Centre for Internet and Society

Development Informatics

Aayush Rathi and Ambika Tandon — 2019-09-27T15:12:01Z

For more details visit https://cis-india.org/internet-governance/files/development-informatics

Why having more CCTV cameras does not translate to crime prevention

manasa — 2019-09-25T02:13:28Z

Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

The article by Manasa Rao published by the News Minute quotes Pranav M. Bidare of CIS.

In August, a couple from Tamil Nadu’s Tirunelveli district made national headlines for their bravery. True to the Tamil adage ‘vallavanukku pullum aayudham’ (for the strong man, even a blade of grass is a weapon), when thieves entered their home, they fought them with chairs, slippers and even a bucket. Despite being armed with sickles, the masked miscreants fled the scene unable to match the counter-attack mounted by 70-year-old Shanmugavel and 65-year-old Senthamarai. The incident was caught on CCTV camera and the couple, whose video quickly went viral, was celebrated for their valour and made for the perfect social media feel-good story. However, as the news cycle was focused on them, senior police officers from the state and many commentators pointed to the importance of the CCTV camera footage. After all, the whole world watched their courage thanks to the CCTV camera affixed on the couple's front yard.

Since 2017, the Tamil Nadu Police has been aggressively pushing for citizens to install CCTV cameras. A techno-futuristic awareness campaign video released last year even roped in popular Kollywood star Vikram to help the police force. “If there are CCTV cameras, crimes are prevented, evidenced and importantly, it provides evidence in court. So, each of us will compulsorily fix a CCTV camera wherever we are,” says Vikram. In a bold declaration, the motto of the campaign affirms, “With CCTV everywhere, Tamil Nadu has become a place without crime.” At the end of the video Vikram suggests Big Brother is watching, stating, “Everything. Everywhere. We're watching.”

But do more CCTV cameras necessarily translate to crime prevention and deterrence? Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

What the numbers say

A study released in August by tech research group Comparitech ranked Chennai as 32nd out of 50 of the most surveilled cities in the world. The research group, with the use of government reports, police websites and news articles, puts the total number of cameras in the city at 50,000. With a 2016 estimated population of 1.07 crore in Chennai, that is 4.67 cameras per 1,000 people.

With the help of Numbeo, a crowd-sourced database of perceived crime rates, the study puts Chennai’s crime index at 40.39. On a scale of 0 to 100, this is an estimation of overall level of crime in a given city. This score means Chennai’s crime index is ranked ‘moderate’. Similarly, on a 100 point scale, the city's safety index— quite the opposite of crime index— is at 59.61. The higher the safety index, the safer a city is considered to be.

The two other Indian cities on the list of 50 are New Delhi ranked No. 20 with 1,79,000 cameras for 1.86 crore people (9.62 cameras per 1,000 people) and Lucknow ranked at No. 40 with 9,300 cameras for 35.89 lakh people (2.59 cameras per 1,000 people). The capital's crime index is at 58.77 while its safety index is 41.23. The UP city on the other hand has a crime index of 45.30 and a safety index of 54.70.

Stating that the higher number of cameras ‘just barely correlates’ with a higher safety index and lower crime index, the study concludes, “Broadly speaking, more cameras doesn’t necessarily result in people feeling safer.” While the presence of CCTV cameras may not inherently be bad, experts say that they cannot become a substitute for tackling crime and its causes which transcend the realm of technology. These involve tailored and specific approaches which stem from community building.

The infallible CCTV myth

Pranav MB, policy officer at the Centre for Internet and Society in Bengaluru observes that in the long run, over-reliance on CCTV cameras would merely propel criminals to innovate, as opposed to helping deter the crime from taking place. He says, “While it seems intuitive that the presence of a CCTV camera will have a deterring effect on criminal activity, numerous studies over the past decade have concluded that this is not really the case. The idea of a deterring effect also relies on the assumption that the actors are making educated intelligent choices about their future, which is often not the case with persons that commit criminal acts. So the deterring effect of CCTV cameras is not likely to be much more than the already deterring effect that exists because of criminal law and law enforcement.”

Busting the myth that CCTV cameras are foolproof, Pranav adds that public infrastructure as simple as a streetlight could aid in safer neighbourhoods. “The fact remains, however, that if you are not using advanced technology, a simple mask will render you unidentifiable by most basic CCTV cameras. As more advanced and more expensive technology is used, you are only necessitating the need for innovation among criminals to identify new loopholes that they can exploit in the technology. This is not an argument that generally holds against the use of technology, but in the case of CCTV cameras, it has been seen that simple street lights much better serve the goal of deterrence of crimes,” he says.

However, cops disagree with the findings. One IPS officer who works with the police’s Law and Order department in Chennai tells TNM that the presence of CCTV cameras has helped them nab a range of criminals from chain-snatchers to stalkers who have hacked women to death. Praising the use of facial recognition software like FaceTagr that was introduced a few years ago, the officer says, “CCTV cameras have a dissuading effect on criminals. At the very least they serve as a warning but in most cases, we can easily match them to criminals on our existing local, station-wise database. Especially when it comes to areas like T Nagar, Purasawalkam or other crime-prone suburbs, CCTV cameras are an invaluable tool for law enforcement.”

“Even in cases of sexual abuse, street harassment or trafficking, private CCTV cameras have been helpful. Shop owners or residents have come forward with the footage in public interest,” he says, admitting that the Centre’s release of the long-pending National Crime Records Bureau (NCRB) statistics could show a correlation between the push to install CCTVs and crime rates.

With a lack of NCRB data, there are no statistical answers to whether indeed installation of CCTV cameras has helped lowering of crime rates. However, as per one report in The Hindu, the police report a 30% drop in the crime rate in the city following the installation of CCTV cameras. According to their estimate for chain snatching alone, the city police claims that the number of cases have dropped from 792 in 2012 to 538 following the installation of CCTV cameras in 2018.

Over-reliance on technology

Agreeing that law enforcement must be cautious while employing technology to solve crimes, Dr M Priyamvadha, associate professor at the Department of Criminology, University of Madras says her detailed interviews with over 200 incarcerated burglars across Tamil Nadu reveal that they are always on the lookout for a CCTV camera. “They simply use a jammer worth Rs 2,000 (a handy device that disrupts the signal range of a camera) to skirt the presence of a CCTV camera,” she reports. However, the professor cautions that one must not over-sell the capabilities of a CCTV camera in crime prevention.

“We must remember that CCTV cameras don't deter all crimes. If there is family or domestic violence, there won't be a CCTV camera inside the four walls of a house to reveal it. For burglaries, robberies and such offences, you can rely on CCTV cameras. How far it helps is a question mark. You can neither completely say it prevents crime nor that it is a waste,” she says.

The professor points out that even when deploying CCTV cameras across the city, law enforcement does not account for wear and tear and maintenance which forms an important part of monitoring security.

Echoing the sentiment, Pranav says that CCTV cameras primarily serve as sources of electronic evidence in criminal cases. “Their deterring effect has repeatedly been observed to not balance out the costs of installing and running them.”

Privacy, data protection concerns

Chennai-based independent tech researcher Srikanth points to the inherent surveillance dangers thanks to the centralised way in which the city police collects the CCTV data. “There is something concerning especially about Chennai City Traffic Police and other various city police’s approach to CCTV. The fundamental shift is that, at least in the city, these cameras are connected to the police control room. So data gets centrally collated. When centralization kicks in, power abuse isn't far away. This way it is far easier for police to destroy evidence,” he alleges.

Srikanth also points out, “CCTVs (especially connected ones) are usually funded by residents and/or merchants who spend their money in putting up the infrastructure, but freely give away the data to the police (often in good faith). There is no oversight on usage, storage, retention of this data and by sheer monopoly on law and order, the police is able to connect a vast number of private CCTVs on to its network.”

Significantly, he expresses concerns about there being no laws that govern the usage of CCTV footage by the police. “Even if one gives into the legitimate state aim to control crime, even if one can argue violation of privacy is proportional, there is no law around use of CCTV by police, let alone using them in investigations. That the state engages with private vendors (such as FaceTagr) and many others also provides these service providers access to data,” he explains.

Pranav also warns, “Furthermore, CCTV cameras also result in compromising the privacy of individuals, and if implemented by the state (as in the case of law enforcement), creates added surveillance risks. Compounding on this is the issue of the recorded video footage, which if stored/transmitted/managed in an non-secure manner creates data protection risks as well. This is especially true in India, where it is difficult to obtain the required infrastructure and expertise in running an effective and secure CCTV camera system.”

'Technology cannot replace interpersonal relationships'

Advising pragmatic thinking when it comes to crime prevention, professor Priyamvadha says that technology should complement what she calls the ‘human touch'. Junking the ‘holistic’ one-size-fits-all approach that is often paraded as a solution, the criminologist says that each crime requires a tailored method of tackling it. “For each and every crime, there is a different strategy. There maybe crimes committed by juveniles, crimes committed against women. For example, if female foeticide is rampant in a village, it is important to understand the village, the preferences of the people there and the caste practices present among them,” she observes.

While technology often allows law enforcement to cover more ground in cases of limited manpower, there’s also a chance the cameras could be seen as a substitute for forging interpersonal relationships between police and the people they seek to protect. “With quick transferring of cops nowadays, the local police station doesn’t have an understanding of the ongoings. Interpersonal relationships are more important than technological advances,” she notes.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-september-3-2019-manasa-rao-why-having-more-cctv-cameras-does-not-translate-to-crime-prevention

Chennai residents rue fuzzy CCTV surveillance

Vivek Narayanan and R. Srinivasan — 2019-09-19T14:35:51Z

Poor quality of footage, lack of maintenance and inadequate back-up reduce the gadgets’ deterrent value.

The article by Vivek Narayanan and R. Srinivasan was published in the Hindu on September 18, 2019. Pranav M.B. was quoted.

Last month, Sandeep (name changed), a cyclist, was hit by an ambulance on GST Road near the Madras Export Processing Zone (MEPZ) signal. He was rushed to hospital in the same ambulance. His hopes of finding out who hit him, via CCTV cameras, came crashing after he saw the poor quality of footage that was obtained to identify the vehicle.

“The police officers in Tambaram themselves told me that the quality of the CCTV cameras was poor and they were unable to trace the number,” said Mr. Sandeep.

While the police have been claiming a reduction in crime rates due to CCTV cameras in the city, residents and experts doubt if the equipment is indeed a deterrent, and want the police to install better quality cameras with the capacity to retain footage for a longer period, and to maintain the devices, too.

Extensive Coverage

Several high profile cases such as the 2016 Swathi murder case drove law enforcers to increase CCTV coverage of the city. Now, there are over 2 lakh cameras covering all of Chennai, its alleys and its fringes.

Cameras have also been installed at every major junction and at street corners. In many cases, they are linked to the control room of the nearest police station.

According to the police, there is one CCTV camera for every 50 m. They are meant to help the police crack cases and nab the accused. “Some DVRs (digital video recorders) are also in the house or premises of the sponsors. This is for safety purposes,” said a police officer.

The unique nature of the Traffic Police’s ‘third eye campaign’ is the involvement of the public, too. Apart from the police, MPs and MLAs, many resident welfare associations have also donated resources for the installation of CCTV cameras.

Residents, however, expressed concern. S. Kumara Raja, vice president, Annai Indira Nagar Residents Welfare Association said: “Though many CCTVs cameras are found on the street, it isn’t clear if they are working or not. We also don’t know if anyone is maintaining the cameras.”

P. Saravanakumar, founder of the South Madipakkam Residents’ Welfare Association, said that the equipment is not connected with the police control room and the data remains with those who have installed the CCTV system.

V. N. Subramaniyan, president, Mylapore Residents Welfare Association, felt that cameras installed on private properties were working properly.

“Cameras are obtained from private persons as a charitable activity, so the quality can be challenged. The police should give the maintenance of CCTV cameras to private companies. There should be proper back-up and monitoring,” he pointed out.

While the equipment is considered important for gathering evidence, policemen themselves complain that the quality of the footage from many cameras is poor.

“We cannot zoom into the footage obtained from every camera involved. Most of them are 1 or 2 megapixel cameras and the image is often blurred. Only in a few places do we find powerful cameras,” said a policeman.

'Not a deterrent'

Pranav M. B., researcher, Centre for Internet and Society, said that as according to global studies, CCTV cameras are not useful as deterrents. “But they come in handy for providing evidence after a crime,” said Mr. Pranav.

Though advanced cameras can provide footage with more clarity, it’s cost intensive to maintain them. “For deterrence, one need not invest in high-end cameras — quality street lights are sufficient. We cannot expect the perpetrator of a crime to make a decision over whether to commit a crime or not after looking at the camera,” he added.

However, there is a 30% higher chance of identifying an accused when a camera is deployed, than without. “Nevertheless, like any other technology or method, it is not entirely foolproof,” Mr. Pranav said.

