Centre for Internet and Society

Big Democracy: Big Surveillance - A talk by Maria Xynou

maria — 2013-12-12T10:23:21Z

Next Tuesday, Maria Xynou will be presenting her latest research on surveillance in India. Come and engage in a discussion on India's controversial surveillance schemes, surveillance industry and much much more!

And so we've heard a lot about the Edward Snowden leaks and about the NSA's controversial mass surveillance projects. But what's happening in India?

It turns out that the world's largest democracy has some of the most controversial surveillance schemes in the world! Some of India's laws, schemes, projects and technologies are unbeatable when it comes to mass surveillance, censorship and control. While India may be a developing country with issues ranging from poverty to corruption, it nonetheless appears to be at the forefront of surveillance on an international level.

Join us at the Centre for Internet and Society (CIS) on 3rd December 2013 to hear about India's surveillance laws, schemes and technologies and to engage in a discussion on the potential implications. All that is required is an open mind, critical thought and a will to challenge that which has not been challenged!

We look forward to seeing you all and to hearing your thoughts, ideas and opinions!

VIDEO

For more details visit https://cis-india.org/internet-governance/events/big-democracy-big-surveillance-a-talk-by-maria-xynou

Panel on Privacy, Surveillance & the UID in the post-Snowden era

praskrishna — 2013-11-26T19:05:54Z

The Centre for Internet and Society (CIS) and the Say No to UID campaign invite you to a discussion on the UID and on the implications of the world's largest biometric data collection scheme in a post-Snowden era. The panel will take place on November 30th at the Institution of Agricultural Technologists in Bangalore.

Probably one of the most important things that we learnt following the Edward Snowden revelations is that our data has value. In fact, what we learnt is that our data has immense value...since it is clearly worth billions of dollars — to say the least.

However, not only does India lack privacy legislation which could safeguard our data from potential abuse, but it is also currently implementing some of the most controversial surveillance schemes in the world, in addition to the world's largest biometric data collection scheme. What's probably more alarming is that such schemes, such as the UID, lack legal backing, as well as public and parliamentary debate!

We aim to change that. As such, the Centre for Internet and Society (CIS) and the Say No to UID campaign jointly invite you to attend a panel which will discuss all of these crucial topics.

Schedule of panel:

3.30pm - 4pm: Tea/Coffee/Refreshments & Registration

4pm - 5.30pm: Panel on Privacy, Surveillance & the UID in the post-Snowden era

5.30pm - 6pm: Q&A and Open Discussion

Panelists:

- Dr. Usha Ramanathan: Academic, Jurist and Activist

- K V Narendra: Director of Rezorce Research Foundation

- Vinay Baindur: Researcher on Urban Local Government & Decentralisation

- Maria Xynou: Policy Associate on the Privacy Project at the Centre for Internet & Society

For more details visit https://cis-india.org/events/panel-on-privacy-surveillance-uid-in-the-post-snowden-era

Seventh Privacy Round-table

elonnai — 2013-11-20T09:58:39Z

On October 19, 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation for Indian Chambers of Commerce and Industry, the Data Security Council of India, and Privacy International held a “Privacy Round-table” in New Delhi at the FICCI Federation House.

The Round-table was the last in a series of seven, beginning in April 2013, which were held across India.

Previous Privacy Round-tables were held in:

New Delhi: (April 13, 2013) with 45 participants;
Bangalore: (April 20, 2013) with 45 participants;
Chennai: (May 18, 2013) with 25 participants;
Mumbai, (June 15, 2013) with 20 participants;
Kolkata: (July 13, 2013) with 25 participants; and
New Delhi: (August 24, 2013) with 40 participants.

Chantal Bernier, Assistant Privacy Commissioner Canada, Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party, and Christopher Graham, Information Commissioner UK were the featured speakers for this event.

The Privacy Round-tables were organised to ignite spark in public dialogues and gain feedback for a privacy framework for India. To achieve this, the Privacy Protection Bill, 2013, drafted by the Centre for Internet and Society, Strengthening Privacy through Co-regulation by the Data Security Council of India, and the Report of the Group of Experts on Privacy by the Justice A.P. Shah committee were used as background documents for the Round-tables. As a note, after each Round-table, CIS revised the text of the Privacy Protection Bill, 2013 based on feedback gathered from the general public.

The Seventh Privacy Round-table meeting began with an overview of the past round-tables and a description of the evolution of a privacy legislation in India till date, and an overview of the Indian interception regime. In 2011, the Department of Personnel and Training drafted a Privacy Bill that incorporated provisions regulating data protection, surveillance, interception of communications, and unsolicited messages. Since 2010, India has been seeking data secure status from the European Union, and in 2012 a report was issued noting that the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules found under section 43A of the Information Technology Act, were not sufficient to meet EU data secure adequacy. In 2012, the Report of the Group of Experts on Privacy was published recommending a privacy framework for India and was accepted by the government, and the Department of Personnel and Training is presently responsible for drafting of a privacy legislation for India.

Presentation: Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Group

Jacob Kohnstamm, made a presentation on the privacy framework in the European Union. In his presentation, Khonstamm shared how history, such as the Second World War, shaped the present understanding and legal framework for privacy in the European Union, where privacy is seen as a fundamental human right. Kohnstamm also explained how over the years technological developments have made data gold, and subsequently, companies who process this data and create services that allow for the generation of more data are becoming monopolies. This has created an unbalanced situation for the individual consumer, where his or her data is being routinely collected by companies, and once collected — the individual loses control over the data. Because of this asymmetric relationship, data protection regulations are critical to ensure that individual rights are safeguarded.

Kohnstamm recognized the tension between stringent data protection regulations and security for the government, and the provision of services for businesses was recognized. However, he argued that the use of technology without regulation — for commercial reason or security reasons, can lead to harm. Thus, it is key that any regulation incorporate proportionality as a cornerstone to the use of these technologies to ensure trust between the individual and the State, and the individual and the corporation. This will also ensure that individuals are given the right of equality, and the right to live free of discrimination. Kohnstamm went on to explain that any regulation needs to ensure that individuals are provided the necessary tools to control their data and that a robust supervisory authority is established with enough powers to enforce the provisions, and that checks and balances are put in place to safeguard against abuse.

In response to a question asked about how the EU addresses the tension of data protection and national security, Kohnstamm clarified that in the EU, national security is left as a matter for member states to address but the main principles found in the EU Data Protection Directive also apply to the handling of information for national security purposes. He emphasized the importance of the creation of checks and balances. As security agencies are given additional and broader powers, they must also be subjected to stronger safeguards.

Kohnstamm also discussed the history of the fair trade agreement with India, and India’s request for data secure status. It was noted that currently the fair trade agreement between India and the EU is stalled, as India has asked for data secure status. For the EU to grant this status, it must be satisfied that when European data is transferred and processed in India and that it is subject to the same level of protections as it would be if it were processed in the EU. Without a privacy legislation in place, India’s present regime does not reflect the same level of protections as the EU regime. To find a way out of this ‘dead lock’, the EU and India have agreed to set up an expert group — with experts from both the EU and India to find a way in which India’s regime can be modified to meet EU date secure adequacy. As of date, no experts from the Indian side have been nominated and communicated to the EU.

Key Points:

Europe’s history has influenced the understanding and formulation of the right to privacy as a fundamental right.
Any privacy regulation must have strong checks and balances in place and ensure that individuals are given the tools to control their data.
India’s current regime does not meet EU data secure adequacy. Currently, the EU is waiting for India to nominate experts to work with the EU to find a way of the ‘dead lock’.

Discussion: National Security, Surveillance and Privacy

Opening the discussion up to the floor, it was discussed how in India, there is a tension between data protection and national security, as national security is always a blanket exception to the right to privacy. This tension has been discussed and debated by both democratic institutions in India and commercial entities. It was pointed out that though data protection is a new debate, national security is a debate that has existed in India for many years. It was also pointed out that currently there are not sufficient checks and balances for the powers given to Indian security agencies. One missing safeguard that the Indian regime has been heavily criticized for is the power of the Secretary of the Home Ministry to authorize interception requests, as having the authorization power vested in the executive leaves little space between interested parties seeking approval of interception orders, and could result in abuse or conflict of interest. With regards to the Indian interception regime, it was explained that currently there are five ways in which messages can be intercepted in India. Previously, the Law Commission of India had asked that amendments be made to both the Indian Post Office Act and the Indian Telegraph Act.

Moving the discussion to the Privacy Protection Bill, 2013 by CIS, in Chapter V “Surveillance and Interception of Communications” clause 34, the authorization of interception and surveillance orders is left to a magistrate. Previously, the authorization of interception orders rested with the Privacy Commissioner, but this model was heavily critiqued in previous round-tables, and the authorizing authority has been subsequently changed to a magistrate. Participants pointed out that the Bill should specify the level of the magistrate that will be responsible for the authorization of surveillance orders, and also raised the concern that the lower judiciary in India is not adequately functioning as the courts are overwhelmed, thus creating the possibility for abuse. Participants also suggested that perhaps data protection and surveillance should be de-linked from each other and placed in separate bills. This echoes public feedback from previous roundtables.

While discussing needed safeguards in an interception and surveillance regime for India, it was called out that transparency of surveillance, by both the government and the service providers as key safeguards to ensuring the protection of privacy, as it would enable individuals to make educated decisions about the services they choose to use and the extent of governmental surveillance. The need to bring in a provision that incorporated the idea of "nexus of surveillance" was also highlighted. It was also pointed out that in Canada, entities wanting to deploy surveillance in the name of public safety, must take steps to prove nexus. For example, the organization must empirically prove that there is a need for a security requirement, demonstrate that only data that is absolutely necessary will be collected, show how the technology will be effective, prove that there is not a less invasive way to collect the information, demonstrate security measures in place to ensure against loss and misuse, and the organizations must have in place both internal and external oversight mechanisms. It was also shared that in Canada, security agencies are regulated by the Office of the Canadian Privacy Commissioner, as privacy and security are not seen as separate matters. In the Canadian regime, because security agencies have more powers, they are also subjected to greater oversight.

Key Points:

The Indian surveillance regime currently does not have strong enough safeguards.
The concept of ‘nexus’ should be incorporated into the Privacy Protection Bill, 2013.
A magistrate, through judicial oversight for interception and surveillance requests, might not be the most effective authority for this role in India.

Presentation: Chantal Bernier, Deputy Privacy Commissioner, Canada

In her presentation, Bernier made the note that in the Canadian model there are multiple legislative initiatives that are separate but connected, and all provide a legislative basis for the right to privacy. Furthermore, it was pointed out that there are two privacy legislations in Canada, one regulating the private sector and the other regulating the public sector. It has been structured this way as it is understood that the relationship between individuals and business is based on consent, while the relationship between individuals and the state is based on human rights. Furthermore, aspects of privacy, such as consent are different in the public sector and the private sector. In her presentation, Bernier pointed out that privacy is a global issue and because of this, it is critical that countries have privacy regimes that can speak to each other. This does not mean that the regimes must be identical, but they must at the least be inter-operable.

Bernier described three main characteristics of the Canadian privacy regime including:

It is comprehensive and applies to both the public and the private sectors.
The right to privacy in Canada is constitutionally based and is a fundamental right as it is attached to personal integrity. This means that privacy is above contractual fairness. That said, the right to privacy must be balanced collectively with other imperatives.
The Canadian privacy regime is principle based and not rule based. This flexible model allows for quick adaption to changing technologies and societal norms. Furthermore, Bernier explained how Canada places responsibility and accountability on companies to respect, protect, and secure privacy in the way in which the company believes it can meet. Bernier also noted that all companies are responsible and accountable for any data that they outsource for processing.

Furthermore, any company that substantially deals with Canadians must ensure that the forum for which complaints etc., are heard is Canada. Furthermore, under the Canadian privacy regime, accountability for data protection rests with the original data holder who must ensure — through contractual clauses — that any information processed through a third party meets the Canadian level of protection. This means any company that deals with a Canadian company will be required to meet the Canadian standards for data protection.

Speaking to the governance structure of the Office of the Privacy Commissioner in Canada, Bernier explained that the OPC is a completely independent office and reports directly to the Parliament. The OPC hears complaints from both individuals and organizations. The OPC does not have any enforcement powers, such as finding a company, but does have the ability to "name" companies who are not in compliance with Canadian regulations, if it is in the public interest to do so. The OPC can perform audits upon discretion with respect to the public sector, and can perform audits on the private sector if they have reasonable grounds to investigate.

Bernier concluded her presentation with lessons that have been learned from the Canadian experience including:

The importance of having strong regulators.
Privacy regulators must work and cooperate together.
Privacy has become a condition of trade.
In today’s age, issues around surveillance cannot be underestimated.
Companies that have strong privacy practices now have a competitive advantage in place in today’s global market.
Privacy frameworks must be clear and flexible.
Oversight must be powerful to ensure proper protection of citizens in a world of asymmetry between individuals, corporations, and governments.

Key Points:

The Right to Privacy is a fundamental right in Canada.
The Canadian privacy regime regulates the public sector and the private sector, but through two separate legislations.
The OPC does not have the power to levy fines, but does have the power to conduct audits and investigations and ‘name’ companies who are not in compliance with Canadian regulations if it is in the public interest.

Discussion: The Data Protection Authority

Participants also discussed the composition of the Data Protection Authority as described in chapter IV of the Privacy Protection Bill. It was called out that the in the Bill, the Data Protection Authority might need to be made more independent. It was suggested that to avoid having the office of the Data Protection Authority be filled with bureaucrats, the Bill should specify that the office must be staffed by individuals with IT experience, lawyers, judges, etc. On the other hand it was cautioned, that though this might be useful to some extent, it might not be helpful to be overly prescriptive, as there is no set profile of what composition of employees makes for a strong and effective Data Protection Authority. Instead the Bill should ensure that the office of the Data Protection Authority is independent, accountable, and chosen by an independent selection board.

When discussing possible models for the framework of the Data Protection Authority, it was pointed out that there are many models that could be adopted. Currently in India the commission model is not flexible, and many commissions that are set up, are not effective due to funding and internal bureaucracy. Taking that into account, in the Privacy Protection Bill, 2013, the Data Protection Authority, could be established as a small regulator with an appellate body to hear complaints.

Key Points:

The Data Protection Authority established in the Privacy Protection Bill must be adequately independent.
The composition of the Data Protection Authority be diverse and it should have the competence to address the dynamic nature of privacy.
The Data Protection Authority could be established as a small regulator with an appellate body attached.

Presentation: Christopher Graham, Information Commissioner, United Kingdom

Christopher Graham, the UK Information Commissioner, spoke about the privacy regime in the United Kingdom and his role as the UK Information Commissioner. As the UK Information Commissioner, his office is responsible for both the UK Data Protection Act and the Freedom of Information Act. In this way, the right to know is not in opposition to the right to privacy, but instead an integral part.

Graham said that his office also provides advice to data controllers on how to comply with the privacy principles found in the Data Protection Act, and his office has the power to fine up to half a million pounds on non-compliant data controllers. Despite having this power, it is rarely used, as a smaller fine is usually sufficient enough for the desired effect. Yet, at the end of the day, whatever penalty is levied, it must be proportionate and risk based i.e., selective to be effective. In this way the regulatory regime should not be heavy handed but instead should be subtle and effective. In fact, one of the strongest regulators is the reality of the market place where the price of not having strong standards is innovation and economic growth. To this extent, Graham also pointed out that self regulation and co-regulation are both workable models, if there is strong enforcement mechanisms. Graham emphasized the fact that any data protection must go beyond, and cannot be limited to, just security.

Graham also explained that he has found that currently there is a lack of confidence in Indian partners. This is problematic as the Indian industry tries to grow with European partners. For example, he has been told that customers are moving banks because their previous bank’s back offices were located in India. Citing other examples of cases of data breaches from Indian data controllers, such as a call center merging the accounts of two customers and another call centre selling customer information, he explained that the lack of confidence in the Indian regime has real economic implications. Graham further explained that one difficulty that the office of the UK ICO is faced with, is that India does not have the equivalent of the ICO. Thus, when a breach does happen, it is unclear who can be approached in India about the breach.

Touching upon the issue of data adequacy with the EU, Graham noted that if data adequacy is a goal of India, the privacy principles as defined in the Directive and reflected in the UK Data Protection Act, must be addressed in addition to security. In his presentation, Graham emphasized the importance of India amending their current regime, if they want data secure status and spoke about the economic benefits for both Europe and India, if India does in fact obtain data secure status. In response to a question about why it is so important that India amend its laws, if in effect the UK has the ability to enforce the provisions of UK Data Protection Act, Graham clarified that most important is the rule of law, and according to UK law and more broadly the EU Directive, companies cannot transfer information to jurisdictions that do not have recognized adequate levels of protection. Thus, if companies still wish to transfer information to India, this must be done through binding corporate rules.

Another question which was put forth was about how the right to privacy differs from other human rights, and why countries are requiring that other countries to uphold the right to privacy to the same level, when, for example this is not practiced for other human rights such as children’s rights. In response Graham explained that data belongs to the individual, and when it is transferred to another country — it still belongs to the individual. Although the UK would like all countries to uphold the rights of children to the standard that they do, the UK is not exporting UK citizen’s children to India. Thus, as the Information Commissioner he has a responsibility to protect his citizen’s data, even when it leaves the UK jurisdiction. Graham explained further that in the history of Europe, the misuse of data to do harm has been a common trend, which is why privacy is seen as a fundamental right, and why it is paramount that European data is subject to the same level of protection no matter what jurisdiction it is in. India needs to understand that privacy is a fundamental right and goes beyond security, and that when a company processes data it does not own the data, the individual owns the data and thus has rights attached to it to understand why Europe requires countries to be ‘data secure’ before transferring data to them.

Key Points:

The UK Information Commissioners Office regulates both the right to information and privacy, and thus the two rights are seen as integral to each other.
Penalties must be proportionate and scalable to the offense.
Co-regulation and self-regulation can both be viable models to for privacy, but enforcement is key to them being effective.

Discussion: Collection of Data with Consent and Collection of Data without Consent

Participants also discussed the collection of data with consent and the collection of data without consent found in Chapter III of the Bill. When asked opinions about the circumstances when informed consent should not be required, it was pointed out that in the Canadian model, the option to collect information without consent only applies to the public sector if it is necessary for the delivery of a service by the government. In the private sector all collection of information requires informed and meaningful consent. Yet, collection of data without consent in the commercial context is an area that Canada is wrestling with, as there are instances, such as online advertising, where it is unreasonable to expect consent all the time. It was also pointed out that in the European Directive, consent is only one of the seven grounds under which data can be collected. As part of the conversation on consent, it was pointed out that the Bill currently does not take explicitly take into account the consent for transfer of information, and it does not address changing terms of service and if companies must re-take consent, or if providing notice to the individual was sufficient. The question about consent and additional collection of data that is generated through use of that service was also raised. For example, if an individual signs up for a mobile connection and initially provides information that the service provider stores in accordance to the privacy principles, does the service provider have an obligation to treat all data generated by the user while using the service of the same? The exception of disclosure without consent was also raised and it was pointed out that companies are required to disclose information to law enforcement when required. For example, telecom service providers must now store location data of all subscribers for up to 6 months and share the same when requested by law enforcement.

Key Points:

There are instances where expecting companies to have informed consent for every collection of information is not reasonable. Alternative models, based on — for example transparency — must be explored to address these situations.
The Privacy Protection Bill should explicitly address transfer of information to other countries.
The Privacy Protection Bill should address consent in the context of changing terms of service.

Discussion: Penalties and Offences

The penalties and offenses prescribed in chapter VI of the Privacy Protection Bill were discussed by participants. While discussing the chapter, many different opinions were voiced. For example, some participants held the opinion that offences and penalties should not exist in the Privacy Protection Bill, because in reality they are more likely than not to be effective. For example, when litigating civil penalties, it takes a long time for the money to be realized. Others argued that in India, where enforcement of any law is often weak, strong, clear, and well defined criminal penalties are needed. Another comment raised the point that a distinction should be made between breaches of the law by data controllers and breaches by rogue individuals — as the type of violation. For example, a breach by a data controller is often a matter identifying the breach and putting in place strictures to ensure that it does not happen again by holding the company accountable through oversight. Where as a breach by a rogue agent entails identifying the breach and the rogue agent and creating a strong enough penalty to ensure that they will not repeat the violation. Adding to this discussion, it was pointed out that in the end, scalability is key in ensuring that penalties are proportional and effective. It was also noted that in the UK, any fine that is levied is appealable. This builds in a system of checks and balances, and ensures that companies and individuals are not subject to unfair or burdensome penalties.

The possibility of incentivizing compliance, through rewards and distinctions, was discussed by participants. Some felt that incentivizing compliance would be more effective as it would give companies distinct advantages to incorporating privacy protections, while others felt that incentives can be included but penalties cannot be excluded, otherwise the provisions of the Privacy Protection Bill 2013 will not be enforceable. It was also pointed out that in the context of India, ideally there should be a mechanism to address the ‘leakages’ that happen in the system i.e., corruption. Though this is difficult to achieve, regulations could take steps like specifically prohibiting the voluntary disclosure of information by companies to law enforcement. Taking a sectoral approach to penalties was also suggested as companies in different sectors face specific challenges and types of breaches. Another approach that could be implemented is the statement of a time limit for data controllers and commissioners to respond to complaints. This has worked for the implementation of the Right to Information Act in India, and it would be interesting to see how it plays out for the right to privacy. Throughout the discussion a number of different possible ways to structure offenses and penalties were suggested, but for all of them it was clear that it is important to be creative about the type of penalties and not rely only on financial penalty, as for many companies, a fine has less of an impact than perhaps having to publicly disclose what happened around a data breach.

Key Points:

Penalties and offenses by companies vs. rogue agents should be separately addressed in the Bill.
Instead of levying penalties, the Bill should include incentives to ensure compliance.
Penalties for companies should go beyond fines and include mechanisms such as requiring the company to disclose to the public information about the breach.

Discussion: Cultural Aspects of Privacy

The cultural realities of India, and the subsequent impact on the perception of privacy in India were discussed. It was pointed out that India has a history of colonization, multiple religions and languages, ethnic tensions, a communal based society, and a large population. All of these factors impact understandings, perceptions, practices, and the effectiveness of different frameworks around privacy in India. For example, the point was raised that given India’s cultural and political diversity, having a principle based model might be too difficult to enforce as every judge, authority, and regulator will have a different perspective and agenda. Other participants pointed out that there is a lack of awareness around privacy in India, and this will impact the effectiveness of the regulation. It was also highlighted that anecdotal claims that cultural privacy in India is different, such as the fact that in India on a train everyone will ask you personal questions, and thus Indian’s do not have a concept of privacy, cannot influence how a privacy law is framed for India.

Key Points:

India’s diverse culture will impact perceptions of privacy and the implementation of any privacy regulation.
Given India’s diversity, a principle based model might not be adequate.
Though culture is important to understand and incorporate into the framing of any privacy regulation in India, anecdotal stories and broad assumptions about India’s culture and societal norms around privacy cannot influence how a privacy law is framed for India.

Conclusion

The seventh privacy round-table concluded with a conversation on the NSA spying and the Snowden Revelations. It was asked if domestic servers could be an answer to protect Indian data. Participants agreed that domestic servers are just a band aid to the problem. With regards to the Privacy Protection Bill it was clarified that CIS is now in the process of collecting public statements to the Bill and will be submitting a revised version to the Department of Personnel and Training. Speaking to the privacy debate at large, it was emphasized that every stakeholder has an important voice and can impact the framing of a privacy law in India.

For more details visit https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table

Consilience 2013 Report

praskrishna — 2013-11-20T06:14:01Z

For more details visit https://cis-india.org/internet-governance/blog/consilience-2013.pdf

Why 'Facebook' is More Dangerous than the Government Spying on You

maria — 2013-11-23T08:38:30Z

In this article, Maria Xynou looks at state and corporate surveillance in India and analyzes why our "choice" to hand over our personal data can potentially be more harmful than traditional, top-down, state surveillance. Read this article and perhaps reconsider your "choice" to use social networking sites, such as Facebook.

Do you have a profile on Facebook? Almost every time I ask this question, the answer is ‘yes’. In fact, I think the amount of people who have replied ‘no’ to this question can literally be counted on my right hand. But this is not an article about Facebook per se. It’s more about the ‘Facebooks’ of the world, and of people’s increasing “choice” to hand over their most personal data. More accurate questions are probably:

“Would you like the Government to go through your personal diary? If not, then why do you have a profile on Facebook?”

The Indian Surveillance State

Following Snowden ’s revelations, there’s finally been more talk about surveillance. But what is surveillance?

David Lyon - who directs the Surveillance Studies Centre - defines surveillance as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered”. Surveillance can also be defined as the monitoring of the behaviour, activities or other changing information of individuals or groups of people. However, this definition implies that individuals and/or groups of people are being monitored in a top-down manner, without this being their “choice”. But is that actually the case? To answer this question, let’s have a look at how the Indian government and corporations operating in India spy on us.

State Surveillance

The first things that probably come to mind when thinking about India from a foreigner’s perspective are poverty and corruption. Surveillance appears to be a “Western, elitist issue”, which mainly concerns those who have already solved their main survival problems. In other words, the most mainstream argument I hear in India is that surveillance is not a real issue, especially since the majority of the population in the country lives below the line of poverty and does not even have any Internet access. Interestingly enough though, the other day when I was walking around a slum in Koramangala, I noticed that most people have Airtel satellites...even though they barely have any clean water!

