Centre for Internet and Society

CIS and International Coalition Calls upon Governments to Protect Privacy

elonnai — 2013-09-25T07:21:09Z

The Centre for Internet and Society (CIS) along with the International Coalition has called upon governments across the globe to protect privacy.

On September 20 in Geneva, CIS joined a huge international coalition in calling upon countries across the globe, including India to assess whether national surveillance laws and activities are in line with their international human rights obligations.

The Centre for Internet and Society has endorsed a set of international principles against unchecked surveillance. The 13 Principles set out for the first time an evaluative framework for assessing surveillance practices in the context of international human rights obligations.

A group of civil society organizations officially presented the 13 Principles this past Friday in Geneva at a side event attended by Navi Pillay, the United Nations High Commissioner for Human Rights and the United Nations Special Rapporteur on Freedom of Expression and Opinion, Frank LaRue, during the 24th session of the Human Rights Council. The side event was hosted by the Permanent Missions of Austria, Germany, Liechtenstein, Norway, Switzerland and Hungary.

Elonnai Hickok, Programme Manager at the Centre for Internet and Society has noted that "the 13 Principles are an important first step towards informing governments, corporates, and individuals across jurisdictions, including India, about needed safeguards for surveillance practices and related policies to ensure that they are necessary and proportionate."

Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the Human Rights Council stated in her opening statement on September 9:

"Laws and policies must be adopted to address the potential for dramatic intrusion on individuals’ privacy which have been made possible by modern communications technology."

Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the event, said that:

"technological advancements have been powerful tools for democracy by giving access to all to participate in society, but increasing use of data mining by intelligence agencies blurs lines between legitimate surveillance and arbitrary mass surveillance."

Frank La Rue, the United Nations Special Rapporteur on Freedom of Expression and Opinion made clear the case for a direct relationship between state surveillance, privacy and freedom of expression in this latest report to the Human Rights Council:

"The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. … An infringement upon one right can be both the cause and consequence of an infringement upon the other."

Speaking at the event, the UN Special Rapporteur remarked that:

"previously surveillance was carried out on targeted basis but the Internet has changed the context by providing the possibility for carrying out mass surveillance. This is the danger."

Representatives of the Centre for Internet and Society, Privacy International, the Electronic Frontier Foundation,Access,Human Rights Watch,Reporters Without Borders, Association for Progressive Communications, and theCenter for Democracy and Technology all are taking part in the event.

Find out more about the Principles at https://NecessaryandProportionate.org

Contacts

NGOs currently in Geneva for the 24^th Human Rights Council:

Access
Fabiola Carrion: fabiola@accessnow.org

Association for Progressive Communication
Shawna Finnegan: shawna@apc.org

Center for Democracy and Technology
Matthew Shears: mshears@cdt.org

Electronic Frontier Foundation
Katitza Rodriguez: katitza@eff.org - @txitua

Human Rights Watch
Cynthia Wong: wongc@hrw.org

Privacy International
Carly Nyst: carly@privacy.org

Reporters Without Borders
Lucie Morillon: lucie.morillon@rsf.org
Hélène Sackstein: helsack@gmail.com

Signatories

Argentina
Ramiro Alvarez: rugarte@adc.org.ar
Asociación por los Derechos Civiles

Argentina
Beatriz Busaniche: bea@vialibre.org.ar
Fundación Via Libre

Colombia
Carolina Botero: carobotero@gmail.com
Fundación Karisma

Egypt
Ahmed Ezzat: ahmed.ezzat@afteegypt.org
Afteegypt

Honduras
Hedme Sierra-Castro: hedme.sc@gmail.com
ACI-Participa

India
Elonnai Hickok: elonnai@cis-india.org
Center for Internet and Society

Korea
Prof. Park: kyungsinpark@korea.ac.kr
Open Net Korea

Macedonia
Bardhyl Jashari: info@metamorphosis.org.mk
Metamorphosis Foundation for Internet and Society

Mauritania, Senegal, Tanzania
Abadacar Diop: jonction_jonction@yahoo.fr
Jonction

Portugal
Andreia Martins: andreia@coolpolitics.pt
ASSOCIAÇÃO COOLPOLITICS

Peru
Miguel Morachimo: morachimo@gmail.com
Hiperderecho

Russia
Andrei Soldatov: soldatov@agentura.ru
Agentura.ru

Serbia
Djordje Krivokapic: krivokapic@gmail.com
SHARE Foundation

Western Balkans
Valentina Pellizer: valentina.pellizzer@oneworldsee.org
Oneworldsee

Brasil
Marcelo Saldanha: instituto@bemestarbrasil.org.br
IBEBrasil

For more details visit https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy

FOSS Poster

praskrishna — 2013-09-24T08:58:38Z

For more details visit https://cis-india.org/openness/blog-old/foss-poster.pdf

The Central Monitoring System: Some Questions to be Raised in Parliament

bhairav — 2013-09-25T10:30:10Z

The following are some model questions to be raised in the Parliament regarding the lack of transparency in the central monitoring system.

Preliminary

The Central Monitoring System (CMS) is a Central Government project to intercept communications, both voice and data, that is transmitted via telephones and the internet to, from and within India. Owing to the vast nature of this enterprise, the CMS cannot be succinctly described and the many issues surrounding this project are diverse. This Issue Brief will outline preliminary constitutional, legal and technical concerns that are presented by the CMS.
At the outset, it must be clearly understood that no public documentation exists to explain the scope, functions and technical architecture of the CMS. This lack of transparency is the single-largest obstacle to understanding the Central Government’s motives in conceptualising and operationalizing the CMS. This lack of public documentation is also the chief reason for the brevity of this Issue Note. Without making public the policy, law and technical abilities of the CMS, there cannot be an informed national debate on the primary concerns posed by the CMS, i.e the extent of envisaged state surveillance upon Indian citizens and the safeguards, if any, to protect the individual right to privacy.

Surveillance and Privacy

Surveillance is necessary to secure political organisation. Modern nation-states, which are theoretically organised on the basis of shared national and societal characteristics, require surveillance to detect threats to these characteristics. In democratic societies, beyond the immediate requirements of national integrity and security, surveillance must be targeted at securing the safety and rights of individual citizens. This Issue Brief does not dispute the fact that democratic countries, such as India, should conduct surveillance to secure legitimate ends. Concerns, however, arise when surveillance is conducted in a manner unrestricted and unregulated by law; these concerns are compounded when a lack of law is accompanied by a lack of transparency.
Technological advancement leads to more intrusive surveillance. The evolution of surveillance in the United States resulted, in 1967, in the first judicial recognition of the right to privacy. In Katz v. United States the US Supreme Court ruled that the privacy of communications had to be balanced with the need to conduct surveillance; and, therefore, wiretaps had to be warranted, judicially sanctioned and supported by probable cause. Katz expanded the scope of the Fourth Amendment of the US Constitution, which protected against unreasonable searches and seizures. Most subsequent US legal developments relating to the privacy of communications from surveillance originate in the Katz judgement. Other common law countries, such as the United Kingdom and Canada, have experienced similar judicial evolution to recognise that the right to privacy must be balanced with governance.

Right to Privacy in India

Unfortunately, India does not have a persuasive jurisprudence of privacy protection. In the Kharak Singh (1964) and Gobind (1975) cases, the Supreme Court of India considered the question of privacy from physical surveillance by the police in and around the homes of suspects. In the latter case, the Supreme Court found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This insipid inference held the field until 1994 when, in the Rajagopal (“Auto Shankar”, 1994) case, the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty recognised by Article 21 of the Constitution. However, Rajagopal dealt specifically with the publication of an autobiography, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case. While finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards which continue to be routinely ignored. A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011) that de-criminalised consensual homosexual acts; however, this judgment has been appealed to the Supreme Court.

Issues Pertaining to the CMS

While judicial protection from physical surveillance was cursorily dealt with in the Kharak Singh and Gobind cases, the Supreme Court of India directly considered the issue of wiretaps in the PUCL case. Wiretaps in India primarily occur on the strength of powers granted to certain authorities under section 5(2) of the Indian Telegraph Act, 1885. The Court found that the Telegraph Act, and Rules made thereunder, did not prescribe adequate procedural safeguards to create a “just and fair” mechanism to conduct wiretaps. Therefore, it laid down the following procedure to conduct wiretaps:

(a) the order should be issued by the relevant Home Secretary (this power is delegable to a Joint Secretary),
(b) the interception must be carried out exactly in terms of the order and not in excess of it,
(c) a determination of whether the information could be reasonably secured by other means,
(d) the interception shall cease after sixty (60) days.

Therefore, prima facie, any voice interception conducted through the CMS will be in violation of this Supreme Court judgement. The CMS will enforce blanket surveillance upon the entire country without regard for reasonable cause or necessity. This movement away from targeted surveillance to blanket surveillance without cause, conducted without statutory sanction and without transparency, is worrying.
Accordingly, the following questions may be raised, in Parliament, to learn more about the CMS project:

Which statutes, Government Orders, notifications etc deal with the establishment and maintenance of the CMS?
Which is the nodal agency in charge of implementing the CMS?
What are the powers and functions of the nodal agency?
What guarantees exist to protect ordinary Indian citizens from intrusive surveillance without cause?
What are the technical parameters of the CMS?
What are the consequences for misuse or abuse of powers by any person working in the CMS project?
What recourse is available to Indian citizens against whom there is unnecessary surveillance or against whom there has been a misuse or abuse of power?

