Centre for Internet and Society

The freedom of expression debate: The State must mend fences with The Web

praskrishna — 2013-01-07T10:30:21Z

A fortnight after her arrest, Renu Srinivasan spends her free time singing Ashley Tisdale's number Suddenly. The lyrics - Suddenly people know my name, suddenly, everything has changed - resonate with the story of her life ever since she 'liked' and 'shared' her friend, Shaheen Dhada's, 21, controversial post regarding Shiv Sena chief Bal Thackeray's funeral on Facebook on November 18 and got arrested for it.

The article by Rahul Jayaram was published in India Today on December 18, 2012. Pranesh Prakash is quoted.

She's now flooded with "hundreds" of messages on FB; some congratulatory, others abusive and gets at least a dozen friend requests on the social networking site. When Renu went to the doctor last week, two constables accompanied her.

"All of a sudden, there's too much attention on me," says the Botany graduate from Dandekar College and a budding singer who is making new friends in the virtual world. There's, however, a word from caution from her father P.A. Srinivasan: "Don't comment on controversial issues you don't understand."

Bloggers are careful. Krish Ashok, a well-known blogger is disappointed with the government's lack of engagement with India's surging online community. In a blog post in August 2010, he made fun of the Ramayana and the fact that women couldn't enter the Sabarimala temple in Kerala. A group called Hindu Janajagruti Samiti threatened to take him to court. Ashok spoke to his lawyer.

"I was amazed. She said no individual could take action against me. But a group or organisation could," he says. Since then, he has become more aware of his Internet rights.

Gursimran Khamba, who has over 30,000 followers on Twitter, kept his cool during Thackeray's death and funeral. When all the media went gaga over him, televising his family photo albums, Khamba, re-tweeted reports and accounts of the Shiv Sena's role during the Mumbai riots of 1992-93. "In my head, I am not courageous to say anything about it myself," he says. He didn't want to incite. He'd rather help his followers get a more nuanced picture of a venerated leader.

Palghar and after, has made Ashok think. "I would reduce the number of provocative posts I might make," he says. Khamba says he will stick to comedy and doesn't believe in offence for the sake of offending although "taking offence is our national sport."

It is a shame, for the Internet is growing in India like nobody's business. It's the medium of the age.

According to comScore, a company that measures Internet trends, India is the fastest growing online market in the last 12 months among BRIC nations. There were 44.5 million unique visitors in July 2011 and in July 2012 there were 62.6 million unique visitors. That is, a growth of 44 per cent in one year. The total Internet usage of 124.7 million users in July 2012, that is, a 41 per cent growth from last year (July 2011).

With 124 million users as of July 2012, India has an Internet penetration of 10 per cent. 75 per cent of India's online users are below the age of 35 making it one of the youngest Net-connected populations. 39.3 per cent of India's Internet population consists of females. It has the highest growth seen among 15 to 24 male and female segments. India has 56.2 million Facebook users and 4.1 million Twitter users. Facebook had 35.3 million users in July 2011 and it jumped to 52.1 million in July 2012. That's a growth of 47% in just one year!

Growth of the Internet is one thing. Freedom of the Internet is another. Freedom House, an American organisation that tracks political and civil liberties worldwide, is blunt in its assessment. India is third in terms of Internet penetration, after the United States and China. Before November 2008, government control over the Internet was limited. All that changed after the November 2008 Mumbai attacks.

Since then it says, "The need, desire, and ability of the Indian government to monitor, censor, and control the communication sector have grown. Given the range of security threats facing the country, many Indians feel that the government should be allowed to monitor personal communications such as telephone calls, email messages, and financial transactions. It is in this context that Parliament passed amendments to the Information Technology Act (ITA) in 2008, expanding censorship and monitoring capabilities. This trend continued in 2011 with the adoption of regulations increasing surveillance in cyber cafes. Meanwhile, the government and non-state actors have intensified pressure on intermediaries, including social media applications, to remove upon request a wide range of content vaguely defined as "offensive" and potentially pre-screen user-generated content. Despite new comprehensive data protection regulations adopted in 2011, the legal framework and oversight surrounding surveillance and interception remains weak, and several instances of abuse have emerged in recent years."

Over this year we have had the cases of cartoonist Aseem Trivedi being put in jail and later released in September. In April, Ambikesh Mahaptra of Jadavpur University in Kolkata was arrested for a cartoon poking fun at West Bengal chief minister Mamta Banerjee and Railway Minister Mukul Roy. In October, Ravi, owner of plastic packaging material factory was arrested and let off on bail for joking about Finance Minister P. Chidambaram's son, Karti. The list gets longer. The Web and the State are at loggerheads. Why?

Lawyers and bloggers haul up Internet laws. And for such a community, we have laws like Section 66 (A) of the Information Technology Act of 2000. The law states that "any person who sends by means of a computer resource or a communication device, any information that is grossly offensive or has menacing character," can be booked for online crime.

Legal experts think Section 66 (A) and the whole of the IT Act of 2000, needs revisiting. According to cyber lawyer Pavan Duggal, Section 66 (A) "is a vanilla provision that can be used for anything online."

Section 66(A) seeks to empower the police and the complainant. "The words 'grossly offensive' and 'menacing character' of Section 66 (A) have no definition given. Normal, legitimate bona fide conversation between boyfriend and girlfriend at noble times online is fine. Once relationship sours, and they are gone."

"It's not clear what the purpose of Section 66A is. It's like having a single provision covering murder, assault, intimidation, and nuisance, and prescribing the same penalty for all of them," says Pranesh Prakash of the Center for Internet and Society, Bangalore. Terminology and the law's purpose are massive concerns.

"The extent of the ambiguity of Section 66A is worrying. Laws need to be very clear about what they want to achieve. If it is murder, then it must say murder. If its attempted murder, it must be clear it is attempted murder. Section 66 A is trying to do too many things at the same time. Its canvas is too vast," says Rajeev Chandrasekar.

As a country, we look to imitate the West, and often copy it badly. Some wonder if we need to mime the West. Pranesh Prakash thinks the Indian Constitution is stronger on free speech grounds than the (unwritten) UK Constitution, and the judiciary has wide powers of judicial review of statutes (i.e., the ability of a court to strike down a law passed by Parliament as 'unconstitutional').

Judicial review of statutes does not exist in the UK (with review under its EU obligations being the exception) as they believe that Parliament is supreme, unlike India. Putting those two aspects together, a law that is valid in the UK might well be unconstitutional in India for failing to fall within the eight octagonal walls of the reasonable restrictions allowed under Article 19(2).

Rajeev Chandrasekar thinks the Brits got it right. During the London riots of June 2011, "the UK government kept a tab on social media networking sites so as to check incitement, he says. It was a good example of clear legislation and effective execution, in an extreme scenario." To defuse online paranoia he wants the government to have a multi-stakeholder arrangement in fixing IT laws. This must involve users, IT companies, cyber cafe owners and the government. The State must mend fences with the Web.

For more details visit https://cis-india.org/news/india-today-rahul-jayaram-december-18-2012-the-freedom-of-expression-debate

The Four Parts of Privacy in India

bhairav — 2015-08-23T13:02:28Z

For more details visit https://cis-india.org/internet-governance/blog/four-parts-of-privacy.pdf

The Four Parts of Privacy in India

bhairav — 2015-08-23T13:04:50Z

Privacy enjoys an abundance of meanings. It is claimed in diverse situations every day by everyone against other people, society and the state.

Traditionally traced to classical liberalism’s public/private divide, there are now several theoretical conceptions of privacy that collaborate and sometimes contend. Indian privacy law is evolving in response to four types of privacy claims: against the press, against state surveillance, for decisional autonomy, and in relation to personal information. The Indian Supreme Court has selectively borrowed competing foreign privacy norms, primarily American, to create an unconvincing pastiche of privacy law in India. These developments are undermined by a lack of theoretical clarity and the continuing tension between individual freedoms and communitarian values.

This was published in Economic & Political Weekly, 50(22), 30 May 2015. Download the full article here.

For more details visit https://cis-india.org/internet-governance/blog/economic-and-political-weekly-bhairav-acharya-may-30-2015-four-parts-of-privacy-in-india

The Five Monkeys & Ice-cold Water

sunil — 2012-10-30T10:43:38Z

The Indian government provides leadership, both domestically and internationally, when it comes to access to knowledge.

This article by Sunil Abraham was published in Deccan Chronicle on September 16, 2012.

Our domestic patent policy ensures that generic medicines are available and largely affordable not only within India but also in Africa and elsewhere. It also allows Indians to consume a wide range of technological innovations without worrying about legal bans that are an otherwise common feature in the developed countries, thanks to phenomena such as the ongoing mobile phone patent wars.

Copyright policy, including the last amendment of the copyright act, has ensured that fair dealing and the rights of students, researchers, disabled, etc., are protected. Texts, audio and video for education and entertainment are relatively affordable, especially in comparison to other countries in the Asia-Pacific.

Even at the World Intellectual Property Organisation, other developing countries look to India for guidance. The interventions of the copyright registrar G.R. Raghavender and the Indian team won praise during the most recent round of negotiations for the Treaty for the Visually Impaired. An excellent example of India's soft power protecting public interest at home and abroad.

In diametrical contrast, India has a terrible track record when it comes to freedom of expression, especially expression mediated by networked technologies such as telecommunications and the Internet.

Our policy-makers seem determined to extinguish the privacy of communications and also anonymous/pseudonymous speech through such devices as Know Your Customer (KYC) and data retention requirements for accessing the Internet through cyber-cafes, mobile phones, dial-up or broadband, ban on open wi-fi networks, plans to tie together Aadhaar and NATGRID and Central Monitoring System (CMS) to track a citizen using his/her UID across devices, networks and intermediaries, and requiring real-time interception equipment to be installed at all network and data centres.

All these without any horizontal privacy law or a data protection law that is compliant with international best practices. Security hawks argue that this pervasive, multi-tiered surveillance regime helps thwart criminal and terrorist attacks, but its poor design extracts a terrible price in terms of freedom of expression.

Citizens who cannot express themselves anonymously and privately begin to censor themselves, seriously undermining our democracy, which is most importantly founded on an anonymous expression, the electoral ballot.

In addition, in April 2011, rules under the amended IT Act were notified for intermediaries that have a chilling effect on free speech via unclear and unconstitutional limits on freedom of expression, encouragement of private censorship without any notice to those impacted, missing procedure for redress, and lack of penalties for those who abuse the rules to target legitimate speech. This was followed by calls for proactive censorship of social media, which caused much outrage amongst the twitterati.

Even when the government had legitimate grounds (the recent exodus of North-East Indians) to censor free speech, it overreached and acted incompetently, cracking down on parody accounts on social media rather than carefully configuring the text message ban. As if that weren't enough, the government beats up a cartoonist and jails him for sedition.

There’s a plan behind such attacks on free speech. The powerful in India, with their fragile egos, can afford expensive lawyers who can ensure that for those who dare to speak their mind, “the process is the punishment”, as Lawrence Liang of the Alternative Law Forum put it. Needless to say, cartoonists and others that dare to speak their mind cannot usually afford the time and expense of courts.

An experiment featuring monkeys, bananas and ice-cold water, commonly attributed to the late American psychologist Harry Harlow, explains what’s being attempted by those who attack free speech. First, five monkeys are put in a cage with bananas hanging from the top that can be reached by climbing a ladder. Every time one of the monkeys try to climb the ladder, ice-cold water is thrown on all of them. Soon, the monkeys learn not to climb the ladder.

Then, one of them is replaced with a monkey that has never been drenched with ice-cold water. When the new monkey tries to climb the ladder, the other four monkeys attack it and prevent it from reaching the banana. This is continued till all the original monkeys are replaced with new ones.

When that’s done, although none of the monkeys left in the cage has ever been drenched with ice-cold water, they continue to enforce the regulation on themselves. This is what has happened in China. This is what is being attempted here – to social engineer the Indian netizen.

For more details visit https://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-2012-sunil-abraham-the-five-monkeys-and-ice-cold-water

The Fight for Digital Sovereignty

sunil — 2013-10-25T07:29:22Z

It is time to incorporate free software principles to address the issue of privacy. Thanks to the revelations of Edward Snowden, a former contractor to the United States (US) National Security Agency (NSA) who leaked secrets about the agency’s surveillance programmes, a 24-year-old movement aimed at protecting the rights of software users and developers has got some fresh attention from policymakers.