The point though is that surveillance in India is a fact, and the state plays a rather large role in it. In particular, Indian law enforcement agencies follow three steps in ensuring that targeted and mass surveillance is carried out in the country:

1. They create surveillance schemes, such as the Central Monitoring System (CMS ), which carry out targeted and/or mass surveillance

2. They create laws, guidelines and license agreements, such as the Information Technology (Amendment ) Act 2008, which mandate targeted and mass surveillance and which require ISP and telecom operators to comply

3. They buy surveillance technologies from companies, such as CCTV cameras and spyware, and use them to carry out targeted and/or mass surveillance

While Indian law enforcement agencies don’t necessarily follow these steps in this precise order, they usually try to create surveillance schemes, legalise them and then buy the gear to carry them out.

In particular, surveillance in India is regulated under five laws: the Indian Telegraph Act 1885, the Indian Post Office Act 1898, the Indian Wireless Telegraphy Act 1933, section 91 of the 1973 Code of Criminal Procedure (CrPc ) and the Information Technology (Amendment ) Act 2008. These laws mandate targeted surveillance, but remain silent on the issue of mass surveillance which means that technically it is neither allowed nor prohibited, but remains a grey legal area.

While surveillance laws in India may not mandate mass surveillance, some of their sections are particularly concerning. Section 69 of the Information Technology (Amendment ) Act 2008 allows for the interception of all information transmitted through a computer resource, while requiring that all users disclose their private encryption keys or face a jail sentence of up to seven years. This appears to be quite bizarre, as individuals can only keep their data private and protect themselves from surveillance through encryption.

Section 44 of the Information Technology (Amendment) Act 2008 imposes stiff penalties on anyone who fails to provide requested information to authorities - which kind of reminds us of Orwell’s totalitarian regime in “1984”. Furthermore, section 66A of the same law states that individuals will be punished for sending “offensive messages through communication services”. However, the vagueness of this section raises huge concerns, as it remains unclear what defines an “offensive message” and whether this will have grave implications on the freedom of expression. The arrest of two Indian women last November over a Facebook post reminds us of this.

Laws in India may not mandate mass surveillance, but guidelines and license agreements issued by the Department of Telecommunications do. In particular, the UAS License Agreement regarding the Central Monitoring System (CMS ) not only mandates mass surveillance, but also attempts to legalise a mass surveillance scheme which aims to intercept all telecommunications and Internet communications in India. Furthermore, the Department of Telecommunications has issued numerous guidelines and license agreements for ISPs and telecom operators, which require them to not only be “surveillance-friendly”, but to also enable law enforcement agencies to tap into their servers on the grounds of national security. And then, of course, there’s the new National Cyber Security Policy, which mandates surveillance to tackle cyber-crime, cyber-terrorism, cyber-war and cyber-vandalism.

As both a result and prerequisite of these laws, the Indian government has created various surveillance schemes and teams to aid them. In particular, India ’s Computer Emergency Response Team (CERT ) is currently monitoring “any suspicious move on the Internet” in order to checkmate any potential cyber attacks from hackers. While this may be useful for the purpose of preventing and detecting cyber-criminals, it remains unclear how “any suspicious move” is defined and whether that inevitably enables mass surveillance, without individuals’ knowledge or consent.

The Crime and Criminal Tracking and Network & Systems (CCTNS ) is the creation of a nationwide networking infrastructure for enhancing the efficiency and effectiveness of policing and sharing data among 14,000 police stations across the country. It has been estimated that Rs. 2000 crore has been allocated for the CCTNS project and while it may potentially increase the effectiveness of tackling crime and terrorism, it raises questions around the legality of data sharing and its potential implications on the right to privacy and other human rights - especially if such data sharing results in data being disclosed or shared with unauthorised third parties.

Similarly, the National Intelligence Grid (NATGRID ) is an integrated intelligence grid that will link the databases of several departments and ministries of the Government of India so as to collect comprehensive patterns of intelligence that can be readily accessed by intelligence agencies. This was first proposed in the aftermath of the Mumbai 2008 terrorist attacks and while it may potentially aid intelligence agencies in countering crime and terrorism, enforced privacy legislation should be a prerequisite, which would safeguard our data from potential abuse.

However, the most controversial surveillance scheme being implemented in India is probably the Central Monitoring System (CMS). While several states, such as Assam, already have Internet Monitoring Systems in place, the Central Monitoring System appears to raise even graver concerns. In particular, the CMS is a system through which all telecommunications and Internet communications in India will be monitored by Indian authorities. In other words, the CMS will be capable of intercepting our calls and of analyzing our data on social networking sites, while all such data would be retained in a centralised database. Given that India currently lacks privacy legislation, such a system would mostly be unregulated and would pose major threats to our right to privacy and other human rights. Given that data would be centrally stored, the system would create a type of “honeypot” for centralised cyber attacks. Given that the centralised database would have massive volumes of data for literally a billion people, the probability of error in pattern and profile matching would be high - which could potentially result in innocent people being convicted for crimes they did not commit. Nonetheless, mass surveillance through the CMS is currently a reality in India.

And the even bigger question: How can law enforcement agencies mine the data of 1.2 billion people? How do they even carry out surveillance in practice? Well, that’s where surveillance technology companies come in. In fact, the surveillance industry in India is massively expanding - especially in light of its new surveillance schemes which require advanced and sophisticated technology. According to CIS ’ India Privacy Monitor Map - which is part of ongoing research - Indian law enforcement agencies use CCTV cameras in pretty much every single state in India. The map also shows that Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are being used in most states in India and the DRDO ’s “Netra ” - which is a lightweight drone, not much bigger than a bird - is particularly noteworthy.

But Indian law enforcement agencies also buy surveillance software and hardware which is aimed at intercepting telecommunications and Internet communications. In particular, ClearTrail Technologies is an Indian company - based in Indore - which equips law enforcement agencies in India and around the world with surveillance software which can probably be compared with the “notorious” FinFisher. So in short, there appears to be a tight collaboration between Indian law enforcement agencies and the surveillance industry, which can be clearly depicted in the ISS surveillance trade shows, otherwise known as “the wiretappers’ ball”.

Corporate Surveillance

When I ask people about corporate surveillance, the answer I usually get is: “Corporations only care about their profit - they don’t do surveillance per se”. And while that may be true, David Lyon ’s definition of surveillance - as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” - may indicate otherwise.

Corporations, like Google, Amazon and Facebook, may not have an agenda for spying per se, but they do collect massive volumes of personal data and, in cases such as PRISM, allow law enforcement to tap into their servers. Once law enforcement agencies get hold of data collected by companies, such as Facebook, they then use data mining software - equipped by various surveillance technology companies - to process and mine the data. And how do companies, like Google and Facebook, make money off our personal data? By selling it to big buyers, such as law enforcement agencies.

So while Facebook and all the ‘Facebooks’ of the world may not profit from surveillance per se, they do profit from collecting our personal data and selling it to third parties, which include law enforcement agencies. And David Lyon argues that surveillance involves the collection of personal data - which corporations, like Facebook, do - for the purpose of influencing and managing individuals. While this last point can probably be widely debated on, it is clear that corporations share their collected data with third parties, which ultimately leads to the influence or managing of individuals - directly or indirectly. In other words, the collection of personal data, in combination with its disclosure to third parties, is surveillance. So when we think about companies, like Google or Facebook, we should not just think of businesses interested in their profit - but also of spying agencies. After all, “if the product is free , you are the product ”.

Now if we look at online corporations more closely, we can probably identify three categories:

1. Websites through which we buy products and hand over our personal details - e.g. Amazon

2. Websites through which we use services and hand over our personal details - e.g. flight ticket

3. Websites through which we communicate and hand over our personal details - e.g. Facebook

And why could the above be considered “spying” at all? Because such corporations collect massive volumes of personal data and subsequently:

- Disclose such data to law enforcement agencies

- Allow law enforcement agencies to tap into their servers

- Sell such data to “third parties”

What’s notable about so-called corporate surveillance is that, in all cases, there is a mutual, key element: we consent to the handing over of our personal information. We are not forced to hand over our personal data when buying a book online, booking a flight ticket or using Facebook. Instead, we “choose” to hand over our personal data in exchange for a product or service. Now what significantly differentiates state surveillance to corporate surveillance is the factor of “choice”. While we may choose to hand over our most personal details to large online corporations, such as Google and Facebook, we do not have a choice when the government monitors our communications, collects and stores our personal data.

State Surveillance vs. Corporate Surveillance

Both Indian law enforcement agencies and corporations collect massive volumes of personal data. In fact, it is probably noteworthy to mention that Facebook, in particular, collects 20 times more data per day than the NSA in total. In addition, Facebook has claimed that it has received more demands from the US government for information about its users than from all other countries combined. In this sense, the corporate collection of personal data can potentially be more harmful than government surveillance, especially when law enforcement agencies are tapping into the servers of companies like Facebook. After all, the Indian government and all other governments would have very little data to analyse if it weren’t for such corporations.

Surveillance is not just about “spying” or about “watching people” - it’s about much much more. Observing people’s behaviour only really becomes harmful when the data observed is collected, retained, analysed, shared and disclosed to unauthorised third parties. In other words, surveillance is meaningful to examine because it involves the analysis of data, which in turn involves pattern matching and profiling, which can potentially have actual, real-world implications - good or bad. But such analysis cannot be possible without having access to large volumes of data - most of which belong to large corporations, like Facebook. The question, though, is: How do corporations collect such large volumes of personal data, which they subsequently share with law enforcement agencies? Simple: Because we “choose” to hand over our data!

Three years ago, when I was doing research on young people’s perspective of Facebook, all of the interviewees replied that they feel that they are in control of their personal data, because they “choose” what they share online. While this may appear to be a valid point, the “choice” factor can widely be debated on. There are many reasons why people “choose” to hand over their personal data, whether to buy a product, use a service, to communicate with peers or because they feel socially pressured into using social networking sites. Nonetheless, it all really comes down to one main reason: convenience. Today, in most cases, the reason why we hand over our personal data online in exchange for products or services is because it is simply more convenient to do so. And while that is understandable, at the same time we are exposing our data (and ultimately our lives) in the name of convenience.

The irony in all of this is that, while many people reacted to Snowden ’s revelations on NSA dragnet surveillance, most of these people probably have profiles on Facebook. Secret, warrantless government surveillance is undeniably intrusive, but in the end of the day, our profiles on Facebook - and on all the ‘Facebooks’ of the world - is what enabled it to begin with. In other words, if we didn’t choose to give up our personal data - especially without really knowing how it would be handled - large databases would not exist and the NSA - and all the ‘NSAs’ of the world - would have had a harder time gathering and analysing data.

In short, the main difference between state and corporate surveillance is that the first is imposed in a top-down manner by authorities, while the second is a result of our “choice” to give up our data. While many may argue that it’s worse to have control imposed on you, I strongly disagree. When control and surveillance are imposed on us in a top-down manner, it’s likely that we will perceive this - sooner or later - as a direct threat to our human rights, which means that it’s likely that we will resist to it at some point. People usually react to what they perceive as a direct threat, whereas they rarely react to what does not directly affect them. For example, one may perceive murder or suicide as a direct threat due the immediateness of its effect, whereas smoking may not be seen as an equally direct threat, because its consequences are indirect and can usually be seen in the long term. It’s somehow like that with surveillance.

University students have protested on the streets against the installation of CCTV cameras, but how many of them have profiles on social networking sites, such as Facebook? People may react to the installation of CCTV cameras, because it may appear as a direct threat to their right to privacy. However, the irony is that the real danger does not necessarily lie within some CCTV cameras, but rather within the profile of each person on a major commercial social networking site. At very best, a CCTV camera will capture some images of us and through that, track our location and possibly our acquaintances. What type of data is captured through a simple, “harmless” Facebook profile? The following probably only includes a tiny percentage of what is actually captured:

- Personal photos

- Biometrics (possibly through photos)

- Family members

- Friends and acquaintances

- Habits, hobbies and interests

- Location (through IP address)

- Places visited

- Economic standing (based on pictures, comments, etc.)

- Educational background

- Ideas and opinions (which may be political, religious, etc.)

- Activities

- Affiliations

The above list could potentially go on and on, probably depending on how much - or what type - of data is disclosed by the individual. The interesting element to this is that we can never really know how much data we are disclosing, even if we think we control it. While an individual may argue that he/she chooses to disclose an x amount of data, while retaining the rest, that individual may actually be disclosing a 10x amount of data. This may be the case because usually every bit of data hides lots of other bits of data, that we may not be aware of. It all really comes down to who is looking at our data, when and why.

For example, (fictional) Priya may choose to share on her Facebook profile (through photos, comments, or any other type of data) that she is female, Indian, a Harvard graduate and that her favourite book is “Anarchism and other Essays ” by Emma Goldman. At first glance, nothing appears to be “wrong” with what Priya is revealing and in fact, she appears to care about her privacy by not revealing “the most intimate details” of her life. Moreover, one could argue that there is absolutely nothing “incriminating” about her data and that, on the contrary, it just reflects that she is a “shiny star” from Harvard. However, I am not sure if a data analyst would be restricted to this data and if data analysis would show the same “sparkly” image.

In theory, the fact that Priya is an Indian who attended Harvard reveals another bit of information, that Priya did not choose to share: her economic standing. Given that the majority of Indians live below the line of poverty, there is a big probability that Priya belongs to India’s middle class - if not elite. Priya may not have intentionally shared this information, but it was indirectly revealed through the bits of data that she did reveal: female Indian and Harvard graduate. And while there may not be anything “incriminating” about the fact that she has a good economic standing, in India this usually means that there’s also some strong political affiliation. That brings us to her other bit of information, that her favourite author is a feminist, anarchist. While that may be viewed as indifferent information, it may be crucial depending on the specific political actors in the country she’s in and on the general political situation. If a data analyst were to map the data that Priya chose to share, along with all her friends and acquaintances that she inevitably has through Facebook, that data analyst could probably tell a story about her. And the concerning part is that that story may or may not be true. But that doesn’t really matter.

Today, governments don’t judge us and take decisions based on our version of our data, but based on what our data says about us. And perhaps, under certain political, social and economic circumstances, our “harmless” data could be more incriminating than what we think. While an individual may express strong political views within a democratic regime, if that political system were to change in the future and to become authoritarian, that individual would possibly be suspicious in the eyes of the government - to say the least. This is where data retention plays a significant role.

Most companies retain data indefinitely or for a long period of time, which means that future, potentially less-democratic governments may have access to it. And the worst part is that we can never really know what data is being held about us, because within data analysis, every bit of data may potentially entails various other bits of data that we are not even aware of. So, when we “choose” to hand over our data, we don’t necessarily know what or how much we are choosing to disclose. Thus, this is why I agree with Bruce Schneier’s argument that people have an illusionary sense of control over their personal data.

Social network analysis software is specifically designed to mine huge volumes of data that is collected through social networking sites, such as Facebook. Such software is specifically designed to profile individuals, to create “trees of communication” around them and to match patterns. In other words, this software tells a story about each and every one of us, based on our activities, interests, acquaintances, and all other data. And as mentioned before, such a story may or may not be true.

In data mining, behavioural statistics are being used to analyse our data and to predict how we are likely to behave. When applied to national databases, this may potentially amount to predicting how masses or groups within the public are likely to behave and to subsequently control them. If a data analyst can predict an individual’s future behaviour - with some probability - based on that individuals’ data, the same could potentially occur on a mass, public level. As such, the danger within surveillance - especially corporate surveillance through which we voluntarily disclose massive amounts of data about ourselves - is that it appears to come down to public control.

According to security expert Bruce Schneier, data today is a byproduct of the Information Society. Unlike an Orwellian totalitarian state where surveillance is imposed in a top-down manner, surveillance today appears to widely exist because we indirectly choose and enable it (by handing over our data to online companies), rather than it being imposed on us in a solely top-down manner. However, contemporary surveillance may potentially be far worse than that described in Orwell’s “1984”, because surveillance is publicly perceived to be an indirect threat - if considered to be a threat at all. It is more likely that people will resist a direct threat, than an indirect threat, which means that the possibility of mass violations of human rights as a result of surveillance is real.

Hannah Arendt argued that a main prerequisite and component of totalitarian power is support by the masses. Today, surveillance appears to be socially integrated within societies which indicates that contemporary power fueled by surveillance has mass support. While the argument that surveillance is being socially integrated can potentially be widely debated on and requires an entire in depth research of its own, few simple facts might be adequate to prove it at this stage. Firstly, CCTV cameras are installed in most countries, yet there has been very little resistance - on the contrary, there appears to be a type of universal acceptance on the grounds of security. Secondly, different types of spy products exist in the market - such as Spy Coca Cola cans - which can be purchased by anyone online. Thirdly, countries all over the world carry out controversial surveillance schemes - such as the Central Monitoring System in India - yet public resistance to such projects is limited. And while one may argue that the above cases don’t necessarily prove that surveillance is being socially integrated, it would be interesting to look at a fourth fact: most people who have Internet access choose to share their personal data through the use of social networking sites.

Reality shows, such as Big Brother, which broadcast the surveillance of people’s lives and present it as a form of entertainment - when actually, I think it should be worrisome - appear to enable the social integration of surveillance. The very fact that we all probably - or, hopefully - know that Facebook can share our personal data with unauthorised third parties and - now, after the Snowden revelations - that governments can tap into Facebook’s servers, should be enough to convince us to delete our profiles. Yet, why do we still all have Facebook profiles? Perhaps because surveillance is socially integrated and perhaps because it is just convenient to be on Facebook. But that doesn’t change the fact that surveillance can potentially be a threat to our human rights. It just means that we perceive surveillance as an indirect threat and that we are unlikely to react to it.

In the long term, what does this mean? Well, it seems like we will probably be more acceptive towards more authoritarian power, that we will be used to the idea of censoring our own thoughts and actions (in the fear of getting caught by the CCTV camera on the street or the spyware which may or may not be implanted in our laptop) and that ultimately, we will be less politically active and more reluctant to challenge the authority.

What’s particularly interesting though about surveillance today is that it is fueled and enabled through our freedom of speech and general Internet freedom. If we didn’t have any Internet freedom - or as much as we do - we would have disclosed less personal data and thus surveillance would probably have been more restricted. The more Internet freedom we have, the more personal data we will disclose on Facebook - and on all the ‘Facebooks’ of the world - and the more data will potentially be available to mine, analyse, share and generally incorporate in the surveillance regime. So in this sense, Internet freedom appears to be a type of prerequisite of surveillance, as contradictory and ironic as it may seem. No wonder why the Chinese government has gone the extra mile in creating the Chinese versions of Facebook and Twitter - it’s probably no coincidence.

While we may blame governments for establishing surveillance schemes, ISP and TSP operators for complying with governments’ license agreements which often mandate that they create backdoors for spying on us and security companies for creating the surveillance gear in the first place, in the end of the day, we are all equally a part of this mess. If we didn’t choose to hand over our personal data to begin with, none of the above would have been possible.

The real danger in the Digital Age is not necessarily surveillance per se, but our choice to voluntarily disclose our personal data.

For more details visit https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you

Spy agencies, IB and RAW, put spanner in proposed privacy law

praskrishna — 2013-11-19T09:50:05Z

The country’s intelligence agencies are out to scuttle a law that’s being drafted to protect your privacy.

The article by Nagender Sharma and Aloke Tikku was published in the Hindustan Times on November 2, 2013. Sunil Abraham is quoted.

The Intelligence Bureau and the Research and Analysis Wing (RAW) have told the government to water down the proposed law that makes it a crime to leak sensitive personal information collected by government departments and the private sector.

The agencies conveyed their views to national security adviser Shivshankar Menon at a recent meeting at the prime minister’s office. With home secretary Anil Goswami backing the spooks, even arguing that “the very need for such a bill” should be reviewed, Menon has called for revisiting the provisions the agencies have objected to.

The Right to Privacy Bill 2013 lays down privacy principles and standards, and stipulates jail terms and fines for leak of sensitive personal data.

“If such a bill was to be considered, intelligence agencies should be exempted from its purview,” Goswami argued at the meeting.

The intelligence agencies also spoke about how the bill would “adversely affect or compromise” the functioning of many agencies and projects, such as the Central Monitoring System that is used to intercept phone calls and internet communication, and the National Intelligence Grid that would give law enforcement agencies access to information combat terror threats.

The proposed privacy law was initially conceptualised to address data privacy, particularly in the context of data handled by the Indian IT industry for foreign clients.

But the Department of Personnel and Training – that drew up the bill – expanded its scope to cover information collected by the government and interception by intelligence agencies.

Sunil Abraham of the Centre for Internet and Society, a Bangalore-headquartered advocacy group, said the security establishment’s attempts to scuttle the privacy law were a step back.

“Civil society isn’t against surveillance by security agencies. All that we ask for is due process and oversight,” Abraham said.

For more details visit https://cis-india.org/news/hindustan-times-november-2-2013-nagender-sharma-alok-tikku-spy-agencies-ib-and-raw-put-spanner-in-proposed-privacy-law

India must support UN's e-snooping move: Human rights activists

praskrishna — 2013-11-19T09:10:02Z

India is facing pressure from internet and human rights activists to support a United Nations resolution that calls for an end to electronic spying after revelations of mass illegal surveillance by the United States.

The article by Indu Nandakumar was published in the Economic Times on November 11, 2013. Sunil Abraham is quoted.

The resolution, jointly submitted by Brazil and Germany - vocal opponents of US cyber spying - urged UN member states to act against excessive surveillance. Records leaked by whistleblower Edward Snowden had exposed US eavesdropping on Brazil's President Dilma Rousseff and German Chancellor Angela Merkel.

Internet activists and experts said the world's largest democracy must join the resolution as a reaction to unfair surveillance by the US. Confidential documents from Snowden, a former US National Security Agency contractor showed India was one of the victims of US snooping.

"Decision-makers in India haven't made a principled stand on the issue. They are still debating and deliberating," said Oleg Demidov, program director for international information security and global internet governance at the Russian Center for Policy Studies.

Demidov said India was unlikely to join the resolution as it has strong language and measures that need to be implemented immediately. "Joining this would mean a big political step." The resolution, while not legally binding, can still be a formal vote against US spying. A senior government official in New Delhi said Brazil and Germany on Friday held consultations with all UN member states including India on the draft resolution.

India will take 'detailed' look

He said India will take a "detailed look" at the resolution over the coming days before deciding whether it wants to be part of it. Revelations about US government snooping on communication between governments and individuals has caused global outrage over the past few months.

Popular email and internet service providers locating their servers in the US makes tapping into communication lines easier for that country. Brazil is considering legislation that would require internet companies to store data locally.

Latest documents revealed by Snowden showed that NSA had been monitoring data that travels between servers of Yahoo and Google, thus accessing personal data of millions of internet users across the world, including Indian users. It had prompted strong reaction from Google, whose executive chairman Eric Schimdt called such snooping "outrageous."

A representative for the German federal foreign office said the resolution was submitted to "protect human rights in the digital age more effectively" and that all member states are invited to co-sponsor the resolution.

"Indians should press their own government to forcefully object to the United States' surveillance policies and demand that those policies be brought into conformity with international law," said Jameel Jaffer, deputy legal director of the American Civil Liberties Union, an influential civil rights union based in New York. Jaffer said while no one questions the US government's right to engage judicially supervised surveillance, "dragnet surveillance of entire populations is a severe and unnecessary infringement on the privacy of millions."

He said that reforming the policies of NSA would require pressure from outside the US, especially foreign governments.

The pushback against mass surveillance is taking place in the backdrop of India and US looking to strengthen their economic relationship. Issues such as the US immigration reform bill which is seen as detrimental by India's $75 billion softw are export industry, and India's nuclear liability law, which US companies find unreasonable, have been irritants in bilateral relations.

Another senior government official said India's stance on US surveillance has been soft as any discussion on the subject would bring India's Central Monitoring System into the spotlight. The system, similar to the US government's PRISM project, gives the government access to phone calls, text messages and even social media conversations of individuals.

Sunil Abraham, executive director of Bangalore based think-tank Centre for Internet and Society, said India must be a part of the efforts by Brazil and Germany.

"Surveillance needs to be addressed both at technological as well as policy levels." Former diplomat and foreign affairs expert G Parthasarathy acknowledged the need for international consensus to protect individual privacy but doubted whether snooping by governments will ever end.

"Yes, the Americans are over-doing it, but India cannot condemn it because we have been doing the same thing. India monitored conversations between (Pakistan army chief) Pervez Musharraf and his chief of general staff (Mohammed Aziz) during the Kargil conflict. The point is everyone does it, but Americans got caught."

For more details visit https://cis-india.org/news/economic-times-november-11-2013-indu-nandakumar-india-must-support-un-e-snooping-move

Human rights, freedom of expression and free flow of information on the Internet

praskrishna — 2013-11-09T03:38:59Z

This session will offer a multistakeholder overview of the current status of human rights, freedom of expression and free flow of information on the Internet. Pranesh Prakash was a speaker at this event.

Click to read the details posted on IGF website here.

The interactive discussion will touch upon many of the key issues that will be discussed in related workshops prior to the session and will give all stakeholders an equal platform to address issues related to human rights and the Internet to find points of consensus, points of convergence and points of further action/research/referral to other institutions or actors if appropriate.

Policy related questions that this session will address include:

What are/have been the main themes at the nexus of the Internet and human rights in 2013? What have been the policy responses? What are the key strategies and actions for responding to these themes?
What is working well to promote human rights, freedom of expression and the free flow of information on the Internet? What are areas for concern?
What HR standards can be applied in the digital environment?
The HRC adopted a milestone resolution in 2012, in which governments agreed that the same HR apply online as offline (Res 20/8). Do all stakeholders agree with this core concept? What is the relevance of this resolution to Internet public policy making? What has been the impact of the revelations of wide-spread mass surveillance been on taking the implications of this resolution forward?
How can all stakeholders, taking their different roles and responsibilities into account, respect, protect and promote human rights on the Internet nationally, regionally and globally?