For more details visit https://cis-india.org/internet-governance/blog/central-monitoring-system-questions-to-be-asked-in-parliament

The National Privacy Roundtable Meetings

bhairav — 2014-03-21T10:03:44Z

The Centre for Internet & Society ("CIS"), the Federation of Indian Chambers of Commerce and Industry ("FICCI"), the Data Security Council of India ("DSCI") and Privacy International are, in partnership, conducting a series of national privacy roundtable meetings across India from April to October 2013. The roundtable meetings are designed to discuss possible frameworks to privacy in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Background: The Roundtable Meetings and Organisers

CIS is a Bangalore-based non-profit think-tank and research organisation with interests in, amongst other fields, the law, policy and practice of free speech and privacy in India. FICCI is a non-governmental, non-profit association of approximately 250,000 Indian bodies corporate. It is the oldest and largest organisation of businesses in India and represents a national corporate consensus on policy issues. DSCI is an initiative of the National Association of Software and Service Companies, a non-profit trade association of Indian information technology ("IT") and business process outsourcing ("BPO") concerns, which promotes data protection in India. Privacy International is a London-based non-profit organisation that defends and promotes the right to privacy across the world.

Privacy in the Common Law and in India

Because privacy is a multi-faceted concept, it has rarely been singly regulated. A taxonomy of privacy yields many types of individual and social activity to be differently regulated based on the degree of harm that may be caused by intrusions into these activities.[1]

The nature of the activity is significant; activities that are implicated by the state are attended by public law concerns and those conducted by private persons inter se demand market-based regulation. Hence, because the principles underlying warranted police surveillance differ from those prompting consensual collections of personal data for commercial purposes, legal governance of these different fields must proceed differently. For this and other reasons, the legal conception of privacy — as opposed to its cultural construction – has historically been diverse and disparate.

Traditionally, specific legislations have dealt separately with individual aspects of privacy in tort law, constitutional law, criminal procedure and commercial data protection, amongst other fields. The common law does not admit an enforceable right to privacy.[2] In the absence of a specific tort of privacy, various equitable remedies, administrative laws and lesser torts have been relied upon to protect the privacy of claimants.[3]

The question of whether privacy is a constitutional right has been the subject of limited judicial debate in India. The early cases of Kharak Singh (1964)[4] and Gobind (1975)[5] considered privacy in terms of physical surveillance by the police in and around the homes of suspects and, in the latter case, the Supreme Court of India found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This inference held the field until 1994 when, in the Rajagopal case (1994),[6] the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty guaranteed by Article 21 of the Constitution of India. However, Rajagopal dealt specifically with a book, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case (1996)[7] and, while finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards.[8] A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011)[9] that de-criminalised consensual homosexual acts; however, this judgment is now in appeal.

Attempts to Create a Statutory Regime

The silence of the common law leaves the field of privacy in India open to occupation by statute. With the recent and rapid growth of the Indian IT and BPO industry, concerns regarding the protection of personal data to secure privacy have arisen. In May 2010, the European Union ("EU") commissioned an assessment of the adequacy of Indian data protection laws to evaluate the continued flow of personal data of European data subjects into India for processing. That assessment made adverse findings on the adequacy and preparedness of Indian data protection laws to safeguard personal data.[10]

Conducted amidst negotiations for a free trade agreement between India and the EU, the failed assessment potentially impeded the growth of India’s outsourcing industry that is heavily reliant on European and North American business.

Consequently, the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology, Government of India, issued subordinate legislation under the rule-making power of the Information Technology Act, 2000 ("IT Act"), to give effect to section 43A of that statute. These rules – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Personal Data Rules")[11] — were subsequently reviewed by the Committee on Subordinate Legislation of the 15^th Lok Sabha.[12] The Committee found that the Personal Data Rules contained clauses that were ambiguous, invasive of privacy and potentially illegal.[13]

In 2011, a draft privacy legislation called the ‘Right to Privacy Bill, 2011’, which was drafted within the Department of Personnel and Training ("DoPT") of the Ministry of Personnel, Public Grievances and Pensions, Government of India, was made available on the internet along with several file notings ("First DoPT Bill"). The First DoPT Bill contained provisions for the regulation of personal data, interception of communications, visual surveillance and direct marketing. The First DoPT Bill was referred to a Committee of Secretaries chaired by the Cabinet Secretary which, on 27 May 2011, recommended several changes including re-drafts of the chapters relating to interception of communications and surveillance.

Aware of the need for personal data protection laws to enable economic growth, the Planning Commission constituted a Group of Experts under the chairmanship of Justice Ajit P. Shah, a retired Chief Justice of the Delhi High Court who delivered the judgment in the Naz Foundation case, to study foreign privacy laws, analyse existing Indian legal provisions and make specific proposals for incorporation into future Indian law. The Justice Shah Group of Experts submitted its Report to the Planning Commission on 16 October 2012 wherein it proposed the adoption of nine National Privacy Principles.[14] These are the principles of notice, choice and consent, collection limitation, purpose limitation, disclosure of information, security, openness, and accountability. The Report recommended the application of these principles in laws relating to interception of communications, video and audio recordings, use of personal identifiers, bodily and genetic material, and personal data.

Criminal Procedure and Special Laws Relating to Privacy

While the Kharak Singh and Gobind cases first brought the questions of permissibility and limits of police surveillance to the Supreme Court, the power to collect information and personal data of a person is firmly embedded in Indian criminal law and procedure. Surveillance is an essential condition of the nation-state; the inherent logic of its foundation requires the nation-state to perpetuate itself by interdicting threats to its peaceful existence. Surveillance is a method by which the nation-state’s agencies interdict those threats. The challenge for democratic countries such as India is to find the optimal balance between police powers of surveillance and the essential freedoms of its citizens, including the right to privacy.

The regime governing the interception of communications is contained in section 5(2) of the Indian Telegraph Act, 1885 ("Telegraph Act") read with rule 419A of the Indian Telegraph Rules, 1951 ("Telegraph Rules"). The Telegraph Rules were amended in 2007[15] to give effect to, amongst other things, the procedural safeguards laid down by the Supreme Court in the PUCL case. However, India’s federal scheme permits States to also legislate in this regard. Hence, in addition to the general law on interceptions contained in the Telegraph Act and Telegraph Rules, some States have also empowered their police forces with interception functions in certain cases.[16] Ironically, even though some of these State laws invoke heightened public order concerns to justify their invasions of privacy, they establish procedural safeguards based on the principle of probable cause that surpasses the Telegraph Rules.

In addition, further subordinate legislation issued to fulfil the provisions of sections 69(2) and 69B(3) of the IT Act permit the interception and monitoring of electronic communications — including emails — to collect traffic data and to intercept, monitor, and decrypt electronic communications.[17]

The proposed Privacy (Protection) Bill, 2013 and Roundtable Meetings

In this background, the proposed Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.

Previous roundtable meetings to seek comments and opinion on the proposed Privacy (Protection) Bill, 2013 took place at:

New Delhi: April 13, 2013 (http://bit.ly/17REl0W) with 45 participants;
Bangalore: April 20, 2013 (http://bit.ly/162t8rU) with 45 participants;
Chennai: May 18, 2013 (http://bit.ly/12ICGYD) with 25 participants.
Mumbai, June 15, 2013 (http://bit.ly/12fJSvZ) with 20 participants;
Kolkata: July 13, 2013 (http://bit.ly/11dgINZ) with 25 participants; and
New Delhi: August 24, 2013 (http://bit.ly/195cWIf) with 40 participants.

The roundtable meetings were multi-stakeholder events with participation from industry representatives, lawyers, journalists, civil society organizations and Government representatives. On an average, 75 per cent of the participants represented industry concerns, 15 per cent represented civil society and 10 per cent represented regulatory authorities. The model followed at the roundtable meetings allowed for equal participation from all participants.

[1]. See generally, Dan Solove, “A Taxonomy of Privacy” University of Pennsylvania Law Review (Vol. 154, No. 3, January 2006).

[2]. Wainwright v. Home Office [2003] UKHL 53.

[3]. See A v. B plc [2003] QB 195; Wainwright v. Home Office [2001] EWCA Civ 2081; R (Ellis) v. Chief Constable of Essex Police [2003] EWHC 1321 (Admin).

[4]. Kharak Singh v. State of Uttar Pradesh AIR 1963 SC 1295.

[5]. Gobind v. State of Madhya Pradesh AIR 1975 SC 1378.

[6]. R. Rajagopal v. State of Tamil Nadu AIR 1995 SC 264.

[7]. People’s Union for Civil Liberties v. Union of India (1997) 1 SCC 30.

[8]. A Division Bench of the Supreme Court of India comprising Kuldip Singh and Saghir Ahmad, JJ, found that the procedure set out in section 5(2) of the Indian Telegraph Act, 1885 and rule 419 of the Indian Telegraph Rules, 1951 did not meet the “just, fair and reasonable” test laid down in Maneka Gandhi v. Union of India AIR 1978 SC 597 requisite for the deprivation of the right to personal liberty, from whence the Division Bench found a right to privacy emanated, guaranteed under Article 21 of the Constitution of India. Therefore, Kuldip Singh, J, imposed nine additional procedural safeguards that are listed in paragraph 35 of the judgment.

[9]. Naz Foundation v. Government of NCT Delhi (2009) 160 DLT 277.

[10]. The 2010 data adequacy assessment of Indian data protection laws was conducted by Professor Graham Greenleaf. His account of the process and his summary of Indian law can found at Graham Greenleaf, "Promises and Illusions of Data Protection in Indian Law" International Data Privacy Law (47-69, Vol. 1, No. 1, March 2011).

[11]. The Rules were brought into effect vide Notification GSR 313(E) on 11 April 2011. CIS submitted comments on the Rules that can be found here – http://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011.

[12]. The Committee on Subordinate Legislation, a parliamentary ‘watchdog’ committee, is mandated by rules 317-322 of the Rules of Procedure and Conduct of Business in the Lok Sabha (14^th edn., New Delhi: Lok Sabha Secretariat, 2010) to examine the validity of subordinate legislation.