The article was published in the Economic & Political Weekly, Vol-XLVIII No. 42, October 19, 2013

The free and open source software movement (often collectively labelled as FOSS or sometimes FLOSS, with the “l” standing for “libre”) guarantees four freedoms through a copyright licence – the freedom to use for any purpose, the freedom to study the code, the freedom to modify it and the freedom to distribute the modified code gratis or for a fee. Free software principles have permeated the world in the form of movements around open standards, open content, open access and open data. The second freedom is the most critical in an open society. Privacy, security and integrity are best achieved through the transparency guaranteed by free software rather than the opacity of proprietary software.

Free software is directly useful in deciding on the software required for your device operating system and applications. NSA’s surveillance programme covered operating system vendors like Microsoft and Apple, and application vendors like Skype. The concerns raised by such surveillance programmes are best addressed by shifting to free software. Increasingly, this is possible on mobile devices because of the availability of Android derivatives that keep Google’s nose out of your business and on other personal computing devices through GNU/Linux distributions such as Ubuntu. Ideally, this should be accomplished by a mandate for government and public infrastructure in specific areas where free software alternatives are on par with proprietary competitors. Two other policy options remain outside procurement policies for hardware – code escrow and independent audits. Firms that are willing to share code with the government should be preferred over those that do not, thereby encouraging proprietary software companies to provide for the second freedom in free software within a limited context. Code escrow could improve the quality of the independent audit.

Unfortunately, open hardware based on free software principles is still a fringe phenomenon in terms of market share. The Indian government cannot afford bans on foreign products, unlike the intelligence and military of Australia, the US, Britain, Canada and New Zealand, which recently prohibited the use of Lenovo machines in “secret” and “top secret” networks. Last October, the US government banned US telecos from using equipment from Huawei and ZTE. Both these bans are not based on any credible public evidence regarding back doors in any of the products manufactured by these Chinese companies. The Indian government, using funds like the Universal Service Obligation Fund, should support competitive research to reverse-engineer and analyse all foreign and indigenous hardware to ensure that there is no national security threat or infringement on the individual’s right to privacy. One example would be a research project to determine whether China-manufactured phones call home when they are used on Indian telecom networks.

Cloud and other online services run by corporations could also completely undermine privacy and security. This again can be partially addressed through the transparency enabled by free software and open standards. To begin with, the government must ban the use of Google, Yahoo, Hotmail, etc, for official purposes by those in public office, law enforcement and the military, while simultaneously mandating the use of cryptography for all sensitive material and communication. It should not, however, mandate the use of National Informatics Centre (NIC) infrastructure as it may be a single point of failure; instead, a variety of open-standards-compliant and free-software-based infrastructure for all public sector information communication technology (ICT) requirements should be encouraged. This procurement bias will result in the growth of domestic server administration and security competence, thus creating and contributing towards the establishment of a market for affordable privacy and security-enhanced services that ordinary citizens and private sector organisations can access.

The end objective through means such as free software, open hardware, code escrow and independent audits is sovereignty over software, hardware, cloud and network infrastructure. However, the state, the private sector, the consumer and the citizen may disagree on the details. Apart from law enforcement and national security concerns that may require targeted surveillance, there are other occasions when technological possibilities may have to be curtailed through policy to protect human rights and the public interest. For example, to implement the internationally accepted privacy principle of notice on electronic recording devices, some jurisdictions may require that video recorders display a blinking red light and that digital cameras make an audible click sound just like analog cameras. This was first initiated in South Korea to reduce the incidence of “upskirt photography”. This type of law may become more commonplace when technologies like Google Glass become more popular. In other words, absolute digital sovereignty may need to be curtailed in order to protect human rights in certain circumstances. But code could be used to resist regulation through law, thereby converting both the software and hardware layers of devices and networks into a battleground for sovereignty between the free software hacker and the state.

For more details visit https://cis-india.org/a2k/blogs/epw-vol-xlviii-42-october-19-2013-sunil-abraham-the-fight-for-digital-sovereignty

The Embodiment of the Right to Privacy within Domestic Legislation

tanvi — 2014-09-08T02:37:39Z

The Right to Privacy is a pivotal construct, essential to the actualization of justice, fairness and equity within any democratic society. It is an instrument used to secure the boundaries of an individual’s personal space, in his interaction with not only the rest of society but also the State.

It is within this realm of the social transaction that there exists an unending conflict between the Right to Privacy of an individual and the overbearing hand of the State as a facilitator of public interest. This right thus acts as a safety valve providing individuals with a sacred space within which their interactions in their personal capacity have no bearing on their conduct in the public sphere. The preservation of this space is incredibly important in order to ensure a willingness of individuals to engage and cooperate with the State in its fulfillment of public welfare measures that would otherwise be deemed as intrusive. It is in this regard that the Right to Privacy, one of the last sustaining rights that an individual holds against a larger State interest, ought to be protected by the law.

There are numerous dimensions to the idea of the Right to Privacy. These include but are not limited to the privacy of person, privacy of communication, personal privacy, transactional privacy, privacy of information and the privacy of personal data.

The Supreme Court of India has come to the rescue of individuals, time and again by construing "Right to Privacy" as an extension of the Fundamental Right to “Protection of Life and Personal liberty” under Article 21 of the Constitution. This has been reflected in the adjudicatory jurisprudence of the Constitutional courts in the country. However, there exists no Constitutional remedy to redress the breach of privacy by a nongovernmental actor, except under tortuous liability. The power and authority of public and private institutions to use an individual’s personal data for larger interests of national security or effectuation of socio-economic policies is still under extensive scrutiny. It is in this regard that we have compiled a number of sectoral legislations, regulating domains ranging from Finance and Telecom to Healthcare, Freedom of Expression, Consumer rights and Procedural codes. The highlighted provisions under each Act pertain to the mechanisms embodied within the legislation for the regulation of privacy within their respective sectors. Through this we aim to determine the threshold for permissible collection of confidential data and regulatory surveillance, provided a sufficient need for the same has been established. The determination of such a threshold is imperative to formulating a consistent and effective regime of privacy protection in India.

Click to download the below resources:

Legislations
Master Circulars
Finance and Privacy
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

Case Laws
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

For more details visit https://cis-india.org/internet-governance/blog/the-embodiment-of-right-to-privacy-within-domestic-legislation

The Digital Identification Parade

Aayush Rathi and Ambika Tandon — 2019-07-30T00:19:25Z

NCRB’s proposed Automated Facial Recognition System impinges on right to privacy, is likely to target certain groups.

The article by Aayush Rathi and Ambika Tandon was published in the Indian Express on July 29, 2019. The authors acknowledge Sumandro Chattapadhyay, Amber Sinha and Arindrajit Basu for their edits and Karan Saini for his inputs.

The National Crime Records Bureau recently issued a request for proposals for the procurement of an Automated Facial Recognition System (AFRS). The stated objective of the AFRS is to “identify criminals, missing persons/children, unidentified dead bodies and unknown traced children/persons”. It will be designed to compare images against a “watchlist” curated using images from “any […] image database available with police/other entity”, and “newspapers, raids, sent by people, sketches, etc.” The integration of diverse databases indicates the lack of a specific purpose, with potential for ad hoc use at later stages. Data sharing arrangements with the vendor are unclear, raising privacy concerns around corporate access to sensitive information of crores of individuals.

While a senior government official clarified that the AFRS will only be used against the integrated police database in India — the Crime and Criminal Tracking Network and Systems (CCTNS) — the tender explicitly states the integration of several other databases, including the passport database, and the National Automated Fingerprint Identification System. This is hardly reassuring. Even a targeted database like the CCTNS risks over-representation of marginalised communities, as has already been witnessed in other countries. The databases that the CCTNS links together have racial and colonial origins, recording details of unconvicted persons if they are found to be “suspicious”, based on their tribe, caste or appearance. However, including other databases puts millions of innocent individuals on the AFRS’s watchlist. The objective then becomes to identify “potential criminals” — instead of being “presumed innocent”, we are all persons-who-haven’t-been-convicted-yet.

The AFRS may allow indiscriminate searching by tapping into publicly and privately installed CCTVs pan-India. While facial recognition technology (FRT) has proliferated globally, only a few countries have systems that use footage from CCTVs installed in public areas. This is the most excessive use of FRT, building on its more common implementation as border technology. CCTV cameras are already rife with cybersecurity issues, and integration with the AFRS will expand the “attack surface” for exploiting vulnerabilities in the AFRS. Additionally, the AFRS will allow real-time querying, enabling “continuous” mass surveillance. Misuse of continuous surveillance has been seen in China, with the Uighurs being persecuted as an ethnic minority.

FRT differs from other biometric forms of identification (such as fingerprints, DNA samples) in the degree and pervasiveness of surveillance that it enables. It is designed to operate at a distance, without any knowledge of the targeted individual(s). It is far more difficult to prevent an image of one’s face from being captured, and allows for the targeting of multiple persons at a time. By its very nature, it is a non-consensual and covert surveillance technology.

Potential infringements on the right to privacy, a fundamental right, could be enormous as FRT allows for continuous and ongoing identification. Further, the AFRS violates the legal test of proportionality that was articulated in the landmark Puttaswamy judgment, with constant surveillance being used as a strategy for crime detection. Other civil liberties such as free speech and the right to assemble peacefully could be implicated as well, as specific groups of people such as dissidents and protests can be targeted.

Moreover, facial recognition technology has not performed well as a crime detection technology. Challenges arise at the stage of input itself. Variations in pose, illumination, and expression, among other factors, adversely impact the accuracy of automated facial analysis. In the US, law enforcement has been using images from low-quality surveillance feed as probe photos, leading to erroneous matches. A matter of concern is that several arrests have been made solely on the basis of likely matches returned by FRT.

Research indicates that default camera settings better expose light skin than dark, which affects results for FRT across racial groups. Moreover, the software could be tested on certain groups more often than others, and could consequently be more accurate in identifying individuals from that group. The AFRS is envisioned as having both functionalities of an FRT — identification of an individual, and social classification — with the latter holding significant potential to misclassify minority communities.

In the UK, after accounting for a host of the issues outlined above, the Science and Technology Committee, comprising 14 sitting MPs, recently called for a moratorium on deploying live FRT. It will be prudent to pay heed to this directive in India, in the absence of any framework around data protection, or the use of biometric technologies by law enforcement.

The experience of law enforcement’s use of FRT globally, and the unique challenges posed by the usage of live FRT demand closer scrutiny into how it can be regulated. One approach may be to use a technology-neutral regulatory framework that identifies gradations of harms. However, given the history of political surveillance by the Indian state, a complete prohibition on FRT may not be too far-fetched.

For more details visit https://cis-india.org/internet-governance/blog/aayush-rathi-and-ambika-tandon-indian-express-july-29-2019-the-digital-identification-parade

The Digital Humanities from Father Busa to Edward Snowden

sneha-pp — 2017-10-04T11:02:10Z

What do Edward Snowden, the whistle-blower behind the NSA surveillance revelations, and Father Roberto Busa, an Italian Jesuit, who worked for almost his entire life on Saint Thomas Aquinas, have in common? The simple answer would be: the computer. Things however are a bit more complex than that, and the reason for choosing these two people to explain what the Digital Humanities are, is that in some sense they represent the origins and the present consequences of a certain way of thinking about computers. This essay by Dr. Domenico Fiormonte, lecturer in the Sociology of Communication and Culture in the Department of Political Sciences at University Roma Tre, was originally published in the Media Development journal.

Cross-posted from Media Development, Vol. LXIV 2/2017. Published on May 13, 2017.

Although it is true that computer science was born from the needs of calculation (i.e. computing), in other cultures and languages the usual term is “informatics”, or the science of information. The difference is not trivial, and in fact the encounter between the computer and words, or rather with language, can be considered a cultural watershed. Father Busa himself was one of the protagonists of this meeting which came about in 1949 when he visited New York to ask Thomas J. Watson Sr, the president of IBM, for permission to use computers to study the vocabulary of Saint Thomas Aquinas (Jones, 2016). That endeavour is considered by many to have signalled the birth of computer-based “Natural Language Processing”, the inter-disciplinary field behind many of the digital tools that we use in our everyday life: from the technologies of T9 on our smartphone to voice recognition and synthesis, etc.

