Centre for Internet and Society

Indian PM Narendra Modi’s digital dream gets bad reception

praskrishna — 2015-09-29T15:23:04Z

As Indian Prime Minister Narendra Modi told Silicon Valley’s most powerful chief executives this week how his government “attacked poverty by using the power of networks and mobile phones’’, the entire population of the state of Kashmir remained offline — by order of the state.

The article by Amanda Hodge was published in the Australian on September 29, 2015. Sunil Abraham gave inputs.

“I see technology as a means to empower and as a tool that bridges the distance between hope and opportunity,” Mr Modi said yesterday on a trip in which he will also discuss development at the UN.

Earlier, in a “town hall” meeting with Facebook chief Mark Zuckerberg Mr Modi hailed the power of social media networks that gave governments the opportunity to correct themselves “every five minutes”, rather than every five years.

His remarks during his Digital India tour of the US west coast sparked a storm of Twitter protest.

The northern state’s former chief minister Omar Abdullah, who noted the “irony of listening to Prime Minister Modi lecturing about connected digital India, while we are totally disconnected”.

The ban on mobile and broadband internet in Jammu and Kashmir was imposed last Friday, the beginning of the Muslim holiday of Eid-ul-Zuha during which animals are slaughtered and the meat fed to the poor, for fear social media could inflame tensions over the state government’s decision to enforce a beef ban.

It was to have lasted 24 hours but — notwithstanding Twitter feedback — was extended twice as a “precautionary” measure.

As Mr Modi outlined his dreams of a broadband network connecting the country’s most remote communities, millions of New Delhi mobile phone users continued their daily wrestle with line dropouts.

“We are bringing technology, transparency, efficiency, ease and effectiveness in governance,” he said, as in New Delhi the government talked of pulling down more mobile towers.

Centre for Internet and Society director Sunil Abraham said yesterday: “Schizophrenia between rhetoric and reality (on digital policy) is the global standard for all world leaders.

“Politicians in opposition are invariably opposed to surveillance and in favour of free speech but the very day that politician assumes office even if it is someone as splendid as Barack Obama, they change their opinions on these topics and become pro-surveillance and pro-censorship.”

Certainly successive Indian governments have had a patchy record on such issues. Last March India’s activist Supreme Court struck down a controversial section of the Information Technology Act which made posting information of a “grossly offensive or menacing character” punishable by up to three years’ jail.

That month police in northern Uttar Pradesh arrested a teenager for a Facebook post, which they said “carried derogatory language against a community”.

Previous cases under the former Congress-led government include that of a university professor detained for posting a cartoon about the chief minister of West Bengal and the arrest of two young women over a Facebook post criticising the shutdown of Mumbai following the death of a Hindu right politician.

While Mr Modi’s government welcomed the Supreme Court ruling as a “landmark day for freedom of speech and expression”, last month it attempted to block 857 random porn sites.

Notwithstanding the gulf between Mr Modi’s digital dream rhetoric and the reality at home, his second US visit in 17 months has reaped dividends. Google has committed to a joint initiative to roll out free Wi-Fi to 500 railway stations across the country, and Qualcomm has pledged a $US150 million ($213m) tech startup fund.

But Mr Abraham warned of the potential for such investments to compromise net neutrality — the principle of allowing internet users access to all content and applications.

For more details visit https://cis-india.org/internet-governance/news/the-australian-amanda-hodge-september-29-2015-indian-pm-narendra-modi-digital-dream-gets-bad-reception

Hits and Misses With the Draft Encryption Policy

sunil — 2015-09-26T16:46:53Z

Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.

The article was published in the Wire on September 26, 2015.

This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.

However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.

Plain-text storage requirement

First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions are based on dynamically generated keys and users are not even aware that their interaction with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.

Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.

Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.

Regulatory design

Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.

This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.

Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. “Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”

The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.

And the good news is…

On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.

Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.

The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.

Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. The basis of all encryptions standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy

Open Governance and Privacy in a Post-Snowden World : Webinar

vanya — 2015-10-04T11:09:12Z

On 10th September 2015, the OGP Support Unit, the Open Government Guide, and the World Bank held a webinar on “Open Governance and Privacy in a Post-Snowden World” presented by Carly Nyst, Independent consultant and former Legal Director of Privacy International and Javier Ruiz, Policy Director of Open Rights Group. This is a summary of the key issues that were discussed by the speakers and the participants.

See Open Governance and Privacy in a Post-Snowden World

Summary

The webinar discussed how Government surveillance has become an important and key issue in the 21^st century, thanks to Edward Snowden. The main concern raised was with respect to what a democracy should look like in the present day. Should the states’ use of technology enable state surveillance or an open government? Typically, there is a balance that must be achieved between the privacy of an individual and the security of the state – particularly as the former is primarily about social rights and collective interest of citizens.

At the international level, the right to privacy has been recognized as a basic human right and an enabler of other individual freedoms. This right encapsulates protection of personal data where citizens have the authority to choose whether to share or reveal their personal data or not. Due to technological advancement that has enabled collection, storage and sharing of personal data, the right to privacy and data protection frameworks have become of utmost importance and relevance with regard to open government efforts. Therefore, it is important for Governments to be transparent in handling sensitive data that they collect and use.

Many countries have also introduced laws to balance the right to privacy and right to information. The role of the private sector and NGOs involved in enabling an open and transparent government must also be duly addressed at a national level.

Key Questions:

Why should the government release information?

There are multiple reasons for doing so including:

For the purposes of research and public policy (which relates to healthcare, social issues, economics, national statistics, census, etc.)

Transparency and accountability (politicians, registers, public expenses, subsidies, fraud, court records, education)

Public participation and public services (budgets, anti-corruption, engagement, and e-governance).

However, all these have certain risks and privacy implications:

Risk of identification of individual: Any individual whose information is released has the risk of identification, followed by issues like identity theft, discrimination, stigmatization or repression. Normally, the solution for this would be anonymization of the data; however, this is not an absolute solution. Privacy laws can generally cope with such risks, but with pseudonymous data it becomes difficult in preventing identification.
Profiling of social categories which can lead to discrimination: In such a situation, policies and other legislations regulating the use of data and providing remedy for violations can help.
Exploitation and unfair/unethical use of information: When understanding the potential exploitation of information it is useful to consider who is going to benefit from the release of information. For example, in UK, with respect to release of Health Data, the main concern is that people and companies will benefit commercially from the information released, despite of the result potentially being improved drugs and treatment.

What are the Solutions?

The webinar also discussed potential solutions to the questions and challenges posed. For example, when commitments of Open Government Data Partnership are considered, privacy legislations must also be proposed. Further, key stakeholders must make commitments to take pro-active measures to reduce informational asymmetries between the state and citizens. To reduce the risks, measures must be taken to publish what information the State has or what the Government knows about the citizens. For example, in UK, within the civil society network, it is being duly considered in the national plan that the government will publicize how it will share data and have a centralized view on the process of information handling and usage of the data.

The Open Government Guide provides for Illustrative Commitments like enactment of data protection legislation, establishing programmes for awareness and assessment of their impact, giving citizens control of their personal information and the right to redress when that information is misused, etc.

Surveillance

The issue of surveillance and the role of privacy in an open government context was also discussed. The need for creating a balance between the legitimate interest of national security and the privacy of individuals was emphasized. With the rise of digital technologies, many governmental measures pertaining to surveillance intervene in individual privacy. There are many forms of surveillance and this has serious privacy implications, especially in developing countries. For example:

Communications surveillance
Visual surveillance
Travel surveillance

This raises the question: When is surveillance legitimate and when must it be allowed?

The International Principles on the Application of Human Rights to Communications Surveillance acts as a soft law and tries to set out what a good surveillance system looks like by ensuring that governments are in compliance with international human rights law.

In essence surveillance does not violate privacy, however, there must be a clear and foreseeable legal framework laying circumstances when the government has the power to collect data and when individuals might be able to foresee when they might be under surveillance.

Also, a competent judicial authority must be established to oversee surveillance and keep a check on executive power by placing restrictions on privacy invasions. The actions of the government must be proportionate and the benefits must not outweigh harm caused by surveillance.

Role of openness in a “mass surveillance” state

Surveillance measures that are being undertaken by governments are increasingly secretive. The European court of Human Rights has held that Secret surveillance may undermine democracy under the cloak of protecting it. Hence, open government and openness will work towards protecting privacy and not undermining it.

To balance the measure of government surveillance with privacy, there is a need to publish laws regulating such powers; publish transparency reports about surveillance, interception and access to communications data; reform legislations relating to surveillance by state agencies to ensure it complies with human rights and establish safeguards to ensure that new technologies used for surveillance and interception respect the right to privacy.

Conclusion

The conclusion one can draw is that Privacy concerns have gained importance in today’s data driven world. The main question that needs to be answered is whether Government’s should adopt surveillance measures or adopt an Open Government?

Considering equal importance of national security and privacy of individuals, it is required that a balance must be crafted between the two. This could be possibly done by enacting foreseeable and clear laws outlining scope of surveillance by the Government on one hand, and informing citizens about such measures on the other. Establishment of a competent judicial authority to keep a check on Government actions is also suggested to work out the delicate balance between surveillance and privacy.

For more details visit https://cis-india.org/internet-governance/blog/open-governance-and-privacy-in-a-post-snowden-world-webinar

Govt presses 'undo' button on draft encryption policy

praskrishna — 2015-09-25T01:55:57Z

The decision came a day before PM embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla.

The article was published in Business Standard on September 23, 2015. Sunil Abraham gave inputs.

The government on Tuesday scrapped a draft national encryption policy that mandated firms and individuals to allow authorities access to all encrypted information on email, apps, websites and business servers.

The decision came a day before Prime MinisterNarendra Modi embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla. Activists and executives from technology firms had expressed outrage on the draft policy, saying the move would have taken India a step back in technology adoption.

At a meeting of the Union Cabinet on Tuesday, Modi was livid at the controversy generated by the draft policy and directed officials to withdraw it ahead of his US trip, sources said.

The draft had global ramifications, as Facebook,Twitter and messaging apps such as WhatsApp were named in it.

Ravi Shankar Prasad, Union minister for communications and information technology, distanced the government from the draft hosted on the IT department site, but admitted it gave “uncalled-for misgivings”. He directed officials to rework the draft but did not set a timeframe for seeking feedback from the public.

“Yesterday (Monday), it was brought to our notice that the draft had been put in the public domain for, seeking comment. I read the draft. I understand that the manner in which it was written could lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded. I personally feel some of the expressions used in the draft are giving rise to uncalled-for misgivings,” Prasad said. “Experts had framed the draft policy. It is not the government’s final view.”

According to the original draft, the encryption policy sought every message sent by a user, be it through services such as WhatsApp, an SMS or an email, be mandatorily stored in plain text format for 90 days and made available on demand to security agencies. Failure to do so, it added, would draw legal action.

This was because typically, all messaging apps and services such as WhatsApp, Viber, Line, Google Chat and Yahoo! Messenger have high levels of encryption, which security agencies find hard to crack and intercept.

Early on Tuesday, before Prasad announced the withdrawal of the draft policy, the government had issued an addendum to keep social media and web applications such as WhatsApp, Twitter and Facebook out of its purview.

In a three-point clarification, the Department of Electronics and Information Technology (DeitY) said some encryption products were exempt. “Mass-use encryption products, currently being used in web applications, social media sites and social media applications, such as WhatsApp, Facebook and Twitter…SSL/TLS encryption products being used in internet banking and payment gateways, as directed by the Reserve Bank of India”, and SSL/TLS encryption products being used for e-commerce and password based transactions,” it said.

“Ideally, the new policy should only focus on two objectives: It should mandate encryption standards within the government, military, law enforcement and intelligence agencies. It shouldn’t regulate the use of encryption by the private sector; the private sector should be allowed to use whatever it believes is appropriate, as long as it is considered a reasonable security measure by courts, under section 43A of the IT Act,” said Sunil Abraham, director,Centre for Internet and Society (CIS).

Prasad reiterated the government, under the leadership of Prime Minister Narendra Modi, had promoted social media activism. “The right of articulation and freedom we fully respect. But at the same time, we need to acknowledge that cyber space transaction is rising enormously for individuals, businesses, the government and companies,” he said.

Opposition parties slammed the Draft policy. Congress communications in-charge Randeep Surjewala said, “Subjugation of individual freedom, surveillance of the citizen and suppression of dissent have emerged as the DNA of the Narendra Modi-led BJP government. The draft policy on encryption, first circulated, then amended and now, withdrawn with a rider for re-issuing it, is a totalitarian, misconceived and a failed attempt of the Modi government to override all sense of individual freedom of speech and expression and encroach upon the right to privacy of communication…With 243.1 million internet users in India at the end of 2014 (173 million being mobile internet users), 112 million Facebook users, 80 million WhatsApp users, 22 million Twitter users and 950 million mobile connections, the intrusion of individual liberty is fraught with dangerous dimensions under the Modi government.”

Aam Aadmi Party spokesperson Raghav Chadha said, “Only a fascist government can bring such a policy. The draft policy was in violation of the right to personal liberty and the fundamental tenets of freedom of speech and expression…the draft policy was for snooping. It presupposes the 1.2 billion people of India are potential criminals. It reflects the inclination of the government and its intention to turn India into a totalitarian state.”

ABOUT THE NATIONAL ENCRYPTION POLICY

Five things the government draft policy wanted

Information security for individuals, businesses and government agencies
Development of indigenous encryption standards
Use of digital signatures to authenticate transactions
Legal interception and data retention
Service providers to register under appropriate government agency

Things that caused outrage

Regulation of private sector encryption
Storage of all encrypted communications for

90 days

Gaining backdoor into private communications of users

Amendment & withdrawal

Omission of mass encryption products such as those used by social networks
Withdrawal of draft policy following Ravi Shankar Prasad’s statement

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-23-2015-govt-presses-undo-button-on-draft-encryption-policy

The Internet in the Indian Judicial Imagination

Divij Joshi — 2015-09-09T05:26:50Z

This post by Divij Joshi is part of the 'Studying Internets in India' series. Divij is a final year student at the National Law School of India University, Bangalore and is a keen observer and researcher on issues of law, policy and technology. In this essay, he traces the history of the Internet in India through the lens of judicial trends, and looks at how the judiciary has defined its own role in relation to the Internet.

Introduction

On the 14th of August, 1995, the eve of the 48th anniversary of Indian Independence, India began a new, and wholly unanticipated tryst with destiny - Videsh Sanchar Nigam Limited (VSNL) launched India's first full Internet service for public access [1]. In 1998, just a few years after VSNL introduced dial-up Internet, around 0.5% of India’s population had regular Internet access. By 2013, the latest estimate, 15% of the country was connected to the Internet, and the number is growing exponentially [2]. As the influence of the Internet grew, the law and the courts began to take notice. In 1998, there were four mentions of the Internet in the higher judiciary (the High Courts in States and the Supreme Court of India), by 2015, it was referred to in hundreds of judgements and orders of the higher judiciary [3].

The revolutionary capacity of the Internet cannot be understated. It has played a critical part in displacing, creating and enhancing social structures and institutions – from the market, to ideas of community – and its potential still remains unexplored. The Internet has also unsettled legal systems around the world, because of its massive potential to create very new forms of social and legal relationships and paradigms which extant law was unequipped for. The dynamism of the Internet means that legislation and statutory law, being static and rigid, is inherently ill suited for the governance of the Internet, and much of this role is ultimately ceded to the judiciary. In a widely unregulated policy background, the role played by this institution in identifying and dealing with the peculiar nature of regulatory issues on the Internet – such as the central role of intermediaries, the challenges of intellectual property rights concerns, the conflicts of law between different jurisdictions, and the courts’ own role in being a regulator – is tremendously important. In this article, an attempt is made to weave a thread through judicial decisions as well as judicial obiter (or peripheral text) regarding the Internet, to explain how the judiciary has captured and defined the Internet and its capacities, potentials and actors, and what effects this has on the Internet and on society. Inter alia, this article examines how judicial disputes have shaped internet policy in India.

The Internet and the Role of the Courts

The relationship between the law and technology is reminiscent of the famous paradox posed by the greek philosopher Zeno – Achilles and a tortoise agree to race. The tortoise has a head start, and, by the logic of the paradox, Achilles is never able to catch up to him. Every time Achilles covers the distance between himself and the tortoise at any point, the tortoise has moved ahead some distance, which need to be covered once again. As Achilles covers that distance, the tortoise has once again moved a distance away, and so on, to infinite progression, proving that Achilles can never catch up to the tortoise [4].

The legal regulation of the Internet follows a similar path. The Internet was not an immediate concern for law and policy, which meant that its evolution was largely determined in a space free from centralized governmental regulation. By the time parliaments and courts began to understand the implications of Internet regulation, it was apparent that such regulation would be constrained by the very features of the Internet. The core feature of the Internet is decentralization of control, which is necessarily antithetical to creating a centralized legal regulation with. Moreover, the constant mutation in the function and use of the technology renders statutory law incredibly ineffective in being an adequate regulator. Even where legislatures determined a need to step in and draw special regulations for the Internet, they need to be either so broad or vague that they cede much of the regulatory space to interpreters – the courts – or be so specific that much of the regulation quickly becomes obsolete. Most importantly, the final authority to determine matters of constitutional import such as the content and scope of fundamental rights rests with the higher judiciary. In this scenario, the courts become the de facto policy makers for regulating technology. In light of our current political and social context, where the level of legislative debate on issues of public importance and constitutional import is negligible, the judiciary’s analysis of Internet regulation becomes even more important [5].

The judiciary is thus in a unique position to decide Internet policy and governance. The preliminary question is whether there is even a need to talk about the Internet as a special system with distinct policy concerns. The regulation of the Internet is certainly fundamental to the development of knowledge and education in societies, but do its unique features merit a departure from traditional law? The second and connected question is whether the law can actually play a role in determining how the Internet is shaped, i.e. how does technology respond to the law? The architecture of the system that defines the functionality of the Internet – like the TCP/IP protocol – has embodied certain values such as decentralization, autonomy, openness and privacy [6], which have to a large extent underlined the social and ethical implications of the Internet – the way it is used, the way it functions and the way it grows. These were the values explicitly introduced into the systems we use today to communicate and interact on the Internet [7]. However, there is no a priori, fixed nature of the Internet. The form the technologies that make up the Internet take, depend upon its architecture and its design, which are malleable, and to which laws contribute by incentivizing certain values and encumbering others. The legal regulation of the Internet, therefore critically affects the architecture of the system, and promotes and secures certain values.

Recognizing the effect of law upon the architecture of the Internet is critical to any balancing exercise that the judiciary has to conduct when it decides disputes about the Internet. The Internet is a unique public resource, in that its participants are (mostly) private actors pursuing a vareity of goals and interests. The values outlined above emerged in this context, where control was decetnralized and regulation depended to a large extent upon how these disparate parties act. However, the same values also disturb existing structures to control information for legitimate causes - such as protecting intellectual property rights or preventing hate speech. Adjudicating these values, often in the absence of any explicit social or political moral framework (with respect to lack of legislative or constitutional guidance on these values), the judicial responses end up as policy directions that shape the Internet. Seen outside a broader, progressive social context, which takes into account the impact of shaping technologies to reflect values, interests on the Internet are generally adjudicated and enforced as proprietary rights between private actors, which ultimately results in changing the dynamics and relative distribution of control over the technologies that make up the Internet. This proprietory conception of interests on the Internet is highly insular, and tends to undermine the intersts of the public as a stakeholder in the regulation of the Internet. This can play out in many ways – from regulation being overwhelmingly determined according to private interests like restricting new technologies in order to protect intellectual property; or with private actors imputed as the focal point of regulation, and therefore given massive control over the Internet. However, the courts can take a different approach to regulating the Internet. The judiciary, especially the Indian Supreme Court, has a generally activist trend, especially in environmental matters [8]. One of the most elegant principles invoked by the courts for the protection of the common environment, has been the public trust doctrine, which postulates that certain (environmental) resources exist for the public benefit and can only be eroded upon to ensure that they develop in the most beneficial way for the common resources [9]. A commons approach to the Internet would require a comprehensive evaluation of the roles played by different actors across different layers of the Internet and how to regulate them [10], but would be principally similar, in that rules of private property would be constrained by potential spillover effects on intellectual information resources.

As a prelude to examining the judicial analysis of the Internet, it is interesting to examine the judiciary’s own perception of its role in Internet regulation. Courts are constrained in their exercise of power by rules of jurisdiction, which become incredibly convoluted on the Internet. A broad assertion of state power over the net can potentially fragment it, which is an obvious problem. At the same time, state sovereignty and protection of the interests of its citizens and laws has to be balanced with the above concerns [11]. The judiciary in India first attempted to grapple with the problem by exercising ‘universal jurisdiction’ over all actions on the Internet, which allowed the Court to claim jurisdiction over a defendant as long as the website or service could be accessed from within its jurisdiction [12]. This broad-reaching standard was antithetical to the development of a harmonized, unfragmented Internet and created problems of jurisdictional and sovereign conflict. As the implications of such a direction became clear, the court evolved different standards for jurisdiction which were based on whether the Internet service had some connection with the territorial jurisdiction of the court in question. The judiciary began to develop caution in its approach towards exercising personal jurisdiction in Internet cases, first applying the ‘interactivity test’ and then the ‘specific targeting’ standards for questions of jurisdiction [13]. However, the judiciary continues to adhere to a ‘long-arm’ standard for copyright and trademark violations, which allows it to extend its jurisdiction extra-territorially under those laws, through rather specious analogies with pre-internet technologies. For example, in WWE v Reshma [14], the Court explicitly analogized sale of services or goods on the Internet with contracts concluded over the telephone. Although analogies provide a comfortable framework for analysis, they also shield important distinctions between technologies from legal analysis. Problems arising from Internet cases – where many actors across many jurisdictions are involved in varying degrees – are unique to Internet technologies and such analogies ignore these important distinctions. Morever, in all the above cases, the judiciary’s assertions of power over the Internet seems to be restricted only by pragmatic regulatory concerns (such as whether personal obedience of the defendant can be secured) and its evolving understanding of questions of jurisdiction are explicitly linked to changes in the use and perception of the Internet and an understanding of interactivity and communication on the Internet.

The Early Internet and Judicial Perceptions

The Internet crept into the judicial vocabulary in 1996; a year after public access was made available, when the Supreme Court first took cognizance of ‘Internet’ as a means of interlinking countries and gathering information instantaneously [15]. Several other cases in the High Courts also spoke of the ‘Information Highway’ [16] and the various services that companies were offering, which could be availed by individuals on the Internet [17]. This corresponded with the popular understanding of the ‘first wave’ of the Internet, mostly relating to business providing services and information to users on the World Wide Web or as a space for limited personal interaction (such as through email) [18].

Some of the earliest cases where the Courts had the opportunity to examine the nature of the Internet were related to Intellectual Property on the Internet, specifically trademark and copyright in the online world. The Domain Name System, which serve to identify devices accessible on the Internet, was one of the first regulatory challenges on the Internet. Domain name disputes were unprecedented in the analog world of intellectual property, since domain names were uniquely scarce goods due to the limitations of the DNS technology. In India, the Delhi High Court in the case of Yahoo v Akash Arora first took cognizance of regulatory challenges of the DNS system on the Internet, a space which it conceptualized as a large public network of computers, and held that domain names serve the same functions on the Internet as trademarks. This case saw the recognition of the Internet as a separate, regulable space, which the Court defined as “a global collection of computer networks linking millions of public and private computers around the world.” The Court recognized some of the core, democratic features of the Internet: “The Internet is now recognized as an international system, a communication medium that allows anyone from any part of the lobe with access to the Internet to freely exchange information and share data.” In this case, the Court upheld traditional trademark rights in the case of use of domain names. The Court’s first recognition of trademark on the Internet heralded the imputation of proprietary interests on the decentralized, shared network that was the Internet, and was a precursor to the many such cases, which mostly focused on private commercial concerns. Even as the Court understood the importance of the Internet commons, i.e. the information and architecture that makes up the Internet, it chose to ignore concerns of public interest in the openness of those commons, in its balancing of proprietary rights for trademark cases. The commercial significance of the Internet was echoed in the Rediff case, where the Bombay High Court opined that “Undoubtedly the Internet is one of the important features of the Information Revolution. It is increasingly used by commercial organisations to promote themselves and their product and in some cases to buy and sell” [19]. Moreover, in these early cases, the law of the analog age was applied wholesale to the Internet, without examining in-depth the possible differences in principle and approach, providing no precedent for the development of an ‘internet law’ [20]. Overly focussed on the proprietary nature of Internet interests, the conception of the Internet as a non-commercial space for collaboration at a decentralized or an individual level is absent from the judicial vocabulary at this stage.

Private Actors and Public Interest

The Internet permits decentralization in the hands of several private actors, which makes control of information over it so difficult. However, the information and technology that makes up the Internet are also highly centralized at certain nodal points, such as the services which provide the physical infrastructure of the Internet (like ISPs) or intermediaries which create platforms for distribution of information. Since the Internet has no centralized architecture to enable governmental control, these private intermediaries fall squarely in the crosshairs of regulatory concerns, specifically concerning their liability as facilitators of offensive or illegal content and actions. Facebook, Ebay, Twitter, Myspace, YouTube and Google are examples of private actors that have emerged as dominant service providers that host, index or otherwise facilitate access to user-generated content. Other forms of intermediaries, such as software like Napster or torrent databases like The Pirate Bay, are responsible for driving the growth of Internet-based technologies, like new modes of information sharing and communication. These services have emerged as the most important platform for sharing of information and free speech on the Internet. Most of the interaction and communication on the Internet takes place through these intermediaries and therefore they are in a position to control much of the speech that takes place online. The implications of regulating such actors are quite enormous, and its context is unique to the Internet. These private actors now control the bulk of the information that is shared online, and many of them have almost monopolistic control over certain unique forms of information sharing – think Google in the case of search engines. Developing an adequate regulatory mechanism for them is therefore critical to the future of the net. If the laws do not adequately protect their ability to host content without being liable for the same, it is likely that these actors will lean towards collateral censorship of speech beyond that which is prohibited by law, simply to protect against liability. Secondly, such liability would tend to disincentivise the creation of new platforms and services that increase access to knowledge, which have been integral to innovation on the Internet [21]. The issue of intermediary liability at this scale is unique to the Internet. The court has to adequately frame policy considerations which strike at the fundamental nature of the Internet, such as intellectual property and access to information. At the same time, concerns about legal accountability need to also be addressed. The approach that courts have taken towards the role of intermediaries is therefore critical towards any examination of Internet regulation [22].