[13]. See the 31^st Report of the Committee on Subordinate Legislation that was presented on 21 March 2013.

[14]. See paragraphs 7.14-7.17 on pages 69-72 of the Report of the Group of Experts on Privacy, 16 October 2012, Planning Commission, Government of India.

[15]. See, the Indian Telegraph (Amendment) Rules, 2007, which were brought into effect vide Notification GSR 193(E) of the Department of Telecommunications of the Ministry of Communications and Information Technology, Government of India, dated 1 March 2007.

[16]. See, inter alia, section 14 of the Maharashtra Control of Organised Crime Act, 1999; section 14 of the Andhra Pradesh Control of Organised Crime Act, 2001; and, section 14 of the Karnataka Control of Organised Crime Act, 2000.

[17]. See, the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data and Information) Rules, 2009 vide GSR 782 (E) dated 27 October 2009; and, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 vide GSR 780 (E) dated 27 October 2009.

For more details visit https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings

e - DIRAP Google+ Hangout: Open Government

Christine Apikul — 2013-09-18T10:43:30Z

The e-DIRAP Hangout on Open Government was held on Thursday, 25 July 2013. It brought together nine professionals from Australia, India, Indonesia, Japan, Malaysia and the Philippines to discuss the wide spectrum of issues surrounding open government.

See the original published in Digital Review Asia here

The idea of open government has been around for hundreds of years but the contemporary use of the term is influenced by the rapid advancement of ICTs and by the open source movement. "Just as open source software allows users to change and contribute to the source code of their software, open government now means government where citizens not only have access to information, documents and proceedings, but can also become participants in a meaningful way."[1] There is now increasing pressure for governments to be more open with their digital documents and processes, and to interact with citizens.

To assess whether your government is open, a good starting point is the Open Government Partnership minimum eligibility criteria that has four key areas:[2]

Fiscal transparency related to open budget system
Access to information, e.g. an access to information law that guarantees the public’s right to information and access to government data.
Disclosures related to elected or senior public officials, e.g. public disclosure of their income and assets.
Citizen engagement.

The panelists discussed open government initiatives in their respective countries, the challenges they face, and open source tools for open government.

Open Government Initiatives

India
The Government of India has decided to use royalty free open standards for all e-government data. The government has also shortlisted a number of open standards. India’s data portal, data.gov.in was recently launched and the number of datasets has been increasing. In January 2013 there were 89 datasets and in half a year,this has increased to over 3,000 datasets. Forty-five government departments are involved in this initiative and six apps have been created. The Planning Commission recently had a hackathon participated by about 1,900 people.

Indonesia
Indonesia is one of the founding governments of the Open Government Partnership.[3] along with the Philippines and six other countries. The emphasis of open government in Indonesia is not only the "supply side" (i.e. government providing access to data and information). It is also looking at generating demand for open government by empowering citizens to access and analyse data and information, voice their concerns and advocate for openness in government. To empower citizens, the Government of Indonesia has a number of projects such as "Satu Layanan"[4] or "One Service", a web portal where citizens can find government information and services; “One Map”, to promote collaboration between different government ministries and agencies, and also civil society in integrating datasets; and "Lapor"[5] that allow citizens to report wrongdoings in public services using SMS, Twitter or through the website.

According to a research study conducted by the World Wide Web Foundation,[6] the Government of Indonesia is working on making public data available. Public data includes social - economic data, development data and census data held by the National Statistic Bureau, as well as information on how the data is obtained and measured.

The research report also found that that there is a low demand from civil society and citizens for open government and open data. Moreover, cooperation between civil society and government in the implementation of open government is not strong enough. Several donors in Indonesia have provided support to develop the capacity of civil society groups that are part of the Steering Committee of the Open Government Partnership. Hivos’ Southeast Asia Technology and Transparency Initiative[7] is working with both civil society and government in Indonesia and the Philippines to promote transparency and accountability in public institutions.

Japan
In Japan, the major focus is in the creation and launch of the open data portal this year. How much impact it will make and how it can be measured is a concern, and this is a worldwide challenge.

Malaysia
The Sinar Project[8] in Malaysia promotes transparency, governance and citizen involvement, and uses open source technology to make information accessible to Malaysian citizens. The project has learned that for countries with poor democracy like Malaysia, basic information about government is available but not easily accessible to the public. The government is not familiar with interacting with citizens especially online. Unlike places with advanced statistics and open data, open government in Malaysia is at a nascent stage and is about having information about government representatives online and what bills are being passed in parliament.

Philippines
In the Philippines, President Aquino announced that the Freedom of Information Bill will be a priority bill for Congress this year, but citizens are cynical about the passing of this bill because it has been under consideration for three years. The Office of the President has received support from the World Bank last year for an Open Data Project using CKAN and the open data portal will be at http://data.gov.ph. The Philippine Government Interoperability Framework was convened last week.

PhilHealth or the Philippine Health Insurance Corporation[9] attempted to open up data, however even though there was political will to open up data, this was insufficient. A clear policy framework and change management (particularly, removing the fear of openness among employees) was needed.

Moreover, PhilHealth did not have the capacity and competency to ensure that the health data released, that includes diagnosis and treatment procedures, will not be reverse engineered to identify people. Health data is particularly sensitive due to the social stigma of certain health disorders, for example, those with tuberculosis may be assumed to have HIV/AIDS. When data is opened up, there are security and privacy implications. Developing countries need help and it is important to work together to come up with policies, protocols and algorithms to protect the health privacy of citizens.

Melbourne, Australia
In Melbourne, Australia, local government efforts to engage with citizens more fully through online and offline platforms include experimenting with wiki-based policy development, smart cities initiatives and digital strategies. Through conversations with policymakers, some key themes were identified. First, openness is not the same as participation, and encouraging effective participation is a challenge. Public spaces need to be “programmed” to support participation, and opening up data is not sufficient. It is necessary to develop strategies for outreach to a diverse group and encourage substantive participation particularly from those who are not online and not as competent in data management.

Secondly, because many telecommunications platforms that make data available are privately owned, there is a tension between commercial interest for secrecy and public demand to make data open. It is also a challenge for government to engage with citizens over an infrastructure that is privately owned, e.g. Facebook, Twitter and Google that place constraints on how citizens can be engaged.

Malaysia, Singapore and Thailand with high levels of digital broadband penetration and online users are not part of the Open Government Partnership despite the fact that most of the government departments and data are online. This is because these countries do not meet the minimum eligibility criteria for Open Government Partnership. For instance, they do not have freedom of the press and without it media and civil society cannot make use of the data for reporting for fear of prosecution.

There is also a lack of political will to disclose assets of public officials and procurement decisions.

Challenges
Open data is often associated with open government, but opening up data does not make a government open. Making data open has a set of challenges, but open government also has an important civil society component to create demand for open government and make meaningful use of the open data. There is also a private sector component that needs to be considered, particularly related to the mechanisms public participation over privately owned telecommunications infrastructure.

Challenges are faced at both the supply and demand sides. From the government side, many countries do not have the capacity to interact effectively with citizens. From the citizens’ side, many countries face the low demand for open government. Yet, in the case of Malaysia, even if public demand for open government is high, the missing component is a strong and large enough civil society base that can handle and analyse data independently and question policy. Dealing with the demand when data is open is another challenge. The challenges of opening up data If the original data is not digitized, how do we ensure that it becomes part of open data as defined by the Open Knowledge Foundation.[10] For countries such as Iraq that are simultaneously introducing e-government systems and open government, implementation is hampered by the lack of e-government data standards for specific domains such as human resources management or financial management.

Privacy

Privacy is one of the biggest concerns that the open data and open government movements faces.

Lack of exposure to privacy issues: Some open data activists are not aware that privacy should be an exception in disclosure requirement of government open data policies. If no public interest is served through disclosing personal information then there is no need to infringe upon the rights of individuals.

Privacy only for the individual: There is often a western notion of what constitutes privacy in which people worry about privacy infringement only at the level of the individual. But in India, if the open dataset showed HIV/AIDS prevalence at the village level that could result in stigma and discrimination of particular villages. The privacy problem exists not only at the individual level, but also at the level of family, community and geographical unit.

Underestimating re-identification research: Today we deal with the privacy challenge by using techniques like anonymization and obfuscation, but the problem is that re-identification research is getting more sophisticated and the more datasets that people have access to and are able to overlay upon one another, the more likely it is to re-identify anonymous or obfuscated data. This is an issue that the open data movement should take seriously.

Conflict with the transparency movement: The open data movement has not fully adopted principles from the transparency movement. This can be clearly seen in some countries where freedom of information activists are being killed or assaulted, but open data activists are usually safe because they are focused on analyzing the data that the governments have opened up. The provision of large quantities of data by government may be a distraction strategy that takes away what is important for civil society and democracy. Moreover, open data should not be the means to legitimize and increase the levels of surveillance occurring at the bottom of the pyramid. Instead, we need to encourage more eyes to watch the top of the pyramid because single actions there can have dramatic consequences for public interest.

For public participation in local government, FixMyStreet[11] is an open source software first developed by MySociety in the UK that allows the public to report on issues on a map. MySociety has also developed a number of other tools to help with government’s engagement with citizens.

OpenSpending[12] is used to visualize budget data and how tax money is being spent. This is a useful tool for transparency developed by the Open Knowledge Foundation.

CKAN[13] is an open source data portal platform that many countries have used for their open data portal. This is also an Open Knowledge Foundation project.

The Sunlight Foundation[14] and Code for America[15] are organizations that develop a number of open source tools that can be re-used and adapted by countries in Asia and the Pacific.