Speakers:

Host Country Chair: Prof. Dr. Harkristuti Harkrisnowo (Director General of Human Right, Ministry of Law and Human Right)
Moderators: Anja Kovacs, Internet Democracy Project, New Delhi and Johan Hallenborg, Ministry of Foreign Affairs, Stockholm, supported by Anriette Esterhuysen, APC, Johannesburg.
Remote Moderator: TBC
Rapporteur: Joy Liddicoat, APC, Wellington (The rapporteur will summarise the session at the end and report into 'Taking Stock')

PART 1: Regional perspectives on human rights on the Internet [45 minutes]

To get the discussion going, the moderators will ask the following people to respond, from a regional perspective, to the question: What are/have been the main themes at the nexus of the Internet and human rights in 2013 in your region?

Eduardo Bertoni, CELE, University of Palermo, Buenos Aires
Fadlah Adams, South African Human Rights Commission, Cape Town
Gayathry Venkiteswaran, Executive Director, Southeast Asian Press Alliance, Bangkok
Jochai Ben-Avie, Access, New York
Moez Chakchouk, ATI, Tunis
Lee Hibbard, Council of Europe, Strasbourg

PART 2: Delving into specific issues [45 minutes]

What is working well to promote human rights, freedom of expression and the free flow of information on the Internet? What are areas for concern? What HR standards can be applied in the digital environment?
Potential Speakers from the Audience:

Freedom of expression: Guy Berger, UNESCO, Paris; Cynthia Wong, Human Rights Watch, Washington DC; Beryl Aidi, Kenyan Human Rights Commission, Nairobi; Ramiro Alvarez Ugarte, Association for Civil Rights, Buenos Aires.
Internet intermediary liability: Gbenga Sesan, Paradigm Initiative, Lagos; Zahid Jamil, Barrister-at-law, Karachi; Malcolm Hutty, LINX, London.
Sexual rights (rights of LGBT communities): Bishakha Datta, Point of View, New Delhi; Nadine Mouawad, EROTICS, Beirut.
Free flow of information, access to knowledge and IP issues: Stuart Hamilton, International Federation of Library Associations, The Hague; Nick Aston Hart, International Digital Economy Alliance (IDEA), Geneva; Pranesh Prakash, CIS, Bangalore; Claudio Ruiz, Derechos Digitales, Santiago.

Network neutrality (in terms of free flow of information): Lisl Brunner, GNI, US/Europe; Luca Belli, Dynamic Coalition on Net Neutrality, Tech and academic community, Europe; Paul Mitchell, Microsoft, US.

Surveillance and transborder access to data: global and national dimensions: Nicolas Seidler, ISOC, Geneva, Ross LaJeunesse, Global Head of Free Expression and International Relations, Google, Mountain View; Seth Bouvier, US Dept. of State, Government, Washington DC; Meryem Merzouki, EDRI (European Digital Rights), Paris.

PART 3: Input from IGF workshops, dynamic coalitions, open forums and other focus sessions [45 minutes]

Organisers of workshops etc. related to Human Rights will be asked to respond to further questions from the moderators, from the perspective of the outcome of their workshop/event.

How can all stakeholders, taking their different roles and responsibilities into account, respect, protect and promote human rights in Internet related public policy making nationally, regionally and globally?

What are some points of consensus; points of convergence; points of further action/research/referral to other institutions or actors that emerged from their sessions?

PART 4: Discussion and going forward [45 minutes]

The following questions will be addressed:

The Human Rights Council adopted a milestone resolution in which governments agreed that the same HR apply online as offline. Do all stakeholders agree with this core concept? What is the relevance of this resolution to Internet public policy making? What has been the impact of the revelations of wide-spread mass surveillance been on taking the implications of this resolution forward?

What do you think we should do next and what is the role of the IGF?

The rapporteur will be given 6 minutes at the end to summarise.

For more details visit https://cis-india.org/news/igf-2013-october-24-human-rights-freedom-of-expression-free-flow-of-information-on-internet

Interview with Caspar Bowden - Privacy Advocate and former Chief Privacy Adviser at Microsoft

maria — 2013-11-06T08:16:05Z

Maria Xynou recently interviewed Caspar Bowden, an internationally renowned privacy advocate and former Chief Privacy Adviser at Microsoft. Read this exciting interview and gain an insight on India's UID and CMS schemes, on the export of surveillance technologies, on how we can protect our data in light of mass surveillance and much much more!

Caspar Bowden is an independent advocate for better Internet privacy technology and regulation. He is a specialist in data protection policy, privacy enhancing technology research, identity management and authentication. Until recently he was Chief Privacy Adviser for Microsoft, with particular focus on Europe and regions with horizontal privacy law.

From 1998-2002, he was the director of the Foundation for Information Policy Research (www.fipr.org) and was also an expert adviser to the UK Parliament for the passage of three bills concerning privacy, and was co-organizer of the influential Scrambling for Safety public conferences on UK encryption and surveillance policy. His previous career over two decades ranged from investment banking (proprietary trading risk-management for option arbitrage), to software engineering (graphics engines and cryptography), including work for Goldman Sachs, Microsoft Consulting Services, Acorn, Research Machines, and IBM.

The Centre for Internet and Society interviewed Caspar Bowden on the following questions:

1. Do you think India needs privacy legislation? Why / Why not?

Well I think it's essential for any modern democracy based on a constitution to now recognise a universal human right to privacy. This isn't something that would necessarily have occurred to the draft of constitutions before the era of mass electronic communications, but this is now how everyone manages their lives and maintains social relationships at a distance, and therefore there needs to be an entrenched right to privacy – including communications privacy – as part of the core of any modern state.

2. The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why / Why not?

Although the majority of people in India are still living in conditions of poverty and don't have access to the Internet or, in some cases, to any electronic communications, that's changing very rapidly. India has some of the highest growth rates in take up with both mobile phones and mobile Internet and so this is spreading very rapidly through all strata of society. It's becoming an essential tool for transacting with business and government, so it's going to be increasingly important to have a privacy law which guarantees rights equally, no matter what anyone's social station or situation. There's also, I think, a sense in which having a right to privacy based on individual rights is much preferable to some sort of communitarian approach to privacy, which has a certain philosophical following; but that model of privacy - that somehow, because of a community benefit, there should also be a sort of community sacrifice in individual rights to privacy - has a number of serious philosophical flaws which we can talk about.

3. "I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally." Please comment.

Well, it's hard to know where to begin. Almost everybody in fact has “something to hide”, if you consider all of the social relationships and the way in which you are living your life. It's just not true that there's anybody who literally has nothing to hide and in fact I think that it's rather a dangerous idea, in political culture, to think about imposing that on leaders and politicians. There's an increasing growth of the idea – now, probably coming from America- that political leaders (and even their staff - to get hired in the current White House) should open up their lives, even to the extent of requiring officials to give up their passwords to their social network accounts (presumably so that they can be vetted for sources of potential political embarrassment in their private life). This is a very bad idea because if we only elect leaders, and if we only employ bureaucrats, who do not accord any subjective value to privacy, then it means we will almost literally be electing (philosophical) zombies. And we can't expect our political leaders to respect our privacy rights, if we don't recognise that they have a right to privacy in their own lives also. The main problem with the “nothing to hide, so nothing to fear” mantra is that this is used as a rhetorical tool by authoritarian forces in government and society, who simply wish to take a more paternalistic and protective attitude. This reflects a disillusionment within the “deep state” about how democratic states should function.

Essentially, those who govern us are given a license through elections to exercise power with consent, but this entails no abrogation of a citizen's duty to question authority. Instead, that should be seen as a civic duty - providing the objections are reasonable. People actually know that there are certain things in their lives that they don't wish other people to know, but by indoctrinating the “nothing to hide” ideology, it inculcates a general tendency towards more conformism in society, by inhibiting critical voices.

4. Should people have the right to give up their right to privacy? Why / Why not?

In European data protection law there is an obscure provision which is particularly relevant to medical privacy, but almost never used in the area of so-called sensitive personal data, like political views or philosophical views. It is possible currently for European governments to legislate to override the ability of the individual to consent. So this might arise, for example, if a foreign company sets up a service to get people to consent to have their DNA analysed and taken into foreign databases, or generally where people might consent to a big foreign company analysing and capturing their medical records. I think there is a legitimate view that, as a matter of national policy, a government could decide that these activities were threatening to data sovereignty, or that was just bad public policy. For example, if a country has a deeply-rooted social contract that guarantees the ability to access medical care through a national health service, private sector actors could try to undermine that social-solidarity basis for universal provision of health care. So for those sorts of reasons I do think it's defensible for governments to have the ability in those sectors to say: “Yes, there are areas where people should not be able to consent to give up their privacy!”

But then going back to the previous answer, more generally, commercial privacy policies are now so complicated – well, they've always been complicated, but now are mind-blowingly devious as well - people have no real possibility of knowing what they're consenting to. For example, the secondary uses of data flows in social networks are almost incomprehensible, even for technologists at the forefront of research. The French Data Protection authorities are trying to penalize Google for replacing several very complicated privacy policies by one so-called unified policy, which says almost nothing at all. There's no possible way for people to give informed consent to this over-simplified policy, because it doesn't even tell anything useful to an expert. So again in these circumstances, it's right for a regulator to intercede to prevent unfair exploitation of the deceptive kind of “tick-box” consent. Lastly, it is not possible for EU citizens to waive or trade away their basic right to access (or delete) their own data in future, because this seems a reckless act and it cannot be foreseen when this right might become essential in some future circumstances. So in these three senses, I believe it is proper for legislation to be able to prevent the abuse of the concept of consent.

5. Do you agree with India's UID scheme? Why / Why not?

There is a valid debate about whether it's useful for a country to have a national identity system of some kind - and there's about three different ways that can be engineered technically. The first way is to centralise all data storage in a massive repository, accessed through remote terminal devices. The second way is a more decentralised approach with a number of different identity databases or systems which can interoperate (or “federate” with eachother), with technical and procedural rules to enforce privacy and security safeguards. In general it's probably a better idea to decentralise identity information, because then if there is a big disaster (or cyber-attack) or data loss, you haven't lost everything. The third way is what's called “user-centric identity management”, where the devices (smartphones or computers) citizens use to interact with the system keep the identity information in a totally decentralised way.

Now the obvious objection to that is: “Well, if the data is decentralised and it's an official system, how can we trust that the information in people's possession is authentic?”. Well, you can solve that with cryptography. You can put digital signatures on the data, to show that the data hasn't been altered since it was originally verified. And that's a totally solved problem. However, unfortunately, not very many policy makers understand that and so are easily persuaded that centralization is the most efficient and secure design – but that hasn't been true technically for twenty years. Over that time, cryptographers have refined the techniques (the alogithms can now run comfortably on smartphones) so that user-centric identity management is totally achievable, but policy makers have not generally understood that. But there is no technical reason a totally user-centric vision of identity architecture should not be realized. But still the UID appears to be one of the most centralised large systems ever conceived.

There are still questions I don't understand about its technical architecture. For example, just creating an identity number by itself doesn't guarantee security and it's a classic mistake to treat an identifier as an authenticator. In other words, to use an identifier or knowledge of an identifier - which could become public information, like the American social security number – to treat knowledge of that number as if it were a key to open up a system to give people access to their own private information is very dangerous. So it's not clear to me how the UID system is designed in that way. It seems that by just quoting back a number, in some circumstances this will be the key to open up the system, to reveal private information, and that is an innately insecure approach. There may be details of the system I don't understand, but I think it's open to criticism on those systemic grounds.

And then more fundamentally, you have to ask what's the purpose of that system in society. You can define a system with a limited number of purposes – which is the better thing to do – and then quite closely specify the legal conditions under which that identity information can be used. It's much more problematic, I think, to try and just say that “we'll be the universal identity system”, and then you just try and find applications for it later. A number of countries tried this approach, for example Belgium around 2000, and they expected that having created a platform for identity, that many applications would follow and tie into the system. This really didn't happen, for a number of social and technical reasons which critics of the design had predicted. I suppose I would have to say that the UID system is almost the anithesis of the way I think identity systems should be designed, which should be based on quite strong technical privacy protection mechanisms - using cryptography - and where, as far as possible, you actually leave the custody of the data with the individual.

Another objection to this user-centric approach is “back-up”: what happens when you lose the primary information and/or your device? Well, you can anticipate that. You can arrange for this information to be backed-up and recovered, but in such a way that the back-up is encrypted, and the recovered copy can easily be checked for authenticity using cryptography.

6. Should Indian citizens be concerned about the Central Monitoring System (CMS)? Why / Why not?

Well, the Central Monitoring System does seem to be an example of very large scale “strategic surveillance”, as it is normally called. Many western countries have had these for a long time, but normally only for international communications. Normally surveillance of domestic communications is done under a particular warrant, which can only be applied one investigation at a time. And it's not clear to me that that is the case with the Central Monitoring System. It seems that this may also be applicable to mass surveillance of communications inside India. Now we're seeing a big controversy in the U.S - particularly at the moment - about the extent to which their international strategic surveillance systems are also able to be used internally. What has happened in the U.S. seems rather deceptive; although the “shell” of the framework of individual protection of rights was left in place, there are actually now so many exemptions when you look in the detail, that an awful lot of Americans' domestic communications are being subjected to this strategic mass surveillance. That is unacceptable in a democracy.

There are reasons why, arguably, it's necessary to have some sort of strategic surveillance in international communications, but what Edward Snowden revealed to us is that in the past few years many countries – the UK, the U.S, and probably also Germany, France and Sweden – have constructed mass surveillance systems which knowingly intrude on domestic communications also. We are living through a transformation in surveillance power, in which the State is becoming more able to monitor and control the population secretively than ever before in history. And it's very worrying that all of these systems appear to have been constructed without the knowledge of Parliaments and without precise legislation. Very few people in government even seem to have understood the true mind-boggling breadth of this new generation of strategic surveillance. And no elections were fought on a manifesto asking “Do people want this or not?”. It's being justified under a counter-terrorism mantra, without very much democratic scrutiny at all. The long term effects of these systems on democracies are really uncharted territory.

We know that we're not in an Orwellian state, but the model is becoming more Kafkaesque. If one knows that this level of intensive and automated surveillance exists, then it has a chilling effect on society. Even if not very much is publicly known about these systems, there is still a background effect that makes people more conformist and less politically active, less prepared to challenge authority. And that's going to be bad for democracy in the medium term – not just the long term.

7. Should surveillance technologies be treated as traditional arms / weapons? If so, should export controls be applied to surveillance technologies? Why / Why not?

Surveillance technologies probably do need to be treated as weapons, but not necessarily as traditional weapons. One probably is going to have to devise new forms of export control, because tangible bombs and guns are physical goods – well, they're not “goods”, they're “bads” - that you can trace by tagging and labelling them, but many of the “new generation” of surveillance weapons are software. It's very difficult to control the proliferation of bits – just as it is with copyrighted material. And I remember when I was working on some of these issues thirteen years ago in the UK – during the so-called crypto wars – that the export of cryptographic software from many countries was prohibited. And there were big test cases about whether the source code of these programs was protected under the US First Amendment, which would prohibit such controls on software code. It was intensely ironic that in order to control the proliferation of cryptography in software, governments seemed to be contemplating the introduction of strategic surveillance systems to detect (among other things) when cryptographic software was being exported. In other words, the kind of surveillance systems which motivated the “cypherpunks” to proselytise cryptography, were being introduced (partly) with the perverse justification of preventing such proliferation of such cryptography!

In the case of the new, very sophisticated software monitoring devices (“Trojans”) which are being implanted into people's computers – yes, this has to be subject to the same sort of human rights controls that we would have applied to the exports of weapon systems to oppressive regimes. But it's quite difficult to know how to do that. You have to tie responsibility to the companies that are producing them, but a simple system of end-user licensing might not work. So we might actually need governments to be much more proactive than they have been in the past with traditional arms export regimes and actually do much more actively to try and follow control after export – whether these systems are only being used by the intended countries. As for the law enforcement agencies of democratic countries which are buying these technologies: the big question is whether law enforcement agencies are actually applying effective legal and operational supervision over the use of those systems. So, it's a bit of a mess! And the attempts that have been made so far to legislate this area I don't think are sufficient.

8. How can individuals protect their data (and themselves) from spyware, such as FinFisher?

In democratic countries, with good system of the rule of law and supervision of law enforcement authorities, there have been cases – notably in Germany – where it's turned out that the police using techniques, like FinFisher, have actually disregarded legal requirements from court cases laying down the proper procedures. So I don't think it's good enough to assume that if one was doing ordinary lawful political campaigning, that one would not be targeted by these weapons. So it's wise for activists and advocates to think about protecting themselves – of course, other professions as well who look after confidential information – because these techniques may also get into the hands of industrial spies, private detectives and generally by people who are not subject to even the theoretical constraints of law enforcement agencies.

After Edward Snowden's revelations, we understand that all our computer infrastructure is much more vulnerable – particularly to foreign and domestic intelligence agencies – than we ever imagined. So for example, I don't use Microsoft software anymore – I think that there are techniques which are now being sold to governments and available to governments for penetrating Microsoft platforms and probably other major commercial platforms as well. So, I've made the choice, personally, to use free software – GNU/Linux, in particular – and it still requires more skill for most people to use, but it is much much easier than even a few years ago. So I think it's probably wise for most people to try and invest a little time getting rid of proprietary software if they care at all about societal freedom and privacy. I understand that using the latest, greatest smartphone is cool, and the entertainment and convenience of Cloud and tablets – but people should not imagine that they can keep those platforms secure.

It might sound a bit primitive, but I think people should have to go back to the idea that if they really want confidential communications with their friends, or if they are involved with political work, they have to think about setting aside one machine - which they keep offline and just use essentially for editing and encrypting/decrypting material. Once they've encrypted their work on their “air gap” machine, as it's called, then they can put their encrypted emails on a USB stick and transfer them to their second machine which they use to connect online (I notice Bruce Schneier is just now recommending the same approach). Once the “air gap” machine has been set up and configured, you should not connect that to the network – and preferably, don't connect it to the network, ever! So if you follow those sorts of protocols, that's probably the best that is achievable today.

9. How would you advise young people working in the surveillance industry?

Young people should try and read a little bit into the ethics of surveillance and to understand their own ethical limits in what they want to do, working in that industry. And in some sense, I think it's a bit like contemplating a career in the arms industry. There are defensible uses of military weapons, but the companies that build these weapons are, at the end of the day, just corporations maximizing value for shareholders. And so, you need to take a really hard look at the company that you're working for or the area you want to work in and satisfy your own standard of ethics, and that what you're doing is not violating other people's human rights. I think that in the fantastically explosive growth of surveillance industries that we've seen over the past few years – and it's accelerating – the sort of technologies particularly being developed for electronic mass surveillance are fundamentally and ethically problematic. And I think that for a talented engineer, there are probably better things that he/she can do with his/her career.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate

NSA leaks helping India become 'Big Brother' state?

praskrishna — 2013-11-19T09:45:13Z

While the US and Britain fend off accusations of Big Brother-style spying, other countries are learning lessons from fugitive ex-US intelligence contractor Edward Snowden's leaks and, critics say, developing the same kind of mass-surveillance.

This post was published in BBC on October 31, 2013. Sunil Abraham is quoted.

India is one of those in the frame.

Its authorities are bringing in new measures against foreign cyber-snooping, including a plan to move internet traffic inside its borders and banning officials from using Gmail and other external email services.

Simultaneously, campaigners say the Indian government is loosening controls on electronic snooping by its own spies.

It is also stepping up efforts to build its own mass-surveillance system, which critics have dubbed "India's PRISM" - a reference to one of the US spy programmes revealed by Mr Snowden.

This is the downside of Mr Snowden's leaks, says Sunil Abraham of the Centre for Internet and Society, an Indian advocacy group.

"Governments like India are now cherry-picking the worst practices, in a race for the bottom in terms of human rights".

Documents released by Mr Snowden to journalist Glenn Greenwald showed America's National Security Agency (NSA) was hoovering up billions of chunks of Indian data, making the country its fifth most important target worldwide.

'Not actually snooping'

But unlike other states that have discovered the US is siphoning off their secrets, India has conspicuously avoided joining the chorus of criticism. That may be because it doesn't want to draw attention to its own activities.

Its foreign minister Salman Khurshid even appeared to excuse American monitoring, saying it "was not actually snooping".

When the German chancellor Angela Merkel erupted over reports the NSA had been bugging her mobile phone, the Indian prime minister's office was untroubled by the possibility he too had been targeted.


Indian PM Manmohan Singh does not use a mobile phone or Gmail, his spokesman says

"There are no concerns", a spokesman for Manmohan Singh told the BBC, because "he does not use a mobile phone or Gmail".

Many Indian officials do. But from this December the government is planning to bar them from using their private email accounts for any official business - in direct response to evidence of US prying. Instead, they will have to use government email.

The latest reports of even deeper NSA penetration of Google is likely to further spur such moves.

It won't be an easy change to make though, judging from the BBC's own experiences dealing with Indian officials. Many prefer to use Gmail or Yahoo rather than their official accounts because the government email system so often crashes.

More ambitious still is a plan to bring all internal Indian internet traffic inside its borders. Currently, an email sent from say Delhi to Calcutta is more likely to travel via the US or Europe, partly because of the way the internet is designed but also because of a lack of Indian capacity.

But at a summer meeting to assess Mr Snowden's leaks, one of India's security chiefs called for "100%" of emails and files sent between Indians to stay in the country to limit snooping by "foreign elements".

As other governments take similar measures, these changes may not just mean a tougher job for spies but also a more fragmented internet under tighter state control.

Critics say India was already on the road to creating a Big Brother state, long before anyone had heard of Edward Snowden.

Their biggest concern is a secret mass-surveillance project the government has reportedly been building for the past few years. The Central Monitoring System (CMS) is supposed to give security agencies the ability to listen or record all communications nationwide and track individuals, in real time - like some of the US programmes that have been revealed.

If the few details that have emerged are correct, Indian cyber-spies would have even more freedom, bypassing internet and telecom companies and tapping straight into the cables and servers carrying the traffic.

Mirroring America's defence of its spying programmes, the government says the monitoring system is to protect against terrorists and other national security threats. But a lack of concrete information has only heightened fears about its intentions.

A draft privacy bill which was supposed to allay some concerns has been watered down in the light of Mr Snowden's revelations.

According to Sunil Abraham, "India's intelligence agencies argued: Look at what the US can do. Why curtail what we can do?"

In any case, India's spies are not troubled by any parliamentary or judicial oversight. In the world's largest democracy, the intelligence agencies still report straight to the prime minister and the home minister.

India needs to "protect its sovereign rights", says Pavan Duggal, a Supreme Court advocate and cyber-law specialist. But these are "unprecedented powers".

Right now, these are minority concerns in India, which is far more consumed with the early political sparring before next year's elections.

Meanwhile, the Indian government is learning many lessons from the NSA's troubles. But Mr Duggal says, "Sooner or later it will have to address the issue of greater accountability."

For more details visit https://cis-india.org/news/bbc-october-31-2013-nsa-leaks-helping-india-become-big-brother-state

October 2013 Bulletin

praskrishna — 2014-01-04T04:31:01Z

Our newsletter for the month of October 2013 can be accessed below.

Highlights

The National Resource Kit team is pleased to bring you its research for the states of Delhi, Madhya Pradesh and Arunachal Pradesh, and the Union Territory of Daman and Diu.
The Department of Electronics and Information Technology invited comments on the Framework on the proposed adoption of Open Source Software in E-Governance Systems. CIS gave its feedback.
The Access to Knowledge team in collaboration with the Goa University re-released the Konkani Vishwakosh under Creative Commons License CC-BY-SA-3.0.
Sunil Abraham, Pranesh Prakash and Chinmayi Arun participated in the Internet Governance Forum held in Bali, Indonesia from October 21 to 25. Overall CIS spoke in 7 panels.
In an article on Spy Files, Maria Xynou examines the legality of India’s surveillance technologies and their potential connection to India’s central monitoring system.
A clause-by-clause comments on the Working draft version of the Human DNA Profiling Bill, 2012 was sent to the Ministry of Science and Technology.
CIS started the first Privacy Watch in India. The map includes data on the UID, NPR and CCTNS schemes, installation of CCTV cameras and the use of drones throughout the country.

Accessibility

As part of our project (under a grant from the Hans Foundation) on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India, we bring you draft chapters for the states of Madhya Pradesh and Arunachal Pradesh, and the union territory of Daman and Diu. With this we have completed compilation of draft chapters for 24 states and 5 union territories. Feedback and comments are invited from readers for the following chapters:

National Resource Kit

The Daman and Diu Chapter (by Anandhi Viswanathan, October 28, 2013).
The Arunachal Pradesh Chapter (by CLPR, October 29, 2013).
The Madhya Pradesh Chapter (by Anandhi Viswanathan, October 30, 2013).
The Delhi Chapter (by Anandhi Viswanathan, October 31, 2013).

Note: All of these are early drafts and will be reviewed and updated.

Survey (Other Organisation)

Accessibility of Banks and Financial Services Institutions: A Global Survey (posted by Nilofar Ansher, October 20, 2013). G3ict and Scotiabank, requests senior managers, COO / CEOs, Managing Directors, IT Directors, HR Directors, and accessibility professionals from banks and financial services companies to participate.

Blog Entry

Bengali eSpeak Aids in Disaster Management (by Anirudh Sridhar, October 15, 2013).

Access to Knowledge

The Access to Knowledge programme addresses the harms caused to consumers and human rights, and critically examines Open Government Data, Open Access to Scholarly Literature, and Open Access to Law, Open Content, Open Standards, and Free/Libre/Open Source Software. We produced a column in the Economic and Political Weekly, submitted our feedback on Framework on Open Source Software Adoption in E-Governance Systems, and conducted 3 Wikipedia workshops:

Article

The Fight for Digital Sovereignty (by Sunil Abraham, Economic and Political Weekly, Vol-XLVIII No. 42, October 19, 2013).

