 1, 2019.

Summary of the essay in Hindi: Audio (YouTube) and Transcript (text)

Mumbai, India’s financial capital, is also often considered one of the safest cities for women in India, especially in contrast with New Delhi which is infamously dubbed as the “rape capital” within the country. Sensationalised incidents of harassment, molestation and rape serve as anecdotal references and warnings to other women who dare to venture out alone even during the daytime. The Delhi government recently proposed a policy for free transport for women in public buses and metro trains with the objective of increasing women’s affordability and access and to ensure safety in public transportation. [1] Despite such measures to increase women’s visibility and claims to public utilities and spaces, women who use public transport have historically suffered groping and stalking on buses and trains, which uphold self-policing and surveillance narratives. The issue of women’s safety in India remains a priority as well as a good rhetorical claim and goal to aspire to, for public and private initiatives. Ironically, the notion of women’s safety is also advanced to increase moral policing and censure women’s access to public spaces, which also perpetuates exclusion of other marginalised citizens (Phadke 2007). Further, and crucially, whose safety is being imagined, prioritized and designed for (which class of women are central to the imagination of the safety discourse) is often a point of contention.

In this context, ridehailing services offered by Uber and Ola have come to be frequently cited as safer and more reliable options for women to traverse the cityspace, compared to overcrowded buses and trains. Their mobile applications promise accountability and traceability, enforcing safety standards by way of qualified and well-groomed drivers, SOS buttons and location-sharing features. However, it has increasingly become common knowledge that these alternatives are prone to similar, if not worse, categories of crimes against women. While reports of violence against women in cabs have mostly been outside of Mumbai, due to “platform-effects,” such incidents have widespread ramifications for drivers across the country. Cab drivers who operate via cab aggregator platforms have come under heavy scrutiny not only by the corporate and legal infrastructures of aggregator companies but also in the public eye. On the other hand, platform companies independently, and in partnership with city and state administrations, continue to launch “social impact” initiatives aimed at women’s safety as well as employment (through taxi-driving training). [2] Incidents of violence against women present jarring narratives of risk not only for female passengers but also for the platform-workers, both of whom are responsible for abiding by the constructed notions of safety for women in urban spaces.

In this post, I explore women’s presence as workers as well as passengers/customers in the ridehailing platform economy, in the context of women’s safety, situating the analysis with a focus on Mumbai. The related discourses around risk for female commuters give rise to various interventions and women-centric services through female-only cab enterprises and training more women drivers to mitigate this risk. Through these, I will think through the figure of the woman in the ridehailing economy in Mumbai and by extension in India.

Platforms in Gendered Cityscapes

Mumbai’s public transport is comprised of the local train network, BEST buses and auto rickshaws, with the metro being the newest addition to the mix. Unlike in most of India, kaali-peelis (black-yellow cabs) have been a permanent feature of Mumbai’s landscape since the 1950s and, taking a cab is not necessarily a luxury. Against this backdrop, platform companies have sought to make the claims of democratizing public transport and providing safer travel options to women in the city.

Cab drivers on ridehailing platforms in Mumbai are usually domestic male migrants or Muslim drivers from within and outside the city, who are more often than not overworked and stressed due to the falling incomes and rising debts. It is important to recognise the ‘veiled masculinities’ (Chopra 2006) which labor to service the emergent platform economy and the hierarchies of caste and class which are sustained through their labor. The incongruence between the masculinity of a working class man and the demands of the service economy (Nixon 2009) exacerbates emotional pressures in customer-facing services, which can offer an explanation for angry outbursts and conflicts between drivers and customers.

Uber’s ad on a billboard in Mumbai promises earnings of more than Rs. 1 lakh per month. Using a woman’s image illustrates the extent of their potential for transforming lives and livelihoods. Source: Drivers’ Union Telegram Group.

While Uber and Ola claim that a large number of women drivers work on their platforms, actual experiences of passengers and the male drivers I spoke to, suggested otherwise. Ironically, mass driver-training programs are seen as a quick way to make low-skilled and migrant male workers employable in Indian cities while, despite public-private partnerships to train women, it has been impossible to retain women drivers due to stereotypical perceptions of gender and persistent social stigma. [3] This made the ridehailing passenger woman (upper middle class, affording professional) a stakeholder to design for, while female drivers (but all female workers) appeared as liability for platforms.

These narratives speak directly to the construction of insecurity and risk for women (Berrington and Jones 2002) on public transport systems as they highlight vulnerabilities due to public exposure of women’s bodies. Pandering to a moral panic standpoint and creating personalised or ‘inside’ safe spaces for women to manage risk (Green and Singleton 2006), these platforms can then be imagined as a boundary-setting exercise. Access to public spaces is encouraged but it is delimited by confining the woman’s body to a singular vehicle in the custody of the cab driver. Autonomy and access afforded by the platform manages to transform women—particularly upper class and upper caste women who can afford these services—into potential customers. Their agency is bounded though by tasking the driver to ferry her across the otherwise hostile cityscape filled with ‘unfriendly bodies’ (Phadke 2013). The production of the city’s gendered space goes hand in hand with the confinement/erasure of female bodies in the public space as they embody patriarchal norms even in a city as ‘progressive’ as Mumbai. As demonstrated by studies mapping the movement of women in the city (Ranade 2007), the spatio-temporal factors lend themselves to creating gendered bodies in order to keep patriarchal norms intact. These norms, as I argue in this post, are detrimental not just to women but also other marginalised sections of the urban population, in this case platform workers.

Terms of Safety

Male drivers’ social identities as lower class, lower caste individuals do not inspire confidence in the standards of safety boasted by these companies in the eyes of their predominantly upper caste and upper class customer base. Risk to female passengers is further exaggerated due to the closed space in which the service is provided, highlighting the proximity to a potential aggressor by way of these platforms. In specific situations wherein a female passenger is inebriated or is travelling alone at night, drivers report being extra cautious and helpful towards her. Many respondents proudly mention going out of their way to make sure women get home safely, for instance, prolonging waiting time or escorting them to the entrance of their residential buildings or involving the security guard at the gate.

However, there have also been cases wherein the driver has been under scrutiny either by an overly careful passenger or by the public. One driver reported being surrounded by a crowd at a traffic signal, only to realise that he was being suspected of foul play with the female passenger who had fallen asleep on the backseat of the car. In contrast to their western counterparts, the class differences between drivers and passengers in India exacerbate doubts, fears and insecurities in India which tend to take a caste-purity angle as well. The woman’s body undergoes an exchange of custody in these instances wherein she is deemed incapable of taking care of herself and requires external assistance. Imagining a deterrence effect of ridesharing services (Park et. al 2017) reinforces the logic of guardianship and protectionism for the woman. The risk of carrying her in the vehicle in these situations is borne by the cab driver, operating under a framework of overbearing protectiveness which holds him culpable for any misgivings, assumed or otherwise.

Cautionary listicles advise women to not take a cab alone at night, carrying pepper sprays/umbrellas as tools for self-defence, refrain from conversations with drivers or talk continuously on the phone, among other things. The onus of the woman’s safety is either on the individual herself or the driver who is ferrying her. Moreover, the driver is a likely assailant whom the woman should guard against as well. Source: HelloTravel.

Notions of safety and risk are embodied in everyday interactions in urban spaces and mediated by disparate infrastructures of knowledge across distinctions of caste, class and gender. These distinctions define constraints which govern social interactions between actors of these categories. Interactions between lower caste or Muslim men and upper caste/class women are circumscribed by what Tuan (1979) describes as ‘landscapes of fear’. Be it the apprehensions about sharing a ride with a passenger of the opposite sex (Sarriera et. al 2017) or reports of gang-rapes by cab drivers, the boundaries of social conduct are laid out clearly by constructing narratives of risk and safety. The protection of the female body and her sexual safety is not her responsibility alone but that of the society as a whole. The so called preventive measures for rape and violence against women produce the dichotomies of frailty and strength (Campbell 2005) in so far as they project the woman as always at risk with the shadow of a potential assault always looming large.

When asked about interactions with women as customers or fellow drivers, drivers performed exaggerated respectability for women. The catch in these narratives however was that drivers justified and extended respect only to ‘good’ customers, where a ‘good’ woman was a certain kind of a moral actor.

Given the prevailing discontent with redressal mechanisms for workers on the platforms, it was not surprising to witness a group of drivers at the Uber Seva Kendra (help centre) in Mumbai, debating whether they should be accepting requests from any female customers at all. Drivers also had to attend mandatory training sessions for ‘good conduct’ with customers wherein they underwent behavioral correction and gender sensitisation lessons. [4] The gendering of the platform economy is baked into these instructions and trainings that reproduce male drivers as figures of safety and constant positive affect.

Gender, Safety, and Enterprise

In my fieldwork, I also came across a slew of ventures run by fleet owners and others that sought to service women passengers and employ women drivers exclusively. Claiming to fill in the gaps of inadequate vetting mechanisms in existing platforms, these alternate ventures purportedly smoothened out some anxieties by eliminating the risk of interacting with a man from different socio-economic strata. The premium charged by these companies was telling of the value of safety and affordability of these services for a large section of their intended audience, namely women with higher disposable incomes residing in metropolitan cities.

On the flipside, these enterprises encouraged women to break stereotypical perceptions about women drivers, also giving a nod to increasing and diversifying opportunities of employment for women. However, these ideas remained attractive only in principle and fizzled out sooner or later as most of these ventures did not succeed. A severe capital crunch due to unsustainable business models, limited funding options and lack of substantial supportive ecosystems for training and upkeep are possible reasons for failure. [5] Even so, the idea of a women-centric service continues to remain valuable because of the promise of safety which is produced through considerations of class, caste, gender and religion (Phadke 2005). Any alternative to avoid interaction with men from a lower class or caste background or from another religion (especially Hindu/Muslim in Mumbai) is welcome in a society which is deeply stratified and entrenched in caste-class systems of religion and economy alike.

Conclusion

The pervasiveness of the discourses of safety and risk in the ride hailing space became apparent to me during field research. Respondents indicated a heightened awareness of my gender, referring to me as “madam” and taking measures to ensure my safety. They advised me to use a separate phone to interact with drivers and moderated my interactions with drivers on the Telegram group (run by one of the Unions in Mumbai). Union representatives were also diligent in moderating the group to filter out abusive language as a token of respect for women. My apprehensions in interacting with drivers, most of whom were older men from a lower class/caste community, were also indicative of my social conditioning as an upper class and upper caste woman. Self-policing and boundary setting in both physical and virtual interactions, while necessary to some extent, were often rendered useless as the shifting of risks became apparent to me in my interactions with the drivers.

In this piece, I have tried to show how gendered norms govern the construction of safety and risk which in turn regulate social interactions. Limiting exposure in a personal cab as opposed to a public bus/train also heightens considerations of intimacy and proximity to a potential aggressor (often from a marginalised sociocultural background). Women-centric cab services mitigate this by promoting the image of the female driver who breaks social norms. However, these services dwindle till they completely disappear due to a capital crunch or insufficient infrastructural support. Patriarchal contexts reaffirm the woman as a risky object by highlighting narratives of vulnerabilities and insecurities in the ridehailing space. Besides the woman, the cab drivers are held accountable for bearing this risk and ensuring her sexual and physical safety. These patriarchal hierarchies of protectionism are sustained by platform workers’ affective labour which lubricate the wheels of the platform economy.