A free de-identification software for automated location and removal of protected health information in free text from medical records has been developed by PhysioNet.[16]

The Strategic Alliance Against Impoverishment (SAPA) provides poverty data on their website and maps the location of their projects.[17]

Final Words for the Way Forward

Make open government an election issue and elect officials that are open.

Demands for engagement may conflict with political goals of representatives in terms of the election cycle. Perhaps these open government issues need a third space to insulate them from political forces.

For people interested in implementing technical solutions, it is important to also look into non-technical issues raised by the Open Government Partnership and the Declaration on Parliamentary Openness.[18]

Make data available based on the needs of citizens and provide a platform for citizens’ feedback to inform the kinds of data to open up.

Open government should be relevant to citizens and result in improving the welfare of citizens.

Improve citizens’ data literacy and use open data in decision-making.

Openness is only a means and in the end we need governments that are accountable, that protect the public interest, that protect the weakest members of society, and they are not automatically guaranteed through open government. We should not fetishize the means and forget the ends.

At the top we need political leadership with strong inclination and will, and on the ground we need close coordination between civil society and government so that government does understand what is needed and sense what impact they can make by opening themselves up to their society or to their own operations. In the long term the key is how much the government can transform itself in terms of its own operations, and how much data they can produce in a reusable format and how much data they can use from other agencies to improve their operations.

The core of open government is about partnership between government, civil society and the private sector, and this is not easy.

Panelists

Danny Butt, Research Fellow in Participatory Public Space, University of Melbourne, Australia
Sunil Abraham, Executive Director, Centre for Internet and Society, India
Venkatesh Hariharan, Director, Knowledge Commons, India (previously, Head of Public Policy at Google India)
Maryati Abdullah, National Coordinator, Publish What You Pay, Indonesia (also Steering Committee Member of Open Government Partnership)
Yanuar Nugroho, Director and Expert Adviser to the Head of the President's Delivery Unit for Development Monitoring and Oversight (UKP4), Indonesia – to be confirmed
Tomoaki Watanabe, Executive Research Fellow, Centre for Global Communications, International University of Japan (also Executive Director of Common Sphere - the host of Creative Commons Japan, and Co-founder of Open Knowledge Foundation Japan)
Shita Laksmi, Program Manager, Southeast Asia Technology and Transparency Initiative, Hivos Regional Office Southeast Asia
Alvin B. Marcelo, Co-chair, Asia eHealth Information Network

Moderator: Khairil Yusof, Co-founder, Sinar Project, Malaysia (also e-DIRAP team member)

e-DIRAP Hangout Coordinator: Christine Apikul

[1]. See 20 Basics of Open Government, http://basics.open4m.org/

[2]. http://www.opengovpartnership.org/eligibility

[3]. http://www.opengovpartnership.org

[4]. http://satulayanan.net

[5]. http://lapor.ukp.go.id; See also http://www.techinasia.com/lapor-deeper-indonesias-newest-anticorruption-weapon/

[6]. “Even though the Law on Freedom of Information has been in place for five years and while some ministries and agencies have made data available online, it is often difficult to obtain and make use of the data due to bureaucratic procedures, charging requirements, copyright restrictions or a general reluctance to provide access to government data to external users.” World Wide Web Foundation, Open Government Data: Readiness Assessment Indonesia, 28 June 2013, http://www.webfoundation.org/2013/06/new-research-open-data-in-indonesia/

[7]. http://seatti.org

[8]. http://sinarproject.org

[9]. http://www.philhealth.gov.ph

[10]. http://okfn.org/opendata/

[11]. http://www.fixmystreet.com

[12]. http://openspending.org

[13]. http://ckan.org

[14]. http://sunlightfoundation.com/tools

[15]. http://codeforamerica.org/apps/

[16]. http://www.physionet.org/physiotools/deid/

[17]. http://www.sapa.or.id/

[18]. http://www.openingparliament.org/declaration

For more details visit https://cis-india.org/openness/blog-old/digital-review-asia-pacific-christine-apikul-e-dirap-google-hangout-open-government

Privacy and Surveillance in India

praskrishna — 2013-09-13T09:49:25Z

Sunil Abraham, Executive Director from the Centre for Internet and Society will give a talk on privacy and surveillance in India at this event organised by the Centre for Culture, Media and Governance, Jamia Millia Islamia on September 18, 2013. The talk will be held at Network Governance Lab, CCMG, Jamia Millia Islamia in New Delhi at 11.30 a.m.

Click to read the brochure

Abstract

The talk will cover the development of privacy policy in India over the last 3 years, particularly in relation to projects such as NATGRID, CMS and UID. Special attention will be paid to the Justice A.P. Shah committee report, the last leak of the privacy bill from the DoPT and also the citizen draft of the privacy bill developed by the Centre for Internet and Society. International experiences such as Snowden's disclosures and the development of communication surveillance principles developed by EFF and others will be compared and contrasted with the Indian context.

About the Speaker

Sunil is the executive director of the Centre for Internet and Society (CIS), Bangalore. CIS is a 4 year old policy and academic research organisation that focuses on accessibility by the disabled, intellectual property rights policy reform, openness [Free/Open Source Software, Open Standards, Open Content, Open Access and Open Educational Resources], internet governance, telecom, digital natives and digital humanities.

He is also the founder of Mahiti, a social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. Sunil continues to serve on the board of Mahiti. He is an Ashoka fellow and was elected for a Sarai FLOSS Fellowship. For three years, Sunil also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

Sunil currently serves on the advisory boards of Open Society Foundations - Information Programme, Mahiti, Samvada and International Centre for Free/Open Source Software.

For more details visit https://cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india

Privacy and Surveillance Talk by Sunil Abraham

praskrishna — 2013-09-13T09:47:09Z

For more details visit https://cis-india.org/internet-governance/blog/privacy-surveillance.pdf

Transparency Reports — A Glance on What Google and Facebook Tell about Government Data Requests

prachi — 2013-09-13T09:44:53Z

Transparency Reports are a step towards greater accountability but how efficacious are they really?

Prachi Arya examines the transparency reports released by tech giants with a special focus on user data requests made to Google and Facebook by Indian law enforcement agencies.

The research was conducted as part of the 'SAFEGUARDS' project that CIS is doing with Privacy International and IDRC.

According to a recent comScore Report India has now become the third largest internet user with nearly 74 million citizens on the Internet, falling just behind China and the United States. The report also reveals that Google is the preferred search engine for Indians and Facebook is the most popular social media website followed by LinkedIn and Twitter. While users posting their photos on Facebook can limit viewership through privacy settings, there isn’t much they can do against government seeking information on their profiles. All that can be said for sure in the post-Snowden world is that large-scale surveillance is a reality and the government wants it on their citizen’s online existence. In this Orwellian scenario, transparency reports provide a trickle of information on how much our government finds out about us.

The first transparency report was released by Google three years ago to provide an insight into ‘the scale and scope of government requests for censorship and data around the globe’. Since then the issuance of such reports is increasingly becoming a standard practice for tech giants. An Electronic Frontier Foundation Report reveals that major companies that have followed Google’s lead include Dropbox, LinkedIn, Microsoft and Twitter with Facebook and Yahoo! being the latest additions . Requests to Twitter and Microsoft from Indian law enforcement agencies were significantly less than requests to Facebook and Google. Twitter revealed that Indian law enforcement agencies made less than 10 requests, none of which resulted in sharing of user information. Out of the 418 requests made to Microsoft by India (excluding Skype), 88.5 per cent were complied with for non-content user data. The Yahoo! Transparency Report revealed that 6 countries surpassed India in terms of the number of user data requests. Indian agencies requested user data 1490 times from 2704 accounts for both content and non-content data and over 50 per cent of these requests were complied with.

The following is a compilation of what the latest transparency reports issued by Facebook and Google.

Google

"The information we share on the Transparency Report is just a sliver of what happens on the internet"
Susan Infantino, Legal Director for Google

Beginning from December 2009, Google has published several biannual transparency reports:

It discloses traffic data of Google services globally and statistics on removal requests received from copyright owners or governments as well as user data requests received from government agencies and courts. It also lays down the legal process required to be followed by government agencies seeking data.

There was a 90 per cent increment in the number of content removal requests received by Google from India. The requests complied with included:
- Restricting videos containing clips from the controversial movie “Innocence of Muslims” from view.
- Many YouTube videos and comments as well as some Blogger blog posts being restricted from local view for disrupting public order in relation to instability in North East India.
For User Data requests, the Google report details the number of user data requests and users/accounts as well as percentage of requests which were partially or completely complied with. In India the user data requests more than doubled from 1,061 in the July-December 2009 period to 2,431 in the July-December 2012 period. The compliance rate decreased from 79 per cent in the July-December 2010 period to 66 per cent in the last report.
Jurisdictions outside the United States can seek disclosure using Mutual Legal Assistance Treaties or any ‘other diplomatic and cooperative arrangement’. Google also provides information on a voluntary basis if requested following a valid legal process if the requests are in consonance with international norms, U.S. and the requesting countries' laws and Google’s policies.

Facebook

"We hope this report will be useful to our users in the ongoing debate about the proper standards for government requests for user information in official investigations."
Colin Stretch, Facebook General Counsel

Facebook inaugurated its first ever transparency report last Tuesday with a promise to continue releasing these reports.

The ‘Global Government Requests Report’ provides information on the number of requests received by the social media giant for user/account information by country and the percentage of requests it complied with. It also includes operational guidelines for law enforcement authorities.

The report covers the first six months of 2013, specifically till June 30. In this period India made 3,245 requests from 4,144 users/accounts and half of these requests were complied with.

Jurisdictions outside the United States can seek disclosure by way of mutual legal assistance treaties requests or letter rogatory. Legal requests can be in the form of search warrants, court orders or subpoena. The requests are usually made in furtherance of criminal investigations but no details about the nature of such investigations are provided.