In India, the first court to explicitly examine the public importance in issues of online intermediary liability was in the context of regulation of pornography, specifically child pornography, which has been a mainstay of regulatory concerns on the Internet. The case prompted legislative action in the form of creating rules to secure intermediary immunity. In this case the Court imputed liability for the listings of certain offensive content upon the owners of the website, Bazzee.com. Hard cases make bad law, and the same was true of this case. Referring to the challenges of regulating content on the Internet, due to the inability of methods to screen and filter such content, the Court held that intermediaries must be strictly liable for all offensive content on their site. The Court held that:

The proliferation of the internet and the possibility of a widespread use through instant transmission of pornographic material, calls for a strict standard having to be insisted upon. Owners or operators of websites that offer space for listings might have to employ content filters if they want to prove that they did not knowingly permit the use of their website for sale of pornographic material…even if for some reason the filters fail, the presumption that the owner of the website had the knowledge that the product being offered for sale was obscene would get attracted.

Intermediaries, therefore, were imputed with the liability of controlling ‘obscene’ speech – a vague and over-broad standard which did not account for the realities of online speech [23]. The above analysis reflects the judiciary’s refusal to take into account the technical concerns on the Internet which ultimately shape its architecture – and the limitations of the judiciary in reflecting upon their own role in policy making on the internet. Ultimately, the decision was overturned by a legislative act, which invoked different standards of liability for intermediaries.

In Consim Info Pvt. Ltd vs Google India Pvt. Ltd [24], the Madras High Court considered “Keyword Advertising” and the liability of search engines and competitors for ‘meta-tags’ that resulted in search engine results which may divert a trademark holder’s traffic. Google’s AdWord programme, which allows purchase of certain ‘keywords’ for the search engine results, and can potentially enable certain forms of trademark infringement, was at issue [25]. Trademarks as AdWords or search terms fulfil and important social utility of information access [26]. However, the Court’s reasoning was conspicuously missing an analysis of the public interest in protecting and promoting search engines, which were important concerns taken into account when these issues were deliberated in other forums [27]. The Court saw this dispute only taking into account private property interests and not public interest considerations, such as the general public benefit of technology which enables new forms of searching and indexing. In fact, an argument by the defendant based on the fundamental right to free (commercial) speech was raised and ignored by the court. The Court therefore ignored the public importance of search engines in favour of protecting proprietary interests which arose in a different context.

Copyright law also has tremendous implications on the Internet. As the Internet became the primary mode for the distribution of different kinds of information and creative content, the very ease of sharing that contributed to its popularity made it prone to violations of copyright, and this created a conflict between the interests of traditional rights holders and the development of the Internet as a means of better sharing of information and knowledge. The problem of holding intermediaries liable for conduct has been compounded in cases where the Court ordered ex-parte ‘John Doe’ orders against unknown defendants likely to be infringing copyright, and imputed the liability for removal of such content on the intermediaries or ISP’s, effectively issuing wide blocking orders without considering their implications or even providing a fair hearing [28]. In RK Productions [29], for instance, when holding that ISPs could be liable for failure to follow blocking orders against infringing content, the Madras High Court described the role of ISPs, such as Airtel and VSNL, as “vessels for others to use their services to infringe third party works.” Once again, the court took a particularly pessimistic view of the Internet’s capabilities, limiting its analysis to the ISP’s function in facilitating infringement and holding that “Without the ISPs, no person would be in a position to access the pirated contents nor would the unknown persons be in a position to upload the pirated version of the film.” In Myspace, the Delhi High Court held that no different standard for secondary infringement (by intermediaries) applied on the Internet, and imputed the same standard as in the 1957 Copyright Act. (In fact, it explicitly compared Myspace to brick and mortar shops selling infringing DVD’s or CD’s) [30]. The Court held that the principles of immunity under the IT Act were overridden by the provisions of the Copyright Act, and then went on to impute a strict standard for intermediaries seeking safe harbor for infringing material, including, inexplicably, that provision of some means to tackle infringement would be sufficient proof of knowledge of actual infringement, and therefore implicating mere passive platforms as infringers. Further, the Court expressly rejected a post-hoc solution for the same, and held that the intermediaries must ensure prior restraint of infringing works to escape liability. The claims that arise in cases of infringement of intellectual property on the Internet, specifically in the liability of intermediaries, are unique, and have unique implications. The inability or refusal of the judiciary to identify claims of freedom of speech and freedom of information of the larger public within the internet commons, in response to broad censorship orders for preventing infringement means that implicitly, policy takes a direction that favours private interests.

An analysis of the above cases shows that important implications of intermediary liability such as the effect on the public’s access to information and the freedom of speech in the context of the Internet did not play a role in the Courts decisions. In particular, the examination of cases above shows that private disputes are now at the forefront of issues of public importance. The Courts have unfortunately taken an insular view of these disputes, adjudicating them as inter-party, without considering the public function that private players on the Internet provide, and how their decisions should factor in these considerations.

However, the recent case of Shreya Singhal v Union of India [31], decided by the Supreme Court this March, hopefully announces a departure from this insular examination of the Internet towards a constitutional analysis, where framing an appropriate public policy for the Internet is at the forefront of the Court’s analysis.

Shreya Singhal and Constitutionalizing the Internet

In March, 2015, the Supreme Court of India struck down the notoriously abused Section 66A of the Information Technology Act, which criminalized certain classes of speech, and hopefully heralded a new phase of Internet jurisprudence in India, which imports constitutionalism into matters of cyberspace. Section 66A, premised on the pervasiveness of the Internet, criminalized online speech on vague grounds such as ‘grossly offensive’ or ‘menacing’. The Court’s examination of the nature of the Internet is particularly important. While dismissing a challenge that speech on the Internet should not be treated as distinct from other speech, the Supreme Court opined that “the internet gives any individual a platform which requires very little or no payment through which to air his views”, and by this reasoning concluded that to a limited extent, specific offences could be drawn for online speech. However, this understanding of the features of the Internet – the democratization of knowledge sharing by making it cheap and expansive, was implicit throughout the Court’s judgement, which upheld the idea of the Internet as a ‘marketplace of ideas’ and a space for free and democratic exchange, and struck down the impugned restrictive provisions as unconstitutional, in part because of their vagueness and likelihood to censor legitimate speech, bearing no relation to the constitutional restrictions on free speech under Article 19(2). Moreover, the Court understood the importance of collateral censorship and intermediary safe harbor, although only briefly examined, and read down expansive intermediary liability terms under the IT Rules to include prior judicial review of takedown notices [32].

Hopefully, the Shreya Singhal judgement marks the beginning of constitutional engagement of the judiciary with the Internet. At this moment itself, the Supreme Court is grappling with questions of limitations of online pornography [33]; search engine liability for hate speech [34]; intermediary liability for defamation [35]; and liability for mass surveillance. How the Supreme Court takes cognizance of these cases, how they ultimately proceed, and how they take into account the principles sounded by the Shreya Singhal court, will have a tremendous impact on the internet and society in India.

Conclusion

This article was an attempt to study the Internet in India, and look at the relationship between the judiciary and the Internet. But ‘the Internet’ is not some fixed, immutable space, and any study has to take this into account. The function of the Internet depends upon the values built in to it. These values can be in favor of free speech, or enable censorship. They can protect privacy, or enable mass surveillance. The growth of the Internet as a medium of free speech and expression has been fuelled to a large extent in the spaces free of legal regulation, but the law is perhaps the most important regulator of the Internet, in its ability to use state power to create incentives for certain values, and to change the nature of the Internet. This study, therefore, charted the dynamic relationship between judicial law and other factors responsible for the regulation of the Internet.

For a technology which is so pervasive in our daily lives, and growing in importance day by day, it is surprising that the Supreme Court of India has only recently taken cognizance of constitutional issues on the Internet. While important internet-specific issues have arisen in disputes before the judiciary, judicial examination has generally ignored technical nuances of the new technology, and furthermore ignored the wider implications of framing Internet policy by applying rules that applied in other contexts, such as for copyright or trademark. Without a clear articulation of political and moral bases to guide Internet policy, a clear policy-driven approach to the Internet remains absent, and the regulatory space has been captured by fragmented interest groups without an assessment of larger interests in maintaining the Internet commons, such as allowing peer-based production and sharing of information.

There is, however, reason to be optimistic about the courts and the Internet. The Supreme Courts reaffirmation and identification of the freedom of speech on the Internet in Shreya Singhal, will, hopefully, resonate in the policy decisions of both the courts and legislators, and the internet can be reformulated as a space deserving constitutional scrutiny and protection.

References

[1] VSNL Starts India's First Internet Service Today, The Indian Technomist, (14th August, 1995), available at http://dxm.org/techonomist/news/vsnlnow.html.

[2] Internet Statistics by Country, International Telecommunication Union, available at http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx.

[3] Source: http://manupatra.com/.

[4] Nick Huggett, Zeno's Paradoxes, The Stanford Encyclopedia of Philosophy, Edward N. Zalta (ed.), available at http://plato.stanford.edu/archives/win2010/entries/paradox-zeno/.

[5] See: http://indianexpress.com/article/india/india-others/a-little-reminder-no-one-in-house-debated-section-66a-congress-brought-it-and-bjp-backed-it/; Publicly available records of Lok Sabha debates also show no mention of this controversial law.

[6] I take values to mean certain desirable goals and methods, which could be both intrinsically good to pursue and whose pursuit allows other instrumental goods to be achieved. See Michael J. Zimmerman, Intrinsic vs. Extrinsic Value, The Stanford Encyclopedia of Philosophy, Edward N. Zalta (ed.), available at http://plato.stanford.edu/archives/spr2015/entries/value-intrinsic-extrinsic/.

[7] Hellen Nissenbaum, How Computer Systems Embody Values, Computer Magazine, 118, (March 2001), available at https://www.nyu.edu/projects/nissenbaum/papers/embodyvalues.pdf.

[8] S.P. Sathe, Judicial Activism: The Indian Experience, 6 Washington University Journal of Law & Policy, 29, (2001).

[9] M.C. Mehta v. Kamal Nath and Ors., 2000(5) SCALE 69.

[10] Yochai Benkler, From Consumers to Users: Shifting the Deeper Structures of Regulation Toward Sustainable Commons and User Access, 52(3) Federal Communications Law Journal, 561, (2000).

[11] Thomas Shultz, Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface, 19(4) European Journal Of International Law, 799, (2008); Wendy A. Adams, Intellectual Property Infringement in Global Networks: The Implications of Protection Ahead of the Curve, 10 Int’l J.L. & Info. Tech, 71, (2002).

[12] Casio India Co. Limited v. Ashita Tele Systems Pvt. Limited, 2003 (27) P.T.C. 265 (Del.) (India).

[13] Banyan Tree Holding (P) Ltd. v. A. Murali Krishna Reddy & Anr., CS(OS) 894/2008.

[14] World Wrestling Entertainment v. Reshma Collection (FAO (OS) 506/2013 (Delhi).

[15] Dr. Ashok v. Union of India and Ors., AIR 1997 SC 2298.

[16] Rajan Johnsonbhai Christy vs State Of Gujarat, (1997) 2 GLR 1077.

[17] Union Of India And Ors. Vs. Motion Picture Association And Ors, 1999 (3) SCR 875; Yahoo!, Inc. vs Akash Arora & Anr., 1999 IIAD Delhi 229 – “The Internet provides information about various corporations, products as also on various subjects like educational, entertainment, commercial, government activities and services.”

[18] Yochai Benkler, The Wealth of Networks.

[19] Rediff Communication Limited vs Cyberbooth & Another, 1999 (4) Bom CR 278.

[20] Even when the Supreme Court finally recognized these concerns a few years later, when the Internet had morphed into a massive commercial platform and an important forum for free speech, in the Satyam Infotech case (2004(3)AWC 2366 SC), it discussed the unique problem of domain name identifiers and scarcity of domain names, yet went on to hold that an even higher standard of passing off for trademarks should apply in domain names, disregarding the prior standard of an ‘honest concurrent user’.

[21] Jack Balkin, The Future of Free Expression in a Digital Age, 36 Pepperdine Law Review, (2008)

[22] Id.

[23] Avnish Bajaj v. State (NCT of Delhi), 3 Comp. L.J. 364 (2005).

[24] 2013 (54) PTC 578 (Mad)

[25] The judgement also reveals the predominance of Google’s search engine service. The Court defines the operation of “search engines” as synonymous with Google’s particular service – including adding elements like the ‘I’m Feeling Lucky’ option as defining elements of search engines.

[26] David J. Franklyn & David A. Hyman, Trademarks As Search Engine Keywords: Much Ado About Something?, 26(2) Harvard Journal of Law and Technology, 540, (2013).

[27] Id.

[28] Reliance Big Entertainment v. Multivision Network and Ors, Delhi High Court, available at http://cis-india.org/internet-governance/resources/john-doe-order-reliance-entertainment-v-multivision-network-and-ors.-movie-singham; Sagarika Music Pvt. Ltd. v. Dishnet Wireless Ltd., C.S. No. 23/2012, G.A. No. 187/2012 (Calcutta High Court Jan. 27, 2012) (order); See Generally, Ananth Padmanabhan, Give Me My Space and Take Down His, 9 Indian Journal of Law and Technology, (2013).

[29] R.K. Productions v. BSNL Ltd and Ors. O.A.No.230 of 2012, Madras High Court.

[30] Super Cassetes Industries Ltd. v. Myspace Inc. and Anr., 2011 (47) P.T.C. 49 (Del.)

[31] Shreya Singhal and Ors. V Union of India and Ors., W.P.(Crl).No. 167 of 2012, Supreme Court, (2015).

[32] The courts refusal to address important questions of intermediary responsibility has also been criticized, see Jyoti Pandey, The Supreme Court Judgment in Shreya Singhal and What It Does for Intermediary Liability in India?, Centre for Internet and Society, available at http://cis-india.org/internet-governance/blog/sc-judgment-in-shreya-singhal-what-it-means-for-intermediary-liability.

[33] See: http://sflc.in/kamlesh-vaswani-v-uoi-w-p-c-no-177-of-2103/.

[34] See: http://cis-india.org/internet-governance/blog/search-engine-and-prenatal-sex-determination.

[35] See: https://indiancaselaws.wordpress.com/2013/10/23/google-india-pvt-ltd-vs-visaka-industries-limited/.

The post is published under Creative Commons Attribution 4.0 International license, and copyright is retained by the author.

For more details visit https://cis-india.org/raw/blog_the-internet-in-the-indian-judicial-imagination

Data Flow in the Unique Identification Scheme of India

vidushi — 2015-09-03T17:02:44Z

This note analyses the data flow within the UID scheme and aims at highlighting vulnerabilities at each stage. The data flow within the UID Scheme can be best understood by first delineating the organizations involved in enrolling residents for Aadhaar. The UIDAI partners with various Registrars usually a department of the central or state Government, and some private sector agencies like LIC etc– through a Memorandum of Understanding for assisting with the enrollment process of the UID project.

Many thanks to Elonnai Hickok for her invaluable guidance, input and feedback

These Registrars then appoint Enrollment Agencies that enroll residents by collecting the necessary data and sharing this with the UIDAI for de-duplication and issuance of an Aadhaar number, at enrolment centers that they set up. The data flow process of the UID is described below:[1]

Data Capture

Filling out an enrollment form – To enroll for an Aadhaar number, individuals are required to provide proof of address and proof of identity. These documents are verified by an official at the enrollment center.

Vulnerability: Though an official is responsible for verifying these documents, it is unclear how this verification is completed. It is possible for fraudulent proof of address and proof of identity to be verified and approved by this official.

The 'introducer' system: For individuals who do not have a Proof of Identity, Proof of Address etc the UIDAI has established an 'introducer' system. The introducer verifies that the individual is who they claim to be and that they live where they claim to live.

Vulnerability: This introducer is akin to the introducer concept in banking; except that here, the introducer must be approved by the Registrar, and need not know the person bring enrolled. This leads to questions of authenticity and validity of the data collected and verified by an 'introducer'. The Home Ministry in 2012, indicated that this must be reviewed.[2]

Categories of data for enrollment: The UIDAI has a standard enrollment form and list of documents required for enrollment. This includes: name, address, birth date, gender, proof of address and proof of identity. Some MoUs (Memorandum of Understanding) permit for the Registrars to collect additional information in addition to what is required by the UIDAI. This could be any information the Registrar deems necessary for any purpose.

Vulnerability: The fact that a Registrar may collect any information they deem necessary and for any purpose leads to concerns regarding (1) informed consent – as individuals are in placed in a position of having to provide this information as it is coupled with the Aadhaar enrollment process (2) unauthorized collection - though the MOU between the UIDAI and the Registrar has authorized the Registrar to collect additional information – if the information is personal in nature and the Registrar is a body corporate it must be collected as per the Information Technology Rules 2011 under section 43A. It is unclear if Registrars that are body corporates are collecting data in accordance to these rules. (3) As Registrars are permitted to collect any data they deem necessary for any purpose – this leads to concerns regarding misuse of this data..[3]

Verification of Resident’s Documents: true copies of original documents, after verification are sent to the Registrar for “permanent storage.”[4]

Vulnerability: It is unclear as to what extent and form this storage takes place. There is no clarity on who is responsible for the data once collected, and the permissible uses of such data are also unclear. The contracts between the UID and Registry claim that guidelines must be followed, while the guidelines state that, “The documents are required to be preserved by Registrar till the UIDAI finalizes its document storage agency” and states that the “Registrars must ensure that the documents are stored in a safe and secure manner and protected from unauthorized access.” [5] The question of what is “unauthorized access”, “secure storage”, when is data transferred to the UIDAI and when the UIDAI will access it and why remain unanswered. Moreover, there is nothing about deleting documents once the MoU lapses. The guidelines in question were also developed post facto.

Data collection for enrollment: After verification of proof of address and proof of identity, operators at the enrolling the agency will be enrolling individuals. Data Collection is completed by operators at the enrolling agency. This includes the digitization of enrollment forms and collection of biometrics. Enrollment information is manually collected and entered into computers operating software provided by the UIDAI and then transferred to the UIDAI. Biometrics are collected through devices that have been provided by third parties such as Accenture and L1Identity Solutions.

Vulnerability: After data is collected by enrollment operators it is possible for data leakage to occur at the point of collection or during transfer to the Registrar and UIDAI. Data operators, are therefore not answerable to the UIDAI, but to a private agency; a fact which has been the cause of concern even within the government.[6] There have also been instances of sub contracting which leads to more complications in respect of accountability. Misuse[7] and loss of data is a very real possibility, and irregularities have been reported as well.[8] By relying on technology that is provided by third parties (in many cases foreign third parties) data collected by these devices is also available to these companies while at the same time the companies are not regulated by Indian law.

Import pre-enrolment data into Aadhaar enrollment client, Syncing NPR/census data into the software: The National Population Register (NPR) enrolls usual residents, and is governed by the Citizenship Rules, which prescribe a penalty for non disclosure of information.

Vulnerability: Biometrics does not form part of the Rules that govern NPR data collection; the Citizenship Rules, 2003. In many ways, collection of biometrics without amending the citizenship laws amounts to a worrying situation. The NPR hands over information that it collects to UIDAI, biometrics collected as part of the UIDAI is included in the NPR, leading to concerns surrounding legality and security of such data.

Resident’s consent: for “whether the resident has agreed to share the captured information with organizations engaged in delivery of welfare services.”

Vulnerability: This allows the UIDAI to use data in an almost unfettered fashion. The enrolment form reads, “‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” Informed consent, Vague. What info and with whom. Why is necessary for the UIDAI to share this information, when the organization is only supposed to be a passive intermediary? Does beyond the mandate of the UIDAI, which is only to provide and authenticate the number.

Biometric exceptions: The operator checks if the resident’s eyes/hands are amputated/missing, and after the Supervisor verifies the same, the record is made as an exception and only the individuals photograph is recorded.

Vulnerability: There has widespread misuse of this clause, with data being fabricated to fall into this category, making it unreliable as a whole. In March 2013, 3.84 lakh numbers were cancelled as they were based on fraudulent use of the exception clause. [9]

Operator checks if resident wants Aadhaar enabled bank account: The UID project was touted to be a scheme that would ensure access to benefits and subsidies that are provided through cash transfers as well as enabling financial inclusion. Subsequently, the need for a Aadhaar embedded bank account was made essential to avail of these benefits. The operator at this point checks whether the resident would like to open such a bank account.

Vulnerability: The data provided at the time of linking UID with a bank account cannot be corrected or retracted. Although this has the vision of financial inclusion, it is now a threat of exclusion.

Capturing biometrics- The UIDAI scheme includes assigning each individual a unique identification number after collecting their demographic and biometric information. One Time Passwords are used to manually override a situation in which biometric identification fails.[10] The UIDAI data collection process was revamped in 2012 to include best finger detection and multiple try method.[11]

Vulnerabilities: The collection process is not always accurate, in fact, 70% of the residents who enrolled in Salt Lake, will have to re-enroll due to discrepancies at the time of enrollment.[12] Further, a large number of people in India are unable to give biometric information due to manual labour, or cataracts etc.

After such data is entered, the Operator shows such data to the Resident or Introducer or Head of the Family (as the case may be) for validation.

Operator Sign off – Each set of data needs to be verified by an Operator whose fingerprint is already stored in the system.

Vulnerability: Vesting authority to sign off in an operator allows for signing off on inaccurate or fraudulent data. For example, the issuance of aadhaar numbers to biometric exceptions highlight issues surrounding misuse and unreliability of this function.[13]

After this, the Enrolment operator gets supervisor’s sign off for any exceptions that might exist, Acknowledgement and consent for enrolment is stored. Any correction to specified data can be made within 96 hours.

Document Storage, Back up and Sync

After gathering and verifying all the information about the resident, the Enrolment Agency Operator will store photocopies of the documents of the resident. These Agencies also backup data “from time to time” (recommended to be twice a day), and maintain it for a minimum of 60 days. They also sync with the server every 7-10 days.

Vulnerability: The security implications of third party operators storing information is greatly exacerbated by the fact that these operators use technology and devices from companies have close ties to intelligence agencies in other countries; L-1 Identity Solutions have close ties with America’s CIA, Accenture with French intelligence etc. [14]

Transfer of Demographic and Biometric Data Collected to CIDR

“First mile logistics” include transferring data by using Secure File Transfer Protocol) provided by UIDAI or through a “suitable carrier” such as India Post.

Vulnerability: There is no engagement between the UIDAI and the enrolling agencies; the registrars engage private enrolment agencies, and not the UIDAI. Further, the scope of people authorized to collect information, the information that can be collected, how such information is stored etc are all vague. In 2009, there was a notification that claimed that the UIDAI owns the database[15] but there is no indication on how it may be used, how this might react to instances of identity fraud, etc.

Data De-duplication and Aadhar Generation at CIDR

On receiving biometric information, the de-duplication is done to ensure that each individual is given only one UID number.

Vulnerability:

This de-duplication is carried out by private companies, some of which are not of indian origin and thus are also not bound by Indian law. Also, the volume of Aadhaar numbers rejected due to quality or technical reasons is a cause of worry; the count reaching 9 crores in May 2015.[16]
The MoUs promise registrars access to information contained in the Aadhaar letter, although individuals are ensured that such letter is only sent to them. [17]
General compliance and de-duplication has been an issue, with over 34,000 people being issued more than one Aadhaar number,[18] and innumerable examples of faulty Aadhaar cards being issued.[19]

[1] Enrolment Process Essentials : UIDAI , (December 13,2012), http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[2] UIDAI to review biometric data collection process of 60 crore resident Indians: P Chidambaram, Economic Times, (Jan 31, 2012), http://articles.economictimes.indiatimes.com/2012-01-31/news/31010619_1_biometrics-uidai-national-population-register.

[3]See: an MoU signed between the UIDAI and the Government of Madhya Pradesh. Also see: Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[4]http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[5] Document Storage Guidelines for Registrars – Version 1.2, https://uidai.gov.in/images/mou/D11%20Document%20Storage%20Guidelines%20for%20Registrars%20final%2005082010.pdf

[6] Arindham Mukherjee, Lola Nayar, Aadhaar,A Few Basic Issues, Outlook India, (December 5, 2011), http://dataprivacylab.org/TIP/2011sept/India4.pdf.

[7] Aadhaar: UIDAI probing several cases of misuse of personal data, The Hindu, (April 29, 2012), http://www.thehindubusinessline.com/economy/aadhar-uidai-probing-several-cases-of-misuse-of-personal-data/article3367092.ece.

[8] Harsimran Julka, UIDAI wins court battle against HCL technologies, The Economic Times, (October 4, 2011), http://articles.economictimes.indiatimes.com/2011-10-04/news/30242553_1_uidai-bank-guarantee-hp-and-ibm.

[9] Chetan Chauhan, UIDAI cancels 3.84 lakh fake Aadhaar numbers, The Hindustan Times, (December 26, 2012), http://www.hindustantimes.com/newdelhi/uidai-cancels-3-84-lakh-fake-aadhaar-numbers/article1-980634.aspx.

[10] Usha Ramanathan, “Inclusion project that excludes the poor”, The Statesman (July 4, 2013).

[11] UIDAI to Refresh Data Collection Process, Zee News, (February 7, 2012) http://zeenews.india.com/news/delhi/uidai-to-refresh-data-collection-process_757251.html.

[12] Snehal Sengupta, Queue up again to apply for Aadhaar, The Telegraph, (February 27, 2015), http://www.telegraphindia.com/1150227/jsp/saltlake/story_5642.jsp#.VayjDZOqqko

[13] Chauhan, supra note 7.

[14] Usha Ramanathan, Three Supreme Court Orders Later, What’s the Deal with Aadhaar? Yahoo News, (April 13, 2015), https://in.news.yahoo.com/three-supreme-court-orders-later--what-s-the-deal-with-aadhaar-094316180.html.

[15] Usha Ramanathan, “Threat of Exclusion and of Surveillance”, The Statesman (July 2, 2013).

[16] Over 9 Crore Aadhaar enrolments rejected by UIDAI, Zee News (May 8, 2015).

[17] Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[18] Surabhi Agarwal, Duplicate Aadhar numbers within estimate, Live Mint (March 5, 2013).

[19] Usha Ramanathan, “Outsourcing enrolment, gathering dogs and trees”, The Statesman (August 7, 2013).

For more details visit https://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india

August 2015 Bulletin

praskrishna — 2015-10-27T00:25:02Z

We are happy to share with you the eighth issue of the Centre for Internet and Society (CIS) newsletter (August 2015). The past editions of the newsletter can be accessed at http://cis-india.org/about/newsletters.