Endnotes

[1] https://www.thehindu.com/news/cities/Delhi/free-rides-for-women-only-the-starting-point-say-activists/article28111938.ece

[2] https://www.olacabs.com/media/in/press/ola-foundation-launches-drive-to-enable-sustainable-livelihoods-for-500000-women-by-2025

[3] https://www.buzzfeed.com/soniathomas/girl-power

[4] https://yourstory.com/2018/11/uber-gender-awareness-sensitisation-driver

[5] https://www.livemint.com/Companies/bo4534H8mOWo0oG6VQ0xbM/As-demand-for-womenonly-cab-services-grow-challenges-loom.html

References

Berrington, E. and Jones, H., 2002. Reality vs. myth: Constructions of women’s insecurity. Feminist Media Studies, 2(3), pp.307-323.

Campbell, A., 2005. Keeping the ‘lady’ safe: The regulation of femininity through crime prevention literature. Critical Criminology, 13(2), pp.119-140.

Chopra, R., 2006. Invisible men: Masculinity, sexuality, and male domestic Labor. Men and Masculinities, 9(2), pp.152-167.

Green, E. and Singleton, C., 2006. Risky bodies at leisure: Young women negotiating space and place. Sociology, 40(5), pp.853-871.

Nixon, D., 2009. I Can’t Put a Smiley Face On’: Working‐Class Masculinity, Emotional Labour and Service Work in the ‘New Economy. Gender, Work & Organization, 16(3), pp.300-322.

Park, J., Kim, J., Pang, M.S. and Lee, B., 2017. Offender or guardian? An empirical analysis of ride-sharing and sexual assault. An Empirical Analysis of Ride-Sharing and Sexual Assault (April 10, 2017). KAIST College of Business Working Paper Series, (2017-006), pp.18-010.

Phadke, S., 2005. ‘You Can Be Lonely in a Crowd’ The Production of Safety in Mumbai. Indian Journal of Gender Studies, 12(1), pp.41-62.

Phadke, S., 2007. Dangerous liaisons: Women and men: Risk and reputation in Mumbai. Economic and Political Weekly, pp.1510-1518.

Phadke, S., 2013. Unfriendly bodies, hostile cities: Reflections on loitering and gendered public space. Economic and Political Weekly, pp.50-59.

Ranade, S., 2007. The way she moves: Mapping the everyday production of gender-space. Economic and Political Weekly, pp.1519-1526.

Raval, N. and Dourish, P., 2016, February. Standing out from the crowd: Emotional labor, body labor, and temporal labor in ridesharing. In Proceedings of the 19th ACM Conference on Computer-Supported Cooperative Work & Social Computing (pp. 97-107). ACM.

Sarriera, J.M., Álvarez, G.E., Blynn, K., Alesbury, A., Scully, T. and Zhao, J., 2017. To share or not to share: Investigating the social aspects of dynamic ridesharing. Transportation Research Record, 2605(1), pp.109-117.

Tuan, Y.F., 2013. Landscapes of fear. U of Minnesota Press.

For more details visit https://cis-india.org/raw/anushree-gupta-ladies-log-women-safety-risk-transfer-ridehailing

November 2019 Newsletter

Admin — 2019-12-31T14:53:11Z

CIS newsletter for November 2019

Highlights for November 2019
If you think that Indian languages are as important as international languages, like English, then, you are on the same page with this article. Suswetha Kolluru and Nitesh Gill explains this in their blog posts published in multiple languages: English, Punjabi, Hindi and Telugu. Gurshabad Grover was nominated through the Bureau of Indian Standards (BIS) to be a member of the Advisory Group AG) on Open Source Software for ISO/IEC JTC 1. CIS is a partner on the project 'Gender, Health Communications and Online Activism in the Digital Age'. The project is lead by Dr. Carolina Matos, Senior Lecturer in Sociology and Media in the Department of Sociology at City University. Ambika Tandon, Policy Officer at CIS, conducted fieldwork for the project in May and June 2019 as a research assistant. Dr. Carolina Matos's presentation can be accessed here. The need for intervention in the cybersecurity imagery in media publications was realised during a brainstorming workshop that was conducted by CIS with illustrators, designers, and cybersecurity researchers. Towards this CIS compiled a handbook introducing Cybersecurity Visuals Media. CIS, along with Design Beku launched the Cybersecurity Visuals Media Handbook. This handbook has been conceived to be a concise guide for media publications to understand the specific concepts within cybersecurity and use it as a reference to create visuals that are more informative, relevant, and look beyond stereotypes. Anusha Madhusudhan authored a research paper titled "Blockchain: A primer for India". The paper aims to provide a comprehensive review of existing research and major debates surrounding Blockchain technology and its developments in select jurisdictions with a specific focus on India. Vipul Kharbanda authored a research paper titled Draft Security Standards for The Financial Technology Sector in India. This document includes draft information security standards, which seek to ensure that not only the data of users is dealt with in a secure and safe manner but also that the smaller businesses in the fintech industry have a specific standard to look at in order to limit their liabilities for any future breaches. Pukhraj Singh, a cyber threat intelligence analyst who has worked with the Indian government and security response teams of global companies authored a guest blog post titled "Before cyber norms, let’s talk about disanalogy and disintermediation". Pukhraj looks at the critical fissures – at the technical and policy levels – in global normative efforts to secure cyberspace. CIS was acknowledged in the final report of the Global Commission on Stability of Cyberspace.

CIS and the News

The following articles and research papers were authored by CIS secretariat during the month:

India’s Role in Global Cyber Policy Formulation (Arindrajit Basu; Lawfare; November 7, 2019). The article was reviewed and edited by Elonnai Hickok and Justin Sherman.
The Telecom Crisis is an NPA Problem (Shyam Ponappa; Business Standard; November 7, 2019).

CIS in the News

CIS secretariat was consulted for the following articles published during the month in various publications:

Why having more CCTV cameras does not translate to crime prevention (Manasa Rao; News Minute; September 3, 2019). Published on the CIS website on December 5, 2019.
Activists demand judicial probe into WhatsApp snooping (K.V. Kuramath; Hindu Businessline; November 1, 2019).
Cyber law experts asks why CERT-In removed advisory warning about WhatsApp vulnerability (Megha Mandavia; ET Tech.com; November 4, 2019).
WhatsApp spy attack and after (Theres Sudeep; Deccan Herald; November 6, 2019).
Should online political advertising be regulated? (P.J. George; Hindu; November 8, 2019).
India facial recognition: How effective will it be? (Al Jazeera; November 8, 2019).
Proposals to regulate social media run into multiple roadblocks ( Saumya Tewari and Abhijit Ahaskar; Livemint; November 27, 2019).

Access to Knowledge

Access to Knowledge is a campaign to promote the fundamental principles of justice, freedom, and economic development. It deals with issues like copyrights, patents and trademarks, which are an important part of the digital landscape.

Wikipedia

Under a grant from Wikimedia Foundation we are doing a project for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Blog Entries

Project Tiger 2.0 (Suswetha Kolluru and Nitesh Gill; November 22, 2019). in English
Project Tiger 2.0 (Suswetha Kolluru and Nitesh Gill; November 22, 2019). in Punjabi
Project Tiger 2.0 (Suswetha Kolluru and Nitesh Gill; November 22, 2019). in Hindi
Project Tiger 2.0 (Suswetha Kolluru and Nitesh Gill; November 22, 2019). in Telugu

Internet Governance

The Tunis Agenda of the second World Summit on the Information Society has defined internet governance as the development and application by governments, the private sector and civil society, in their respective roles of shared principles, norms, rules, decision making procedures and programmes that shape the evolution and use of the Internet. As part of internet governance work we work on policy issues relating to freedom of expression primarily focusing on the Information Technology Act and issues of liability of intermediaries for unlawful speech and simultaneously ensuring that the right to privacy is safeguarded as well.

Freedom of Speech & Expression

Under a grant from the MacArthur Foundation, CIS is doing research on the restrictions placed on freedom of expression online by the Indian government and contribute studies, reports and policy briefs to feed into the ongoing debates at the national as well as international level. As part of the project we bring you the following outputs:

Blog Entry

Reliance Jio is using SNI inspection to block websites (Gurshabad Grover and Kushagra Singh, and edited by Elonnai Hickok; November 7, 2019).

Participation in Events

Roundtable Discussion on Intermediary Liability (Organized by SFLC and the Dialogue; New Delhi; October 17, 2019). Tanaya Rajwade participated in a roundtable discussion on intermediary liability.

Gender

Blog Entry

Project on Gender, Health Communications and Online Activism with City University (Ambika Tandon; November 28, 2019).

Cyber Security

Research Paper

Introducing the Cybersecurity Visuals Media Handbook (Handbook concept, content and design by: Padmini Ray Murray and Paulanthony George; Blog post authored by: Saumyaa Naidu and Arindrajit Basu; With inputs from: Karan Saini; Edited by: Shweta Mohandas; November 15, 2019).

Blog Entry

Before cyber norms, let’s talk about disanalogy and disintermediation (Pukhraj Singh; November 15, 2019).

Information Technology / Financial Technology

Research Papers

Draft Security Standards for The Financial Technology Sector in India (Vipul Kharbanda with inputs from Prem Sylvester; November 15, 2019).
Blockchain: A primer for India (Anusha Madhusudhan; with inputs from Karan Saini and Mira Swaminathan; edited by Elonnai Hickok, Siddharth Sonkar and Aayush Rathi; November 18, 2019).

Blog Entry

Event Report: Consultation on Draft Information Technology (Fintech Security Standards) Rules (Anindya Kanan; reviewed and edited by Vipul Kharbanda, Elonnai Hickok and Arindrajit Basu; November 12, 2019).

Privacy

Under a grant from Privacy International and IDRC we are doing a project on surveillance. CIS is researching the history of privacy in India and how it shapes the contemporary debates around technology mediated identity projects like Aadhar. As part of our ongoing research, we bring you the following outputs:

Participation in Event

IETF106 (Organized by IETF; Singapore; November 16 - 22, 2019). Gurshabad Grover participated in the meeting.

Researchers@Work

The researchers@work programme at CIS produces and supports pioneering and sustained trans-disciplinary research on key thematics at the intersections of internet and society; organise and incubate networks of and fora for researchers and practitioners studying and making internet in India; and contribute to development of critical digital pedagogy, research methodology, and creative practice.

Event Organized

Domestic Work in the ‘Gig Economy’ (Organized by CIS and Domestic Workers’ Rights Union; November 16, 2019; Student Christian Movement of India, Mission Road, Bangalore).

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions. Both require effective and efficient use of networks and resources, including spectrum.

Monthly Blog

The Telecom Crisis is an NPA Problem (Shyam Ponappa; Business Standard and Organizing India Blogspot; November 7, 2019).

About CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

Follow CIS on:

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

Support CIS:

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

Collaborate with CIS:

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/november-2019-newsletter

EXTRATERRITORIAL ALGORITHMIC SURVEILLANCE AND THE INCAPACITATION OF INTERNATIONAL HUMAN RIGHTS LAW

pranav — 2019-12-31T10:55:51Z

For more details visit https://cis-india.org/internet-governance/extraterritorial-algorithmic-surveillance-and-the-incapacitation-of-international-human-rights-law

Extra-Territorial Surveillance and the Incapacitation of Human Rights

Arindrajit Basu — 2020-01-02T11:02:26Z

This paper was published in Volume 12 (2) of the NUJS Law Review.

Our networked data trails dictate, define, and modulate societies in hitherto inconceivable ways. The ability to access and manipulate that data is a product of stark power asymmetry in geo-politics, leading to a dynamic that privileges the interests of a few over the right to privacy and dignity of the many. I argue that the persistent de facto violation of human rights norms through extraterritorial surveillance conducted by western intelligence agencies, compounded by the failure of judicial intervention in the West has lead to the incapacitation of international human rights law. Despite robust jurisprudence including case law, comments by the United Nations, and widespread state practice on the right to privacy and the application of human rights obligations to extraterritorial stakeholders, extraterritorial surveillance continues with aplomb. Procedural safeguards and proportionality tests regularly sway towards a ‘ritual incantation’ of national security even in scenarios where a less intrusive option is available. The vulnerable citizen abroad is unable to challenge these processes and becomes an unwitting victim of nefarious surveillance practices that further widens global power asymmetry and entrenches geo-political fissures.