Police officers disagree on the subject of CCTV systems not serving as deterrents. “From January to June 2018, a total of 258 chain snatching incidents were reported, but during the same period this year, the number plummeted to 137 — a fall of nearly 50%,” said a senior police officer.

'Needs improvement'

Similarly, the police claim that, this year, public nuisance cases have gone down by 41%, and burglary cases by 17%, compared with last year. Police officers agreed that the quality of some cameras needs to be improved.

“Initially, we did not know the type of quality [of cameras] needed. So, we fixed 1 and 2 megapixel cameras. Now, we are installing 4 megapixel cameras and have better clarity. Besides, we are now categorising the number and type of cameras available in different parts of the city, and will change the older ones,” said a senior police officer.

For more details visit https://cis-india.org/internet-governance/news/vivek-narayanan-and-r-sivaraman-the-hindu-september-18-2019-chennai-residents-rue-fuzzy-cctv-surveillance

GCSC Response

Admin — 2019-09-11T01:30:47Z

For more details visit https://cis-india.org/internet-governance/files/gcsc-response

August 2019 Newsletter

praskrishna — 2019-12-06T04:54:20Z

Centre for Internet & Society newsletter for the month of August 2019.

Highlights for August 2019
The Oxford Internet Institute and CIS are creating a State of the Internet’s Languages report, as baseline research with both numbers and stories, to demonstrate how far we are from making the internet multilingual. The call is available in Arabic, Brazilian Portuguese, English, IsiZulu, Spanish, and Tamil. CIS invites friends and communities to translate the call into other languages. CIS's Access to Knowledge (A2K) team is conducting a free knowledge movement and as part of this initiative it is inviting contributions from the Wikipedia community. Photos, media, content or archives donated by community members would be used worldwide to disseminate information. The content you are donating must be under Creative Commons Share-like content. You must have the copyright of the content under CC licenses. Over the last few years, several digital identity schemes have been initiated in different countries across the world. There has been significant momentum on digital ID, especially after the adoption of UN Sustainable Development Goal 16.9, which calls for legal identity for all by 2030. Authors, Amber Sinha and Pooja Saxena, explore about the uses and design of digital identity systems and ask two core questions a) What are appropriate uses of ID?, and b) How should we think about the technological design of ID? Together with the Institute of Technology & Society (ITS), Brazil, and the Centre for Intellectual Property and Information Technology Law(CIPIT), Kenya, CIS participated at a side event in RightsCon 2019 held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the Omidyar Network. A report of the event is published here. As governments across the globe implement new, foundational, digital identification systems (“Digital ID”), or modernize existing ID programs, there is dire need for greater research and discussion about appropriate uses of Digital ID systems. At RightsCon 2019 in Tunis, we presented working drafts on appropriate use of Digital ID by the partner organisations of this three-region research alliance - ITS from Brazil, CIPIT from Kenya, and CIS from India. CIS gave its comments to the ID4D Practitioners’ Guide: Draft For Consultation released by ID4D in June, 2019. The submission is divided into three main parts. The first part (General Comments) contains the high-level comments on the Practitioners’ Guide, while the second part (Specific Comments) addresses individual sections in the Guide. The third and final part (Additional Comments) does not relate to particulars in the Practitioners' Guide but other documents that it relies upon. The Ministry of Health and Family Welfare had released the National Digital Health Blueprint on 15 July 2019 for comments. CIS submitted its comments. CIS notes that the nature of data which would be subject to processing in the proposed digital framework pre-supposes a robust data protection regime in India, one which is currently absent. Accordingly, it urges the ministry to cease the implementation of the framework until the Personal Data Protection Bill is passed by the Parliament. Aayush Rathi , Vedika Pareek , Divij Joshi and Pranav Bidare co-authored a research paper 'Future of Work in the ASEAN'. The authors reveal that the future of work will be mediated through region and country specific factors such as socioeconomic,geopolitical and demographic change. The report was edited by Elonnai Hickok and Ambika Tandon with research assistance by Sankalp Srivastava and Anjanaa Aravindan. The research is supported by Tides Foundation.

CIS and the News

The following articles were authored by CIS secretariat during the month:

The Knowledge Base is Liberated (Subodh Kulkarni and Madhav Gadgil; Loksatta; August 3, 2019).
Private Sector and the cultivation of cyber norms in India (Arindrajit Basu; Nextrends India; August 5, 2019).
Rethinking the intermediary liability regime in India (Torsha Sarkar; CyberBRICS; August 16, 2019).
Digital Native: How free is the internet? (Nishant Shah; Indian Express; August 18, 2019).
Linking Aadhaar with social media or ending encryption is counterproductive (Sunil Abraham; Prime Time; August 26, 2019).
A judicial overreach into matters of regulation (Gurshabad Grover; The Hindu; August 28, 2019).
Kashmir’s information vacuum (Aayush Rathi and Akriti Bopanna; The Hindu; August 29, 2019).

CIS in the News

CIS secretariat was consulted for the following articles published during the month in various publications:

Will Modi govt move on Kashmir’s Article 370 stand the scrutiny of Supreme Court? (The Print; August 6, 2019).
‘I’m just helpless’: Concern about Kashmir mounts as communication blackout continues (Niha Masih; Washington Post; August 6, 2019).
Why the Madras HC case on WhatsApp traceability could have wider ramifications (Haripriya Suresh; The News Minute; August 8, 2019).
Ministry of Health's public consultation on National Digital Health Blueprint: Legal issues around telemedicine, consent, and 'egosystems' in healthcare (Trisha Jalan; Medianama; August 8, 2019).
Abuse linked to Net fixation (Nina C. George; Deccan Herald; August 13, 2019).
India Shut Down Kashmir’s Internet Access. Now, ‘We Cannot Do Anything.’ (Vindu Goel, Karan Deep Singh and Sameer; New York Times; August 14, 2019).
India’s top science institution is trying hard to fix its “manel” problem (Quartz India; August 16, 2019). This piece was originally published on Connect under the headline, “We Learned (The Hard Way) Not to Have Manels.”
Perché l'India ha tagliato internet al Kashmir (Raffaele Angius; WIRED.IT; August 19, 2019).
US pressure threatens to weaken data - localisation mandate in India's landmark data-protection bill (Sandhya Sharma; ET Prime; August 19, 2019).
Linking Aadhaar to Facebook, WhatsApp won't curb fake news, but may undermine its legislation: Experts (Swathy Moorthy; Moneycontrol; August 20, 2019).
Linking Aadhaar to Facebook, Twitter: Possible witch-hunt or key to curb crime & fake news? (Taran Deol and Revathi Krishanan; The Print; August 21, 2019).
AI is biased, you’ll see if you Google ‘hands’ (Rajmohan Sudhakar; Deccan Herald; August 25, 2019).
Government plans tighter rules for social media brands like Facebook, TikTok, ShareChat (Sunny Sen; CNBC TV 18; August 28, 2019).
What Centre will tell Supreme Court on Aadhaar and social media account linkage (Amrita Madhukalya; Hindustan Times; August 28, 2019).

Access to Knowledge

Access to Knowledge is a campaign to promote the fundamental principles of justice, freedom, and economic development. It deals with issues like copyrights, patents and trademarks, which are an important part of the digital landscape.

Wikipedia

Under a grant from Wikimedia Foundation we are doing a project for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Blog Entry

Call for joining the Free Knowledge movement #Wikipedia #Wikimedia (Bhuvana Meenakshi; August 19, 2019).

Internet Governance

The Tunis Agenda of the second World Summit on the Information Society has defined internet governance as the development and application by governments, the private sector and civil society, in their respective roles of shared principles, norms, rules, decision making procedures and programmes that shape the evolution and use of the Internet. As part of internet governance work we work on policy issues relating to freedom of expression primarily focusing on the Information Technology Act and issues of liability of intermediaries for unlawful speech and simultaneously ensuring that the right to privacy is safeguarded as well.

Freedom of Speech & Expression

Under a grant from the MacArthur Foundation, CIS is doing research on the restrictions placed on freedom of expression online by the Indian government and contribute studies, reports and policy briefs to feed into the ongoing debates at the national as well as international level. As part of the project we bring you the following outputs:

Participation in Events

Packets, net neutrality and gaming public policy outcomes (Organized by Has Geek; Bangalore; August 15, 2019). Gurshabad Grover attended Prof. Vishal Misra's lecture on net neutrality.

Privacy

Under a grant from Privacy International and IDRC we are doing a project on surveillance. CIS is researching the history of privacy in India and how it shapes the contemporary debates around technology mediated identity projects like Aadhar. As part of our ongoing research, we bring you the following outputs:

Submission

Comments on the National Digital Health Blueprint (Samyukta Prabhu, Ambika Tandon, Torsha Sarkar and Aayush Rathi; August 7, 2019).

Participation in Events

Digital ID Forum 2019 (Organized by UNDP; Chulalongkorn University, Thailand; July 3, 2019). Sunil Abraham was one of the panelists at this event.
BIS LITD 17 meeting (Organized by Bureau of Indian Standards; New Delhi; July 3, 2019). Gurshabad Grover attended the sixteenth meeting of the Information Systems Security and Biometrics Section Committee (LITD17).
Facebook Data for Good in Bangalore (Organized by Facebook; Indian Institute of Science, Bangalore; July 25, 2019).
Roundtable with the WhatsApp leadership (Organized by WhatsApp; Mountbatten, The Oberoi, New Delhi; July 26, 2019). Will Cathcart, WhatsApp's new global head, visited India and invited Sunil Abraham for a discussion.
Facebook Data for Good in New Delhi (Organized by Facebook; University of Chicago Center, New Delhi; July 29, 2019).

IT / Information Technology

A research on the usage of systems (computers and telecommunications) for storing, retrieving and sending information as well as the IT Act:

Research Paper

Future of Work in the ASEAN (Aayush Rathi , Vedika Pareek , Divij Joshi and Pranav Bidare; edited by Elonnai Hickok and Ambika Tandon with research assistance from Sankalp Srivastava and Anjanaa Aravindan; August 31, 2019).

Participation in Event

Cyber Policy 2.0 (Organized by National Law University; Bangalore; August 17, 2019). Arindrajit Basu was a speaker.

Artificial Intelligence

With origins dating back to the 1950s Artificial Intelligence (AI) is not necessarily new. However, interest in AI has been rekindled over the recent years due to advancements of technology and its applications to real-world scenarios. We conduct research on the existing legal and regulatory parameters:

Participation in Events

Emergence of Chinese Technology:Rising stakes for innovation, competition and governance (Organized by Omidyar Network in partnership with the Esya Centre; New Delhi; August 12, 2019). Arindrajit Basu attended the event.
Impact of Industrial Revolution 4.0 - IT and Automotive Sector in India (Organized by the Dialogue and Friedrich-Ebert-Stiftung; Bangalore; August 21, 2019). Aayush Rathi attended the event.
Policies for the Platform Economy (Organized by IT for Change; India Habitat Centre; New Delhi; August 30, 2019). Amber Sinha and Anubha Sinha were panelists.

Digital Identity

Omidyar Network is investing in establishment of a three-region research alliance — to be co-led by the Institute for Technology & Society (ITS), Brazil, the Centre for Intellectual Property and Information Technology Law (CIPIT) , Kenya, and CIS. As part of this Alliance, we at the CIS will look at the policy objectives of digital identity projects, how technological policy choices can be thought through to meet the objectives, and how legitimate uses of a digital identity framework may be evaluated.

Research Paper

Design and Uses of Digital Identities - Research Plan (Amber Sinha and Pooja Saxena; August 8, 2019).

Submissions

The Appropriate Use of Digital Identity (Amber Sinha; August 8, 2019).
Comments to the ID4D Practitioners’ Guide (Amber Sinha; August 8, 2019).

Participation in Event

Holding ID Issuers Accountable, What Works? (Organized by Omidyar Network; RightsCon 2019; August 8, 2019).

Researchers@Work

The researchers@work programme at CIS produces and supports pioneering and sustained trans-disciplinary research on key thematics at the intersections of internet and society; organise and incubate networks of and fora for researchers and practitioners studying and making internet in India; and contribute to development of critical digital pedagogy, research methodology, and creative practice.

Participation in Event

Workshop on Archival Standards and Digitisation Workflow (Organized by British Library; NCBS; Bangalore; August 19 - 20, 2019). P.P. Sneha attended the event.

Blog Entries

#HookingUp (Akhil Kang, Christina Thomas Dhanraj, Dhrubo Jyoti, and Gowthaman Ranganathan; August 1, 2019).
Call for Contributions and Reflections: Your experiences in Decolonizing the Internet’s Languages! (P.P. Sneha; August 7, 2019).
Simiran Lalvani - Workers’ fictive kinship relations in Mumbai app-based food delivery (Sumandro Chattapadhyay; August 16, 2019).

About CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

Follow CIS on:

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

Support CIS:

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

Collaborate with CIS:

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/august-2019-newsletter

Linking Aadhaar with social media or ending encryption is counterproductive

sunil — 2019-08-28T01:39:47Z

Should Aadhaar be used as KYC for social media accounts? We have recently seen a debate on this question with even the courts hearing arguments in favour and against such a move.

The article was published in Prime Time on August 26, 2019.

The case began in Madras High Court and later Facebook moved the SC seeking transfer of the petition to the Apex court. The original petition was filed in July, 2018 and sought linking of Aadhaar numbers with user accounts to further traceability of messages.

Before we try and answer this question, we need to first understand the differences between the different types of data on social media and messaging platforms. If a crime happens on an end to end cryptographically secure channel like WhatsApp the police may request the following from the provider to help solve the case:

Identity data: Phone numbers of the accused. Names and addresses of the accused.
Metadata: Sender, receiver(s), time, size of message, flag identifying a forwarded messages, delivery status, read status, etc.
Payload Data: Actual content of the text and multimedia messages.

Different countries have taken different approaches to solving different layers of the surveillance problem. Let us start with identity data. Some like India require KYC for sale of SIM cards while others like the UK allow anonymous purchases. Corporations also have policies when it comes to anonymous speech on their platforms – Facebook for instance enforces a soft real ID policy while Twitter does not crack down on anonymous speech. The trouble with KYC the old fashioned way is that it exposes citizens to further risk. Every possessor of your identity documents is a potential attack surface. Indian regulation should not result in Indian identity documents being available in the millions to foreign corporations. Technical innovations are possible, like tokenisation, Aadhaar paperless local e-KYC or Aadhaar offline QR code along with one time passwords. These privacy protective alternatives must be mandatory for all and the Aadhaar numbers must be deleted from previously seeded databases. Countries that don’t require KYC have an alternative approach to security and law enforcement. They know that if someone like me commits a crime, it would be easy to catch me because I have been using the same telecom provider for the last fifteen years. This is true of long term customers regardless if they are pre-paid or post-paid. The security risk lies in the new numbers without this history that confirms identity. These countries use targeted big data analytics to determine risk and direct surveillance operations to target new SIM cards. My current understanding is that when it comes to basic user data – all the internet giants in India comply with what they consider as legitimate law enforcement requests. Some proprietary and free and open source [FOSS] alternatives to services offered by the giants don’t provide such direct cooperation in India.

When it comes to payload data – it is almost impossible (meaning you will need supercomputers) to access the data unless the service/software provider breaks end-to-end cryptography. It is unwise, like some policy-makers are proposing, to prohibit end-to-end cryptography or mandate back doors because our national sovereignty and our capacity for technological self-determination depends on strong cryptography. A targeted ban or prohibition against proprietary providers might have a counterproductive consequence with users migrating to FOSS alternatives like Signal which won’t even give the police identity data. As a supporter of the free software movement, I would see this as a positive development but as a citizen I am aware that the fight against crime and terror will become harder. So government must pursue other strategies to getting payload data such as a comprehensive government hacking programme.

Meta-data is critical when it comes to separating the guilty from the innocent and apportioning blame during an investigation. For example, who was the originator of a message? Who got it and read it last? WhatsApp claims that it has implemented the Signal protocol faithfully meaning that they hold no meta-data when it comes to the messages and calls. Currently there is no regulation which mandates data retention for over the top providers but such requirements do exist for telecom providers. Just like access to meta-data provides some visibility into illegal activities it also provides visibility into legal activities. Therefore those using end-to-end cryptography on platforms with comprehensive meta-data retention policies will have their privacy compromised even though the payload data remains secure. Here is a parallel example to understand why this is important. Early last year, the Internet Engineering Task Force chose a version of TLS 1.3 that revealed less meta-data over one that provided greater visibility into the communications. This hardening of global open standards, through the elimination of availability of meta-data for middle-boxes, makes it harder for foreign governments to intercept Indian military and diplomatic communications via imported telecom infrastructure. Courts and policy makers across the world have to grapple with the following question: Are meta-data retention mandates for the entire population of users a “necessary and proportionate” legal measure to combat crime and terror. For me, it should not be illegal for a provider who voluntarily wishes to retain data, provided it is within legally sanctioned limits but it should not be requirement under law.

There are technical solutions that are yet to be properly discussed and developed as an alternative to blanket meta-data retention measures. For example, Dr. V Kamakoti has made a traceability proposal at the Madras High Court. This proposal has been critiqued by Anand Venkatanarayanan as being violative in spirit of the principles of end-to-end cryptography. Other technical solutions are required for those seeking justice and for those who wish to serve as informers for terror plots. I have proposed client side metadata retention. If a person who has been subjected to financial fraud wishes to provide all the evidence from their client, it should be possible for them to create a digital signed archive of messages for the police. This could be signed by the sender, the provider and also the receiver so that technical non-repudiation raises the evidentiary quality of the digital evidence. However, there may be other legal requirements such as the provision of notice to the sender so that they know that client side data retention has been turned on.

The need of the hour is sustained research and development of privacy protecting surveillance mechanisms. These solutions need to be debated thoroughly amongst mathematicians, cryptographers, scientists, technologists, lawyers, social scientists and designers so that solutions with the least negative impact can be rolled out either voluntarily by providers or as a result of regulation.

For more details visit https://cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive

A judicial overreach into matters of regulation

gurshabad — 2019-08-28T01:28:52Z

A PIL on Aadhaar sheds light on some problematic trends

The article by Gurshabad Grover was published in the Hindu on August 27, 2019.

The Madras High Court has been hearing a PIL petition since 2018 that initially asked the court to declare the linking of Aadhaar with a government identity proof as mandatory for registering email and social media accounts. The petitioners, victims of online bullying, went to the court because they found that law enforcement agencies were inefficient at investigating cybercrimes, especially when it came to gathering information about pseudonymous accounts on major online platforms. This case brings out some of the most odious trends in policymaking in India.

The first issue is how the courts, as Anuj Bhuwania has argued in the book Courting the People, have continually expanded the scope of issues considered in PILs. In this case, it is absolutely clear that the court is not pondering about any question of law. In what could be considered as abrogation of the separation of powers provision in the Constitution, the Madras High Court started to deliberate on a policy question with a wide-ranging impact: Should Aadhaar be linked with social media accounts?

After ruling out this possibility, it went on to consider a question that is even further out of its purview: Should platforms like WhatsApp that provide encrypted services allow forms of “traceability” to enable finding the originator of content? In essence, the court is now trying to regulate one particular platform on a very specific technical question, ignoring legal frameworks entirely. It is worrying that the judiciary is finding itself increasingly at ease with deliberations on policy and regulatory measures, and its recent actions remind us that the powers of the court also deserve critical questioning.

Government’s support

Second, not only are governments failing to assert their own powers of regulation in response to the courts’ actions, they are on the contrary encouraging such PILs. The Attorney General, K.K. Venugopal, who is representing the State of Tamil Nadu in the case, could have argued for the case’s dismissal by referring to the fact that the Ministry of Electronics and Information Technology has already published draft regulations that aim to introduce “traceability” and to increase obligations on social media platforms. Instead, he has largely urged the court to pass regulatory orders.

Third, ‘Aadhaar linking’ is becoming increasingly a refrain whenever any matter even loosely related to identification or investigation of crime is brought up. While the Madras High Court has ruled out such linking for social media platforms, other High Courts are still hearing petitions to formulate such rules. The processes that law enforcement agencies use to get information from platforms based in foreign jurisdictions rely on international agreements. Linking Aadhaar with social media accounts will have no bearing on these processes. Hence, the proposed ‘solution’ misses the problem entirely, and comes with its own threats of infringing privacy.

Problems of investigation

That said, investigating cybercrime is a serious problem for law enforcement agencies. However, the proceedings before the court indicate that the cause of the issues have not been correctly identified. While legal provisions that allow agencies to seek information from online platforms already exist in the Code of Criminal Procedure and the Information Technology Act, getting this information from platforms based in foreign jurisdictions can be a long and cumbersome process. For instance, the hurdles posed by the mutual legal assistance treaty between India and the U.S. effectively mean that it might take months to receive a response to information requests sent to U.S.-based platforms, if a response is received at all.

To make cybercrime investigation easier, the Indian government has various options. India should push for fairer executive agreements possible under instruments like the United States’ CLOUD Act, for which we need to first bring our surveillance laws in line with international human rights standards through reforms such as judicial oversight. India could use the threat of data localisation as a leverage to negotiate bilateral agreements with other countries to ensure that agencies have recourse to quicker procedures. As a first step, however, Indian courts must wash their hands of such questions. For its part, the Centre must engage in consultative policymaking around these important issues, rather than support ad-hoc regulation through court orders in PILs.

(Disclosure: The CIS is a recipient of research grants from Facebook.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation

AI is biased, you’ll see if you Google ‘hands’

Rajmohan Sudhakar — 2019-08-26T23:53:38Z

As it is, the world is unfair. The question now is, do we want automated tech to be unfair too? As we build more and more AI-dependent smart digital infrastructure in our cities and beyond, we have pretty much overlooked the emerging character of artificial intelligence that would have a profound bearing on our nature and future.

The article by Rajmohan Sudhakar was published in Deccan Herald on August 25, 2019. Radhika Radhakrishnan was quoted.

Are we happy with algorithms making decisions for us? Naturally, one would expect the algorithm to possess discretion. Herein lies the dilemma. Do you trust an AI algorithm? Though an algorithm can evolve over time drawing on the nature and accuracy of the dataset, it shall nevertheless pick up the prejudices and biases it is exposed to.

“Questions on fairness arise at multiple stages of AI design. For instance, who has access to large datasets? The private sector in India. There may not be data at all on marginalised communities while there can be excessive surveillance data on targeted communities. Historic biases in datasets add up: widely used leading datasets of word embeddings associate women as homemakers and men as computer programmers. Focus on FAT (Fairness, Accountability and Transparency) is crucial,” says Radhika Radhakrishnan, programme officer at The Centrefor Internet and Society.

For example, a whopping 90% of the Wikipedia editors are men.

As AI is expected to add 15 trillion US dollars by 2030 to the global economy, at present, the data it relies upon comes from a few nations (45% from the US) while a major chunk of users are elsewhere. As it is vital to any social mechanism, diversity will be key if we are to reap the true benefits of AI. Or else, a non-diverse data set or a programmer crafting an algorithm could chart the most unpleasant course.

“Research recommends the inclusion of social scientists in AI design and ensuring they have decision-making power. The AI Now Institute, for instance. However, there is a dearth of social scientists working on AI. In India, we ignore the social impact of AI in favour of the purely technical solutions of computer scientists. Lack of women, gender-queers, and individuals from under-represented communities reflects poor diversity within the AI industry,” Radhakrishnan points out.

The G20 adopted AI Principles in June, which stressed “AI actors should respect the rule of law,human rights and democratic values, throughout the AI system life-cycle. These include freedom, dignity and autonomy, privacy and data protection, non-discrimination and equality,diversity, fairness, social justice, and internationally recognised labour rights.”

The UK recently set up the Centre for Data Ethics and Innovation. Canada and France are spearheading the International Panel on Artificial Intelligence (IPAI) on the sidelines of the G7summit. Meanwhile, India and France agreed on a slew of measures to advance cooperation ondigital tech. Of course, the EU’s General Data Protection Regulation (GDPR) is a promising start.

All of that is well and welcome. But what such efforts and international bodies could achieve in reality is to be seen as questions loom large over private corporations that own tech exercising clout, henceforth leaving AI vulnerable to manipulation.

“To achieve this, panel members will need to be protected from direct or indirect lobbying by companies, pressure groups and governments — especially by those who regard ethics as a brake on innovation. That also means that panel members will need to be chosen for their expertise, not for which organisation they represent,” reads an August 21 editorial in Nature journal on IPAI.

Whatever one may do to de-bias AI, much damage is done already. Try a google search for images of hands. How many black/brown hands do you see? There you go.

“Whose needs are being reflected in AI — those of the poor or those of the big tech looking to‘dump’ their products in an easily exploitable market? Instead of asking, what is the AI solution,we should be wondering, is an AI-based solution necessary in this case?” adds Radhakrishnan.

Where are the big tech located? In the United States. When a white male sitting in that country crafts an algorithm based on a bought dataset, for the benefit of an aboriginal community in the Amazon, something’s amiss.

“Engineers and data scientists who design algorithms are often far removed from the socioeconomic contexts of the people they are designing the tools for. So, they reproduce ideologies that are damaging. They end up reinforcing prejudices. Direct engagement is rare. Engineers should actively and carefully challenge their biases and assumptions by engaging meaningfully with communities to understand their histories and needs,” explains Radhakrishnan.

The march of AI cannot be stopped as more and more datasets get integrated. An ethical approach to computer science and engineering should begin from our institutions of excellence.