Highlights

Researchers at Work programme has published a book titled Digital Activism in Asia Reader exploring in detail digital activism in Asia. The Reader was edited by Nishant Shah, P.P. Sneha, and Sumandro Chattapadhyay with support from Anirudh Sridhar, Denisse Albornoz, and Verena Getahun. The pre-publication drafts of two sections written by Sumandro Chattapadhyay for the third volume (2000-2010) of the Asia Internet History series edited by Prof. Kilnam Chon have been posted for open-review process. As part of the 'Studying Internets in India' series, RAW published blog entries on Governing Speech on the Internet and Mock-Calling - Ironies of Outsourcing and the Aspirations of an Individual. NVDA team conducted a workshop at Jeevan Jyoti School for the Blind, Varanasi from August 26 to 28, 2015. Eighty five students and 13 teachers took part in the training programme. NVDA team had conducted another workshop earlier in Nashik. The workshop was conducted in June. A batch of 17 Special Educators and teachers of the blind attended the workshop. Maggie Huang, Arpita Sengupta and Paavni Anand as part of the Pervasive Technologies project co-authored a research paper that seeks to compare the publicly available information on the websites of music collective management organizations ("CMOs") operating within India, the United States, and the United Kingdom. Amulya Purushothama, Nehaa Chaudhari and Varun Baliga in a blog entry have delved into the question of what the mandate of the Sectoral Innovation Council is, what its activities are, and what vision for IPR development in India has it put forth. An RTI Application has been filed by CIS to attain information on these issues. In a blog post, Amulya Purushothama announced our new MHRD IPR Chair Series and has charted the sequence of events, starting from the establishment of MHRD IPR Chairs, to discussions surrounding their purpose and functioning, to concerns surrounding the lack of information about the IPR Chairs, the first round of RTIs that CIS had filed in regard to this and the responses it solicited. Subhashish Panigrahi interviewed Prateek Pattanaik. Prateek has not just digitized as many as 54 Odia-language poetry dating early 18th century but has also annotated, both poetic and prosaic translation in his blogs "Sri Jagannatha" and "Utkal Sangeet". He has also published a complete book "Kisora chandranana champu" on Odia Wikisource. A recent entrant into the Odia Wikimedia community, Prateek is also the youngest Odia Wikimedian. Rohan George and Elonnai Hickok in a blog post analyzed consent, big data and data protection that examines in detail why the principle of consent is providing us increasingly less of an aegis in protecting our data. Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh on behalf of CIS submitted a clause-by-clause comments on the Human DNA Profiling Bill that was circulated by the Department of Biotechnology on June 9, 2015. Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar co-authored an article titled Security: Privacy, Transparency and Technology. The article was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2. Elonnai Hickok in a blog post titled A Review of the Policy Debate around Big Data and Internet of Things has done an analysis as to how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things. The Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist. Vipul Kharbanda analyses this in a blog entry. Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations. Elonnai Hickok has provided an initial evaluation of how Big Data could impact India's current data protection standards. Elonnai Hickok has provided a comparison of Human DNA Profiling Bill 2012 vs. the Human DNA Profiling Bill 2015, CIS's main recommendations vs. the 2015 Bill, Sub-Committee Recommendations vs. the 2015 Bill, and the Expert Committee Recommendations vs. the 2015 Bill. CIS submitted its comments to the non-paper on the UNGA Overall Review of the Implementation of the WSIS outcomes, evaluating the progress made and challenges ahead. In a policy brief, Vipul Kharbanda has analyzed the different laws regulating surveillance at the state and central level in India and calls out ways in which the provisions are unharmonized. The brief then provides recommendations for the harmonization of surveillance law in India. Hardnews interviewed Sunil Abraham about the future of the internet in India. The article was published in their August edition. Shyam Ponappa in an Op-ed published by Business Standard has given an analysis on the reasons of the number of dropped calls on our mobile phones.

Accessibility and Inclusion

Under a grant from the Hans Foundation we are doing a project on developing text-to-speech software for 15 Indian languages. The progress made so far in the project can be accessed here. The project on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India got over and the compilation has been printed.

NVDA and eSpeak

Monthly Updates

August 2015 Report (Suman Dogra; July 31, 2015).

Event Reports

Training in eSpeak Marathi (Organized by NVDA team; National Association for the Blind; Nashik; June 22 - 23, 2015). The workshop was held in the month of June but the report got published later in August.
Training in eSpeak Hindi (Organized by NVDA team; Jeevan Jyoti School for the Blind; Varanasi; August 26 - 28, 2015).

Access to Knowledge

As part of the Access to Knowledge programme we are doing two projects. The first one (Pervasive Technologies) under a grant from the International Development Research Centre (IDRC) is for research on the complex interplay between pervasive technologies and intellectual property to support intellectual property norms that encourage the proliferation and development of such technologies as a social good. The second one (Wikipedia) under a grant from the Wikimedia Foundation is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Pervasive Technologies

Blog Entries

Methodology: Patent Landscaping in the Indian Mobile Device Market (Rohini Lakshané; November 10, 2014). This blog post published last year has been recently updated.
Comparative Transparency Review of Collective Management Organisations in India, United Kingdom and the United States (Maggie Huang, Arpita Sengupta and Paavni Anand; August 1, 2015).

Other (Copyright and Patent)

Blog Entries

CCI Participation at the Upcoming 3rd International Conference on IPR and Competition (Amulya Purushothama; August 5, 2015). CIS wrote to the Competition Commission of India Chairman on August 5, 2015 about participation at a conference organised by Ericsson and concerns regarding conflict of interest. We also had several other NGOs sign on to the letter.
MHRD IPR Chair Series: Introduction (Amulya Purushothama; August 10, 2015). Aditya Garg assisted in research and writing.
National IPR Policy Series: What Have the Sectoral Innovation Councils Been Doing on IPR (Nehaa Chaudhari and Varun Baliga; August 13, 2015). Amulya Purushothama assisted with research and writing.

Media Coverage

Competition Commission of India chariman's participation in Assocham conference raises conflict of interests (Rema Nagarajan; The Times of India; August 6, 2015).
Assocham event sparks row over conflict of interest by CCI (Dilasha Seth and Deepak Patel; Business Standard; August 6, 2015).

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entry

Odia Wikisource has a new Wikisourcer, and he is the youngest in the Odia Wikimedia community! (Subhashish Panigrahi; August 21, 2015).

Events Co-organized

Annamaya Library edit-a-thon (Organized by CIS-A2K and Telugu Wikipedia Community; August 6, 2015; Andhra Loyola College; Vijaywada).
International Workshop on Digitization and Archiving (Organized by CIS-A2K and Wikipedia Community; August 19 - 21, 2015). Rahmanuddin Shaik was one of the trainers.

FOSS

Participation in Events

Workshop on digital collaborations in Tamil-language, Tamil Virtual Chennai (Organized by Tamil Virtual University, Anna University Campus, Chennai; August 8 - 9, 2015). Dr. U.B. Pavanaja atttended this event.
Open Innovation, entrepreneurship, and our digital future (Organized by iSpirit; Bangalore; August 13, 2015). Rohini Lakshané attended the event. Rohini wrote a report on this .

Media Coverage

CIS gave its inputs to the following:

Telugu Wikipedia Edit-a-thon at ALC (Eenadu; August 6, 2015)
Telugu Wiki Edit-a-thon in ALC (Eenadu; August 6, 2015)
Rare Telugu religious and historical work preserved at Annamacharya library to come on Wikisource! (The Hans India; August 7, 2015).
ಗ್ರಾಮೀಣ ಪ್ರದೇಶದ ಆರ್ಥಿಕ ಪ್ರಗತಿಯಿಂದ ದೇಶದ ಆರ್ಥಿಕ ಪ್ರಗತಿ ಸಾಧ್ಯವಾಗುತ್ತದೆ. (Mangalorean.com; August 13, 2015).
ವಿಕಿಪಿಡಿಯ ಮುಕ್ತವಾಗಿ ಬಳಸಿ: ಡಾ.ಪವನಜ (Karavali Karnataka; August 14, 2015).
ಬೆಳ್ತಂಗಡಿ:ಎಲ್ಲಾ ಕಾಲಕ್ಕೂ ಲಭ್ಯ ಇರುವ ಸ್ವತಂತ್ರ ಹಾಗೂ ಮುಕ್ತ ವಿಶ್ವಕೋಶ ವಿಕಿಪೀಡಿಯಾ-ಪವನಜ (SahilOnline; August 14, 2015).
Talamaddale on August 23 (Hindu; August 16, 2015).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and International Development Research Centre (IDRC)) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on studying the restrictions placed on freedom of expression online by the Indian government.

Privacy

Article

Security: Privacy, Transparency and Technology (Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar; Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2 ; August 19, 2015).

Submission

CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015 (Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh; August 27, 2015).

Blog Entries

Policy Paper on Surveillance in India (Vipul Kharbanda; August 3, 2015).
Comparison of the Human DNA Profiling Bill 2012 with: CIS recommendations, Sub-Committee Recommendations, Expert Committee Recommendations, and the Human DNA Profiling Bill 2015 (Elonnai Hickok; August 10, 2015).
Right to Privacy in Peril (Vipul Kharbanda; August 13, 2015).
Responsible Data Forum: Discussion on the Risks and Mitigations of releasing Data (Vanya Rakesh; August 26, 2015).
Are we Throwing our Data Protection Regimes under the Bus? (Elonnai Hickok and Rohan George; August 29, 2015).
Supreme Court Order is a Good Start, but is Seeding Necessary? (Elonnai Hickok and Rohan George; August 29, 2015).

Big Data

Blog Entries

Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Elonnai Hickok; August 11, 2015).
A Review of the Policy Debate around Big Data and Internet of Things (Elonnai Hickok; August 17, 2015).

Participation in Event

The Changing Landscape of ICT Governance and Practice - Convergence and Big Data (Co-organized by Innovation Center for Big Data and Digital Convergence, Yuan Ze University, Taiwan; August 24 - 25, 2015). Sharat Chandra Ram was granted the Young Scholar Award 2015 to attend theYoung Scholar Workshop followed by main CPRSouth2015 conference (Communication Policy Research South) conference.

Free Speech and Expression

Submission

CIS submission to the UNGA WSIS+10 Review (Jyoti Panday; August 9, 2015),

Cyber Security

Upcoming Event

Bangalore Chapter Meet of DSCI (Co-organized by DSCI and CIS; September 26, 2015). Melissa Hathaway, Commissioner, Global Commission for Internet Governance and Sunil Abraham will be speaking at this event.

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Op-ed

Those Dropped Calls (Shyam Ponappa; Business Standard; August 5, 2015 and Organizing India Blogspot; August 6, 2015).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by contemporary concerns to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It is interested in producing local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Books

Digital Activism in Asia Reader (edited by Nishant Shah, P.P. Sneha, and Sumandro Chattapadhyay, with support from Anirudh Sridhar, Denisse Albornoz, and Verena Getahun; August 8, 2015).

Books Chapters

Civil Society Organisations and Internet Governance in Asia - Open Review (Sumandro Chattapadhyay; Asia Internet History Vol. 3, edited by Prof. Kilnam Chon). Comments are invited.
Civil Society Organisations and Internet Governance in India - Open Review (Sumandro Chattapadhyay; Asia Internet History Vol. 3, edited by Prof. Kilnam Chon). Comments are invited.

Accepted Paper Abstract

Studying the Emerging Database State in India: Notes for Critical Data Studies (Sumandro Chattapadhyay; August 2, 2015). The paper has been provisionally accepted.

Blog Entries

Mock-Calling - Ironies of Outsourcing and the Aspirations of an Individual (Sreedeep; August 6, 2015).
Governing Speech on the Internet: From the Free Marketplace Policy to a Controlled 'Public Sphere' (Smarika Kumar; August 28, 2015).

News & Media Coverage

CIS gave its inputs to the following media coverage:

Why the DNA Bill is open to misuse: Sunil Abraham (Kanika Datta; Business Standard; August 1, 2015)
Porn ban: People will soon learn to circumvent ISPs and govt orders, expert says (Karthikeyan Hemalatha; The Times of India; August 2, 2015).
Indian government orders ISPs to block 857 porn websites (John Ribeiro; IDG News and PC World; August 2, 2015)
India blocks access to 857 porn sites (BBC; August 3, 2015).
India launches crackdown on online porn (James Crabtree; Financial Times; August 3, 2015).
Proxies and VPNs: Why govt can't ban porn websites? (Siladitya Ray; August 3, 2015; Hindustan Times)
Nanny state rules porn bad for you (Anahita Mukherji; The Times of India; August 4, 2015).
Ban on pornography temporary, says government (Business Standard; August 4, 2015)
Porn block in India sparks outrage (Australian; August 5, 2015).
Indian Porn Ban is Partially Lifted But Sites Remain Blocked (Sean Mclain; Wall Street Journal; August 5, 2015)
Genetic Profiling: Is it all in the DNA? (Ullekh N.P.; The Open Magazine; August 7, 2015)
India partially lifts Porn Ban? (Nazhat Khan; DESI blitz; August 7, 2015)
Net Neutrality: India is a Key Battleground (Abeer Kapoor; Hardnews; August 10, 2015)
Stats from 2014 reveal horror of scrapped section 66A of IT Act (Aloke Tikku; Hindustan Times; August 20, 2015).
The seedy underbelly of revenge porn (Sandhya Soman; The Times of India; August 23, 2015).
The new tattler in town (P. Anima; Hindu Businessline; August 28, 2015).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the mediation and reconfiguration of social and cultural processes and structures by the internet and digital media technologies.

► Follow us elsewhere

CIS - Twitter: http://twitter.com/cis_india
Access to Knowledge - Twitter: https://twitter.com/CISA2K
Access to Knowledge - Facebook: https://www.facebook.com/cisa2k
Access to Knowledge - E-Mail: a2k@cis-india.org
Researchers at Work - E-Mail: raw@cis-india.org
Researchers at Work - Mailing List: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration:

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, Access to Knowledge, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/august-2015-bulletin

Supreme Court Order is a Good Start, but is Seeding Necessary?

Elonnai Hickok and Rohan George — 2015-09-07T13:21:58Z

This blog post seeks to unpack the ‘seeding’ process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the court in the context of the seeding process.

Introduction

On August 11th 2015, in the writ petition Justice K.S Puttaswamy (Retd.) & Another vs. Union of India & Others1, the Supreme Court of India issued an interim order regarding the constitutionality of the UIDAI scheme. In response to the order, Dr. Usha Ramanathan published an article titled  'Decoding the Aadhaar judgment: No more seeding, not till the privacy issue is settled by the court' which, among other points, highlights concerns around the seeding of Aadhaar numbers into service delivery databases. She writes that "seeding' is a matter of grave concern in the UID project. This is about the introduction of the number into every data base. Once the number is seeded in various databases, it makes convergence of personal information remarkably simple. So, if the number is in the gas agency, the bank, the ticket, the ration card, the voter ID, the medical records and so on, the state, as also others who learn to use what is called the 'ID platform', can 'see' the citizen at will."2

Building off of this statement, this article seeks to unpack the 'seeding' process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the Court in the context of the seeding process.

What is Seeding?

In the UID scheme, data points within databases of service providers and banks are organized via individual Aadhaar numbers through a process known as 'seeding'. The UIDAI has released two documents on the seeding process - "Approach Document for Aadhaar Seeding in Service Delivery Databases version 1.0" (Version 1.0)3 and "Standard Protocol Covering the Approach & Process for Seeding Aadhaar Number in Service Delivery Databases June 2015 Version 1.1" (Version 1.1)4

According to Version 1.0 "Aadhaar seeding is a process by which UIDs of residents are included in the service delivery database of service providers for enabling Aadhaar based authentication during service delivery."5 Version 1.0 further states that the "Seeding process typically involves data extraction, consolidation, normalization, and matching".6 According to Version 1.1, Aadhaar seeding is "a process by which the Aadhaar numbers of residents are included in the service delivery database of service providers for enabling de-duplication of database and Aadhaar based authentication during service delivery".7 There is an extra clause in Version 1.1's definition of seeding which includes "de-duplication" in addition to authentication.

Though not directly stated, it is envisioned that the Aadhaar number will be seeded into the databases of service providers and banks to enable cash transfers of funds. This was alluded to in the Version 1.1 document with the UIDAI stating "Irrespective of the Scheme and the geography, as the Aadhaar Number of a given Beneficiary finally has to be linked with the Bank Account, Banks play a strategic and key role in Seeding."8

How does the seeding process work?

The seeding process itself can be done through manual/organic processes or algorithmic/in-organic processes. In the inorganic process the Aadhaar database is matched with the database of the service provider - namely the database of beneficiaries, KYR+ data from enrolment agencies, and the EID-UID database from the UIDAI. Once compared and a match is found - for example between KYR fields in the service delivery database and KYR+ fields in the Aadhaar database - the Aadhaar number is seeded into the service delivery database.9

Organic seeding can be carried out via a number of methods, but the recommended method from the UIDAI is door to door collection of Aadhaar numbers from residents which are subsequently uploaded into the service delivery database either manually or through the use of a tablet or smart phone. Perhaps demonstrating the fact that technology cannot be used as a 'patch' for a broken or premature system, organic (manual) seeding is suggested as the preferred process by the UIDAI due to challenges such as lack of digitization of beneficiary records, lack of standardization in Name and Address records, and incomplete data.10

According to the 1.0 Approach Paper, to facilitate the seeding process, the UIDAI has developed an in house software known as Ginger. Service providers that adopt the Aadhaar number must move their existing databases onto the Ginger platform, which then organizes the present and incoming data in the database by individual Aadhaar numbers. This 'organization' can be done automatically or manually. Once organized, data can be queried by Aadhaar number by person's on the 'control' end of the Ginger platform.11

In practice this means that during an authentication in which the UIDAI responds to a service provider with a 'yes' or 'no' response, the UIDAI would have access to at least these two sets of data: 1.) Transaction data (date, time, device number, and Aadhaar number of the individual authenticating) 2.) Data associated to an individual Aadhaar number within a database that has been seeded with Aadhaar numbers (historical and incoming). According to the Approach Document version 1.0, "The objective here is that the seeding process/utility should be able to access the service delivery data and all related information in at least the read-only mode." 12 and the Version 1.1 document states "Software application users with authorized access should be able to access data online in a seamless fashion while providing service benefit to residents." 13

What are the concerns with seeding?

With the increased availability of data analysis and processing technologies, organisations have the ability to link disparate data points stored across databases in order that the data can be related to each other and thereby analysed to derive holistic, intrinsic, and/or latent assessments. This can allow for deeper and more useful insights from otherwise standalone data. In the context of the government linking data, such "relating" can be useful - enabling the government to visualize a holistic and more accurate data and to develop data informed policies through research14. Yet, allowing for disparate data points to be merged and linked to each other raises questions about privacy and civil liberties - as well as more intrinsic questions about purpose, access,  consent and choice.  To name a few, linked data can be used to create profiles of individuals, it can facilitate surveillance, it can enable new and unintended uses of data, and it can be used for discriminatory purposes.

The fact that the seeding process is meant to facilitate extraction, consolidation, normalization and matching of data so it can be queried by Aadhaar number, and that existing databases can be transposed onto the Ginger platform can give rise to Dr. Ramanthan's concerns. She argues that anyone having access to the 'control' end of the Ginger platform can access all data associated to a Aadhaar number, that convergence can now easily be initiated with databases on the Ginger platform,  and that profiling of individuals can take place through the linking of data points via the Ginger platform.

How does the Supreme Court Order impact the seeding process and what still needs to be clarified?

In the interim order the Supreme Court lays out four welcome clarifications and limitations on the UID scheme:

The Union of India shall give wide publicity in the electronic and print media including radio and television networks that it is not mandatory for a citizen to obtain an Aadhaar card;
The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen;
The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the purpose of the LPG Distribution Scheme;
The information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation."15

In some ways, the court order addresses some of the concerns regarding the seeding of Aadhaar numbers by limiting the scope of the seeding process to the PDS scheme, but there are still a number of aspects of the scheme as they pertain to the seeding process that need to be addressed by the court.

These include:

The Process of Seeding

Prior to the Supreme Court interim order, the above concerns were quite broad in scope as Aadhaar could be adopted by any private or public entity - and the number was being seeded in databases of banks, the railways, tax authorities, etc. The interim order, to an extent, lessens these concerns by holding that  "The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme…".

However, the Court could have perhaps been more specific regarding what is included under the PDS scheme, because the scheme itself is broad. That said, the restrictions put in place by the court create a form of purpose limitation and a boundary of  proportionality on the UID scheme. By limiting the purpose of the Aadhaar number to use in the PDS system, the  Aadhaar number can only be seeded into the databases of entities involved in the PDS Scheme, rather than any entity that had adopted the number. Despite this, the seeding process is an issue in itself for the following reasons:

Access: Embedding service delivery databases and bank databases with the Aadhaar number allows for the UIDAI or authorized users to access information in these databases. According to version 1.1 of the seeding document from the UIDAI - the UIDAI is carrying out the seeding process through 'seeding agencies'. These agencies can include private companies, public limited companies, government companies, PSUs, semi-government organizations, and NGOs that are registered and operating in India for at least three years.16 Though under contract by the UIDAI, it is unclear what information such organizations would be able to access. This ambiguity leaves the data collected by UIDAI open to potential abuse and unauthorized access. Thus, the Court Ruling fails to provide clarity on the access that the seeding process enables for the UIDAI and for private parties.

Consent: Upon enrolling for an Aadhaar number, individuals have the option of consenting to the UIDAI sharing information in three instances:

"I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services."

"I want the UIDAI to facilitate opening of a new Bank/Post Office Account linked to my Aadhaar Number.

"I have no objection to sharing my information for this purpose""I have no objection to linking my present bank account provided here to my Aadhaar number"17

Aside for the vague and sweeping language of actions users provide consent for, which raises questions about how informed an individual is of the information he consents to share, at no point is an individual provided the option of  consenting  to the UIDAI accessing data - historic or incoming - that is stored in the database of a service provider in the PDS system seeded with the Aadhaar number. Furthermore, as noted earlier, the fact that the UIDAI concedes that a beneficiary has to be linked with a bank account raises questions of consent to this process as linking one's bank account with their Aadhaar number is an optional part of the enrollment process. Thus, even with the restrictions from the court order, if individuals want to use their Aadhaar number to access benefits, they must also seed their number with their bank accounts. On this point, in an order from the Finance Ministry it was clarified that the seeding of Aadhaar numbers into databases is a voluntary decision, but if a beneficiary provides their number on a voluntary basis - it can be seeded into a database.18

Withdrawing Consent: The Court also did not directly address if individuals could withdraw consent after enrolling in the UID scheme - and if they did - whether Aadhaar numbers should be 'unseeded' from PDS related databases. Similarly, the Court did not clarify whether services that have seeded the Aadhaar number, but are not PDS related, now need to unseed the number. Though news items indicate that in some cases (not all) organizations and government departments not involved in the PDS system are stopping the seeding process19, there is no indication of departments undertaking an 'unseeding' process. Nor is there any indication of the UIDAI allowing indivduals enrolled to 'un-enroll' from the scheme. In being silent on issues around consent, the court order inadvertently overlooks the risk of function creep possible through the seeding process, which "allows numerous opportunities for expansion of functions far beyond those stated to be its purpose"20.

Verification and liability: According to Version 1.0 and Version 1.1 of the Seeding documents, "no seeding is better than incorrect seeding". This is because incorrect seeding can lead to inaccuracies in the authentication process and result in individuals entitled to benefits being denied such benefits. To avoid errors in the seeding process the UIDAI has suggested several steps including using the "Aadhaar Verification Service" which verifies an Aadhaar number submitted for seeding against the Aadhaar number and demographic data such as gender and location in the CIDR. Though recognizing the importance of accuracy in the seeding process, the UIDAI takes no responsibility for the same. According to Version 1.1 of the seeding document, "the responsibility of correct seeding shall always stay with the department, who is the owner of the database."21 This replicates a disturbing trend in the implementation of the UID scheme - where the UIDAI 'initiates' different processes through private sector companies but does not take responsibility for such processes. 22

The Scope of the UIDAI's mandate and the necessity of seeding

Aside from the problems within the seeding process itself, there is a question of the scope of the UIDAI's mandate and the role that seeding plays in fulfilling this. This is important in understanding the necessity of the seeding process.

On the official website, the UIDAI has stated that its mandate is "to issue every resident a unique identification number linked to the resident's demographic and biometric information, which they can use to identify themselves anywhere in India, and to access a host of benefits and services." 23 Though the Supreme Court order clarifies the use of the Aadhaar number, it does not address the actual legality of the UIDAI's mandate - as there is no enabling statute in place -and it does not clarify or confirm the scope of the UIDAI's mandate.

In Version 1.0 of the Seeding document the UIDAI has stated the "Aadhaar numbers of enrolled residents are being 'seeded' ie. included in the databases of service providers that have adopted the Aadhaar platform in order to enable authentication via the Aadhaar number during a transaction or service delivery."24 This statement is only partially correct. For only providing and authenticating of an Aadhaar number - seeding is not necessary as the Aadhaar number submitted for verification alone only needs to be compared with the records in the CIDR to complete authentication of the same. Yet, in an example justifying the need for seeding in the Version 1.0 seeding document the UIDAI states "A consolidated view of the entire data would facilitate the social welfare department of the state to improve the service delivery in their programs, while also being able to ensure that the same person is not availing double benefits from two different districts."25 For this purpose, seeding is again unnecessary as it would be simple to correlate PDS usage with a Aadhaar number within the PDS database. Even if limited to the PDS system,  seeding in the databases of service providers is only necessary for the creation and access to comprehensive information about an individual in order to determine eligibility for a service. Further, seeding is only necessary in the databases of banks if the Aadhaar number moves from being an identity factor - to a transactional factor - something that the UIDAI seems to envision as the Version 1.1 seeding document states that Aadhaar is sufficient enough to transfer payments to an individual and thus plays a key role in cash transfers of benefits.26

Conclusion

Despite the fact that adherence to the interim order from the Supreme Court has been adhoc27, the order does provide a number of welcome limitations and clarifications to the UID Scheme. Yet, despite limited clarification from the Supreme Court and further clarification from the Finance Ministry's Order, the process of seeding and its necessity remain unclear. Is the UIDAI taking fully informed consent for the seeding process and what it will enable? Should the UIDAI be liable for the accuracy of the seeding process? Is seeding of service provider and bank databases necessary for the UIDAI to fulfill its mandate? Is the UIDAI's mandate to provide an identifier and an authentication of identity mechanism or is it to provide authentication of eligibility of an individual to receive services? Is this mandate backed by law and with adequate safeguards? Can the court order be interpreted to mean that to deliver services in the PDS system, UIDAI will need access to bank accounts or other transactions/information stored in a service provider's database to verify the claims of the user?