The full article can be found here.

For more details visit https://cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights

Is India's Digital Health System Foolproof?

aayush — 2019-12-30T17:58:00Z

This contribution by Aayush Rathi builds on "Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?" (by Aayush Rathi and Ambika Tandon, EPW Engage, Vol. 54, Issue No. 6, 09 Feb, 2019) and seeks to understand the role that state-run reproductive health portals such as the Mother and Child Tracking System (MCTS) and the Reproductive and Child Health will play going forward. The article critically outlines the overall digitised health information ecosystem being envisioned by the Indian state.

This article was first published in EPW Engage, Vol. 54, Issue No. 47, on November 30, 2019

Introduced in 2013 and subsequently updated in 2016, the Ministry of Health and Family Welfare (MHFW) published a document laying out the standards for electronic health records (EHRs). While there exist varying interpretations of what constitutes as EHRs, some of its characteristics include electronic medical records (EMRs) of individual patients, arrangement of these records in a time series, and inter-operable linkages of the EMRs across various healthcare settings (Häyrinen et al 2008; OECD 2013).

To work effectively, EHRs are required to be highly interoperable so that they can facilitate exchange among health information systems (HIS) across participating hospitals. For this, the Integrated Health Information Platform (IHIP) is being developed so as to assimilate data from various registries across India and provide real-time information on health surveillance (Krishnamurthy 2018).

EHR Implementation: Unpacking the (Dis)incentive Structure

As the implementation of EHR standards is voluntary, anecdotal evidence indicates that their uptake in the Indian healthcare sector has been very slow. Here, the opposition of the Indian Medical Association to the Clinical Establishments (Registration and Regulation) Act, 2010, resulting in nationwide protests and subsequent legal challenges to the act, is instructive. To start with, the act prescribes the minimum standards that have to be maintained by clinical establishments which are registered or seeking registration (itself mandatory to run a clinic under the act) [1]. Further, Rule 9(ii) of the Clinical Establishments (Registration and Regulation) Rules, 2012, drafted under the act, requires clinical establishments to maintain EMRs or EHRs for every patient. However, with health being a state subject in India, the act has only been enforced in 11 states and all union territories except the National Capital Territory of Delhi (Jyoti 2018). The resistance to the act is largely due to protests by stakeholders from within the medical fraternity regarding its adverse impact on small- and medium-sized hospitals (Jyoti 2018).

Contextualising Clinicians' Inertia

Another major impediment to the adoption of EHRs by health service providers is reluctance on the part of individual physicians to transition to an EHR system. This is because compliance with EHR standards requires physicians to input clinical notes themselves.

Comparing the greater patient load faced by doctors in India vis-à-vis the United States (US), the chief medical officer of an EHR vendor in India estimates that the average Indian doctor sees about 40–60 patients a day, whereas in the US it may be around 18–20 patients (Kandhari 2017). This is suggestive of the wide disparity in the number of physicians per 1,000 citizens in both countries (World Bank nd). Given this, doctors in India tend to be more problem-oriented, time-strapped, and pay less attention to clinical notes (Kandhari 2017). Thus, clinicians will consider a system to be efficient only if the system reduces their documentation time, even if the time savings do not translate into better patient care (Allan and Englebright 2000). The inability of EHRs to help reduce documentation time deters clinicians from supporting their implementation (Poon et al 2004). Additionally, research done in the United States indicates that there is no evidence to suggest that an information system helps save time expended by clinicians on documentation (Daly et al 2002). Moreover, the use of an information system is stated to have had no impact on patient care, but doctors have acknowledged its use for research purposes (Holzemer and Henry 1992).

Prohibitive Costs of Implementation

While national-level EHRs have been adopted globally, their distribution across countries is telling. In a survey published in 2016 by the World Health Organization, wealthier countries were over-represented, with two-thirds from the upper-middle-income group and roughly half from the high-income countries having introduced EHR systems. On the other hand, only a third of lower-middle-income countries and 15% of low-income countries reported having implemented EHRs (World Health Organization 2016). A major reason for the slow uptake of EHRs in poorer countries is likely to be funding as EHR implementation requires considerable investment, with most projects averaging several million dollars (US) (Kuperman and Gibson 2003). Although various funding models for EHR implementation are being utilised globally, it is unclear what model will be adopted in India to bring in private healthcare service providers within its ambit (Healthcare Information and Management Systems Society 2007). This absence of funding direction for private actors poses to be a significant impediment in the integration of private databases with other public ones.

In general, poorer countries are also more likely to have less developed infrastructure and health Information and Communication Technology (ICT) to support EHR systems. Besides this, they not only lack the capacity and human resources required to develop and maintain such complex systems (Tierney et al 2010; McGinn et al 2011), but training periods have also been found to be long and more costly than expected (Kovener et al 1997).

Socio-economic Exclusions and Cross-cultural Barriers

There exists scant research investigating the existing use of EHRs in India, though preliminary work is being undertaken to assess EHR implementation in other developing countries (Tierney et al 2010; Fraser et al 2005). Even in the context of developed countries, where widespread adoption of EHRs has been gaining traction for some time now, very little data exists around implementation and efficacy in underserved regions and communities. This is further problematised as clinical information systems and user populations also vary in their characteristics and, for this reason, individual studies are unable to identify common trends that would predict EHR implementation success.

Underserved settings may lack the infrastructure needed to support EHRs. The risk of exclusion already exists in parts such as difficulties inherent in delivering care to remote locations, barriers related to cross-cultural communication, and the pervasive problem of providing care in the setting of severe resource constraints. Equally important is the fact that health workers who already report significant existing impediments in their delivery of routine care in these settings do not necessarily see EHRs as being useful in catering to the specific needs of their patient population (Bach et al 2004). Moreover, experience with EHRs also reveals that there are cultural barriers to capturing accurate data (Miklin et al 2019). What this could mean is that stigma associated with the diagnosis of conditions such as HIV/AIDS or induced abortions will result in their under-reporting even within EHR systems.

Stick or Twist?

Other modalities have been devised to nudge healthcare providers into adopting EHR standards voluntarily. The National Accreditation Board for Hospitals and Healthcare Providers (NABH), India, a constituent board of the Quality Council of India (a public–private initiative), has been reported to have incorporated the EHR standards within its accreditation matrix. NABH accreditation, considered an indicator of high quality patient care, is highly sought–after by hospitals in India in order to attract medical tourists as well as insurance companies: two prominent sources of income for hospitals (Kandhari 2017). Additionally, NABH accreditation is valid for a term of three years, thus requiring hospitals seeking to renew their accreditation to adopt EHR standards as well.

Another commercial use of EHR has been in health insurance. The Federation of Indian Chambers of Commerce and Industry (FICCI) and the Insurance Regulatory and Development Authority (IRDAI) have both voiced their support for expediting the implementation of the EHR standards (EMR Standards Committee 2013). Both, the FICCI and IRDAI have placed emphasis on adopting EHRs, seeing it as a necessary move for formalising the health insurance industry (FICCI 2015). They have also had representation on the committee that sent recommendations to the MHFW on the first version of the EHR standards in 2013 (FICCI 2015). FICCI had additionally played a coordination role in having the recommendations framed for the 2013 EHR standards.

Fluid Data Objectives

The push for EHR implementation is emblematic of a larger shift in the healthcare approach of the Indian state, that of an indirect targeting of demand-side financing by plugging data inefficiencies in health insurance.

The draft National Health Policy (NHP), published in 2015, reflected the mandate of the Ministry of Health and Family Welfare to strengthen the public health system by creating a right to healthcare legislation and reaching a public spend of 2.5% of the gross domestic product by 2018. The final version of the NHP, published in 2017, however, codified a shift in healthcare policy by focusing on strategic purchasing of secondary and tertiary care services from the private sector and a publicly funded health insurance model.

In line with the vision of the NHP 2017, in February 2018, the Union Minister for Finance and Corporate Affairs, Arun Jaitley, announced two major initiatives as a part of the government’s Ayushman Bharat programme (Ministry of Finance 2018). Administered under the aegis of the Ministry of Health and Family Welfare, these initiatives are intended to improve access to primary healthcare through the creation of 150,000 health and wellness centres as envisioned under the NHP 2017, and improve access to secondary and tertiary healthcare for over 100 million vulnerable families by providing insurance cover of up to ₹ 500,000 per family per year under the Pradhan Mantri–Rashtriya Swasthya Suraksha Mission/National Health Protection Scheme (PM–RSSM/NHPS) (Ministry of Health and Family Welfare 2018). The NHPS, modelled along the lines of the Affordable Care Act in the US, was later rebranded as the Pradhan Mantri–Jan Arogya Yojana (PM-JAY) at the time of its launch in September 2018. It is claimed to be the world’s largest government-funded healthcare programme and is intentioned to provide health insurance coverage for vulnerable sections in lieu of the Sustainable Development Goal-3 (National Health Authority nd).

To enable the implementation of the Ayushman Bharat programme, the NITI Aayog then proposed the creation of a supply-side digital infrastructure called National Health Stack (NHS) (NITI Aayog 2018). As outlined in the consultation and strategy paper, the NHS is “built for NHPS, but beyond NHPS.” The NHS seeks to leverage the digitisation push through IndiaStack, which seeks to digitalise “any large-scale health insurance program, in particular, any government-funded health care programs.” The synergy is clear, with the NHPS scheme also aiming to be “cashless and paperless at public hospitals and empanelled private hospitals" (National Health Authority nd) [2].

The NHS is also closely aligned with the NHP 2017, which draws attention to leveraging technologies such as big data analytics on data stored in universal registries. The Vision document for the NHS emphasises the fragmented nature of health data as an impediment to reducing inequities in healthcare provision. The NHS, then, also seeks to be the master repository of health data akin to the IHIP. By creating a base layer of registries containing information about various actors involved in the healthcare supply chain (providers such as hospitals, beneficiaries, doctors, insurers and Accredited Social Health Activists), it potentially allows for recording of data from both public and private sector entities, plugging a significant gap in the coverage of the HIS currently implemented in India. With the provision of open, pullable APIs, the NHS also shares the motivations of the IndiaStack to monetise health data.

A key component of the proposed NHS is the Coverage and Claims platform, which the vision document describes as “provid[ing] the building blocks required to implement any large-scale health insurance program, in particular, any government-funded healthcare programs. This platform has the transformative vision of enabling both public and private actors to implement insurance schemes in an automated, data-driven manner through open APIs " (NITI Aayog2018). A post on the iSPIRT website further explains the centrality of this Coverage and Claims platform in enabling a highly personalised medical insurance market in India: “This component will not only bring down the cost of processing a claim but ... increased access to information about an individual’s health and claims history ... will also enable the creation of personalised, sachet-sized insurance policies." These data-driven customised insurance policies are expected to generate “care policies that are not only personalized in nature but that also incentivize good healthcare practices amongst consumers and providers … [and] use of techniques from microeconomics to manage incentives for care providers, and those from behavioural economics to incentivise consumers" (Productnation Network 2019). The Coverage and Claims platform, and especially the Policy (generation) Engine that it will contain, is aimed at intensive financialisation of personal healthcare expenses, and extensive experiments with designing personalised nudges to shape the demand behaviour of consumers.