But these tools, although fundamental, are not the most striking (or perhaps disturbing) results of this age of transformation. Through the gesture of entering words in a computer, Busa framed the basis of a new concept of hermeneutics that was no longer based solely on purely subjective interpretation, but also on automatic processing of linguistic data, and hence in some sense “objective”. Busa’s undertaking founded the discipline of Humanities Computing (although years later it was renamed Digital Humanities), but above all it laid the groundwork for a profound epistemological and cultural transformation. And at the heart of this revolution was the “written document”, the text, understood as an alphanumeric sequence. In an effort to best explain this revolution, I will concentrate on one aspect, the representation of the document, and return to the hermeneutical aspects in the final part.

The epistemological revolution of the digital document

My own association with Digital Humanities (DH), as for many humanists of my generation, came from philology and textual criticism. My first foray into electronic textuality was in 1990, when it became clear that the confluence of informatics and the humanities would revive an inherent, almost arcane dualism: in the beginning was the data… But I was unprepared to tackle the conflict between information retrieval and interface, or between a textual paradigm based on the idea of information (text=data) and a vision of the textual document as a stratified historical-material reality, visualized not only as information, but also as an object (or series of objects), to be ultimately used and enjoyed. This dualism certainly did not only come about as a result of the encounter between informatics and text, but what we can say is that the process of digitization from this point on would “enhance” certain characteristics of the document at the expense of others.

The problem of the digital document in fact cannot be understood unless one first understands what digitization is and how it works: that is to say, the process of translating what we who undertake the work call “encoding” or more generally “representation”. The pioneers of informatica umanistica in Italy (Tito Orlandi, Raul Mordenti, Giuseppe Gigliozzi, etc.) taught the students of my generation two key concepts: 1) the passage from the analogue to the digital implies a process that formalizes the object of research (from the single character to the more complex structures of the historical artefact); 2) each act of encoding, or rather each act of representation of the specific “object” via a formal language involves a selection from a set of possibilities and is therefore an interpretative act (Orlandi, 2010).

The fundamental difference is that the human language and its writing systems were always many and various, whereas formal computer languages are based on a codex universalis, an Esperanto derived for the most part from the English language. As George Steiner wrote in After Babel, “the meta-linguistic codes and algorithms of electronic communication are founded on a sub-text, on a linguistic ‘pre-history’, which is fundamentally Anglo-American” (Steiner, 1998: xvii). Digital “standards” always reflect a cultural bias, and the act of encoding is never neutral, but tends to assume (and overlap with) universalizing discourses that on the surface are hard to see.

An important standard for character representation with ASCII, the American Standard Code for Information Interchange created in the 1960s. That technology is continued today by Unicode, an industrial standard, which purports to represent the characters of all written languages. Beside the fact that it is directed by the usual mega-corporations, Google, Apple, IBM, Microsoft, etc., Unicode is underpinned by an alphabet-centric logic that penalizes non-Western systems of writing. Given this weakness, it should come as no surprise that it has attracted criticism on several fronts, including the charge of ethnocentrism (Perri, 2009; Pressman, 2014: 151), and also because it ignores the difficulties faced by languages of low commercial value in their efforts to be properly represented (and therefore at risk of extinction). To paraphrase Alexander Galloway, “technical is always [geo]political” (Galloway, 2004: 243).

Even if our lack of awareness as humanists might have deceived us into thinking that the translation from the analogue to the digital was a neutral and painless process, we would soon have realized that, as with any change of format, digital representation can change and influence both the life of the original object and its digital future. And we would have discovered the “multiple biases” inherent in the digitization process. So in one respect we have entered in a post-Busa phase where interpretation is not something you can have without defining both the object and the source of your knowledge.

Busa never showed much interest in theoretical questions or in the link between hermeneutics and epistemology (and even less between semiotics and politics), or between the interpretation of the object and the nature of its representation. Perhaps this was because the question “What do I want to represent, and how?” would have provoked a series of more disturbing questions: “What is knowledge? Who produces it, how, and for what purpose?” These questions probably would have threatened to paralyze his pragmatic approach. On the other hand, it cannot have been easy to ignore the problem, since many philosophers, starting with Plato when discussing the transition from orality to writing, kept asking questions about the formats and systems of knowledge representation (Stiegler, 2006).

As humanists we then begin to understand that the problems information technology appeared able to resolve, soon created new problems which were not limited to a single discipline, like philology or textual criticism. To ignore the epistemological (and also ethical or political) problems generated by the confluence of the humanities and information science was certainly possible: but at what price? The more pragmatic among us would have been content to use machines for what they could immediately offer: the tremendous possibilities and tools for representing, archiving and automatic analysis of humanistic objects and artefacts. This approach seemed prevalent in the first historical phase of DH, reflected in canonical definitions like “the application of computational methods to humanities research and teaching” or “researching the Humanities through digital perspectives, researching digital technologies from the perspective of the Humanities” [1].

But what are the effects of these methods and technologies? The answer to this question coincides with the new phase that DH is actually in at the moment, a phase that forces us to consider the costs of all of the above, the ethical, social, and political implications of the instruments, resources and infrastructure, and the cultural biases inherent in their conception and design.

The social and political implications of DH

Fr Busa’s “hermeneutic” approach has been the main focus of the past 20 years of DH, while the methodological and epistemological concerns have been pushed to one side. The reason for this is fairly simple. Since the overwhelming majority of evidence on which the memory of people is based (particularly in the West) is the written text, the computer, a manipulator of alphanumeric symbols, has been shown to be a powerful agent of their preservation and management. This need to unravel the concept of the “text as data”, as mentioned above, has pushed aside for the moment the question of interface, that is, ways for the text to be used and read.

The materiality of written documents, given their incredible linguistic and cultural diversity, their visual and pragmatic dimensions, etc. (especially holographs and manuscripts) does not marry all that well with the limited possibilities offered by information science – or at least doesn’t fit with what has been produced by those who have guided its development thus far. Therefore, up until the early 2000s, the Digital Humanities focused especially on the design of tools and resources for the analysis and preservation of written documents. The spread of the Web from the mid-1990s, despite the first rumblings on the theme of user interface development (which Busa always considered to be a minor problem), ended by confirming this tendency.

There was in my view a precise moment when this concept of “text as data” reached a point of crisis, by showing its dark side. As humanists we would probably have preferred to continue our work quietly as if nothing had changed, but at a certain point something monumental happened, an event which has changed our relation with the digital dimension of knowledge, and hence of research. And this moment was the 6th of June 2013, when the Washington Post and the Guardian began publishing the documents supplied by Edward Snowden about mass surveillance by the NSA. The immensity of this event was immediately clear: a document published by the US National Security Agency and its British twin (GCHQ), said that in one month alone over 181 million records had been collected, including metadata and content (text, audio and video [Gellman and Soltani, 2013]).

The news that in July 2016 half of Silicon Valley, from Amazon to Google, had been co-opted by the Pentagon (Collins, 2016), and the dynamics of the last presidential elections in the USA confirmed, that the Net has become the field on which the geopolitical balances of the planet are played out. And at the centre of this “new world” is the idea of the “universal archive” where all data (past, present, and future) are stored. It is here that both the hermeneutical and epistemological questions fall down. In modern times, knowledge and interpretation depended on history, which we conceived as a linear process, i.e. based on space and time. But the dynamics of digital data seem to escape the logics of space and time, because the digital archive is ubiquitous and eternally present.

In my opinion, the heritage of Busa is reflected by the obsession with control (collection) and the analysis (interpretation) of data by government agencies and high-tech multinationals. Both have committed to the “hermeneutic” vision (although of the bare bones variety), or rather to the analysis of huge amounts of our data as the basis of their interpretation of the world. Welcome to the fantastic world of Big Data...

The question is no longer what the document is or how it is represented (an epistemological question) or how it is to be interpreted (a hermeneutical question). Even if the better forces of DH have insisted on this point and on the necessity of proceeding in this order (because interpretation of the object is inseparable from the circumstance of its representation), these “humanistic” scruples appear suddenly irrelevant. The actual question is in fact “who are we really?” Or rather not us, but the creation through our digital footprint of an alter ego that the algorithms of Google or Facebook decree is more “true” than the other (which we mistakenly believe still to exist). But who will be able to decipher or take apart these stories (data + algorithms) which we daily write and re-write? And does it still make sense to investigate the instruments of production and preservation of memories and knowledge when we no longer have any control over them?

Geoffrey Rockwell and I recently tried to analyze a commercial surveillance package, Palantir, from the point of view of DH (Rockwell and Fiormonte, 2017). Palantir scans and combines data from “documents, websites, social media and databases, turning that information into people, places, events, things, displaying those connections on your computer screen, and allowing you to probe and analyze the links between them” (Anyadike, 2016). But these kinds of software can be also seen as story-telling tools, because they allow someone to build stories about us and through us. So there seems to be a “literary” and rhetorical side to surveillance software, which the digital humanist seems particularly well-equipped to analyze. After all, the story of Big Data is also our story. There seems to be an “original sin” present in Big Data, i.e. the information retrieval paradigm that treats stories as data and data as a resource to be mined. And this approach is clearly reflected in Busa’s original idea of computational hermeneutics: digitize your texts, get your data, then build an interpretation upon them.

A posteriori we can ask ourselves what happened on that distant morning in 1949 in the heads of Thomas J. Watson Sr. and Father Busa. Was the founder and owner of IBM conscious of what the vision of Father Busa would lead to? And could the Jesuit father have ever expected that his intuition would change not only our means of reading and interpreting history, but also how we construct it? No one can ever know. But history reaffirms once again the great responsibility of science – in this case the responsibility of the “ignorant” humanities. If anyone believes that the humanities do not have a future, it is good to read again how 70 years ago a meeting between Thomas Aquinas and computers formed the basis of a revolution in digital communication. But from now on, the role and responsibility of the humanist will not only be to preserve and interpret the signs of the past, but to engage critically with, and where necessary unmask, the technological, political and social discourses that are shaping our knowledge, memories, and consciousness.

This article was translated by Desmond Schmidt.

Note

[1] Selected responses to the question “How do you define DH?” from Day of DH 2012. Accessed from http://archive.artsrn.ualberta.ca/Day-of-DH-2012/dh/index.html.

References

Anyadike, Obi (2016). Spies Sans Frontières? How CIA-linked Palantir is gaining ground in the aid industry (and why some humanitarians are worried). IRIN, March 7, 2016. Accessed from https://www.irinnews.org/investigations/2016/03/07/spies-sans-fronti%C3%A8res.

Collins, Terry (2016). Amazon CEO Jeff Bezos joins Pentagon innovation board. CNet, July 28, 2016. Accessed from https://www.cnet.com/news/jeff-bezos-amazon-blue-origin-pentagon-ash-carter-eric-schmidt-google/.

Galloway, Alexander R. (2004). Protocol: How Control Exists after Decentralization. Cambridge (MA), MIT Press.

Gellman, Barton – Soltani, Ashkan (2013). NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say. The Washington Post, October 30, 2013. Accessed from https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html.

Jones, Steven E. (2016). Roberto Busa, S. J., and the Emergence of Humanities Computing. The Priest and the Punched Cards. London, Routledge.

Orlandi, Tito (2010). Informatica testuale. Teoria e prassi. Roma-Bari, Laterza.

Perri, Antonio (2009). Al di là della tecnologia, la scrittura. Il caso Unicode. Annali dell’Università degli Studi Suor Orsola Benincasa, Vol. II, pp. 725-748.

Pressman, Jessica (2014). Digital Modernism: Making It New in New Media. Oxford, Oxford University Press.

Rockwell, Geoffrey and Fiormonte, Domenico (2017). Palantir: Reading the Surveillance Thing. Critical Software Stories as a Way of the Digital Humanities. Paper presented at the AIUCD 2017 Conference, University of La Sapienza, Rome, January 26-28, 2017.

Steiner, George (1998). After Babel. Aspects of Language and Translation. Oxford, Oxford University Press.

Stiegler, Bernard (2006). Anamnesis and Hypomnesis. The Memories of Desire. In Armand, L. and Bradley, A. ed., Technicity. Prague, Litteraria Pragensia, pp. 15-41. Online version. Accessed from http://arsindustrialis.org/anamnesis-and-hypomnesis.