Many news items reflect a concern of convergence arising out of the UID scheme.28 To be clear, the process of seeding is not the same as convergence. Seeding enables convergence which can enable profiling, surveillance, etc. That said, the seeding process needs to be examined more closely by the public and the court to ensure that society can reap the benefits of seeding while avoiding the problems it may pose.

[1]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[2]. Usha Ramanthan. Decoding the Aadhaar judgment: No more seeding, not till the privacy issues is settled by the court. The Indian Express. August 12^th 2015. Available at: http://indianexpress.com/article/blogs/decoding-the-aadhar-judgment-no-more-seeding-not-till-the-privacy-issue-is-settled-by-the-court/

[3]. UIDAI. Approach Document for Aadhaar Seeding in Service Delivery Databases. Version 1.0. Available at: https://authportal.uidai.gov.in/static/aadhaar_seeding_v_10_280312.pdf

[4]. UIDAI. Standard Protocol Covering the Approach & Process for Seeding Aadhaar Numbers in Service Delivery Databases. Available at: https://uidai.gov.in/images/aadhaar_seeding_june_2015_v1.1.pdf

[5]. Version 1.0 pg. 2

[6]. Version 1.0 pg. 19

[7]. Version 1.1 pg. 3

[8]. Version 1.1 pg. 7

[9]. Version 1.1 pg. 5 -7

[10]. Version 1.1 pg. 7-13

[11]. Version 1.0 pg 19-22

[12]. Version 1.0 pg. 4

[13]. Version 1.1 pg. 5, figure 3.

[14]. David Card, Raj Chett, Martin Feldstein, and Emmanuel Saez. Expanding Access to Adminstrative Data for Research in the United States. Available at: http://obs.rc.fas.harvard.edu/chetty/NSFdataaccess.pdf

[15]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[16]. Version 1.1 pg. 18

[17]. Aadhaar Enrollment Form from Karnataka State. http://www.karnataka.gov.in/aadhaar/Downloads/Application%20form%20-%20English.pdf

[18]. Business Line. Aadhaar only for foodgrains, LPG, kerosene, distribution. August 27^th 2015. Available at: http://www.thehindubusinessline.com/economy/aadhaar-only-for-foodgrains-lpg-kerosene-distribution/article7587382.ece

[19]. Bharti Jain. Election Commission not to link poll rolls to Aadhaar. The Times of India. August 15^th 2015. Available at: http://timesofindia.indiatimes.com/india/Election-Commission-not-to-link-poll-rolls-to-Aadhaar/articleshow/48488648.cms

[20]. Graham Greenleaf. “Access all areas': Function creep guaranteed in Australia's ID Card Bill (No.1) Computer Law & Security Review. Volume 23, Issue 4. 2007. Available at: http://www.sciencedirect.com/science/article/pii/S0267364907000544

[21]. Version 1.1 pg. 3

[22]. For example, the UIDAI depends on private companies to act as enrollment agencies and collect, verify, and enroll individuals in the UID scheme. Though the UID enters into MOUs with these organizations, the UID cannot be held responsible for the security or accuracy of data collected, stored, etc. by these entities. See draft MOU for registrars: https://uidai.gov.in/images/training/MoU_with_the_State_Governments_version.pdf

[23]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[24]. Version 1.0 pg.3

[25]. Version 1.0 pg.4

[26]. Version 1.1 pg. 3

[27]. For example, there are reports of Aadhaar being introduced for different services such as education. See: Tanu Kulkarni. Aadhaar may soon replace roll numbers. The Hindu. August 21^st, 2015. For example: http://www.thehindu.com/news/cities/bangalore/aadhaar-may-soon-replace-roll-numbers/article7563708.ece

[28]. For example see: Salil Tripathi. A dangerous convergence. July 31^st. 2015. The Live Mint. Available at: http://www.livemint.com/Opinion/xrqO4wBzpPbeA4nPruPNXP/A-dangerous-convergence.html

For more details visit https://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary

Are we Throwing our Data Protection Regimes under the Bus?

Rohan George — 2015-09-10T14:02:08Z

In this blog post Rohan examines why the principle of consent is providing us increasingly less of an aegis in protecting our data.

Consent is complicated. What we think of as reasonably obtained consent varies substantially with the circumstance. For example, in treating rape cases, the UK justice system has moved to recognise complications like alcohol and its effect on explicit consent[1]. Yet in contracts, consent may be implied simply when one person accepts another’s work on a contract without objections[2]. These situations highlight the differences between the various forms of informed consent and the implications on its validity.

Consent has emerged as a key principle in regulating the use of personal data, and different countries have adopted different regimes, ranging from the comprehensive regimes like of the EU to more sectoral approaches like that in the USA. However, in our modern epoch characterised by the big data analytics that are now commonplace, many commentators have challenged the efficacy and relevance of consent in data protection. I argue that we may even risk throwing our data protection regimes under the proverbial bus should we continue to focus on consent as a key pillar of data protection.

Consent as a tool in Data Protection Regimes

In fact, even a cursory review of current data protection laws around the world shows the extent of the law’s reliance on consent. In the EU for example, Article 7 of the Data Protection Directive, passed in 1995, provides that data processing is only legitimate when “the data subject has unambiguously given his consent”[3]. Article 8, which guards against processing of sensitive data, provides that such prohibitions may be lifted when “the data subject has given his explicit consent to the processing of those data”[4]. Even as the EU attempts to strengthen data protection within the bloc with the proposed reforms to data protection[5], the focus on the consent of data subject remains strong. There are proposals for an “unambiguous consent by the data subject”[6] requirement to be put in place. Such consent will be mandatory before any data processing can occur[7].

Despite adopting very different overall approaches to data protection and privacy, consent is an equally integral part of data protection frameworks in the USA. In his book Protectors of Privacy[8], Abraham Newman describes two main types of privacy legislation: comprehensive and limited. He argues that places like the EU have adopted comprehensive regimes, which primarily seek to protect individuals because of the “informational and power asymmetry” between individuals and organisations[9]. On the other hand, he classifies the American approach as limited, focusing on more sectoral protections and principles of fair information practice instead of overarching legislation[10]. These sectors include the Fair Credit Reporting Act[11] (which governs consumer credit reporting), the Privacy Act[12] (which governs data collected by Federal government) and Electronic Communications Privacy Act[13] (which deals with email communications) among others. However, the Federal Trade Commission describes itself as having only “limited authority over the collection and dissemination of personal data collected online”[14].

This is because the general data processing that is commonplace in today’s era of big data is only regulated by the privacy protections that come from the Federal Trade Commission’s (FTC) Fair Information Practice Principles (FIPPs). Expectedly, consent is equally important under the FTC’s FIPPs. The FTC describes the principle of consent as “the second widely-accepted core principle of fair information practice”[15] in addition to the principle of notice. Other guidelines on fair data processing published by organisations like the Organisation for Economic Cooperation and Development[16] (OECD) or Canadian Standards Association[17] (CSA) also include consent as a key mechanism in data protection.

The origins of consent in privacy and data protection

Given the clearly extensive reliance on consent in data protection, it seems prudent to examine the origins of consent in privacy and data protection. Just why does consent have so much weight in data protection?

One reason is that data protection, along with inextricably linked concerns about privacy, could be said to be rooted in protecting private property. It was argued that the “early parameters of what was to become the right to privacy were set in cases dealing with unconventional property claims”[18], such as unconsented publication of personal letters[19] or photographs[20]. It was the publication of Brandeis and Warren’s well-known article “The Right to Privacy”[21], that developed “the current philosophical dichotomy between privacy and property rights”[22], as they asserted that privacy protections ought to be recognised as a right in and of themselves and needed separate protection[23]. Indeed, it was Warren and Brandeis who famously borrowed Justice Cooley's expression that privacy is the “right to be let alone”[24].

On the other side of the debate are scholars like Epstein and Posner, who see privacy protections as part of protecting personal property under tort law[25]. However, the central point is that most scholars seem to acknowledge the relationship between privacy and private property. Even Brandeis and Warren themselves argued that one general aim of privacy is “to protect the privacy of private life, and to whatever degree and in whatever connection a man's life has ceased to be private”[26].

It is also important to locate the idea of consent within the domain of privacy and private property protections. Ostensibly, consent seems to have the effect of lessening the privacy protections afforded in a particular situation to a person, because by acquiescing to the situation, one could be seen as waiving their privacy concerns. Brandeis and Warren concur with this position as they acknowledge how “the right to privacy ceases upon the publication of the facts by the individual, or with his consent”[27]. They assert that this is “but another application of the rule which has become familiar in the law of literary and artistic property”[28].

Perhaps the most eloquent articulation of the importance of consent in privacy comes from Sir Edward Coke’s idea that “every man’s house is his castle”[29]. Though the ‘Castle Doctrine’ has been used as a justification for protecting one’s property with the use of force[30], I think that implied in the idea of the ‘Castle Doctrine’ is that consent is necessary in order to preserve privacy. If not, why would anyone be justified in preventing trespass, other than to prevent unconsented entry or use of their property. The doctrine of “Volenti non fit injuria”[31], or ‘to one who consents no injury is done’, is thus the very embodiment of the role of consent in protecting private property. And as conceptions of private property develop to recognise that the data one gives out is part of his private property, for example in US v. Jones, which led scholars to assert that “people should be able to maintain reasonable expectations of privacy in some information voluntarily disclosed to third parties”[32], so does consent act as an important aspect of privacy protection.

Yet, linking privacy with private property is not universally accepted as the conception of privacy. For instance, Alan Westin, in his book Privacy and Freedom[33], describes privacy as “the right to control information about oneself”[34]. Another scholar, Ruth Gavison, contends instead that “our interest in privacy is related to our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others' attention”[35].

While these alternative notions about privacy’s foundational principles may differ from those related to linking privacy with private property, locating consent within these formulations of privacy is possible. Regarding Westin’s argument, I think that implicit in the right to control one’s information are ideas about individual autonomy, which is exercised through giving or withholding one’s consent. Similarly, Gavison herself states that privacy functions to advance “liberty, autonomy and selfhood”[36]. Consent plays a key role in upholding this liberty, autonomy and selfhood that privacy affords us. Clearly therefore, it is far from unfounded to claim that consent is an integral part of protecting privacy.

Consent, Big Data and Data protection

Given the solid underpinnings of the principle of consent in privacy protection, it was hardly a coincidence that consent became an integral part of data protection. However, with the rise of big data practices, one quickly finds that consent ceases to work effectively as a tool for protecting privacy. In a big data context, Solove argues that privacy regulation rooted in consent is ineffective, because garnering consent amidst ubiquitous data collection for all the online services one uses as part of daily life is unmanageable[37]. Additionally, the secondary uses of one’s data are difficult to assess at the point of collection, and subsequently meaningful consent for secondary use is difficult to obtain[38]. This section examines these two primary consequences of prioritising consent amidst Big data practises.

Consent places unrealistic and unfair expectations on the Individual

As noted by Tene and Polonetsky, the first concern is that current privacy frameworks which emphasize informed consent “impose significant, sometimes unrealistic, obligations on both organizations and individuals”[39]. The premise behind this argument stems from the way that consent is often garnered by organisations, especially regarding use of their services. An examination of various terms of use policies from banks, online video streaming websites, social networking sites, online fashion or more general online shopping websites reveals a deluge of information that the user has to comprehend. Moreover, there are a too many “entities collecting and using personal data to make it feasible for people to manage their privacy separately with each entity”[40].

As Cate and Mayer-Schönberger note in the Microsoft Global Privacy Summit Summary Report, “almost everywhere that individuals venture, especially online, they are presented with long and complex privacy notices routinely written by lawyers for lawyers, and then requested to either “consent” or abandon the use of the desired service”[41]. In some cases, organisations try to simplify these policies for the users of their service, but such initiatives make up the minority of terms of use policies. Tene and Polonetsky assert that “it is common knowledge among practitioners in the field that privacy policies serve more as liability disclaimers for businesses than as assurances of privacy for consumers”[42].

However, it is equally important to consider the principle of consent from perspective of companies. At a time where many businesses have to comply with numerous regulations and processes in the name of ‘compliance’[43], the obligations for obtaining consent could burden some businesses. Firms have to gather consent amidst enhancing user or customer experiences, which represents a tricky balance to find. For example, requiring consent at every stage may make the user experience much worse. Imagine having to give consent for your profile to be uploaded every time you make a high score in a video game? At the same time, “organizations are expected to explain their data processing activities on increasingly small screens and obtain consent from often-uninterested individuals”[44]. Given these factors, it is somewhat understandable for companies to garner consent for all possible (secondary) uses as otherwise it is not feasible to keep collecting.

Nonetheless, this results in situations where “data processors can perhaps too easily point to the formality of notice and consent and thereby abrogate much of their responsibility”[45].The totality of the situation shows the odds stacked against the individual. It could be even argued that this is one manifestation of the informational and power asymmetry that exists between individuals and organisations[46], because users may unwittingly agree to unfair, unclear or even unknown terms and conditions and data practices. Not only are individuals greatly misinformed about data collected about them, but the vast majority of people do not even read these Terms and Conditions or End User license agreements[47]. Solove also argues that “people often lack enough expertise to adequately assess the consequences of agreeing to certain present uses or disclosures of their data”[48].

While the organisational practice of providing extensive and complicated terms of use policies is not illegal, the fact that by one estimation, it may take you would have to take 76 working days to review the privacy policies you have agreed to online[49], or by another, that in the USA the opportunity cost society incurs in reading privacy policies is $781 billion[50], should not go unnoticed. I do think it is unfair for the law to put users into such situations, where they are “forced to make overly complex decisions based on limited information”[51]. There have been laudable attempts by some government organisations like Canada’s Office of the Privacy Commissioner and USA’s Federal Trade Commission to provide guidance to firms to make their privacy policies more accessible[52]. However, these are hard to enforce. Therefore, it can be assumed that when users have neither the expertise nor the rigour to review privacy policies effectively, the consent they provide would naturally be far from informed.

Secondary use, Aggregation and Superficial Consent

What amplifies this informational asymmetry is the potential for the aggregation of individual’s data and subsequent secondary use of that data collected. “Even if people made rational decisions about sharing individual pieces of data in isolation, they greatly struggle to factor in how their data might be aggregated in the future”[53].

This has to do with the prevalence of big data analytics that characterizes our modern epoch, and has major implications for the nature and meaningfulness of the consent users provide. By definition, “big data analysis seeks surprising correlations”[54] and some of its most insightful results are counterintuitive and nearly impossible to conceive at the point of primary data collection. One noteworthy example comes from the USA, with the predictive analytics of Walmart. By studying purchasing patterns of its loyalty card holders[55], the company ascertained that prior to a hurricane the most popular items that people tend to buy are actually Pop Tarts (a pre-baked toaster pastry) and Beer[56]. These correlations are highly counterintuitive and far from what people expect to be necessities before a hurricane. These insights led to Walmart stores being stocked with the most relevant products at the time of need. This is one example of how data might be repurposed and aggregated for a novel purpose, but nonetheless the question about the nature of consent obtained by Walmart for the collection and analysis of the shopping habits of its loyalty card holders stands.

One reason secondary uses make consent less meaningful has been articulated by De Zwart et al, who observe that “the idea of consent becomes unworkable in an environment where it is not known, even by the people collecting and selling data, what will happen to the data”[57]. Taken together with Solove’s aggregation effect, two points become apparent:

Data we consent to be collected about us may be aggregated with other data we may have revealed in the past. While separately they may be innocuous, there is a risk of future aggregation to create new information which one may find overly intrusive and not consent to. However, current data protection regimes make it hard for one to provide such consent, because there is no way for the user to know how his past and present data may be aggregated in the future.
Data we consent to be collected for one specific purpose may be used in a myriad of other ways. The user has virtually no way to know how their data might be repurposed because often time neither do the collectors of that data[58].

Therefore, regulators reliance on principles of purpose limitation and the mechanism of consent for robust data protection seems suboptimal at the very least, as big data practices of aggregation, repurposing and secondary uses become commonplace.

What can organisations do better to obtain more meaningful consent

Organisations that collect data could alter the way the obtain user consent. Most people can attest to having checked a box that was lying surreptitiously next to the words ‘I agree’, thereby agreeing to the Terms and Conditions or End-user License Agreement for a particular service or product. This is in line with the need for both parties to assent to the terms of a contract as part of making valid a contract[75]. Some of the more common types of online agreements that users enter into are Clickwrap and Browsewrap agreements. A Clickwrap agreement is “formed entirely in an online environment such as the Internet, which sets forth the rights and obligations between parties”[76]. They “require a user to click "I agree" or “I accept” before the software can be downloaded or installed”[77]. On the other hand, Browsewrap agreements “try to characterize your simple use of their website as your ‘agreement’ to a set of terms and conditions buried somewhere on the site”[78].

Because Browsewrap agreements do not “require a user to engage in any affirmative conduct”[79], the kind of consent that these types of agreements obtain is highly superficial. In fact, many argue that such agreements are slightly unscrupulous because users are seldom aware that such agreements exist[80], often hidden in small print[81] or below the download button[82] for example. And the courts have begun to consider such terms and practices unfair, which “hold website users accountable for terms and conditions of which a reasonable Internet user would not be aware just by using the site”[83]. For example, In re Zappos.com Inc., Customer Data Security Breach Litigation, the court said of their Terms of Use (which is in a browsewrap agreement):

“The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use. No reasonable user would have reason to click on the Terms of Use”[84]

Clearly, courts recognise the potential for consent or assent to be obtained in a hardly transparent or hands on manner. Organisations that collect data should be aware of this and consider other options for obtaining consent.

A few commentators have suggested that organisations switch to using Clickwrap or clickthrough agreements to obtain consent. Undergirding this argument is the fact that courts have on numerous occasions, upheld the validity of a Clickwrap agreement. Such cases include Groff v. America Online, Inc[85] and Hotmail Corporation v. Van Money Pie, Inc[86]. These cases built upon the precedent-setting case of Pro CD v. Zeidenberg, in which the court ruled that “Shrinkwrap licenses are enforceable unless their terms are objectionable on grounds applicable to contracts in general”[87]. Shrinkwrap licenses, which refer to end user license agreements printed on the shrinkwrap of a software product which a user will definitely notice and have the opportunity to read before opening and using the product, and the rules that govern them, have seen application to clickthrough agreements. As Bayley rightly noted, the validity of clickthrough agreements is dependent on “reasonable notice and opportunity to review—whether the placement of the terms and click-button afforded the user a reasonable opportunity to find and read the terms without much effort”[88].

From the perspective of companies and other organisations which attempt to garner consent from users to collect and process their data, utilizing Clickwrap agreements might be one useful solution to consider in obtaining more meaningful and informed consent. In fact Bayley contends that clear Clickwrap agreements are “the “best practice” mechanism for creating a contractual relationship between an online service and a user”[89]. He suggests the following mechanism for acquiring clear and informed consent via contractual agreement[90]:

Conspicuously present the TOS to the user prior to any payment (or other commitment by the user) or installation of software (or other changes to a user’s machine or browser, like cookies, plug-ins, etc.)
Allow the user to easily read and navigate all of the terms (i.e. be in a normal, readable typeface with no scroll box)
Provide an opportunity to print, and/or save a copy of, the terms
Offer the user the option to decline as prominently and by the same method as the option to agree
Ensure the TOS is easy to locate online after the user agrees.

These principles make a lot of sense for organisations, as it requires relatively minor procedural changes instead of more transformational efforts to alter the way the validate their data processing processes entirely.

Herzfield adds two further suggestions to this list. First, organisations should not allow any use of their product or service until “express and active manifestation of assent”[91]. Also, they should institute processes where users re-iterate their consent and assent to the terms of use[92]. He goes further to propose a baseline that organisations should follow: “companies should always provide at least inquiry notice of all terms, and require counterparties to manifest assent, through action or inaction, in a manner that reasonable people would clearly understand to be assent”[93].

While obtaining informed and meaningful consent is neither fool proof nor a process which has widely accepted clear steps, what is clear is that current efforts by organisations may be insufficient. As Cate and Mayer-Schönberger note, “data processors can perhaps too easily point to the formality of notice and consent and thereby abrogate much of their responsibility”[94]. One thing they can do to both ensure more meaningful and informed consent (from the perspective of the users) and preventing potential legal action for unscrupulous or unfair terms is to change the way they obtain consent from opt out to opt in.

Conclusion – how should regulation change

In conclusion, the current emphasis and extensive use of consent in data protection seems to be limited in effectively protecting against illegitimate processing of data in a big data context. More people are starting to use online services extensively. This is coupled by the fact that organisations are realizing the value of collecting and analysing user data to carry out data-driven analytics for insights that can improve the efficacy of the product. Clearly, data protection has never been more crucial.

However not only does emphasising consent seem less relevant, because the consent organisations obtain is seldom informed, but it may even jeopardise the intentions of data protection. Commentators are quick to point out how nimble firms are at acquiring consent in newer ways that may comply with laws but still allow them to maintain their advantageous position of asymmetric power. Kuner, Cate, Millard and Svantesson, all eminent scholars in the field of Big data, asked the prescient question: “Is there a proper role for individual consent?”[95]They believe consent still has a role, but that finding this role in the Big data context is challenging[96]. However, there is surprising consensus on the approach that should be taken as data protection regimes shift away from consent.

In fact, the alternative is staring at us in the face: data protection regimes have to look elsewhere, to other points along the data analysis process for aspects to regulate and ensure legitimate and fair processing of data. One compelling idea which had broad-based support during the aforementioned Microsoft Privacy Summit was that “new approaches must shift responsibility away from data subjects toward data users and toward a focus on accountability for responsible data stewardship”[97], ie creating regulations to guide data processing instead of the data collection. De Zwart et al. suggest that regulation must instead “focus on the processes involved in establishing algorithms and the use of the resulting conclusions”[98].

This might involve regulations relating to requiring data collectors to publish the queries they run on the data. This would be a solution that balances maintaining the ‘trade secret’ of the firm, who has creatively designed an algorithm, with ensuring fairness and legitimacy in data processing. One manifestation of this approach is in conceptualising procedural data due process which “would regulate the fairness of Big Data’s analytical processes with regard to how they use personal data (or metadata derived from or associated with personal data) in any adjudicative process, including processes whereby Big Data is being used to determine attributes or categories for an individual”[99]. While there is debate regarding the usefulness of a data due process, the idea of data due process is just part of the consortium of ideas surrounding alternatives to consent in data protection. The main point is that “greater transparency should be required if there are fewer opportunities for consent or if personal data can be lawfully collected without consent”[100].

It is also worth considering exactly what a single use of group or individual’s data is, and what types of uses or processes require a “greater form of authorization”[101]. Certain data processes could require special affirmative consent to be procured, which is not applicable for other less intimate matters. Canada’s Office of the Privacy Commissioner released a privacy toolkit for organisations, in which they provide some exceptions to the consent principle, one of which is if data collection “is clearly in the individual’s interests and consent is not available in a timely way”[102]. Some therefore suggest that “if notice and consent are reserved for more appropriate uses, individuals might pay more attention when this mechanism is used”[103].

Another option for regulators is to consider the development and implementation of a sticky privacy policies regime. This refers to “machine-readable policies [that] can stick to data to define allowed usage and obligations as it travels across multiple parties, enabling users to improve control over their personal information”[104]. Sticky privacy policies seem to alleviate the risk of repurposed, unanticipated uses of data because users who consent to giving out their data will be consenting to how it is used thereafter. However, the counter to sticky policies is that it places even greater obligations on users to decide how they would like their data used, not just at one point but for the long term. To expect organisations to state their purposes for future use of individuals data or that individuals are to give informed consent to such uses seems farfetched from both perspectives.

Still another solution draws from the noted scholar Helen Nissenbaum’s work on privacy. She argues that “the benchmark of privacy is contextual integrity”[105]. ”Contextual integrity ties adequate protection for privacy to norms of specific contexts, demanding that information gathering and dissemination be appropriate to that context and obey the governing norms of distribution within it”[106]. According to this line of thinking, legislators should instead focus their attention on what constitutes appropriateness in certain contexts, although this could be a challenging task as contexts merge and understandings of appropriateness change according to the circumstances of a context. .

While there is little consensus regarding the numerous ways to focus regulatory attention on data processing and the uses of data collected, there is more support for a shift away from consent, as exemplified by the Microsoft privacy Summit:

“There was broad general agreement that privacy frameworks that rely heavily on individual notice and consent are neither sustainable in the face of dramatic increases in the volume and velocity of information flows nor desirable because of the burden they place on individuals to understand the issues, make choices, and then engage in oversight and enforcement.”[107] I think Cate and Mayer- Schönberger make for the most valid conclusion to this article, as well as to summarise the debate I have presented. They say that “in short, ensuring individual control over personal data is not only an increasingly unattainable objective of data protection, but in many settings it is an undesirable one as well.”[108] We might very well be throwing the entire data protection regimes under the bus.

[1] Gordon Rayner and Bill Gardner, “Men Must Prove a Woman Said ‘Yes’ under Tough New Rape Rules - Telegraph,” The Telegraph, January 28, 2015, sec. Law and Order, http://www.telegraph.co.uk/news/uknews/law-and-order/11375667/Men-must-prove-a-woman-said-Yes-under-tough-new-rape-rules.html.

[2] Legal Information Institute, “Implied Consent,” accessed August 25, 2015, https://www.law.cornell.edu/wex/implied_consent.

[3] European Parliament, Council of the European Union, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995, http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:31995L0046.

[4] See supra note 3.

[5] European Commission, “Stronger Data Protection Rules for Europe,” European Commission Press Release Database, June 15, 2015, http://europa.eu/rapid/press-release_MEMO-15-5170_en.htm.

[6] Council of the European Union, “Data Protection: Council Agrees on a General Approach,” June 15, 2015, http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection/.

[7] See supra note 6.

[8] Abraham L. Newman, Protectors of Privacy: Regulating Personal Data in the Global Economy (Ithaca, NY: Cornell University Press, 2008).

[9] See supra note 8, at 24.

[10] Ibid.

[11] 15 U.S.C. §1681.

[12] 5 U.S.C. § 552a.

[13] 18 U.S.C. § 2510-22.

[14] Federal Trade Commission, “Privacy Online: A Report to Congress,” June 1998, https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-congress/priv-23a.pdf: 40.