“Computer science and engineering disciplines at the undergraduate level teach AI as a purelytechnical subject, not as an interdisciplinary subject. Engineers should be trained in the socialimplications of the systems they design. Technology inevitably re􀁻ects its creators, consciousor not. Therefore, deeper attention to the social contexts of AI and the potential impact of suchsystems when applied to human populations should be incorporated to university curricula,”notes Radhakrishnan.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-rajmohan-sudhakar-august-25-2019-ai-is-biased-you-see-if-you-google-hands

US pressure threatens to weaken data - localisation mandate in India's landmark data-protection bill

Sandhya Sharma — 2019-08-22T01:41:21Z

Sources say the bill may have to concede vital ground to technology companies.

The article by Sandhya Sharma was published by ET Prime on August 19, 2019. Arindrajit Basu was quoted.

Indian law-enforcement agencies have repeatedly expressed their unhappiness with America’s reticence on the sharing of critical data — whether it was around the 26/11 Mumbai attacks or procuring electronic evidence under the Mutual Legal Assistance Treaty (MLAT) from technology companies.

Top cybersecurity sources in the government tell ET prime that India’s own Personal Data Protection (PDP) Bill 2019 is in response to this. Cabinet nod to the bill is expected anytime, and it is likely to be tabled in the next session of Parliament. However, thanks to diplomatic pulls and pressures, a vital provision of the bill could end up markedly diluted. Sources in the Indian government say the US has conveyed it does not want the bill at all.

“We expect it will be a better mechanism than MLAT” for procuring data from technology companies, says a person aware of the development, while adding that the thorny question of data localisation is now a very small part of the bill. Across key bilateral engagements — US Secretary of State Mike Pompeo’s June visit to India, G20 meetings between Prime Minister Narendra Modi and President Donald Trump, and a US trade representative delegation visiting India for talks — American unease with the growing “protectionism” in Indian policy has remained a key talking point.

"Forum members oppose data localisation policies, and we look forward to sharing our concerns when the data protection bill gets introduced in Parliament,” says Susan Ritchie, vice-president of technology, media, and telecommunications at lobby group U.S. India Strategic Partnership Forum (USISPF).

“An environment where regulatory coherence is a governmental priority provides industry with greater predictability and stability resulting in increased investment." A toothless treaty? According to policy experts, MLATs have been the most widely used method for cross-border data sharing. India has signed MLATs with 39 countries, including the US. These treaties give India access to data stored on the cloud and call for data stored by multinational service providers within the jurisdiction of the partner country. However, MLATs are time consuming and have failed in their basic function in the past, sources say, and hence the government was keen to hold the data of Indians back in India, including data pertaining to e-commerce transactions, banking, healthcare, etc.

According to the Justice Srikrishna Committee report, eight of the 10 most accessed websites by Indians are owned by US entities. If data is exclusively processed in India, it will potentially cut off foreign surveillance, the report also notes, while highlighting a three-pronged approach to Indian data to reduce dependence on MLATs.

Talking exclusively to ET Prime, Justice BN Srikrishna says, “MLAT is a long-drawn process and hence the process goes through several diplomatic and judicial channels. It takes anywhere between 18 months to two years to get the information from the foreign technology companies for any investigation [and] much more time for extracting information on taxation and other financial matters…. Once the data of Indian citizens is in India, it will be much easier for law enforcement agencies to take the data for investigation purposes. In the past, the technology companies have dilly-dallied on the information requests of Indian law enforcement agencies.” To be sure, the report does not claim "perfect compliance" through data localisation and it clarifies that for data owned by companies like Google a "conflict of law" might arise if the country of registration — in this case the US — also asserts jurisdiction.

According to the report, between January and June 2017, Google received 3,843 user data-disclosure requests by Indian governmental agencies. Google refused to provide data in 46% of the cases. Now with the PDP Bill, Indian officials can easily get their hands on the data of Indian citizens not residing in India, says Justice Srikrishna. US resistance US tech-industry insiders tell ET Prime on condition of anonymity that no law-enforcement agency should be allowed 100% unfettered access to information. They claim MLATs have been successful in most cases of intelligence sharing around terrorism and national security.

“National security” is a very wide concept in India, unlike in the US where it generally refers to international activities, they say. Jacob Gullish, senior director for digital economy at the lobby group US India Business Council (USIBC), says the term MLAT is often used incorrectly as a catch-all. MLATs are designed for a very narrow and a specific purpose: where the transmitted information is admissible in the foreign country’s judicial system, he says. “In these cases, information has to be handled carefully to ensure the request complies with domestic laws and the transmission is certified for authenticity and a chain of custody, as well as packaged to allow its use as evidence in a foreign court. This process takes time, and the business community supports MLAT reform.

“Just like in the physical world, due process rights for the citizens of the world’s largest and the world’s oldest democracies must be respected in the digital domain. Companies also need legal certainty when operating between different jurisdictions. The bottom line is that law enforcement agencies (LEAs) on both sides need to develop clear processes and procedures, as well as trusted relationships, which will facilitate information exchange during an investigation.” A Google spokesperson echoes Gullish. “On urging from us and other Internet companies, MLAT processes have improved and in most cases responses are provided in a week or two,” the spokesperson says.

“In addition, we are also advocating for MLAT reform, including supporting calls to invest over [USD20 million] to address insufficient staffing, and helping investigators around the world better understand the MLAT process, to help expedite requests.” Other industry insiders claim that US companies field a high volume of requests and respond quickly for the most part, and that ultimately all of this goes back to trust. In December 2011, a Delhi court had issued summons to 21 companies, including Facebook, Microsoft, Google, Yahoo, and YouTube, to face trial for allegedly hosting objectionable content promoting hatred or communal disharmony.

The then IT Minister Kapil Sibal had asked Google and Facebook to ensure prompt removal of offensive material, complaining that the companies had not cooperated in the past. Concerns with data-localisation norms in the present state 1. Diplomatic and political: Data-localisation mandates could impact India’s trade relationships with partners like the US. 2. Security risks (“Regulatory stretching of the attack surface”): Storing data in multiple physical centres increases the exposure to exploitation by malicious actors. 3. Economic impact: Restrictions on cross-border data flow may harm economic growth by increasing compliance costs and entry barriers for foreign service providers, thereby reducing investment or forcing businesses to pass on these costs to the consumers. The major cost pertains to setting up data centres in India.

Further, for startups looking to attain global stature, reciprocal restrictions slapped by other countries can be a serious hurdle. “Data localisation would be most effective if it is — (a) done after India updates its privacy and security standards by passing the Personal Data Protection Bill 2019; (b) done sectorally, after considering how critical it is to store the data in India; (c) done conditionally in (i) the country where data is transferred having equivalent privacy and security safeguards, both de jure and de facto and (ii) the presence of an executive data sharing agreement,” says Arindrajit Basu, senior policy officer at New Delhi-based think tank Centre for Internet and Society. This is essentially what the international community describes as “free flow of data with trust” — the G20 mandate which India recently rejected. Can the US CLOUD Act solve for the lack of information access? A section of policy experts argues that the localisation mandate proposed in India’s new bill does not solve an important problem: What happens when law-enforcement agencies need access to data relating to a foreigner stored in a server located in another jurisdiction by a company incorporated in the US? Will the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) passed in the US last year help?

The US has recently amended the CLOUD Act after a dispute between Microsoft and the US government. The law now ensures two things: American law-enforcement agencies will get access to data held by US cloud service providers (CSPs) regardless of jurisdiction, and allow “qualified foreign governments” to access data stored by US CSPs. This has given rise to a view that the CLOUD Act could be the silver bullet countries like India need to push US tech companies to share data in a timely fashion. Basu of the Centre for Internet and Society says, “India should use the threat of data localisation to negotiate an executive arrangement under the CLOUD Act. India would fare better if it were to use the language of international law to articulate its position in the MLAT reform process, or to propel itself to a better position under the CLOUD Act (which requires countries to demonstrate a commitment to a free and open Internet) or potentially pursue negotiations for a multilateral data sharing treaty.” Siddharth Jain, assistant commissioner in Delhi Police and an expert in investigating cyber-crime issues, says Indian technology firms do provide adequate and timely information about suspicious transactions; however, US firms are lax in sharing information.

Telangana IPS officer Rema Rajeshwari concurs that it’s a problem for law-enforcement agencies to cull out information from some US technology companies. Data-protection bill already diluted? ET Prime has learned that the net result of the pulls and pressures exerted by US commercial and diplomatic interests is that data localisation now remains just a small part of India’s data-protection bill. The Ministry of External Affairs maintains that the US-India relationship is “extremely important”. After President Trump’s controversial comments on offering mediation on the Kashmir issue, ministry spokesperson Raveesh Kumar said, “We are very strong strategic partners and we have brought in deep convergences across a range of issues.

We have excellent trade and investment linkages and are moving toward high defence and technology tie-up.” It’s not just political posturing by India to maintain the tricky relationship at a time when the Trump administration is coming up with reports one after the other criticising the country’s proposed data-protection policies. The PDP Bill was listed to be tabled in Parliament in the first session of the Modi 2.0 government but is yet to see the light of the day. If India tables the draft bill without making concessions that ease the demands on US technology companies, it will severely harm the India-US technology relationship, according to some US policy lobbyists. However, government sources tell ET Prime that the bill now has “data localisation as a very small part”, meaning that it is already likely diluted due to US pressure tactics. Sources say the non-critical data of an individual like height, weight, bank-account number, etc., will not need to be mandatorily stored in India. However, biometric data will have to be stored locally.

Top policymakers who were consulted for the Justice Srikrishna Committee report say should the bill be diluted under duress, it will be a sorry statement for India’s data-protection regime. Meanwhile, with nationalistic sentiments in full flourish during the new Modi government’s first Parliament session, the Ministry of Electronics and Information Technology issued a note that “the bill being prepared will address India’s sovereign data concerns and provide a framework to boost innovation in India while complying with the directives contained in the judgment of [the Honourable Supreme Court]”.

India and EU: a potential template In contrast to the Indo-US friction, India’s understanding with the European Union (EU) on the issue of data protection offers a potential template. India is looking at dialing EU to seek ‘adequacy’ status with the General Data Protection Regulation (GDPR) once it passes the PDP Bill. Tomasz Kozlowski, EU Ambassador to India, said at the recent ET 5G Congress, “Data protection is an important element of EU-India cooperation.

With such a law in place, India will be joining the global trend of global convergence toward a modern data-protection law, and take a leadership role in the region and globally, at a time when the need to address challenges to data privacy and security requires a common approach.” Kozlowski added that the “adoption of strong data protection law will also pave way for EU-India discussions and further facilitate data flows.” Top cybersecurity sources in the Indian government point out that the US has agreed to GDPR, which is far more stringent than the Indian Bill. If so, why make noise about India’s data-localisation demands?

For more details visit https://cis-india.org/internet-governance/news/et-prime-sandhya-sharma-august-19-2019-us-pressure-threatens-to-weaken-data-localisation-mandate-in-indias-landmark-data-protection-bill

July 2019 Newsletter

praskrishna — 2019-08-09T13:50:49Z

Centre for Internet & Society (CIS) newsletter for July 2019.

Highlights for July 2019
CIS presented its comments on the proposed rules 29,30,31 of the Draft Copyright (Amendment) Rules, 2019 to the Department for Promotion of Industry and Internal Trade, Ministry of Commerce and Industry, Govt. of India. The comments were made in response to Notification G.S.R 393(E) published in the Gazette of India on May 30, 2019. CIS submitted that in the domestic approach to modernising our copyright legislation, we must refrain from considering distribution of born-digital/ digitised works over the public Internet equivalent to the function of broadcasting works over cable/ satellite. The Indian National Trust for Art & Heritage Pune Chapter is working with various organisations to preserve the natural heritage places like rivers in Pune district of Maharashtra, India. After the presentation of 'Project Jalbodh' by CIS-A2K in River Dialogue organised by INTACH in April 2018, several organisations have shown keen interest in collaboration. Subodh Kulkarni shares some insights in his report. ICANN has Advisory Committees which help guide the policy recommendations that the ICANN community develops while its Supporting Organizations are charged with developing policy recommendations for a particular aspect of ICANN's operations. ICANN publishes a combined budget for all these bodies under the head of policy development. CIS inquired about the financial resources allocated to each of them specifically. CIS in partnership with the Internet Society organized an event on the impact of consolidation in the Internet economy. It was divided into two roundtable discussions, the first one focusing on the policies and regulation while the latter dealt with the technical evolution of the Internet. The roundtables aimed to analyze how growing forces of consolidation, including concentration, vertical and horizontal integration, and barriers to market entry and competition would influence the Internet in the next 3 to 5 years. The report by Akriti Bopanna and Gurshabad Grover provides an insight into the developments. As part of its Researchers at work programme on key thematics at the intersections of internet and society, CIS called for abstracts for essays that explore social, economic, cultural, political, infrastructural, or aesthetic dimensions of the ‘list’. Ten abstracts would be shortlisted by August 9 from the list of submissions and the selected authors would be requested to submit the full essay of their draft by September 15. Final versions of the essays are expected to be published in October. With the rise and popularity of app-based platforms such as Ola, Uber, Swiggy Zomato, and others, there is a growing public conversation about regulation of such 'gig-work' platforms and the working conditions of people who work for them. To explore this further CIS conducted a panel discussion at its Bangalore office. Researchers associated with the project presented their preliminary findings. Panelists preliminary field insights along with reflections on what it meant to do such studies, how they went about studying gig-work, and challenges that arose in their work. An excerpt from an essay by Maya Indira Ganesh, written for and published as part of the Bodies of Evidence collection of Deep Dives titled You auto-complete me: romancing the bot explains human relations with bots. The Bodies of Evidence collection, edited by Bishakha Datta and Richa Kaul Padte, is a collaboration between Point of View and the Centre for Internet and Society, undertaken as part of the Big Data for Development Network supported by International Development Research Centre, Canada.