Author

Domenico Fiormonte (PhD University of Edinburgh) is currently a lecturer in the Sociology of Communication and Culture in the Department of Political Sciences at University Roma Tre. In 1996 he created one of the first online resources on textual variation (www.digitalvariants.org). He has edited and co-edited a number of collections of digital humanities texts, and has published books and articles on digital philology, new media writing, text encoding, and cultural criticism of DH. His latest publication is The Digital Humanist. A critical inquiry (Punctum 2015) with Teresa Numerico and Francesca Tomasi. His current research interests are moving towards the creation of new tools and methodologies for promoting interdisciplinary dialogue in the humanities (http://www.newhumanities.org).

For more details visit https://cis-india.org/raw/the-digital-humanities-from-father-busa-to-edward-snowden

The Digital Divide: pros and cons of Modi's latest big initiative

praskrishna — 2015-07-06T02:11:56Z

Prime Minister Narendra Modi inaugurated the Digital India (DI) initiative on 1 July, at an event attended by scores of government officials as well as industry leaders.

The blog post by Suhas Munshi was published in Catch News on July 2, 2015. Sunil Abraham is quoted.

The initiative

Digital India aims to make all citizens digitally literate. Bring e-governance to every doorstep.

Corporates have promised to invest Rs 4.5 lakh crore in the initiative.

This is greater than the total spend on all govt schemes. It is equivalent to 1/4th of the national budget.

The positives

It will be a boost to industry; both large and small enterprises.

It will ostensibly create a lot of jobs.

It's ideal if citizens can connect directly with the government.

The negatives

Will the initiative be genuinely inclusive?

How will corporates recover their costs? Will the promised investments end up as bad loans from banks?

Who will handle the personal data of so many citizens; will it be efficient?

Who will the vendors be?

Will the proposed digital lockers for official documentation be reliable?

Will the initiative give the govt a tool to conduct mass surveillance?

The alternative focus

Some experts feel the govt should concentrate on giving people access to basic necessities like water, power and sewage.

The backbone of the project, the National Optical Fibre Network, has already run into massive infrastructure issues.

The programme aims to make all citizens digitally literate and bring the internet and e-governance to all sections of the society.

Like Modi's past initiatives, this too has polarised opinion, in this case on the government's aggressive push for e-governance.

While some advise patience before arriving at a verdict, others think it isn't too early to begin celebrations.

Astronomical budget

Most of the funds for this initiative are expected to come from the private sector. The total investments promised by big corporates, according to Modi, is Rs 4.5 lakh crore.

That is an astonishing number - it is equivalent to a quarter of the country's budget.

If true, then the amount spent on this project will be way over the total money spent on all of the government's 66 central sponsored schemes.

However, India hasn't been able to deliver on the last big welfare scheme promised - the Food Security Act, two years after it was passed in Parliament.

Investments promised by corporates add up to Rs 4.5 lakh crore, which is one-fourth of India's total budget

This scheme, which is set to cost the country Rs 1.25 lakh crore, aims to provide subsidised food grains to two-thirds of the populace.

The immediate concern experts have expressed with the budget is the possible intervention of the private sector.

The big corporate houses that have promised these staggering investments, would also be looking to recover them.

"As I see it, effectively a new sector is being created for this initiative. While it is good, when the private sector comes in to support big government projects, we also have to examine what the recovery model for those investments are. Hopefully, more details about investments will be made available," said Subrata Das, Executive Director, Centre for Budget and Governance Accountability.

Boost to industry

The initiative has already received a massive thumbs up from the industry. Corporate leaders made a beeline to praise the initiative.

RIL chairman Mukesh Ambani said that with Digital India, the government has moved faster than industry. He added that Reliance Jio Infocomm will invest Rs 2,50,000 crore as part of the Digital India programme.

"Tata Consultancy Services (TCS) has partnered with the government for projects like Passport Seva and income tax e-filing, as well as state-level projects," said Cyrus Mistry, chairman of Tata Group, at the event.

Azim Premji, Wipro chairman, was quoted as saying the initiative will democratise the nation and "break down the digital divide in India".

He added that the level of skills of India's people will have to be significantly improved in order to make full use of the new initiative.

Kumar Mangalam Birla, chairman of the Aditya Birla Group, said it would leverage its Idea Cellular network of 165 million subscribers across 3,50,000 towns and villages in India to provide mobile-based healthcare and education services, as well as weather forecasting advisories and 'mandi' prices to over one million farmers.

The company will also launch a mobile wallet and payment bank as well as invest over $2 billion in the next five years in various internet-based sectors.

There seems to be a consensus on the kind of platform DI will provide to small entrepreneurs and the massive job opportunities it will create.

"Who has not heard about their computer engineer friends trying to develop a product in their spare time? These small entrepreneurs will get a lot of help if they are brought to a common platform with big companies and if lack of resources don't impede their work. Besides, as government starts to spend, there will be a severe need for hardware technicians, network operators, data entry operators," said Manish Sabharwal, chairman, Teamlease.

Rajeev Chandrasekhar, independent lawmaker in the Rajya Sabha, says DI is not only essential for the idea of 'minimum government, maximum governance', it is a big boost for the Indian IT industry.

"It is absolutely essential for good governance that as many people as possible are put directly in touch with their government. One of the biggest achievements, I think, will be in connecting 700 million people, so far sequestered, with the rest of the country. This obviously helps small entrepreneurs with launching their startups and bringing in a healthy workforce into the folds of this scheme," he said.

Many sunrise sectors before have similarly promised job growth that has not materialised. It remains to be seen how much of this euphoria plays out in concrete terms.

Privacy concerns

Therefore, while there's been a lot of positive buzz, not everyone is sold on the initiative.

Concerns are being raised about the handling of personal data of so many citizens.

There is a question about the reliability of the digital lockers in which all citizens will have their official documentation, and the anxiety of the data falling into the wrong hands.

"Of course, the concern with respect to privacy is legitimate and urgent.

Since the data the government will collect will be very large in terms of volume and can be misused, the reliability of the government's systems will have to be quite high.

So let's wait to see the nuts and bolts of the programme," said Apar Gupta, a senior lawyer specialising in information technology.

According to Reetika Khera, associate professor, economics at IIT Delhi, applications like digital lockers will make it easier for government to conduct mass surveillance.

There are questions over the reliability of digital lockers and about data falling into the wrong hands

"Programmes like Aadhar, digi-locker, central monitoring system (of mobile calls) etc are creating and enabling a massive surveillance infrastructure in India that will put NSA's PRISM, XKeyScore etc to shame.

"For instance, if Aadhaar is linked to your mobile number, bank account, travel details, the government can build a profile of each person at the click of a mouse. This is especially worrying because data protection and privacy laws are weak or non-existent," she said.

Sunil Abraham, executive director of Bangalore-based research organisation Centre for Internet and Society, also agrees with the concerns but is optimistic about the safeguards being put in place.

"There is a very mature draft of the Privacy Bill at the Department of Personnel and Training which will hopefully be introduced into Parliament after some rounds of public consultation and feedback.

"This, along with appropriate architectural and technological changes to e-governance services, will mitigate privacy concerns," said Abraham.

Misplaced priorities?

Then there is an argument that the less-privileged sections of society may need basic social services before they're considered for internet inclusion.

"What is true at the ground is that many people still don't have access to basic services, so while I think this is a good initiative, it should be part of our medium-term strategy.

"To begin with, we should focus on setting up basic infrastructure and extending water, power and sewer lines to most of the country," said Amitabh Kundu, retired JNU professor, who's advising the government on various projects.

Apar Gupta wonders how the government intends to bring people who are semi-literate, with no access to internet, within the fold of this e-governance project.

"Extending social welfare schemes to this section of people solely through digital medium is not viable," he said.

Some feel that the whole DI initiative is a mass-scale feel-good exercise. The argument is that using technology to 'uplift' the masses isn't a new idea, and is introduced periodically, and turns out to be largely ineffective.

"From the looks of it, this initiative seems to be nothing but techno-optimism. There is a belief that new technologies will, by themselves, transform the social world, but this doesn't happen.

"Techno-optimism, which we have seen before, is no different to traditional forms of governance, and over time, turns out to be nothing but a public relations exercises. An exercise to make governance visible to masses," said Ravi Sundaram, professor at the Centre for the Study of Developing Societies (CSDS).

Infrastructure issues

A project of this ambition and magnitude is bound to run into difficulties and, just a day after the launch, The Indian Express reported that the National Optical Fibre Network, the backbone of the initiative, is way behind schedule.

The project was supposed to be completed by December 2016. Initially, the 2014-15 target was to execute the work for one lakh gram panchayats, which was later halved to 50,000.

However, up until March 2015, only about 20,000 gram panchayats have been covered.

The primary problem is the cascading delays faced by central agencies, and when the active intervention of states was sought, 'right of way' charges have become the bone of contention.

Lack of contractors to do specialised work is also turning out to be an issue.

Thus, it won't be a stretch to say that while the initiative sounds like a great thing, doubts over its proper execution will continue till there is some concrete success to show for it.

For more details visit https://cis-india.org/internet-governance/news/catch-news-july-2-2015-the-digital-divide-pros-and-cons-of-modi-s-latest-big-initiative

The Difficult Balance of Transparent Surveillance

kovey — 2013-07-15T04:23:35Z

Is it too much to ask for transparency in data surveillance? On occasion, companies like Microsoft, Facebook, and the other silicon valley giants would say no. When customers join these services, each company provides their own privacy statement which assures customers of the safety and transparency that accompanies their personal data.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Google even publishes annual “Transparency Reports” which detail the data movement behind the scenes. Governments, too, are somewhat open about surveillance methods, for example with the public knowledge of the existence and role of institutions like America’s NSA and India’s CMS. These façades of assurance, however, never satisfy the public enough to protect them from feeling cheated and deceived when information leaks about surveillance practices. And in the face of controversy around surveillance, both service providers and governments scramble to provide explanations for discrepancies between their promises and their practices.

So it seems that transparency might not be too much to ask, but instead is perhaps more complicated of a request than imagined. For some citizens, nothing would be more satisfying than complete transparency on all data collection. For those who recognize surveillance as crucial for national security, however, complete transparency would mean undermining the very efficacy of surveillance practices. And data companies often find themselves caught between these two ends, simultaneously seeking profits by catering to the public, while also trying to abide by political and legal frameworks. Therefore, in the process of modern data surveillance, each attempt at resolution of the transparency issue will become a delicate balance between three actors: the government, the big data companies, and the people. As rightly stated on the Digital Due Process website, rules for surveillance must carefully consider “the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.”[1]

So we must unpack the idea of transparency.

First, there should be a distinction made between proactive transparency and reactive transparency, or, the announcement of surveillance practices versus the later access to surveillance records. The former is more risky and therefore more difficult to entertain, while the latter may lack any real substance beyond satisfying inquiries. Also consider the discrepancy in motivation for transparency between the actors. For the citizen, is transparency really an end goal, or is it only a stepping stone in the argument for eradication of surveillance practices in the name of rights to privacy? Here, we ascertain the true value of total transparency; will it ever please citizens to learn of a government’s most recent undermining of the private sphere?

Reactive transparency has been achieved only in recent years in India, during a number of well publicized legal cases. In one of the earliest cases of reactive transparency, Reliance Communications made an affidavit in the Supreme Court over the exact number of surveillance directives given by the government. It was released that 151,000 Reliance accounts were monitored for a project between 2006 and 2010, with 3,588 tapped phones just from the Delhi region alone in 2005.[2]

But also there has been controversy over the extent of reactive transparency, because it has been especially problematic to discern the point where transparency once again encroaches on privacy, both for government and the people’s sake. After gathering the data, its release could further jeopardize the citizens and the government. It is important to carefully consider the productive extent of reactive transparency: What will become of the information? Will one publicly reveal how many people were spied on? Who was spied on? What was found when through spying? Citizens must take all of this into consideration when requesting transparency.

Meanwhile, service providers embrace transparency when it can benefit their corporation, or as a recent Facebook statement explained, “we’ve been in discussions with U.S. national security authorities urging them to allow more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.” [a] Many of the service providers mentioned in the recently leaked PRISM report have made well-publicized requests to the U.S. government for more transparency.[3]

Not only have they allegedly written requests to the government to allow them to disclose information, but the companies (including Facebook [a], Apple [b], Microsoft[c], and Google [d]) have all released explanatory statements in the wake of the June 2013 PRISM scandal. Although service providers claim that the request to release data about their cooperation is in the ‘interest of transparency,’ it instead seems that the motivation for this transparency is to ease consumers’ concerns and help the companies save face. The companies (and the government) will admit their participation in surveillance once it has become impossible to deny their association with the programs. This shrewd aspect of transparency can be seen most clearly in statements like those from Microsoft, who included in their statement on June 14^th, “We have not received any national security orders of the type that Verizon was reported to have received.” [c] Spontaneous allusions like this are meant to contrast guilt-conscious service providers favorably to telecom service providers such as AT&T and Verizon, who allegedly yielded the most communications data and who as of now have yet to release defensive public statements.