The imagination of healthcare the NHS demonstrates is one where broadening health insurance coverage is equated to providing equitable healthcare and as a panacea for the public healthcare sector. The first phase of this push towards better healthcare provision is to focus on contextualising the historical socio-economic divide. The next phase is characterised by digitalisation: the introduction of ICT to bridge the socio-economic divide in healthcare provision. In this process, the resulting data divide has been invisibilised in reframing better healthcare as an insurance problem for which data needs to be generated. Each policy innovation is then characterised by further marginalisation of those that were originally identified as underserved. This is a result of increasing repercussions of the data-divide, with access to benefits increasingly being mediated by technology.

Concluding Remarks

The idea that any person in India can go to any health service provider/ practitioner, any diagnostic center or any pharmacy and yet be able to access and have fully integrated and always available health records in an electronic format is not only empowering but also the vision for efficient 21st century healthcare delivery.
— Ministry of Health and Family Welfare, Electronic Health Record Standards For India (2013)

The objective of health data collection has evolved over the course of the institution of the HIS in 2011, to the development of the NHPS and National Health Policy in 2017. What began as a solution to measure and address gaps in access and quality in healthcare provisioning through data analysis has morphed into data centralisation and insurance coverage. Shifting goalposts can also be found in the objectives behind introducing digital systems to collect data.

In recent iterations of the healthcare imaginary, such as the IHIP and the NHS, data ownership by the beneficiaries is stressed upon. In the absence of a rights-based framework dictating the use of data, the role of ownership should be interrogated, especially in the context of a prevalent data divide (Tisne 2019). The legitimisation of data capture can be seen in the emergence of opt-in models of consent, data fiduciaries managing consent on the data subject’s behalf, etc. (Zuboff 2019).

This framing forecloses a discussion about the quality and kind of data being used. The push towards datafication needs to be questioned for its re-indexing of categorical meaning away from the complexities of narrative, context and history (Cheney-Lippold 2018). Instead, the proposed solution is one that stores datafied elements within a closed set (reproductive health= [abortion, aids, contraceptive,...vaccination, womb]). While this set may be editable, so new interpretations can be codified, it inherently remains stable, assuming a static relationship between words and meaning. Health is then treated as having an empirically definable meaning, thus losing the dynamism of what the health and wellness discourse could entail.

It has been historically demonstrated in the Indian context that multiple tools and databases for health data management are a barrier to an efficient HIS. However, generating centralised or federated databases without addressing concerns in data flows, quality, uses in existing data structures, and the digital divide across health workers and beneficiaries alike will lead to the amplification of existing exclusions in data and, consequently, service provisioning.

Acknowledgements

The author would like to express his gratitude to Sumandro Chattapadhyay and Ambika Tandon for their inputs and editorial work on this contribution. This work was supported by the Big Data for Development Network established by International Development Research Centre (Canada).

Notes

[1] Section 2 (a) of the Clinical Establishments (Registration and Regulation) Act, 2010: A hospital, maternity home, nursing home, dispensary, clinic, sanatorium or institution by whatever name called that offers services, facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicine established and administered or maintained by any person or body of persons, whether incorporated or not.

[2] The National Health Stack, then, is the latest manifestation of the Indian government’s push for a “Digital India.” A key component of Digital India has been e-governance, financial inclusion, and digitisation of transaction services. The nudge towards cashless modes of transaction and delivery, also accelerated by India’s demonetisation drive in November 2016, has led to rapid uptake of digital payment services in particular, and that of the IndiaStack initiative in general. Developed by iSPIRT, IndiaStack (https://indiastack.org/) aspires to transform service delivery by public and private actors alike through its “presence-less, paperless, and cashless” mandate.

References

Allan, J and Jane Englebright (2000): “Patient-Centered Documentation,” JONA: The Journal of Nursing Administration, Vol 30, No 2, pp 90–95.

Bach, Peter, Hoangmai Pham, Deborah Schrag, Ramsey Tate and J Lee Hargraves (2004): “Primary Care Physicians Who Treat Blacks and Whites,” New England Journal of Medicine, Vol 351, pp 575–84.

Cheney-Lippold, John (2018): We Are Data: Algorithms and the Making of Our Digital Selves, New Delhi: Sage.

Daly, Jeanette, Buckwalter Kathleen and Meridean Maas (2002): “Written and Computerized Care Plans,” Journal of Gerontological Nursing, Vol 28, No 9, pp 14–23.

EMR Standards Committee (2013): “Recommendations on Electronic Medical Records Standards in India,” Ministry of Health and Family Welfare, Government of India, New Delhi, https://mohfw.gov.in/sites/default/files/24539108839988920051EHR%20Standards-v5%20Apr%202013.pdf.

Federation of Indian Chambers of Commerce and Industry (2015): "A Guiding Framework for OPD and Preventive Health Insurance in India: Supply and Demand Side Analysis," http://ficci.in/spdocument/20678/P&P-helath-insurance.pdf.

Fraser, Hamish, Paul Biondich, Deshendran Moodley, Sharon Choi, Burke Mamlin and Peter Szolovits (2005): “Implementing Electronic Medical Record Systems in Developing Countries,” Journal of Innovation in Health Informatics, Vol 13 No 2, pp 83–95.

Häyrinen, Kristiina, Kaija Saranto and Pirkko Nykänen (2008): “Definition, Structure, Content, Use and Impacts of Electronic Health Records: A Review of the Research Literature,” International Journal of Medical Informatics, Vol 77, No 5, pp 291–304.

Healthcare Information and Management Systems Society (2007): “Electronic Health Records: A Global Perspective,” http://www.providersedge.com/ehdocs/ehr_articles/Electronic_Health_Records-A_Global_Perspective-Exec_Summary.pdf.

Holzemer, William and S B Henry (1992): “Computer-supported Versus Manually-generated Nursing Care Plans: A Comparison of Patient Problems, Nursing Interventions, and AIDS Patient Outcomes,” Computers in Nursing, Vol 10 No 1, pp 19–24.

Jha, Ashish, Catherine DesRoches, Eric Campbell, Karen Donelan, Sowmya Rao, Timothy Ferris, Alexandra Shields, Sarah Rosenbaum and David Blumenthal (2009): "Use of Electronic Health Records in U.S. Hospitals," New England Journal of Medicine, Vol 360 No 16, pp 1628–1638.

Jyoti, Archana (2018): “States Give Clinical Establishment Act Cold Shoulder," Pioneer, https://www.dailypioneer.com/2018/india/states-give-clinical-establishment-act-cold-shoulder.html.

Kandhari, Ruhi (2017): “Why a Backdoor Push Towards eHealth,” Ken, https://the-ken.com/story/why-backdoor-push-towards-ehealth/.

Kovner, Christine, Lynda Schuchman and Catherin Mallard (1997): “The Application of Pen-Based Computer Technology to Home Health Care,” CIN: Computers, Informatics and Nursing, Vol 15, No 5, pp 237–44.

Krishnamurthy, R (2018): “Integrated Health Information Platform for Integrated Disease Surveillance Program,” Training of the Trainer Workshop, World Health Organisation, New Delhi, https://idsp.nic.in/WriteReadData/IHIP/IHIP%20ToT-Overview-Presentation.pdf.

Kuperman, Gilad and Richard Gibson (2003): “Computer Physician Order Entry: Benefits, Costs, and Issues,” Annals of Internal Medicine, Vol 139 No 1, pp 31–9.

Leung, Gabriel, Philip Yu, Irene Wong, Janice Johnston and Keith Tin (2003): “Incentives and Barriers That Influence Clinical Computerization in Hong Kong: A Population-based Physician Survey,” Journal of the American Medical Informatics Association, Vol 10 No 2, pp 201–12.

McGinn Carrie Anna, Sonya Grenier, Julie Duplantie, Nicola Shaw, Claude Sicotte, Luc Mathieu, Yvan Leduc, France Légaré and Marie-Pierre Gagnon (2011): “Comparison of User Groups' Perspectives of Barriers and Facilitators to Implementing Electronic Health Records: A Systematic Review,” BMC Medicine, Vol 9 No 46.

Miklin, Daniel, Sameera Vangara, Alan Delamater and Kenneth Goodman (2019): “Understanding of and Barriers to Electronic Health Record Patient Portal Access in a Culturally Diverse Pediatric Population,” JMIR Medical Informatics, Vol 7, No 2.

Ministry of Finance (2018): “Budget 2018-19: Speech of Arun Jaitley,” New Delhi, https://www.indiabudget.gov.in/ub2018-19/bs/bs.pdf.

Ministry of Health and Family Welfare, Government of India (2008): "4 Years of Transforming India-Healthcare for All," New Delhi. https://mohfw.gov.in/ebook2018/gvtbook.html.

Ministry of Health and Family Welfare, Government of India (2013): “Electronic Health Record Standards For India,” Government of India, New Delhi, https://www.nhp.gov.in/NHPfiles/ehr_2013.pdf.

Ministry of Health and Family Welfare, Government of India (2017): Request for Proposal: Development and Implementation of Integrated Health Information Platform (IHIP), Centre for Health Informatics, National Institute of Health and Family Welfare, New Delhi, https://nhp.gov.in/NHPfiles/IHIP_RFP%20.pdf.

Ministry of Health and Family Welfare, Government of India (2018): “IDSP Segment of Integrated Health Information Platform,” New Delhi, https://idsp.nic.in/index4.php?lang=1&level=0&linkid=454&lid=3977.

National Health Authority (nd): “About Pradhan Mantri Jan Arogya Yojana (PM-JAY) | Ayushmaan Bharat,” https://www.pmjay.gov.in/about-pmjay.

NITI Aayog (2018): “National Health Stack- Strategy and Approach,” NITI Aayog, New Delhi, http://www.niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf.

Organisation for Economic Co-operation and Development (2013): “Strengthening Health Information Infrastructure for Health Care Quality Governance: Good Practices, New Opportunities and Data Privacy Protection Challenges,” OECD Health Policy Studies, Paris, OECD Publishing, https://read.oecd-ilibrary.org/social-issues-migration-health/strengthening-health-information-infrastructure-for-health-care-quality-governance_9789264193505-en.

Poon, Eric, David Blumenthal, Tonushree Jaggi, Melissa Honour, David Bates and Rainu Kaushal (2004): “Overcoming Barriers to Adopting and Implementing Computerized Physician Order Entry Systems in U.S. Hospitals,” Health Affairs, Vol 23 No 4, pp 184–90.

Productnation Network (2019): “India’s Health Leapfrog–Towards A Holistic Healthcare Ecosystem,” iSpirt, https://pn.ispirt.in/towards-a-holistic-healthcare-ecosystem/.

Rathi, Aayush and Ambika Tandon (2019): “Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?” EPW Engage, https://www.epw.in/engage/article/data-infrastructures-inequities-why-does-reproductive-health-surveillance-india-need-urgent-attention.

Sequist, Thomas, Theresa Cullen, Howard Hays, Maile Taualii, Steven Simon, and David Bates (2007): “Implementation and Use of an Electronic Health Record Within the Indian Health Service,” Journal of the American Medical Informatics Association, Vol 14, No 2, pp 191–97.

World Bank (nd): Physicians (per 1,000 people) | Data, https://data.worldbank.org/indicator/SH.MED.PHYS.ZS.

Tierney, William et al. (2010): “Experience Implementing Electronic Health Records in Three East African Countries,” Studies in Health Technology and Informatics, Vol 160, No 1, pp 371–75.

Tisne, Martin (2018): “It’s Time for a Bill of Data Rights,” MIT Technology Review, https://www.technologyreview.com/s/612588/its-time-for-a-bill-of-data-rights/.

World Health Organization (2016): “Global Diffusion of eHealth: Making Universal Health Coverage Achievable,” https://apps.who.int/iris/bitstream/handle/10665/252529/9789241511780-eng.pdf;jsessionid=9DD5F8603C67EEF35549799B928F3541?sequence=1.