Broad or vague requests are not processed. The requests are expected to include details of the law enforcement authority issuing the request and the identity of the user whose details are sought.

The Indian Regime

Section 69 and 69 B of the Information Technology (Amended) Act, 2008 prescribes the procedure and sets safeguards for the Indian Government to request user data from corporates. According to section 69, authorized officers can issue directions to intercept, monitor or decrypt information for the following reasons:

Sovereignty or integrity of India,
Defence of India,
Security of the state,
Friendly relations with foreign states,
Maintenance of public order,
Preventing incitement to the commission of any cognizable offence relating to the above, or
For investigation of any offence.

Section 69 B empowers authorized agencies to monitor and collect information for cyber security purposes, including ‘for identification, analysis and prevention of intrusion and spread of computer contaminants’. Additionally, there are rules under section 69 and 69 B that regulate interception under these provisions.

Information can also be requested through the Controller of Certifying Authority under section 28 of the IT Act which circumvents the stipulated procedure. If the request is not complied with then the intermediary may be penalized under section 44.

The Indian Government has been increasingly leaning towards greater control over online communications. In 2011, Yahoo! was slapped with a penalty of Rs. 11 lakh for not complying with a section 28 request, which called for email information of a person on the grounds of national security although the court subsequently stayed the Controller of Certifying Authorities' order. In the same year the government called for pre-screening user content by internet companies and social media sites to ensure deletion of ‘objectionable content’ before it was published. Similarly, the government has increasingly sought greater online censorship, using the Information Technology Act to arrest citizens for social media posts and comments and even emails criticizing the government.

What does this mean for Privacy?

The Google Transparency Report has thrown light on an increasing trend of governmental data requests on a yearly basis. The reports published by Google and Facebook reveal that the number of government requests from India is second only to the United States. Further, more than 50 per cent of the requests from India have led to disclosure by nearly all the companies surveyed in this post, with Twitter being the single exception.

Undeniably, transparency reports are important accountability mechanisms which reaffirm the company’s dedication towards protecting its user’s privacy. However, basic statistics and vague information cannot lift the veil on the full scope of surveillance. Even though Google’s report has steadily moved towards a more nuanced disclosure, it would only be meaningful if, inter alia, it included a break-up of the purpose behind the requests. Similarly, although Google has also included a general understanding of the legal process, more specifics need to be disclosed. For example, the report could provide statistics for notifications to indicate how often user’s under scrutiny are not notified. Such disclosures are important to enhance user understanding of when their data may be accessed and for what purposes, particularly without prior or retrospective intimation of the same. Till such time the report can provide comprehensive details about the kind of surveillance websites and internet services are subjected to, it will be of very limited use. Its greatest limitation, however, may lie beyond its scope.

The monitoring regime envisioned under the Information Technology Act effectively lays down an overly broad system which may easily lead to abuse of power. Further, the Indian Government has become infamous for their need to control websites and social media sites. Now, with the Indian Government’s plan for establishing the Central Monitoring System the need for intermediaries to conduct the interception may be done away with, giving the government unfettered access to user data, potentially rendering corporate transparency of data requests obsolete.

For more details visit https://cis-india.org/internet-governance/blog/what-google-and-facebook-tell-about-govt-data-requests

Privacy Law Must Fit the Bill

sunil — 2013-09-12T06:25:35Z

The process of updating Indian privacy policy has gained momentum ever since the launch of the UID project and also the leak of the Radia tapes. The Department of Personnel and Training has lead the drafting of privacy bill for the last three years. This bill will ideally articulate privacy principles and establish the office of the privacy commissioner and most importantly have an over-riding effect over 50 odd existing laws, rules and policies with privacy implications.

The article was published in the Deccan Chronicle on September 9, 2013.

Given the harmonizing impact of the proposed privacy bill, we must ensure that rigorous debate and discussion happens before the bill is finalized otherwise there may be terrible consequences.

Here is a short list of what can possibly go wrong:

One, the privacy bill ignores the massive power asymmetry in Indian societies undermining the right to information – in other jurisdictions referred to as freedom of information and access to information. The power asymmetry is addressed via a public interest test. The right to privacy would be the same for everyone except when public interest is at stake. This enables protection of the right to privacy to be inversely proportionate to power and almost conversely the requirement of transparency to be directly proportionate to power. In other words, the poor would have greater privacy than a middle-class citizens who in turn would have greater privacy than political and economic elites. And transparency requirements would be greatest for economic and political elites and lower for middle-class citizens and lowest for the poor. If this is not properly addressed in the language of the bill – privacy activists would have undone the significant accomplishments of the right to information or transparency movement in India over the last decade.

Two, the privacy bill has chilling effect on free speech. This can happen either by denying the speaker privacy, or by affording those who are spoken about too much privacy. For the speaker - Know Your Customer (KYC) and data retention requirements for telecom and internet infrastructure necessary to participate in the networked public sphere can result in the death of anonymous and pseudonymous speech. Anonymous and pseudonymous speech must be protected as it is a necessary for good governance, free media, robust civil society, and vibrant art and culture in a democracy. For those spoken about - privacy is clearly required in certain cases to protect the victims of certain categories of crimes. However, the right to privacy could be abused by those occupying public office and those in public life to censor speech that is in the public interest. If for example a sport person does not publicly drink the aerated drink that he or she endorses in advertisements then the public has a right to know.

Three, the privacy bill has a limited scope. Jurisprudence in India derives the right to privacy from the right to life and liberty through several key judgments including Naz Foundation v. Govt. of NCT of Delhi decided by the Delhi High Court. The right to life and liberty or Article 21 unlike other constitutionally guaranteed fundamental rights does not distinguish between citizens and non-citizens. As a consequence the privacy bill must also protect residents, visitors and other persons who may never visit India, but whose personal information may travel to India as part of the global outsourcing phenomena. Also the obligations and safeguards under the privacy bill must equally apply to both the state and the private sector entities that could potentially infringe upon the individual's right to privacy. Different levels of protection may be afforded to citizens, residents, visitors and everybody else. Government and private sector data controllers may be subject to different regulations – for ex. an intelligence agency may not require 'consent' of the data subject to collect personal information and may only provide 'notice' after the investigation has cleared the suspect of all charges.

Four, the privacy bill is expected to fix poorly designed technology. There are two diametrically opposite definitions of projects like NATGRID, CMS and UID. The government definition is that all these systems will allow only for targeted interception and surveillance, however the majority of civil society believes that these system will be used for blanket surveillance. If these systems are indeed built in a manner that supports blanket surveillance then legal band-aid in the form of a new law or provision that prohibits blanket surveillance will be a complete failure. The principle of 'privacy by design' is the only way to address this. For ex. shutters of digital cameras are silent and this allows for a particular form of voyeurism called upskirt. Almost a decade ago, the Korean government enacted a law that requires camera and mobile phone manufacturers to ensure that audio recording of a mechanical shutter is played every time the camera function is used. It is also illegal for the user to circumvent or disable this feature. In this example, the principle of notice is hardwired within the technology itself. To remix Spiderman's motto – with great power comes great temptation. We know that a rogue NTRO official installed a spy camera in the office toilet to make recording female colleagues and most recently that NSA officers confessed to spying on their love interests. If the technology can be abused it will be abused. Therefore legal safeguards are a poor substitute for technological safeguards. We need both simultaneously.

Five, the bill does not require compliance with internationally accepted privacy principles including the ones discussed so far 'consent', 'notice' and 'privacy by design'. Apart from human rights considerations – the most important imperative to modernize India privacy laws is trade. We have a vibrant ITES, BPO and KPO sector which handles personal information of foreigners mostly from the North American and European continents. The Justice AP Shah committee in October 2012 identified privacy principle that required for India - notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. A privacy bill that does include all these principles will increase the regulatory compliance overhead for Indian enterprise with foreign clients and for multinationals operating in India. There is also the risk that privacy regulators in these jurisdictions will ban outsourcing to Indian firms because our privacy laws are not adequate by their standards.

To conclude, it is not sufficient for India to enact a privacy law it is essential that we get it right so that there are no unintended consequences on other equally important rights and dimensions of our democracy.

For more details visit https://cis-india.org/internet-governance/blog/deccan-chronicle-september-9-2013-sunil-abraham-privacy-law-must-fit-the-bill

An Interview with Suresh Ramasubramanian

elonnai — 2013-09-06T09:37:47Z

Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud.

You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?
a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, have become a M3AAWG special advisor for capacity building and outreach in India.

In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.

This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.

There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.
In a recent public statement Google said "Cloud users have no legitimate expectation of privacy. Do you agree with this statement?
a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.

The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.

It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.

Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.

There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.
What ways can be privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?
a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.

Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.

Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.

The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.
How is the jurisdiction of the data on the cloud determined?
This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.

However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.

The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.

In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.

In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.
Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?
a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].

A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.
What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?
a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.

Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html). Some standards you absolutely have to comply with for legal reasons.

Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.

The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and securitymomentum going once these standards have been “achieved”, till it is time for the next audit at any rate.
What do you see as the big challenges for privacy in the cloud in the coming years?
a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.
Do you think encryption the answer to the private and public institutions snooping?
a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.

There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.

As a very popular XKCD cartoon that has been shared around social media and has been cited in multiple security papers says -

“A crypto nerd’s imagination”

“His laptop’s encrypted. Let us build a million dollar cluster to crack it”
“No good! It is 4096 bit RSA”
“Blast, our evil plan is foiled”

“What would actually happen”
“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”
“Got it”
Spam is now consistently used to get people to divulge their personal data or otherwise compromise a persons financial information and perpetuate illegal activity. Can spam be regulated? If so, how?
a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.

The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.

Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.

Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.

Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.
There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?
a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.

Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.

Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.

This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.

User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian

Syllabus: “Policy and regulation conducive to rapid ICT sector growth in Myanmar: An introductory course”

praskrishna — 2013-10-24T03:56:31Z

A five-day course is being offered by LIRNEasia in collaboration with Myanmar ICT Development Organization, with support from the Open Society Foundation and the International Development Research Centre of Canada in Myanmar from September 28 to October 5, 2013.

Sunil Abraham will be supporting Prof. Samarajiva on the last optional day of this course in Yangon. Read about the Introductory course on “Policy and regulation conducive to rapid ICT sector growth in Myanmar”

Goal

To enable members of Myanmar civil-society groups (including academics and those from the media) to marshal available research and evidence for effective participation in policy and regulatory processes, thereby improving policy processes and helping achieve the government’s objective of providing ICT access to all.

Outcomes

The objective of the course is to produce discerning and knowledgeable consumers of research who are able to engage in an informed manner in ICT policy and regulatory processes in Myanmar. The course will benefit those working in government and operators as well.

At the end of the course attendees will:

Have an understanding of telecom policy and regulatory processes
Be able to find and assess relevant research & evidence
Be able to summarize the research in a coherent and comprehensive manner
Have the necessary tools to improve their communication skills

- Have some understanding of how media functions and how to effectively interact with media

Assignments

Participants will be formed into teams on Day1. Each group will work on an assignment that addresses both substantive and procedural aspects of law, policy and regulation. Teams will be assigned topic areas that are being developed into regulations under the new Act. They will have to make presentations on what the desirable provisions should be. We will emphasize the procedural aspects as well as the substantive. Disciplined and focused team presentations, preferably using slides, are required.

It is necessary to use the Internet for the assignments. All who have laptops are encouraged to bring them. Arrangements will be made for Internet connectivity at the hotel.

Tentative topic areas

Licensing and authorization regulations
Essential facilities and anti-competitive practices
Universal service policy
Price and quality regulation
Independence of regulatory agency

Course schedule

	Day 1 (September 28)	Day 2 (September 29)	Day 3 (September 30)	Day4 (October 1)	Day 5 (October 2) (optional)
09:00-10:30	S1 Introduction to course: What have been the results of reform & rationale for regulation. Rohan Samarajiva (RS)	S5 Regulatory legitimacy, including procedural legitimacy (RS)	S10 Challenges of monitoring complex license commitments (HG)	S14 How does the Internet work? (TBA)	S16 Internet governance The big picture. Sunil Abraham (SA)
10:30-11:00	Break	Break	Break	Break
11:00-12:00	S2 Interrogating supply-side indicators & research based on them. Helani Galpaya (HG)	S6 Current status of telecom law and policy in Myanmar (RS)	S11 How evidence is used in policy & regulation (panel discussion, KS, RS	S15 The art of media interaction (RS)	S17 Economic & technical interface with telecom industry (RS)
12:00-13:00	S3 Finding information on the web. Roshanthi Lucas Gunaratne (RLG)	S7 Presenting evidence in slides & written submissions (HG)	S12 Essential facilities and anti-competitive practices (RS)	A3 Mock public hearing (RS & panel)	S18 How Internet is governed within India (SA)
13:00-14:00	Lunch	Lunch	Lunch	Lunch
14:00-15:00	A1 Group formation; Assignment explained (HG and RLG)	S8 Licensing and authorization (RS)	A2 Midpoint check on assignment/group work (HG and RLG)	A4 Mock public hearing & critique (RS & panel)	S19 Content regulation (TBA)
15:00-15:30	Break	Break	Break
15:30-17:00	S4 Demand-side research (RS)	S9 Price and quality regulation (RS & HG)	S13 Universal service subsidies: Theory & practice (RS & KS)	Reflection on the course	S20 Surveillance & privacy (SA & RS)
17:00	Group work	Group work	Group work
19:00	Welcome dinner Speaker: TBA

Faculty

Sunil Abraham is the Executive Director of CIS. He is also a social entrepreneur and Free Software advocate. He founded Mahiti in 1998 which aims to reduce the cost and complexity of Information and Communication Technology for the Voluntary Sector by using Free Software. Today, Mahiti employs more than 50 engineers and Sunil continues to serve on the board as a board member. Sunil was elected an Ashoka fellow in 1999 to 'explore the democratic potential of the Internet' and was granted a Sarai FLOSS fellowship in 2003. Between June 2004 and June 2007, he managed the International Open Source Network, a project of the UNDP's Asia-Pacific Development Information Programme serving 42 countries in the Asia-Pacific region. Between September 2007 and June 2008, he also managed ENRAP, an electronic network of International Fund for Agricultural Development projects in the Asia-Pacific facilitated and co-funded by International Development Research Centre, Canada.

Helani Galpaya is LIRNEasia’s Chief Executive Officer. Helani leads LIRNEasia’s 2012-2014 IDRC funded research on improving customer life cycle management practices in the delivery of electricity and e-government services using ICTs. She recently completed an assessment of how the poor in Bangladesh and Sri Lanka use telecenters to access government services. For UNCTAD and GTZ she authored a report on how government procurement practices can be used to promote a country’s ICT sector and for the World Bank/InfoDev Broadband Toolkit, a report on broadband strategies in Sri Lanka. She has been an invited speaker at various international forums on topics ranging from m-Government to ICT indicators to communicating research to policy makers. Prior to LIRNEasia, Helani worked at the ICT Agency of Sri Lanka, implementing the World-Bank funded e-Sri Lanka initiative. Prior to her return to Sri Lanka, she worked in the United States at Booz & Co., Marengo Research, Citibank, and Merrill Lynch. Helani holds a Masters in Technology and Policy from the Massachusetts Institute of Technology, and a Bachelor’s in Computer Science from Mount Holyoke College, USA.

Roshanthi Lucas Gunaratne is a Research Manager at LIRNEasia and is currently managing the Ford Foundation Funded project on Giving Broadband Access to the Poor in India. She is also contributing to the IDRC Customer Lifecycle Management Practices Project by conducting research on customer lifecycle management practices in telecommunication sector in Bangladesh. Before joining LIRNEasia, Roshanthi worked at the Global Fund to fight AIDS, Tuberculosis and Malaria, Geneva, Switzerland as a Strategic Information Officer. She contributed to the process of defining the Global Fund Key Performance Indicators, and also worked on improving the performance measurements of their grants. Prior to that, she worked as a telecom project manager at Dialog Telecom, and Suntel Ltd in Sri Lanka. As Suntel she managed the design and implementation of corporate customer projects. She holds a MBA from the Judge Business School, University of Cambridge, UK and a BSc. Eng (Hons) specializing in Electronics and Telecommunication from the University of Moratuwa, Sri Lanka.

Rajat Kathuria, PhD

Rohan Samarajiva, PhD, is founding Chair of LIRNEasia, an ICT policy and regulation think tank active across emerging Asian and Pacific economies. He was Team Leader at the Sri Lanka Ministry for Economic Reform, Science and Technology (2002-04) responsible for infrastructure reforms, including participation in the design of the USD 83 million e-Sri Lanka Initiative. He was Director General of Telecommunications in Sri Lanka (1998-99), a founder director of the ICT Agency of Sri Lanka (2003-05), Honorary Professor at the University of Moratuwa in Sri Lanka (2003-04), Visiting Professor of Economics of Infrastructures at the Delft University of Technology in the Netherlands (2000-03) and Associate Professor of Communication and Public Policy at the Ohio State University in the US (1987-2000). Dr. Samarajiva was also Policy Advisor to the Ministry of Post and Telecom in Bangladesh (2007-09).

Koesmarihati Sugondo

Resource Material

infodev, ICT regulation toolkit. http://www.ictregulationtoolkit.org/en/Index.html

infoDev. Broadband strategies toolkit. http://broadbandtoolkit.org/en/toolkit/contents

infoDev (2011). Tenth anniversary telecom regulation handbook. http://www.infodev.org/En/Publication.1057.html

ITU (2011). The role of ICT in advancing growth in least developed countries: Trends, challenges and opportunities. Geneva: ITU. http://www.itu.int/ITU-D/ldc/turkey/docs/The_Role_of_ICT_in_Advancing_Growth_in_LDCs_Trends_Challenges_and_Opportunities.pdf

Samarajiva, Rohan (2000). The role of competition in institutional reform of telecommunications: Lessons from Sri Lanka, Telecommunications Policy, 24(8/9): 699-717. http://www.comunica.org/samarajiva.html

Samarajiva, Rohan (2002). Why regulate?, chapter 2 of Effective regulation: Trends in Telecommunication Reform 2002. Geneva: International Telecommunication Union.

Samarajiva, Rohan (2006). Preconditions for effective deployment of wireless technologies for development in the Asia-Pacific, Information Technology and International Development, 3(2): 57-71. http://itidjournal.org/itid/article/view/224/94

Samarajiva, Rohan & Zainudeen, Ayesha (2008). ICT infrastructure in emerging Asia: Policy and regulatory roadblocks, New Delhi & Ottawa: Sage & IDRC http://www.idrc.ca/en/ev-117916-201-1-DO_TOPIC.html

For more details visit https://cis-india.org/news/policy-and-regulation-conducive-to-rapid-ict-growth-in-myanmar

Cyberspying: Government may ban Gmail for official communication

praskrishna — 2013-09-02T04:19:53Z

The government will soon ask all its employees to stop using Google's Gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyberspying by the US.

This article was published in the Times of India on August 30, 2013. Sunil Abraham is quoted.

A senior official in the ministry of communications and information technology said the government plans to send a formal notification to nearly 5 lakh employees barring them from email service providers such as Gmail that have their servers in the US, and instead asking them to stick to the official email service provided by India's National Informatics Centre.

"Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data," said J Satyanarayana, secretary in the department of electronics and information technology.

Snowden fallout

The move comes in the wake of revelations by former US National Security Agency contractor Edward Snowden that the US government had direct access to large amounts of personal data on the internet such as emails and chat messages from companies like Google, Facebook and Apple through a programme called PRISM.

Documents leaked by Snowden showed that NSA may have accessed network infrastructure in many countries, causing concerns of potential security threats and data breaches. Even as the new policy is being formulated, there has been no mention yet of how compliance will be ensured.

Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email.

A Google India spokeswoman said the company has not been informed about the ban, and hence it cannot comment on speculation. "Nothing is documented so far, so for us, it is still speculation," Google said in an email response.

A senior official in the IT department admitted on condition of anonymity that employees turn to service providers such as Gmail because of the ease of use compared with official email services, as well as the bureaucratic processes that govern creation of new accounts.

"You can just go and create an account in Gmail easily, whereas for a government account, you have to go through a process because we have to ensure that he is a genuine government user."

Last week, IT Minister Kapil Sibal said the new policy would require all government officials living abroad to use NIC servers that are directly linked to a server in India while accessing government email services. Sibal said there has been no evidence of the US accessing Internet data from India.

Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agrees with the government's decision to ban Gmail for official communication and that any official violating this needs to be punished.

"After Snowden's revelations, we can never be sure to what extent foreign governments are intercepting government emails," he said. Abraham, however, called the government's decision a "late reaction", as the use of Gmail and other free email services by bureaucrats has increased in the past.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

For more details visit https://cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication

Indian government to bar politicians from using Gmail for official business

praskrishna — 2013-09-05T09:52:17Z

US-based email services seen as too risky.

This article by Neil McAllister was published in the Register on August 30, 2013. Sunil Abraham is quoted.

The government of India is reportedly planning to bar its employees from using Gmail and other foreign-based email services, amid concerns over surveillance by US spy agencies.

"Gmail data of Indian users resides in other countries as the servers are located outside," J Satyanarayana, India's secretary of electronics and information technology, told the Times of India. "Currently, we are looking to address this in the government domain, where there are large amounts of critical data."

The Indian government currently employs some 500,000 people, many of whom use Gmail for their primary email addresses. A quick glance at the contact page for the country's Department of Electronics and Information Technology reveals at least eight senior officials using Gmail, and still others with Yahoo! addresses.

Under the new directive, government employees will be asked to stick to official email addresses provided by India's National Informatics Centre (NIC). But an unnamed senior government IT official told the Times of India that many government workers choose Gmail and other foreign services because they are easier to use, and setting up accounts is much faster than working within the bureaucratic process of the NIC.

The move toward locally run email for Indian government workers comes in the wake of a string of revelations from documents leaked by Edward Snowden. Among the recent disclosures has been details of US electronic surveillance of foreign governments on US soil, where the National Security Agency even went as far as to snoop encrypted communications from United Nations headquarters in New York City.

No doubt equally concerning was a motion filed by Google in a US district court earlier this month, in which the Chocolate Factory asserted that "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" such as Gmail.

But Sunil Abraham of the Bangalore-based think tank the Centre for Internet and Society said that foreign spying wasn't the only reason why government officials should be required to use a homegrown email.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives," Abraham told the paper. "Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

When contacted for comment, a spokeswoman for Google India said the company had not been informed of the proposed ban, adding, "Nothing is documented so far, so for us, it is still speculation." ®

For more details visit https://cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business

August 2013 Bulletin

praskrishna — 2013-09-13T06:26:30Z

Our newsletter for the month of August 2013 can be accessed below.

The Centre for Internet & Society (CIS) welcomes you to the eighth issue of its newsletter for the year 2013. In this issue we are glad to bring you the final report on banking and accessibility submitted to the Ministry of Finance, Government of India, a research paper on India’s obligations under bilateral investment treaties, a report from a Wikipedia workshop held at the Konkani Department in Goa University, a report on the sixth privacy roundtable held in New Delhi, recent news coverage, and updates on our upcoming events.

Archives of our newsletters are here. Our policies on Ethical Research Guidelines, Non-Discrimination and Equal Opportunities, Privacy, Terms of Website Use and Travel can be accessed here.

Jobs
CIS is inviting applications for the posts of Developer (NVDA Screen Reader Project). To apply for this post, send in your resume to Nirmita Narasimhan (nirmita@cis-india.org). CIS is also seeking applications for the post of Policy Associate (Internet Governance). To apply send your resume to Sunil Abraham (sunil@cis-india.org) and Pranesh Prakash (pranesh@cis-india.org).

Accessibility

As part of its project on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India with the Hans Foundation, we bring you three new draft chapters on Assam, Manipur and Puducherry. With this we have completed compilation of draft chapters for 21 states and 3 union territories. Feedback and comments are invited from readers for the below chapters:

The Assam Chapter (by CLPR, August 28, 2013)
The Manipur Chapter (by CLPR, August 29, 2013)
The Puducherry Chapter (by Anandhi Viswanathan, August 31, 2013)

Note: All the chapters published on the website are early drafts and will be reviewed and updated.

Reports

Banking and Accessibility in India: A Report by CIS (by Vrinda Maheshwari, August 12, 2013). This is the final report submitted to the Ministry of Finance, Government of India.
Opening New Avenues for Empowerment (by UNESCO, August 31, 2013). UNESCO has published a global report on higher education titled “Opening New Avenues for Empowerment”. Nirmita Narasimhan was the coordinating author for the Asia Pacific region.

Access to Knowledge and Openness

As part of its project on developing the growth of Indic language communities with Wikimedia Foundation, CIS-A2K held six Wikipedia workshops. CIS is also doing a project (Pervasive Technologies) on examining the relationship between production of pervasive technologies and intellectual property. CIS also promotes openness including open government data, open standards, open access, and free/libre/open source software through its Openness programme.

Access to Knowledge
Research Paper

India's Obligations under Bilateral Investment Treaties (Part A): “Bilateral Inhibiting Treaty?” — Investigating the Challenges that Bilateral Investment Treaties pose to the Compulsory Licensing of Pervasive Technology Patent Pools (by Gavin Pereira, August 31, 2013).

Column

Copyrights and Copywrongs Why the Government Should Embrace the Public Domain (by Pranesh Prakash, Yojana, Issue: August 2013).

Media Coverage

Dictionary words in software patent guidelines puzzle industry (by C.H. Unnikrishnan, Livemint, August 26, 2013). CIS work on Access to Knowledge is mentioned.

Blog Entries

Are Indian Consumer Laws Ready for the Digital Age? (by Vipul Kharbanda, August 8, 2013).
Do You Have the Right to Unlock Your Smart Phone? (by Puneeth Nagaraj, August 7, 2013).

Access to Knowledge (Wikipedia)

The A2K team consists of four members based in Bangalore: T. Vishnu Vardhan, Dr. U.B. Pavanaja, Subhashish Panigrahi and Syed Muzammiluddin, and one team member Nitika Tandon who works from Delhi.

Event Reports

A Kannada Wikipedia Workshop at Krishnarajapet (by Dr. U.B. Pavanaja, August 14, 2013). The workshop was co-organized by the CIS-A2K team along with Kannada Sahitya Parishat of KR Pet.
An Odia Wikipedia Workshop at Sambalpur (by Gorvachove Pothal, August 27, 2013). This workshop was held at Veer Surendra Sai University of Technology, Burla, Sambalpur on July 26 and 27, 2013. Odia Wikipedian Gorvachove Pothal organized this workshop with financial support from the CIS-A2K programme.

Konkani Wikipedia — Climbing up the Indian Language Ladder? (by Subhashish Panigrahi, August 31, 2013). CIS-A2K team organized this event at the Konkani Department, Goa University from August 21 to 24, 2013.
Konkani Wikipedia Advances in 4 Days — From 90 Articles to 130 Articles! (by Nitika Tandon, August 31, 2013). CIS-A2K team organized this event at the Konkani Department, Goa University from August 21 to 24, 2013. Thirty-eight students took part in the wiki editing workshop.

Events Co-organised

Digitization of Books for Indic Language WikiSource (organised by Wikimedia India and CIS-A2K, CIS, Bangalore, August 18, 2013).
A Workshop on Editing Wikipedia in Mumbai (organised by the Centre for Indian Languages in Higher Education and CIS-A2K, Tata Institute of Social Sciences, Mumbai, August 24, 2013). The workshop was aimed at assisting students to take part in the Indian Languages Mela at the Tata Institute of Social Sciences (September 20-21, 2013) which is hosting a competition for best Indian language entries on Wikipedia.

Event Hosted

Mobile Training Workshop @ CIS (CIS, Bangalore, August 29, 2013). Rachita and Keerthana Chandrashekar gave a talk on mobile campaigns.

Events Participated

Wikimania 2013: The International Wikimedia Conference (organised by Wikimedia Foundation, Hong Kong Polytechnic University, August 7 – 11, 2013). T. Vishnu Vardhan and Subhashish Panigrahi participated in the event.
Wikimedia Asia Meeting (organised by Wikimedia community, Hong Kong, August 10, 2013). T. Vishnu Vardhan and Subhashish Panigrahi participated in the meeting. Unedited transcript of the entire conversation is posted online.
వికీపీడియా:సమావేశం/హైదరాబాద్/ఆగష్టు (Hyderabad, August 25, 2013). T.Vishnu Vardhan participated for the meeting through Skype.