Currently, we find ourselves in a situation where entities admit to their collusion in snooping only once information has leaked, indignation has ignited, and scandal has erupted. A half-hearted proactive transparency leads to an outrage demanding reactive semi-transparency. These weak forms of transparency neither satisfy the public, nor allow governments and service providers to maintain dignity.

But now is also a crucial moment for possible reevaluation and reformation of this system, especially in India. Not only is India enacting its own national security surveillance system, the CMS[4] but the recent NSA and PRISM revelations are still sending shockwaves throughout the world of cyber security and surveillance. Last week, a Public Interest Litigation (PIL) was sent to the Indian Supreme Court, arguing that nine foreign service providers (Facebook, Hotmail, Yahoo!, Google, Apple, Skype, Paltalk, AOL, YouTube) violated the trust and privacy of their Indian customers through their collusion with the US government’s surveillance programs.[5]

Among other things, the PIL emphatically sought prosecution of the mentioned corporations, demands for the service providers to establish servers in India, and also sought stricter rules to prevent Indian officials from using these foreign services for work involving national security. Ultimately, the PIL was rejected by the Supreme Court; although the PIL stated the grounds of Rule 6 of the Information Technology Rules 2011 for the guidelines in protecting sensitive Indian citizen information, the SC saw the PIL as addressing problems outside of SC jurisdiction, and was quoted as saying “we cannot entertain the petition as an Indian agency is not involved.”[5][6]

The SC considered the PIL only partially, however, as certain significant parts of the petition were indeed within Indian domestic agency, for example the urge to prohibit federal officials from using the private email services such as Gmail, Hotmail, and Yahoo. And although the SC is not the correct place to push for new safeguard legislation, the ideas of the PIL are not invalid, as Indian leaders have long searched for ways of ensuring basic Indian privacy laws in the context of international service providers. This is also not a problem distinctive to India. International service providers have entered into agreements regarding the same problems of incorporating international customers’ rights, formal agreements which India could emulate if it wanted to demand greater privacy or transparency.

For example, there is the Safe Harbor Framework, an institution in place to protect and mediate European Union citizens’ privacy rights within the servers of foreign (i.e. American) Internet companies. These regulations were established in 2000, and serve the purpose of adjusting foreign companies’ standards to incorporate E.U. privacy laws. In accordance with the agreement, E.U. data is only allowed to be sent to outside providers who maintain the seven Safe Harbor principles, several of which focus on transparency of data usage.[7] India could enact a system similar to this, and it would likely alleviate some of the concerns raised in the most recent PIL. These frameworks, however, have not proven completely reliable safeguards either, especially when the service providers’ own government uses national security as a means to override the agreement. Although the U.S. government has yet to fully confirm or deny many of the NSA and PRISM allegations in regards to Europe, there is currently strong room to believe that the surveillance practices may have violated the Safe Harbor agreements by delivering sensitive E.U. citizen data to the U.S. government.[8] It is uncertain how these revelations will impact the agreements made between the big Silicon-Valley companies and their E.U. customers.

The recent PIL also strongly suggested establishing domestic data servers to keep Indian citizens’ information within the country and under the direct supervision of Indian entities. It strongly pushes for self-reliance as the best way to ensure both citizen and national security. The PIL assumes that domestic servers will not only offer better information protection, but also create much needed jobs and raise national tax revenue.[5] If allegations about PRISM and the E.U. prove true, then the E.U. may also decide to support establishment of European servers as well.

Several of the ideas outlined in the PIL have merit, but may not be as productive as the requesters assume. It is true that establishing servers and domestic regulators in India may temporarily protect from unwanted foreign, i.e. American, surveillance. But at the same time, this also increases likelihood of India’s own central government taking a stronger surveillance stance, more stringently monitoring their own servers and databases. It has not yet been described how the CMS will be operate its surveillance methods, but moving data to domestic servers may just result in shifting power from NSA to CMS. Rather than more privacy or transparency, the situation could easily become a matter of who citizens prefer spying over them.

Even if one government establishes rules which enforce transparency, this may clash with the laws of the service providers’ domestic government, i.e. confidentiality in surveillance. Considering all of this, rejection of foreign service providers and promotion of domestic self reliance may ultimately prove the most effective alternative for nations which are growing rapidly in both internet presence and internet consciousness. But that does not make this option the easiest. Facing the revelations and disillusionment of domestic (CMS) and international (PRISM) surveillance methods, countries like India are reaching an impeding critical juncture. Now is the most important time to establish new norms, while public sentiment is at its highest and transition is most possible, not only creating new laws which can safeguard privacy, but also strongly considering alternatives to foreign service providers like those outlined in June’s PIL. Privacy International’s guiding principles of communications surveillance also offer useful advice, urging for the establishment of oversight institutions which can access surveillance records and periodically publish aggregate data on surveillance methods.[9] Although the balance between security on the national level and security on the personal level will continue to be problematic for nations in the upcoming years, and even though service providers’ positions on surveillance usually seem contrived, Microsoft Vice President John Frank made a statement which deserves appreciation, rightly saying, “Transparency alone may not be enough to restore public confidence, but it’s a great place to start.”[c]

[1]. http://digitaldueprocess.org/

[2]. http://bit.ly/151Ue1H

[3]. http://bit.ly/12XDb1Z

[4]. http://ti.me/11Xh08V

[5]. Copy of 2013 PIL to Supreme Court, Prof. S.N. Singh [attached]

[6]. http://bit.ly/1aXWdbU

[7]. http://1.usa.gov/qafcXe

[8]. http://bit.ly/114hcCX

[9]. http://bit.ly/156wspI

[a]. Facebook Statement: http://bit.ly/ZQDcn6

[b]. Apple Statement: http://bit.ly/1akaBuN

[c]. Microsoft Statement:http://bit.ly/1bFIt31

[d]. Google Statement: http://bit.ly/16QlaqB

For more details visit https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance

The Design & Technology behind India’s Surveillance Programmes

udbhav — 2017-01-20T15:56:44Z

There has been an exponential growth in the pervasive presence of technology in the daily lives of an average Indian citizen over the past few years. While leading to manifold increase in convenience and connectivity, these technologies also allow for far greater potential for surveillance by state actors.

While the legal and policy avenues of state surveillance in India have been analysed by various organisations, there is very little available information about the technology and infrastructure used to carry out this surveillance. This appears to be largely, according to the government, due to reasons of national security and sovereignty.^[1] This blog post will attempt to paint a picture of the technological infrastructure being used to carry out state surveillance in India.

Background
The revelations by Edward Snowden about mass surveillance in mid-2013 led to an explosion of journalistic interest in surveillance and user privacy in India.^[2] The reports and coverage from this period, leading up to early 2015, serve as the main authority for the information presented in this blog post. The lack of information from official government sources as well as decreasing public spotlight on surveillance since that point of time generally have both led to little or no new information turning up about India’s surveillance regime since this period. However, given the long term nature of these programmes and the vast amounts of time it takes to set them up, it is fairly certain that the programmes detailed below are still the primary bedrock of state surveillance in the country, albeit having become operational and inter-connected only in the past 2 years.

The technology being used to carry out surveillance in India over the past 5 years is largely an upgraded, centralised and substantially more powerful version of the surveillance techniques followed in India since the advent of telegraph and telephone lines: the tapping & recording of information in transit.^[3] The fact that all the modern surveillance programmes detailed below have not required any new legislation, law, amendment or policy that was not already in force prior to 2008 is the most telling example of this fact. The legal and policy implication of the programmes illustrated below have been covered in previous articles by the Centre for Internet & Society which can be found here,^[4] here^[5] and here.^[6] Therefore, this post will solely concentrate on the technological design and infrastructure being used to carry out surveillance along with any new developments in this field that the three source mentioned would not have covered from a technological perspective.

The Technology Infrastructure behind State Surveillance in India

The programmes of the Indian Government (in public knowledge) that are being used to carry out state surveillance are broadly eight in number. These exclude specific surveillance technology being used by independent arms of the government, which will be covered in the next section of this post. Many of the programmes listed below have overlapping jurisdictions and in some instances are cross-linked with each other to provide greater coverage:

Central Monitoring System (CMS)
National Intelligence Grid (NAT-GRID)
Lawful Intercept And Monitoring Project (LIM)
Crime and Criminal Tracking Network & Systems (CCTNS)
Network Traffic Analysis System (NETRA)
New Media Wing (Bureau of New and Concurrent Media)

The post will look at the technological underpinning of each of these programmes and their operational capabilities, both in theory and practice.

Central Monitoring System (CMS)

The Central Monitoring System (CMS) is the premier mass surveillance programme of the Indian Government, which has been in the planning stages since 2008^[7] Its primary goal is to replace the current on-demand availability of analog and digital data from service providers with a “central and direct” access which involves no third party between the captured information and the government authorities.^[8] While the system is currently operated by the Centre for Development of Telematics, the unreleased three-stage plan envisages a centralised location (physically and legally) to govern the programme. The CMS is primarily operated by Telecom Enforcement and Resource Monitoring Cell (TERM) within the Department of Telecom, which also has a larger mandate of ensuring radiation safety and spectrum compliance.

The technological infrastructure behind the CMS largely consists of Telecom Service Providers (TSPs) and Internet Service Providers (ISPs) in India being mandated to integrate Interception Store & Forward (ISF) servers with their Lawful Interception Systems required by their licences. Once these ISF servers are installed they are then connected to the Regional Monitoring Centres (RMC) of the CMS, setup according to geographical locations and population. Finally, Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS) itself, essentially allowing the collection, storage, access and analysis of data collected from all across the country in a centralised manner. The data collected by the CMS includes voice calls, SMS, MMS, fax communications on landlines, CDMA, video calls, GSM and even general, unencrypted data travelling across the internet using the standard IP/TCP Protocol.^[9]

With regard to the analysis of this data, Call Details Records (CDR) analysis, data mining, machine learning and predictive algorithms have been allegedly implemented in various degrees across this network.^[10] This allows state actors to pre-emptively gather and collect a vast amount of information from across the country, perform analysis on this data and then possibly even take action on the basis of this information by directly approaching the entity (currently the TERM under C-DOT) operating the system. ^[11] The system has reached full functionality in mid 2016, with over 22 Regional Monitoring Centres functional and the system itself being ‘switched on’ post trials in gradual phases.^[12]

National Intelligence Grid (NATGRID)

The National Intelligence Grid (NATGRID) is a semi-functional^[13] integrated intelligence grid that links the stored records and databases of several government entities in order to collect data, decipher trends and provide real time (sometimes even predictive) analysis of data gathered across law enforcement, espionage and military agencies. The programme intends to provide 11 security agencies real-time access to 21 citizen data sources to track terror activities across the country. The citizen data sources include bank account details, telephone records, passport data and vehicle registration details, the National Population Register (NPR), the Immigration, Visa, Foreigners Registration and Tracking System (IVFRT), among other types of data, all of which are already present within various government records across the country.^[14]

Data mining and analytics are used to process the huge volumes of data generated from the 21 data sources so as to analyse events, match patterns and track suspects, with big data analytics^[15] being the primary tool to effectively utilise the project, which was founded to prevent another instance of the September, 2011 terrorist attacks in Mumbai. The list of agencies that will have access to this data collection and analytics platform are the Central Board of Direct Taxes (CBDT), Central Bureau of Investigation (CBI), Defense Intelligence Agency (DIA), Directorate of Revenue Intelligence (DRI), Enforcement Directorate (ED), Intelligence Bureau (IB), Narcotics Control Bureau (NCB), National Investigation Agency (NIA), Research and Analysis Wing (RAW), the Military Intelligence of Assam , Jammu and Kashmir regions and finally the Home Ministry itself.^[16]

As of late 2015, the project has remained stuck because of bureaucratic red tape, with even the first phase of the four stage project not complete. The primary reason for this is the change of governments in 2014, along with apprehensions about breach of security and misuse of information from agencies such as the IB, R&AW, CBI, and CBDT, etc.^[17] However, the office of the NATGRID is now under construction in South Delhi and while the agency claims an exemption under the RTI Act as a Schedule II Organisation, its scope and operational reach have only increased with each passing year.