Blog Entries

Mobile Phone Patents: Prior Art Survey (by Nehaa Chaudhari, October 23, 2013).
Ambiguity in the App Store: Understanding India’s emerging IT sector in light of IP (by Samantha Cassar, October 24, 2013).

Submission

Feedback on the Framework on OSS Adoption in E-Governance Systems (by Nehaa Chaudhari, October 26, 2013). In September, 2013, the DeitY invited comments on the Framework on the proposed adoption of Open Source Software in E-Governance Systems. CIS gave its feedback.

Events Participated In

OSOD 2013: International Workshop on Open Science and Open Data (organised by Indian Statistical Institute, Bangalore, October 7, 2013). Nehaa Chaudhari participated as a panelist and gave a presentation on Government Accessibility and Copyright Conundrum.

National Conference on Opening up by Closing the Circle: Strengthening Open Access in India (co-organised by UNESCO, Central Library, Jawaharlal Nehru University and the Commonwealth Educational Media Centre for Asia, October 21, 2013). Nehaa Chaudhari was a panelist in the discussion on "Why Open Access?". She gave a presentation on 'Pondering Copyright and Recasting Openness'.

Note: The following has been done under grant from the Wikimedia Foundation (http://bit.ly/SPqFOl). As part this project (http://bit.ly/X80ELd), we held 3 Wikipedia workshops in October:

Event Co-organised

Re-release of Konkani Vishwakosh under CC-BY-SA 3.0 (organised by Goa University and CIS-A2K, Goa University Conference Hall, September 26, 2013). Nitika Tandon has blogged about the event.

Events Organised

Workshop on Wikipedia in the Indian Undergraduate Language Classrooms (October 1, 203, Christ University, Bangalore). Dr. U.B. Pavanaja conducted the workshop.
Train the Trainer — Four-day long Residential Programme (October 3 – 6, 2013, CEO Center, Gubbi, Bangalore. CIS-A2K Team conducted the workshop. Seventeen people participated in the event.
Konkani Vishwakosh Digitization (Goa University, October 19-20, 2013). CIS-A2K team conducted the workshop. Thirty-seven people participated in the event.

Events Participated In

Re-sourcing Indian Cinema: Humanities Research, New Archives and Collaborative Knowledge Production (organised by the Centre for Contemporary Studies and the Centre for Study of Culture and Society, October 29, 2013). T. Vishnu Vardhan gave a talk on “Let Cinephiles Collaborate: Pleasures and Perils of Indian Film History on Wikipedia”.

Media Coverage

CIS gave its inputs for the following media coverage:

Mangalore: Konkani writers resolve to form all-India forum at JKS conference (Daijiworld, October 1, 2013).
Wikipedia in Indian Languages on Mobile Phones (by Megha Prakash, Sci Dev Net, October 15, 2013).
कोंकणी विश्‍वकोश ‘विकिपीडिया’वर (Navprabha Daily, October 22, 2013). A detailed article about the digitalization of Konkani Vishwakosh.

Internet Governance

CIS is doing a project (under a grant from Privacy International and International Development Research Centre (IDRC)) on conducting research on surveillance and freedom of expression (SAFEGUARDS). So far we have organised seven privacy round-tables and drafted the Privacy (Protection) Bill. This month we bring you clause-by-clause comments on the Human DNA Profiling Bill, 2012, and a map monitoring privacy in India. As part of its project (funded by Citizen Lab, Munk School of Global Affairs, University of Toronto and support from the IDRC) on mapping cyber security actors in South Asia and South East Asia we did an interview with Anja Kovacs on cyber security. With this we have completed a total of 10 video interviews:

Internet Governance Forum

Sunil Abraham, Pranesh Prakash and Chinmayi Arun participated in the Internet Governance Forum held in Bali, Indonesia in the month of October. Overall, CIS spoke in 7 panels:

Charting the Charter: Internet Rights and Principles Online (organised by IRP Coalition, October 22, 2013). Pranesh Prakash was a panelist.
Fair process frameworks for cross-border online spaces (organised by the Internet & Jurisdiction Project, Civil Society of France, Western Europe and Others Group and Internet & Jurisdiction Project, Civil Society of Germany, Western Europe and Others Group, October 22, 2013). Sunil Abraham and Chinmayi Arun were panelists for this workshop.
Removing Barriers to Connectivity: Connecting the Unconnected (organised by Internet Society and ETNO, October 23, 2013). Pranesh Prakash was a panelist.
FOSS: Smart Choice for Developing Countries (organised by TechNation and Open Source Alliance of Central Asia, October 23, 2013). Sunil Abraham spoke on FOSS and IT Growth Policies in South Asia.
Privacy: from regional regulations to global connections? (organised by Internet Society, Bali, October 24, 2013). Sunil Abraham was one of the panelists.
Human rights, freedom of expression and free flow of information on the Internet (a Focus Session on Openness, October 24, 2013). Pranesh Prakash was a speaker at this event.
Taking Stock: Emerging Issues - Internet Surveillance (a session on Internet Surveillance, October 25, 2013). Pranesh Prakash made intervention in this session.
Tweets from Bali IGF 2013: To enable research by those who didn't want to mess around with Twitter's APIs, CIS has made available tweets from the IGF as downloadable .CSV files.

Privacy

Magazine Article

What India can Learn from the Snowden Revelations (by Elonnai Hickok, Yahoo, October 23, 2013). The title of the article was changed in the version published by Yahoo.

Blog Entries

Concerns Regarding DNA Law (by Bhairav Acharya, October 9, 2013): http://bit.ly/1aoxXM9.
Interview with Big Brother Watch on Privacy and Surveillance (by Maria Xynou, October 15, 2013): http://bit.ly/1cRDMbV.
Interview with Bruce Schneier (by Maria Xynou, October 17, 2013): http://bit.ly/GS6oDX.
An Interview with the Tactical Technology Collective (by Maria Xynou, October 18, 2013): http://bit.ly/1i1lVNo.
Interview with Dr. Alexander Dix (by Maria Xynou, October 23, 2013): http://bit.ly/1a7dgtQ.
Open Letter to Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee (by Elonnai Hickok, October 23, 2013): http://bit.ly/17eZntz.
An Interview with Jacob Kohnstamm (by Elonnai Hickok, October 25, 2013): http://bit.ly/17NcQmD.
Spy Files 3: WikiLeaks Sheds More Light on the Global Surveillance Industry (by Maria Xynou, October 25, 2013): http://bit.ly/1d6EmjD.

Comments

Re: The Human DNA Profiling Bill, 2012 (by Bhairav Acharya, October 9, 2013). CIS provided clause-by-clause comments on the on the Working Draft version of the Human DNA Profiling Bill: http://bit.ly/17Jpp63.

Announcement

The India Privacy Monitor Map (by Maria Xynou with assistance from Srinivas Atreya, October 9, 2013). CIS has started a first of its kind Privacy Watch in India. The map includes data on the UID, NPR and CCTNS schemes, as well as on the installation of CCTV cameras and the use of drones throughout the country: http://bit.ly/19A5mCZ.

Event Organised

Privacy Round-table, New Delhi (organised by FICCI, DSCI and CIS, FICCI, Federation House, Tansen Marg, New Delhi, October 19, 2013): http://bit.ly/GAsStr.

Event Participated In

'Free Speech and Media in South Asia: Human Rights Concerns in a Globalizing World (organised by the Programme in Comparative Media Law and Policy, Centre for Socio-Legal Studies, University of Oxford, in collaboration with the Centre for Media and Governance, National Law University, Delhi, Oxford University, October 25, 2013). Chinmayi Arun spoke about “Privacy and Surveillance in India” in a panel discussion: http://bit.ly/18bRGi5.

Cyber Security

Laird Brown, a strategic planner and writer with core competencies on brand analysis, public relations and resource management and Purba Sarkar who in the past worked as a strategic advisor in the field of SAP Retail are working in this project:

Part 11: An Interview with Anja Kovacs (October 15, 2013): http://bit.ly/15EAZOE.

Other IG Updates
Event Organised

Mapping Digital Media: Broadcasting, Journalism and Activism in India (co-organised by Alternative Law Forum, Maraa and CIS, Bangalore International Centre, October 27, 2013). Samantha Cassar has blogged about the event: http://bit.ly/17EVtdw. It was covered by the New Indian Express (http://bit.ly/1dGENE6) and Hindu (http://bit.ly/1bcVUIU) on October 28.

Events Participated In

Religious Pluralism and the Tensions between Freedom of Expression and Respect for the 'Other’ (organised by Reset-Dialogues on Civilizations project, in cooperation with Jamia Millia Islamia, India Habitat Centre, New Delhi, October 10, 2013). Chinmayi Arun was a speaker at the session on “Democracy and the Tension between Freedom of Speech and Respect for the Other’s Religion, Culture, Identity, India and Europe”: http://bit.ly/194dtI7.
Fragmentation in a Democracy: The Role of Social Movements and the Media (organised by the Observer Research Foundation, Delhi and Rosa Luxemburg Stiftung, Berlin at Observer Research Foundation, New Delhi, October 16, 2013). Sunil Abraham was a panelist in the session on “Impact of Media, Social Media & Technology on Democracy / Governance”: http://bit.ly/17e3PZ9.
Internet, Mobile & Digital Economy Conference (IMDEC) 2013 (organised by FICCI, in association with the Ministry of Communications & IT, Government of India, New Delhi, October 25, 2013). Sunil Abraham participated as a speaker in the session on "The Internet We Want: A Multistakeholder Approach": http://bit.ly/1b8QHDD.

New and Media Coverage

CIS gave its inputs to the following media coverage:

Decline in web freedom steepest in India: Report (by Javed Anwer, The Times of India, October 3, 2013): http://bit.ly/1cVOJ99.
Google survey: 37% of urban Indian voters are online (by Anuja and Moulishree Srivastava, Livemint, October 8, 2013): http://bit.ly/1gtqqDY.
The quest for genuine clout on the internet (by Karthik Subramanian, October 13, 2013): http://bit.ly/1b8TdKa.
India believes in Complete Freedom of Cyber Space: Kapil Sibal (by Elizabeth Roche, Livemint, October 14, 2013): http://bit.ly/1fZgwd1.
Location Tracking: Why the Govt-Mobile Manufacturer War Won’t End Soon (by Danish Raza, FirstPost, October 15, 2013): http://bit.ly/HkIvF7.
Bouquets & brickbats for Google's new privacy policy (by Indu Nandakumar, Economic Times, October 18, 2013): http://bit.ly/18Rzkqm.
Bali meet to discuss Internet governance issues (by Moulishree Srivastava, October 22, 2013): http://bit.ly/17I4r3M.
Indian politicians yet to tap voters online: CIS’s Abraham (by Venkatesh Upadhyay, Livemint, October 22, 2013): http://bit.ly/17HRV4s.
Beyond the Searchlight (by Debarshi Dasgupta, October 23, 2013): http://bit.ly/17IitlZ.
Nowhere to hide: Govt making your personal details public (by FirstPost editors, FirstPost, October 28, 2013): http://bit.ly/1dGE6KJ.
Your private data may be online, courtesy govt (by Somesh Jha and Surabhi Agarwal, Business Standard, October 29, 2013): http://bit.ly/HpQRMp.
Saving privacy as we knew it (by Somesh Jha and Surabhi Agarwal, Business Standard, October 29, 2013): http://bit.ly/16HNYwu.
E-governance hopes rise as India crosses 1 billion transactions (by J Srikant, Economic Times, October 29, 2013): http://bit.ly/1cnJIKd.

Digital Humanities

CIS is building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia:

Events Participated In

GFM 2013 (organized by the University of Luneberg, Germany, October 3 – 5, 2013). Dr. Nishant Shah participated in a panel discussion with Wendy Chun, Tom Levine and Geert Lovink, around 'The End of Bibliographies: New Media and Research'. Nishant also participated as a panelist in a panel discussion on 'Open Up: Pragmatism and Politics of Open Access': http://bit.ly/1f9LCOH.
Digitalization of Culture (organized by Leuphana University, Luneberg, October 8, 2013). Dr. Nishant Shah did an introduction keynote to 1600 undergraduate students. A video of the lecture can be accessed here: http://bit.ly/1enWQPv.
RENEW: The 5th International Conference on the Histories of Media Art, Science and Technology (hosted by RIXC Centre for New Media Culture in Riga in partnership with the Art Academy of Latvia, Stockholm School of Economics in Riga and Danube University’s Center for Image Science, October 8 - 11, 2013). Dr. Nishant Shah was a part of the selection committee for the conference and chaired a session on Network Art on October 9: http://bit.ly/17e41aJ.

Blog Entry

A Hitchhikers Guide to the Cyberspace (by Anirudh Sridhar, October 4, 2013): http://bit.ly/1ga8yfH.

Knowledge Repository on Internet Access

CIS in partnership with the Ford Foundation is executing a project to create a knowledge repository on Internet and society. This repository will comprise content targeted primarily at civil society with a view to enabling their informed participation in the Indian Internet and ICT policy space. The repository is available at the Internet Institute website: http://bit.ly/1iQT2UB.

Modules

World Intellectual Property Organisation (by Anirudh Sridhar and Snehashish Ghosh, October 31, 2013). WIPO is a specialized agency of the United Nations which deals with issues related to intellectual property rights throughout the world. Find out more at http://bit.ly/17a8WEk.
An Interview on Internet Governance with Professor Milton Mueller and Jeremy Malcolm (by Anirudh Sridhar, October 31, 2013). Professor Milton Mueller from the Syracuse University School of Information and Jeremy Malcolm, an Information Technology and Intellectual Property Lawyer, spoke about current issues and debates surrounding internet governance: http://bit.ly/17ix3Ro.

About CIS
The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

Follow us elsewhere

Twitter: https://twitter.com/CISA2K

Facebook group: https://www.facebook.com/cisa2k

Visit us at: https://meta.wikimedia.org/wiki/India_Access_To_Knowledge

E-mail: a2k@cis-india.org

Support Us
Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration:
We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org. To discuss collaborations on Indic language wikipedia, write to T. Vishnu Vardhan, Programme Director, A2K, at vishnu@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/october-2013-bulletin

Civil society and Internet Governance: practices from Southeast Asia and beyond

praskrishna — 2013-11-19T09:29:44Z

On 21 October, the day before the opening of the 2013 Internet Governance Forum in Indonesia, Hivos’ Southeast Asia Regional Office co-organised a pre-event workshop with ID-CONFIG, “Civil Society and Internet Governance: Multi-Stakeholder Engagement Practices from Southeast Asia and Beyond,” at the Bali Nusa Dua Convention Centre.

Click to read the original published by Hivos on October 31.

Recognising that the IGF has been a global project for the past eight years, the workshop provided a critical perspective to the forum’s impact on local civil society organisations. In the past, the IGF has been criticised for focusing on policy-level IG debates that lack grassroots, on-the-ground applications. Additionally, it is has been challenged to demonstrate the relevance of IG policies for civil society organisations, which frequently have limited understanding of and involvement in the issue.

By drawing empirical case studies from different regions of Asia, the aim of the workshop was to help civil society organisations find a relevant role in IG and explore how IG frameworks with a focus on the role of civil society can be applied in developing regions to uphold the right of citizens to express themselves through the Internet.

Five speakers discussed the intersections between Internet Freedom and Internet Governance: Arthit Suriyawongkul (Thai Netizen Network, Thailand), Shahzad Ahmad (Bytes 4 All, Pakistan), Donny Budhi Utoyo (ICTWatch, Indonesia), Lobsang Gyatso Sither (Tibet Action Institute), and Pranesh Prakash (Center for Internet and Society, India). Attended by approximately 70 participants, the discussions revolved around the varying feasibility of a multi-stakeholder platform in different political contexts.

The speakers represent civil society organisations in vastly different political environments in South Asia, Southeast Asia and East Asia. They all continuously pointed out how emerging democratic movements are often counterbalanced by political power concentrated in existing state institutions. In such state-centric Internet Governance contexts, civil society organisations are often pitted against official censorship and filtering attempts. While speakers from relatively more democratic countries, namely India and Indonesia, showcased examples of how civil society organisations have engaged the government in Internet policy-making, those from Thailand and Pakistan illustrated the need for a strong litigation capacity for public interests in order to defend citizens from state infringement of their rights. At the other end of the spectrum, Gyatso Sither emphasised the importance of safeguarding Tibetan activists in the homeland and in the diaspora from surveillance by the Chinese state, whose latest strategies have included interceptions, targeted malware, and cyber attacks.

Nonetheless, civil society organisations are uniquely placed to engage both government agencies, as providers of regulatory frameworks, and the private sector, as the primary provider of ICT infrastructure, to demand equitable access to the Internet and maintain the freedom to expression online. Through an ideal multi-stakeholder framework, civil society organisations can empower communities by strategically using ICT to uphold transparency and accountability.

For more details visit https://cis-india.org/news/hivos-october-31-2013-civil-society-and-internet-governance-practices-southeast-asia-and-beyond

Taking Stock: Emerging Issues - Internet Surveillance

praskrishna — 2013-11-09T06:31:57Z

This session was held at the IGF in Bali on October 25. Pranesh Prakash made intervention in this session.

Read the original transcript published on the IGF website here.

The following is the output of the real-time captioning taken during the Eigth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

>> MARKUS KUMMER: Good morning, ladies and gentlemen. Please take your seat. We are about to start our session on surveillance. We are organising ourselves a bit on the fly. The room is already set for the Closing Ceremony this afternoon, but this makes a little bit of a distant feeling. We're up here and you're far away and there are not that many people in the room so what we intend to do is to move down from the podium for the discussion. We've already set up the Chairs on the first row where the panelists will sit and interact with the audience to make it a little bit more often interactive and positive atmosphere for discussion.

We have originally we have reserved 90 minutes for this session but then we thought maybe more time will be needed so we can move on. We have 3 hours at our disposal but we don't need to fill the three hours. If we run out of steam we can conclude earlier, as some people have indicated already that they have to be leaving, so we take it improvise a little bit. But please leave free the very first, as we intend to move down there.

Before asking our Session Chair to introduce the meeting, I'll make a few preliminary remarks, and I would also like to ask the Secretariat to put up the policy questions.

We have had a process when the mandate of the IGF was renewed to look at IGF improvements. There was a special Working Group set up and the Working Group made recommendations and one of the recommendations was that each situation should address some policy questions that would help shape the discussion, and we would also ask to reach out to the community and we did so. We asked for public input and we got the input and these policy questions we received are available on the IGF website, and they will be made available on the screen.

But for better comprehension, I will read them out and our moderators will bear them in mind.

Okay. On Internet surveillance, the first question was the need to prevent mass surveillance carried out in the guise of targeted surveillance. The second question was balancing cybersecurity and privacy. The third question, principles of open Internet/net neutrality.

Fourth question: One of the emerging issues is on Internet regulation. Regulation versus self‑regulation where the Internet is concerned. How can countries that have questions on Internet regulation versus self‑regulation be aided to work on a level playing field that assist the best industry practices being adopted, best practices that make the Internet and thus countries and institutions safer from harm.

Fifth question: Better channels of cooperation between stakeholders especially in areas such as cybersecurity. 6, agreement on fundamental minimum principles for Internet Governance and multistakeholder cooperation.

7, priorities for the IGF, the Internet community, and multistakeholder governance post‑2015.

And with that I hand over to our session Chair, Dr. Setyanto Santosa, you have the Chair.

>> SETYANTO SANTOSA: Thank you. Good morning, everybody. I hope you enjoy the dinner last night. You can also look at the Balinese dancers, the modern dancer and also the original Balinese dancers.

10 years ago I was the permanent Secretary of the Ministry of Tourism and culture. At that time we had Indonesian tourism. The result was at the time surprise me when a question to the foreign tourists deliver most of them said that what actually the question is what actually was is the strength of Indonesian tourism?

They said, the people. And then following the second question, which part of the people that make you attractive? They say the smile. So at the time, I just realized that Indonesia is a country with the highest smile per capita in the world. And you prove already the last 6 days and you can find the Indonesian people with a smile.

So with this introduction, I don't take much time and the issue also very attractive is as Markus just mentioned, regarding the emerging issues.

So I look to deliver the floor to our moderator. So please, Madam.

>> MARKUS KUMMER: Please introduce yourself.

>> ANNE-RACHEL INNE: Thank you, Markus. Thank you, Mr. Chairman. Good morning, ladies and gentlemen. My name is Anne‑Rachel Inne, the Chief Operations Officer the AfriNIC, the Internet registry for the African region, so we're happy to be here. I will let Jovan introduce himself later on when he takes the floor.

We're happy to be here with you today to moderate this session on emerging issues. As panelists we will have this morning Scott Busby, the Director of Office of Multilateral and Global Affairs in the Bureau of Democracy, Rights and Labor at the United States State Department. Then we will have Ross LaJeunesse. He's the global head, free expression and international policy. The then we're having Jari Arkko, who is an expert on Internet architecture with Ericsson Research, and also the Chair of the Internet Engineering Task Force, which is IETF.

And then we have Johann Hallenborg from the Swedish Government. And our last and not least panelist will be Joana Varon. I'll pass to Jovan now. We actually will have commentators. When we finish presentations here, we'll come down to the floor so that everybody will be seated and we'll hopefully have a more convivial atmosphere than talking down to you there.

We'll have commenters from the floor, Bertrand de La Chapelle, the head of Internet and jurisdiction process in France. We will have Megi Margioyono from Civil Society. Nick Ashton‑Hart from CCIA from Switzerland, and Ambassador Fonseca from Brazil. So thank you very much for joining us all, and I'll pass on to Jovan now.

>> JOVAN KURBALIJA: Thank you, Anne‑Rachel. I'm the Director of DiploFoundation, a Swiss Foundation working on inclusive and effective diplomacy and global governance. First of all, I would like to thank Raul Echeberria and the group that he led which propose this topic to be discussed at the emerging session. And as we know, this topic has already emerged on the various diplomatic agendas worldwide. Therefore it is quite important issues to be addressed during the Internet Governance Forum.

It also is the proof of the relevance of the Internet Governance Forum in talking about issues which are of high importance for international community in general and Internet community in particular. Markus already outlined the main questions that were discussed in the preparation for the session and they will be some sort of architecture of our session.

We will tackle these questions in five main baskets and we'll organise five main baskets in 20 minutes time slot. The first basket will be on the question of infrastructure and basic functionality of the Internet, and we'll have expertise in each basket, both on the floor and in the room.

The second basket will deal with the Human Rights issues, question of privacy protection and the other Human Rights issues related to the Internet surveillance.

The third basket will focus on security, and the situations when surveillance is justified and under what conditions.

Fourth basket will deal with Data Protection and the economic model.

And fifth, the last basket, will wrap up the discussion within the general framework of Internet Governance Forum which is ethics. We will address the question of trust on the Internet and impact of Internet surveillance on trust.

The underlying issues which will be appearing in our discussion are issues of the law enforcement procedures and international law. Therefore, this is a general infrastructure and we plan to proceed with 20 minutes dedicated to each basket after we hear from our panelists introductory remarks, which they will also relate to these five main issues.

I think this is the general entry I would like to invite Scott Busby to provide his introductory remarks on the question of Internet surveillance. Scott, please.

>> SCOTT BUSBY: Thank you, Jovan. Well, I'm very happy to be here as all of us from the United States Government are. We had some drama in our country with our Government shutdown, which put in doubt whether or not we would be able to come here. And I'm pleased to say that even had the shutdown continued through this week, we had approval from the White House and other senior officials in our Government for us to attend the IGF because we recognize how important this Forum is to our own policy, as well as the overall policies relating to the Internet.

The United States comes to the Internet Governance Forum every year to stand by our commitment to an open, interoperable and secure Internet. We recognize the importance of the issue of surveillance to the international community, and are grateful for this opportunity to engage with all of you here today on it.

As President Obama has said, the United States welcomes a discussion about privacy and security, and we are right now intensively having that discussion in the United States, as well with all of you in the international community.

We know that many of you, as well as many people in the world, have questions and concerns stemming from the recent reports about alleged U.S. intelligence practices, and we look forward to engaging with you today on them.

When it comes to those practices, I can say that the United States gathers intelligence of the type gathered by all nations. All Governments are involved in efforts to protect their countries from real threats and harm, and all Governments collect information concerning such threats. As we undertake those practices, we remain committed to protecting the American people, as well as our friends in the international community, and those friends include not only Governments, but the private sector and Civil Society.

This commitment relies on robust intelligence capabilities to identify threats to our National interests, and to advance our foreign policy, which includes our commitment to Human Rights. At the same time, we also acknowledge that such intelligence efforts must be fully informed by our international commitments, our Democratic principles, our respect for Human Rights, and the privacy concerns of people around the world.

Consistent with the terms of open debate and the democratic process, President Obama has initiated an effort to review and reform our intelligence practices, and ensure that they are appropriate in light of our commitments and our principles. In terms of reform, the President has already ordered the Director of National intelligence to declassify and make public as much information as possible about certain sensitive intelligence collection programmes undertaken under the authority of the Foreign Intelligence Surveillance Act, otherwise known as FISA. Numerous documents including decisions if the Foreign Intelligence Surveillance Court have been released as part of this effort.

Furthermore, the President has appointed a group of outside experts to advise him on how, in light of advancements in technology, the United States can employ its technical collection capabilities in a way that optimally protects our National Security, and advances our foreign policy, while taking into account other policy considerations, such as our commitment to privacy and to Civil Liberties.

This group has begun its work and is expected to produce its recommendations by the end of this year. We look forward to those recommendations.

Consistent with our normal practice of not commenting on specific allegations of intelligence activities, I cannot say more than this about such allegations. But I can say a few things generally about our commitment to Human Rights and to an open Internet.

First, I would like to emphasize that the United States does not use intelligence collection for the purpose of repressing the citizens of any country for any reason, including their political, religious, or other beliefs. Thus, for instance, we do not use our intelligence capabilities to persecute anyone for ideas that they express online.