CIS and the News

The following articles were authored by CIS secretariat during the month:

Fostering Strategic Convergence in US-India Tech Relations: 5G and Beyond (Justin Sherman and Arindrajit Basu; The Diplomat; July 3, 2019).
Fix Problems Before Complete Failure (Shyam Ponappa; Business Standard; July 4, 2019).
What is the problem with ‘Ethical AI’? An Indian Perspective (A rindrajit Basu and Pranav M.B; cyberBRICS; July 17, 2019).
Old Isn't Always Gold: FaceApp and Its Privacy Policies (Mira Swaminathan and Shweta Reddy; The Wire; July 20, 2019).
The worrying survival of moon landing conspiracy theorists (Nishant Shah; Indian Express; July 22, 2019).
India Is Falling Down the Facial Recognition Rabbit Hole (Karan Saini and Prem Sylvester; The Wire; July 23, 2019).
Why I’m not going to tell you about the dangers of apps like FaceApp (Nishant Shah; Indian Express; July 28, 2019).
The Digital Identification Parade (Aayush Rathi and Ambika Tandon; Indian Express; July 29, 2019). The authors acknowledge Sumandro Chattapadhyay, Amber Sinha and Arindrajit Basu for their edits and Karan Saini for his inputs.
In India, Privacy Policies of Fintech Companies Pay Lip Service to User Rights (Shweta Mohandas; The Wire; July 30, 2019).

CIS in the News

CIS secretariat was consulted for the following articles published during the month in various publications:

PIB plans a fact-checking unit to counter fake news (Smriti Kak Ramachandran; Hindustan Times; July 3, 2019).
How Sai Baba Was Made To Spy On Your Phone For Credit Ratings (Gopal Sathe; Huffington Post; July 4, 2019).
Mozilla is funding a way to support Julia in Firefox (Catalin Cimpanu; ZD Net; July 8, 2019).
Deepfakes: Algorithms at war, trust at stake (Rajmohan Sudhakar; Deccan Herald; July 14, 2019).
Digital public information system design: Talk to experts, find the right way (Prachatai; July 18, 2019).
Easing the US-India divergence on data localisation (Shashidhar KJ and Kashish Parpiani; Observer Research Foundation; July 22, 2019).
For sex workers, mobile phone becomes a double-edged sword (Tushar Kaushik; Economic Times; July 23, 2019).
Twitter reacts to the India's cryptocurrency drama (Rajarshi Mitra; FXStreet; July 26, 2019).

Access to Knowledge

Copyright and Patent

Research on harms caused to consumers, developing countries, human rights, and creativity/innovation from excessive regimes of copyright, patents, and other such monopolistic rights over knowledge:

Submission

Comments on the Draft Copyright (Amendment) Rules, 2019 concerning Statutory Licensing (Anubha Sinha; July 11, 2019). This submission presents comments to the Department for Promotion of Industry and Internal Trade (“DPIIT”), Ministry of Commerce and Industry pertaining to the notification G.S.R 393(E) containing the draft Copyright (Amendment) Rules, 2019 issued on 30th May 2019.

Wikipedia

Blog Entries

Orientation programme, Wikipedia workshop & Action Plan meeting in PAH Solapur University (Subodh Kulkarni; July 19, 2019).
Wikimedia Workshop on Rivers under Project Jalbodh (Subodh Kulkarni; July 30, 2019).
Re-licensing Sessions with Authors and Organisations (Subodh Kulkarni; July 31, 2019).

Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software:

Participation in Event

Learning and Understanding the Frameworks of Rights at Work (Organized by Kai Hsin Hung; IT for Change; Bangalore; July 13, 2019). Torsha and Mira attended the workshop.

Internet Governance

Freedom of Speech & Expression

Blog Entry

DIDP #34 On granular detail on ICANN's budget for policy development process (Akriti Bopanna; July 6, 2019).

Participation in Events

13th European Summer School on Internet Governance (Organized by European Summer School on Internet Governance; Meissen; July 13 - 20, 2019). Akriti Bopanna attended the school.
ICANN 65 De-briefing Meeting (Organized by Indian Council for Research on International Economic Relations ; July 16, 2019). Akriti Bopanna remotely presented on the Human Rights related developments that took place at the Marrakech meeting, over the course of the 4 days.

Privacy

Blog Entry

The Impact of Consolidation in the Internet Economy on the Evolution of the Internet (Akriti Bopanna and Gurshabad Grover; July 3, 2019). The blog post was edited by Swaraj Barooah, Elonnai Hickok and Vishnu Ramachandran. Swagam Dasgupta provided inputs.

Participation in Events

Digital ID Forum 2019 (Organized by UNDP; Chulalongkorn University, Thailand; July 3, 2019). Sunil Abraham was one of the panelists at this event.
BIS LITD 17 meeting (Organized by Bureau of Indian Standards; New Delhi; July 3, 2019). Gurshabad Grover attended the sixteenth meeting of the Information Systems Security and Biometrics Section Committee (LITD17).
Facebook Data for Good in Bangalore (Organized by Facebook; Indian Institute of Science, Bangalore; July 25, 2019).
Roundtable with the WhatsApp leadership (Organized by WhatsApp; Mountbatten, The Oberoi, New Delhi; July 26, 2019). Will Cathcart, WhatsApp's new global head, visited India and invited Sunil Abraham for a discussion.
Facebook Data for Good in New Delhi (Organized by Facebook; University of Chicago Center, New Delhi; July 29, 2019).

IT / Information Technology

A research on the usage of systems (computers and telecommunications) for storing, retrieving and sending information as well as the IT Act:

Participation in Event

Leveraging Web Application Vulnerabilities for Reconnaissance and Intelligence Gathering (Organized by Has Geek; GRD College of Science, Coimbatore; July 5, 2019). Karan Saini gave a talk at the JSFoo Conference.

Artificial Intelligence

Participation in Events

Roundtable Discussion on “The Future of AI Policy in India” (Organized by Indian Council for Research on International Economic Relations, New Delhi; July 1, 2019).
Emerging AI technology in health care in India, health equity and justice: Critical reflections and charting out way forward (Organized by HEaL (Health, Ethics, and Law Institute of Training, Research and Advocacy) of FMES (Forum for Medical Ethics Society) in collaboration with CPS (Centre for Policy Studies), Indian Institute of Technology-Bombay; July 13, 2019). Radhika Radhakrishnan, participated in a roundtable discussion on "Emerging AI technology in health care in India, health equity and justice: Critical reflections and charting out way forward."

Gender

Presentation to Amnesty International on researching the Future of Work (Organized by Amnesty Interntional, New Delhi; July 18, 2019). Aayush Rathi and Ambika Tandon made a presentation on CIS research on Future of Work.

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions. Both require effective and efficient use of networks and resources, including spectrum.

Monthly Blog

Fix Problems Before Complete Failure (Shyam Ponappa; Organizing India Blogspot; July 4, 2019).

Researchers@Work

Event Organized

#MappingDigitalLabour - Panel discussion on platform-work in Mumbai and New Delhi (CIS, Bangalore; July 19, 2019). Watch the session recording video here.

Blog Entries

Studying the Internet Discourse in India through the Prism of Human Rights (Deva Prasad M.; July 1, 2019).
#DigitalPedagogies (Ashutosh Potdar, Maya Dodd, Nidhi Kalra, and Ravikant Kisana; July 1, 2019).
#OpenAccessScholarlyPublishing (Abhishek Shrivastava, Dibyaduti Roy, and Nirmala Menon; July 11, 2019).
#RenarrationWeb (Anuja Mirchandaney, Deepak Prince, Dinesh and Shalini; July 23, 2019).

About CIS

Follow CIS on:

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

Support CIS:

Collaborate with CIS:

For more details visit https://cis-india.org/about/newsletters/july-2019-newsletter

The Digital Identification Parade

Aayush Rathi and Ambika Tandon — 2019-07-30T00:19:25Z

NCRB’s proposed Automated Facial Recognition System impinges on right to privacy, is likely to target certain groups.

The article by Aayush Rathi and Ambika Tandon was published in the Indian Express on July 29, 2019. The authors acknowledge Sumandro Chattapadhyay, Amber Sinha and Arindrajit Basu for their edits and Karan Saini for his inputs.

The National Crime Records Bureau recently issued a request for proposals for the procurement of an Automated Facial Recognition System (AFRS). The stated objective of the AFRS is to “identify criminals, missing persons/children, unidentified dead bodies and unknown traced children/persons”. It will be designed to compare images against a “watchlist” curated using images from “any […] image database available with police/other entity”, and “newspapers, raids, sent by people, sketches, etc.” The integration of diverse databases indicates the lack of a specific purpose, with potential for ad hoc use at later stages. Data sharing arrangements with the vendor are unclear, raising privacy concerns around corporate access to sensitive information of crores of individuals.

While a senior government official clarified that the AFRS will only be used against the integrated police database in India — the Crime and Criminal Tracking Network and Systems (CCTNS) — the tender explicitly states the integration of several other databases, including the passport database, and the National Automated Fingerprint Identification System. This is hardly reassuring. Even a targeted database like the CCTNS risks over-representation of marginalised communities, as has already been witnessed in other countries. The databases that the CCTNS links together have racial and colonial origins, recording details of unconvicted persons if they are found to be “suspicious”, based on their tribe, caste or appearance. However, including other databases puts millions of innocent individuals on the AFRS’s watchlist. The objective then becomes to identify “potential criminals” — instead of being “presumed innocent”, we are all persons-who-haven’t-been-convicted-yet.

The AFRS may allow indiscriminate searching by tapping into publicly and privately installed CCTVs pan-India. While facial recognition technology (FRT) has proliferated globally, only a few countries have systems that use footage from CCTVs installed in public areas. This is the most excessive use of FRT, building on its more common implementation as border technology. CCTV cameras are already rife with cybersecurity issues, and integration with the AFRS will expand the “attack surface” for exploiting vulnerabilities in the AFRS. Additionally, the AFRS will allow real-time querying, enabling “continuous” mass surveillance. Misuse of continuous surveillance has been seen in China, with the Uighurs being persecuted as an ethnic minority.

FRT differs from other biometric forms of identification (such as fingerprints, DNA samples) in the degree and pervasiveness of surveillance that it enables. It is designed to operate at a distance, without any knowledge of the targeted individual(s). It is far more difficult to prevent an image of one’s face from being captured, and allows for the targeting of multiple persons at a time. By its very nature, it is a non-consensual and covert surveillance technology.

Potential infringements on the right to privacy, a fundamental right, could be enormous as FRT allows for continuous and ongoing identification. Further, the AFRS violates the legal test of proportionality that was articulated in the landmark Puttaswamy judgment, with constant surveillance being used as a strategy for crime detection. Other civil liberties such as free speech and the right to assemble peacefully could be implicated as well, as specific groups of people such as dissidents and protests can be targeted.

Moreover, facial recognition technology has not performed well as a crime detection technology. Challenges arise at the stage of input itself. Variations in pose, illumination, and expression, among other factors, adversely impact the accuracy of automated facial analysis. In the US, law enforcement has been using images from low-quality surveillance feed as probe photos, leading to erroneous matches. A matter of concern is that several arrests have been made solely on the basis of likely matches returned by FRT.

Research indicates that default camera settings better expose light skin than dark, which affects results for FRT across racial groups. Moreover, the software could be tested on certain groups more often than others, and could consequently be more accurate in identifying individuals from that group. The AFRS is envisioned as having both functionalities of an FRT — identification of an individual, and social classification — with the latter holding significant potential to misclassify minority communities.

In the UK, after accounting for a host of the issues outlined above, the Science and Technology Committee, comprising 14 sitting MPs, recently called for a moratorium on deploying live FRT. It will be prudent to pay heed to this directive in India, in the absence of any framework around data protection, or the use of biometric technologies by law enforcement.

The experience of law enforcement’s use of FRT globally, and the unique challenges posed by the usage of live FRT demand closer scrutiny into how it can be regulated. One approach may be to use a technology-neutral regulatory framework that identifies gradations of harms. However, given the history of political surveillance by the Indian state, a complete prohibition on FRT may not be too far-fetched.