[15] See supra note 14, at 8.

[16] Organisation for Economic Cooperation and Development, “2013 OECD Privacy Guidelines,” 2013, http://www.oecd.org/internet/ieconomy/privacy-guidelines.htm.

[17] Canadian Standards Association, “Canadian Standards Association Model Code,” March 1996, https://www.cippguide.org/2010/06/29/csa-model-code/.

[18] Mary Chlopecki, “The Property Rights Origins of Privacy Rights | Foundation for Economic Education,” August 1, 1992, http://fee.org/freeman/the-property-rights-origins-of-privacy-rights.

[19] See Pope v. Curl (1741), available here.

[20] See Prince Albert v. Strange (1849), available here.

[21] Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review 4, no. 5 (December 15, 1890): 193–220, doi:10.2307/1321160.

[22] See supra note 18.

[23] Ibid.

[24] See supra note 21.

[25] See for example, Richard Epstein, “Privacy, Property Rights, and Misrepresentations,” Georgia Law Review, January 1, 1978, 455. And Richard Posner, “The Right of Privacy,” Sibley Lecture Series, April 1, 1978, http://digitalcommons.law.uga.edu/lectures_pre_arch_lectures_sibley/22.

[26] See supra note 21, at 215.

[27] See supra note 21, at 218.

[28] Ibid.

[29] Adrienne W. Fawcett, “Q: Who Said: ‘A Man’s Home Is His Castle’?,” Chicago Tribune, September 14, 1997, http://articles.chicagotribune.com/1997-09-14/news/9709140446_1_castle-home-sir-edward-coke.

[30] Brendan Purves, “Castle Doctrine from State to State,” South Source, July 15, 2011, http://source.southuniversity.edu/castle-doctrine-from-state-to-state-46514.aspx.

[31] “Volenti Non Fit Injuria,” E-Lawresources, accessed August 25, 2015, http://e-lawresources.co.uk/Volenti-non-fit-injuria.php.

[32] Bryce Clayton Newell, “Local Law Enforcement Jumps on the Big Data Bandwagon: Automated License Plate Recognition Systems, Information Privacy, and Access to Government Information,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, October 16, 2013), http://papers.ssrn.com/abstract=2341182.

[33] Alan Westin, Privacy and Freedom (Ig Publishing, 2015).

[34] Helen Nissenbaum, “Privacy as Contextual Integrity,” Washington Law Review 79 (2004): 119.

[35] Ruth Gavison, “Privacy and the Limits of Law,” The Yale Law Journal 89, no. 3 (January 1, 1980): 421–71, doi:10.2307/795891: 423.

[36] Ibid.

[37] Daniel J. Solove, “Privacy Self-Management and the Consent Dilemma,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, November 4, 2012), http://papers.ssrn.com/abstract=2171018: 1888.

[38] Ibid, at 1889.

[39] Omer Tene and Jules Polonetsky, “Big Data for All: Privacy and User Control in the Age of Analytics,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, September 20, 2012), http://papers.ssrn.com/abstract=2149364: 261.

[40] See supra note 37, at 1881.

[41] Fred H. Cate and Viktor Mayer-Schönberger, “Notice and Consent in a World of Big Data - Microsoft Global Privacy Summit Summary Report and Outcomes,” Microsoft Global Privacy Summit, November 9, 2012, http://www.microsoft.com/en-us/download/details.aspx?id=35596: 3.

^{^[42]} See supra note 39.

[43] See for example, US Securities and Exchange Commission, “Corporation Finance Small Business Compliance Guides,” accessed August 26, 2015, https://www.sec.gov/info/smallbus/secg.shtml and Australian Securities & Investments Commission, “Compliance for Small Business,” accessed August 26, 2015, http://asic.gov.au/for-business/your-business/small-business/compliance-for-small-business/.

[44] See supra note 39.

[45] See supra note 41.

[46] See supra note 8, at 24.

[47] See for example, James Daley, “Don’t Waste Time Reading Terms and Conditions,” The Telegraph, September 3, 2014, and Robert Glancy, “Will You Read This Article about Terms and Conditions? You Really Should Do,” The Guardian, April 24, 2014, sec. Comment is free, http://www.theguardian.com/commentisfree/2014/apr/24/terms-and-conditions-online-small-print-information.

[48] See supra note 37, at 1886.

[49] Alex Hudson, “Is Small Print in Online Contracts Enforceable?,” BBC News, accessed August 26, 2015, http://www.bbc.com/news/technology-22772321.

[50] Aleecia M. McDonald and Lorrie Faith Cranor, “Cost of Reading Privacy Policies, The,” I/S: A Journal of Law and Policy for the Information Society 4 (2009 2008): 541

[51] See supra note 41, at 4.

[52] For Canada, see Office of the Privacy Commissioner of Canada, “Fact Sheet: Ten Tips for a Better Online Privacy Policy and Improved Privacy Practice Transparency,” October 23, 2013, https://www.priv.gc.ca/resource/fs-fi/02_05_d_56_tips2_e.asp. And Office of the Privacy Commissioner of Canada, “Privacy Toolkit - A Guide for Businesses and Organisations to Canada’s Personal Information Protection and Electronic Documents Act,” accessed August 26, 2015, https://www.priv.gc.ca/information/pub/guide_org_e.pdf.

For USA, see Federal Trade Commission, “Internet of Things: Privacy & Security in a Connected World,” Staff Report (Federal Trade Commission, January 2015), https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

[53] See supra note 37, at 1889.

[54] See supra note 39, at 261.

[55] Jakki Geiger, “The Surprising Link Between Hurricanes and Strawberry Pop-Tarts: Brought to You by Clean, Consistent and Connected Data,” The Informatica Blog - Perspectives for the Data Ready Enterprise, October 3, 2014, http://blogs.informatica.com/2014/03/10/the-surprising-link-between-strawberry-pop-tarts-and-hurricanes-brought-to-you-by-clean-consistent-and-connected-data/#fbid=PElJO4Z_kOu.

[56] Constance L. Hays, “What Wal-Mart Knows About Customers’ Habits,” The New York Times, November 14, 2004, http://www.nytimes.com/2004/11/14/business/yourmoney/what-walmart-knows-about-customers-habits.html.

[57] M. J. de Zwart, S. Humphreys, and B. Van Dissel, “Surveillance, Big Data and Democracy: Lessons for Australia from the US and UK,” Http://www.unswlawjournal.unsw.edu.au/issue/volume-37-No-2, 2014, https://digital.library.adelaide.edu.au/dspace/handle/2440/90048: 722.

[58] Ibid.

[59] See supra note 41, at 3.

[60] Julie E. Cohen, “What Privacy Is For,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, November 5, 2012), http://papers.ssrn.com/abstract=2175406.

[61] See supra note 37, at 1901.

[62] Ibid.

[63] See supra note 37, at 1899.

[64] Jon Leibowitz, “So Private, So Public: Individuals, The Internet & The paradox of behavioural marketing” November 1, 2007, https://www.ftc.gov/sites/default/files/documents/public_statements/so-private-so-public-individuals-internet-paradox-behavioral-marketing/071031ehavior_0.pdf: 6.

[65] See supra note 5.

[66] See supra note 37, at 1898.

[67] Ibid.

[68] Ibid.

[69] Ibid.

[70] Ibid.

[71] See supra note 41, at 3.

[72] See supra note 39, at 261.

[73] Richard H. Thaler, “Making It Easier to Register as an Organ Donor,” The New York Times, September 26, 2009, http://www.nytimes.com/2009/09/27/business/economy/27view.html.

[74] Ibid.

[75] The Oxford Introductions to U.S. Law: Contracts, 1 edition (New York: Oxford University Press, 2010): 67.

[76] Francis M. Buono and Jonathan A. Friedman, “Maximizing the Enforceability of Click-Wrap Agreements,” Journal of Technology Law & Policy 4, no. 3 (1999), http://jtlp.org/vol4/issue3/friedman.html.

[77] North Carolina State University, “Clickwraps,” Software @ NC State Information Technology, accessed August 26, 2015, http://software.ncsu.edu/clickwraps.

[78] Ed Bayley, “The Clicks That Bind: Ways Users ‘Agree’ to Online Terms of Service,” Electronic Frontier Foundation, November 16, 2009, https://www.eff.org/wp/clicks-bind-ways-users-agree-online-terms-service.

[79] Ibid, at 2.

[80] Ibid.

[81] See Nguyen v. Barnes & Noble Inc., (9^th Cir. 2014), available here.

[82] See Specht v. Netscape Communications Corp.,(2d Cir. 2002), available here.

[83] See supra note 78, at 2.

[84] See In Re: Zappos.com, Inc., Customer Data Security Breach Litigation, No. 3:2012cv00325: pg 8 line 23-26, available here.

[85] See Groff v. America Online, Inc., 1998, available here.

[86] Hotmail Corp. v. Van$ Money Pie, Inc., 1998, available here.

[87] ProCD Inc. v. Zeidenberg, (7th. Cir. 1996), available here.

[88] See supra note 78, at 1.

[89] See supra note 78, at 2.

[90] Ibid.

[91] Oliver Herzfeld, “Are Website Terms Of Use Enforceable?,” Forbes, January 22, 2013, http://www.forbes.com/sites/oliverherzfeld/2013/01/22/are-website-terms-of-use-enforceable/.

[92] Ibid.

[93] Ibid.

[94] See supra note 41, at 3.

[95] Christopher Kuner et al., “The Challenge of ‘big Data’ for Data Protection,” International Data Privacy Law 2, no. 2 (May 1, 2012): 47–49, doi:10.1093/idpl/ips003: 49.

[96] Ibid.

[97] See supra note 41, at 5.

[98] See supra note 57, at 723.

[99] Kate Crawford and Jason Schultz, “Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, October 1, 2013), http://papers.ssrn.com/abstract=2325784: 109.

[100] See supra note 41, at 13.

[101] See supra note 41, at 5.

[102] See supra note 52, Privacy Toolkit, at 14.

[103] See supra note 41, at 6.

[104] Siani Pearson and Marco Casassa Mont, “Sticky Policies: An Approach for Managing Privacy across Multiple Parties,” Computer, 2011.

[105] See supra note 34, at 138.

[106] See supra note 34, at 118.

[107] See supra note 41, at 5.

[108] See supra note 41, at 4.

For more details visit https://cis-india.org/internet-governance/blog/are-we-throwing-our-data-protection-regimes-under-the-bus

The Four Parts of Privacy in India

bhairav — 2015-08-23T13:02:28Z

For more details visit https://cis-india.org/internet-governance/blog/four-parts-of-privacy.pdf

'We Need to Proactively Ensure that People Can't File Patents Representative of the Creativity of a FOSS Community'

rohini — 2015-09-27T11:51:50Z

Rohini Lakshané attended “Open Innovation, Entrepreneurship, and Our Digital Culture” in Bangalore on August 13, 2015. Major takeaways from the event are documented in this post.

Speakers: Prof. Eben Moglen, Keith Bergelt, and Mishi Choudhary; Panel discussion moderator: Venkatesh Hariharan. See the event page here. The organizers republished Rohini's report on their website.

Prof. Eben Moglen on FOSS and entrepreneurship

The culture of business in the 21^st century needs open source software or free software because there is one Internet governed by one set of rules, protocols and APIs that make it possible for us to interact with each another. The Internet made everybody interdependent on everybody else. Startup culture needs free and open source software (FOSS) because startups are an insurgency, a guerrilla activity in business. The incumbents in a capitalistic world dislikes competition and detests that existing resources, such as FOSS, enable insurgents to circumvent some of the steep curve that they had to climb in order to become incumbents.
Hardware is developing in ways that make the idea of proprietary development of software obsolete. There is no large producer of proprietary software that isn't also dependent on FOSS. Microsoft Cloud is based on deployments that do not use Windows but are based on FOSS. The era of Android as a semi-closed, semi-proprietary form of FOSS is over. Big and small companies around the world are exploiting the open source nature of Android.
Free software is a renewable resource not a commodity. Management is needed to avoid over-consumption or destruction of the FOSS ecosystem. Software is to the 21^st century economic life what coal, steel, and rare earth metals were at the end of the previous century.
FOSS turned out to be about developing human brains. It turned out to be about using human intelligence in software better. Earlier universities, engineering colleges and research institutions were the greatest manufacturers and users of FOSS. Now businesses of all sizes are.
When Richard Stallman and Prof. Eben Moglen set out to make GPL free, they initiated a large public discussion process, the primary goal of which was to ensure that individual developers have as much right to talk and to be heard as loudly as the largest firms in the world. At the end of the negotiation process, 35 or 36 of the largest patent holders in the IT industry accepted the basic agreement to be a part of the commons. --- Incumbents like people to pay for a seat at the table. Paying to have an opinion is a pretty serious part of the landscape of the patent system.

Prof. Eben Moglen on Digital India

Every e-governance project that the Indian government buys should use FOSS. The very nature of the way the citizens and governments interact can come to be mediated by software that people can read, understand, modify, and improve. An enormous ecosystem will come up -- a kind of public–private partnership (PPP) in the improvement of governance and government services, which is far more useful than most other forms of PPP conceptualised in the developed world in the 20^th century.
Everybody has a stake in the success of this policy. Several corporations are working against this policy as they once stated that they do not need FOSS.
The biggest market for both making and consuming software in the world is in India, because the science done here will dominate global software making, which in turn will define how the Internet works, which in turn will define society. One can't develop the largest society on earth by reinventing the wheel. The government is going to understand that only the sharing of knowledge and the sharing of forms of inventing would enable the largest society in the world to develop itself freely and take its place in the forefront of digital humanity.
If every state government's data centre across India is going to be turned into a cloud, one state might have VMWare, another might have AWS, and so on, it would be disastrous. To prevent this, all e-governance activities of every state government and federal agency in India could be conducted in one, big, homogeneous Indian cloud. This would enable utility computing across the country for all citizens, which would also make room for citizen computing to happen. When one moves towards architectures of omnipresent utility computing with large amounts of memory flatly available to everybody, one is going to be describing a national computing environment for a billion people. We can't even begin to model it until we start accomplishing it.
Prof. Eben Moglen's ambition is that there comes a time not very long from now when basic data science is taught in Indian secondary schools. The software is free and all the big data sets are public. A nation of a 100 million data scientists rules the world.

Keith Bergelt on the Open Invention Network

Over the past 10 years, Open Invention Network (OIN) has emerged as the largest patent non-aggression community in the history of technology. It has around 1,700 participants and is adding almost 2 participants every day. In the last quarter, OIN had approximately 200 licensees.
There is now a cultural transformation where companies are recognising that where OIN members collaborate, they shouldn't use patents to stop or slow down progress. Where members compete, they choose to invent while utilising defensive patents publications. What we are doing is a patent collaboration and a technical collaboration that exists in major projects around the world.
OIN has been making a major effort since January 2015 to spend more time in India and China to be able to ensure that the technological might and expertise represented in the two countries can be a part of the global community, and that global projects can start here. “We can expect to leverage the expertise of the community to be able to drive innovation from here [India and China]. It's not about IBM investing a billion dollars a year since 1999 and having some birthright to driving the open source initiatives around the world or about Google or Red Hat or anyone else. You have the ability to impact major changes and we want to be able to support you in the name of freedom of action as participants.”

Panel Discussion

Patent Wars and Innovation

In the past 5 to 7 years, patent wars in the handset segment of the information technology (IT) market have wasted tens of billions of dollars on litigation, and on raising the price of patent armaments. This patent litigation was purely an economic loss to the IT industry and it contributed nothing. If the patent system strangles invention, non-profit groups, non-commercial bodies, free software makers, and start-ups cannot invent freely.
Defensive patent publications, such as those made by IBM, lead to the gross underestimation of the inventive power and output of the company. People are struggling to find something to evaluate the productive output of an entity – startup, micro-industry or macro-industry. Patents are being used inappropriately and it's part of the corruption of the patent system. Any venture capitalist (VC) who believes that either the innovative capacities or the potential success factors of a start-up are tied to its patents should know that there are only a minuscule number of cases where patents are the differentiator. The differentiators required in order to sustain business are how smart the people are, how quickly they innovate, and how quickly they are able to adapt to complex situations. We see a trend in the US of not equating patents with innovation. The core-developer and hacker communities are largely anti-patent.
However, the flip side is that if the FOSS communities do not patent defensively, i.e., acquire and publish patents for their inventions in order to prevent others from getting patents in one jurisdiction or another, patent trolls will eventually encroach on the communities' inventive output. The only people making money out of this whole process are lawyers. It is slowing down the uptake of technology by creating fears and doubts in the system.
FOSS communities didn't qualify everything produced in the 23 years of (Linus') Linux, which would have let the service serve as stable prior art, preventing other people from filing patents. We can debate what is patentable subject matter in general or whether software should be patentable, but in the meantime if we can be proactive and file everything that we have in defensive publications and make it accessible to the patent and trademark offices here and around the world, we will have far fewer patents. We need to be activists in making sure that people can't file patents that are representative of the creativity of a community.
The Chinese government has instituted a programme designed to produce defensive publications in order to capture all the inventiveness across their industries, to be able to ensure that the quality of what ultimately gets patented is at least as high.
The US has a massive repository called ip.com, which is with every patent examiner of the USPTO.
India does not grant software patents as per section 3(k) of the Indian Patents Act, but that doesn't mean that no software patents are being granted. One of the empirical studies conducted by the Software Freedom Law Centre (SFLC) in India shows that 98.3% of the [telecom and computing technology] patents granted till 2013 went to multinational corporations. Almost none of the assignees are Indian.
In the context of the ongoing patent infringement law suits filed in the Delhi High Court by Ericsson [link]: The Delhi High Court has had a reputation of being very pro-intellectual property from the beginning.
Also, there is pressure from trade organisations. In August 2015, Ericsson along with ASSOCHAM invited the Director General of the Competition Commission of India to present a paper about why patents are good. It is essential to determine how the rules of conflict of interest apply here. This is exactly what the pharmaceutical industry would do. The only bodies who would object are Doctors Without Borders (MSF) or some local organisations who realise that high priced patented drugs is not what India needs and that we do not need to have the same IP policy as the US or Japan. We only need a different policy.
The Special 301 Report of the United States Trade Representative (USTR) is a big sham, and it suggests that India doesn't have strict enforcement of IP law. India does, unlike China.
Accenture has been granted a software patent in India. The patent is about an expert present in a remote location transferring knowledge to somebody who is listening in another location. Universities offering MOOCs, BPOs, and many other services would fall under such a patent. SFLC spent four years trying to fight this patent. The first defence of Accenture's battery of lawyers was that they won't use the patent.
Patents of very low quality are being bought at very high prices. The tax system or the subsidy system for innovation regards all patents as equal. This is a pricing failure and that should be corrected by other forms of intervention. The pendulum has already begun to swing the other way. Alice Corp was the third consecutive and unanimous ruling by the US Supreme Court that abstract ideas are not patentable. Patent applications pertaining to business methods and algorithms are increasingly being rejected by the USPTO after the ruling.

Prof. Eben Moglen on Facebook:

Facebook is a badly designed technology because there is one Man in the Middle who keeps all the logs. The privacy problem with Facebook is not just about what people post. It's about surveillance and data mining of web reading behaviour. It is a social danger that ought not to exist. I have said since 2010 is that we can't forbid it; let's replace it. It means bringing the web back as a writeable medium for people in an easy way. What I see as next-generation architecture could just as well be described as Tim Burners Lee's previous generation architecture.

You have to be able to trust the Internet. If you can't, you are going to be living in the shadow of govt surveillance, corporate surveillance, the fear of identity theft, and so on. We need to be able to explain to people what kind of software they can trust and what kind they can't. Distributed social networking will happen; it's not that difficult a problem.

An example of federated networking is Freedombox, a cheap hardware doing router jobs using free software in ways that encourage privacy. The pilot project for Freedombox has been deployed in little villages in Andhra Pradesh and Karnataka. These routers don't deliver logs to a thug in a hoodie in Menlo Park.

For more details visit https://cis-india.org/a2k/blogs/we-need-to-proactively-ensure-that-people-cant-file-representatives-of-the-creativity-of-a-foss-community

Civil Society Organisations and Internet Governance in India - Open Review

sumandro — 2015-11-13T05:51:03Z

This is a book section written for the third volume (2000-2010) of the Asia Internet History series edited by Prof. Kilnam Chon. The pre-publication text of the section is being shared here to invite suggestions for addition and modification. Please share your comments via email sent to raw[at]cis-india[dot]org with 'Civil Society Organisations and Internet Governance in India - Comments' as the subject line. This text is published under Creative Commons Attribution-NoDerivatives 4.0 International license.

You are most welcome to read the pre-publication drafts of other sections of the Asia Internet History Vol. 3, and share your comments: https://sites.google.com/site/internethistoryasia/book3.

Early Days

The overarching context of development interventions and rights-based approaches have shaped the space of civil society organizations working on the topics of information and communication technologies (ICTs) and Internet governance in India. Early members of this space came from diverse backgrounds. Satish Babu was working with the South Indian Federation of Fishermen Societies (SIFFS) in mid-1990s, when he set up a public mailing list called 'FishNet,' connected to Internet via the IndiaLink email network, (then) run by India Social Institute to inter-connect development practitioners in India. He went on to become the President of Computer Society of India during 2012-2013; and co-founded Society for Promotion of Alternative Computing and Employment (SPACE) in 2003, where he served as the Executive Secretary during 2003-2010 [Wikipedia 2015]. Anita Gurumurthy, Executive Director of IT for Change and one of the key actors from Indian civil society organizations to take part in the World Summit on the Information Society (WSIS) process, had previously worked extensively on topics related to public health and women's rights [ITfC b], which deeply shaped the perspectives she and IT for Change have brought into the Internet governance sphere, globally as well as nationally [Gurumurthy 2001]. Arun Mehta initiated a mailing list titled 'India-GII' in 2002 to discuss 'India's bumpy progress on the global infohighway' [India-GII 2005]. This list played a critical role in curating an early community of non-governmental actors interested in the topics of telecommunication policy, spectrum licensing, Internet governance, and consumer and communication rights. As Frederick Noronha documents, the mailing list culture grew slowly in India during the late 1990s and early 2000s. However, they had a great impact in organizing early online communities, sometimes grouped around a topical focus, sometimes functioning as a bridge among family members living abroad, and sometimes curating place-specific groups [Noronha 2002].

The inaugural conference of the Free Software Foundation of India [FSFI] in Thiruvananthapuram, on 20 July 2001, galvanized the Free/Libre and Open Source Software (FLOSS) community in India. The conference was titled 'Freedom First,' and Richard Stallman was invited as the chief guest. It was a vital gathering of actors from civil society organizations, software businesses, academia, and media, as well as the Secretary of the Department of Information Technology, Government of Kerala (the state where the conference was held). The conference laid the basis for sustained collaborations between the free software community, civil society organizations, emerging software firms in the state, and the Government of Kerala for the years to come. Two early initiatives that brought together free software developers and state government agencies were the Kerala Trasportation Project and the IT@School project, which not only were awarded to firms promoting use of FLOSS in electronic governance project, but facilitated a wider public dialogue regarding the need think critically about the making of information society in India [Kumar 2007]. The inter-connected communities and overlapping practices of the FLOSS groups, civil society organizations involved in ICT for Development initiatives, telecommunication policy analysts and advocates, and legal-administrative concerns regarding life in the information society – from digital security and privacy, to freedom of online expressions, to transparency in electronic governance infrastructures – have, hence, continued to shape the civil society space in India studying, discussing, responding, and co-shaping policies and practices around governance of Internet in India.

Key Organizations

IT for Change was established in 2000, in Bengaluru, as a non-governmental organization that 'works for the innovative and effective use of information and communication technologies (ICTs) to promote socio-economic change in the global South, from an equity, social justice and gender equality point of view' [ITfC]. It has since made important contributions in the field of ICTs for Development, especially in integrating earlier communication rights practices organised around old media forms with newer possibilities of production and distribution of electronic content using digital media and Internet [ITfC e], and in that of Internet governance, especially through their participation in the WSIS and Internet Governance Forum (IGF) processes and by co-shaping the global Souther discourse of the subject [ITfC d]. It has also done significant works in the area of women's rights in the information society, and have been a core partner in a multi-country feminist action research project on using digital media to enhance the citizenship rights and experiences of marginalized women in India, Brazil, and South Africa [ITfC c]. IT for Change has co-led the formation of Just Net Coalition in February 2014 [JNC].

Digital Empowerment Foundation (DEF) was founded by Osama Manzar, in New Delhi in 2002, with a 'deep understanding that marginalised communities living in socio-economic backwardness and information poverty can be empowered to improve their lives almost on their own, simply by providing them access to information and knowledge using digital tools' [DEF c]. DEF has contributed to setting up Community Information Resource Centres across 19 states and 53 districts in India, with computers, printers, scanners, and Internet connectivity [DEF]. DEF organises one of the biggest competitions in Asia to identify, foreground, and honour significant contributions in the area of ICT for Development [DEF d]. This annual competition series, titled 'Manthan Award' (Translation: 'manthan' means 'churning' in Sanskrit), started in 2004. It has alllowed DEF to create a detailed database of ICT for Development activities and actors in the South Asia and Asia Pacific region. Since 2011, DEF has started working with Association for Progressive Communications on a project titled 'Internet Rights' to take forward the agenda of 'internet access for all' in India [DEF b].

The Society for Knowledge Commons was formed in New Delhi 2007 by 'scientists, technologists, researchers, and activists to leverage the tremendous potential of the ‘collaborative innovation’ model for knowledge generation that has lead to the growth of the Free and Open Source Software community (FOSS) around the world' [Society for Knowledge Commons]. It has championed integration of FOSS into public sector operations in India – from electronic governance systems to use of softwares in educational institutes – and has made continuous interventions on Internet governance issues from the perspective of the critical importance of shared knowledge properties and practices for a more democratic information society. It is a part of the Free Software Movement of India [FSMI], an alliance of Indian organizations involved in advocating awareness and usage of FOSS, as well as a founding member of the Just Net Coalition [JNC].

The Centre for Internet and Society (CIS) was established in Bengaluru in 2008 with a research and advocacy focus on topics of accessibility of digital content for differently-abled persons, FOSS and policies on intellectual property rights, open knowledge and Indic Wikipedia projects, digital security and privacy, freedom of expression and Internet governance, and socio-cultural and historical studies of Internet in India [CIS]. In one of the key early projects, CIS contributed to the making of web accessibility policy for government websites in India, which was being drafted by the Department of Information Technology, Government of India [CIS 2008]. In the following years it took part in the Internet Governance Forum summits; submitted responses and suggestions to various policies being introduced by the government, especially the Information Technology (Amendment) Act, 2008, National Identification Authority of India (NIA) Bill, 2010, and the Approach Paper for a Legislation on Privacy, 2010; produced a report on the state of open government data in India [Prakash 2011b], and undertook an extensive study on the experiences of the young people in Asia with Internet, digital media, and social change [Shah 2011].