Zuboff, Soshana (2019): The Age of Surveillance Capitalism, New York: PublicAffairs.

For more details visit https://cis-india.org/raw/is-indias-digital-health-system-foolproof

Power over privacy: New Personal Data Protection Bill fails to really protect the citizen’s right to privacy

Nikhil Pahwa — 2019-12-15T05:57:31Z

Nikhil Pahwa throws light on the new personal data protection bill.

The article by Nikhil Pahwa was published in the Times of India on December 12, 2019. CIS report was mentioned.

Earlier this year, in April, a data breach in the Election Commission of Philippines led to the leakage of personal information of over 55 million eligible voters on a searchable website: including names, addresses and date of birth. This was not the first data breach from the Election Commission. After the first, which took place in March 2016, where 340 GB of voter data was published online by a group of hackers called LulzSec Pilipinas, the National Privacy Commission of Philippines found that the Election Commission had violated the Data Privacy Act of 2012, and recommended criminal prosecution of its chairman, finding him liable when the agency failed to dispense its duty as a “personal information controller”.

It’s 2019, and that recommendation has still not been acted upon, because the National Privacy Commission of Philippines only has recommendatory powers for criminal prosecution. Meanwhile, data breaches continue at the Election Commission of Philippines.

Between 2017 and 2018, Aadhaar related personally identifiable data of several Indian citizens, including names, addresses, bank account numbers, in some cases pregnancy information and even religion and caste information of individuals, was published online by Indian government departments. The Centre for Internet and Society, in a report, estimated that personally identifiable data for 130-135 million Indian citizens had been leaked, thus putting them at risk. 210 government websites had made Aadhaar related data public, UIDAI confirmed in response to an RTI in 2017.

No one was held liable. There was no data protection law, no data protection authority, no criminal prosecution was recommended. Around that time, the Indian government was instead arguing in the Supreme Court that privacy isn’t a fundamental right under the Indian Constitution.

What we can learn from these two instances is that for the enforcement of a citizen’s right to privacy, and ensuring that no one takes the protection of data lightly, there needs to be a strong privacy law that holds even the government responsible, and above all, a strong data protection authority that is independent and has powers to penalise even government officials. On some of these counts, the Personal Data Protection Bill, 2019, disappoints.

First, members of the Data Protection Authority will no longer be appointed by independent entities from diverse backgrounds: where they were previously going to be appointed by a committee comprising the Chief Justice of India or a Supreme Court judge, the Cabinet secretary, and an independent expert, the power to appoint members to DPA now rests solely with government officials, including the appointment of adjudicating officers. In addition, the central government, in the interest of “national security, sovereignty, international relations and public order, can issue directions to DPA, which DPA will be bound by. Powers of DPA have also been reduced: while in the previous version of the bill, DPA had the sole power to categorise data as sensitive personal data, in the current version, the power rests with the central government, albeit in consultation with DPA. The central government will also notify any social media company as a significant data fiduciary, and not DPA. Only the central government can determine what critical personal data is, and not DPA.

This dependence on the government for appointments, functions and definitions, will invariably impact the independence of DPA, and even though the 2019 version of the bill gives it the authority to fine the state a maximum of Rs 5-15 crore, depending on the offence, i’d be surprised if this ever happens.

The bill does create significant exceptions for the state to acquire and process data, and an opportunity to create a base for surveillance reform in the country has been lost. The previous version of the bill had brought some sense of safety against mass surveillance, when it included the condition that processing of data by the government must be “necessary and proportionate”, drawing from Supreme Court’s historic right to privacy judgment. This is particularly important given that the bill also gives power to the government to exempt any agency from the provisions of the bill for processing of personal data, which includes acquiring data from any public or private entity.

Effectively, this means that government agencies may be exempt from any scrutiny by DPA, and can even collect data from third parties (for example, fin-tech companies, health-tech startups) without the user even knowing. Forget recommending criminal prosecution for mass surveillance, India’s DPA won’t even be able to fine a government agency for such a violation of the fundamental right to privacy. The government also has vast exceptions for data processing: “for the performance of any function of the state authorised by law”.

This aside, one of the more curious clauses in the bill is around non-personal data. The government, a few months ago, constituted a committee led by Infosys co-founder Kris Gopalakrishnan to look into the governance of non-personal data. Non-personal data, as the term suggests, is any data that is not related to an individual. In the bill, the government has given itself the right to acquire this data, which is essentially a company’s intellectual property, to “promote framing of policies for digital economy”. Why non-personal data finds a mention in a Personal Data Protection Bill is beyond comprehension, and this move will not inspire much confidence in businesses operating in India, when the state claims eminent domain over intellectual property.

It’s unfortunate minister Ravi Shankar Prasad is sending the bill to a select committee, given the fact that such significant changes to the bill should have led to another public consultation.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-december-12-2019-power-over-privacy

Outrage As Privileged IITians Use Tech To Spy On Sweepers

Rachna Khaira — 2019-12-15T05:33:21Z

Some members of the housekeeping staff at IIT Ropar were put under round the clock surveillance during working hours for many days in February this year without their consent. IIT Ropar Director Prof S K Das has ordered a probe into the incident.

The article by Rachna Khaira was published in Huffington Post on December 31, 2019. Aayush Rathi was quoted.

The Indian Institute of Technology (IIT), Ropar is conducting a probe into the reported tagging and round the clock electronic surveillance of some housekeeping staff members as part of an experiment run by the Technology Business Incubation Foundation (TBIF) located at the IIT campus in February this year.

HuffPost India has learnt that the TBIF, a tech incubator run within IIT Ropar, signed off on the “Sweepy” project in which housekeeping staff were given wristbands and brooms secretly embedded with tracking chips, without seeking the consent of the janitorial staff, or informing IIT Ropar management.

While the housekeeping staff were told the wristbands would record their pulse and heart beat, and that they should wear it while cleaning the campus, the tracking chips were used to track to assess if they were sweeping out hard-to-reach corners of the institute.

Prof. Sarit Kumar Das, Director IIT Ropar told HuffPost India that a three member committee comprising of Prof. Bijoy H Barua, Prof. Javed Agrewala and Prof. Deepak Kashyap has been set up to look into the matter.

“We at the IIT Ropar respect privacy and condemn any such violation made by any of our student or staff member,” said Prof. Das. “Before conducting any experiment on human beings, an approval has to be sought from the human ethics team constituted in our institution and they present a case to me after seeking a written consent from the people who would undergo the experiment. Only, after getting my approval, such an experiment can be conducted at the campus.”

Sweeping surveillance

J K Sharma, the Chief Operating Officer of TBIF, told HuffPost India that his tech incubator deliberately misled the housekeeping staff about the true purpose of the wristband as they felt the housekeeping staff wouldn’t agree to wear such a device.

While elaborating more on the ‘Sweepy’ project, Sharma said that the project was based on an idea that came to the hostellers who were upset over the housekeeping staff for not cleaning their rooms.

“The sweepers were not working properly and despite reporting the matter several times to the authorities, they were not taking any cognisance. Perturbed, the students developed this programme in which the location of the sweeper can be recorded and monitored in a control room by a gadget tied to the sweeper’s wrist,” said Sharma.

He further added that a beacon records the activity of the sensor pasted to the broom or mop held by the sweeper and can monitor the area and the time in which it was used. The report was produced digitally on the screen.

Was a consent sought from the sweepers before tagging them?

“The testing was done in a secret manner as the housekeeping staff may not have given their consent for the trial. We tried it on three sweepers and while two of them were found working dedicatedly, one was found to have missed cleaning from few areas assigned to him,” said Sharma.

The findings were shared with the housekeeping supervisor who later directed his staff to do their duty more diligently.

The team working on the project however told HuffPost India that they secured the privacy of the housekeeping staff by removing the microphone from the gadgets tied to their wrists.

This technology does not have video feature and only monitors location of a moving object and is quite cheap as compared to the radio-frequency identification (RFID) technology that uses electromagnetic fields to automatically identify and track tags attached to objects.

The testing was done in a secret manner as the housekeeping staff may not have given their consent for the trial. We tried it on three sweepers and while two of them were found working dedicatedly, one was found to have missed cleaning from few areas assigned to himJ K Sharma, Chief Executive Officer, Technology Business Incubation Foundation, IIT Ropar

Calling this an increasingly commonplace trend of covert spying on domestic workers without their knowledge, Ayush Rathi, Programme Officer, Centre for Internet and Society, said that the housekeeping staff was made to wear the gadget under a false pretense is telling.

“This is a classic example of how the access to privacy is stratified along the axes of class, caste and gender. And ties in closely with a key purpose of surveillance — that of exerting control over people’s bodies to conform to the surveiller’s ideas of right and wrong,” said Rathi.

He further added that in many ways, this story captures the zeitgeist of the 21st century. The is the essence of so much of what qualifies as innovation today is that they seek to find technological solutions to problems that are structural in nature.

“So, in this instance it is very evident that the objective sought to be achieved was not to merely ‘fix’ the problem of the housekeeping staff performing its duties well, but to solely hold them guilty for failing to do so,” said Rathi.

An alternate, albeit more tedious, approach would have been to speak with the workers and iron out the struggles they were facing at the workplace that were preventing them from performing their job well. Any solution could only have been prepared thereafter — he added.

As per Prof. Das, a major problem with the engineering students is that unlike medical students, 90 percent of their experiments are based on machines and not human beings.

“There is too much deficiency of the understanding of human psychology amongst engineering students. To curb this, we at the IIT have started a mandatory course on human ethics which is being taught by some of the renowned human psychology experts. Still sometimes, the violations gets reported,” said Prof. Das.

For more details visit https://cis-india.org/internet-governance/news/huffignton-post-december-13-2019-rachna-khaira-outrage-as-privileged-iit-ians-use-tech-to-spy-on-sweepers

WhatsApp spy attack and after

Theres Sudeep — 2019-12-15T05:06:27Z

Bengaluru experts analyse the Pegasus snooping scandal, and provide advice on what you can do about the gaping holes in your mobile phone security.

The article by Theres Sudeep was published in Deccan Herald on November 6, 2019. Aayush Rathi was quoted.

Last week ended with a sensational piece of news: WhatsApp said spyware Pegasus was being used to hack into the phones of activists and journalists in India.

The software is the brainchild of the NSO Group, an Israeli company. WhatsApp has detected 1,400 instances of Pegasus being used in the latest wave of attacks between April 29 and May 10. WhatsApp has identified 100-plus cases targeting human rights defenders and journalists. About two dozen of these attacks were in India.

Among those whose security was reportedly compromised is Congress leader Priyanka Gandhi.The first question is who ordered this snooping. NSO claims they sell their technology only to government agencies for lawful investigation into crime and terrorism. Speculation is rife that there is government involvement in the snooping.

Vinay Srinivas, lawyer with Alternative Law Forum, Bengaluru, says,“The targets of the attack seem to be those who had critical things to say about the current government.”Referring to a tweet by journalist Arvind Gunasekar, Srinivas says there is clear proof that the government knew of the breach and its severity.The tweet includes a screenshot of a report from the CERT-IN (Indian Computer Emergency Response Team) website dated May 17.

It shows severity rating as “High”.WhatsApp says the vulnerability has now been patched and urged users to update the app. But a level of paranoia around smartphones and privacy has been created. Apar Gupta, executive director of the Internet Freedom Foundation, based in Delhi works towards internet freedom and privacy, says Pegasus,specially, is too expensive (it can cost up to eight million dollars a year to licence) to be used on ordinary citizens.

But not all spyware is expensive. “Multiple kinds are now commercially available and easy to procure. These can be used by an estranged lover or even a professional rival to find information about you,” he says. Jija Hari Singh, retired DGP and Karnataka’s first woman IPS officer, says Pegasus is one of the smaller players, and spyware akin to it has been around for three decades. “Monsters bigger than Pegasus are still snooping on us,” she says.