Lawful Intercept And Monitoring Project

Lawful Intercept and Monitoring (LIM), is a secret mass electronic surveillance program operated by the Government of India for monitoring Internet traffic, communications, web-browsing and all other forms of Internet data. It is primarily run by the Centre for Development of Telematics (C-DoT) in the Ministry of Telecom since 2011.^[18]

The LIM Programme consists of installing interception, monitoring and storage programmes at international gateways, internet exchange hubs as well as ISP nodes across the country. This is done independent of ISPs, with the entire hardware and software apparatus being operated by the government. The hardware is installed between the Internet Edge Router (PE) and the core network, allowing for direct access to all traffic flowing through the ISP. It is the primary programme for internet traffic surveillance in India, allowing indiscriminate monitoring of all traffic passing through the ISP for as long as the government desires, without any oversight of courts and sometimes without the knowledge of ISPs.^[19] One of the most potent capabilities of the LIM Project are live, automated keyword searches which allow the government to track all the information passing through the internet pipe being surveilled for certain key phrases in both in text as well in audio. Once these key phrases are successfully matched to the data travelling through the pipe using advanced search algorithms developed uniquely for the project, the system has various automatic routines which range from targeted surveillance on the source of the data to raising an alarm with the appropriate authorities.

LIM systems are often also operated by the ISPs themselves, on behalf of the government. They operate the device, including hardware upkeep, only to provide direct access to government agencies upon requests. Reports have stated that the legal procedures laid down in law (including nodal officers and formal requests for information) are rarely followed^[20] in both these cases, allowing unfettered access to petabytes of user data on a daily basis through these programmes.

Crime and Criminal Tracking Network & Systems (CCTNS)

The Crime and Criminal Tracking Network & System (CCTNS) is a planned network that allows for the digital collection, storage, retrieval, analysis, transfer and sharing of information relating to crimes and criminals across India.^[21] It is supposed to primarily operate at two levels, one between police stations and the second being between the various governance structures around crime detection and solving around the country, with access also being provided to intelligence and national security agencies.^[22]

CCTNS aims to integrate all the necessary data and records surrounding a crime (including past records) into a Core Application Software (CAS) that has been developed by Wipro.^[23] The software includes the ability to digitise FIR registration, investigation and charge sheets along with the ability to set up a centralised citizen portal to interact with relevant information. This project aims to use this CAS interface across 15, 000 police stations in the country, with up to 5, 000 additional deployments. The project has been planned since 2009, with the first complete statewide implementation going live only in August 2016 in Maharashtra. ^[24]

While seemingly harmless at face value, the project’s true power lies in two main possible uses. The first being its ability to profile individuals using their past conduct, which now can include all stages of an investigation and not just a conviction by a court of law, which has massive privacy concerns. The second harm is the notion that the CCTNS database will not be an isolated one but will be connected to the NATGRID and other such databases operated by organisations such as the National Crime Records Bureau, which will allow the information present in the CCTNS to be leveraged into carrying out more invasive surveillance of the public at large.^[25]

Network Traffic Analysis System (NETRA)

NETRA (NEtwork TRaffic Analysis) is a real time surveillance software developed by the Centre for Artificial Intelligence and Robotics (CAIR) at the Defence Research and Development Organisation. (DRDO) The software has apparently been fully functional since early 2014 and is primarily used by Indian Spy agencies, the Intelligence Bureau (IB) and the Research and Analysis Wing (RAW) with some capacity being reserved for domestic agencies under the Home Ministry.

The software is meant to monitor Internet traffic on a real time basis using both voice and textual forms of data communication, especially social media, communication services and web browsing. Each agency was initially allocated 1000 nodes running NETRA, with each node having a capacity to analyse 300GB of information per second, giving each agency a capacity of around 300 TB of information processing per second.^[26] This capacity is largely available only to agencies dealing with External threats, with domestic agencies being allocated far lower capacities, depending on demand. The software itself is mobile and in the presence of sufficient hardware capacity, nothing prevents the software from being used in the CMS, the NATGRID or LIM operations.

There has been a sharp and sudden absence of public domain information regarding the software since 2014, making any statements about its current form or evolution mere conjecture.

Analysis of the Collective Data

Independent of the capacity of such programmes, their real world operations work in a largely similar manner to mass surveillance programmes in the rest of the world, with a majority of the capacity being focused on decryption and storage of data with basic rudimentary data analytics.^[27] Keyword searches for hot words like 'attack', 'bomb', 'blast' or 'kill' in the various communication stream in real time are the only real capabilities of the system that have been discussed in the public domain,^[28] which along with the limited capacity of such programmes^[29] (300 TB) is indicative of basic level of analysis that is carried on captured data. Any additional details about the technical details about how India’s surveillance programmes use their captured data is absent from the public domain but they can presumed, at best, to operate with similar standards as global practices.^[30]

Capacitative Global Comparison

As can be seen from the post so far, India’s surveillance programmes have remarkably little information about them in the public domain, from a technical operation or infrastructure perspective. In fact, post late 2014, there is a stark lack of information about any developments in the mass surveillance field. All of the information that is available about the technical capabilities of the CMS, NATGRID or LIM is either antiquated (pre 2014) or is about (comparatively) mundane details like headquarter construction clearances.^[31] Whether this is a result of the general reduction in the attention towards mass surveillance by the public and the media^[32] or is the result of actions taken by the government under the “national security” grounds under as the Official Secrets Act, 1923^[33] can only be conjecture.

However, given the information available (mentioned previously in this article) a comparative points to the rather lopsided position in comparison to international mass surveillance performance. While the legal provisions in India regarding surveillance programmes are among the most wide ranging, discretionary and opaque in the world^[34] their technical capabilities seem to be anarchic in comparison to modern standards. The only real comparative that can be used is public reporting surrounding the DRDO NETRA project around 2012 and 2013. The government held a competition between the DRDO’s internally developed software “Netra” and NTRO’s “Vishwarupal” which was developed in collaboration with Paladion Networks.^[35] The winning software, NETRA, was said to have a capacity of 300 GB per node, with a total of 1000 sanctioned nodes.^[36] This capacity of 300 TB for the entire system, while seemingly powerful, is a miniscule fragment of 83 Petabytes traffic that is predicted to generated in India per day.^[37] In comparison, the PRISM programme run by the National Security Agency in 2013 (the same time that the NETRA was tested) has a capacity of over 5 trillion gigabytes of storage^[38], many magnitudes greater than the capacity of the DRDO software. Similar statistics can be seen from the various other programmes of NSA and the Five Eyes alliance,^[39] all of which operated at far greater capacities^[40] and were held to be minimally effective.^[41] The questions this poses of the effectiveness, reliance and proportionality of the Indian surveillance programme can never truly be answered due to the lack of information surrounding capacity and technology of the Indian surveillance programmes, as highlighted in the article. With regard to criminal databases used in surveillance, such as the NATGRID, equivalent systems both domestically (especially in the USA) and internationally (such as the one run by the Interpol)^[42] are impossible due to the NATGRID not even being fully operational yet.^[43]

Conclusion

Even if we were to ignore the issues in principle with mass surveillance, the pervasive, largely unregulated and mass scale surveillance being carried in India using the tools and technologies detailed above have various technical and policy failings. It is imperative that transparency, accountability and legal scrutiny be made an integral part of the security apparatus in India. The risks of security breaches, politically motivated actions and foreign state hacking only increase with the absence of public accountability mechanisms. Further, opening up the technologies used for these operations to regular security audits will also improve their resilience to such attacks.

^[1] http://cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law

^[2] http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/

^[3] https://www.privacyinternational.org/node/818

^[4] http://cis-india.org/internet-governance/blog/state-of-cyber-security-and-surveillance-in-india.pdf

^[5] http://cis-india.org/internet-governance/blog/security-surveillance-and-data-sharing.pdf

^[6] http://cis-india.org/internet-governance/blog/paper-thin-safeguards.pdf

^[7] http://pib.nic.in/newsite/PrintRelease.aspx?relid=54679 & http://www.dot.gov.in/sites/default/files/English%20annual%20report%202007-08_0.pdf

^[8] http://ijlt.in/wp-content/uploads/2015/08/IJLT-Volume-10.41-62.pdf

^[9] http://www.thehindu.com/scitech/technology/in-the-dark-about-indias-prism/article4817903.ece

^[10] http://cis-india.org/internet-governance/blog/india-centralmonitoring-system-something-to-worry-about

^[11] https://www.justice.gov/sites/default/files/pages/attachments/2016/07/08/ind195494.e.pdf

^[12] http://www.datacenterdynamics.com/content-tracks/security-risk/indian-lawful-interception-data-centers-are-complete/94053.fullarticle

^[13] http://natgrid.attendance.gov.in/ [Attendace records at the NATGRID Office!]

^[14] http://articles.economictimes.indiatimes.com/2013-09-10/news/41938113_1_executive-order-nationalintelligence-grid-databases

^[15] http://www.business-standard.com/article/current-affairs/natgrid-to-use-big-data-analytics-to-track-suspects-1

^[16] http://sflc.in/wp-content/uploads/2014/09/SFLC-FINAL-SURVEILLANCE-REPORT.pdf

^[17] http://indiatoday.intoday.in/story/natgrid-gets-green-nod-but-hurdles-remain/1/543087.html

^[18] http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece

^[19] ibid

^[20] http://www.thehoot.org/story_popup/no-escaping-the-surveillance-state-8742

^[21] http://ncrb.gov.in/BureauDivisions/CCTNS/cctns.htm

^[22] ibid

^[23] http://economictimes.indiatimes.com/news/politics-and-nation/ncrb-to-connect-police-stations-and-crime-data-across-country-in-6-months/articleshow/45029398.cms

^[24] http://indiatoday.intoday.in/education/story/crime-criminal-tracking-network-system/1/744164.html

^[25] http://www.dailypioneer.com/nation/govt-cctns-to-be-operational-by-2017.html

^[26] http://articles.economictimes.indiatimes.com/2012-03-10/news/31143069_1_scanning-internet-monitoring-system-internet-data

^[27] Surveillance, Snowden, and Big Data: Capacities, consequences, critique: http://journals.sagepub.com/doi/pdf/10.1177/2053951714541861

^[28] http://www.thehindubusinessline.com/industry-and-economy/info-tech/article2978636.ece

^[29] See previous section in the article “NTRO”

^[30] Van Dijck, José. "Datafication, dataism and dataveillance: Big Data between scientific paradigm and ideology." Surveillance & Society 12.2 (2014): 197.

^[31] http://www.dailymail.co.uk/indiahome/indianews/article-3353230/Nat-Grid-knots-India-s-delayed-counter-terror-programme-gets-approval-green-body-red-tape-stall-further.html

^[32] http://cacm.acm.org/magazines/2015/5/186025-privacy-behaviors-after-snowden/fulltext

^[33] https://freedomhouse.org/report/freedom-press/2015/india

^[34] http://blogs.wsj.com/indiarealtime/2014/06/05/indias-snooping-and-snowden/

^[35] http://articles.economictimes.indiatimes.com/2012-03-10/news/31143069_1_scanning-internet-monitoring-system-internet-data

^[36] http://economictimes.indiatimes.com/tech/internet/government-to-launch-netra-for-internet-surveillance/articleshow/27438893.cms

^[37] http://trak.in/internet/indian-internet-traffic-8tbps-2017/

^[38] http://www.economist.com/news/briefing/21579473-americas-national-security-agency-collects-more-information-most-people-thought-will

^[39] http://www.washingtonsblog.com/2013/07/the-fact-that-mass-surveillance-doesnt-keep-us-safe-goes-mainstream.html

^[40] http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/

^[41] Supra Note 35

^[42] http://www.papillonfoundation.org/information/global-crime-database/

^[43] http://www.thehindu.com/opinion/editorial/Revive-NATGRID-with-safeguards/article13975243.ece

For more details visit https://cis-india.org/internet-governance/blog/the-design-technology-behind-india2019s-surveillance-programmes

The debate over internet governance and cyber crimes: West vs the rest?

Elizabeth Dominic — 2020-06-08T07:04:26Z

The post looks at the two models proposed for internet governance and the role of cyber crimes in shaping the debate. In this context, it will also critically analyze the Budapest Convention (the “convention”) and the recently proposed Russian Resolution (the “resolution”), and the strategies adopted in each to deal with the menace of cybercrimes. It will also briefly discuss India’s stances on these issues.