Software Freedom Law Centre has undertaken research and advocacy interventions, since 2011, in the topics digital privacy, software patents, and cyber-surveillance [SFLC]. The Internet Democracy Project, an initiative of Point of View, has organised online and offline discussions, participated in global summits, and produced reports on the topics of freedom of expression, cyber security and human rights, and global Internet governance architecture since 2012 [IDP].

The first Internet Society chapter to be established in India was in Delhi. The chapter began in 2002, but went through a period of no activity before being revived in 2008 [Delhi]. The Chennai chapter started in 2007 [Chennai], the Kolkata one in 2009 [Kolkata], and the Bengaluru chapter came into existence in 2010 [Bangalore]. Asia Internet Symposium have been organised in India twice: 1) the Kolkata one, held on on 1 December 2014, focused on 'Internet and Human Rights: Empowering the Users,' and 2) the Chennai symposium, held on 2 December 2014, discussed 'India in the Open and Global Internet.' The newest Internet Society chapter in India is in the process of formation in Trivandrum [Trivandrum], led by the efforts of Satish Babu (mentioned above).

Global and National Events

The first World Summit on the Information Society (WSIS) conference in Geneva, held on 10-12 December 2003, was not attended by many civil society organizations from India. Several Indian participants in the conference were part of the team of representatives from different global civil society organizations, like Digital Partners, Development Alternatives with Women for a New Era (DAWN), and International Centre for New Media [ITU 2003]. Between the first and the second conference, the engagement with the WSIS process increased among Indian civil society organizations increased of the WSIS process, which was especially led by IT for Change. In early 2005, before the second Preparatory Committee meeting of the Tunis conference, it organized a discussion event titled 'Gender Perspectives on the Information Society: South Asia Pre-WSIS Seminar' in partnership with DAWN and the Indian Institute of Management, Bangalore, which was supported by UNIFEM and the UNDP Asia-Pacific Development Information Programme [Gurumurthy 2006]. In a separate note, Anita Gurumurthy and Parminder Jeet Singh of IT for Change have noted their experience as a South Asian civil society organization engaging with the WSIS process [Gurumurthy 2005]. The second WSIS conference in Tunis, held on 16-18 November 2005, however, neither saw any significant participation from Indian civil society organizations, except for Ambedkar Centre for Justice and Peace, Childline India Foundation / Child Helpline International, and IT for Change [ITU 2005]. This contrasted sharply with the over 60 delegates from various Indian government agencies taking part in the conference [ITU 2005].

Two important events took place in India in early 2005 that substantially contributed to the civil society discourses in India around information technology and its socio-legal implications and possibilities. The former is the conference titled 'Contested Commons, Trespassing Publics' organized by the Sarai programme at the Centre for the Study of Developing Societies, Alternative Law Forum, and Public Service Broadcasting Trust, in Delhi on 6-8 January 2005. The conference attempted to look into the terms of intellectual property rights (IPR) debates from the perspectives of experiences in countries in Asia, Latin America, and Africa. It was based on the research carried out by the Sarai programme and Alternative Law Forum on contemporary realities of media production and distribution, and the ways in which law and legal instruments enter into the most intimate spheres of social and cultural life to operationalise the IPRs. The conference combined academic discussions with parallel demonstrations by media practitioners, and knowledge sharing by FLOSS communities [Sarai 2005]. The latter event is the first of the Asia Source workshop that took place in Bengaluru during 28 January - 4 February 2005 . It brought together more than 100 representatives from South and South-East Asian civil society organizations and technology practitioners working with them, along with several leading practitioners from Africa, Europe, North America, and Latin America, to promote adoption and usage of FLOSS across the developmental sector in the region. The workshop was organized by Mahiti (Bengaluru) and Tactical Technology Collective (Amsterdam), with intellectual and practical support from an advisory group of representatives from FLOSS communities and civil society organizations, and financial support from Hivos, the Open Society Institute, and International Open Source Network [Asia Source].

While the participation of representatives from Indian civil society organizations at the IGFs in Athens (2006) and Rio de Janeiro (2007) was minimal, the IGF Hyderabad, held on 3-6 December 2008, provided a great opportunity for Indian civil society actors to participate in and familiarize themselves with the global Internet governance process. Apart from various professionals, especially lawyers, who attended the Hyderabad conference as individuals, the leading civil society organizations participating in the event included: Ambedkar Center for Justice and Peace, Centre for Internet and Society, Centre for Science, Development and Media Studies, Digital Empowerment Foundation, Internet Society Chennai chapter, IT for Change, and Mahiti. The non-governmental participants from India at the event, however, were predominantly from private companies and academic institutes [IGF 2008].

IT for Change made a critical intervention into the discourse of global Internet governance during the Hyderabad conference by bringing back the term 'enhanced cooperation,' as mentioned in the Tunis Agenda for the Information Society [ITU 2005 b]. At IGF Sharm El Sheikh, held during 15-18 November 2009, Parminder Jeet Singh of IT for Change explained:

[E]nhanced cooperation consists of two parts. One part is dedicated to creating globally applicable policy principles, and there is an injunction to the relevant organizations to create the conditions for doing that. And I have a feeling that the two parts of that process have been conflated into one. And getting reports from the relevant organizations is going on, but we are not able to go forward to create a process which addresses the primary purpose of enhanced cooperation, which was to create globally applicable public policy principles and the proof of that is that I don't see any development of globally applicable public policy principles, which remains a very important need. [IGF 2009]

This foregrounding of the principle of 'enhanced cooperation' have since substantially contributed to rethinking not only the global Internet governance mechanisms and its reconfigurations, but also the Indian government's perspectives towards the same. It eventually led to the proposal made by a representative of Government of India at the UN General Assembly session on 26 October 2011 regarding the establishment of a UN Committee for Internet-Related Policies [Singh 2011].

Internet Policies and Censorship

One of the earliest instances of censorship of online content in India is the blocking of several websites offering Voice over IP (VoIP) softwares, which can be downloaded to make low-cost international calls, during late 1990s. The India-GII mailing list initiated by Arun Mehta, as mentioned above, started almost as a response to this blocking move by Videsh Sanchar Nigam Limited (VSNL), the government-owned Internet Service Provider (ISP). Additionally, Mehta filed a case against VSNL for blocking these e-commerce websites, which might be identified as the first case of legal activism for Internet-related rights in India [India-GII 2001]. During the war between India and Pakistan during 1999, the Indian government instructed VSNL to block various Pakistani media websites, including that of Dawn. Like in the case of websites offering VoIP services, this blocking did not involve direct intervention with the websites concerned but only the ability of Indian users to access them [Tanna 2004]. The first well-known case of the Government of India blocking digital content for political reasons occurred in 2003, when a mailing list titled 'Kynhun' was banned. Department of Telecommunications instructed all the But the previously deployed URL-blocking strategy did not work in the new situation of mailing lists. Blocking the URL of the group did not stop it from being used by members of the group to continue sharing email through it. Government of India then approached Yahoo directly to ensure that the mailing list is closed down, which Yahoo declined to implement. This resulted in imposing of a blanket blocking of all Yahoo Groups pages across ISPs in India during September 2003. By November, Yahoo decided to close down the mailing list, and the blanket blocking was repealed [Tanna 2004]. Further blocking of several blogs and websites continued through 2006 and 2007, where the government decided to work in collaboration with various platforms offering hosted blog and personal webpage services to remove access to specific sub-domains. In resistance to this series of blocking orders by the government, there emerged an important civil society campaign titled 'Bloggers Against Censorship' led by Bloggers Collective Group, a distributed network of bloggers from all across India [Bloggers 2006].

A few weeks after the IGF Hyderabad, the Government of India passed the Information Technology (Amendment) Act 2008 on 22 December 2008 [MoLaJ 2009], although it was notified and enforced much later on 27 October 2009 [MoCaIT 2009]. This amendment attempted to clarify various topics left under-defined in the Information Technology Act of 2000. However, as Pranesh Prakash of the Centre for Internet and Society noted, the casual usage of the term 'offensive content' in the amendment opened up serious threats of broad curbing of freedom of online expression under the justification that it caused 'annoyance' or 'inconvenience' [Prakash 2009]. The sections 66 and 67 of the amended Information Technology Act, which respectively address limits to online freedom of expression and legally acceptable monitoring of digital communication by government agencies, have since been severely protested against by civil society organizations across India for enabling a broad-brushed censorship and surveillance of the Internet in India. The section 66A has especially allowed the government to make a series of arrests of Internet users for posting and sharing 'offensive content' [Pahwa 2015].

In 2011, the Government of India introduced another critical piece of policy instrument for controlling online expressions – the Information Technology (Intermediary Guidelines) Rules, 2011 [MoCaIT 2011] – targeted at defining the functions of the intermediaries associated with Internet-related services and communication, and how they are to respond to government's directives towards taking down and temporary blocking of digital content. The draft Rules were published in early 2011 and comments were invited from the general public. One of the responses, submitted by Privacy India and the Centre for Internet and Society, explicitly highlighted the draconian implications of the (then) proposed rules:

This rule requires an intermediary to immediately take steps to remove access to information merely upon receiving a written request from “any authority mandated under the law”. Thus, for example, any authority can easily immunize itself from criticism on the internet by simply sending a written notice to the intermediary concerned. This is directly contrary to, and completely subverts the legislative intent expressed in Section 69B which lays down an elaborate procedure to be followed before any information can be lawfully blocked. [Prakash 2011]

The policy apparatus of controlling online expression in India took its full form by the beginning of the decade under study here. The 'chilling effect' of this apparatus was made insightfully evident by a study conducted by Rishabh Dara at the Centre for Internet and Society, where fake takedown notices (regarding existing digital content) were sent to 7 important Internet intermediaries operating in India, and their responses were studied. The results of this experiment demonstrated that:

[T]he Rules create uncertainty in the criteria and procedure for administering the takedown thereby inducing the intermediaries to err on the side of caution and over-comply with takedown notices in order to limit their liability; and as a result suppress legitimate expressions. Additionally, the Rules do not establish sufficient safeguards to prevent misuse and abuse of the takedown process to suppress legitimate expressions. [Dara 2012]

Reference

[Bloggers 2006] Bloggers Collective Group, Bloggers Against Censorship. Last updated on April 30, 2009‎. Accessed on July 08, 2015, from http://censorship.wikia.com/wiki/Bloggers_Against_Censorship.

[Dara 2012] Dara, Rishabh, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet. The Centre for Internet and Society. April 27. Accessed on July 08, 2015, from http://cis-india.org/internet-governance/chilling-effects-on-free-expression-on-internet.

[DEF] Digital Empowerment Foundation (DEF). Community Information Resource Centre. Accessed on July 08, 2015, from http://defindia.org/circ-2/.

[DEF b] Digital Empowerment Foundation (DEF). Internet Rights. Accessed on July 08, 2015, from http://internetrights.in/.

[DEF c] Digital Empowerment Foundation (DEF). Our Story. Accessed on July 08, 2015, from http://defindia.org/about-def/.

[DEF d] Digital Empowerment Foundation (DEF). Manthan Awards. Accessed on July 08, 2015, from http://defindia.org/manthan-award-south-asia-masa/.

[FSFI] Free Software Foundation of India. Accessed on July 08, 2015, from http://fsf.org.in/.

[FSMI] Free Software Movement of India. Accessed on July 08, 2015, from http://www.fsmi.in/node.

[Gurumurthy 2001] Gurumurthy, Anita, A Gender Perspective to ICTs and Development: Reflections towards Tunis. January 15. Accessed on July 08, 2015, from http://www.worldsummit2003.de/en/web/701.htm.

[Gurumurthy 2005] Gurumurthy, Anita, and Parminder Jeet Singh, WSIS PrepCom 2: A South Asian Perspective. Association for Progressive Communications. April 01. Accessed on July 08, 2015, from https://www.apc.org/en/news/hr/world/wsis-prepcom-2-south-asian-perspective.

[Gurumurthy 2006] Gurumuthy, Anita et al (eds.), Gender in the Information Society: Emerging Issues. UNDP Asia-Pacific Development Information Programme. Accessed on July 08, 2015, from http://www.genderit.org/sites/default/upload/GenderIS.pdf.

[India-GII 2001] India-GII, Status of VSNL Censorship of IP-Telephony Sites. Accessed on July 08, 2015, from http://members.tripod.com/~india_gii/statusof.htm.

[India-GII 2005] India-GII. 2005. Last modified on May 24. Accessed on July 08, 2015, from http://india-gii.org/.

[IDP] Internet Democracy Project. Accessed on July 08, 2015, from http://internetdemocracy.in/.

[ITU 2003] International Telecommunication Union (ITU), Geneva Phase of the WSIS: List of Participants. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/geneva/summit_participants.pdf.

[ITU 2005] International Telecommunication Union (ITU), List of Participants (WSIS) – Update 5 Dec 2005. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs2/tunis/final-list-participants.pdf.

[ITU 2005 b] International Telecommunication Union (ITU), Tunis Agenda for the Information Society. November 18. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs2/tunis/off/6rev1.pdf.

[IGF 2008] Internet Governance Forum, Hyderabad Provisional List of Participants. Accessed on July 08, 2015, from http://www.intgovforum.org/cms/index.php/component/content/article/385-hyderabad-provisional-list-of-participants.

[IGF 2009] Internet Governance Forum, Managing Critical Resources. IGF Sharm El Sheikh, Egypt . November 16. Accessed on July 08, 2015, from http://www.intgovforum.org/cms/2009/sharm_el_Sheikh/Transcripts/Sharm%20El%20Sheikh%2016%20November%202009%20Managing%20Critical%20Internet%20Resources.pdf.

[Bangalore] Internet Society Bangalore Chapter. Accessed on July 08, 2015, from http://www.isocbangalore.org/.

[Delhi] Internet Society Delhi Chapter. Accessed on July 08, 2015, from http://www.isocbangalore.org.

[Chennai] Internet Society Chennai Chapter. Accessed on July 08, 2015, from http://www.isocbangalore.org.

[Kolkata] Internet Society Kolkata Chapter. Accessed on July 08, 2015, from http://isockolkata.in/.

[Trivandrum] Internet Society Trivandrum Chapter. Accessed on July 08, 2015, from http://www.internetsociety.org/what-we-do/where-we-work/chapters/india-trivandrum-chapter.

[ITfC] IT for Change, About IT for Change. Accessed on July 08, 2015, from http://www.itforchange.net/aboutus.

[ITfC b] IT for Change, Anita Gurumurthy. Accessed on July 08, 2015, from http://www.itforchange.net/Anita.

[ITfC c] IT for Change, Gender and Citizenship in the Information Society: Southern Feminist Dialogues in Practice and Theory. Accessed on July 08, 2015, from http://www.gender-is-citizenship.net/.

[ITfC d] IT for Change, Internet Governance. Accessed on July 08, 2015, from http://www.itforchange.net/Techgovernance.

[ITfC e] IT for Change, Our Field Centre. Accessed on July 08, 2015, from http://www.itforchange.net/field_centre.

[JNC] Just Net Coalition (JNC). Accessed on July 08, 2015, from http://justnetcoalition.org/.

[Kumar 2007] Kumar, Sasi V. 2007. The Story of Free Software in Kerala, India. Accessed on July 08, 2015, from http://swatantryam.blogspot.in/2007/08/story-of-free-software-in-kerala-india.html.

[MoLaJ 2009] Ministry of Law and Justice (MoLaJ), The Information Technology (Amendment) Act, 2008. The Gazette of India. February 05. Accessed on July 08, 2015, from http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf.

[MoCaIT 2009] Ministry of Communications and Information Technology (MoCaIT), Notification. The Gazette of India. October 27. Accessed on July 08, 2015, from http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/act301009.pdf.

[MoCaIT 2011] Ministry of Communications and Information Technology (MoCaIT), Information Technology (Intermediaries Guidelines) Rules, 2011. The Gazette of India. April 11. Accessed on July 08, 2015, from http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf.

[Noronha 2002] Noronha, Frederick, Linking a Diverse Country: Mailing Lists in India. The Digital Development Network. May 22. Accessed on July 08, 2015, from http://www.comminit.com/ict-4-development/content/linking-diverse-country-mailing-lists-india.

[Pahwa 2015] Pahwa, Nikhil, A List of Section 66A Arrests in India through the Years. Medianama. March 24. Accessed on July 08, 2015, from http://www.medianama.com/2015/03/223-section-66a-arrests-in-india/.

[Prakash 2009] Prakash, Pranesh, Short Note on IT Amendment Act, 2008 . The Centre for Internet and Society. February. Accessed on July 08, 2015, from http://cis-india.org/internet-governance/publications/it-act/short-note-on-amendment-act-2008/.

[Prakash 2011] Prakash, Pranesh, CIS Para-wise Comments on Intermediary Due Diligence Rules, 2011. The Centre for Internet and Society. Accessed on July 08, 2015, from http://cis-india.org/internet-governance/blog/intermediary-due-diligence.

[Prakash 2011 b] Prakash, Pranesh, et al, Open Government Data Study. The Centre for Internet and Society. Accessed on July 08, 2015, from http://cis-india.org/openness/blog/open-government-data-study.

[SFLC] Software Freedom Law Centre (SFLC). Accessed on July 08, 2015, from http://sflc.in/.

[Shah 2011] Shah, Nishant. 2011. Digital AlterNatives with a Cause? The Centre for Internet and Society. Accessed on July 08, 2015, from http://cis-india.org/digital-natives/blog/dnbook.

[Singh 2011] Singh, Dushyant, India's Proposal for a United Nations Committee for Internet-Related Policies. Sixty Sixth Session of the UN General Assembly, New York. October 26. Accessed on July 08, 2015, from http://www.itforchange.net/sites/default/files/ItfC/india_un_cirp_proposal_20111026.pdf.

[SKC] Society for Knowledge Commons. About Us. Accessed on July 08, 2015, from http://www.knowledgecommons.in/about-us/.

[Asia Source] Tactical Technology Collective, Asia Source. Accessed on July 08, 2015, from https://tacticaltech.org/asiasource.

[Tanna 2004] Tanna, Ketan, Internet Censorship in India: Is It Necessary and Does It Work?. Sarai-CSDS Independent Fellowship. Accessed on July 08, 2015, from http://www.ketan.net/INTERNET_CENSORSHIP_IN_INDIA.html.

[CIS] The Centre for Internet and Society. About Us. Accessed on July 08, 2015, from http://cis-india.org/about/.

[CIS 2008] The Centre for Internet and Society. 2008. Annual Report. Accessed on July 08, 2015, from http://cis-india.org/accessibility/annual-report-2008.pdf.

[Sarai 2005] The Sarai Programme, Contested Commons, Trespassing Publics. January 12. Accessed on July 08, 2015, from http://sarai.net/contested-commons-trespassing-publics/.

[Wikipedia 2015] Satish Babu. Wikipedia. Last modified on June 25. Accessed on July 08, 2015, from https://en.wikipedia.org/wiki/Satish_Babu.

For more details visit https://cis-india.org/raw/civil-society-organisations-and-internet-governance-in-india-open-review

Civil Society Organisations and Internet Governance in Asia - Open Review

sumandro — 2015-11-13T05:54:33Z

This is a book section written for the third volume (2000-2010) of the Asia Internet History series edited by Prof. Kilnam Chon. The pre-publication text of the section is being shared here to invite suggestions for addition and modification. Please share your comments via email sent to raw[at]cis-india[dot]org with 'Civil Society Organisations and Internet Governance in Asia - Comments' as the subject line. This text is published under Creative Commons Attribution-NoDerivatives 4.0 International license.

You are most welcome to read the pre-publication drafts of other sections of the Asia Internet History Vol. 3, and share your comments: https://sites.google.com/site/internethistoryasia/book3.

Preparations for the World Summit on the Information Society

The World Summit on the Information Society (WSIS) conferences organized by the United Nations in Geneva (2003) and Tunis (2005) initiated crucial platforms and networks, some temporary and some continued, for various non-governmental actors to intensively and periodically take part in the discussions of governance of Internet and various related activities towards the goals of inclusive development and human rights. Many of the civil society organizations taking part in the WSIS conferences, as well as the various regional and thematic preparatory meetings and seminars, had little prior experience in the topic of Internet governance. They were entering these conversations from various perspectives, such as local developmental interventions, human and cultural rights activism, freedom and diversity of media, and gender and social justice. With backgrounds in such forms of applied practice and theoretical frameworks, members of these civil society organizations often faced a difficult challenge in articulating their experiences, insights, positions, and suggestions in terms of the (then) emerging global discourse of Internet governance and that of information and communication technologies (ICTs) as instruments of development. At the WSIS: An Asian Response Meeting in 2002, Susanna George, (then) Executive Director of Isis International, Manila, succinctly expressed this challenge being faced by the members of civil society organizations:

For some feminist activists however, including myself, it has felt like trying to squeeze my concerns into a narrow definition of what gender concerns in ICTs are. I would like it to Cinderella’s ugly sister cutting off her toe to fit into the dainty slipper of gender concerns in ICTs. The development ball, it seems, can only accommodate some elements of what NGO activists, particularly those from the South, are concerned about in relation to new information and communications technologies. (George 2002)

The above mentioned seminar, held in Bangkok, Thailand, on November 22-24, 2002, was a crucial early meeting for the representatives from Asian civil society organizations to share and shape their understanding and positions before taking part in the global conversations during the following years. The meeting was organised by Bread for All (Switzerland), Communication Rights in the Information Society Campaign (Netherlands), Forum-Asia (Thailand), and World Association for Christian Communication (United Kingdom), as a preparatory meeting before the Asia-Pacific Regional Conference of WSIS, with 34 organizations from 16 Asian countries taking part in it. The Final Document produced at the end of this seminar was quite a remarkable one. It highlighted the simultaneity of Asia as one of the global centres of the information economy and the everyday reality of wide-spread poverty across the Asian countries, and went on to state that the first principle for the emerging global information society should be that the '[c]ommunication rights are fundamental to democracy and human development' (The World Summit on the Information Society: An Asian Response 2002). It proposed the following action items for the efforts towards a global inclusive information society: 1) strengthen community, 2) ensure access, 3) enhance the creation of appropriate content, 4) invigorate global governance, 5) uphold human rights, 6) extend the public domain, 7) protect and promote cultural and linguistic diversity, and 8) ensure public investment in infrastructure (ibid.).

Immediately after this Conference, several Asian civil society organizations attended the Asian Civil Society Forum, organised as part of the Conference of Non-governmental Organizations in Consultative Relations with the United Nations (CONGO), held in Bangkok, Thailand, during December 9-13, 2002. Representatives of Dhaka Ahsania Mission (Bangladesh), OneWorld South Asia (India), GLOCOM (Japan), Foundation for Media Alternative (Philippines), Korean Progressive Network – JINBONET (Republic of Korea), Friedrich Naumann Foundation (Singapore), International Federation of University Women (Switzerland), and Forum Asia (Regional) drafted a Joint Statement emphasising that a 'broad-based participation of civil society, especially from those communities which are excluded, marginalized and severely deprived, is critical in defining and building such a [true communicative, just and peaceful] society' (Aizu 2002). In the very next month, the Asia-Pacific Regional Conference was held in Tokyo during January 13-15, 2003, 'to develop a shared vision and common strategies for the “Information Society' (WSIS Executive Secretariat 2003: 2). The conference saw participation of representatives from 47 national governments, 22 international organizations, 54 private sector agencies, and 116 civil society organizations across the Asia-Pacific region. The Tokyo Declaration, the final document prepared at the conclusion of the Conference, recognized that:

[T]he Information Society must ... facilitate full utilization of information and communication technologies (ICT) at all levels in society and hence enable the sharing of social and economic benefits by all, by means of ubiquitous access to information networks, while preserving diversity and cultural heritage. (Ibid.: 2)

Further, it highlighted the following priority areas of action: 1) infrastructure development, 2) securing affordable, universal access to ICTs, 3) preserving linguistic and cultural diversity and promoting local content, 4) developing human resources, 5) establishing legal, regulatory and policy frameworks, 6) ensuring balance between intellectual property rights (IPR) and public interest, 7) ensuring the security of ICTs, and 8) fostering partnerships and mobilizing resources. It is not difficult to see how the focus of necessary actions shifted from an emphasis on concerns of community and human rights, and public investments and commons, towards those of legal and policy mechanisms, multi-partner delivery of services, and intellectual property rights. Civil society organizations, expectedly, felt sidelined in this Conference, and decided to issue a join statement of Asian civil society organizations to ensure that their positions are effectively presented. The first two topics mentioned in this document were: 1) '[c]ommunication rights should be fully recognized as a fundamental and universal human right to be protected and promoted in the information society,' and 2) '[t]he participation of civil society in the information society at all levels should be ensured and sustained, from policy planning to implementation, monitoring and evaluation' (UNSAJ et al 2003). The joint statement was endorsed by 30 civil society organizations: UDDIPAN (Bangladesh); COMFREL (Cambodia); ETDA (East Timor); The Hong Kong Council of Social Services (Hong Kong); Food India, IT for Change (India); Indonesian Infocom Society (Indonesia); Active Learning, CPSR, Forum for Citizens' Television and Media, JTEC, Kyoto Journal, Ritsumeikan University Media Literacy Project, UNSAJ (Japan); Computer Association Nepal, Rural Area Development Programme (Nepal); APC Women's Networking Support Programme, Foundation for Media Alternatives, ISIS International (Philippines); Citizens' Action Network, Korean Progressive Network – Jinbonet, Labor News Production, ZAK (Republic of Korea); e-Pacificka Consulting (Samoa); National University of Singapore (Singapore); Public Television Service, Taiwan Association for Human Rights (Taiwan); Asian-South Pacific Bureau for Adult Education, FORUM ASIA, and TVE Asia Pacific (Regional) (Ibid.).