Let me also assure you that the United States takes privacy seriously, both that of Americans and of individuals around the world. That commitment to privacy is reaffirmed in the President's international strategy for cyberspace, which states that, quote, individuals should be protected from arbitrary or unlawful State interference with their privacy when they use the Internet, close quote.

As President Obama has recently said, America's not interested in spying on ordinary people. Our intelligence is focused, above all, on finding the information that's necessary to protect our people, and in many cases protect our allies, close quote.

Furthermore, the United States will continue to uphold its longstanding commitments to defend and advance Human Rights in our diplomacy. This includes preserving the consensus reflected in Human Rights Council Resolution 20/8, that the same rights people have online also apply offline. Sorry, rights that apply offline also apply online.

United States will also stay actively engaged in the Freedom Online Coalition, a group of 21 Governments that works with Civil Society and the private sector in a multistakeholder approach to support the ability of individuals to exercise their Human Rights and fundamental freedoms online. As several people have suggested over the course of this week, this Coalition may be a very good Forum in which to continue the discussion on balancing the need for security with Human Rights, and to identify an appropriate way ahead on these tough issues.

I will be hosting the next Ministerial meeting of the Coalition on April 28th and 29th in Tallinn. We will also continue to advance Internet freedom through our programmes. Since 2008, the United States has committed over $100 million to Internet freedom programmes around the world. We intend to maintain that robust level of support for such programmes. On Internet Governance, the United States remains steadfast in our support for a multistakeholder model that supports international trade and commerce, strengthens International security and fosters free expression and innovation. We strongly believe that proposals to centralize control over the Internet through a top‑down intergovernmental approach which is slow the pace of innovation and economic development and could lead to unprecedented control over what people say and do online. Such proposals play into the hands of repressive regimes that wish to legitimize inappropriate state control of content.

We also believe the current multistakeholder system should be strengthened and sustained, particularly through broader multistakeholder participation from the developing world. Through our programmes, we have sought to make such participation possible.

We are aware that some Governments seek to take advantage of the debate initiated by the recent disclosures to draw attention away from their repression of their citizens, or the need for democratic reforms in their countries. The acts of these Governments include for example arresting opponents for what they say or intimidating them into silence and stealing intellectual property for the benefit of their economies. We therefore want to emphasize how important it is not to let Governments that do not share a commitment to Human Rights and fairness to exploit the current debate to their benefit. We should not allow them to gloss over the very important differences between their Internet monitoring activities and those of countries like the United States that conduct intelligence activities to enable responsible state craft. We hope that the discussion today will reflect the fact that the issue of surveillance is a global one and will take into account the views and practices of everyone around the world. We intend to listen closely so that we can take account the many comments and recommendations from you and ensure that they are incorporated into our own Governmental deliberations. Thank you.

>> JOVAN KURBALIJA: Thank you, Scott. Our discussions will result in useful insights for the process that you indicated started in the United States and I will say reflections are going on all over the world as we will hear from the other interventions. Our next speaker is Ross LaJeunesse from Google, and we'll hear something more about the business perspective.

>> ROSS LaJEUNESSE: Thank you very much. It's a pleasure to be here. Am I all set to go? Oh, sorry.

Hi, I'm Ross LaJeunesse from Google, and it is a sincere pleasure to be here. There's been obviously a lot of discussion and debate about this issue, and that is of course a very good thing, and it's very necessary. But in order to have a discussion about this, a discussion based on reality and based on facts, I just want to start by providing a few clarifications so that we're all operating from the same understanding.

The first is that Google does not provide direct access for any Government to our data, our servers, our infrastructure and it never has. And you can use any term you like to try and describe that accusation, a back door, a side door, a trap door, anything like it, but the fact of the matter is that we simply don't do it.

We also don't accept large, blanket‑like Government requests for user data. We are subject to the law, so when we receive a Government request for user data, we look at each and every one of them very carefully. We have a team of lawyers at Google whose sole purpose is to do exactly that. They ensure that the request is valid, is legal, follows due process, and is as limited in scope as possible. And very often, we push back, and we sometimes refuse to comply. And you can see this if you go to our transparency report online, which lists the number of Government requests we receive, how many of them we comply with, and we do that around the world wherever we have services.

Now, on the issue of transparency, we believe this is a critical element to the debate. And we're not newcomers to this issue. We've published our first transparency report. We're the first country, first company, in the world to do so about three years ago, because we recognized long before the Snowden revelations that this is a critical part of our responsibility to our users.

Every 6 months we release an updated transparency report that is better and more granular and I'm glad to see that now many companies are doing the same. We're continuing this work by working with NGOs around the world to publish National transparency reports and we've released one in Estonia this year and we've highlighted another in Hong Kong and that work will continue.

So transparency of course isn't a cure‑all but we really believe you can't have a meaningful debate on the path forward, you can't have a debate on this issue, if you don't have the facts, which is why we're suing the U.S. Government right now to get them to reveal more information about the number of National Security requests and demands that they make on companies, and we're also on a separate track supporting key legislation in the United States Congress sponsored by Senator Franken and another Bill by Representative Lofgren to do the same thing.

Now, I want to emphasize that it would be much easier for us and much easier for any company to simply comply with Government requests for user data. But we don't. And we don't do that because we're a company built on the idea that if you put your user first, everything else will follow. We don't do that because we take our responsibility to our users very seriously, and that's both a matter of principle and a matter of good business.

We're very aware that if our users don't trust us, they won't use our products, and they'll go somewhere else. So again, this debate is good and absolutely necessary, but I also want to echo a point made by Scott and made by Mike Harris at the Index on Censorship, which is this: I'm all for holding the United States Government and Western countries to the highest of standards. We need to do that. But I don't want us to do that at the expense of not focusing on other countries, countries where their surveillance programmes are just as bad or worse. Countries where journalists are beaten, bloggers are imprisoned and activists are killed.

The Expression Online Initiative just released a very important report on Azerbaijan where we held last year's IGF and how horrible things have gotten there over the past year. So I'm all for this discussion about the alleged hypocrisy of the United States and Western Governments but let's not do so in a way that discounts or damages the ability of those Governments to continue their otherwise excellent work which they've long done in supporting Internet and journalist freedom, in supporting Human Rights around the world, and let's not attack them to the point where it undercuts their very important support for the multistakeholder model of Internet Governance. Thanks very much.

>> JOVAN KURBALIJA: Thank you, Ross. Our next speaker is Jari Arkko from IETF from Finland but currently Chairing IETF. Jari, please.

>> JARI ARKKO: Thank you. And thank you for the opportunity to talk, and also this is my first IGF and I really enjoyed all the discussions this week so thank you all for that, on this topic and many other topics.

And then onto this topic so obviously, the Internet community, all of us here, care deeply about how much we trust the commonly used Internet services and products that all these services are based on so the reports about large scale monitoring obviously disturb us.

Interception of targeted individuals and intelligence activities have of course been well known but I think many people are concerned about the scale. And if Internet technology itself is vulnerable to wholesale monitoring, that is also a big concern, and we take that very seriously at the IETF, as the people at least partially in charge of technical aspects of the Internet.

But I wanted to put these events in perspective. Maybe you can consider this talk as the "do not panic" message. These are hard times but we can also work on the problem, and we should.

The first observation that I would make is that surveillance is probably a wider problem in the world than what you would believe just by reading the most recent newspaper headlines. If you live in a glass house, be careful of throwing stones, and if it weren't true before, I'm sure there are many intelligence agencies in the world who have a bad case of NSA envy today.

Secondly, surveillance is not a new issue. Even we at the IETF have had to deal with some issues around that historically. In 1994, we articulated the view that encryption is an important tool to protect the privacy of communications, but at the time, big parts of the world considered encryption a dangerous tool and wanted to limit its availability.

In 2002 we decided that the IETF standard protocols must include appropriate strong security mechanisms. At the time various nations wanted to employ weaker security mechanisms. Now we are facing a new situation and once again Internet technology needs to evolve to match today's challenges.

We need to deprecate the encryptions that are considered weak and that is by the way something we do all the time with new information from research community and others. We also need to consider a bigger update to the security of the Internet. On Tuesday I talked about the by default security model. Maybe that's something we can pursue but technology alone is obviously not a solution. Even if we had a perfect communications security system, you would still need to trust the entity you're communicating with.

If the peer leaks your conversation it was not helpful. So let me talk a little bit about some of the other areas of work where some things might be useful.

First, network operations and buildout. We've seen some proposals to build more Internet exchange points and add more connectivity. Those are excellent things for many reasons. They will keep traffic more local. They will increase speed, lower costs and enable local Internet businesses to grow but an Internet that is more densely connected is a good thing.

Second, the open source community. Open source solutions are useful to assure ourselves about the reliability of our tools, whatever they might be. On some areas it may be that we should actually consider doing more than we have than so far so let us all support additional efforts in this area.

And there's more. Research community and analysis of security vulnerabilities, the attention on the matter will surely make it possible to have political and legal discussions. Maybe the transparency we just talked about, that's a good thing.

Finally, I wanted to say that I really do wish that we keep the ideals of the Internet clear in all of our minds, and not compromise them. We still need a global and open Internet, one where we can all work together across borders, with us not fragmenting the Internet and we still need an Internet that is open to innovation and new applications without asking for anybody's permission to create those conversations. And we still need an Internet that is managed and expanded. Thank you.

>> JOVAN KURBALIJA: Thank you, Jari, for this brief introduction. You give us more time for discussion later on. And our next speaker is Johann Hallenborg from the Swedish Government. Johann, please.

>> JOHANN HALLENBORG: Thank you very much. My name is Johann. I work with the Department of International law and Human Rights at the Foreign Ministry in Stockholm. Thank you very much for inviting us and me to this panel. We're happy to accept. We've been engaging with the IGF for many years, and we continue to really support this important institution.

And the reason why we're engaging is partly because we believe that the integration of a Human Rights perspective in the discussions on Internet and Internet's future is crucial. So that is part of the reasons why we're engaging so much in the IGF.

So the ultimate goal is actually to make sure that the promise on securing Human Rights online as well as offline is realized. We cannot forget that last year, we had an affirmation by consensus in the UN in the Resolution 28 that Human Rights, they do apply in the offline environment ‑‑ online environment, as well as offline.

This was also something that the entire community agreed to. The Resolution was put forward by Sweden, the U.S., Brazil, Tunisia, Turkey, and Nigeria, and it received support by 87 co‑sponsors, and then adoption by consensus. We need to remember that this is a great success, and we need to make this reality.

Governments have a duty to respect and protect Human Rights. This is a central part of our obligations. And security is needed to secure individuals' rights and freedoms and also ultimately it is to protect the open and democratic societies in which we live.

But it's important to remember that there is no tradeoff between Human Rights and security. It is not about balancing. It is about securing the respect for Human Rights, but doing it in a way that is secure.

In providing security, the Government will address several aspects. One important aspect is certainly to protect rights and freedoms of individuals from abuse of others. But equally important is to ensure the State itself does not violate rights and freedoms, in other words setting the limits for State power.

This is why the rule of law is so critically important. The Constitutional framework includes rules on legality, transparency and accountability and provides the fundamentals for what the State can do, to what extent it can utilize its powers in order to secure the well being of people.

In providing security, access to electronic communication has become an important tool for law enforcement agencies to combat crime, and for security agencies to improve security to the public. Swedish legislation makes a distinct separation between surveillance of electronic communication by law enforcement agencies on the one hand, and intelligence collection by security agencies on the other.

This separation is critical since the operational mandates and objectives for law enforcement and security agencies are indeed very different. We are now at the point in time where trust in the Internet is challenged. Therefore, to Governments all over the world, it's crucial to strengthen the relationship with Civil Society and the trust with people. Governments simply cannot afford to lose legitimacy.

But to strengthen trust, we must reinforce the principles of rule of law, transparency, and also respect for Human Rights. This is done through a deeper dialogue with all stakeholders. Therefore, initiatives that come out of the Civil Society are important, and should be taken seriously.

The necessary and proportionate principles, they represent such an important initiative, and it deserves attention from us. Therefore, in recent months, we have arranged two consultations in Geneva and in New York with the International Civil Society Steering Committee and other Governments on these issues and principles. And as a result, foreign Minister Carl Bildt at the recent Seoul Conference on Cyberspace last week presented several fundamental principles that should apply to maintain respect for Human Rights when carrying out surveillance of electronic communications and these 7 principles, they are about legality, legitimate aim, necessity and adequacy, proportionality, judicial authority, transparency, and public oversight.

This is now the foundation where we would like to continue the discussions with all. We welcome a continued deeper dialogue with all stakeholders, and we're willing to engage with you. One such example is the work in the Freedom Online Coalition in which we will continue to engage deeply.

I conclude here, Mr. Chairman. Thank you very much for giving me the word.

>> JOVAN KURBALIJA: Thank you, Johann. I just realized we breached the diplomatic protocol by putting Joana at the end of the table. Joana Varon from Brazil, please go on.

>> JOANA VARON: Thank you for the invitation. Thank you all of you for being here, hearing us and discussing. What I want to highlight here is that the emerging details of the U.S. National Security Agency, mass surveillance programmes have painted a picture of pervasive mass cross‑border surveillance of unprecedented reach and scope, and a scope that's far wider than any reason that could be related to the enforcement of National Security, nothing to do with real threats or harms.

The scope of approved surveillance was broad as it involved tapping communications of the President of countries like Brazil, which could be considered a friendly nation, and as wide as it assessed sensitive strategic business communications, such as communications from our Royal company. This scenario is not only unacceptable for leaders of states but for all Human Rights defenders. It doesn't matter if this data was used or not. The simple collection of our data and our metadata already represents a complete disrespect to the privacy rights from citizens from all over the world and a disrespect of the provisions internationally agreed on international conventions and Treaties addressing fundamental Human Rights.

And it's also a bit hypocritical as all this surveillance was performed by countries that used to pose themselves as defenders for an open and free Internet, and I'm not saying that in order to promote any polarization between different countries that could be posed as good or evil, but I'm saying that to highlight the need that every country shall assume that we still need to work a lot in order to ensure that Human Rights are protected online and offline.

Significant changes are indeed needed. The scenario that we live now is the scenario in which trust among Governments and in the major ICT and Telecom companies is completely broken but it's time to move forward and I agree with the table here, and we need to think about solutions and engage on how to implement them.

As a response to this scenario, I'm happy to see that Brazil has been proactive and has been taking actions in many different levels, as a Brazilian, I'm happy with that. International scenario we have declared urgency to approve Marco Civil, our Civil Rights based framework for the Internet. Inspired by principles suggested through a multistakeholder mechanism incorporated by or promoted by our Internet Steering Committee, Marco Civil, as it's written today, became a model in terms of both content and process, as it was developed through a wide inclusive process of online and offline consultations and resulted in a draft that protects privacy, freedom of expression, and other digital rights. I think we could all learn about this process to think in international scenario, as well.

Also in the National scenario thinking about long‑term solutions, Brazil is now promoting incentives for research, development, and innovation of our ICT Sector. And particularly for building a mail service with encryption by design. But of course, the Internet is global and is meant to remain global, and we would not address this issue only with National policies.

So what I want to highlight here is that the actions taken at the international scenario. So besides delivering a very strong statement at the UN General Assembly, which highlighted all the principles from CGI.br and all the principles that are now drafted in Marco Civil and which are committed to Human Rights, our President now has proposed for us to engage in a multistakeholder fashion, and to develop a Summit, a Summit that in my view shall be bounded by the principles addressed by the President in her statement at the UN General Assembly.

And this could be an opportunity to address all those issues, and I believe that these issues on surveillance should be addressed in both ways, changing the way the companies are operating in order to ensure transparency, but also protection of these users, for instance, by promoting encryption by design, but on the other hand, states should review their practices.

It's good that the U.S. is willing to reform its intelligence practices, so I take this opportunity to ask the U.S. Government to refer and analyze the International Principles on the Application of Human Rights to Communications Surveillance which have been endorsed to date by over 280 international organisations, and represent an attempt to highlight and address some of these concerns.

These principles provide a framework in which to assess whether surveillance laws and practices are consistent with Human Rights standards in the current digital environment. As Johann has related, they focus on legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, and due process. They also consider user notification, transparency, and public oversight.

I welcome the initiative from the Swedish Government to consider these principles, and invite other Governments from all over the world to do the same. As I've mentioned, it's time to reassess our practices in order to be sure they're drawing respect for Human Rights with a deep dialogue with all the States that care for the Internet. Thank you.

>> JOVAN KURBALIJA: Thank you, Joana. Thank you panelists for the initial intervention and I think the underlying point is that we can recognize and all panelists recognize the severity of the problem and the need for some action and solution as soon as possible, because it is affecting activities of Governments, business Sector and all Internet users, and there were a few underlying and interesting points that could trigger some discussion in your reflections.

As Scott mentioned, there is a need to observe international law and the existing rules. There is a need to achieve certain balancing acts between the security and Human Rights but we had later on slightly different view from Johann had it's possible to have win‑win solution and not necessarily to create the balancing act and that could be an interesting point of discussion between about balancing act between security and Human Rights.

Ross rightly indicated the need for evidence based policy making, moving from the general reflections to evidence based on the concrete issues, and transparency. Jari highlighted the importance of not only technological but also policy solutions. Technology is not enough.

Johann also indicated the importance of rule of law, institutional separation between electronic communication agency, if I'm correct, and intelligence agencies. Therefore, this is one aspect that we should tackle today, procedural checks and balances as a structural design that could help us to avoid this situation in the future.

And Joana listed an excellent summary on Human Rights, question of necessity ‑‑ necessary and proportional reaction, and the question of using existing international legal tools. And this is important. We have existing international tool that could be applied to this field, including International Covenant on the Civil and Political Rights, and it was clearly indicated throughout the discussion and it is position of all major players, including the United States, that existing international rules should be observed.

With this quick wrapup and ideas for discussion I pass the floor to Anne‑Rachel.

>> ANNE-RACHEL INNE: Thank you very much, Jovan. I think we're going to go directly to our commenters from the floor, so I am going to give the floor to Ambassador Benedicto Fonseca Filho from Brazil to respond to some of the ‑‑ do we have microphones somewhere?

>> JOVAN KURBALIJA: A microphone is coming, yes.

>> ANNE-RACHEL INNE: Thank you.

>> BENEDICTO FONSECA FILHO: Thank you very much. I'd like to start by doing something that usually we do in intergovernmental setting at the UN. For example, I served at the UN a few years ago, and we used to initiate our talk by saying we align our statement with the statement that was delivered before by some Regional Group or some larger setting so I'd like maybe to innovate in the context of IGF, and say that I'd like to align my statement with the one that was delivered by Joana Varon on behalf of Civil Society because I think she expressed in a very clear way most of the things I was prepared to say, and so she made my life much easier, so I'd like to align my statement to what she has expressed and also to a large extent as well to what has been stated by the representative of Sweden, we share also the view that it is not inconsistent to pursue Human Rights dimension and examine the surveillance context and the disclosures in the context of enhancing the Human Rights dimension. It's not inconsistent with the fact that we all and some of us we are very firmly committed to Human Rights.

We are not diverting the discussion. We are not ignoring that this discussion could serve the purposes which are not our own, but at the same time, we do not think it is ‑‑ it would be a good thing to, because of this, to ignore the situation, try to improve on the situation we have.

So the 7 principles that were spelled out by Minister Carl Bildt at the Seoul Conference also I'd say very much express the kind of approach we'd like to take in that regard.

Having said that, and referring to the speech that was delivered by our President at the United Nations, at the opening of the general debate of this year's United Nations General Assembly, I'd like to highlight that the protection of Human Rights, privacy, freedom of expression ‑‑ women's rights, and it's those two specific manifestations, are at the core of the concern of President Dilma. She has clearly indicated that from the Brazilian perspective, there is a clear need that at the international level we should devise and launch a process that would lead us as international community to achieve principles and norms that would guide use and operation of Internet. And these should be guided by a vision inspired by the multistakeholderism approach, and also be firmly grounded on Human Rights and other principles she spelled out.

So we see no inconsistency in pursuing these, and not taking into account the larger picture that we want to be very careful about.

And in that sense, it is very important as has been highlighted by Joana, that we view the Summit, we intend to hold in Brazil, as a follow‑up of the speech that was presented by President Dilma and of course we came to this setting, our Minister of Communication came here, and he was mandated by the President to further discussion and collect views, and I would say that without deviating from our main subject, that the Summit in Brazil today will also incorporate other dimensions of discussion, not only focusing on principles and norms, but this is indeed one of the very clear parameters for us for the meeting that will enable to engage in other aspects of the discussion as a result of the consultations we have held here.

But the clear focus on the necessity as international community working in a multistakeholder environment to develop principles and norms is clearly one of the main objectives we have in mind.

And if I can just clarify one point that has been the object of some misunderstanding in the course of this meeting, when President Dilma delivered her speech at the UN, she referred to a multilateral framework, civil framework, with the support, full support and full involvement of Civil Society, private sector and other stakeholders, and later on when we came to this meeting, our Minister was in contact with her, and as a result of the information he provided, she made clear that she meant what she really meant was referring to multistakeholder, not only multilateral.

And I was just reviewing the news from Brazil, and I saw that yesterday, President Dilma referred again to this, and again she used the word "multilateral," so I know this in the heads of Many people will maybe lead to a confusing reflection on the situation, and say: Well, Brazil is a swing state. Doesn't know if it wants to be multilateral, multistakeholder, or what is the situation.

What I would say, that even, first of all, President Dilma, she has interpreted what she has said, and we maintain there's no contradiction what she said in those circumstances. From the point of your Government, and this is a very important thing that has been discussed here in some panels, that we should be very careful about the concept, the language we use.

Sometimes from the point of view of Government, when the word "multilateral" is used, what is meant primarily is that this is, we use in opposition to unilateral, more than meaning it's something to be done on a purely intergovernmental setting. I think this was the meaning she wanted to convey when she delivered the speech at the UN, that we want a framework that would be indeed done by many parties, not only reflecting the view of one single party or a restricted group of parties.

And she explained that this certainly does not convey the idea of excluding any stakeholder, so I would just maybe, and I apologize for taking so much time, but to clarify that we need maybe not to pay too much attention to particular statement on a particular setting, responding to a journalist that made some question, but having into account the larger picture, and the larger picture, the President interpreted as meaning "multistakeholder."

And when she mentioned the civil framework as a reference for her speech at the United Nations, she used the word, as Joana has spelled out, this was developed in a multistakeholder setting. The principles developed by the Commission are a multistakeholder way are clearly inspired President Dilma's speech, so when she was referring that we need international level such an instrument, clearly there is a linkage to the multistakeholder dimension, even if there is not the word there.

So I just want to caution that sometimes from the part of Government, at that level of leaders maybe we should not be too much vigilant about any particular word, but see the larger picture and what is the real intent.

So I just wanted to take this opportunity to thank all stakeholders we have been meeting in the course of this IGF on the part of Government, Civil Society, private sector. We have seen an overwhelming support for the idea to develop, to go in the direction that was indicated by ‑‑ proposed by President Dilma, but also building on contributions that will add to the process, and it was very stimulating for us to see that there is a willingness to mobilize different stakeholders, to come forward with proposals, to be involved in the preparation for this meeting that we intend to be truly multistakeholder from its outset from the agenda setting, from the kind of outcomes. And we see it as a contribution to the processes that are existing processes.

We wanted to be respectful of the existing process and not compete or overlap or supersede any of the existing processes that exist. And maybe a final word, that is Brazil is a very firm defendant of Human Rights. We have been as was spelled out at the core group that drafted these landmark Human Rights Council Resolution, that gave this very clear message that Human Rights offline should be also respected online.

We are ready to uphold Human Rights in many settings, and in settings that would be global, that would be constructive, that would lead to stimulate countries and provide for positive incentives for Human Rights to be upheld on a worldwide basis. Thank you. Thank you very much.

>> ANNE-RACHEL INNE: Thank you very much, Ambassador Fonseca. I'll go directly now to Bertrand.

We have remote interventions.

>> Yes, there are ‑‑

>> ANNE-RACHEL INNE: Hold on a second Bertrand. We're going to start with remote questions. Go ahead.

>> SUBI CHATURVEDI: Thank you, Anne. There are two questions from Peter Hellman, and we have interaction as well, so that's a wonderful thing. Peter has a question for the U.S. representative, and he wants to know: Does defending U.S. foreign policy interests include surveillance of the phones of heads of Governments, of countries that are friends of the USA?

And there is a question for the representative from Google: There have been reports that U.S. cloud business can expect loss of business from non‑U.S. customers in the coming 3 years to the tune of about 30 billion U.S. dollars and that the overall negative impact for the IT industry over the next three years could be up to 180 billion U.S. dollars because of a loss of trust. What do you intend to do to restore that trust so that people feel that they can trust cloud providers to keep their data private and secure?

The Tweet also relates to the same theme of proportionate and necessary steps that governments can take on the theme of surveillance vis‑a‑vis security.

>> ANNE-RACHEL INNE: Thanks so much, Subi. So now we'll go to Bertrand while our panelists can reflect on what they want to say later. Thank you.

>> BERTRAND DE LA CHAPELLE: Thank you, Anne‑Rachel. Again I'm Bertrand de la Chapelle, the Director of the Internet and Jurisdiction Project. And following the discussion before, I wanted to highlight that this debate on surveillance actually can be placed in a larger framework of issues and I'd like to tackle quickly three. The first word is "sovereignty."

What we're talking about here among others things is the exercise of sovereignty in the digital age. The traditional exercise of sovereignty is on the National territory. And the advent of the Internet is introducing an incredible new capacity for National decisions for better or worse to have a transboundary impact on other ‑‑ on citizens of other countries. The fact that operators are based in one country allows by definition in any country the authorities of that country to exercise sovereignty on those operators and impact decisions that have consequences for actors on another territory.