For more details visit https://cis-india.org/internet-governance/blog/aayush-rathi-and-ambika-tandon-indian-express-july-29-2019-the-digital-identification-parade

India is falling down the facial recognition rabbit hole

Prem Sylvester and Karan Saini — 2019-07-25T13:40:00Z

Its use as an effective law enforcement tool is overstated, while the underlying technology is deeply flawed.

The article by Prem Sylvester and Karan Saini was published in the Wire on July 23, 2019.

In a discomfiting reminder of how far technology can be used to intrude on the lives of individuals in the name of security, the Ministry of Home Affairs, through the National Crime Records Bureau, recently put out a tender for a new Automated Facial Recognition System (AFRS).

The stated objective of this system is to “act as a foundation for a national level searchable platform of facial images,” and to “[improve] outcomes in the area of criminal identification and verification by facilitating easy recording, analysis, retrieval and sharing of Information between different organizations.”

The system will pull facial image data from CCTV feeds and compare these images with existing records in a number of databases, including (but not limited to) the Crime and Criminal Tracking Networks and Systems (or CCTNS), Interoperable Criminal Justice System (or ICJS), Immigration Visa Foreigner Registration Tracking (or IVFRT), Passport, Prisons, Ministry of Women and Child Development (KhoyaPaya), and state police records.

Furthermore, this system of facial recognition will be integrated with the yet-to-be-deployed National Automated Fingerprint Identification System (NAFIS) as well as other biometric databases to create what is effectively a multi-faceted system of biometric surveillance.

It is rather unfortunate, then, that the government has called for bids on the AFRS tender without any form of utilitarian calculus that might justify its existence. The tender simply states that this system would be “a great investigation enhancer.”

This confidence is misplaced at best. There is significant evidence that not only is a facial recognition system, as has been proposed, ineffective in its application as a crime-fighting tool, but it is a significant threat to the privacy rights and dignity of citizens. Notwithstanding the question of whether such a system would ultimately pass the test of constitutionality – on the grounds that it affects various freedoms and rights guaranteed within the constitution – there are a number of faults in the issued tender.

Let us first consider the mechanics of a facial recognition system itself. Facial recognition systems chain together a number of algorithms to identify and pick out specific, distinctive details about a person’s face – such as the distance between the eyes, or shape of the chin, along with distinguishable ‘facial landmarks’. These details are then converted into a mathematical representation known as a face template for comparison with similar data on other faces collected in a face recognition database. There are, however, several problems with facial recognition technology that employs such methods.

Facial recognition technology depends on machine learning – the tender itself mentions that the AFRS is expected to work on neural networks “or similar technology” – which is far from perfect. At a relatively trivial level, there are several ways to fool facial recognition systems, including wearing eyewear, or specific types of makeup. The training sets for the algorithm itself can be deliberately poisoned to recognise objects incorrectly, as observed by students at MIT.

More consequentially, these systems often throw up false positives, such as when the face recognition system incorrectly matches a person’s face (say, from CCTV footage) to an image in a database (say, a mugshot), which might result in innocent citizens being identified as criminals. In a real-time experiment set in a train station in Mainz, Germany, facial recognition accuracy ranged from 17-29% – and that too only for faces seen from the front – and was at 60% during the day but 10-20% at night, indicating that environmental conditions play a significant role in this technology.

Facial recognition software used by the UK’s Metropolitan Police has returned false positives in more than 98% of match alerts generated.

When the American Civil Liberties Union (ACLU) used Amazon’s face recognition system, Rekognition, to compare images of legislative members of the American Congress with a database of mugshots, the results included 28 incorrect matches.

There is another uncomfortable reason for these inaccuracies – facial recognition systems often reflect the biases of the society they are deployed in, leading to problematic face-matching results. Technological objectivity is largely a myth, and facial recognition offers a stark example of this.

An MIT study shows that existing facial recognition technology routinely misidentifies people of darker skin tone, women and young people at high rates, performing better on male faces than female faces (8.1% to 20.6% difference in error rate), lighter faces than darker faces (11.8% to 19.2% difference in error rate) and worst on darker female faces (20.8% to 34.7% error rate). In the aforementioned ACLU study, the false matches were disproportionately people of colour, particularly African-Americans. The bias rears its head when the parameters of machine-learning algorithms, derived from labelled data during a “supervised learning” phase, adhere to socially-prejudiced ideas of who might commit crimes.

The implications for facial recognition are chilling. In an era of pervasive cameras and big data, such prejudice can be applied at unprecedented scale through facial recognition systems. By replacing biased human judgment with a machine learning technique that embeds the same bias, and more reliably, we defeat any claims of technological neutrality. Worse, because humans will assume that the machine’s “judgment” is not only consistently fair on average but independent of their personal biases, they will read agreement of its conclusions with their intuition as independent corroboration.

In the Indian context, consider that Muslims, Dalits, Adivasis and other SC/STs are disproportionately targeted by law enforcement. The NCRB in its 2015 report on prison statistics in India recorded that over 55% of the undertrials prisoners in India are either Dalits, Adivasis or Muslims, a number grossly disproportionate to the combined population of Dalits, Adivasis and Muslims, which amounts to just 39% of the total population according to the 2011 Census.

If the AFRS is thus trained on these records, it would clearly reinforce socially-held prejudices against these communities, as inaccurately representative as they may be of those who actually carry out crimes. The tender gives no indication that the developed system would need to eliminate or even minimise these biases, nor if the results of the system would be human-verifiable.

This could lead to a runaway effect if subsequent versions of the machine-learning algorithm are trained with criminal convictions in which the algorithm itself played a causal role. Taking such a feedback loop to its logical conclusion, law enforcement may use machine learning to allocate police resources to likely crime spots – which would often be in low income or otherwise vulnerable communities.

Adam Greenfield writes in Radical Machines on the idea of ‘over transparency,’ that combines “bias” of the system’s designers as well of the training sets – based as these systems are on machine learning – and “legibility” of the data from which patterns may be extracted. The “meaningful question,” then, isn’t limited to whether facial recognition technology works in identification – “[i]t’s whether someone believes that they do, and acts on that belief.”

The question thus arises as to why the MHA/NCRB believes this is an effective tool for law enforcement. We’re led, then, to another, larger concern with the AFRS – that it deploys a system of surveillance that oversteps its mandate of law enforcement. The AFRS ostensibly circumvents the fundamental right to privacy, as ratified by the Supreme Court in 2018, through sourcing its facial images from CCTV cameras installed in public locations, where the citizen may expect to be observed.

The extent of this surveillance is made even clearer when one observes the range of databases mentioned in the tender for the purposes of matching with suspects’ faces extends to “any other image database available with police/other entity” besides the previously mentioned CCTNS, ICJS et al. The choice of these databases makes overreach extremely viable.

This is compounded when we note that the tender expects the system to “[m]atch suspected criminal face[sic] from pre-recorded video feeds obtained from CCTVs deployed in various critical identified locations, or with the video feeds received from private or other public organization’s video feeds.” There further arises a concern with regard to the process of identification of such “critical […] locations,” and if there would be any mechanisms in place to prevent this from being turned into an unrestrained system of surveillance, particularly with the stated access to private organisations’ feeds.

The Perpetual Lineup report by Georgetown Law’s Center on Privacy & Technology identifies real-time (and historic) video surveillance as posing a very high risk to privacy, civil liberties and civil rights, especially owing to the high-risk factors of the system using real-time dragnet searches that are more or less invisible to the subjects of surveillance.

It is also designated a “Novel Use” system of criminal identification, i.e., with little to no precedent as compared to fingerprint or DNA analysis, the latter of which was responsible for countless wrongful convictions during its nascent application in the science of forensic identification, which have since then been overturned.

In the Handbook of Face Recognition, Andrew W. Senior and Sharathchandra Pankanti identify a more serious threat that may be born out of automated facial recognition, assessing that “these systems also have the potential […] to make judgments about [subjects’] actions and behaviours, as well as aggregating this data across days, or even lifetimes,” making video surveillance “an efficient, automated system that observes everything in front of any of its cameras, and allows all that data to be reviewed instantly, and mined in new ways” that allow constant tracking of subjects.

Such “blanket, omnivident surveillance networks” are a serious possibility through the proposed AFRS. Ye et al, in their paper on “Anonymous biometric access control”, show how automatically captured location and facial image data obtained from cameras designed to track the same can be used to learn graphs of social networks in groups of people.

Consider those charged with sedition or similar crimes, given that the CCTNS records the details as noted in FIRs across the country. Through correlating the facial image data obtained from CCTVs across the country – the tender itself indicates that the system must be able to match faces obtained from two (or more) CCTVs – this system could easily be used to target the movements of dissidents moving across locations.

Constantly watched

Further, something which has not been touched upon in the tender – and which may ultimately allow for a broader set of images for carrying out facial recognition – is the definition of what exactly constitutes a ‘criminal’. Is it when an FIR is registered against an individual, or when s/he is arrested and a chargesheet is filed? Or is it only when an individual is convicted by a court that they are considered a criminal?

Additionally, does a person cease to be recognised by the tag of a criminal once s/he has served their prison sentence and paid their dues to society? Or are they instead marked as higher-risk individuals who may potentially commit crimes again? It could be argued that such a definition is not warranted in a tender document, however, these are legitimate questions which should be answered prior to commissioning and building a criminal facial recognition system.

Senior and Pankanti note the generalised metaphysical consequences of pervasive video surveillance in the Handbook of Face Recognition:

“the feeling of disquiet remains [even if one hasn’t committed a major crime], perhaps because everyone has done something “wrong”, whether in the personal or legal sense (speeding, parking, jaywalking…) and few people wish to live in a society where all its laws are enforced absolutely rigidly, never mind arbitrarily, and there is always the possibility that a government to which we give such powers may begin to move towards authoritarianism and apply them towards ends that we do not endorse.”

Such a seemingly apocalyptic scenario isn’t far-fetched. In the section on ‘Mandatory Features of the AFRS’, the system goes a step further and is expected to integrate “with other biometric solution[sic] deployed at police department system like Automatic Fingerprint identification system (AFIS)[sic]” and “Iris.” This form of linking of biometric databases opens up possibilities of a dangerous extent of profiling.

While the Aadhaar Act, 2016, disallows Aadhaar data from being handed over to law enforcement agencies, the AFRS and its linking with biometric systems (such as the NAFIS) effectively bypasses the minimal protections from biometric surveillance the prior unavailability of Aadhaar databases might have afforded. The fact that India does not have a data protection law yet – and the Bill makes no references to protection against surveillance either – deepens the concern with the usage of these integrated databases.

The Perpetual Lineup report warns that the government could use biometric technology “to identify multiple people in a continuous, ongoing manner [..] from afar, in public spaces,” allowing identification “to be done in secret”. Senior and Pankanti warn of “function creep,” where the public grows uneasy as “silos of information, collected for an authorized process […] start being used for purposes not originally intended, especially when several such databases are linked together to enable searches across multiple domains.”

This, as Adam Greenfield points out, could very well erode “the effectiveness of something that has historically furnished an effective brake on power: the permanent possibility that an enraged populace might take to the streets in pursuit of justice.”

What the NCRB’s AFRS amounts to, then, is a system of public surveillance that offers little demonstrable advantage to crime-fighting, especially as compared with its costs to fundamental human rights of privacy and the freedom of assembly and association. This, without even delving into its implications with regard to procedural law. To press on with this system, then, would be indicative of the government’s lackadaisical attitude towards protecting citizens’ freedoms.

The views expressed by the authors in this article are personal.

For more details visit https://cis-india.org/internet-governance/blog/india-is-falling-down-the-facial-recognition-rabbit-hole

ออกแบบระบบข้อมูลประชาชนดิจิทัล: คุยกับผู้เชี่ยวชาญหาแนวทางเหมาะสม

Admin — 2019-07-21T14:32:25Z

Talk with Sunil Abraham, an expert on the Internet and good governance in the issue of creating a digital identification system.