NOTHING TO HIDE?

Many people fall back on the narrative of ‘I have nothing to hide, so I’m not worried’.Aayush Rathi, Programme Officer at the Centre for Internet and Society, says that this is a flawed premise: “It is like saying free speech is not important for you because you have nothing useful to say.”Gupta breaks down this rationale: “If a person has ‘nothing to hide’ then they should just unlock their phone and hand it over to any person who asks for it. But the minute such a demand is made they would feel uncomfortable.”This discomfort, he says, doesn’t come because they are doing something illegal but because they fear social judgement.“There is a level of intimacy in their conversations that they’d rather not share with anyone else,” he says.Many people believe only illegal activity leads to surveillance, but that is not the case.“Even the most inconsequential actions are being logged on digital devices, and much of this information can be monetised,” he says.The most tangible risks are financial fraud and identity theft, and spyware is also commonly used for corporate espionage.

UPDATE SECURITY

So what must one do if one’s phone is spied on? In the case of Pegasus, Rathi says, “You would have received a communication from WhatsApp if you were targeted. Irrespective, you should update the application immediately as the latest update fixes the vulnerability.”Srinivas says legally the recourse available is the fundamental right to privacy. “Since the government doesn’t have any regulation in place to deal with this, the National Human Rights Commission will have to take it up,” he says.

Gupta advises precautions against preventable hacks. He advises a reading of online guides on surveillance self-defence, especially those by Electronic Frontier Foundation.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-november-6-2019-theres-sudeep-whatsapp-spy-attack-and-after

Why having more CCTV cameras does not translate to crime prevention

Manasa Rao — 2019-12-05T23:26:25Z

Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

The article by Manasa Rao was published the News Minute on September 3, 2019. Pranav M. Bidare was quoted.

In August, a couple from Tamil Nadu’s Tirunelveli district made national headlines for their bravery. True to the Tamil adage ‘vallavanukku pullum aayudham’ (for the strong man, even a blade of grass is a weapon), when thieves entered their home, they fought them with chairs, slippers and even a bucket. Despite being armed with sickles, the masked miscreants fled the scene unable to match the counter-attack mounted by 70-year-old Shanmugavel and 65-year-old Senthamarai. The incident was caught on CCTV camera and the couple, whose video quickly went viral, was celebrated for their valour and made for the perfect social media feel-good story. However, as the news cycle was focused on them, senior police officers from the state and many commentators pointed to the importance of the CCTV camera footage. After all, the whole world watched their courage thanks to the CCTV camera affixed on the couple's front yard.

Since 2017, the Tamil Nadu Police has been aggressively pushing for citizens to install CCTV cameras. A techno-futuristic awareness campaign video released last year even roped in popular Kollywood star Vikram to help the police force. “If there are CCTV cameras, crimes are prevented, evidenced and importantly, it provides evidence in court. So, each of us will compulsorily fix a CCTV camera wherever we are,” says Vikram. In a bold declaration, the motto of the campaign affirms, “With CCTV everywhere, Tamil Nadu has become a place without crime.” At the end of the video Vikram suggests Big Brother is watching, stating, “Everything. Everywhere. We're watching.”

But do more CCTV cameras necessarily translate to crime prevention and deterrence? Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

What the numbers say

A study released in August by tech research group Comparitech ranked Chennai as 32nd out of 50 of the most surveilled cities in the world. The research group, with the use of government reports, police websites and news articles, puts the total number of cameras in the city at 50,000. With a 2016 estimated population of 1.07 crore in Chennai, that is 4.67 cameras per 1,000 people.

With the help of Numbeo, a crowd-sourced database of perceived crime rates, the study puts Chennai’s crime index at 40.39. On a scale of 0 to 100, this is an estimation of overall level of crime in a given city. This score means Chennai’s crime index is ranked ‘moderate’. Similarly, on a 100 point scale, the city's safety index— quite the opposite of crime index— is at 59.61. The higher the safety index, the safer a city is considered to be.

The two other Indian cities on the list of 50 are New Delhi ranked No. 20 with 1,79,000 cameras for 1.86 crore people (9.62 cameras per 1,000 people) and Lucknow ranked at No. 40 with 9,300 cameras for 35.89 lakh people (2.59 cameras per 1,000 people). The capital's crime index is at 58.77 while its safety index is 41.23. The UP city on the other hand has a crime index of 45.30 and a safety index of 54.70.

Stating that the higher number of cameras ‘just barely correlates’ with a higher safety index and lower crime index, the study concludes, “Broadly speaking, more cameras doesn’t necessarily result in people feeling safer.” While the presence of CCTV cameras may not inherently be bad, experts say that they cannot become a substitute for tackling crime and its causes which transcend the realm of technology. These involve tailored and specific approaches which stem from community building.

The infallible CCTV myth

Pranav MB, policy officer at the Centre for Internet and Society in Bengaluru observes that in the long run, over-reliance on CCTV cameras would merely propel criminals to innovate, as opposed to helping deter the crime from taking place. He says, “While it seems intuitive that the presence of a CCTV camera will have a deterring effect on criminal activity, numerous studies over the past decade have concluded that this is not really the case. The idea of a deterring effect also relies on the assumption that the actors are making educated intelligent choices about their future, which is often not the case with persons that commit criminal acts. So the deterring effect of CCTV cameras is not likely to be much more than the already deterring effect that exists because of criminal law and law enforcement.”

Busting the myth that CCTV cameras are foolproof, Pranav adds that public infrastructure as simple as a streetlight could aid in safer neighbourhoods. “The fact remains, however, that if you are not using advanced technology, a simple mask will render you unidentifiable by most basic CCTV cameras. As more advanced and more expensive technology is used, you are only necessitating the need for innovation among criminals to identify new loopholes that they can exploit in the technology. This is not an argument that generally holds against the use of technology, but in the case of CCTV cameras, it has been seen that simple street lights much better serve the goal of deterrence of crimes,” he says.

However, cops disagree with the findings. One IPS officer who works with the police’s Law and Order department in Chennai tells TNM that the presence of CCTV cameras has helped them nab a range of criminals from chain-snatchers to stalkers who have hacked women to death. Praising the use of facial recognition software like FaceTagr that was introduced a few years ago, the officer says, “CCTV cameras have a dissuading effect on criminals. At the very least they serve as a warning but in most cases, we can easily match them to criminals on our existing local, station-wise database. Especially when it comes to areas like T Nagar, Purasawalkam or other crime-prone suburbs, CCTV cameras are an invaluable tool for law enforcement.”

“Even in cases of sexual abuse, street harassment or trafficking, private CCTV cameras have been helpful. Shop owners or residents have come forward with the footage in public interest,” he says, admitting that the Centre’s release of the long-pending National Crime Records Bureau (NCRB) statistics could show a correlation between the push to install CCTVs and crime rates.

With a lack of NCRB data, there are no statistical answers to whether indeed installation of CCTV cameras has helped lowering of crime rates. However, as per one report in The Hindu, the police report a 30% drop in the crime rate in the city following the installation of CCTV cameras. According to their estimate for chain snatching alone, the city police claims that the number of cases have dropped from 792 in 2012 to 538 following the installation of CCTV cameras in 2018.

Over-reliance on technology

Agreeing that law enforcement must be cautious while employing technology to solve crimes, Dr M Priyamvadha, associate professor at the Department of Criminology, University of Madras says her detailed interviews with over 200 incarcerated burglars across Tamil Nadu reveal that they are always on the lookout for a CCTV camera. “They simply use a jammer worth Rs 2,000 (a handy device that disrupts the signal range of a camera) to skirt the presence of a CCTV camera,” she reports. However, the professor cautions that one must not over-sell the capabilities of a CCTV camera in crime prevention.

“We must remember that CCTV cameras don't deter all crimes. If there is family or domestic violence, there won't be a CCTV camera inside the four walls of a house to reveal it. For burglaries, robberies and such offences, you can rely on CCTV cameras. How far it helps is a question mark. You can neither completely say it prevents crime nor that it is a waste,” she says.

The professor points out that even when deploying CCTV cameras across the city, law enforcement does not account for wear and tear and maintenance which forms an important part of monitoring security.

Echoing the sentiment, Pranav says that CCTV cameras primarily serve as sources of electronic evidence in criminal cases. “Their deterring effect has repeatedly been observed to not balance out the costs of installing and running them.”

Privacy, data protection concerns

Chennai-based independent tech researcher Srikanth points to the inherent surveillance dangers thanks to the centralised way in which the city police collects the CCTV data. “There is something concerning especially about Chennai City Traffic Police and other various city police’s approach to CCTV. The fundamental shift is that, at least in the city, these cameras are connected to the police control room. So data gets centrally collated. When centralization kicks in, power abuse isn't far away. This way it is far easier for police to destroy evidence,” he alleges.

Srikanth also points out, “CCTVs (especially connected ones) are usually funded by residents and/or merchants who spend their money in putting up the infrastructure, but freely give away the data to the police (often in good faith). There is no oversight on usage, storage, retention of this data and by sheer monopoly on law and order, the police is able to connect a vast number of private CCTVs on to its network.”

Significantly, he expresses concerns about there being no laws that govern the usage of CCTV footage by the police. “Even if one gives into the legitimate state aim to control crime, even if one can argue violation of privacy is proportional, there is no law around use of CCTV by police, let alone using them in investigations. That the state engages with private vendors (such as FaceTagr) and many others also provides these service providers access to data,” he explains.

Pranav also warns, “Furthermore, CCTV cameras also result in compromising the privacy of individuals, and if implemented by the state (as in the case of law enforcement), creates added surveillance risks. Compounding on this is the issue of the recorded video footage, which if stored/transmitted/managed in an non-secure manner creates data protection risks as well. This is especially true in India, where it is difficult to obtain the required infrastructure and expertise in running an effective and secure CCTV camera system.”

'Technology cannot replace interpersonal relationships'

Advising pragmatic thinking when it comes to crime prevention, professor Priyamvadha says that technology should complement what she calls the ‘human touch'. Junking the ‘holistic’ one-size-fits-all approach that is often paraded as a solution, the criminologist says that each crime requires a tailored method of tackling it. “For each and every crime, there is a different strategy. There maybe crimes committed by juveniles, crimes committed against women. For example, if female foeticide is rampant in a village, it is important to understand the village, the preferences of the people there and the caste practices present among them,” she observes.

While technology often allows law enforcement to cover more ground in cases of limited manpower, there’s also a chance the cameras could be seen as a substitute for forging interpersonal relationships between police and the people they seek to protect. “With quick transferring of cops nowadays, the local police station doesn’t have an understanding of the ongoings. Interpersonal relationships are more important than technological advances,” she notes.

For more details visit https://cis-india.org/internet-governance/news/why-having-more-cctv-cameras-does-not-translate-to-crime-prevention

Introducing the Cybersecurity Visuals Media Handbook

Saumyaa Naidu and Arindrajit Basu — 2019-12-06T09:29:27Z

Handbook concept, content and design by: Padmini Ray Murray and Paulanthony George

Blog post authored by: Saumyaa Naidu and Arindrajit Basu

With inputs from: Karan Saini

Edited by: Shweta Mohandas

The need for intervention in the cybersecurity imagery in media publications was realised during a brainstorming workshop that was conducted by CIS with illustrators, designers, and cybersecurity researchers. The details and learnings from the workshop can be read here. The discusisons led to the initiative of creating a media handbook in collaboration with the designers at Design Beku, and the researchers at CIS.

This handbook was conceived to be a concise guide for media publications to understand the specific concepts within cybersecurity and use it as a reference to create visuals that are more informative, relevant, and look beyond stereotypes.