This is a potential extraterritorial extension of sovereignty, and it reduces and balances among the different countries depending on the number of actors located on their soil.

But the reverse is true, as well. Following what has been named the recent events and the revelation of the Snowden affair, a large number of actors and countries in particular have taken positions in reaction in order to defend their sovereignty and have pushed forward for instance the notion of data sovereignty, requiring or intending to require the location of the data regarding their citizens on the territory.

This is a reintroduction potentially of physical frontiers in a certain way, in a technical infrastructure that was intended from the onset as a cross‑border architecture, not necessarily a completely borderless but a cross‑border architecture.

This is a challenge because the traditional notion of the international system is based on the separation of sovereignties and most international organisations are based on the principle of non‑interference in the affairs of some other country. The current situation is challenging this, and is putting in front of Governments an incredible challenge, which is: How do you cooperate to manage shared online spaces? That's the first point. This is a new type of challenge.

The second word that I would like to highlight, and this goes to what Joana was mentioning, is the notion of due process, of fair process, or any kind of element that ensures that the procedures for issues related to surveillance but also to law enforcement related to freedom of expression, privacy and so on, any kind of process that deals with Human Rights and the rights of citizens and Internet users have to be done according to a set of rules that are fair and en sure due process.

This is particularly difficult when you deal with transborder relations. When something is done in one country across the Internet and you have to obtain data, take down content, have to ask for the removal of a website. There is currently a lack of procedures to handle this and fair process mechanisms to handle the relationship between states, platforms, end users in a fair process manner across borders. And this question is reflection also of what happens here in this debate on surveillance because what we've been talking about is the implementation fair process, oversight, and that's the main issue. Because principles in themselves are not sufficient to ensure the protection of Human Rights. They are necessary but not sufficient.

If the procedures are not appropriate, if the National frameworks are not sufficiently protective, it is not enough. And even when the framework is present, the actual implementation of the framework may be faulty sometimes. And oversight is an important element.

Finally, the third word that I would like to use is the law of unintended consequences. The trend that we're seeing today, in reaction to the recent events and the debate on surveillance, is a very troublesome one for everybody. The notion that in reaction and by legitimate concern regarding the protection of their citizens, Governments are thinking about establishing rules regarding so‑called data sovereignty is something that we should explore with extreme caution. There are extreme technical challenges to do this, and there is a great likelihood that if you want to sort in the databases of large global corporations which users are from one given country or located in one given country, you might end up having to do a larger breach of privacy than the protection you want to establish, or the things you want to correct.

And the second element, and this was very present in a meeting that we organised in Delhi in the Internet jurisdiction project where the industry in India, not the foreign companies, the industry in India, was explicitly saying to the government, be careful what you wish for., because if the principle of data sovereignty is pushed too far you're harming the potential of the local industry to be an actor, a major actor, in the global cloud business.

So without elaborating, the challenge is we are in a situation where because there is no sufficient international frameworks for discussion, among the different stakeholders on those issues of sovereignty in the digital age, and due process, we run the risk of having a large number of uncoordinated actions by different Governments and different private actors that will look perfectly natural as a first step, but what was a communative effect will be harmful to everyone, which leads me to this my conclusion which is this meeting of the IGF has proved beyond doubt the benefit of addressing those issues in a multistakeholder format.

The fact that the whole environment has triggered an event that is likely to take place in Brazil is providing an opportunity to address some of those issues, and to probably hold a little on some of the National decisions that are under discussions until there is a certainty that the communative effect is not harmful. The Brazil meeting will be important. There are other processes. The meeting of the Freedom Online Coalition has been mentioned. There's been a great effort and I'm sure somebody in the audience will refer to on a set of principles called necessary and proportionate. There are not enough but that will certainly be part of the discussion.

And I want to highlight a final element regarding the Council of Europe recommendation two years ago that established the principle of no transboundary harm, i.e., the responsibility of States from the decisions at the National level that may have an impact across borders.

So those elements are aspects that require a lot of caution in the individual actions that the different Governments are contemplating to make sure that they're collectively for the benefit of an open and unified Internet.

>> JOVAN KURBALIJA: Thank you, Bertrand. Before we continue with the other commentators and remote participants I'd like to invite Jari who has to leave in about 10 minutes to reflect on the discussion so far especially from the point of view of the infrastructure and basic functionality of the Internet. Please, Jari.

>> JARI ARKKO: Thank you. Apologies for being forced to leave. I had another commitment in another room in a moment. And of course, much of the discussion has been at the different level not so much about the infrastructure perhaps or the technical things. I wanted to highlight a couple of things I've heard in the discussion so far. I really wholeheartedly agree with Ross about a fact based approach to this. This is really crucial.

The other thing that is important that was highlighted by many people, or almost everyone, is transparency, and the rule of law. Those are very good things, and worthwhile to work towards.

And then I kind of wanted to return also to the important principle question, and many of you had these points, as well, to look after Human Rights, multistakeholder model, decentralized nature of the Internet, in particular the multistakeholder model is really key for us to have an open, well‑functioning Internet that balances the different concerns, and I with pleasure noted the comments from Ambassador Fonseca Filho and others on how important the multistakeholder model is and there's consensus at least here on multistakeholder being the way forward. And I think it was Johann who commented also that the Internet needs to stay global. That really is true.

Sort of the only thing that I gathered from all of the discussions so far that kind of relates to infrastructure or technical things was this possible demand for keeping data local and I just wanted to raise an issue from the technical community perspective that sometimes we may have conflicting desires or requirements, and we need to be careful what we wish for.

I think a blanket requirement for data to be local within a country would probably harm innovation in the Internet. Because if I'm a small enterprise that comes up with a great idea, and I will invite users from all over the world, I don't necessarily immediately have an ability to build out facilities all over the place. I need to be able to innovate without too much burden.

And this is just one example of the kinds of things that we may run into, but we need to be careful about setting too many demands on how the network actually runs. The management and buildout needs to be possible still, and cheap. That's a key, and the innovation needs to continue.

So those were the short remarks that I have at the moment.

>> JOVAN KURBALIJA: Thank you, Jari. You gave us quite comprehensive overview of the infrastructure and technical aspects of the Internet, and a few warnings that we don't go too far with some prescriptions but more guiding principles, and nudging towards useful solution and leave everything as to develop more spontaneously.

>> ANNE-RACHEL INNE: Thanks, Jovan, and thanks very much Jari for joining us so far. I know that Joana had another commitment. You're still okay? Great. Fantastic.

So I'm first going to go to the remote participation people, and then I will come back to Nick Ashton‑Hart.

>> SUBI CHATURVEDI: Thank you, Anne. There's a question from Monika Arnett, who is a freelance reporter and a journalist from Germany. And her question is to U.S. and Sweden representatives. She wishes to know: do the more mighty technical tools oblige us to fundamentally reconsider intelligence legislation? Because we otherwise face a state within the State which blinds public trust, oversight, erodes democratic control, and starts to possibly blackmail those elected to govern. Thank you.

>> ANNE-RACHEL INNE: Thanks, Subi. So up to Nick now. Thank you.

>> NICK ASHTON-HART: Thank you very much. The Computer and Communications Industry Association is made up of many of the Internet's more successful business to consumer companies, so of course we have a strong interest in this, though I would say that our comments stand on their own and our members including Google, who are here, have made their own statements, and you shouldn't conflate the two.

I think fundamentally we're facing a problem that is not technical or an Internet problem even though the Internet has made ‑‑ the tools of the Internet has made it possible and many aspects cannot be solved by legislating, especially at the National level, about the Internet, such as Johann put on hosting. We have a paradigm where we're common digital citizens but also common digital foreigners, by which I mean that in the analog past, our nationally protected rights of privacy were protected because each country could only post, frankly, so many cultural attaches in their foreign embassies before countries would say: No, that's too many spies. You have to get out.

So you could only spy in the analog world frankly on a fairly limited number of non‑nationals. Unfortunately now that situation is inverted and it is now ‑‑ the lack of any legal prohibition on countries spying on other countries' nationals means that we're all in some way fair game for an almost unlimited amount of surveillance by countries, except the one we live in.

And so in previous debates about ACTA in Europe, SOPA, PIPA in the United States, we saw a strong reaction against using the Internet in a way that was harmful to the Internet itself, to solve a specific issue for the benefit for stakeholder or stakeholders, and in a way we can argue we have the same dynamic here where technology is being employed by security services to facilitate information gathering with few limits, especially on non‑nationals, thanks to technology, yet at the same time, the Internet relays on trust. Without trust, people simply will use services less. They will say less. They will fear more.

And right now, we have a debate that is largely focused I think on negative incentives, characterized by a lack of trust, an increase of suspicion, and a fairly continuous stream of revelations which I think we all realize will continue for quite some time. It's understandable that this would generate a lot of unhappiness.

But I think it also obscures a few fundamental things that we share in common, which is that we all would want to trust the online world more rather than less for social and for commercial purposes, that the further development and spread of the Internet, for those who have yet to go online, which is more than half the human family, is a shared goal, so efforts which make that more expensive or more difficult are not welcome.

That legitimate law enforcement efforts as relates to crime of whatever nature, that societies decide need to be interdicted, is a reasonable activity. That fundamental transparency in Government operations is important even if there is a tension about the relative level of transparency in some respects of Government activity.

We want our National Constitutional protections of rights to privacy and the like to have real meaning, online and offline. We want to enjoy the internationally protected Human Rights that are pretty universally accepted, even if they're not always universally observed as we would like.

These are profound common shared needs, and perhaps we can find a way to use them as a basis for a constructive conversation about the role of security services and law enforcement online as it relates in particular to the everyday lives of individuals especially those who are not employed by the Government or in Government service.

The debate we have right now, I don't think leads to a positive end for the Internet community, and especially for the Internet. But as a community, we have the knowledge and the incentive to work to change that debate. I hope that can be another shared interest that we can build on, recognizing of course that criticism of Government behavior is a fundamental right of all, and there must be room for such criticism.

But to return to my original point governments have a responsibility not to allow surveillance of their nationals to get out of control and ironically in a digital age, for those National protections to mean anything, that responsibility really cannot end at your National border because if it does, the result counter‑intuitively is that if everyone but you is spying on your nationals, how can you say that your National Constitutional protections have meaning name? They have even less meaning because you have no idea who knows what and is doing what in relation to you. In that vein I think the explanations we've heard from Ambassador Fonseca of the Brazilian initiative are welcome.

A conversation about what we share, the beliefs we share, is not something we should fear. It's I think essential if we're to meet this conundrum of an analog past meeting a digital future in terms of surveillance.

>> JOVAN KURBALIJA: Thank you very much for your excellent intervention. We'll try to tap this enormous expertise in the room, experience, expertise and knowledge and we will like to ask you for your comments and questions. I think there is one person in the room who comes from the organisation that can help us to address these balancing acts in the surveillance issues. We already heard about Human Rights aspect, security aspect, and Data Protection. And Council of Europe is organisation which has under its one roof three conventions and three institutional mechanisms for covering cybersecurity, Data Protection, Human Rights. I don't know if somebody from Council of Europe, Jan Malinowski, is here. Could you give us a quick remark, a few points, how to address this balancing act between different aspects? It has been underlying theme throughout the discussion, please.

>> JAN MALINOWSKI: The Council of Europe approach I think mirrors in many respects the different dimensions that have been mentioned here already, and I wouldn't go into that. I think that in substantive terms, what Johann Hallenborg has said is valid and it does exemplify the different responses of the Council of Europe.

But the Council of Europe approach I think can be described as multistakeholder. One has to listen in order to deliver good governance, one has to listen to the different voices and leave whoever is responsible for something to take the decisions, but taking into account everything that others have to say.

The Council of Europe response is multidisciplinary. There are different issues that need to be expressed in one topic and we see there are issues relating to National Security, to privacy, to freedom of expression, to crime, to rule of law. All of them need to be taken into account, and that requires a broad vision.

There are in the Council of Europe multiple responses. There are in addition to dialogue, there are responses that go through the intergovernmental negotiation line, with soft law, with recommendations, Bertrand de la Chapelle mentioned some of them. There are a host of others that would apply to this and there is hard law. There is international Treaty law as well. We have the cybercrime Convention that's been mentioned. We have the Data Protection Convention and above all we have the European Convention on Human Rights that encompasses all of it. It goes all the range from freedom of expression to others.

And we have multiple accountability responses, as well. We have political accountability. We have legal accountability in the court. We have discussions in the specialized Committees, in the Data Protection Committee, in the cybercrime Committee and so on.

In connection with the Snowden case in particular, the Council of Europe does not have a response or has not given or attempted to give a response at this stage but there are two things that I would like to draw your attention to in that respect.

Already from the '70s, the European Court of Human Rights has made it clear that a system of mass surveillance can undermine or destroy democracy under the cloak of protecting it. I think that's a very important statement. As I said, it relates to cases well before Snowden, well before the Internet.

And the other aspect which is very relevant to the Snowden affair is that the Council of Europe cares about whistleblowers. Whistleblowers who disclose information in the public interest should be protected, and I think that the discussions that we are having demonstrate that Snowden has made revelations and disclosures that are in the public interest. Thank you very much.

>> JOVAN KURBALIJA: Thank you for addressing this main dilemma if you have in the same room people from cyber security, data collection community and Human Rights community, what is the way to address the question of intersurveillance? And we will be facing it more and more, that interprofessional dialogue.

I saw some hands over there. Khaled, please. And over there, yes.

>> KHALED FATTAL: Thank you, Jovan. Can everybody hear me? Yes? Okay, thank you. My name is Khaled Fattal, Chairman of the Multilingual Internet Group. The issue that I see in front of us here is not about alleged or not alleged. It's really goes to the core and to the values of what multistakeholderism stands for.

Many who attend ICANN would remember that I took the lead on making this a topic that needs to be addressed by ICANN, by the international community during the ICANN Durban. Raising the issue that unless we deal squarely with the issue of surveillance, we are not giving the true value of how damaging it is to multistakeholderism.

This is like a cancer scare to the trust of the multistakeholderism we all believe in. We believe many of us believe in multistakeholderism from an altruistic point of view, and we believe in privacy, freedom online. I'm a Syrian American, and nobody needs to lecture me on the importance of democracy and privacy and freedom of expression. But when the values are being challenged of what this stands for, I think it's time to come to terms with greater acknowledgment of what damage has been done, and how to fix it is required.

In emerging markets, we're embarking on major events in emerging markets. This is the subject matter that people want to talk about at many levels of society. And unless we deal with it very, very squarely, very ‑‑ at a high priority level, we will not be able to diffuse the situation, because so far all I see is an attempt to diffuse, that people get it off their chest. The values of what we stand for is really what's at stake.

I'll just close with this one remark: The war against terror was angled at our values versus theirs. The war against terrorism is our values versus theirs.

What does it say that in pushing towards a free and open Internet, we discover we are spying on the rest of the world? It's again going back to the values. Please take note, a cancer scare does not get treated with an aspirin. It needs an acknowledgment of what had happened, and a desire and a genuine desire and process put in place to show this is being addressed and fixed, rather than just being an attempt to diffuse.

This is my recommendation, because all of us who believe in this do not want to see this multistakeholderism damaged. I will close with that remark. Thank you.

>> JOVAN KURBALIJA: Thank you, Khaled, contributing to the fifth basket on ethics and trust, importance of trust and values in addressing internet surveillance and we will try to organise our discussion along these main five lines. Please could you introduce yourself, Sir?

>> REN YISHENG: Thank you, Mr. Chairman. I believe we have ‑‑

>> JOVAN KURBALIJA: Could you introduce yourself?

>> REN YISHENG: Yes, okay. My name is Ren Yisheng. I'm from the Foreign Ministry of China. I was going to introduce myself in my mother tongue Chinese because I believe we have interpretation in the room so please put on your earphones.

Let me start by making my intervention in English while you are getting your earphones. I have a couple of points to make. Number one, we all have consensus on the common values of the universality or universal value of Human Rights. On the other hand, that we would also like to stress that Human Rights concept is an integral concept, it's a whole concept that we should not neglect the other parts or elements of Human Rights, which is to say that we have two sets of rights, civil political rights, economic, social and cultural rights, and in fact the right to development.

On the other hand, also there is a check and balance of rights. We have rights. On the other hand, we have our obligations, responsibilities. Our obligation, our responsibilities to the society, to respect the rights of others. This is the first point I want to make.

The second point is on Internet. I think that we have so many elements, so many factors that we need to look at. There is at least in my view that we have many elements that we need to look at. For example, the right to access. I think this is a very important issue for many countries, the developing countries in particular.

I'm glad that you're getting your earphones so that I can switch back to my mother tongue language, Chinese.

Since all of you have earphones right now, I'm going to switch back to my mother tongue. Over the past two days, few days, IGF discussed many important issues in relation to Internet development including the stability of Internet, the resource allocation issues of the Internet, and the Internet crime issues, spam e‑mails, as well as how to enhance the trust of the public to Internet.

Meanwhile today, the issues we're discussing and issues we discuss over the past few days is that some individual country carrying out largescale surveillance over other countries, like other Delegations of other countries, we are very surprised, very much concerned over this issue. We believe massive surveillance no matter over the individual citizens or other politicians of other countries is a infringement of sovereignty, National interest, and privacies of other countries, and also it poses as a threat to the safe operation, secure operation, of Internet operation.

Meanwhile, this conduct seriously damaged the public trust of Internet. Last but not least, I'd like to say to discuss the principle of Internet Governance, several points are extremely important, such as transparency, inclusiveness, participatory principles, and cooperation. And so on and so forth. Therefore, we're very much in favor of the points made by the Brazilian Ambassador, the governance of Internet is something that we have to work very hard on the basis of multistakeholder, no matter be it the Government or Internet companies, academic circle, Civil Society, no part should be excluded from this process.

We believe all people should participate. If you exclude any stakeholder in the course of Internet Governance, it's not good. Thank you very much, Mr. Chairman.

>> JOVAN KURBALIJA: Thank you for your patience with our technical facilities and readiness to address us in English, and I think you reiterated quite a few important principles for our discussion, and elements of trust, Human Rights, in comprehensive way, question of sovereignty and I think we have quite a few interesting points. We have intervention here.

>> SUBI CHATURVEDI: Thank you. Am I on? Hi. Is the mic working? Okay. My name is Subi Chaturvedi, and I teach communication and new media technology at a University in India. It's a women's college, and we run a Foundation called media for change. The issues that we primarily look at is how the Internet and new media technologies can empower developing countries. I thank Raul once again for organising this session because we're looking at some of the most important questions that go to the heart of the matter. At the core of the Internet is trust.

The fact that we can trust this wonderful empowering technology which data which is immensely and increasingly private, personal and confidential. I do want to raise a couple of points here. When we start talking about situations such as these, I'm reminded of a story and we all grew up reading Sherlock Holmes and one of the stories was about why the dog didn't bark.

And this was about how we've decided to keep quiet at moments such as these, and when we are faced with uncomfortable situations, we decide to take positions. This is an important moment, and I can't agree more with what Khaled had to say. This is about trust but this is also about working in a space which is collaborative and I do not believe that cybersecurity and concerns around sovereignty can exist in isolation without the consideration for individual rights of States and citizens.

And I do want to reiterate that this journey from being the slave to the citizen has been a long one, and when we come to this point, of data collection by Governments for what purpose, by whom, and for how long, and where is it going to be kept? When we create honey pots such as these, these are questions that we worry about, not just from the Human Rights perspective. And I come from India. We have laws to protect children and women, and vulnerable communities in particular and we have just had two 18‑year‑old girls go to jail for updating a status, because they decided to voice their dissent.

And this is all for our own good, which is what I hear increasingly more often from Governments across the world, but I do want to say that two wrongs don't make a right, but what we have with us is a wonderful process which is bottoms‑up, inclusive and multistakeholder. Yes, there might be problems in the current system but that does not mean that we privilege one stakeholder which is largely the Government and most of us do not know then when these conversations take place, whether our voices would be heard.

Democracy is a wonderful thing and a participatory democracy is an even better one but it's not the same as multistakeholderism. I think we've got a solution. We have a platform. Let's acknowledge this, let's take it from here, and let's keep working with this platform. But let us work to reinforce the system that we have in multistakeholderism.

I think that is the only way forward. Thank you, Chair. Thank you for giving me this opportunity.

>> JOVAN KURBALIJA: Thank you for bringing Sherlock Holmes into our discussion, as well.

>> May I? My very brief question is for Mr. Scott Busby. I was really pleased to hear a changed statement or a changed tone from the U.S. Government, and I would hope and I believe that it is a reflection of the changed mindset within the U.S. Government towards surveillance, and Human Rights and privacy.

And if that's indeed the case, I would like to ask you that at the center of this whole ‑‑ at the center of these developments is a man called Snowden, whom Mr. Obama has referred to as a traitor. Is that still the position? Or has that position changed? Is this changed tone from the U.S. reflective also of the position on Snowden?

Because it's an important Human Rights issue. Snowden as a cause and Snowden as an individual, I'm talking about Snowden as an individual, what does the U.S. Government want to do with him? That's my very brief question and I would like that answer. Thank you.

>> JIMMY SCHULZ: May I? Okay. My name is Jimmy Schulz and I was a member of the German Parliament until Tuesday and the Committee for Internal Affairs and Home. And I've been taking care of the issue since it occurred.

It was said the whole thing of surveillance is not new. It was said that others do that, too. That's true. That doesn't make it better, and that's no excuse.

A question to Google: You said you don't give direct access, which sounds a little bit like Keith Alexander said in last year's Defcon, we don't spy on every American. That doesn't mean we don't give direct access. Is there any indirect access?

Because you've talked about legal interception, are you forced by any law not to tell us everything? That's a question to Google.

To the U.S. Representative: Keith Alexander said earlier this year those who encrypt are treated as potential terrorists, wherefore I am a potential terrorist. Do you think I am a potential terrorist?

And you also said some countries are taking advantage of the situation. Does this apply to Germany? Because I think the whole thing is an earthquake in our relationship. Friends don't do that.

And you said you're taking recommendations. I give you something that is not a recommendation: Stop surveillance now. But to be more coming to the point, I think we have to take three steps. First of all, I expect and I think we need complete transparency, complete transparency which means you have to tell us everything, and everyone has to be open on that issue.

Second, what we need are international contracts that friends don't spy on friends. And, third ‑‑ and this is a thing we really should do ‑‑ is encrypt all our communication so surveillance won't work. Thank you.

[ Applause ]

>> Thank you very much. Yes?

>> EVERTON LUCERO: Hello. So I'm with the Brazilian Government. I think we are dealing with a situation now that requires clarity in terms of what we need to address in the future, so as we avoid that it will ever happen again.

I mean, the unprecedented mass surveillance and un authorized monitoring of communications of millions of citizens worldwide by one intelligence Agency of one single country has naturally revealed something. First, I agree that it reveals we do not have a technological gap to fill in. This is an ethical and a political question. We have an institutional gap clearly. Because the only way that we will avoid there to happen again is if we agree in a set of principles and norms, and an institutional framework that would on the one hand recognize legitimate multistakeholder processes, and on the other hand, create an ethical ground for every actor to behave in the future in a way that will not damage Human Rights and privacy of any citizen in the world based on any grounds.

In particular, when it comes to National Security, I believe this argument does not stand for it any longer since you may hardly conceive a situation in which normal Brazilian citizens or companies or authorities are violated in their privacy. Is that done in the name of National Security? And how come? Does that mean that there is a suspicion that millions of Brazilian citizens and Brazilian companies and authorities are somehow involved with terrorism or any other activity that may be harmful to National Security of other countries?

As a Brazilian citizen and as a Brazilian public servant, to me, these are questions that are still to be answered. And the only thing we can proceed with this in order to create a new vision is to get together all the stakeholders and think deeply about how to make sure that we will agree on a minimum core set of rules and principles that will become the norm, and that will be observed from now on, so that this situation will not repeat itself. Thank you.

>> ANNE-RACHEL INNE: Thank you very much, Mr. Lucero. I'm going to ask for you forgiveness for a few minutes. Given what Everton said I would like to call on our commenter, Megi. Megi is a special consultant with the right of Internet users so we'd like to hear from him now. Thank you.

>> MEGI MARGIYONO: Thank you, moderators and Chairman. As I am an Information Technology lawyer, so my comments will be on the legal aspects. I think our discussions should move forward, not just track a debate whether the surveillance are accepted or not accepted, but on how to make Internet still free and open despite surveillance activities. One of the issues is striking the balance of rights, the rights of security and the rights of privacy and freedom of expressions.

However, to make globally accepted set of standards, principles, and rule to striking the balance of those rights seems difficult, because despite Human Rights is accepted as universal rights, but the applications of Human Rights differs from places to places.

Also on the threat of security issues also different from countries to countries. Freedom of expression in the U.S. is regarded as quote, unquote, the most important right, because protected under First Amendment, but privacy in the U.S. is not clearly whether it's protected under U.S. Constitution. At least it's not written on the U.S. Constitution, despite there are some interpretations that privacy is Constitutional right in the U.S.

On the contrary, in European countries, privacy is most important and there are some sets of limitations of the applications of freedom of expression. We know there are margins of appreciations that apply and applications of the freedom of expressions in European countries.

In Asia, privacy and freedom of expression seems not a strong right, and not strongly protected. Government of Asia like Indonesia pay more attention on security than freedom of expression, also privacy. Some say that privacy don't have cultural rules in Asia like Indonesia.

So regarding to the matter of facts, it seems difficult to set up a globally accepted rule to striking the balance of these rights.

Sorry. However, democratic on the surveillance activity is very important. Maybe the surveillance activity have to be commissioned by Parliament to make sure the surveillance technology is not abused by Government. It's important because technology of surveillance has been proved to be abused by some Governments of Emirates Arab Union and Bahrain. According to a report, surveillance technology provided by United Kingdom company named Gamma Group International is misused to monitor journalists, bloggers and activists in those countries. That is also a report that militia use surveillance technology to monitor the activities of opposition parties prior to the general election last year.