What should you think before doing a national database? Transparency should be inversely proportional to the power of the person. The state must provide information as well. Not the only store Database technology and public surveillance are not the same. Otherwise the entire system will crash How important is democracy in making good information systems? Read the interview published by Prachatai on July 18, 2019 below

คุยกับสุนิล อับราฮัม ผู้เชี่ยวชาญเรื่องอินเทอร์เน็ตและธรรมาภิบาลในประเด็นการจัดทำระบบข้อมูลประจำตัวประชาชนแบบดิจิทัล ควรคิดอะไรก่อนทำฐานข้อมูลประชาชนระดับชาติ ความโปร่งใสควรแปรผกผันกับอำนาจของบุคคล รัฐต้องให้ข้อมูลด้วย ไม่ใช่เก็บอย่างเดียว เทคโนโลยีฐานข้อมูลกับการสอดส่องประชาชนไม่ใช่เรื่องเดียวกัน ไม่เช่นนั้นพังทั้งระบบ ประชาธิปไตยสำคัญอย่างไรกับการทำระบบข้อมูลที่ดี

หนึ่งในบทสนทนาที่มีในปัจจุบันคือการนำข้อมูลประชาชนขึ้นสู่ระบบดิจิทัล เทคโนโลยีการบริหารจัดการข้อมูลอย่างระบบฐานข้อมูลดิจิทัลไปจนถึงโครงข่ายออนไลน์แบบบลอกเชนทำให้จินตนาการดังกล่าวเป็นรูปเป็นร่างขึ้น

แต่เมื่อถอยกลับไปมองภาพใหญ่จะพบว่าเรื่องทางเทคนิคเป็นเพียงหนึ่งเม็ดทรายบนชายหาด ยังมีข้อควรคำนึงถึงเยอะแยะหยุมหยิมไปหมดทั้งในเรื่องกฎหมาย ความพร้อมของผู้บังคับใช้กฎหมาย ภาคธุรกิจและประชาชนที่ต้องคำนึงถึงเรื่องพฤติกรรม บรรทัดฐานของสังคม และคำถามสำคัญที่ว่าระบบดังกล่าวจะถูกใช้ในการเฝ้าระวัง สอดแนมประชาชนหรือไม่ เพราะประเทศเผด็จการที่คนไทยหลายคนยกย่องอย่างจีน ก็ใช้ข้อมูลอัตลักษณ์ประชาชนถึงขั้นคุมความประพฤติกันด้วยระบบคะแนนได้แล้ว

แม้ยังไม่เกิดในไทยแต่ก็ไม่ได้แปลว่าเป็นไปไม่ได้ ความกังวลของชาว 14 อำเภอและสามจังหวัดชายแดนใต้เมื่อมีข้อความ SMS จากกองอำนวยการรักษาความมั่นคงภายใน (กอ.รมน.) ให้ไปสแกนใบหน้าเพื่อลงทะเบียนซิมการ์ดตามประกาศของ กสทช. เป็นหนึ่งในภาพสะท้อนจากพื้นที่ที่ความมั่นคงหลอมรวมอยู่ในการใช้ชีวิตประจำวันที่ชัดเจน ปัญหาของการทำระบบนั้นยืนอยู่บนคำถามใหญ่ว่า “ทำอย่างไร” และ “เพื่ออะไร” หากกิจวัตรประจำวันของคนทั้งประความมั่นคงจะกลายเป็นองค์ประกอบในเทศ

สุนิล อับบราฮัม ผู้อำนวย (ผอ.) การบริหารจากศูนย์เพื่ออินเทอร์เน็ตและสังคมจากประเทศอินเดีย ให้สัมภาษณ์ประชาไทในเรื่องรูปร่างหน้าตาของระบบพิสูจน์อัตลักษณ์บุคคลดิจิทัลว่าควรเป็นแบบไหน อะไรที่ต้องคำนึงถึงและถามกันบ่อยๆ เมื่อจะออกแบบระบบ การเฝ้าระวังอาชญากรรมและปัญหาความมั่นคงทำได้แค่ไหน และการเป็นประชาธิปไตยเกี่ยวอะไรกับการมีระบบข้อมูลประชาชนดิจิทัลที่ดี

ประชาไท: ระบบข้อมูลประชาชนดิจิทัลคืออะไร

สุนิล: เดิมทีบัตรประชาชนเป็นวัตถุทางกายภาพ ส่วนมากก็เป็นกระดาษและมันก็มีข้อน่าห่วงมากๆ ในเรื่องความปลอดภัย เพราะว่ารัฐและบริษัทเอกชนต่างใช้บัตรประชาชนเพื่อไปถ่ายสำเนา อันนี้ผมได้ยินว่าในบริบทของไทยก็ถือเป็นเรื่องปกติเช่นกัน สิ่งที่คุณต้องการจริงๆ คือวิธีที่จะทำให้ภาครัฐและเอกชนยืนยันตัวตนโดยไม่ต้องเก็บข้อมูลจากคุณมากจนเกินไป

ในทางอุดมคตินั้นระบบเอกสารประจำตัวที่ดี ควรที่จะทำให้การยืนยันรายละเอียดของคุณอย่างพวกที่อยู่ อายุ สถานะจน-รวย โดยไม่ต้องเก็บข้อมูล (อื่นๆ) ที่ไม่จำเป็นรวมถึงเลขบัตรประชาชนด้วย แม้แต่เลขประจำตัวประชาชนของคุณก็ไม่ควรจะถูกเก็บไปโดยองค์กรอื่นๆ โดยไม่มีความจำเป็น

ปัจจุบันเรามีทางเลือกสองแบบ มีตัวอย่างในแคนาดา สหราชอาณาจักร หรือแม้แต่ในไทยที่กำลังทำ โครงการระบบพิสูจน์ตัวตนอิเลกทรอนิคส์แห่งชาติ หรือ National Digital ID (NDID) คุณคิดถึงวิธีแก้ปัญหาเรื่องระบบเอกสารประจำตัวในฐานะระบบนิเวศที่จะให้ตัวแสดงในระบบนิเวศยืนยันข้อมูลประจำตัวและเก็บข้อมูลของปัจเจกผ่านระบบการจัดการการยินยอมที่ดี (consent management)

(แต่) ก็มีหลายประเทศที่มีหน่วยงานจัดทำระบบฐานข้อมูลประชาชนแห่งชาติแบบรวมศูนย์ แล้วก็กลายเป็นจุดล้มเหลวจุดเดียว (Single Point of Failure - SPOF) ของระบบในประเทศ นี่จึงเป็นตัวเลือกใหญ่ๆ ที่แต่ละประเทศมี คือจะใช้วิธีจัดการแบบระบบนิเวศที่คิดถึงทุกอย่างแบบเป็นองค์รวม หรือมองว่าประเทศหนึ่งประเทศก็เหมือนกับบริษัทหรือมหาวิทยาลัย อะไรที่ใช้ได้กับบริษัทหรือมหาวิทยาลัยก็ใช้แบบนั้นกับประเทศทั้งประเทศ

แต่ละวิธีมีข้อเสียต่างกันอย่างไร

ในทางวิทยาศาสตร์คอมพิวเตอร์และวิศวกรรมคอมพิวเตอร์ ผู้เชี่ยวชาญทุกคนจะบอกว่าไม่มีระบบไหนที่ถูกแฮ็กไม่ได้ แต่ระหว่างสองตัวเลือกนี้มีความแตกต่างอย่างมาก ในโมเดลระบบนิเวศจะไม่มีจุดล้มเหลวจุดเดียวและการเจาะระบบนี้ก็มีต้นทุนสูงกว่าระบบแบบรวมศูนย์ แม้แต่การฟื้นฟูและรักษาข้อมูลที่หายไปก็ทำได้ถูกกว่าด้วย แต่ในระบบแบบรวมศูนย์นั้น ทุกคนจะได้รับผลกระทบเมื่อมีการเจาะเข้าไปได้ และส่วนมากการโจมตีจุดที่ล้มเหลวจุดเดียวก็มีต้นทุนน้อยกว่า

กระแสโลกที่มีต่อการทำข้อมูลประชาชนดิจิทัลคืออะไร

แนวโน้มใหญ่ๆ ของโลกคือมีบางบริษัทที่ขายเทคโนโลยีไบโอเมทริกซ์ (การใช้ข้อมูลทางชีวภาพ เช่น ลักษณะทางกายภาพอย่างม่านตา ลายนิ้วมือ ดีเอ็นเอ ใบหน้าเพื่อตรวจสิทธิหรือแสดงตน) ที่โดยพื้นฐานแล้วเป็นเทคโนโลยีแบบควบคุมจากระยะไกลและไม่ต้องใช้ความยินยอมของเจ้าของข้อมูล เพราะเวลาที่มีการสแกนใบหน้าหรือม่านตาเพื่อยืนยันตัวตนนั้น เจ้าของข้อมูลอาจจะไม่รู้ ผู้ใช้งานอาจจะสแกนจากระยะไกลด้วยกล้องความคมชัดสูง และการเก็บข้อมูลอัตลักษณ์ก็เก็บได้ขณะที่เจ้าของนอนหลับหรือหมดสติ

เทคโนโลยีไบโอเมทริกซ์เป็นเทคโนโลยีการเฝ้าระวังที่ดีมากเมื่อรัฐบาลต้องการต่อกรกับอาชญากรรมหรือบังคับใช้กฎหมาย อย่างไรก็ตาม เทคโนโลยีการเฝ้าระวังไม่ใช่เทคโนโลยีข้อมูลประจำตัวที่ดี โชคร้ายที่บริษัทใหญ่ๆ ที่ขายระบบเฝ้าระวังได้เดินทางไปทั่วโลกและบอกกับรัฐบาลต่างๆ ว่าพวกคุณสามารถแก้ปัญหาเรื่องเอกสารข้อมู,และความมั่นคงได้พร้อมกันด้วยเทคโนโลยีเฝ้าระวังซึ่งมันไม่จริง

ถ้าคุณใช้เทคโนโลยีการเฝ้าระวังมาสร้างระบบข้อมูลประชาชน นั่นหมายความว่าคุณยิ่งไปสร้างความเสี่ยงด้านความมั่นคงเข้าไปอีก เพราะคุณสร้างสิ่งที่เรียกว่า ‘ไหน้ำผึ้ง’ หมายถึงว่ามีจุดๆ หนึ่งที่เก็บข้อมูลลายนิ้วมือ ใบหน้าหรือม่านตาของทุกๆ คน แล้วถ้าระบบนั้นมีจุดที่ล้มเหลวขึ้นมาเพียงจุดเดียว ลองนึกถึงระบบอินเทอร์เน็ตที่เก็บพาสเวิร์ดของทุกคนเอาไว้ในเซิฟเวอร์เดียวกัน มันก็เป็นความเสี่ยงนั้น

เทคโนโลยีไบโอเมทริกซ์นั้นควรใช้ในระบบแบบไม่รวมศูนย์ คุณสามารถเก็บข้อมูลทางชีวภาพจากประชาชนได้ แต่ควรเก็บมันเอาไว้ในชิปสมาร์ทการ์ดของแต่ละคน อย่างระบบสแกนใบหน้าของไอโฟนที่ไม่มีเซิฟเวอร์เก็บข้อมูลใบหน้า แต่อาศัยพื้นที่บนโทรศัพท์มือถือของผู้ใช้งานให้เก็บข้อมูลเหล่านั้นเอง

บางประเทศมีสมาร์ทการ์ดที่มีแม้กระทั่งเครื่องอ่านลายนิ้วมือบนบัตร ที่คุณต้องทำก็คือใส่สมาร์ทการ์ดเข้าไปในเครื่องอ่าน จากนั้นคุณก็วางนิ้วมือลงบนสมาร์ทการ์ดโดยไม่ต้องเอานิ้วไปแปะที่อุปกรณ์อื่นของรัฐหรือเอกชน นั่นเป็นวิธีการใช้งานไบโอเมทริกซ์ที่ถูกต้องเพราะคุณใช้โบโอเมทริกซ์แบบที่ไม่อิงอยู่กับการเฝ้าระวัง

แปลว่าแนวโน้มระบบข้อมูลประชาชนของรัฐส่วนใหญ่อยู่กับฐานคิดการเฝ้าระวังใช่ไหม

ใช่แล้ว ความมั่นคงแห่งชาติและการเฝ้าระวังถูกจัดเป็นความสำคัญอันดับต้นๆ ซึ่งนั่นไม่ใช่แนวทางในการออกแบบระบบฐานข้อมูลประจำตัวประชาชนแบบ e-governance (ธรรมาภิบาลอิเล็คโทรนิกส์) การเฝ้าระวังนั้นสำคัญมากสำหรับสังคม แต่มันก็เหมือนเกลือในอาหาร คุณไม่สามารถกินอาหารได้โดยไม่มีเกลืออยู่ในนั้นนิดหน่อย คุณไม่สามารถมีประเทศที่ปลอดภัยหากไม่มีการเฝ้าระวัง แต่ถ้าคุณตัดสินใจตักเกลือห้าช้อนชาใส่ลงไปในอาหารเมื่อไหร่ อาหารก็เป็นพิษ เรื่องการเฝ้าระวังก็เช่นกัน มันจำเป็นในปริมาณน้อย แต่จะมีผลย้อนกลับหากมีมากเกินไป

แล้วแนวทางที่ดีที่สุดควรเป็นแบบไหน

ควรใช้ระบบและมาตรฐานแบบเปิด (open source and open standard) เพราะคุณจะสามารถพิสูจน์และตรวจสอบระบบได้ ถ้าคุณตรวจสอบหรือพิสูจน์ไม่ได้ นั่นหมายความว่าคุณจะไม่รู้ว่ามันทำงานอย่างไร ส่วนต่อไปคือข้อมูลที่ถูกขอและส่งต่อในระบบนิเวศเมื่อทำธุรกรรมจะต้องมีจำนวนน้อยที่สุด