With Internet connectivity and use of technology rising exponentially, the tug of war over Internet governance continues. On one end are the states advocating for a global, open and free model of the Internet, dubbed as the ‘Western model’, spearheaded by the U.S. and its allies. On the other end are a cluster of states led by China and Russia, advocating for a sovereign and controlled version of the internet, a ‘Leviathan model’. Although the idea of an Internet embodying the principles of equality, openness and multistakeholderism sounds appealing, the rise of new trends including cyber crimes and online misinformation poses a challenge to this model making it arduous, if not impossible, to pick one model over the other.

The post will briefly explore the two models proposed for Internet governance and the role of cybercrimes in shaping the debate. In this context, it will also critically analyze the Budapest Convention (the “convention”) and the recently proposed Russian Resolution (the “resolution”), and the strategies adopted in each to deal with the menace of cybercrimes. It will also briefly discuss India’s stance on the convention.

Two Models and Three Parties

Since the evolution of the Internet, its stewards have been expounding a global internet embodying features such as statelessness, openness, interoperability, security, and multistakeholderism. Known as the Western model of internet governance, it has been embraced by many states including UK, France. The model is premised on the idea that the internet should be a space where there is free flow of content without filtering by any intervening party including the state, thereby upholding the freedom of speech and human rights. However since the potential to cause harm in cyberspace is real, the states cannot leave the domain ungoverned. Therefore, the proponents of the Western model do exercise some degree of sovereignty over cyberspace within their borders but it is largely in contrast to the tight control exercised by the statist and controlled model, spearheaded by China and Russia. The latter model advocates for a closed version of the internet bound by territorial borders along with authoritarian control over the flow of information.

Interestingly, not every state can be easily categorized into either of these groups. Some states either lack the capacity or an interest to implement one of the model. Tim Maurer et al. in a seminal paper identifies such states as the “swing states”. They are undecided on either of the models but have the capacity to influence global conversations due to their mixed political orientations and resources. Swing states and the influence they wield in shaping the trajectory of the international process is not the focus of this post but will be explored in a future blog post.

Cyber Crime: The Menace of Internet Era

While the internet has huge potential to enable development of states on many fronts, it can also be used for criminal purposes. Cybercrime is one of the most daunting challenges of the internet era. Technological advancements that enable unique features like anonymity in cyberspace make cybercrimes less risky with the potential to provide high returns, making it all the more appealing to various actors. The growing number of internet users and connected devices increases the number of possible targets. Examples include Stuxnet, a malware that targeted the Iranian nuclear facility, and Wannacry, a ransomware attack that affected computers worldwide. In 2018, the Chief of United Nations Office on Drugs and Crime (UNODC) pointed out that cyber crimes are estimated to generate revenue of approximately $1.5trillion per year. Despite cyber crimes proliferating rapidly, law enforcement agencies have not been able to keep up the pace resulting in an enforcement gap. The transnational nature of cyber crimes is one of the major difficulties faced by them. Due to its global nature, cyberspace provides a platform for criminals to commit crimes out of one state, which could have the potential to affect multiple victims in different states. This means investigations of such crimes involve questions of extra territorial jurisdictions and increased cooperation between authorities of different states, creating various complications. This, coupled with diverse types of actors such as states, non-state actors, and groups hired by either of the two further complicates the issue at hand.

The Convention on Cybercrime of the Council of Europe, known as the Budapest Convention, is the only international instrument currently in place that addresses the issue of cyber crime. Recognizing the paramount need for combating crimes, it criminalizes conduct that affects the “confidentiality, integrity, and availability of computer systems, networks, and computer data”. It covers a diverse rangeof issues ranging from illegal access, computer related fraud to child pornography. Furthermore, it serves as an instrument that facilitates greater cooperation among states to enable better detection, investigation, and prosecution of cyber crimes.

The wide division of opinions on internet governance is also mirrored in the debate on how to effectively tackle the issue of cybercrime. This led to a recent development in last year’s General Assembly in the form of a Russian-led resolution on cybercrime. The resolution proposes the establishment of a committee of experts to draft a new cybercrime treaty that would replace the convention. Considering the fact that Russia has been a strong advocate of a Leviathan model of internet, the proposed treaty would in most likelihood embrace principles of sovereignty and non-interference while dealing with cyber crimes.

With the resolution passing the final vote at the UN General Assembly, the proponents of the convention are met with a time bound challenge to come up with innovative approaches to convince more states to join their side.

The Budapest Convention v. The Russian Resolution

The Budapest Convention has met with multiple criticisms, the major one being that it is a West drafted treaty with hardly any involvement of the developing countries. It’s also argued that as the treaty is almost two decades old, its provisions are too outdated to deal with evolving crimes. Furthermore, it is criticized for the vagueness of some of its provisions, which allow governments to bifurcate their obligations, and thereby hinders the effective implementation of the treaty. For example, the MLA regime of the treaty is often cited as ineffective as it does not command firm cooperation from parties by providing them grounds to refuse the same.

Despite being imperfect, a realistic analysis of the convention would reveal that it is the best instrument at hand to deal with cyber crimes. The convention, establishing common standards for its signatories, along with the Cybercrime Convention Committee (the “Committee”) that oversees its implementation and Programme Office on Cyber Crime (the “C-PROC”) dedicated towards capacity building, provides a dynamic framework for effectively tackling cybercrimes. The Committee ensures that the convention is adapted to address evolving crimes such as denial of service attacks and identity thefts, which did not exist at the time the convention was adopted, by issuing guidance notes and draft protocols. Similarly on the issue of procedural law, despite new developments such as cloud servers, the Committee is actively working on addressing the complicated challenges posed by it. It has proposed an additional protocol to specifically deal with access to evidence in the cloud by facilitating more efficient mutual legal assistance amongst the signatories and direct cooperation with service providers, while striking a balance between rule of law and human rights. The protocol if adopted would not only aid in the law enforcement process but would also have a major impact on how the international community perceives sovereignty in cyberspace. Furthermore, The C-PROC through its various capacity building initiatives such as strengthening of the legislations along the lines of rule of law and human rights, training of relevant authorities, promotion of public-private partnerships and international cooperation strengthens the ability of states to deal with cyber crimes.

While the international community is unable to arrive at a consensus on internet governance, with neither conglomerate of states acceding to the demands of the other, renewing global diplomatic negotiations on it might seem to be the best step. However a look at Russia’s resolution and its draft cyber crime convention would indicate that it might not be the appropriate solution to the problem at hand. The resolution as well as the draft convention, which is supposed to serve as a framework for the treaty, are drafted without due regard for human rights concerns. A mere reference to human rights, requiring use of ICTs to be in compliance with human rights and fundamental freedoms, is insufficient to safeguard it while combating cyber crimes. Primarily, the language used in the resolution is vague.It fails to define “use of information and communication technologies for criminal purposes". It mentions both cyber enabled crimes such as use of ICTs for trafficking as well as cyber crimes that could detrimentally affect “critical infrastructures of states and enterprises” and “well-being of individuals”. Such broad wording is highly problematic as it vests immense powers at the hands of the state to criminalize even ordinary online behaviour that is detrimental to its interests. In fact, such practices are already in existence around the world where we see governments clamping down on human rights activists, journalists, and civil society for expressing their opinions that are critical of the government in the online space. Numerous examples of such authoritarian actions include internet shutdowns, blocking of websites, which have become the trend around the world. While legislations curbing cyber crimes are quintessential to ensure a safe and secure cyberspace, arbitrary use of it, as is widely observed, today can have chilling effects on exercising rights in the online domain. Furthermore, combating a complex issue like cyber crime, which involves questions of technicalities, laws, and human rights, requires concerted efforts from various stakeholders including civil society and private sector. It is only through such multistakeholder endeavors that we can curb the use of ICTs for criminal purposes without hindering human rights. Therefore an ad hoc intergovernmental group of experts, as proposed by the resolution, is not the appropriate body to develop an international treaty on cyber crimes.

In short, the resolution and the draft convention are proposing a Leviathan model vesting state with excessive control over the internet. In practice, it would bear resemblance to the “sovereign internet law” of Russia and the “Golden Shield Project” of China. Such models are widely criticized for eschewing democratic principles in the name of ensuring security of the state from cyber attacks. For instance, the “sovereign internet law” mandates installation of technical equipments for counteracting threats to stability, security, and functional integrity of the internet.” The law, therefore, allows the government to prevent any communication that challenges its interests. A past attempt by the Russian government to block Telegram, is an example of the same. Furthermore, in the event of a “threat”, the law provides for routing of traffic solely through networks located within Russia, thereby allowing isolation of the national network and centralized control over it by the state. It paves the way for creation of digital borders, premised on the principle of state sovereignty. The “Great Firewall of China”, a part of the “Golden Shield Project”, is the most appropriate depiction of internet sovereignty. The Firewall serves as a system of surveillance that vests the government with complete control over all incoming and outgoing information over the Chinese networks. Any new domain has to obtain prior approval from the government before becoming accessible on the Chinese internet. When it comes to the question of human rights, a mere search for the term “democracy” in a search engine is blocked. The resolution by leaving the question of what amounts to use of ICTs for criminal purposes open-ended creates the danger of exercising of similar excessive powers by the states that could impinge upon fundamental human rights. The draft convention already incorporates the principle of state sovereignty. If adopted, it comes with the risk of us seeing the likes of Chinese model of the internet in greater numbers.

The convention is not perfect but we should be realistic and not expect one treaty to solve all problems at a go. The convention, coupled with its follow-up and capacity-building mechanisms are making positive developments in addressing evolving cyber threats while promoting a global and open internet . With as many as 65 parties and many using it as the model for their national cyber crime legislation, a new treaty to address cyber crimes pose the risk of hindering the developments made by the convention so far especially in the international cooperation front. Concerted efforts to improvise the convention are more practical than developing a new international framework, especially when the probability of reaching a consensus is almost nil.

India and the Budapest Convention: To Ratify or Not

Despite cybersecurity being a major concern and occupying a central place in its overall internet governance policy, India has surprisingly not yet become a party to the convention. It has even amended its Informational Technology Act, 2008 along the lines of the convention. India’s reluctance to sign, notwithstanding the convention’s potential to aid it in addressing its concerns in the cyber front especially with regard to jurisdictional issues while tackling cyber crimes, warrants an analysis.

One of the widely cited reasons for the reluctance is the non-inclusion of India and other developing countries in the drafting stage. However choosing to stand on the sidelines merely because of non-inclusion in the initial negotiations might not be the wisest move especially since the convention addresses matters that are of extreme importance to India. Ratifying the treaty even at a later stage would still enable it to participate in further evolution of the convention, which could outweigh this concern. Another major concern for India is that terrorism, considering how cyberspace has enlarged its scope and reach, does not find any mention in the substantive law of the convention. However the procedural provisions of the convention apply to any criminal offence committed with the aid of a computer, including terrorism. But it is often argued that the MLA regime is not sufficiently firm to facilitate cooperation. While it is true that the process has to be made more efficient, the Committee along with the Cloud Evidence Group is actively working on addressing its shortcomings. Finally, controversial provision-Ar.32, on cross border access to data- is also a cause for concern for India. The Guidance Notes issued by the Committee, however, clarifies the limited scope of the article thereby addressing the privacy and data protection concerns raised against it.

The convention is still evolving and is constantly being reviewed to make it more effective. Therefore India has to ask itself the question whether it wants to stand on the sidelines and observe the developments or if it should partake in shaping its progress. Currently, it is the only instrument in place that provides a legal framework for facilitating cooperation on cyber crime investigations amongst various jurisdictions. Considering that India has already embarked on a “Digital India” initiative, which in most likelihood will be accompanied by a spike in cyber crimes, it is the need of the hour to ratify the convention.

Elizabeth Dominic is a lawyer and a tech-policy researcher. Her work focuses on the intersection of law and technology and human rights, particularly on the applicability of current international legal frameworks to cyberspace and emerging technologies. Previously, she has worked at the Centre for Communication Governance and at IT for Change.

This post was reviewed and edited by Aman Nair,Amber Sinha and Arindrajit Basu

For more details visit https://cis-india.org/internet-governance/blog/the-debate-over-internet-governance-and-cyber-crimes-west-vs-the-rest

The dark side of future tech: Where are we headed on privacy, security, truth?