The limits of visibility and the need for relevant cybersecurity imagery

Due to the "limits of visibility" and relative complexity inherent in any representation of cybersecurity, objects and concepts in this field have no immediate visual representation. A Google Search of the term cybersecurity reveals padlocks, company logos, and lines of numbers indicating code-stereotypes that have very little with the substantive discourse prevailing in cybersecurity policy circles. This stereotype can be further understood by exploring the portrayal of a 'hacker' in the media, both in newspapers and popular culture.

Shires argues that a dominant association with ‘danger’ has made the hacker image a "rich repository of noir influences". Therefore, a hacker is usually depicted as a male figure in a dark-coloured hoodie, with no considerations of spatial, temporal, or cultural contexts.

Visuals influence various actors in any conflict. In traditional non-cyber domains, spatial representations of conflict often omit the blood and gore that is a core facet of reality, and therefore, in some ways ‘legitimize war.’ An impersonal, unrealistic depiction of cybersecurity threats vectors or substantive discussions have two key negatives.

First, it re-entrenches the notion of cybersecurity as distant and undecipherable discourse that eludes the individual. This undermines the critical importance of the participatory nature of the process. The goal of decision-making around cybersecurity should focus on individuals feeling secure and not be driven by policy-makers who decide technical parameters without broader consultation..

Second, it undermines the concept being discussed in the news article. If the visual is accompanying an op-ed, often the visual serves as a trigger for comprehending the content of the op-ed. Presently, op-eds on the global agreements in cyberspace, attribution of cyber attacks, and ‘total surveillance’ by Pegasus are depicted very similarly. These over-simplifications are inaccurate and undermine the nuances of the substantive content in each case, thereby impacting negatively the influence that each piece can have on public awareness and on the state of cybersecurity discourse.

Realistic descriptions of cybersecurity enable a granular understanding of threat vectors. There is also a need for signalling that celebrates and encourages greater diversity in this space. Cybersecurity discourse globally remains dominated by experts who are white and male. Explicitly re-conceptualizing these visuals to celebrate a variety of identities could be a push for other countries and communities (especially in the Global South)

This would enable the hitherto ‘disregarded communities’ in global cybersecurity discourse to understand and participate in the policy-making process.Our design handbook aims to guide media-persons in facilitating these goals.

An initial design brief for the media handbook was arrived at through our conversations with the designers at Design Beku. It was decided that the handbook would be concise and use a lighter tone in terms of language and be more visual than textual. For greater access, a digital, interactive format was seen as the most suitable option.

In order to scope the existing visuals, a sampling of cybersecurity coverage under different subjects in various media publications over the last one year was carried out. This included both global and Indian publications such as Livemint, Scroll, Tech Crunch, Motherboard - Vice, and the Economist. Research and op-eds by CIS researchers were also considered to broadly determine the most relevant subjects within cybersecurity.

The subjects selected based on the coverage were Cyberwarfare (Data Localisation), Cyber Attacks, Blockchain, Misinformation, Data Protection, Ethical Hacking, and Internet shutdowns. It was also gathered that there are several sub-topics within these subjects which would be indicated in the handbook.

The structure of the handbook was detailed out further to include a panorama image comprising illustrations that would speak to all the selected subjects, and text to explain the intention and process of making these illustrations. The handbook would begin with introducing its purpose, and go on to describe the concepts within each illustration, along with recommendations for illustrators working on such images. It would also consist of the definitions for each cybersecurity concept being visualised.

The handbook and accompanying illustrations were conceptualised and designed by Padmini Ray Murray and Paulanthony George from Design Beku. It was our great privilege to be a part of this process. We would also like to thank Karan Saini for his invaluable inputs that helped us commission this publication.

A draft of the handbook is hereby being published here. This would be followed by a final version which will be in the form of an interactive web platform for both desktop and mobile devices.

We thank the Hewlett Foundation for funding this research.

Annexure

While commissioning the research, we had deliberated upon a series of definitions that we felt would be useful for the designers in conceptualizing their illustrations. These are provided below, and will form a part of the final handbook described above.

Data Localisation

Data localisation can broadly be defined as 'any legal limitation on data moving globally and compelling it to remain locally’. These policies can take a variety of forms. This could include a specific requirement to locally store copies of data, local content production requirements, or imposing conditions on cross border data transfers that in effect act as a localization mandate.

Cyber Attacks/Warfare

Terms: Critical infrastructure, state-sponsored attackers, disruption and/or espionage, attribution, data leaks, bugs, zero days, misconfigurations

Cyber attacks are a hostile act using computer or related networks or systems, and intended to disrupt and/or destroy an adversary’s critical cyber systems, assets, or functions. The intended effects of cyber attack are not necessarily limited to the targeted computer systems or data themselves.

Blockchain

Terms: Crypto-currency, immutable infrastructure, node compromise

Blockchain is a list of records linked using cryptography. It relies on three core elements in order to function effectively-decentralization, proof of work consensus and practical immutability.

Misinformation

Terms: Propagation and spread, large-scale & inauthentic coordinated activities

The concerted spread of inaccurate information through one (or more) of four methods of propagation-doctored or manipulated primary information, genuine information shared in a false context,selective or misleading use of information and the misinterpretation of information.

Data Protection

Terms: Cryptographic protection, access controls, privacy

Data Protection is protection through legal means accorded to private data from misuse by private or state actors. It includes processes such as collection and dissemination of data and technology, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data.

Ethical Hacking

Terms: Diverse representation, and normalization/de-otherization of an “ethical hacker”

The term implies an ethical responsibility on the part of the hacker which compels them to inform the maintainers of a particular system about any discovered security flaws or vulnerabilities. While the ethics of "ethical hacking" differ for each individual, ethical hackers traditionally practice their craft out of a moral imperative. Ethical hackers are also described as independent computer security professionals who evaluate the system’s security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.

Internet shutdowns

An internet shutdown is an intentional disruption of internet or electronic communications, rendering them inaccessible or effectively unusable, for a specific population or within a location, often to exert control over the flow of information.

The interactive version of the handbook can be accessed here. The print versions of the handbook can be accessed at: Single Scroll Printing, Tiled-Paste Printing.

For more details visit https://cis-india.org/internet-governance/blog/introducing-the-cybersecurity-visuals-media-handbook

Cyber Security Media Handbook

karan — 2019-11-15T12:28:45Z

For more details visit https://cis-india.org/internet-governance/resources/cyber-security-media-handbook

Guest post: Before cyber norms, let’s talk about disanalogy and disintermediation

Pukhraj Singh — 2019-11-18T10:14:07Z

In a guest post in relation to CIS’s recently held roundtable onIndia’s cyber defense strategy, Pukhraj Singh looks at the critical fissures – at the technical and policy levels – in global normative efforts to secure cyberspace. By charting out the key vectors and power asymmetries among key stakeholders – both leading state actors and private actors like Microsoft – Singh posits that there is much to be done before we circumscribe cyber operations within legal strictures.

By: Pukhraj Singh
Reviewed and Edited by: Elonnai Hickok, Arindrajit Basu, and Karan Saini

The ongoing decoupling of norms

In September 2019, the French ministry of defense published a document stating its views on the applicability of international law to cyber operations. While it makes an unequivocal espousal of the rules-based order in cyberspace, some of the distinctions made by the paper within the ambit of international law could be of interest to technical experts.

The document makes two key contributions. First, it addresses two modes of power projection within cyberspace: cyber operations acting as a force multiplier in a hot war that is strictly delineated by kinetic and geographical redlines; and below-threshold, single-domain “dematerialized” operations leveraging cyber intrusions. Secondly, the document has made an attempt to gently decouple itself from the Tallinn Manual on some aspects.

In an unrelated development, Microsoft joined hands with a group of peers within the technology industry, civil society and government to set up the CyberPeace Institute – a private sector initiative to strengthen the rules-based order.

It is an outcome of the sustained, unrelenting effort of Microsoft in thwarting what it believes to be the unchecked weaponization of cyberspace. Suffering a major reputational loss after the Snowden leaks, the company has gradually cultivated fiercely contrarian positions on issues like state-enabled surveillance.

Microsoft’s daring contests and cases against the US government have been intimately recorded in the recently released book Tools and Weapons, authored by its chief legal officer Brad Smith.

Seen through the lens of the future, the aforementioned developments highlight the ongoing readjustment of the legal discourse on cyber operations to account for its incongruous technical dynamics.

As the structures of cyber power are peeled layer-by-layer, the need to address this technical divergence in the overly legal interpretations of cyber norms would only increase.

Disanalogy & disintermediation

Take the case of two fundamental dimensions – disanalogy and disintermediation – which have the potential to alter our understanding of how power is wedded with cyberspace.

Disanalogy is a logical postulation that challenges the primacy of “reasoning by analogy” using which international law is mapped to cyber conflict. Disintermediation highlights how the power dynamics of cyberspace have disrupted statism.

Understanding when and how the realization that international law is reasonably applicable to cyber operations dawned upon the international community leads one to an unending maze. It becomes a cyclical process where one set of initiatives only cross-reference the others, in a self-fulfilling sort of way.

The notes of the 2013 session of the United Nations’ Governmental Group of Experts, affirming the sanctity of international law in cyberspace, look like an exercise in teleology.

Not to be distracted by the deeply philosophical nature of war, Kubo Mačák of the University of Exeter did point out that “the unique teleological underpinning of the law of war” should be considered before it is exported to new normative frameworks.

The deductive process inspired by reasoning by analogy that lies at the heart of the cyber norms discourse has not undergone much scrutiny.

In his 2013 talk at NATO’s CCDCOE, Selmer Bringsjord, cognitive sciences professor at the Rensselaer Polytechnic Institute, introduced the idea of disanalogy. Citing the general schema of an analogical argument, Bringsjord arrived at a disproof divorcing the source domain (the just war theory for conventional war) and target domain (just war theory for cyberwar).

He mapped jus in bello in a conventional war across the dimensions of Control, Proportionality, Accessibility, and Discrimination.

Bringsjord further added that these source attributes would not be evident in the target domain for two reasons: the inevitable digitization of every analog object and its interfaces; and the inherent propensity of artificial intelligence to wage attacks on its own.

In a supporting paper, he exhorts that while “Augustine and Aquinas (and their predecessors) had a stunningly long run…today’s world, based as it is on digital information and increasingly intelligent information-processing, points the way to a beast so big and so radically different, that the core of this duo’s insights needs to be radically extended.”

Celebrated malware reverse engineer Thomas Dullien, too, is of the opinion that machine learning and artificial intelligence are more suited for cyber offence as it has remained a “stable-in-time distribution.”

Brandon Valeriano of the Marine Corps University has drawn upon the case of incendiary balloons to question the overreliance on reasoning by analogy. Sadly, such viewpoints remain outliers.

Senior computer scientist David Aucsmith wrote in Bytes, Bombs and Spies that “one of the major challenges in cyberspace is the disintermediation of government.” He adds that while cyberspace has become the “global center of gravity for all aspects of national power,” it further removes the government from the “traditional functions of safety and security.”

The commercialized nature of the Internet is obvious to many. But steadily over the years, the private sector has also acquired vast swathes of cyber power in a manner that strangely mirrors the military concepts of counterintelligence, defense and deterrence.

In Tools and Weapons, Brad Smith recalls a meeting of top technology executives at the White House. As the executives pushed for surveillance reform after the Snowden leaks, Obama defensively retorted that “the companies at the table collectively had far more data than the government.” The “signals intelligence” capabilities of Google and Microsoft rival that of a nation state.