Participation in the WSIS Process

The first WSIS conference was held in Geneva in December 2003. Through the processes of organizing this conference, and the second one in Tunis in November 2005, United Nations expressed a clear intention of great participation of actors from the private companies, civil society, academia, and media, along with the governmental organizations. During the first meeting of the WSIS Preparatory Committee (PrepCom-1) in Geneva, during July 1-5, 2002, the civil society organizations demanded that they should be allowed to co-shape the key topics to be discussed during the first conference (2003). There was already an Inter-Governmental Subcommittee on Contents and Themes, but no equivalent platform for the civil society organizations was available. With the approval of the Civil Society Plenary (CSP), the Civil Society Subcommittee on Content and Themes (WSIS-SCT) was instituted during PrepCom-1 (WSIS-SCT 2003b). At the second WSIS Preparatory Committee meeting (PrepCom-2) in Geneva, during February 17-28, 2003, the WSIS-SCT produced a summary of the views of its members titled 'Vision and Principles of Information and Communication Societies,' and also a one page brief titled 'Seven Musts: Priority Principles Proposed by Civil Society' to be used for lobbying purposes (Ibid.). This brief mentioned seven key principles of Internet governance identified by the civil society organization taking part in the WSIS process: (1) sustainable development, (2) democratic governance, (3) literacy, education, and research, (4) human rights, (5) global knowledge commons, (6) cultural and linguistic diversity, and (7) information security (WSIS-SCT 2003a).

Asian civil society organizations that took part in the PrepCom-2 meeting included United Nations Association of China (China); CASP - Centre for Adivasee Studies and Peace, C2N - Community Communications Network (India); ICSORC - Iranian Civil Society Organizations Resource Center (Iran); GAWF - General Arab Women Federation (Iraq); Daisy Consortium, GLOCOM - Center for Global Communications (Japan); Association for Progressive Communication, Global Knowledge Partnership (Malaysia); Pakistan Christian Peace Foundation (Pakistan); WFEO - World Federation of Engineering Organization (Palestine); Asian South Pacific Bureau of Adult Education, Foundation for Media Alternatives, ISIS International – Manila (Philippines); Korean Progressive Network - Jinbonet (Republic of Korea); IIROSA - International Islamic Relief Organization (Saudi Arabia); and Taking IT Global (India, Indonesia, Malaysia, Philippines, and Turkey) (ITU 2003a).

All these efforts led to development of the Civil Society Declaration to the World Summit on the Information Society, which was prepared and published by the Civil Society Plenary at the Geneva conference, on December 08, 2003. The Declaration was titled 'Shaping Information Societies for Human Needs' (WSIS Civil Society Plenary 2003). The Asian civil society organization that took part in the Geneva conference were BFES - Bangladesh Friendship Education Society, Drik, ICTDPB - Information & Communication Technology Development Program, Proshika - A Center for Human Development (Bangladesh); China Society for Promotion of the Guangcai Programme, Chinese People's Association for Friendship with Foreign Countries, United Nations Association of China (China); The Hong Kong Council of Social Service (Hong Kong); CASP - Centre for Adivasee Studies and Peace, Childline India Foundation / Child Helpline International, DAWN - Development Alternatives with Women for a New Era (India); Communication Network of Women's NGOs in Iran, Green front of Iran, ICTRC - Iranian Civil Society Organizations Training and Research Center, Islamic Women's Institute of Iran, Institute for Women's Studies and Research, Organization for Defending Victims of Violence (Iran); ILAM - Center for Arab Palestinians in Israel (Israel); Citizen Digital Solutions, Forum for Citizens' Television and Media, GLOCOM - Center for Global Communications, JCAFE - Japan Computer Access for Empowerment, Soka Gakkai International (Japan); LAD-Nepal - Literary Academy for Dalit of Nepal (Nepal); Asia-Pacific Broadcasting Union, Global Knowledge Partnership (Malaysia); PAK Educational Society / Pakistan Development Network, SMEDA - Small & Medium Enterprise Development Authority (Pakistan); Palestine IT Association of Companies (Palestine); Isis International – Manila, Ugnayan ng Kababaihan sa Pulitika / Philippine Women's Network in Politics and Governance (Philippines); Citizen's Alliance for Consumer Protection of Korea, Korean Civil Society Network for WSIS (Republic of Korea); Youth Challenge (Singapore); Association for Progressive Communications (India and Philippines), CITYNET - Regional Network of Local Authorities for the Management of Human Settlements (India. Mongolia, and Philippines), Taking IT Global (India and Philippines) (ITU 2003b).

As the preparatory meetings and consultations towards the second WSIS conference advanced during the next year, the Asian civil society organizations attempted to engage more directly with the global Internet governance processes on one hand, and the national Internet and ICT policy situations on the other. Writing about their encounters at and before the second Preparatory Committee meeting of the Tunis conference, held in Geneva during February 17-25, 2005, Anita Gurumurthy and Parminder Jeet Singh made several early observations that have continued to resonate with the experiences of Asian civil society organizations throughout the decade (Gurumurthy & Singh 2005). Firstly, they indicated that the government agencies present in the dialogues tend to take diverging positions in international events and domestic contexts. Secondly, there was a marked absence of formal and informal discussions between the governmental and the civil society representatives of the same country present at the meeting. The government agencies were clearly disinterested in involving civil society organizations in the process. Thirdly, the civil society actors present in the meeting were mostly from the ICT for Development sector, and the organizations working in more 'traditional' sectors – such as education, health, governance reform, etc. – remained absent from the conversations. This is especially problematic in the case of such developing countries where there does not exist strategic linkages between civil society organizaions focusing on topics of technologized developmental interventions, and those involved in more 'traditional' development practices. Rekha Jain, in a separate report on the Indian experience of participating in the WSIS process, re-iterates some of these points (Jain 2006). She notes that '[w]hile the Secretary, [Department of Telecommunications, Government of India] was involved in (PrepCom-1) drafting the initial processes for involvement of NGOs, at the national level, this mechanism was not translated in to a process for involving the civil society or media' (Ibid.: 14).

The frequent lack of interest of national governments, especially in the Asian countries, to engage with civil society organizations on matters of policies and projects in Internet governance and ICTs for development (Souter 2007), further encouraged these organization to utilise the global discussion space opened up by the WSIS process to drive the agendas of democratisation of Internet governance processes, and protection and advancement of human rights and social justice. The second WSIS conference held in Tunis, during November 16-18, 2005, however, did not end in a positive note for the civil society organizations as a whole. The sentiment is aptly captured in the title of the Civil Society Statement issued after the Tunis Conference: 'Much more could have been achieved' (WSIS Civil Society Plenary 2005). Apart from producing this very important critical response to the WSIS process, within a month of its conclusions, the civil society organization contributed effectively in one of the more longer-term impacts of the process – the establishment of the Internet Governance Forums (IGFs). Immediately after the publication of the Report of the Working Group on Internet Governance (Desai et al) in June 2005, the Center for Global Communications (GLOCOM), Japan, acting on behalf of the Civil Society Internet Governance Caucus, came forward with public support for 'the establishment of a new forum to address the broad agenda of Internet governance issues, provided it is truly global, inclusive, and multi-stakeholder in composition allowing all stakeholders from all sectors to participate as equal peers' (WSIS Civil Society Internet Governance Caucus 2005: 3).

Asian Civil Society Organizations at the IGFs

In 2006, the WSIS Civil Society Internet Governance Caucus was reformed and established as a permanent 'forum for discussion, advocacy, action, and for representation of civil society contributions in Internet governance processes' (Civil Society Internet Government Caucus 2006). Representatives from Asian civil society organizations have consistently played critical roles in the functionings of this Caucus. Youn Jung Park of the Department of Technology and Society, SUNY Korea, co-founded and co-coordined the original Caucus in 2003. Adam Peake of the Center for Global Communications (GLOCOM), International University of Japan, was co-coordinator of the original Caucus from 2003 to 2006. Parminder Jeet Sing of IT for Change, India, was elected as one of the co-cordinators of the newly reformed Caucus in 2006, with the term ending in 2008. Izumi Aizu of the Institute for HyperNetwork Society and the Institute for InfoSocinomics, Tama University, Japan served as the co-coordinator of the Caucus during 2010-2012.

The first Internet Governance Forum organized in Athens, October 30 – November 2, 2006, saw participation from a very few Asian civil society organizations, mostly from Bangladesh and Japan (IGF 2006). The second Internet Governance Forum in Rio de Janeiro, November 12-15, 2007 had a wider representation from Asian civil society organizations: Bangladesh NGOs Network for Radio and Communication, BFES - Bangladesh Friendship Education Society, VOICE – Voices for Interactive Choice and Empowerment (Bangladesh); China Association for Science and Technology, Internet Society of China (China); University of Hong Kong (Hong Kong); Alternative Law Forum (via Association for Progressive Communications - Women's Networking Support Programme), Indian Institute of Technology in Delhi, IT for Change (India); GLOCOM, Kumon Center, Tama University (Japan); Sustainable Development Networking Programme (Jordan); Kuwait Information Technology Society (Kuwait); Assocation of Computer Engineers – Nepal, Rural Area Development Programme, Nepal Rural Information Technology Development Society (Nepal); Bytesforall – APC / Pakistan, Pakistan Christian Peace Foundation (Pakistan); Foundation for Media Alternatives, Philippine Resources for Sustainable Development Inc. (Philippines); and LIRNEasia (Sri Lanka). At the Open IGF Consultations in Geneva, on February 26 2008, the Internet Governance Caucus made two significant submissions: 1) that, although structuring the IGF sessions in Athens and Rio de Janeiro around the large themes of access, openness, diversity, and security have been useful to open up the multi-stakeholder dialogues, it is necessary to begin focused discussions of specific public policy issues to take the IGF process forward (Civil Society Internet Governance Caucus 2008a), and 2) that the Multi-Stakeholder Advisory Group (MAG), which drives the IGF process and events, should be made more proactive and transparent, and expanded in size so as to better include the different stakeholder groups who may self-identify their representatives for the MAG (Civil Society Internet Governance Caucus 2008b).

On one hand, the IGF Hyderabad, December 3-6, 2008, experienced a decline in the percentage of participants from civil society organizations and a rather modest increase in the percentage of participants from Asian countries (see: 6.1.5. Annexe – Tables), especially since this was the first major international Internet governance summit held in an Asian country. On the other hand, the Civil Society Internet Governance Caucus succeeded to bring forth the term 'enhanced cooperation,' as mentioned in the Tunis Agenda, to be addressed and discussed in one of the main sessions of the Forum (IGF 2008). The next IGF held in Sharm El Sheikh, November 15-18, 2009, saw further decline of participation from both the representatives of civil society organizations, and the attendees from Asian countries (see: 6.1.5. Annexe – Tables). In this context, Youn Jung Park made the following statement in the Stock Taking session of the summit:

As a cofounder of WSIS Civil Society Internet Governance Caucus in 2003, I would like to remind you ... [that] Internet Governance Forum was created as a compromise between those who supported the status quo Internet governance institution under one nation's status provision, and those who requested for more balanced roles for governments under international supervision of the Internet. While IGF has achieved a great success of diluting of such political tension between those who have different views of how to institutionalize Internet governance, ironically Internet governance forum became a forum without governance... [We] have to admit [that] IGF failed to deliver another mandate of the U.N. WSIS: Continuing discussion of how to design Internet governance institutions... The current IGF continues to function as knowledge transfer of ICANN's values to other stakeholders, while those who want to discuss and negotiate on how to design Internet governance institutions should have another platform for that specific U.N. WSIS mandate. (IGF 2009)

The first Asia Pacific Regional Internet Governance Forum (APrIGF) was held in Hong Kong on June 14-16, 2010. The organising committee included three civil society / acadmic organizations – Center for Global Communications (GLOCOM), Internet Society Hong Kong, and National University of Singapore – and three indpendent experts – Kuo-Wei Wu (Taiwan), Norbert Klein (Cambodia), and Zahid Jamil (Pakistan). Though the Forum had dominant presence from government and private sector participants, several representatives from Asian civil society / academic organizations spoke at the sessions: Ang Peng Hwa (Singapore Internet Research Centre, Nanyang Technological University), Charles Mok (Internet Society Hong Kong), Christine Loh (Civic Exchange), Chong Chan Yau (Hong Kong Blind Union), Clarence Tsang (Christian Action), Ilya Eric Lee (Taiwan E-Learning and Digital Archives Program, and Research Center for Information Technology Innovation), Izumi Aizu (Institute for HyperNetwork Society, and Institute for InfoSocinomics, Kumon Center, Tama University), Oliver “Blogie” Robillo (Mindanao Bloggers Community), Parminder Jeet Singh (IT for Change), Priscilla Lui (Against Child Abuse in Hong Kong), Tan Tin Wee (Centre for Internet Research, National University of Singapore), and Yap Swee Seng (Asian Forum for Human Rights and Development). As Ang Peng Hwa noted at the beginning of the summit, its key objective was to provide a formal space for various stakeholders from the Asia-Pacific region to discuss and provide inputs to the IGF process (APrIGF 2010). The regional forum was successful in enabling newer civil society entrants from the Asia-Pacific region to familiarize themselves with the IGF process, and to contribute to it. Oliver “Blogie” Robillo, represented and submit recommendations from Southeast Asian civil society organizations at IGF Vilnius, September 14-17, 2010, which was the first time he took part in the summit series. He emphasised the following topics: 1) openness and freedom of expression are the basis of democracy, and state-driven censorship of Internet in the region is an immediate threat to such global rights, 2) coordinated international efforts need to address and resolve not only global digital divides, but also the divides at regional, national, and sub-nationals scales, 3) the right to privacy is an integral part of cybersecurity, as well as a necessary condition for exercising human rights, 4) global Internet governance efforts must ensure that national governments do not control and restrict abilities of citizens to express through digital means, and it should be aligned with the universal human rights agenda, and 5) even after 5 years of the IGF process, a wider participation of civil society organizations, especially from the Asia-Pacific regions, remains an unachieved goal, which can only be achived if specific resources are allocated and processes are implemented (IGF 2010).

Internet Censorship and Civil Society Responses

Throughout the decade of 2000-2010, censorship of Internet and restriction of digital expression remained a crucial Internet rights concern across the world, and especially the Asian countries. One of the earliest global reports on the matter was brought out by the Reporters without Borders. In 2006, it published a list of countries marked as 'Internet Enemies' that featured 16 countries, out of which 11 were from Asia: China, Iran, Maldives, Myanmar (then, Burma), Nepal, North Korea, Saudi Arabia, Syria, Turkmenistan, Uzbekistan, and Vietnam (Reporters without Borders 2006). The list was updated in 2007, and three of these countries – Libya, Maldives, and Nepal – were taken off (Ibid.). The unique contradictions of the Asian region were sharply foregrounded in the 2006-07 report on Internet censorship by OpenNet Initiative, which noted:

Some of the most and least connected countries in the world are located in Asia: Japan, South Korea, and Singapore all have Internet penetration rates of over 65 percent, while Afghanistan, Myanmar, and Nepal remain three of thirty countries with less than 1 percent of its citizens online. Among the countries in the world with the most restricted access, North Korea allows only a small community of elites and foreigners online. Most users must rely on Chinese service providers for connectivity, while the limited number North Korean–sponsored Web sites are hosted abroad... [T]hough India’s Internet community is the fifth largest in the world, users amounted to only about 4 percent of the country’s population in 2005. Afghanistan, Myanmar, and Nepal are among the world’s least-developed countries. Despite the constraints on resources and serious developmental and political challenges, however, citizens are showing steadily increasing demand for Internet services such as Voice-over Internet Protocol (VoIP), blogging, and chat. (Wang 2007)

The report further described the strategy used by various Asian governments of 'delegation of policing and monitoring responsibilities to ISPs, content providers, private corporations, and users themselves' (Ibid.) These mechanisms enforce self-surveillance and self-censorship in the face of threats of loss of commercial license, denial of services, and even criminal liability. Defamation suits and related civil and criminal liability have also been used by several Asian governments to silence influential critics and protesters. Direct technical filtering of Internet traffic (especially inwards traffic) and blocking of URLS via government directives sent to Internet Service Providers (ISPs) have also been common practice in key Asian countries (Ibid.). Expectedly, such experiences of oppression led to widespread campaigns and communications by the Asian civil society organizations, as can be sensed from the above mentioned submission by Oliver “Blogie” Robillo at IGF Vilnius.

Among the Asian countries, the comprehensive technologies of censorship developed and deployed by China has been studied most extensively. The Golden Shield Project was initiated by the Ministry of Public Security of China in 1998 to undertake blanket blocking of incoming Internet traffic based on specific URLs and terms. Evidences of the project getting operationalised became available in 2003 (Garden Networks for Freedom of Information 2004). Censorship of Internet in China, however, has not only been dependent on such sophisticated systems. In 2003, it was made mandatory for all residents of Lhasa, Tibet, to use a specific combination and password to access Internet, which was directly linked to their names and address. An Internet ID Card was issued by the government to implement this (International Campaign for Tibet. 2004). Tibet Action Institute has been a key civil society organization at the forefront of cyber-offensive of the Chinese government. A recent documentary by the Institute, titled 'Tibet: Frontline of the New Cyberwar,' has narrated how it has worked closely with the Citizen Lab, Munk School of Global Affairs, University of Toronto, to identify, trace, and resist the malware- and other cyber-attacks experienced by the civil society actors and websites in favor of independence of Tibet (Tibet Action Institute 2015). Not only activists supporting the Tibetan cause, digital security training emerged as an important aspect of the life of civil society organizations during the decade. Asian organizations like Bytes for All (Pakistan) and Myanmar ICT for Development Organization (Mynamar), as well as international organizations like Front Line Defenders and Citizen Lab have educated and supported civil society activities much beyond the Internet governance sphere with tools and techniques for effectively using digital channels of communications, and defending themselves for cyber-threats.

Combination of traditional forms of civil society mobilizations and digital techniques have often been used resist attempts by Asian governments to control the online communication space. Huma Yusuf has extensively studied the emergence of hybrid media strategies, using both old media channels like newspapers and new media channels like blogs and video sharing platforms, among citizen journalists and civil society activists in Pakistan as the government took harsh steps towards control of both traditional and online media during 2007-2008 (Yusuf 2009). She has carefully traced how possibilities of new forms of information and media sharing enabled by Internet were initially identified and implemented by citizen journalists and student activists, which was quickly learned and re-deployed by more formal organisation, such as print and electronic news companies, and civil society organizations like those involved in election monitoring (Ibid.). Malaysia also experienced fast-accelerating face-off between the government and the civil society during 2007-2010, as the former started intervening directly into censoring blogs and newspaper websites. On one hand, the government took legal actions against critical bloggers, either directly or indirectly, and on the other it instructed ISPs to block 'offensive content.' It also borrowed the 'Singapore-model' to mandate registration of bloggers with government authorities, if they are identifed as writing on socio-political topics. The civil society actors responded to these oppressive steps by setting up a new blog dedicated to coverage of the defamation cases (filed against prominent bloggers), and publicly sharing instructions for circumvention of the blocks imposed by ISPs. The National Alliance of Bloggers was soon formed, which organised the “Blogs and Digital Democracy” forum on October 3, 2007 (Thien 2011: 46-47). Similarly, Bloggers Against Censorship campaign took shape in India in 2006 as the government first directed ISPs to block specific blogs hosted on Blogspot, TypePad, and Yahoo! Geocities, and then went for complete blocking of Yahoo! Geocities as the ISPs failed to block specific sub-domains of the platform (Bloggers Collective Group 2006). Learning from this experience, the following year Indian government decided to work directly with Orkut to take down 'defamatory content' about a politician (The Economic Times 2007). This is common for other Asian governments too, as they have continued to develop more legally binding and technically sophisticated measures to monitor and control online expression.

In the 'Internet Enemies Report 2012,' Reporters without Borders listed 12 countries as 'enemies of the Internet,' out of which 10 were from Asia – Bahrain, China, Iran, Myanmar, North Korea, Saudi Arabia, Syria, Turkmenistan, Uzbekistan, and Vietnam – and it named 14 countries that are conducting surveillance on its citizens, out of which 7 were from Asia – India, Kazakhstan, Malaysia, South Korea, Sri Lanka, Thailand, and United Arab Emirates (Reporters without Borders 2012). At the APrIGF held in Tokyo, July 18-20, 2012, a group of delegates from civil society organizations working in the South-East Asian region issued a joint statement with a clear call for global action against the shrinking space for freedom of (digital) expression in the region (Thai Netizen Network et al 2012). They specifically noted the following national acts as examples of the legislative mechanisms being used by different Asian governments to criminalize online speech and/or to harass public dissenters:

Burma – The 2004 Electronic Transactions Act
Cambodia – The 2012 Draft Cyber-Law, the 1995 Press Law, and the 2010 Penal Code
Malaysia – The 2012 Amendment to the Evidence Act and the 2011 Computing Professionals Bill
Indonesia – The 2008 Law on Information and Electronic Transaction and the 2008 Law on Pornography
The Philippines – The 2012 Data Privacy Act
Thailand – The 2007 Computer Crimes Act, the Article 112 of the Penal Code, and the 2004 Special Case Investigation Act
Vietnam – The 1999 Penal Code, the 2004 Publishing Law, the 2000 State Secrets Protection Ordinance, and the 2012 Draft Decree on Internet Management. (Ibid.)

The statement was co-signed by Thai Netizen Network, Thai Media Policy Centre, The Institute for Policy Research and Advocacy (ELSAM), Southeast Asian Press Alliance (SEAPA), Southeast Asian Centre for e-Media (SEACeM), Victorius (Ndaru) Eps, Community Legal Education Center (CLEC), Sovathana (Nana) Neang, Asian Forum for Human Rights and Development (FORUM-ASIA), and was endorsed by ICT Watch (Indonesian ICT Partnership Association).

Annexe – Tables

Table 1: Participation from Asian Countries and of representatives from Asian civil society organisations in IGFs, 2006-2010

Event	Participants from Asian Countries	Participants from Civil Society Organizations
IGF Athens 2006	11%	29%
IGF Rio de Janeiro 2007	13%	32%
IGF Hyderabad 2008	56% from India, and 15% from other Asian countries	25%
IGF Sharm El Sheikh 2009	17%	19%
IGF Vilnius 2010	Not Available	Not Available

Source: Reports available on Internet Governance Forum website (http://igf.wgig.org/cms).

Table 2: Internet Society Chapters in Asia

Chapter	Year of Establishment	URL
Afghanistan	In formation	Not available
Bahrain	2001	http://www.bis.org.bh/
Bangladesh	2011	http://www.isoc.org.bd/dhaka/
Hong Kong	2005	http://www.isoc.hk/
India (Bangalore)	2010	http://www.isocbangalore.org/
India (Chennai)	2007	http://www.isocindiachennai.org/
India (Delhi)	2002. Rejuvenated in 2008.	http://www.isocdelhi.in/
India (Kolkata)	2009	http://isockolkata.in/
India (Trivandrum)	2015	Not available
Indonesia	2014	http://www.isoc.or.id/
Israel	1995	http://www.isoc.org.il/
Japan	1994	http://www.isoc.jp/
Lebanon	2010	http://www.isoc.org.lb/
Malaysia	2010	http://www.isoc.my/
Nepal	2007	http://www.internetsociety.org.np/
Pakistan (Islamabad)	2013	http://www.isocibd.org.pk/
Palestine	2002	http://www.isoc.ps/
Philippines	1999. Rejuvenated in 2009.	https://www.facebook.com/isoc.ph/
Qatar	2011	http://www.isoc.qa/
Republic of Korea	2014	Not available
Singapore	2011	http://isoc.sg/
Sri Lanka	2010	http://www.isoc.lk/
Taipei	1996	http://www.isoc.org.tw/
Thailand	1996	http://www.isoc-th.org/
United Arab Emirates	2007	http://www.isocuae.com/
Yemen	2013	http://isoc.ye/

Source: Details of chapters available on Internet Society website (http://www.internetsociety.org/).

Reference

Aizu, Izumi et al. 2002. Joint Statement from Asia Civil Society Forum Participants on World Summit on the Information Society (WSIS). December 13. Accessed on July 08, 2015 from http://www.wsisasia.org/wsis-acsf2002/wsis-acsfdec13f.doc.

Asia Pacific Regional Internet Governance Forum (APrIGF). 2010. APrIGF Roundtable – June 15th, 2010: Session 1 – Welcome Remarks and Introduction – Real Time Transcript. Accessed on July 08, 2015 from http://2010.rigf.asia/aprigf-roundtable-june-15th-2010-session-1/.

Bloggers Collective Group. 2006. Bloggers Against Censorship. Last updated on April 30, 2009‎. Accessed on July 08, 2015, from http://censorship.wikia.com/wiki/Bloggers_Against_Censorship.

Civil Society Internet Governance Caucus. 2006. Internet Governance Caucus Charter. October 14. Accessed on July 08, 2015, from http://igcaucus.org/old/IGC-charter_final-061014.html.

Civil Society Internet Governance Caucus. 2008a. Inputs for the Open IGF Consultation, Geneva, 26th February, 2008 – Statement II: Main Session Themes for IGF, Hyderabad. February 26. Accessed on July 08, 2015, from http://igcaucus.org/old/IGC%20-%20Main%20themes%20for%20IGF%20Hyd.pdf.

Civil Society Internet Governance Caucus. 2008b. Inputs for the Open IGF Consultation, Geneva, 26th February, 2008 – Statement III: Renewal / Restructuring of Multi-stakeholder Advisory Group. February 26. Accessed on July 08, 2015, from http://igcaucus.org/old/IGC%20-%20MAG%20Rotation.pdf.

Desai, Nitin, et al. 2005. Report of the Working Group on Internet Governance. United June. Accessed on July 08, 2015 from http://www.wgig.org/docs/WGIGREPORT.pdf.

Garden Networks for Freedom of Information. 2004. Breaking through the “Golden Shield.” Open Society Institute. November 01. Accessed on July 08, 2015 from https://www.opensocietyfoundations.org/sites/default/files/china-internet-censorship-20041101.pdf.

George, Susanna. 2002. Women and New Information and Communications Technologies: The Promise of Empowerment. Presented at The World Summit on the Information Society: An Asian Response Meeting, November 22-24. Accessed on July 08, 2015 from http://www.wsisasia.org/materials/susanna.doc/.

Gurumurthy, Anita, & Parminder Jeet Singh. 2005. WSIS PrepCom 2: A South Asian Perspective. Association for Progressive Communications. April 01. Accessed on July 08, 2015, from https://www.apc.org/en/news/hr/world/wsis-prepcom-2-south-asian-perspective.

Internet Governance Forum (IGF). 2006. Athens 2006 – List of Participants. Accessed on July 08, 2015, from http://www.intgovforum.org/PLP.html.