Media Coverage

Wikipedia Gains Massive Traffic Thanks To Vernacular Languages (Before It’s News, August 1, 2013). T. Vishnu Vardhan is quoted.
Wikipedia boom in Marathi, Malayalam and other desi languages (by Sandhya Soman, The Times of India, August 1, 2013). T. Vishnu Vardhan is quoted.
Wikipedia boom in vernacular languages (by Divya Saboo, August 1, 2013). The Centre for Internet and Society is mentioned.
Stress on posting articles on Kannada Wikipedia (by R. Krishna Kumar, Hindu, August 2, 2013). Dr. U.B.Pavanaja is quoted.
India’s Indigenous Languages Drive Wikipedia’s Growth (by Mahesh Sharma, TechCrunch, August 6, 2013). T. Vishnu Vardhan is quoted.
Krishnarajapet Wikipedia Workshop Coverage (Prajavani, August 12, 2013).
Krishnarajapet Wikipedia Workshop Coverage (Vijaya Vani, August 12, 2013).
Krishnarajapet Wikipedia Workshop Coverage (Suvarna Times of Karnataka, August 12, 2013).
Wikipedia writes a new script (by Joyce Dias, August 24, 2013, The Goan). CIS-A2K workshop held in Goa is mentioned extensively. Nitika Tandon and Subhashish Panigrahi are quoted.
Konkani Wikipedia makes headway (by Diana Fernandes, OHeraldO, August 24, 2013). Nitika Tandon is quoted.
Konkani Wikipedians Speak (Goan Voice Daily Newsletter, September 4, 2013). Konkani Wikipedia workshop organized in Goa from August 21 – 24, 2013 is mentioned in this newsletter.

Ongoing / Upcoming Events

Wikipedia Training in Telugu for Dr. B.R. Ambedkar Open University, Hyderabad (Dr. B.R. Ambedkar Open University, Hyderabad, September 5-6, 2013). T. Vishnu Vardhan is teaching a module on "Knowledge and Openness in the Digital Era".
You too can write on Wikipedia! — Orientation Workshop (co-organised by CIS-A2K and the Centre for Contemporary Studies, Indian Institute of Science, Bangalore, September 15, 2013).

Train the Trainer — Four-day long Residential Training Workshop in Bangalore (organised by CIS-A2K, Bangalore, October 1 – 5, 2013). The programme will be held in the first week of October.

Blog Entries

Voices from Goa: Frania Pereira tells Why She Writes Articles on Konkani Wikipedia (by Subhashish Panigrahi, August 27, 2013).
Voices from Goa: Wikipedia Editor Rusita Paryekar (by Subhashish Panigrahi, August 27, 2013).

Openness

Event Hosted

Open Hardware Lab: Play & Invent + Bonus Film Screening (CIS, Bangalore, August 4, 2013). A hangout was done with CIS Lab Community and with members of the Computer Club of India and Arduino enthusiasts.

Event Participated

e-DIRAP Google+ Hangout on Open Government (organised by Google, July 25, 2013). Sunil Abraham was a panelist.

Media Coverage

Beyond Property Rights: Thinking About Moral Definitions of Openness (by David Eaves, Tech President, August 6, 2013). Sunil Abraham is quoted.
Extending The Spectrum Of Openness To Include The Moral Right To Share (by Glyn Moody, Techdirt, August 19, 2013). Sunil Abraham is quoted.

Internet Governance

CIS began two projects earlier this year. The first one on facilitating research and events on surveillance and freedom of expression is with Privacy International and support from the International Development Research Centre, Canada. The second one on mapping cyber security actors in South Asia and South East Asia is with the Citizen Lab, Munk School of Global Affairs, University of Toronto and support from the International Development Research Centre, Canada:

SAFEGUARDS Project

Event Report

Sixth Privacy Roundtable (co-organised by CIS, FICCI and DSCI, New Delhi, August 24, 2013). Bhairav Acharya and Prachi Arya participated in this event. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

Newspaper / Magazine Columns

Freedom from Monitoring: India Inc Should Push For Privacy Laws (by Sunil Abraham, Forbes India Magazine, August 21, 2013).
Out of the Bedroom (by Nishant Shah, Indian Express, August 25, 2013).

Blog Entries

'Ethical Hacker' Saket Modi Calls for Stronger Cyber Security Discussions (by Kovey Coles, August 5, 2013).
Ethical Issues in Open Data (by Kovey Coles, August 7, 2013).
FinFisher in India and the Myth of Harmless Metadata (by Maria Xynou, August 13, 2013).

Events Organised

The Hackers Way of Reshaping Policies (CIS, Bangalore, August 2, 2013). Bernadette Langle gave a talk on different ways to reshape policies.
Chennai: Learn to Protect your Online Activities! (Asian College of Journalism, Taramani, Chennai, August 7, 2013). A Crypto Party was organised.
The Phishing Society: Why 'Facebook' is more dangerous than the Government Spying on You - A Talk by Maria Xynou (CIS, Bangalore, August 7, 2013). Maria Xynou gave a talk on phishing society.
Learn to Protect your Online Activities! (ACJ - Asian College of Journalism, Second Main Road (Behind M.S. Swaminathan Research Foundation), Taramani, Chennai, August 7, 2013).
Privacy Meeting: Brussels – Bangalore (CIS, Bangalore, August 14, 2013). Gertjan Boulet and Dariusz Kloza gave a talk on privacy.
Learn to Protect your Online Activities! (CIS, Bangalore, August 17, 2013). A Crypto Party was held at CIS.

Events Participated In

Summer School 2013 (organized by the Research Center of Media and Communication at the University of Hamburg, Germany, July 29 – August 2, 2013). Dr. Nishant Shah was a panelist in the session on "Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India".
Meeting of a Sub-committee on DNA Profiling Bill (Hyderabad, August 6, 2013). Sunil Abraham participated in this meeting for discussing the draft bill.
Surveillance: Privacy Vs Security (organized by the Foundation for Media Professionals, India International Centre, New Delhi, August 17, 2013). Pranesh Prakash was a panelist.

Media Coverage

Crypto Night (by Rahul M., Caravan, August 1, 2013). Pranesh Prakash and Bernadette Langle are quoted.
Facebook: Limiting access to social media can restrict freedom of speech (by Kim Arora, The Times of India, August 1, 2013). Sunil Abraham is quoted.
Token disclosures? (by Deepa Kurup, The Hindu, August 4, 2013). Sunil Abraham is quoted.
Memeâ€™s the word now (by Padmaparna Ghosh, The Times of India, August 4, 2013). Nishant Shah is quoted.
Chinese hackers baiting Indian govt, corporate employees: report (by Moulishree Srivastava and Anirban Sen, Livemint, August 9, 2013). Sunil Abraham is quoted.
Mixed signals? Supreme Court notices to states on Facebook arrests (NDTV, August 16, 2013). Pranesh Prakash, Shreya Singhal and Faizal Farooqui discussed the grey areas of the IT Act.
Balancing vigilance and privacy (by Prashant Jha, The Hindu, August 18, 2013). Pranesh Prakash is quoted.
How Next-Gen Smartphone Users are Being Bought and Sold (by Rohin Dharmakumar, Forbes India Magazine, August 13, 2013, and IBN Live, August 19, 2013). Sunil Abraham is quoted.
Dear Milind Deora, Prakash Javadekar Deserved The Truth (by Rohin Dharmakumar, Forbes India, August 22, 2013). Sunil Abraham is quoted.
Election campaign: parties draw battle lines on media platforms (by Venkatesh Upadhyay, Livemint, August 26, 2013). Sunil Abraham is quoted.
India's Internet Privacy Woes (by Rohin Dharmakumar, Forbes India Magazine, August 26, 2013). Pranesh Prakash is quoted.
Cyberspying: Government may ban Gmail for official communication (The Times of India, August 30, 2013). Sunil Abraham is quoted.
Indian government to bar politicians from using Gmail for official business (by Neil McAllister, The Register, August 30, 2013). Sunil Abraham is quoted.

Cyber Stewards Project
Laird Brown, a strategic planner and writer with core competencies on brand analysis, public relations and resource management and Purba Sarkar who in the past worked as a strategic advisor in the field of SAP Retail are working in this project.

Video Interview

Part 9: Interview with Saikat Datta (August 5, 2013).

Telecom

CIS has published one newspaper column in the Business Standard and also made a submission to TRAI:

Newspaper Column

Breaking into the Closed Circle: Domestic High-Tech Manufacturing Needs Access To Markets (by Shyam Ponappa, originally published in the Business Standard, July 31, 2013 and also mirrored in Organizing India Blogspot, August 1, 2013).

Submission

TRAI Consultation Paper on Spectrum (by Shyam Ponappa and A.B. Beliappa, August 31, 2013). The submission was made to the Telecom Regulatory Authority of India on August 21, 2013.

Digital Humanities

We are building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia.

Blog Entries

Digital Humanities Talk (by Sara Morais, August 1, 2013). Sara wrote about her talk in this blog entry.
Theorizing the Digital Subaltern (by Sara Morais, August 2, 2013).

Event Organised

Digital Humanities for Indian Higher Education (co-organised by CIS-A2K, HEIRA, CSCS, Tumkur University, Tata Institute of Social Sciences, Mumbai and CCS-Indian Institute of Science, Bangalore, July 13, 2013). Errata: We had got the name of one of the co-organisers wrong in our previous newsletter. We have corrected this now.

Event Participated In

South Asia Conference on Higher Education (organised by the Centre for Study of Culture and Society, Ford Foundation Office, New Delhi, August 5 – 7, 2013). Sunil Abraham participated in this conference.

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.
Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

*Support Us*

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration
We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/august-2013-bulletin

The Personal Data (Protection) Bill, 2013

prachi — 2013-08-30T14:53:11Z

Below is the text of the Personal Data (Protection) Bill, 2013 as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013. Note: This version of the Bill caters only to the Personal Data regime. The surveillance and privacy of communications regime was not discussed at the 6th Privacy Roundtable.

For more details visit https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013