And Indonesia just signed a contract with Gamma Group International on September this year and we should make sure that Indonesian Government don't use this surveillance technology to monitor the opposition activities on the election next year.

>> JOVAN KURBALIJA: Thank you. For our next speakers while they're queuing, a few ideas I can think of. One is this question of balancing act ‑‑ and we just heard that balancing act is not the same in Europe, Asia, United States and other places ‑‑ between security and privacy. Second point, we have the rules on privacy protection and international Government on civil and political rules, and as I've already indicated, there is a question how to apply it, what are the mechanisms.

>> One more point, please.

>> JOVAN KURBALIJA: How we can make the next ‑‑ while you're waiting in the queues think about these two issues: Balancing act in different regions and how we can move from applying the general rules to the problem that exists. Thank you.

>> RAUL ECHEBERRIA: My name is Raul Echeberria. I'm the CEO of LACNIC. I think that some consensus seems to be emerging from the discussion. One thing is that it seems that all of us agree that massive surveillance is something bad. It is something that should not be done, no matter who does it and no matter what are the motivations for doing it. There is also a kind of consensus that some kind of investigations should be permitted using technology but that this kind of use of technology should be done based on the respect of Human Rights given the due process warranted to everybody.

And I have heard many people speaking, using almost the same words about principles, and that any use of technologies for this kind of purpose should be done in the framework of certain principles so here is my question for all of the panelists, because it seems that the speech of the representative of the Swedish Government was very interesting, and it seems to me that they are applying this concept. So my question for all the panelists is: Could be what the Swedish Government is doing a basis for continuing to develop this concept and trying to get a solution in the future? I'm not expecting to have a full agreement today about the principles.

But probably we can get a kind of common view in this session about that this is the path forward. Thank you.

>> MATTHEW SHEARS: Thank you. My name is Matthew Shears with the Center for Technology and Democracy. A couple of comments on what we've heard so far. Let's not trivialize this discussion. I've heard others are worse, NSA envy, alleged hypocrisy. When we use the sentence "others are worse," that's no justification for our own mass surveillance. When we say NSA envy, that's pretty serious stuff, because there are countries out there who are exactly saying that, this is not a joke.

And it is hypocrisy. It's not alleged so let's be clear on this.

Second, thank you to the representative from the Government of Sweden for saying there is no balancing act. We've waited a long time for someone to say, there is no balancing act. Respecting Human Rights increases security, diminishing Human Rights diminishes security.

Three, Frank La Rue, to paraphrase him ‑‑ I'm sure very poorly ‑‑ says that mass surveillance not only makes a mockery of Human Rights, but threatens the very foundations of our societies and the rule of law. Let's remember that. It's very important.

And finally, I don't know about everybody else here, but I have not lost my trust in the Internet. Let's stop saying that. I've lost my trust in the institutions that use the Internet for the purposes of undermining my fundamental rights. Thank you.

[ Applause ]

>> PINDAR WONG: Good morning. I am Pindar Wong from Hong Kong. Hong Kong has been where Snowden chose to make his revelations. My question really was a question is about forgiveness. Partly because as a long time Internet participant, I think what's been demonstrated is spying on an open network or surveillance on a network are low hanging fruit. We really shouldn't be surprised. What we are surprised on about is the scale. So I'll echo what Jimmy Schulz's intervention in terms of full disclosure.

Those of us who have kids know that kids make mistakes, and although the Internet is in its adolescence, looking forward clearly there's been a mistake that has been made. So a starting point really is that full disclosure. It may be naive to ask it. I'm not saying who discloses to whom, but it is a basis of recognizing that you've made a mistake, coming clean, and then going forward.

But what is that going forward? What is that vision? I don't agree with the previous intervention by the CTD guy. There is no balancing act. At least I have a very clear vision of the future that we wish to build, and I think I would suggest that whilst there's a temptation to fall within our National boundaries, to go back to what I would call a pre‑internet era, let's not forget the opportunity before us, the opportunity to really build trade.

And let us view things in positive terms. The next 1.5 billion people perhaps will be coming on the Internet through their mobile phones, making payment over that mobile network. So let's not also look at the issue of routing money over the Internet.

So trade, money, these are all very important issues and those issues if we have a vision of our future, I would hope we can find forgiveness because I'm not surprised of the surveillance, I'm surprised about the scale but let's find mechanisms to reestablish trust and let's look at how we can do so through the old '70s concept: Peace through trade. Thank you.

>> MARKUS KUMMER: Just a quick correction to the scribes. Please correct in the final version the name of the gentleman who just spoke as Pindar Wong. Thank you.

>> MIKE GURSTEIN: Mike Gurstein from the Community Informatics Network from Canada. It's a global network. About a month ago I wrote a blog post arguing or pointing out that the Internet was in fact a two‑way system, and that the National Security Agency while drawing information from the Internet, was also fully capable of putting information into the Internet, and having significant impacts in many of the places, if not most of the places, where it was drawing information from.

In the meantime, we've had confirmation of that, direct confirmation, one being the fact that Mr. Cheney's heart pacer was made hacker‑proof because of fears that using the Internet, it was possible to interfere with his pacemaker and assassinate him in that way. That came out recently.

The second was the use of the Internet and Internet surveillance as a direct input into the drone wars that's being conducted in various parts of the world as guidance systems and as direction systems for these drone wars.

I guess my observation, it's not really a question, is that I think we're dealing with something far more serious than simply surveillance. I think we're dealing with the potential for the active intervention in spurious and potentially dangerous ways into whatever elements of the Internet that we use for whatever purposes that we choose to in our daily lives, including our banking, our health records, our internal organisational communications, our financial communications, and so on and so forth, so that whatever response that's developed into the issues of surveillance also have to take into account the issues of aggressive and offensive actions by those who are in a position to undertake this kind of surveillance. Thank you.

>> And the speaker's name was Michael Gurstein. Thank you.

>> WOUT DE NATRIS: Good morning. I'm here on behalf of NLIGF and reporting back on discussions we had which were relevant. I think one of the main things that came up in the two panels that we did is that Internet is becoming more and more a part of our lives and isn't it time to start acting towards the Internet as if it is normal and not something which is far away from us and unseeable. So in other words if that is true, then what goes on in regular life also goes for Internet life so that would mean there's a triangle of economic development on the one side and the other side is security and the last part is freedom. So in other words, if you treat it like that, then economic development becomes possible, and the Internet becomes safer because there are so many best practices we heard of that it's about time that we stop talking and start to act upon those best practices.

And I won't recall which ones they are but they're in the transcripts. You heard some excellent ones.

And some things that really came forward is that would if Governments want the Internet to be safer, then start showing leadership through showing the best practice. So we did a head count saying who actually orders software off the shelf, or who says, I wanted to have this, this or these qualities before you can sell it to me? And only the commercial parties showed their hands saying, we're doing these sort of demands on software and all the Governments were looking, what are we talking about?

So in other words if you want leadership on security for the Internet, then start showing it yourself by demanding security before you buy something from the Internet.

And the last comment I would like to make is that we tried to envision how large this table should be if you want to have all parties discussing Internet Governance, and we probably have a table as long as this hall up and down and still not enough. And about 50% of the people know each other and still they're responsible for making the same products. So how do you get these sort of people at the table? Maybe never. But let's start with software developers, because they're hardly here in the IGF discussion, they're hardly ever there so Governments can show leadership in security by bringing the right people to the room in your country or regionally or internationally, and start discussing security with the right people, because that's the only way to make the Internet more secure.

And that was one of the comments made by the IETF, which I think made some excellent comments during this IGF, and I was happy to hear them.

>> JOVAN KURBALIJA: The last two presentations brought the broader context for this issue and importance of this issue of surveillance also for individuals, and the way they use the Internet. Now we have the next speaker.

>> JOHN LAPRISE: Good morning. My name is John Laprise. I'm a Professor at Northwestern University. As a scholar and historian, I'm surprised so many States are so surprised by the scope of the NSA surveillance, and I'd just like to offer to those States that perhaps you better take a better look at your intelligence‑gathering entities in your own countries, because they're either demonstrating incompetence in terms of not seeing the history of intelligence gathering or they know about it and are not saying anything, in which case they're guilty of collusion. Either way you have a few problems to remedy in your own countries for your own intelligence organisations. Thank you.

>> JOVAN KURBALIJA: Thank you. Nothing new under the sun.

>> NORBERT BOLLOW: Thank you. My name is Norbert Bollow, speaking in personal capacity right now as a human being who cares about my Human Rights. I start by echoing some remarks that have been made. We should not try to balance Human Rights and security. We need security that protects our Human Rights, our ability to fully experience our Human Rights.

We already have a good set of international Human Rights standards. What we need is the ability to effectively enforce them. This requires, as it has been said, full transparency. And I think it requires an international Treaty of sorts to deal with these widespread transborder Human Rights violations that we have experienced.

And perhaps most importantly, we need to get serious about looking at the technical side of metadata encryption. This is much more difficult technically than encrypting communications content. I am absolutely convinced it can be done, but it requires a fundamental rethinking of the architecture that we use for communicating via the Internet, so I propose the creation of a Dynamic Coalition of metadata privacy protection. Thank you.

>> JOVAN KURBALIJA: Thank you. We have the last two comments and then we'll pass the floor to the panelists, last three comments, I'm sorry.

>> MALCOLM HUTTY: My name is Malcolm Hutty. I work for the London Internet Exchange, and my comments are informed by this, but I'm speaking entirely on my own behalf. I think we've heard a great deal of "can't" about the surveillance issue. It is plainly and always has been the proper purpose of intelligence agencies to gather information about foreign countries, and their activities, insofar as they affect the essential National business and the proper business of security services to identify and do something about those that would cause us harm.

What has changed however is that it is now being said that these proper purposes can only be purr sized if the intelligence and security agencies essentially know everything about everyone. This has never been previous approach of anything except totalitarian societies. And if the Heads of Intelligence and security services cannot be persuaded their mission can be pursued in other fashion I hope that the political leaders will understand that the reaction that's being built around the world here shows that it's worth more than the beliefs of the appropriate way to pursue their mission on the part of those authorities. It is undermining our friends and allies.

Secondly and finally, the activity that work to undermine the protective security mechanisms, in particular undermining fundamental encryption standards, do not merely help the intelligence and security agencies identify those that would do us harm, but generally advance the interests of those who would penetrate information systems and undermine those who would protect them. Fundamentally this is a poor tradeoff for the National Security interests. I would urge you to consider the consequences to business, as well as to citizens, of making flaws generally available as they are becoming generally available to those that would penetrate information systems whether they be states or not state actors. This is an owned goal. Thank you for your attention.

>> PRANESH PRAKASH: My name is Pranesh Prakash. I work with the Center for The Internet Society in India and with the Yale Information Society project. While issues of Human Rights privacy and surveillance will be dealt with at the National level, and there are some indications that in some cases they are being dealt and reforms are ‑‑ will be attempted at least, we need to agree that privacy is a right that belongs not just to the citizens of one country or another, but no one country should be able to deny me the right of being human that privacy is indeed a human right and a country can't escape its international Human Rights obligations by saying that we are safeguarding the privacy of our own citizens and only our own citizens.

Second point I wanted to make is that mass surveillance at the level of Internet infrastructure and architecture as is being done by countries like our friends in the West and India, are contrary to the UDHR and ICCPR and its non‑targeted, non‑proportionate, non‑reasonable nature makes it an arbitrary or unlawful interference in the enjoyment of privacy, that this is contained in itself in International Human Rights Doctrine that mass surveillance of the sort that we are seeing today, especially at the level of the Internet infrastructure, just is not legal. Thank you very much.

>> FURIYANI AMALIA: Thank you very much. My name is Furiani Amalia. I'm from Indonesia. During the last few days we have heard and listened to many challenges that portrayed by multistakeholders in the Internet field. However, we also come up with the common views that trust and cooperation are important issues that we should address. We have a problem of trust there but we cannot stop just right there.

So we need to think what IGF as one of maybe the most Forum that involve many various multistakeholder worldwide. That we need to think what IGF could offer in the future, what IGF can do in the future in leading the role of setting out the principles or norms that are agreeable by all stakeholders, because in this multistakeholder Forum, it's not only to speak up what your interests are. It's not only a Forum to tell everybody else what your concerns are but we need to understand what other interests are so therefore IGF should be a bridge for all stakeholders to be a Forum where everybody can understand each others. Thank you.

>> ANDRES AZPURUA: My name is Andres. I come from Venezuela as part of ISOC Ambassadors Programme. My country is a relatively small country with Human Rights problems makes completely no sense in making the decision if you have Human Rights problems or challenges as they like to be said here.

It doesn't make any sense distinguishing if they're online or offline so I would like to put my perspective on many of the subjects we've been talking in this IGF from the perspective of small countries that are not frequently represented in this Forum or that their issues are not usually commented too much. It's a little sad when Governments defend their actions by saying that they only target foreigners as if they were not subject to Human Rights, and the international Declaration of Human Rights.

I'm also really sad to see that the U.S. who had a very strong agenda in pushing it throughout the world now lacks the moral authority to keep doing that. I think it's time for other countries to step up if they decide not to change their policies.

Mass surveillance and other advanced persistent threats that are more targeted are being used not only by big Governments, also by small ones. In the case of these Governments, usually the controls and oversights are even more weak than in the famous case we've all been discussing. So it would be of much help for countries like mine to actually know what's getting into our countries, because most of this technology doesn't come from our own industries or our own tech industries. It comes from developed nations or nations with stronger IT industries.

So more controls and transparency in those important experts would definitely help activists like myself.

So as I said I'm not a lawyer. I'm just an activist with a tech background. And for me, it's obviously clear that mass surveillance should be treated as a huge Human Rights transgression. So I hope that in the meantime, we learn to use encryption correctly to protect ourselves, our colleagues, and our work. I hope that for next IGF or next meetings of this kind we'll see a lot more PGP fingerprint keys on business cards so that we could start to share the knowledge on how to communicate effectively and securely. Thank you.

>> ANNE-RACHEL INNE: Thanks very much. We're going to go to the online remote participation. Subi?

>> SUBI CHATURVEDI: Yes, we have a question, there's one from Twitter that talks about what Government can do another from the same team about ethics and trust, and this is a question to European Governments. Sweden, as a representative of Europe regarding the individual Snowden issue who has done a great service to the global public in making this information accessible, do European countries consider him to be a whistleblower who needs to be protected? Or is he to be considered a traitor who should not receive protection?

Would any European country, any member of the Council of Europe, now be willing to grant Snowden asylum?

>> ANNE-RACHEL INNE: That's very much. So I think we're going to wrap up a little bit Jovan and then we're going to give the floor to our panelists to respond to some of the questions that we've had. Jovan?

>> JOVAN KURBALIJA: There were ‑‑ I think there was quite high level of consensus of both problems and main issues and controversies, and here are a few points.

There is agreement about the severity of the problems. I think it was equaled in all intervention comments. And also highlighted that there is a question of trust, fundamental trust, as underlying element for the success in the future development of the Internet.

Second point, I think we agreed that there are existing rules in international law that cover this issue, and there is Article 17 of the International Covenant on Political and Civil Rights saying clearly that no one should be suggested to arbitrarily or unlawful interference with his privacy and so on. The international law exists. As we know, international law is sometimes not easily applicable and then we come to the next point which was raised in many comments from Bertrand, how to apply international law. What are the procedures? And here the key words were: Checks and balances, introduce checks and balances, careful transparency, use due process, observe the rule of the law, and have institutional division as Johann from Sweden mentioned between different players in this field.

That will be the main challenge, and one can argue that maybe some new reporting mechanism of existing conventions should be introduced, or it should be introduced in universal periodical review in the work of the UN Council of Human Rights. We're speaking about the way how to implement existing rules.

There was a bit of ‑‑ there are quite a few different views about possibility of having win‑win solution or balancing act. We should act and we should aim for win‑win solution by achieving Human Rights protection through more security. But we should be equally ready to have some balancing acts, because it is reality of political life.

What are the next steps? First, we are waiting for the results of the review process in the United States. In the meantime, there are quite a few international initiatives in the UN Human Rights Council, and it will be moving on especially on the issues on protection of privacy and Data Protection.

And we should start exploring some National models like Swedish model for tackling these issues and these delicate balances between security, Human Rights and Data Protection and it was clear from all interventions the topic is extremely important and the IGF should find ways and means to continue discussion including proposal to create Dynamic Coalition dealing with these issues.

I hope it reflected in a few Tweets what was ‑‑ were underlying messages. Please.

>> I think there is one important issue that I should address, it's the liability and responsibility of technology providers. Technology providers should ensure that technology, they provide not be misused by Government so there should be any legal remedy if the technology used to suppress or to monitor the activity of activists or journalists. So there is the contract between the technology providers and Government should be cover an Article saying that the Government only use this technology for legitimate purposes, not misuse et cetera.

>> JOVAN KURBALIJA: We'll start now with our panelists answering the questions and commenting on overall discussion and also this underlying elements for possible summary of our discussion.

I think we had the most questions addressed to Scott. Scott, could you start, please?

>> SCOTT BUSBY: Thank you, Jovan.

>> JOVAN KURBALIJA: It's not surprising.

>> SCOTT BUSBY: I'm not sure I'll be able to answer them all, but I'll do my best. First of all I want to thank my Fellow panelists, commentators as well as the audience for all of your many thoughtful comments and questions. The United States Government is here in force. There are over 10 of us here. On the heels of a Government shutdown, mind you, which there was travel restrictions on virtually every U.S. Government Agency, and I hope that demonstrates to all of you not only the seriousness with which we take the IGF, but the seriousness with which we take this issue.

We intend to take back your comments, your questions, to report back to our senior leadership on what we've heard here, with the goal of ensuring that those views are taken account of in the deliberations that are now taking place in the United States.

Second of all, to Khaled who first made this point but the woman from India, as well, about the seriousness or potential lack of seriousness with which we take this issue, I don't think that President Obama and the rest of the U.S. Government is not taking this issue seriously, is trying to deflect. The President has taken extraordinary action in setting up this review Board of independent experts to give him their best advice on how the U.S. should move ahead on this issue.

As I just mentioned, the U.S. Government has come here in force knowing this issue was going to be at the heart of the discussions at this IGF and willing to engage with you, to hear you out, on this issue. So we take very seriously this issue.

With regards to transparency, which several commentators mentioned, the President has already ordered that as much transparency about what the NSA has been doing, the judicial orders relating to the NSA activities, that those be released, and indeed, you can find those online. If anyone wants to know the site where they can be found, I'd be happy to send that to them.

On Edward Snowden, I don't have anything to say on that beyond what President Obama has already said, so I would refer the questioner to what President Obama has said.

On China, on our intervention from a colleague from China, I would simply ask anyone who has questions about the Human Rights situation in China and the Human Rights situation in the United States to look at any independent Human Rights report on these issues, and draw their own conclusions. One of the best reports I think is the Freedom on the Net report issued by Freedom House. We have Freedom House here. There are copies of that report here. That report is critical of the United States, I would mind you. It's not often that a Government official refers people to a report that's critical of the United States.

I would urge people to look at that report, and draw their own conclusions.

To the Indonesian representative, the lawyer here, who asked about privacy in the United States, so interesting story here in the United States, for good or worse, we have a very old Constitution in the United States, older than most countries, and the concept of privacy actually post‑dates the creation of our Constitution.

So, yes, the concept of privacy is covered by our Constitution, but it's covered through legal interpretations of that Constitution by our Supreme Court. And there are a slew of decisions in the last century that essentially create this concept of privacy and indeed it is now considered a Constitutional right.

And lastly, there were several questions about the NSA and sort of the NSA out of control, being a state within a state. I would just urge folks to look at what the President has said. The NSA and these activities are subject to judicial review. They are subject to legislative review, and the NSA finally is subject to the command and control of our Commander in Chief, namely, the President of the United States.

So the President has said what he intends to do in this area. He has empowered a review panel to look at these issues, and we will be considering the recommendations of that review panel going forward. Thank you.

>> ANNE-RACHEL INNE: Thank you very much, Scott. Now we go on to Ross.

>> ROSS LaJEUNESSE: Thanks very much. I want to echo Scott's sentiments that I've enjoyed today's panel, and particularly enjoy hearing questions from all of you. And so I've taken a couple notes. I don't think I was as thorough as you were, Scott.

But to Jimmy's question, I appreciated that very much, about direct access versus access. It's a very good point. When I meant we don't provide direct access, what I meant is that we really don't provide access to the infrastructure. I was trying to draw distinction between that and the process I outlined that when we get a legal request from the Government, we look at it thoroughly, and so it is possible for the U.S. Government to get user data, but only through that process that I outlined in my remarks. So thank you for that clarification.

There was a comment or question from a remote participant about user trust. And that is something that we are very focused on. It really is what drives everything we do at Google, so we're incredibly concerned about the impact of users' trust on us from the Snowden revelations. It drives everything we do. It's why we spend the resources that we do on our security infrastructure, on our encryption, with search encrypted by design and Gmail being encrypted and I would make the point that I feel the cloud is certainly more secure than alternative models as Bertrand characterized it, data sovereignty, data localization. The cloud is much more secure than that model.

But this issue of user trust drives much more than our security infrastructure and our technology. It drives the work we do on Internet Governance, our membership, our founding membership in GNI, which is a third party which audits the practices of companies. It drives our development of things like Project Shield, which allows independent news sites and similar sites to take advantage of Google's own security infrastructure for those sites that have been subject to DDoS attacks and the like, and it drives our sponsorship of Civil Society and our work which we do really in each and every country in which we have an office on free expression from issues like intermediary liability in Thailand and India, to even more challenging situations in parts of Southeast Asia.

Finally, to Matthew's intervention from CDT, as Matthew well knows, we are a strong partner of CDT for pushing for greater transparency in the United States, and we see I think very clearly eye to eye on that and so I wanted to clarify Matthew's point. When I said that others are doing it too I thought I made it fairly clear about five or six times in my comments but I'm happy to say it again, I'm not trying to excuse or trivialize in any way the revelations that have come about, about U.S. surveillance but I am making the point that this is not just a U.S. issue. That this is happening everywhere around the world and I think it would be unwise of us to focus solely on the U.S. surveillance programme, and not focus on the very real challenges that are occurring everywhere else around the world.

So that was may point and I thank Matthew for giving me the opportunity to clarify that. And I think as I'm checking my notes, that was it. But someone correct me if I'm wrong.

>> ANNE-RACHEL INNE: Thanks very much, Ross. Next on our panel is Johann.

>> JOHANN HALLENBORG: Okay. Thank you very much. A couple of points from me, as well. There was a question about the powerful tools and resources if that has prompted any change in our society and any legislation. And the answer in my country is: Yes, it certainly has because that has created an all‑new way of looking at this, of course.

And around 10 years ago, discussions intensified in my country on how to find the right legislative framework for this, an area which largely were unregulated before, and so after long negotiations, a draft law was presented. It was thrown out of Parliament, wasn't approved, back to Government. Again the second draft wasn't approved, because of the Parliament felt that the protections for privacy were not good enough.

And the third draft eventually was approved in 2009. This law applies equally to everyone, every citizen. There was a question about not making a difference between different nationalities. It applies equally to Swedes and non‑Swedes. And it includes a fair amount of special mechanisms to protect individuals' privacy. Amongst other things, it includes a special court which takes a decision in every case of signals surveillance.

This law is now being put to the test in the European court of Human Rights. It's being challenged, and we welcome this of course. We welcome to hear if the court in Strasbourg finds it lives up to the standards of the European Convention on Human Rights.

There was a comment on Article 17 of the ICCPR. It is true, it establishes the fundamental right to respect for private life, which is I believe the accurate wording. We believe there may very well be reasons to look at Article 17 and see how we can increase our understanding of how Article 17 should be interpreted.

There are a number of different ways to do that, and we're currently engaging in Geneva and in New York to find ways of promoting the best way forward.

Finally, a few comments were made on the Swedish model. I'm not sure I really know what that would be, but if it refers to the fundamental principles that my Minister outlined last week, we are more than happy to discuss on the basis of those the way to go forward. And indeed, those principles are integrated in our law and in our framework, so in a way, it will ‑‑ I suppose it does represent the Swedish model.

Finally, I am not representing any other country than may own country here on this panel, so I am not in a position to speak on behalf of Council of Europe Member States or European Union Member States when it comes to Edward Snowden. I can just conclude that his Human Rights should be respected, period, regardless of the label that you give him. Thank you very much.

>> ANNE-RACHEL INNE: Thank you, Johann. Joana, you've heard most of the comments. Would you like to say something more?

>> JOANA VARON: I just would like to make some remarks for us to include the comments on Mr. Bollow in this panel report because I believe it's an important Human Rights issue and we're only here debating surveillance because of them. And I'd like to ask Scott and the U.S. Government to give further thoughts about this. That it seems penalties for whistleblowers are getting worse and worse, and I'm not referring only to Snowden.

A person who leaked the information about the war in Iraq is in jail with a 35‑year sentence after remaining for three years without a sentence and according to notes from The Guardian that I quote here, "Manning’s three‑and‑a‑half‑decades jail term is unprecedentedly long for someone convicted of leaking U.S. government documents. Compare, for example, the ten years received by Charles Graner, the most severely punished of those held responsible for the Abu Ghraib torture in Iraq." So the jail is not only talking in Russia.

These people had normal importance for the countries we believe today are being severely punished and in a dilemma between being traitor to a nation and providing openness and important information to the world, I think that most of people here with good faith and will would go for traitor. So that's it.

>> ANNE-RACHEL INNE: Thanks, Joana. So we've heard quite a few things, and I think we're going to give a few seconds to ‑‑ minutes to our commenters to respond. And we're going to start with Ambassador Fonseca. Is the mic around?