Internet Governance Forum (IGF). 2008. Arrangements for Internet Governance, Global and National/Regional. IGF Hyderabad, India. December 5. Accessed on July 08, 2015, from https://web.archive.org/web/20130621205004/http://www.intgovforum.org/cms/hyderabad_prog/AfIGGN.html [Original URL: http://www.intgovforum.org/cms/hyderabad_prog/AfIGGN.html].

Internet Governance Forum (IGF). 2009. Taking Stock and Looking Forward – On the Desirability of the Continuation of the Forum, Part II. IGF Sharm El Sheikh, Egypt. November 18. Accessed on July 08, 2015, from http://www.intgovforum.org/cms/2009/sharm_el_Sheikh/Transcripts/Sharm%20El%20Sheikh%2018%20November%202009%20Stock%20Taking%20II.txt.

Internet Governance Forum (IGF). 2010. Taking Stock of Internet Governance and the Way Forward. IGF Vilnius, Lithuania. September 17. Accessed on July 08, 2015, from http://igf.wgig.org/cms/component/content/article/102-transcripts2010/687-taking-stock.

International Campaign for Tibet. 2004. Chinese Authorities Institute Internet ID Card System in Tibet for Online Surveillance. April 30. Accessed on July 08, 2015, from http://www.savetibet.org/chinese-authorities-institute-internet-id-card-system-in-tibet-for-online-surveillance/.

International Telecommunication Union (ITU). 2003a. PrepCom-2 / 17-28 February 2003 – Final List of Participants. February 28. Accessed on July 08, 2015, from http://www.itu.int/wsis/participation/prepcom2/prepcom2-cl.pdf.

International Telecommunication Union (ITU). 2003b. Geneva Phase of the WSIS: List of Participants. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/geneva/summit_participants.pdf.

Jain, Rekha. 2006. Participation of Developing Countries in the World Summit on the Information Society (WSIS) Process: India Case Study. Association for Progressive Communications. March. Accessed on July 08, 2015 from http://rights.apc.org/documents/wsis_india.pdf.

Reporters without Borders. 2006. List of the 13 Internet Enemies. Last updated on August 28, 2007. Accessed on July 08, 2015 from http://en.rsf.org/list-of-the-13-internet-enemies-07-11-2006,19603.

Reporters without Borders. 2012. Internet Enemies Report 2012. Accessed on July 08, 2015 from http://en.rsf.org/IMG/pdf/rapport-internet2012_ang.pdf.

Souter, David. 2007. WSIS and Civil Society. In: Whose Summit? Whose Information Society? Developing Countries and Civil Society at the World Summit on the Information Society. With additional research by Abiodun Jagun. Association for Progressive Communications. Pp. 72-89. Accessed on July 08, 2015 from http://rights.apc.org/documents/whose_summit_EN.pdf.

Thai Netizen Network et al. 2012. Southeast Asian Civil Society Groups Highlight Increasing Rights Violations Online, Call for Improvements to Internet Governance Processes in the Region. Statement of Civil Society Delegates from Southeast Asia to 2012 Asia-Pacific Regional Internet Governance Forum (APrIGF). July 31. Accessed on July 08, 2015 from https://freedomhouse.org/sites/default/files/AprIGF-Joint%20Statement-FINAL.pdf.

The Economic Times. 2007. Orkut's Tell-All Pact with Cops. May 01. Accessed on July 08, 2015 from http://articles.economictimes.indiatimes.com/2007-05-01/news/28459689_1_orkut-ip-addresses-google-spokesperson.

The World Summit on the Information Society: An Asian Response. 2002. Final Document. Accessed on July 08, 2015 from http://www.wsisasia.org/materials/finalversion.doc.

Thien, Vee Vian. 2011. The Struggle for Digital Freedom of Speech: The Malaysian Sociopolitical Blogosphere’s Experience. In: Ronald Deibert et al. (eds.) Access Contested. OpenNet Initiative. Pp. 43-63. Accessed on July 08, 2015 from http://access.opennet.net/wp-content/uploads/2011/12/accesscontested-chapter-03.pdf.

Tibet Action Institute. 2015. Tibet: Frontline of the New Cyberwar. YouTube. January 27. Accessed on July 08, 2015 from https://www.youtube.com/watch?v=yE3AQqbGVkk.

UNSAJ et al. 2003. Civil Society Observations and Response to the Tokyo Declaration. Asia-Pacific Regional Conference on the World Summit on the Information Society. January 15. Accessed on July 08, 2015 from http://www.wsisasia.org/wsis-tokyo/tokyo-statement.html.

Wang, Stephanie. 2007. Internet Filtering in Asia in 2006-2007. OpenNet Initiative. Accessed on July 08, 2015, from https://opennet.net/studies/asia2007.

WSIS Civil Society Internet Governance Caucus. 2005. Initial Reactions to the WGIG Report. Contribution from GLOCOM on behalf of the WSIS Civil Society Internet Governance Caucus. July 19. Accessed on July 08, 2015, from www.itu.int/wsis/%20docs2/pc3/contributions/co23.doc.

WSIS Civil Society Plenary. 2003. “Shaping Information Societies for Human Needs” – Civil Society Declaration to the World Summit on the Information Society. December 8. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/geneva/civil-society-declaration.pdf.

WSIS Civil Society Plenary. 2005. “Much more could have been achieved” – Civil Society Statement on the World Summit on the Information Society. December 18. Accessed on July 08, 2015, from https://www.itu.int/wsis/docs2/tunis/contributions/co13.pdf.

WSIS Civil Society Subcommittee on Content and Themes. 2003a. “Seven Musts”: Priority Principles Proposed by Civil Society. February 25. Accessed on July 08, 2015, from http://www.movimientos.org/es/foro_comunicacion/show_text.php3%3Fkey%3D1484.

WSIS Civil Society Subcommittee on Content and Themes. 2003b. Final Report on Prepcom-2 Activities of the Civil Society on Content and Themes. March 27. Accessed on July 08, 2015, from http://www.itu.int/wsis/docs/pcip/misc/cs_sct.pdf.

WSIS Executive Secretariat. 2003. Report of the Asia-Pacific Regional Conference for WSIS (Tokyo, 13-15 January 2003). WSIS. Accessed on July 08, 2015, from http://www.itu.int/dms_pub/itu-s/md/03/wsispc2/doc/S03-WSISPC2-DOC-0006!!PDF-E.pdf.

Yusuf, Huma. 2009. Old and New Media: Converging during the Pakistan Emergency (March 2007 - February 2008). MIT Centre for Civic Media. January 12. Accessed on July 08, 2015, from https://civic.mit.edu/blog/humayusuf/old-and-new-media-converging-during-the-pakistan-emergency-march-2007-february-2008.

For more details visit https://cis-india.org/raw/civil-society-organisations-and-internet-governance-in-asia-open-review

Security: Privacy, Transparency and Technology

sunil — 2015-09-15T10:53:52Z

The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2.

Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.

Security and Privacy

Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." [1] Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." [2] Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology [3] should be seen as an increasingly key ingredient to the solution of that optimisation problem.

Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:

Data Retention: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.
Privacy-Protective Surveillance: Ann Cavoukian and Khaled El Emam [4] have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.
Fishing Expedition Design: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard [5] that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacypolicies/regulation. Authorised agencies would then hone in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.

An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.

If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.

Security and Transparency

There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.

Optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

The recent detection of the Heartbleed [6] security bug in Open SSL, [7] causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. [8]

At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.

In order words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.

Security and Technology

A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.

This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.

More Technology

Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.

Latest Technology

Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations makes it clear that some older technologies are harder to compromise in comparison to modern technology. [9] Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.

Complex Technology

Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." [10] This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly when it comes to authentication, a pin number is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.

In the following section of the paper we have identified five threat scenarios [11] relevant to India and identified solutions based on our theoretical framing above.

Threat Scenarios and Possible Solutions

Hacking the NIC Certifying Authority
One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). [12] In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. [13] Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. India’s Controller of Certifying Authority’s certificates issued are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. [14] In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. [15] Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." [16] The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties by the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. [17] The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date [18] and is no longer issuing digital certificates for the time being. [19]Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks due to fake digital certificates. [20] Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. [21]

‘Logic Bomb’ against Airports
Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. [22] In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. [23] Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.

Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and investigate into probable vulnerabilities.

Attack on Critical Infrastructure
The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. [24] The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. [25]

The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered [26] and connected to one or more Siemens programmable logic controllers. [27] The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. [28] The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.

Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.

Micro Level: Chip Attacks
Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. [29]

Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities [30] and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. [31]

Macro Level: Telecom and Network Switches

The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. [32] Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. [33]

Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. [34] Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. [35]

Security practitioners and policymakers need to avoid the zero-sum framing prevalent in popular discourse regarding security VIS-A-VIS privacy, transparency and technology.

A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals personal information at risk.

While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, [36] the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.

Conclusion

Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.

[1]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.

[2]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security commentary/security matters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.

[3]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.

[4]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information & Privacy Commisioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.

[5]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy”(presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.

[6]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.

[7]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.

[8]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.

[9]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.

[10]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

[11]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.

[12]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.

[13]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.

[14]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.

[15]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&context=jss.

[16]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.

[17]. Ibid.

[18]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.

[19]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.

[20]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.

[21]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertiaIndira.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.

[22]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal -3/.

[23]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121 htm.

[24]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.

[25]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.

[26]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.

[27]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.

[28]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.

[29]. Ibid.

[30]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.

[31]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.

[32]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.

[33]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-70 00010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.

[34]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.

[35]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.

[36]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.

For more details visit https://cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology

A Review of the Policy Debate around Big Data and Internet of Things

elonnai — 2015-08-17T08:36:18Z

This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.

Defining and Connecting Big Data and Internet of Things

The Internet of Things is a term that refers to networked objects and systems that can connect to the internet and can transmit and receive data. Characteristics of IoT include the gathering of information through sensors, the automation of functions, and analysis of collected data.[1] For IoT devices, because of the velocity at which data is generated, the volume of data that is generated, and the variety of data generated by different sources [2] - IoT devices can be understood as generating Big Data and/or relying on Big Data analytics. In this way IoT devices and Big Data are intrinsically interconnected.

General Implications of Big Data and Internet of Things

Big Data paradigms are being adopted across countries, governments, and business sectors because of the potential insights and change that it can bring. From improving an organizations business model, facilitating urban development, allowing for targeted and individualized services, and enabling the prediction of certain events or actions - the application of Big Data has been recognized as having the potential to bring about dramatic and large scale changes.

At the same time, experts have identified risks to the individual that can be associated with the generation, analysis, and use of Big Data. In May 2014, the White House of the United States completed a ninety day study of how big data will change everyday life. The Report highlights the potential of Big Data as well as identifying a number of concerns associated with Big Data. For example: the selling of personal data, identification or re-identification of individuals, profiling of individuals, creation and exacerbation of information asymmetries, unfair, discriminating, biased, and incorrect decisions based on Big Data analytics, and lack of or misinformed user consent.[3] Errors in Big Data analytics that experts have identified include statistical fallacies, human bias, translation errors, and data errors.[4] Experts have also discussed fundamental changes that Big Data can bring about. For example, Danah Boyd and Kate Crawford in the article "Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon" propose that Big Data can change the definition of knowledge and shape the reality it measures.[5] Similarly, a BSC/Oxford Internet Institute conference report titled " The Societal Impact of the Internet of Things" points out that often users of Big Data assume that information and conclusions based on digital data is reliable and in turn replace other forms of information with digital data.[6]

Concerns that have been voiced by the Article 29 Working Party and others specifically about IoT devices have included insufficient security features built into devices such as encryption, the reliance of the devices on wireless communications, data loss from infection by malware or hacking, unauthorized access and use of personal data, function creep resulting from multiple IoT devices being used together, and unlawful surveillance.[7]

Regulation of Big Data and Internet of Things

The regulation of Big Data and IoT is currently being debated in contexts such as the US and the EU. Academics, civil society, and regulators are exploring questions around the adequacy of present regulation and overseeing frameworks to address changes brought about Big Data, and if not - what forms of or changes in regulation are needed? For example, Kate Crawford and Jason Shultz in the article "Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms"stress the importance of bringing in 'data due process rights' i.e ensuring fairness in the analytics of Big Data and how personal information is used.[8] While Solon Barocas and Andrew Selbst in the article "Big Data's Disparate Impact" explore if present anti-discrimination legislation and jurisprudence in the US is adequate to protect against discrimination arising from Big Data practices - specifically data mining.[9]

The Impact of Big Data and IoT on Data Protection Principles

In the context of data protection, various government bodies, including the Article 29 Data Protection Working Party set up under the Directive 95/46/EC of the European Parliament, the Council of Europe, the European Commission, and the Federal Trade Commission, as well as experts and academics in the field, have called out at least ten different data protection principles and concepts that Big Data impacts:

Collection Limitation: As a result of the generation of Big Data as enabled by networked devices, increased capabilities to analyze Big Data, and the prevalent use of networked systems - the principle of collection limitation is changing.[10]
Consent: As a result of the use of data from a wide variety of sources and the re-use of data which is inherent in Big Data practices - notions of informed consent (initial and secondary) are changing.[11]
Data Minimization: As a result of Big Data practices inherently utilizing all data possible - the principle of data minimization is changing/obsolete.[12]
Notice: As a result of Big Data practices relying on vast amounts of data from numerous sources and the re-use of that data - the principle of notice is changing.[13]
Purpose Limitation: As a result of Big Data practices re-using data for multiple purposes - the principle of purpose limitation is changing/obsolete.[14]
Necessity: As a result of Big Data practices re-using data, the new use or re-analysis of data may not be pertinent to the purpose that was initially specified- thus the principle of necessity is changing.[15]
Access and Correction: As a result of Big Data being generated (and sometimes published) at scale and in real time - the principle of user access and correction is changing.[16]
Opt In and Opt Out Choices: Particularly in the context of smart cities and IoT which collect data on a real time basis, often without the knowledge of the individual, and for the provision of a service - it may not be easy or possible for individuals to opt in or out of the collection of their data.[17]
PI: As a result of Big Data analytics using and analyzing a wide variety of data, new or unexpected forms of personal data may be generated - thus challenging and evolving beyond traditional or specified definitions of personal information.[18]
Data Controller: In the context of IoT, given the multitude of actors that can collect, use and process data generated by networked devices, the traditional understanding of what and who is a data controller is changing.[19]

Possible Technical and Policy Solutions

In a Report titled "Internet of Things: Privacy & Security in a Connected World" by the Federal Trade Commission in the United States it was noted that though IoT changes the application and understanding of certain privacy principles, it does not necessarily make them obsolete.[20] Indeed many possible solutions that have been suggested to address the challenges posed by IoT and Big Data are technical interventions at the device level rather than fundamental policy changes. For example it has been proposed that IoT devices can be programmed to:

Automatically delete data after a specified period of time [21] (addressing concerns of data retention)
Ensure that personal data is not fed into centralized databases on an automatic basis [22] (addressing concerns of transfer and sharing without consent, function creep, and data breach)
Offer consumers combined choices for consent rather than requiring a one time blanket consent at the time of initiating a service or taking fresh consent for every change that takes place while a consumer is using a service. [23] (addressing concerns of informed and meaningful consent)
Categorize and tag data with accepted uses and programme automated processes to flag when data is misused. [24] (addressing concerns of misuse of data)
Apply 'sticky policies' - policies that are attached to data and define appropriate uses of the data as it 'changes hands' [25] (addressing concerns of user control of data)
Allow for features to only be turned on with consent from the user [26] (addressing concerns of informed consent and collection without the consent or knowledge of the user)
Automatically convert raw personal data to aggregated data [27] (addressing concerns of misuse of personal data and function creep)
Offer users the option to delete or turn off sensors [28] (addressing concerns of user choice, control, and consent)

Such solutions place the designers and manufacturers of IoT devices in a critical role. Yet some, such as Kate Crawford and Jason Shultz are not entirely optimistic about the possibility of effective technological solutions - noting in the context of automated decision making that it is difficult to build in privacy protections as it is unclear when an algorithm will predict personal information about an individual.[29]

Experts have also suggested that more emphasis should be placed on the principles and practices of:

Transparency,
Access and correction,
Use/misuse
Breach notification
Remedy
Ability to withdraw consent

Others have recommended that certain privacy principles need to be adapted to the Big Data/IoT context. For example, the Article 29 Working Party has clarified that in the context of IoT, consent mechanisms need to include the types of data collected, the frequency of data collection, as well as conditions for data collection.[30] While the Federal Trade Commission has warned that adopting a pure "use" based model has its limitations as it requires a clear (and potentially changing) definition of what use is acceptable and what use is not acceptable, and it does not address concerns around the collection of sensitive personal information.[31] In addition to the above, the European Commission has stressed that the right of deletion, the right to be forgotten, and data portability also need to be foundations of IoT systems and devices.[32]

Possible Regulatory Frameworks

To the question - are current regulatory frameworks adequate and is additional legislation needed, the FTC has recommended that though a specific IoT legislation may not be necessary, a horizontal privacy legislation would be useful as sectoral legislation does not always account for the use, sharing, and reuse of data across sectors. The FTC also highlighted the usefulness of privacy impact assessments and self regulatory steps to ensure privacy.[33] The European Commission on the other hand has concluded that to ensure enforcement of any standard or protocol - hard legal instruments are necessary.[34] As mentioned earlier, Kate Crawford and Jason Shultz have argued that privacy regulation needs to move away from principles on collection, specific use, disclosure, notice etc. and focus on elements of due process around the use of Big Data - as they say "procedural data due process". Such due process should be based on values instead of defined procedures and should include at the minimum notice, hearing before an independent arbitrator, and the right to review. Crawford and Shultz more broadly note that there are conceptual differences between privacy law and big data that pose as serious challenges i.e privacy law is based on causality while big data is a tool of correlation. This difference raises questions about how effective regulation that identifies certain types of information and then seeks to control the use, collection, and disclosure of such information will be in the context of Big Data – something that is varied and dynamic. According to Crawford and Shultz many regulatory frameworks will struggle with this difference – including the FTC's Fair Information Privacy Principles and the EU regulation including the EU's right to be forgotten.[35] The European Data Protection Supervisor on the other hand looks at Big Data as spanning the policy areas of data protection, competition, and consumer protection – particularly in the context of 'free' services. The Supervisor argues that these three areas need to come together to develop ways in which the challenges of Big Data can be addressed. For example, remedy could take the form of data portability – ensuring users the ability to move their data to other service providers empowering individuals and promoting competitive market structures or adopting a 'compare and forget' approach to data retention of customer data. The Supervisor also stresses the need to promote and treat privacy as a competitive advantage, thus placing importance on consumer choice, consent, and transparency.[36] The European Data Protection reform has been under discussion and it is predicted to be enacted by the end of 2015. The reform will apply across European States and all companies operating in Europe. The reform proposes heavier penalties for data breaches, seeks to provide users with more control of their data.[37] Additionally, Europe is considering bringing digital platforms under the Network and Information Security Directive – thus treating companies like Google and Facebook as well as cloud providers and service providers as a critical sector. Such a move would require companies to adopt stronger security practices and report breaches to authorities.[38]

Conclusion

A review of the different opinions and reactions from experts and policy makers demonstrates the ways in which Big Data and IoT are changing traditional forms of protection that governments and societies have developed to protect personal data as it increases in value and importance. While some policy makers believe that big data needs strong legislative regulation and others believe that softer forms of regulation such as self or co-regulation are more appropriate, what is clear is that Big Data is either creating a regulatory dilemma– with policy makers searching for ways to control the unpredictable nature of big data through policy and technology through the merging of policy areas, the honing of existing policy mechanisms, or the broadening of existing policy mechanisms - while others are ignoring the change that Big Data brings with it and are forging ahead with its use.

Answering the 'how do we regulate Big Data” question requires re-conceptualization of data ownership and realities. Governments need to first recognize the criticality of their data and the data of their citizens/residents, as well as the contribution to a country's economy and security that this data plays. With the technologies available now, and in the pipeline, data can be used or misused in ways that will have vast repercussions for individuals, society, and a nation. All data, but especially data directly or indirectly related to citizens and residents of a country, needs to be looked upon as owned by the citizens and the nation. In this way, data should be seen as a part of critical national infrastructure of a nation, and accorded the security, protections, and legal backing thereof to prevent the misuse of the resource by the private or public sectors, local or foreign governments. This could allow for local data warehousing and bring physical and access security of data warehouses on par with other critical national infrastructure. Recognizing data as a critical resource answers in part the concern that experts have raised – that Big Data practices make it impossible for data to be categorized as personal and thus afforded specified forms of protection due to the unpredictable nature of big data. Instead – all data is now recognized as critical.

In addition to being able to generate personal data from anonymized or non-identifiable data, big data also challenges traditional divisions of public vs. private data. Indeed Big Data analytics can take many public data points and derive a private conclusion. The use of Big Data analytics on public data also raises questions of consent. For example, though a license plate is public information – should a company be allowed to harvest license plate numbers, combine this with location, and sell this information to different interested actors? This is currently happening in the United States.[39] Lastly, Big Data raises questions of ownership. A solution to the uncertainty of public vs. private data and associated consent and ownership could be the creation a National Data Archive with such data. The archive could function with representation from the government, public and private companies, and civil society on the board. In such a framework, for example, companies like Airtel would provide mobile services, but the CDRs and customer data collected by the company would belong to the National Data Archive and be available to Airtel and all other companies within a certain scope for use. This 'open data' approach could enable innovation through the use of data but within the ambit of national security and concerns of citizens – a framework that could instill trust in consumers and citizens. Only when backed with strong security requirements, enforcement mechanisms and a proactive, responsive and responsible framework can governments begin to think about ways in which Big Data can be harnessed.

[1] BCS - The Chartered Institute for IT. (2013). The Societal Impact of the Internet of Things. Retrieved May 17, 2015, from http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf

[2] Sicular, S. (2013, March 27). Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused with Three “V”s. Retrieved May 20, 2015, from http://www.forbes.com/sites/gartnergroup/2013/03/27/gartners-big-data-definition-consists-of-three-parts-not-to-be-confused-with-three-vs/

[3] Executive Office of the President. “Big Data: Seizing Opportunities, Preserving Values”. May 2014. Available at: https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf. Accessed: July 2^nd 2015.

[4] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564

[5] Danah Boyd, Kate Crawford. CRITICAL QUESTIONS FOR BIG DATA. Information, Communication & Society Vol. 15, Iss. 5, 2012. Available at: http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878. Accessed: July 2^nd 2015.

[6] The Chartered Institute for IT, Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things” February 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[7] ARTICLE 29 Data Protection Working Party. (2014). Opinion 8/2014 on the on Recent Developments on the Internet of Things. European Commission. Retrieved May 20, 2015, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf

[8] Crawford, K., & Schultz, J. (2013). Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms (SSRN Scholarly Paper No. ID 2325784). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2325784

[9] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[10] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[11] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[12] Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), 239.

[13] Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).

[14] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[15] Information Commissioner's Office. (2014). Big Data and Data Protection. Infomation Commissioner's Office. Retrieved May 20, 2015, from https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf

[16] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[17] The Chartered Institute for IT and Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things”. February 14^th 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[18] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[19] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[20] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[21] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[22] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[23] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[24] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[25] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[26] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[27] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[28] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[29] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[30] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[31] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[32] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[33] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[34] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[35] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1^st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2^nd 2015.

[36] European Data Protection Supervisor. Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy. March 2014. Available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf

[37] SC Magazine. Harmonised EU data protection and fines by the end of the year. June 25^th 2015. Available at: http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/. Accessed: August 8^th 2015.

[38] Tom Jowitt, “Digital Platforms to be Included in EU Cybersecurity Law”. TechWeek Europe. August 7^th 2015. Available at: http://www.techweekeurope.co.uk/e-regulation/digital-platforms-eu-cybersecuity-law-174415

[39] Adam Tanner. Data Brokers are now Selling Your Car's Location for $10 Online. July 10^th 2013. Available at: http://www.forbes.com/sites/adamtanner/2013/07/10/data-broker-offers-new-service-showing-where-they-have-spotted-your-car/

For more details visit https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things

Centre for Internet and Society

Indian PM Narendra Modi’s digital dream gets bad reception

Hits and Misses With the Draft Encryption Policy

Plain-text storage requirement

Regulatory design

And the good news is…

Open Governance and Privacy in a Post-Snowden World : Webinar

Govt presses 'undo' button on draft encryption policy

The Internet in the Indian Judicial Imagination

Introduction

The Internet and the Role of the Courts

The Early Internet and Judicial Perceptions

Private Actors and Public Interest

Shreya Singhal and Constitutionalizing the Internet

Conclusion

References

Data Flow in the Unique Identification Scheme of India

Data Capture

Document Storage, Back up and Sync

Transfer of Demographic and Biometric Data Collected to CIDR

Data De-duplication and Aadhar Generation at CIDR

August 2015 Bulletin

Highlights

Accessibility and Inclusion

NVDA and eSpeak

Access to Knowledge

Pervasive Technologies

Other (Copyright and Patent)

Wikipedia

FOSS

Internet Governance

Privacy

Big Data

Free Speech and Expression

Cyber Security

Telecom

Researchers at Work

News & Media Coverage

About CIS

Supreme Court Order is a Good Start, but is Seeding Necessary?

Introduction

What is Seeding?

How does the seeding process work?

What are the concerns with seeding?

How does the Supreme Court Order impact the seeding process and what still needs to be clarified?

Conclusion

Are we Throwing our Data Protection Regimes under the Bus?

Consent as a tool in Data Protection Regimes

The origins of consent in privacy and data protection

Consent, Big Data and Data protection

Consent places unrealistic and unfair expectations on the Individual

Secondary use, Aggregation and Superficial Consent

Other problems with the mechanism of consent in the context of Big Data

What can organisations do better to obtain more meaningful consent

Conclusion – how should regulation change

The Four Parts of Privacy in India

'We Need to Proactively Ensure that People Can't File Patents Representative of the Creativity of a FOSS Community'

Civil Society Organisations and Internet Governance in India - Open Review

Early Days

Key Organizations

Global and National Events

Internet Policies and Censorship

Reference

Civil Society Organisations and Internet Governance in Asia - Open Review

Preparations for the World Summit on the Information Society

Participation in the WSIS Process

Asian Civil Society Organizations at the IGFs

Internet Censorship and Civil Society Responses

Annexe – Tables

Table 1: Participation from Asian Countries and of representatives from Asian civil society organisations in IGFs, 2006-2010

Table 2: Internet Society Chapters in Asia

Reference

Security: Privacy, Transparency and Technology

Security and Privacy

Security and Transparency

Security and Technology

More Technology

Latest Technology

Complex Technology

Threat Scenarios and Possible Solutions