Former deputy director of the NSA Chris Inglis writes in Bytes, Bombs and Spies:

In cyberspace, a small change in configuration of the target machine, system, or network can often negate the effectiveness of a cyber weapon against it. This is not true with weapons in other physical domains…The nature of target-weapon interaction with kinetic weapons can usually be estimated on the basis of physics experimentation and calculation. Not so with cyber weapons. For offensive cyber operations, this extreme “target dependence” means that intelligence information on target characteristics must be precise, high-volume, high-quality, current, and available at the time of the weapon’s use.

Inglis argues that fielding “ubiquitous, real-time and persistent” intelligence, surveillance and reconnaissance (ISR) frameworks is crucial for mustering the ability to produce cyber effects at a place and time of choosing.

Daniel Moore of King’s College London broadly categorizes cyber operations into event-based and presence-based.

The ISR framework envisioned by Inglis pre-positions implants with presence-based operations to make sure that the adversarial infrastructure -- perpetually in a state of flux -- remains primed for event-based operations. Falling prey to an analogy, this is as challenging as a group of river-rafters trying to keep their raft still at one position in a raging torrent of water.

However, it is worthy to note that a major component of such an ISR framework would manifest over privately-owned infrastructure.

It is exactly why the commercial threat intelligence industry lead by the likes of Fireeye, Kaspersky and Crowdstrike has flourished the way it has.

Joe Slowik, principal adversary hunter at Dragos, Inc., corroborates it: “An entire ecosystem of defense and security developed within the private space…essentially, private (defensive) ‘armies’ grew up and proliferated in the cyber security space over the course of many years.”

Jason Healey of Columbia’s School of International and Public Affairs has another way of looking at it: “In counterinsurgency, host nation must take lead & U.S. role is to provide aid & support. USG not seen as legitimate, may lack the local & cultural knowledge, & lack sufficient resources. In cyberspace, the private sector, esp tech & security companies, are the host nation (sic)”.

Initiatives like the CyberPeace Institute and Cybersecurity Tech Accord are to be seen as emerging geopolitical formations pivoted around the power vacuum created by growing disintermediation.

While Microsoft avows the applicability of international law, the decreasing technological dependence on it to enforce the rules-based order may herald data-driven normative frameworks solely originating from the private sector.

Take the specific case of fashionable “black-letter rules” – like barring cyber actors from hacking into adversary’s election infrastructure – variedly promulgated by the Tallinn Manual, Microsoft and Global Commission on the Stability of Cyberspace. They could very well act as impediments to the success of the norms process.

Cyber actors can be variedly be divided into various capability tiers: A, B, C or D Teams, etc. Such categorizations could be derived from multiple variables like operational structure, concept of operations, capabilities and toolchains, and operating budget, etc.

In what may sound paradoxical, mindless enforcement of such rules creates an inherently inequitable environment where actors would be compelled to flout them. Targeting and target discrimination are possibly the most expensive components of the cyber offensive toolchain. As intelligence analyst Grugq said, “You need a lot of people to have a small numbers of hackers hacking.”

The ability to avoid a vulnerable target or an attack surface without sacrificing the initiative is a luxury that only an A-team could afford, further disincentivizing smaller players from participating in confidence-building measures.

In such cases, the private sector could lead the way in the neutral and transparent interpretation of the dynamics and thresholds of power projection in cyberspace. Companies, not countries, have the vantage point and commercial interest to create a level playing field.

Taking the original case of France’s new dossier on cyber operations, its gradual rollback from the strictly black-and-white world of, say, the Tallinn Manual hints at a larger devolution of legally interpreted cyber operations, influenced by technical incongruities like disanalogy and disintermediation.

While the said document answers many questions relating to the applicability of international law to cyber operations with uncanny confidence, the devil still lies in the details.

For example, it talks about creating militaristic cyber effects by altering the confidentiality and availability of data on adversarial systems, but skirts around integrity – as if the three dimensions of data security are not symbiotic. Such picket-fencing may be trying to carefully avoid the legal ambiguity on information operations, post-ICJ US vs Nicaragua.

Ask any cyber operator, can a cyber operation proceed without sabotaging the integrity of log artifacts or other such stealthy or deceptive maneuvering?

It also postulates the export of “non-international armed conflict” to the territory of consenting nation states, as if such factors are completely controllable.

Discussed earlier, a majority of the cyber-ISR frameworks manifest over globally scattered private infrastructure. And almost every layer of the computing architecture is now network-enabled.

In cyberspace, the ‘territory’ of a nation state expands and contracts in real time. It may exist online as the sum of all the global information flows, across the many millions of interfaces, associated with it at any given moment. The sheer emergent complexity of this organism has baffled many.

The adversarial environment fluxes at such a rapid pace that taking “territorial” sanctity into account during an ongoing operation is nigh impossible. This, in fact, is the very premise of Defend Forward.

The French document is a good attempt at decoupling cyber operations from legal strictures, but it should be seen as the mere beginning of that process.

Cognitive cyber offence

Lastly, the complete absence of the cognitive dimension in the norms process is something that should be outrightly addressed.

Keith Dear, a research fellow at Oxford’s Changing Character of War Program, feels that war – as “a continuation of politics by other means” – is essentially persuasive and has predominantly psychological effects. They get aggravated more so by the scale and speed of cyber-enabled behavioral modelling.

The threat landscape is at a stage where we are going to see the increasing exploitation of cyber-cognitive attack surfaces – the cost-benefits are now heavily tilted towards their side. It is like what conventional cyber operations used to be 20 years ago: cheap and easy over scale and speed.

The cyber norms community only considers the first or second order effects of cyberattacks. The reality is that causation could be separated by many, many degrees – also missing out on the fact that a cyberattack is generally an indiscernible mixture of not just effects, but also perceptions. Every cyber operation could be deemed as an information operation even after full denouement.

We have only begun to understand the significance of the cognitive dimension. Leading thinkers like former Secretary of the Navy Richard Danzig had for long proposed perceptive instead of spatial redlines for cyber conflict, aptly capturing its emergent properties.

His suggested baseline was: “The United States cannot allow the insecurity of our cyber systems to reach a point where weaknesses in those systems would likely render the United States unwilling to make a decision or unable to act on a decision fundamental to our national security.”

Danzig’s paradigm neatly fits into the Defend Forward philosophy of the US Cyber Command. Former director of the NSA Michael Hayden once said that Stuxnet had the “whiff of August 1945,” while former NSA exploitation engineer Dave Aitel labelled it as the “announcement of a team.” The theatres of war, frameworks for deterrence and parameters for proportional response may turn out to be purely perceptive in nature.

As the cyber option gets increasingly expended by militaries, we have come to understand that the esoteric cognitive parameters of digital conflict could be crucial enough to decide victory or defeat.

Conclusion

As the United Nations’ Governmental Group of Experts’ dialogue came to a grinding halt in 2016, Michelle Markoff, former deputy coordinator for Cyber Issues in the US State Department, gave a candid account of what went wrong.

She also went on to recommend “interleaving strategies” like defence, declaratory policies, alliance activities, and norms of behaviour. It is interesting to note all the four dimensions proffered by her neatly fit into the remit of the private sector when it comes to fostering cyber stability.

The threat intelligence industry, by its indirect participation in the great power play, is already carving a rudimentary framework for declaratory signaling. Private sector alliances – by being more open and neutral about attack attribution, adversarial intent and capabilities, and targeting criteria – may lower the incentives while increasing the costs of cyber actions. That may force various actors to the negotiating table.

The emergence of customary international law in cyberspace, as a precursor to effective normative frameworks, is a necessity that may squarely fall on the shoulders of corporations. In that sense, diplomatic initiatives and alliance activities by Microsoft and others must be keenly observed.

Pukhraj Singh is a cyber threat intelligence analyst who has worked with the Indian government and security response teams of global companies. He blogs at www.pukhraj.me. Views posited are the author’s alone.

For more details visit https://cis-india.org/internet-governance/blog/guest-post-before-cyber-norms-let2019s-talk-about-disanalogy-and-disintermediation

Comments: The Personal Data Protection Bill

pranav — 2019-11-15T09:35:33Z

For more details visit https://cis-india.org/internet-governance/comments-the-personal-data-protection-bill

Activists demand judicial probe into WhatsApp snooping

KV Kurmanath — 2019-11-15T00:53:02Z

Calls for Parliamentary supervision over Government interception, legal hacking.

The article by K.V. Kurmanath was published in the Hindu Businessline on November 1, 2019. Sunil Abraham was quoted.

With reports of Israeli spyware being used to snoop on scores of WhatsApp subscribers, cyber security activists have appealed to the Supreme Court to take up the issue suo moto and order an inquiry. Kiran Chandra, a leader of the Free Software Movement of India, has said that the Government should rein in WhatsApp and mandate it to submit the source code, stating that the privacy of individuals is at stake.

Though reports of a breach of the WhatsApp network hit the headlines in the US six months ago, it is only in the last few days that the impact in India has become a burning issue.

“We, for long, have been arguing that the privacy of individuals on the Internet is at risk. The Government should have enough safeguards to ensure their safety,” said Chandra.

Sunil Abraham, Executive Director of the Centre for Internet and Society, has called for a dedicated law to ensure Parliamentary supervision for all Government interception and legal hacking programmes. "The data protection law which is being contemplated by the current administration will not address the surveillance policy question in totality," he pointed out.

"It is a truly worrying development that members of civil society are being targeted using sophisticated surveillance technologies without proper legal basis and without any oversight," he said.

Cyber security and privacy experts took to social media to express concern about the vulnerabilities that expose people to potential risks.

Srinivas Kodali, a privacy activist, said the use of Israeli firm NSO Group’s Pegasus spyware to monitor human rights defenders and academics is a clear violation of their fundamental rights. “The Supreme Court judgement on right to privacy has been very loud and clear that Indians’ fundamental rights can’t be exempted under national security without defining it,” he said, responding to a query on the breach of WhatsApp subscribers’ privacy.

“The operations of national security agencies are completely hidden and are not subjected to any legislative or judicial oversight. This cannot continue as they misuse the powers bestowed on themselves without any law on surveillance from Parliament,” he said.

The Internet Freedom Foundation has expressed concerns about the breaches. It wanted the Government to explain on how this spyware was used in India to hack citizens.

“The Government must issue an official public statement providing complete information. It must also clarify which law empowers it to install such spyware,” it said in a statement.

The US-based social media platform has started sending messages to subscribers whose accounts may have been compromised. It contains information about the breach and a link with a to-do list to stay safe.

The victims of the attack, which purportedly took place in April-May 2019, included human rights activists, journalists and Dalit activists.

At least two victims of the spyware attack confirmed receipt of alert messages from WhatsApp. “I received a call (from abroad) in the first week of October. But I ignored it as it was from an unknown number. I received a message from WhatsApp, alerting me about a probable intrusion,” a civil rights lawyer said.

How it happened

“In May, we stopped an attack where an advanced cyber actor exploited our video calling to install malware on user devices. There’s a possibility this phone number was impacted, and we want to make sure you know how to keep your mobile phone secure,” the message received by the victim said.

WhatsApp, a Facebook arm, sent these special messages to about 1,400 users who may have been impacted by the spyware attack. It is working with The Citizen Lab, a research group with the University of Toronto’s Munk School, to assess the impact of the attack on civil society.

In a statement, WhatsApp said: “We provide end-to-end encryption for all messages and calls by default. (But) This attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power our mobile phones.”

WhatsApp moved a US court against the Israeli company NSO Group, and its parent company Q Cyber Technologies, alleging that they violated both US and California laws and WhatsApp’s Terms of Service, which prohibited such intrusions.

For more details visit https://cis-india.org/internet-governance/news/hindu-businessline-november-1-2019-kv-kurmanath-activists-demand-judicial-probe-into-whatsapp-snooping