Admin — 2018-12-30T09:24:40Z

#2018 Year-End Special: We now live in a time when devices listen, chips track your choices, and governments can watch from behind a barcode. How do we navigate this world?

The article by Dipanjan Sinha was published in the Hindustan Times on December 29, 2018. Pranesh Prakash was quoted.

“One of the definitions of sanity is the ability to tell real from unreal. Soon we’ll need a new definition,” Alvin Toffler, author of the 1970 bestseller Future Shock, once said.

Privacy. Security. Freedom. Democracy. History. News — the lines between the real and unreal are blurring in each of these fields.

Fake news is helping decide elections; history being rewritten as it happens; rumour has become identical in look, feel and distribution to the actual news.

Devices that listen, governments that watch you from behind a barcode, chips that track where you go, what you eat, how you feel — these used to be the stuff of dystopian novels.

In April, the world learnt of the Chinese government’s social credit system, a programme currently in the works that would employ private technology platforms and local councils to use personal data to assign a social score to every registered citizen.

Behave as the state wants you to, and you could get cheaper loans, easier access to education; it’s unclear what the consequences could be for those who do the opposite, but discredits are likely for bad behaviours that range from smoking in non-smoking zones to buying ‘too many’ video games, and being critical of the government.

We’ve seen this before — totalitarian governments where the individual is under constant surveillance by a state that pretends this is for the greater good. But the last time we came across it, it was fiction — George Orwell’s 1984, set in a superstate where thought police took their orders from a totalitarian leader with a friendly name, Big Brother.

CATCH-22

“Just because you’re paranoid doesn’t mean they aren’t out to get you,” Joseph Heller said, in Catch-22, a novel so layered that you’re never sure which bits are true. Who gets access to the data your phone collects? What is the government watching for, after they’ve assigned citizens unique IDs?

It feels good to be able to criticise China, still something of an anomaly in a global community that is largely democratic and free-market, but the UK had a National Identity Cards Act from 2006 to 2010; India has the Aadhar project; Brazil has had the National Civil Identification document since 2017; Germany, a national identity card since 2010, and Colombia has had one since 2013.

They’re collecting biometric data, assigning numbers to citizens and building national registers — with not much word on what’s in them, who has access, or how secure they are.

“To ask what the risk is with accumulating such big data is like asking what the risk is with computers. They are both embedded in our lives,” says Pranesh Prakash, a fellow at the thinktank Centre for Internet and Society.

Security is just the base layer in the pyramid if risks. There is also the risk of discrimination — whether in terms of benefits, employment, or something like marriage, Prakash says. There is the risk of bad data leading to worse discrimination; there is the risk of public profiling.

“The question here is about transparency,” Prakash says. “The questions of what the data contains, who it is accessed by or sold do, how much of it there is, and what the purpose is of collecting it — need to be clearly answered.”

OPERATION THEATRE

New questions are being asked in the field of medicine as well. Where do you draw the line on designer babies? Should parents get to edit the genes of their child-to-be? How much ought we to tinker — do you stop at mutations, or go on to decide hair colour and intellect?

As it becomes cheaper and easier to sequence DNA, the questions over the next steps — of interpreting and analysing the data — will become more complex, says K VijayRaghavan, principal scientific adviser to the government of India, and former director of the National Centre for Biological Sciences. “From here on, with the data deluge, deciding what and how to do it will become fiendishly complex. Especially as commercial interests become involved.”

We have rules and laws for the use of DNA information in research, but corresponding laws that regulate how one can use personal whole genome information in the public space are still being framed. “The data-privacy discussion will soon get to the genomic-data space,” VijayRaghavan says. “Data sharing is needed for patients to benefit. Yet data privacy is needed to prevent exploitative use. It’s a conundrum, and there are no easy answers.”

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-dipanjan-sinha-december-29-2018-the-dark-side-of-future-tech

The Dangers Of Birdsong

praskrishna — 2014-02-12T10:29:10Z

Instant gratification? Social media can quickly turn the game into checkmate if you don’t keep your emotions in check.

Namrata Joshi's article was published in Outlook on January 25, 2014. Sunil Abraham is quoted.

“Woke up from a dream in which I had just learned that I was going to keep wickets for India. In my dream, I thought, let me share this news on Twitter. I didn’t, fearing I would be made a laughing stock.” These are few of a series of stream of consciousness tweets about a dream posted this Monday by author-academician Amitava Kumar. Tweets that don’t just have to do with dreaming of a personal achievement, but also about tweeting it. “Twitter has invaded even our sleeping life,” says Amitava on an e-mail but also admits that he didn’t think for a moment that he was sharing something private in a public place while tweeting his reverie. “Instead, perhaps, I was seeking a private connection with a lot of readers.” Which he did rustle up in good measure. He followed it up by tweeting a picture of his son with him, taken by his 10-year-old daughter Ila, as a homage to a similar photostream by author- photographer-art historian Teju Cole.

Amitava’s unfussy and creative candidness about tweeting things personal, which he prefers to see as “grappling with a form of writing” came in the wake of a weekend of vigorous debate on how social media platforms were bringing the private under unblinking public scrutiny—the immediate hook being the sudden, tragic death of Sunanda Pushkar after her no-holds-barred Twitter war with Pakistani journalist Mehr Tarar (over the latter’s alleged liaison with her husband Shashi Tharoor, which was consumed with much amusement by their vicarious, at times vicious, followers). The Tharoor incident is not a stand-alone case. Be it a confidentiality clause or diplomatic tact, a professional decision or personal affair or even a death of someone close to you, social media has become a stage to play out the classified and the confidential (see infographic) by the celebrities and the aam aadmi alike. The payback? Spats, comebacks, breakdowns, meltdowns, resignations, embarrassments, humiliations, kerfuffles....

And it’s not something confined to India alone. “US Congressman Anthony Weiner’s tweet of his, let’s call it, torso, to a young woman in Seattle is perhaps the most egregious example of a US politician behaving badly online,” says Amitava. No surprise then that Weiner became a butt of late-night comedy shows.

But the larger question here is why. Why this urge and urgency to share it all? What is it about a platform like Twitter or Facebook that makes people bare and dare? Is it that the immediacy, speed and reach allows them the easiest way to extend the boundaries of their secluded, lonely lives, get instant attention and fan the curiosity of someone out there who they don’t even know? And why is propriety and moderation getting thrown out of the window in the world of virtual exchanges? Adman-columnist Santosh Desai calls Twitter a “broadcast system to the universe”. The tweets are often “thought bubbles”, “something you mutter” without a full sense of what public means. “The spur of the moment opinion or feeling acquires public currency,” he says. “The unraveling of the human being, the opening up of the closed box then becomes a new source of stimulation and pleasure,” he says. “I sometimes wonder how we shared before Twitter. We talk about what we like, don’t like at the drop of a hat. At times you are vulnerable and vent things out without an agenda and without knowing the repercussions. We creative bunch are like that,” says popular actress Divya Dutta.

According to Sunil Abraham, executive director of the Centre for Internet and Society, Bangalore, private information is a currency in the global attention economy. “One of the many ways of climbing the attention economy is to divulge private information. Those in public life like filmstars and socialites understand this completely and exploit all traditional broadcast channels and contemporary multicast channels like social media to amass public attention,” he says. Look closely and the online space is no different from the real. There are as many exceptions as there are rules. So for every exhibitionist handle that exploits our latent voyeurism, there is a Natasha Badhwar, one of the most life-affirming presences on Twitter. For her, like Amitava, sharing is a mode of expression. “Sharing gives us agency. We take back the power to tell our story, express our views, share our version in our own words,” she says. According to her, “honest” sharing fuels empathy. “It is contagious, it makes the reader want to share too,” she says. And from that sharing could emerge a new pool of acquaintances, friends and well-wishers. It may not be a virtual escape from the real but a journey and connect back to the actual, an expansion of the human circle than a depletion of it.

But not all our friends and followers need necessarily be sympathetic. Often they are also brutally savage. “The anonymity allows people to say exactly what they want without considering the implications. They don’t realise that it’s not just a handle but a human being they are talking to,” says Nikhil Pahwa, founder of medianama.com. Amitava compares it to drone warfare. “The technology of remote destruction has introduced a new experience of war, and a new logic of killing. You can kill with greater abandon; you can strike in unexpected places; you are confronted with few consequences of your fatal mistakes. Similarly, Twitter allows a mode of social exchange with less culpability. There are very few consequences for trolls, but disastrous ones for their victims,” he says.

But surely that doesn’t mean that you blur all the lines between the private and the public? How to exercise caution? How much to open up (or not) and how much of your core to keep to yourself? Life, after all, is too complex and fragile for blame games and finger-pointing at social media alone. It’s those using it who need to own up. “People need to take responsibility for what they say. It’s like someone telling me how he was abused for 15 minutes on the phone when he could have easily cut the call,” says Nikhil Pahwa. “It’s a modern form of communication which you have to embrace but there’s a line you must draw. For instance, my wife and I never interact on FB or Twitter. I keep the family to myself. Jokes are fine but I don’t abuse or use swear words,” says actor Ashwin Mushran. “There has to be a sense of decorum. I won’t put out what I gossip about with my friends. I have no strategy but am guarded by my own belief system,” says actor Rajat Kapoor.

“It’s normal human nature to express. Be it anger or frustration, as a counsellor I tell people to not suppress emotions but some moderation and etiquette need to apply in cyber space,” says Mukta Puntambekar deputy director of Pune-based Muktangan Rehabilitation Centre. “You have to accept that your followers and friends will have access to details about you. You have to exercise discretion in saving something of yourself for yourself. There are areas that need not be opened up for all,” says actor-comedian Vir Das, who recently posted an open letter on FB—‘Twitter Bad? Facebook Evil? or We Stupid?’—on the pointlessness of blaming social media for the Tharoor family tragedy. To extend the argument further, and add another layer to it, aren’t we also living in times when privacy itself is evolving, asks Rajesh Lalwani, CEO of blogworks and a self-confessed people-watcher. “My grandmother would not even eat in public. But we eat in restaurants, on the streets,” he says.

Privacy is also becoming an ambiguous, vague and complex entity. Getting tagged in a friend’s photo compromises your privacy without your involvement or participation. “The line between private and public has mostly dissolved because of the temporal persistence of digital traces in cyberspace, the global nature of the network and the ubiquitous and pervasive surveillance state,” says Abraham. “On Twitter and FB, things get circulated...what we put up, whether it’s a tweet, an update or a picture, is permanent unlike memory,” says Desai. The digital trail stays online. “We are leaving our digital footprints behind. What we post might be easy but the implications of it are complicated,” says writer, filmmaker and media observer Amit Khanna.

According to him, there is a gap between the progression of technology and society. “There are newer windows but our minds are not growing apace to handle the connected world in a mature way,” he says. So one needs to be additionally circumspect about what we do online, how much of us we put out there. The ‘creative minds’ don’t see it as cut and dried. Natasha thinks that sharing can make people vulnerable to ridicule. “Confronting and embracing that vulnerability is the only way forward. These are not real fears to cling to, these are fears to shed as we grow and realise the extent of our individual power.” Amitava says he has seen several careers destroyed because of a single tweet. But he’d hate to back down and be cautious. As he puts it, “You’ve got to push the envelope and experiment with expression. I hope that when my wrong moment comes, people will be forgiving.” Amen to that.

For more details visit https://cis-india.org/news/outlook-namrata-joshi-january-25-2014-dangers-of-birdsong

The Curious Incident of the People at the Mall

nishant — 2008-12-14T12:13:09Z

The first flash mob in India, in 2003, though short-lived and quickly declared illegal, brought to fore the idea that technology is constructing new sites of defining public participation and citizenship rights, forcing the State to recognise them as political collectives. As India emerges as an ICT enabled emerging economy, new questions of citizenship, participatory politics, social networking, citizenship, and governance are being posed. In the telling of the story of the flash-mob, doing a historical review of technology and access, and doing a symptomatic reading of the subsequent events that followed the ban, this paper evaluates the different ways in which the techno-narratives of an ‘India Shining’ campaign of prosperity and economic growth, are accompanied by various spaces of political contestation, mobilisation and engagement that determine the new public spheres of exclusion, marked by the aesthetics of cyberspatial matrices and technology enabled conditions of governance.

For more details visit https://cis-india.org/publications-automated/cis/nishant/the%20curious%20incident%20of%20the%20people%20at%20the%20mall%20%20ACS%20Crossroads.pdf