>> BENEDICTO FONSECA FILHO: Thank you. And very briefly much has been said and I don't have much to add, just also in reaction to what was proposed and the question that was formulated by Raul Echeberria from LACNIC, I would like to comment that the Swedish model, not the Swedish model, but the points that were raised by your Minister of External Relations at the civil conference really provide a very good basis for our work in regard to the issue of privacy in relation to security, which is of course one of the focus areas and core areas of the speech our President delivered at the United Nations. So we'd be comfortable in working within this framework.

But just to recall that we have proposed and the President has proposed we should aim at having a larger set of principles, and taking into account a huge amount of work that has already been done in that regard within different contexts, it has been mentioned the Council of Europe, we could refer to our OECD so we have a different set of principles but of limited in scope of participation so we are aiming at something of global nature that would encapsulate the core norms and agreed principles that should guide us through.

And just reiterate the invitation and the call for participation in the Brazilian meeting to be held next year. And if you allow me just a very brief comment in regard to this, I was referring before to the kind of misunderstandings that sometimes occur, and the President has termed this meeting as a "Summit," and it must be understood that from the point of view of Government, what we are aiming at is at a very high‑level event that would wishfully be able to make kind of decision that could impact on the work we are doing.

So this is the meaning of saying a "Summit." It should not be interpreted as meaning it's something exclusively for Governments. I think this is the kind of conceptual difference that sometimes must be spelled out. When we say "Summit," we mean a meeting that will be ‑‑ will have authority enough to make decisions. And at the same time, the President clearly also spelled out that she would expect Civil Society, private society, all stakeholders to be represented, and I would dare to say on an equal level as regard any decision‑making process that might be ‑‑ might take place at that point, which we aim of course at some kind of consensus.

So this is just very briefly to reiterate something I said before, and to specify that as we go back, our President is due in the next few days to make an announcement on the basis of everything we heard and the very important inputs we have received and ideas that were presented here. I would not at this point like to anticipate anything the President will say. I think sometimes we like to interpret what she has meant. I think it's as a disciplined civil servant I would prefer the President herself to spell out.

Of course, this will not be a decision or anything made in isolation but fully taking into account the multistakeholder aspect we want. But as the host of the meeting, I think it would be the President's prerogative to decide for example on the Summit aspect or not and this is something we will invite all to be there, and again the announcement to be made in next few days. Thank you very much.

>> JOVAN KURBALIJA: We'll have a few treats if it is possible Nick and Bertrand and we have one comment. We're closing the Plenary Session and the comments, we're wrapping up and if it is of relevance for the wrapping up comments that we will hear.

Please.

>> BERTRAND DE LA CHAPELLE: Thank you, Jovan. I wanted to reaffirm one element that after this panel, it is clear that the answer to excessive surveillance cannot be the proliferation of National frameworks establishing data sovereignty but rather increased oversight and increased due process respect and assessment of the impact of transboundary action or impact assessment for any National measures that has a transboundary action. Thank you.

>> JOVAN KURBALIJA: Nick, please.

>> NICK ASHTON-HART: Thank you also for inviting me to speak in general. One thing that struck me here is that I think we have many different National approaches to surveillance and the protection of individuals in relation to it, but very little have I found published that actually spells out and contrasts the different choices countries have made, and the reasons why they have made them.

I know in Latin America, recent very serious Human Rights violations by security services in living memory have made this issue particularly sensitive in that region, for example, and in Switzerland I know we had a similar scandal in the '90s that has greatly changed the way surveillance is conducted by Switzerland and we've heard a bit about the Swedish protections.

Perhaps it would be useful to have more clarity and be able to compare different systems and understand the choices that they made, and I would say also, the interparliamentary Union in Geneva, the home of the world's Parliaments, perhaps should discuss this issue to see if the world's Parliaments can share information, understand each other better, and perhaps that would help.

>> JOVAN KURBALIJA: Thank you, Nick. We'll have a Chinese colleague, and after that we'll be closing discussion. Otherwise I will be declared persona non grata by the IGF Organising Committee. I just received a letter from Markus. Please.

>> REN YISHENG: Thank you very much, Mr. Chairman, for giving me the floor for the second time. I'll be very brief. First of all, I'd like to clarify. This morning we discussed issues on surveillance, so the Chinese Delegation while making the point quoted a well‑known case, but I don't know why the U.S. speaker is so sensitive to our intervention. He's not here. If he's here, he has to explain to us why he's so sensitive to that.

Secondly, the Human Rights condition situation in China is well known by the Chinese. The Chinese has every right to explain that. Other country has no right to comment on China's Human Rights. The universality of Internet in China, we have almost 600 million netizens in China, much more than the population of the U.S. We have more than 300 millions of users of social media. It's almost the same population of U.S.

Every day, people are posting things on microblogs, blogs. More than 200 million people doing that. Therefore, Chinese also enjoy a full freedom of speech, but any information shall not infringe the society. You have to abide the basic code of conduct, moral conduct, and also you are not allowed to spread any information that will harm National Security. Also, you are not allowed to spread groundless rumors online.

Last but not least, let me say one thing: Every year, U.S. Government publish Human Rights situation or status of more than 200 countries in the world. He recommend us to read that. However, he neglected one thing: The U.S. Government never published Human Rights status report of its own country, but the Chinese Government has done that for the U.S. Government, and for free.

China's state Council's information office publish annual report of U.S. Human Rights status. You're welcome to access. All the information are collected publicly from the U.S. media.

>> JOVAN KURBALIJA: ‑‑ periodical review which is useful mechanism to comparing various situations worldwide when it comes to the Human Rights as what we heard.

We are ‑‑ well, just a half Tweet.

>> ALEX COMNINOS: My name is Alex. I'm from the Internet. It seems people in this room are concerned about eaves dropping so I would just like to point out if you registered online to attend the IGF, you have leaked your personal information including date of birth, ID number or passport number, and residential address, e‑mail address, full name. So defenses against these type of things really do start at home. You can see it on the APC website, APC.org. Thank you kindly. Bye.

>> ANNE-RACHEL INNE: Thank you very much.

>> My name is Juan Carlos. I'm from Brazil. Everyone is still under the perplexity of the size and the rich of American intelligence and many are making decisions in the heart of emotion and it's this that worries me. Decisions that are taken so passionately, decisions under the scenario generally does not so passionate and generally are hurting our hearts. I'm definitely not wanting to give away any right in exchange for security. That's all.

>> JOVAN KURBALIJA: Closing the session with a poem, an artistic expression of overall discussion.

>> ANNE-RACHEL INNE: So what we're going to do right now, I think we're going to have Jovan remained us a little bit some of the points that were raised here in answering if you remember some of the questions that we had that Markus read that the session was also supposed to address.

And I would like to simply say that I think this session is one that is again Building Bridges. This is the start of discussions and I know that I've seen a few Tweets where people are saying we're not satisfied because there aren't really answers. And I don't think anybody expected really that we would have answers here this morning.

But at least conversations have started. You know, the start of a bridge is being built as Ambassador Fonseca said, one of our next meetings will be in Brazil, and that could be a place where at least some general principles could be agreed upon, and then it will be up to all of us to actually just like the other general and global principles that we have, to make sure that we adhere to those. Jovan?

>> JOVAN KURBALIJA: With the risk of confronting Twitter community which is not a wise thing to do, I have to admit that there were quite a few answers and quite a few useful insights. We heard about experiences within Brazil, quite a few suggestions.

There is agreement that there are international rules that cover these issues, and quite a few concrete suggestions how we can implement these rules, through due process checks and balances.

Therefore, I would say that I personally feel quite comfortable with advancement of our discussion, much more than expected before the session. And as you know, these problems are complex and they're so called big problems. You don't have a quick fix. There are many aspects, security, Human Rights, ethical, business that should be addressed. Markus gave us 7 questions at the beginning of the session which were questions posed through the public consultation.

And we answered all of those questions, and even added quite a few more questions. Therefore, we will be having an interesting discussion. And if I can conclude with one point with a famous quote, don't waste a crisis. It seems we're not going to waste this crisis and that at least based on your inputs and panelist inputs, there is a serious determination and responsibility to do something useful for Internet as a whole, and for humanity, first of all to avoid the situation like this one with NSA case, but also to prevent similar situations happening worldwide.

Therefore, there is an opportunity that we shouldn't miss, and I think quite a few players around the world are moving in that direction, to create space, ideas, and proposals that could make Internet even more powerful tool for enabling of the social and economic development worldwide.

Thank you.

>> MARKUS KUMMER: Let me just add a quick word: I think the discussion, A, was certainly very interesting. This is a sensitive issue on top of the agenda. And I think again, the IGF proved its value and its worth, and this kind of discussion clearly is best held in a multistakeholder setting.

And I think it will not be over and we will revisit it at the next IGF. With that, Mr. Chairman, over to you to close the meeting.

>> SETYANTO SANTOSA: Thank you, Markus. Thank you also, Madam Anne‑Rachel and Jovan, for moderating this opening discussion on emerging issues with focusing mainly on approaching the role of security, surveillance, transparency and privacy issues. If I may value this session, it's really the top of the top session of the IGF 2013. If you look at the response from the floor and also they say all the ideas.

As a piece of information that Indonesia also aware of positive impact of Internet as a means of economic development. However, it has become increasingly concerned over the impact of access of information and has demonstrated an interest in increasing its control of offensive online content, particularly pornographic and anti‑Islam online content. The government regulates such content through legal and regulatory framework and through partnership with the ISP, Internet service provider and also the Internet cafe. Meanwhile the telecommunication 99 also prohibit the wire tapping of communication necessary for obtaining evidence for criminal investigation. So ladies and gentlemen, this is my first IGF engagement, with more especially in Bali 2013 from 109 countries so let us wait for our next IGF 2014, wherever it will be held. I think we should come and really I enjoyed this familihood circumstances and it's really a kind of the spirit of multistakeholder cooperation of world community. With a statement I would like to conclude this meeting and again thank you for excellent moderating, and thank you also to our panelists and all participants for this valuable discussion. I hope you enjoy your stay in Bali, Indonesia. For those of you who will leave before the Closing Ceremony, I wish you have a pleasant and safe trip back home.

Please join me to give a big hand to all the panelists and moderators.

[ Applause ]

I return the floor to Mr. Markus Kummer.

>> MARKUS KUMMER: Nothing to add. We resume at 2:30 for the open microphone "Taking Stock" session.

[ End of session ]

For more details visit https://cis-india.org/news/igf-2013-october-25-taking-stock-emerging-issues

Spy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry

maria — 2013-11-14T16:21:00Z

In this article, Maria Xynou looks at WikiLeaks' latest Spy Files and examines the legality of India's surveillance technologies, as well as their potential connection with India's Central Monitoring System (CMS) and implications on human rights.

Last month, WikiLeaks released “Spy Files 3”, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files in December 2011, which entail brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.

So what do the latest Spy Files reveal about India?

When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, India is once again on the list with some of the most controversial spyware.

ISS World Surveillance Trade Shows

The latest Spy Files include a brochure of the ISS World 2013 -the so-called “wiretapper’s ball”- which is the world’s largest surveillance trade show. This years ’ ISS World Asia will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech. The leaked ISS World 2013 brochure entails a list of last years’ global attendees. According to the brochure, 53% of the attendees included law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and from the private enterprise. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.

The following table lists the Indian attendees at last years ’ ISS World:

Law Enforcement, Defense and Interior Security Attendees	Telecom Operators and Private Enterprises Attendees	ISS Vendors and Technology Integrators Attendees
Andhra Pradesh India Police	BT	AGC Networks
CBI Academy	Cogence Investment Bank	Aqsacom India
Government of India, Telecom Department	India Reliance Communications	ClearTrail Technologies
India Cabinet Secretariat	Span Telecom Pvt. Ldt.	Foundation Technologies
India Centre for Development of Telematics (C-DOT)		Kommlabs
India Chandigarh Police		Paladion Networks
India Defence Agency		Polaris Wireless
India General Police		Polixel Security Systems
India Intelligence Department		Pyramid Cyber Security
India National Institute of Criminology		Schleicher Group
India office LOKAYUKTA NCT DELHI		Span Technologies
India Police Department, A.P.		TATA India
India Tamil Nadu Police Department		Tata Consultancy Services
Indian Police Service, Vigilance		Telecommunications India
Indian Telecommunications Authority		Vehere Interactive
NTRO India
SAIC Indian Tamil Nadu Police

17 4 15

According to the above table - which is based on data from the WikiLeaks ’ ISS World 2013 brochure- the majority of Indian attendees at last years’ ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP provider, Reliance Communications, attended the trade show too.

In addition to the ISS World 2013 brochure, the Spy Files 3 entail a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.

ClearTrail Technologies

ClearTrail Technologies is an Indian company based in Indore. The document titled “Internet Monitoring Suite ” from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:

1. ComTrail: Mass Monitoring of IP and Voice Networks

ComTrail is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.

ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, record and replay of a variety of Voice and IP communications in pretty much any type of communication, including - but not limited to- Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.

Additionally, ComTrail intercepts data from any type of network -whether Wireless, packet data, Wire line or VoIP networks- and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.

In short, ComTrail’s key features include the following:

- Equipped to handle millions of communications per day intercepted over high speed STM & Ethernet Links

- Doubles up as Targeted Monitoring System

- On demand data retention, capacity exceeding several years

- Instant Analysis across thousands of Terabytes

- Correlates Identities across multiple networks

- Speaker Recognition and Target Location

2. xTrail: Targeted IP Monitoring

xTrail is a solution for interception, decoding and analysis of high speed data traffic over IP networks and independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks -including wireline, wireless, cable, VoIP and VSAT networks- and acts as a black box for “record and replay” targeted Internet communications.

Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.

In short, xTrail’s key features include the following:

- Pure passive probe

- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways

- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic

- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location

- Huge data retention, rich analysis interface and tamper proof court evidence

- Easily integrates with any existing centralized monitoring system for extended coverage

3. QuickTrail: Tactical Wi-Fi Monitoring

Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.

QuickTrail is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.

According to ClearTrail’s brochure, QuickTrail is a “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN and capture, reconstruct and replay. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.

In short, QuickTrail’s key features include the following:

- Conveniently housed in a laptop computer

- Intercepts Wi-Fi and wired LANs in five different ways

- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks

- Deploys spyware into a target’s machine

- Monitor’s Gmail, Yahoo and all other HTTPS-based communications

- Reconstructs webmails, chats, VoIP calls, news groups and social networks

4. mTrail: Off-The-Air Interception

mTrail offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 Mhz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in the stealth mode so that there is no dependence on the network operator and so that the target is unaware of the interception of its communications.

The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.

Target location identification is supported by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.

In short, mTrail’s key features include the following:

- Designed for passive interception of GSM communications

- Intercepts Voice and SMS “off-the-air”

- Detects the location of the target

- Can be deployed as a fixed unit or mounted in a surveillance van

- No support required from GSM operator

5. Astra: Remote Monitoring and Infection framework

“Astra ” is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.

The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment without requiring any physical access to the target device.

In particular, Astra can push bot to any targeted machine sharing the same LAN (wired, wi-fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture Mic, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which overrules the possibility of getting traced by the target.

Astra’s key features include the following:

- Proactive intelligence gathering

- End-to-end remote infection and monitoring framework

- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots

- Designed for centralized management of thousands of targets

- A wide range of deployment mechanisms to optimize success ration

- Non-traceable, non-detectable delivery mechanism

- Intrusive yet stealthy

- Easy interface for handling most complex tasks

- Successfully tested over the current top 10 anti-virus available in the market

- No third party dependencies

- Free from any back-door intervention

ClearTrail Technologies argue that they meet lawful interception regulatory requirements across the globe. In particular, they claim that their products are compliant with ETSI and CALEA regulations and that they are efficient to cater to region specific requirements as well.

The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as Telesoft Technologies, AGT International and Verint Systems. In particular, Verint Systems has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:

- Impact 360 Speech Analytics

- Impact 360 Text Analytics

- Nextiva Video Management Software (VMS)

- Nextiva Physical Security Information Management (PSIM)

- Nextiva Network Video Recorders (NVRs)

- Nextiva Video Business Intelligence (VBI)

- Nextiva Surveillance Analytics

- Nextiva IP cameras

- CYBERVISION Network Security

- ENGAGE suite

- FOCAL-INFO (FOCAL-COLLECT & FOCAL-ANALYTICS)

- RELIANT

- STAR-GATE

- VANTAGE

While Verint Systems claims to be in compliance with ETSI, CALEA and other worldwide lawful interception and standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism, without violating individuals’ right to privacy and other human rights. After all, Verint Systems has participated in ISS World Trade shows which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.

And what do the latest Spy Files mean for India?

Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:

1. The Central Monitoring System (CMS)

2. Is any of this surveillance even legal in India?

3. Can such surveillance result in the violation of human rights?

Spy Files 3...and the Central Monitoring System (CMS)

Following the Mumbai 2008 terrorist attacks, the Telecom Enforcement, Resource and Monitoring (TREM) cells and the Centre for Development of Telematics (C-DOT) started preparing the Central Monitoring System (CMS ). As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISP and Telecom operators are required to install the gear which enables law enforcement agencies to carry out the Central Monitoring System under the Unified Access Services (UAS ) License Agreement.

The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is Rs . 4 billion. In addition to equipping government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements regional Internet Monitoring Systems , such as that of Assam, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.

However, data monitored and collected through the CMS will be stored in a centralised database, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that the bigger the amount of data , the bigger the probability of an error in matching profiles, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The UAS License Agreement regarding the CMS mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.

Interestingly enough, Indian law enforcement agencies which attended last years ’ ISS World trade shows are linked to the Central Monitoring System. In particular, last years’ law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the agencies which will have access to the CMS: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.

Furthermore, Spy Files 3 entail a list of last years ’ ISS World security company attendees, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides solutions for targeted and mass monitoring of IP and voice networks, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.

In fact, ClearTrail states in its brochure that its ComTrail product is equipped to handle millions of communications per day, while its xTrail product can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s “Astra ” is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Centralized Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells target and mass monitoring products to law enforcement agencies. The Centralized Monitoring System is currently being implemented. What are the odds that ClearTrail is not equipping the CMS? And what are the odds that such technology is not being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?

Spy Files 3...and the legality of India’s surveillance technologies

ClearTrail Technologies’ brochure -the only leaked document on Indian surveillance technology by the latest Spy Files- states that the company complies with ETSI and CALEA regulations. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply within India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.

India has five laws which regulate surveillance:

1. The Indian Telegraph Act, 1885

2. The Indian Post Office Act, 1898

3. The Indian Wireless Telegraphy Act, 1933

4. The Code of Criminal Procedure (CrPc ), 1973: Section 91

5. The Information Technology (Amendment ) Act, 2008

The Indian Post Offices Act does not cover electronic communications and the Indian Wireless Telegraphy Act lacks procedures which would determine if surveillance should be targeted or not. Neither the Indian Telegraph Act nor the Information Technology (Amendment ) Act cover mass surveillance, but are both limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.

The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of a public emergency or for public safety. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.

The interception of Internet communications is mainly covered by the 2009 Rules under the Information Technology Act 2008 and Sections 69 and 69 B are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaked national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.

While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the mass surveillance of communications. In other words, ClearTrail’s products, such as ComTrail, which enable the mass interception of IP networks, lack legal backing. However, the Unified Access Services (UAS ) License Agreement regarding the Central Monitoring System mandates mass surveillance and requires ISP and Telecom operators to comply.

Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content even without a warrant, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength, target numbers like IMSI, TIMSI, IMEI or MSI SDN, which can be captured through ClearTrail’s mTrail product.

More importantly, following allegations that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all all such equipment imported over a ten year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since, the Home Ministry has informed the heads of law enforcement agencies that there has been a compete ban on use of such equipment and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring is illegal and Indian law enforcement agencies are prohibited from using it.

ClearTrail’s “Astra ” product is capable of remote infection and monitoring, which can push bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such licenses mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s QuickTrail is technically legal or not. The UAS License agreement mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.

The issue of data retention arises from ClearTrail ’s leaked brochure. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.

Section 7 of the Information Technology (Amendment) Act, 2008, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.

Data retention requirements for service providers are included in the ISP and UASL licenses and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.

India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether ClearTrail ’s spy products are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception- but they are mandated through the UAS License agreement regarding the Central Monitoring System.

In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the UAS License Agreement mandate mass surveillance, the laws - particularly the 2009 Information Technology Rules- mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this does not constitute mass surveillance legal or illegal, but rather a grey area. Furthermore, while India ’s Telegraph Act, Information Technology Act and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.

One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appear to create a grey zone for the expansion of mass surveillance in the country. According to Saikat Datta, an investigative journalist, a senior privacy telecom official stated:

“Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?”

Spy Files 3...and human rights in India

The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, ClearTrail, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.

In particular, ClearTrail’s ComTrail provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. xTrail enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well QuickTrail proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.

And indeed, carrying a mobile phone is like carrying a GPS device, especially since mTrail provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions though which arise are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that we are all suspicious until proven innocent .

And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by Astra. Having physical access to a targeted device is a conventional surveillance mean of the past. Today, Astra can remotely push bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, we should all have something to hide !

Privacy protects us from abuse from those in power and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance - especially the type undertaken by ClearTrail ’s products - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.

And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, a UK student studying Islamic terrorism for his Masters dissertation was detained for six days . The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.

This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.

This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always “have something to hide ”, as that is the only way to protect us from abuse by those in power.

In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by ClearTrail, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the International Principles on Communications Surveillance and Human Rights.

Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.

This article was cross-posted in Medianama on 6th November 2013.

For more details visit https://cis-india.org/internet-governance/blog/spy-files-three

The Fight for Digital Sovereignty

sunil — 2013-10-25T07:29:22Z

It is time to incorporate free software principles to address the issue of privacy. Thanks to the revelations of Edward Snowden, a former contractor to the United States (US) National Security Agency (NSA) who leaked secrets about the agency’s surveillance programmes, a 24-year-old movement aimed at protecting the rights of software users and developers has got some fresh attention from policymakers.

The article was published in the Economic & Political Weekly, Vol-XLVIII No. 42, October 19, 2013

The free and open source software movement (often collectively labelled as FOSS or sometimes FLOSS, with the “l” standing for “libre”) guarantees four freedoms through a copyright licence – the freedom to use for any purpose, the freedom to study the code, the freedom to modify it and the freedom to distribute the modified code gratis or for a fee. Free software principles have permeated the world in the form of movements around open standards, open content, open access and open data. The second freedom is the most critical in an open society. Privacy, security and integrity are best achieved through the transparency guaranteed by free software rather than the opacity of proprietary software.

Free software is directly useful in deciding on the software required for your device operating system and applications. NSA’s surveillance programme covered operating system vendors like Microsoft and Apple, and application vendors like Skype. The concerns raised by such surveillance programmes are best addressed by shifting to free software. Increasingly, this is possible on mobile devices because of the availability of Android derivatives that keep Google’s nose out of your business and on other personal computing devices through GNU/Linux distributions such as Ubuntu. Ideally, this should be accomplished by a mandate for government and public infrastructure in specific areas where free software alternatives are on par with proprietary competitors. Two other policy options remain outside procurement policies for hardware – code escrow and independent audits. Firms that are willing to share code with the government should be preferred over those that do not, thereby encouraging proprietary software companies to provide for the second freedom in free software within a limited context. Code escrow could improve the quality of the independent audit.

Unfortunately, open hardware based on free software principles is still a fringe phenomenon in terms of market share. The Indian government cannot afford bans on foreign products, unlike the intelligence and military of Australia, the US, Britain, Canada and New Zealand, which recently prohibited the use of Lenovo machines in “secret” and “top secret” networks. Last October, the US government banned US telecos from using equipment from Huawei and ZTE. Both these bans are not based on any credible public evidence regarding back doors in any of the products manufactured by these Chinese companies. The Indian government, using funds like the Universal Service Obligation Fund, should support competitive research to reverse-engineer and analyse all foreign and indigenous hardware to ensure that there is no national security threat or infringement on the individual’s right to privacy. One example would be a research project to determine whether China-manufactured phones call home when they are used on Indian telecom networks.

Cloud and other online services run by corporations could also completely undermine privacy and security. This again can be partially addressed through the transparency enabled by free software and open standards. To begin with, the government must ban the use of Google, Yahoo, Hotmail, etc, for official purposes by those in public office, law enforcement and the military, while simultaneously mandating the use of cryptography for all sensitive material and communication. It should not, however, mandate the use of National Informatics Centre (NIC) infrastructure as it may be a single point of failure; instead, a variety of open-standards-compliant and free-software-based infrastructure for all public sector information communication technology (ICT) requirements should be encouraged. This procurement bias will result in the growth of domestic server administration and security competence, thus creating and contributing towards the establishment of a market for affordable privacy and security-enhanced services that ordinary citizens and private sector organisations can access.

The end objective through means such as free software, open hardware, code escrow and independent audits is sovereignty over software, hardware, cloud and network infrastructure. However, the state, the private sector, the consumer and the citizen may disagree on the details. Apart from law enforcement and national security concerns that may require targeted surveillance, there are other occasions when technological possibilities may have to be curtailed through policy to protect human rights and the public interest. For example, to implement the internationally accepted privacy principle of notice on electronic recording devices, some jurisdictions may require that video recorders display a blinking red light and that digital cameras make an audible click sound just like analog cameras. This was first initiated in South Korea to reduce the incidence of “upskirt photography”. This type of law may become more commonplace when technologies like Google Glass become more popular. In other words, absolute digital sovereignty may need to be curtailed in order to protect human rights in certain circumstances. But code could be used to resist regulation through law, thereby converting both the software and hardware layers of devices and networks into a battleground for sovereignty between the free software hacker and the state.

For more details visit https://cis-india.org/a2k/blogs/epw-vol-xlviii-42-october-19-2013-sunil-abraham-the-fight-for-digital-sovereignty