อีกสิ่งที่จำเป็นคือ คุณต้องมี Human in the Loop (ความสัมพันธ์หรือปฏิสัมพันธ์ของมนุษย์ในระบบนั้น) หมายความว่า คุณควรรู้ว่าในขั้นตอนนั้นๆ มีเจ้าหน้าที่รัฐหรือพนักงานเอกชนคนไหนเป็นคนรับผิดชอบ และถ้ามีอะไรผิดพลาดคุณควรจะหาคนรับผิดรับชอบได้

ความรับผิดรับชอบนั้นแยกได้ว่า หนึ่ง เห็นตัวคนที่รับผิดชอบ สื่อมวลชนสามารถชี้นิ้วไปได้และบอกว่าคนนี้รับผิดชอบกับความผิดพลาดนั้น สอง การเป็นผู้จ่ายค่าปรับ ส่วนนี้สำคัญกับภาคเอกชน และสุดท้ายคือคนที่ต้องติดคุกหากมีเรื่องร้ายแรงเกิดขึ้น เช่นสิทธิมนุษยชนของบางคนได้รับผลกระทบ ดังนั้น เมื่อคุณจะออกแบบระบบฐานข้อมูลประจำตัว คุณต้องถามว่า ‘ใครเป็น Human in the loop’ นั่นเป็นกุญแจหลักของการออกแบบ

หลักการต่อไปของระบบข้อมูลประชาชนที่ดีคือต้องกระจายจากศูนย์กลาง ไม่ควรมีจุดล้มเหลวจุดใหญ่จุดเดียว การจัดการข้อมูลแบบระบบนิเวศนั้นดีกว่าการรวมศูนย์ นอกจากนั้นระบบควรจะรับมือและฟื้นตัวจากเหตุร้ายแรงที่สุดได้ ในระหว่างที่คุณออกแบบระบบก็ควรตั้งคำถามไปพลางว่า ถ้าระบบโดนแฮ็กจะทำอย่างไร หรือถ้าอาชญากรเอาระบบนี้ไปใช้ล่ะ คุณจำเป็นต้องคำนึงถึงความเป็นไปได้ที่ร้ายแรงที่สุดและต้องออกแบบระบบมารับมือมัน

แล้วมองในแง่สังคม คนทั่วไป คุณกังวลเรื่องอะไรบ้าง

ปัญหาหลักตอนนี้คือ แนวคิดที่รายล้อมระบบข้อมูลประชาชนดิจิทัลคือการย้ำให้พลเมืองต้องโปร่งใสกับรัฐ พวกเขา (รัฐ) ต้องการให้พลเมืองส่งข้อมูลทุกอย่างให้กับรัฐ แต่ว่ารัฐไม่ให้ข้อมูลใดๆ กับพลเมือง ในระบบข้อมูลประชาชนที่ดี รัฐควรจะมีความโปร่งใสกับพลเมือง

ผมจะยกตัวอย่างให้ฟัง สมมติว่าผมเป็นพนักงานรัฐที่ทุจริต ผมจะเขียนลงไปในบันทึกว่าคุณมาหาผมที่ออฟฟิศในวันนี้ นี่คือเลขประจำตัวประชาชนของคุณที่ขอกู้เงิน หรือไม่ก็ได้รับเงินอุดหนุนจำนวน 2,000 บาท ผมก็สามารถเอาเงิน 2,000 บาทเข้ากระเป๋าผมแบบไม่มีใครพิสูจน์ได้ และคุณก็ปฏิเสธไม่ได้ด้วย เพราะว่าเลขประจำตัวของคุณอยู่ในบันทึกของรัฐ แต่ถ้าคุณใช้มันให้ดี เราจะมีเครื่องอ่านสมาร์ทการ์ดที่พลเมืองจะใส่บัตรและกดรหัส หลังจากคุณดึงบัตรออกเจ้าหน้าที่ก็จะใส่สมาร์ทการ์ดของเขาเข้าไปและกดรหัส นั่นจะทำให้มีบันทึกในระบบอิเล็กโทรนิกส์และถูกเซ็นโดยเจ้าหน้าที่รัฐและพลเมือง จะไม่มีใครปฏิเสธได้แล้วว่ามีการพบกันจริงๆ ในระบบข้อมูลประจำตัวที่ดีนั้น ทั้งคู่จะต้องแสดงตัวตน แต่ในระบบที่ไม่ดีจะมีแต่เจ้าหน้าที่รัฐที่ถามหาหลักฐานประจำตัวและคุณจะไม่มีการบันทึกว่าเกิดอะไรขึ้นบ้าง

ความเป็นส่วนตัวและการคุ้มครองนั้นควรมีสัดส่วนแปรผันกับอำนาจ ความโปร่งใสและการกำกับควบคุมควรมีสัดส่วนโดยตรงกับอำนาจ คนที่มีอำนาจหรือคนรวยต้องมีความโปร่งใสมากกว่าคนอื่นและมีความเป็นส่วนตัวน้อยกว่าคนอื่น คนที่ไม่มีอำนาจหรือคนเปราะบางควรจะมีความเป็นส่วนตัวมากขึ้น

ถ้าคุณดูนโยบายด้านฐานข้อมูลแบบเปิด (โอเพ่นดาต้า) หรือกฎหมายเสรีภาพด้านข้อมูลข่าวสารจะพบว่าข้อมูลส่วนบุคคลเป็นข้อยกเว้นในกฎหมายเหล่านั้น ข้อมูลรัฐที่ไม่เป็นส่วนตัวเท่านั้นที่สามารถถูกแบ่งปันกันได้ในโอเพ่นดาต้า แต่ถ้าคุณไปดูกฎหมายความเป็นส่วนตัวก็จะพบว่ามีข้อยกเว้นในเรื่องประโยชน์ต่อสาธารณะ นั่นหมายความว่า ถ้าคุณเป็นเจ้าหน้าที่รัฐหรือนักการเมืองคนสำคัญ สิ่งที่คุณคุยในห้องนอนก็อาจสำคัญกับประเทศทั้งประเทศ นั่นหมายความว่าคุณไม่มีความเป็นส่วนตัวในการพูดคุยเรื่องลับ

ความเป็นส่วนตัวนั้นเป็นข้อยกเว้น แต่ผลประโยชน์สาธารณะมันเป็นข้อยกเว้นของข้อยกเว้นอีกที สมมติว่านายกฯ มีปัญหาสุขภาพร้ายแรงที่ทำให้เขาหรือเธอไม่เหมาะที่จะดำรงตำแหน่งอีกต่อไป ข้อมูลส่วนตัวนั้นก็เป็นข้อยกเว้นของข้อยกเว้น ถ้าการได้รู้ว่านายกฯ ป่วยหนักเป็นประโยชน์ต่อสาธารณะมันก็ควรถูกเปิดเผย การลองทำบททดสอบด้านผลประโยชน์สาธารณะน่าจะช่วยเรื่องการจัดการแกนสมมาตรเชิงอำนาจระหว่างกฎหมายสองชุด

ในการช่วยเหลือคนจน คุณควรมีกฎหมายความโปร่งใสและนโยบายโอเพ่นดาต้าที่ดี เพื่อคุ้มครองคนจนและคนเปราะบาง คุณต้องมีกฎหมายความเป็นส่วนตัว และถ้าคุณมีการทดสอบเรื่องผลประโยชน์สาธารณะในกฎหมายทั้งสองชุด กฎหมายเหล่านั้นก็จะไม่ถูกใช้ขูดรีดคนจน

ความมั่นคงจะอยู่ร่วมกับเสรีภาพและความเป็นส่วนตัวได้อย่างไร

กฎหมายข้อมูลประจำตัวดิจิทัลจะต้องมีสอดรับกับกฎหมายความเป็นส่วนตัวและนโยบายโอเพ่นดาต้า แต่ปัญหาก็คือกฎหมายความเป็นส่วนตัวยังเป็นเรื่องใหม่มากๆ ในภูมิภาคนี้ ไทยเพิ่งผ่าน พ.ร.บ. คุ้มครองข้อมูลส่วนบุคคล ที่อินเดียยังไม่มีในระดับชาติ ก็ยังคงมีงานที่ต้องทำอยู่ ศาลต้องทำหน้าที่หาคำนิยาม หน่วยงานกำกับดูแลต้องมีแนวทางกำกับที่จำเพาะมากๆ ภาคอุตสาหกรรมต้องมีแนวทางกำกับตัวเองและแนวปฏิบัติที่ดีที่สุด ภาคประชาสังคมเองก็ต้องช่วยภาคส่วนอื่นๆ ด้วยการถามคำถามหนักๆ

มันต้องใช้เวลา อย่างยุโรปก็มีเส้นทางการมีกฎหมายคุ้มครองข้อมูลยาวนานถึง 35 ปี นั่นเป็นเหตุผลที่ยุโรปมีการคุ้มครองที่ดีกว่า ในภูมิภาคของพวกเราก็จะใช้เวลาต่อสู้ถึง 35 ปีเช่นกัน ดังนั้น ประชาสังคมจะต้องเตรียมตัวในการต่อสู้เป็นเวลา 35 ปี และหลังจากนั้น ลูกหรือลูกของลูกเราจะเห็นระบบนิเวศข้อมูลประชาชนที่ปลอดภัยกว่านี้

รัฐบาลควรทำอะไรบ้าง

การผ่านกฎหมายอย่างเดียวนั้นไม่เพียงพอ ที่ (รัฐบาล) ทำในไทยคือแค่ผ่านกฎหมาย ตอนนี้คุณต้องสร้างคณะกรรมการที่เป็นอิสระ มีงบประมาณมากพอที่จะจ้างวิศวกรและนักกฎมายที่ดีที่สุด คณะกรรมการควรเริ่มบังคับใช้ข้อบังคับอย่างช้าๆ ศาลเองก็ควรพัฒนาองค์ความรู้ ผู้พิพากษาจะต้องเรียนรู้ว่าเกิดอะไรขึ้นบ้างในประเทศอื่นๆ ระบบกฎหมายต้องเตรียมพร้อมกับข้อกังวลใหม่ๆ

เทคโนโลยีช่วยได้แค่ไหน

เทคโนโลยีเป็นแค่ส่วนหนึ่งของการแก้ปัญหา คุณยังต้องกังวลเรื่องกฎหมายและบรรทัดฐานทางสังคม อะไรที่คนธรรมดาเขาทำกัน ถ้าทุกคนยังคงยินดีกับการส่งสำเนาบัตรประชาชน คุณก็ต้องไปเปลี่ยนมัน รัฐบาลมีประสบการณ์มากกับการยกระดับบรรทัดฐานทางสังคม

รัฐบาลต้องใช้อำนาจที่มีในการเปลี่ยนแนวปฏิบัติ เรื่องแนวทางการคุ้มครองความเป็นส่วนตัวก็เหมือนการสูบบุหรี่ พวกนักสูบส่วนมากก็รู้อยู่แล้วว่าการสูบบุหรี่นั้นทำให้เกิดมะเร็งและปัญหาอื่นๆ แต่ก็จะยังสูบต่อไปจนกว่าหมอจะบอกว่าเป็นมะเร็ง รัฐบาลก็ต้องทำให้พลเมืองเกิดความกลัวในสิ่งที่จะเกิดขึ้นเพื่อให้ประชาชนเลิกไม่เอาใจใส่เรื่องข้อมูลส่วนบุคคล

ส่วนสุดท้ายคือตลาด บรรษัทก็ต้องเริ่มสร้างนวัตกรรม เช่น ธนาคารควรออกมาพูดได้ว่าระบบของเราดีกว่าที่อื่น เราไม่ใช้ไบโอเมทริกซ์ เป็นต้น กฎหมายต้องทำให้เกิดการแข่งขันระหว่างบรรษัทในเรื่องความปลอดภัย ความเป็นส่วนตัว เมื่อเราเห็นบรรทัดฐาน กฎหมาย เทคโนโลยี และการแข่งขันทางเทคโนโลยี วันนั้นเราจะเริ่มเห็นทางออก ผมถึงบอกว่ามันจะใช้เวลา 30-40 ปี ไม่ก็นานกว่านั้น

ระบบข้อมูลประจำตัวดิจิทัลที่ดีเกี่ยวอะไรกับประเทศเป็นประชาธิปไตยไหม

ผู้คนถามคำถามยากๆ หลายคำถามในระบอบประชาธิปไตย และนั่นเป็นประโยชน์ แต่สิ่งที่เราต้องการจริงๆ คือประชาธิปไตยที่ปกครองโดยรัฐธรรมนูญ (Constitutional democracy) เพราะคุณไม่สามารถเดินไปถามคนทุกคนเพื่อหามติต่อคำถามทางเทคนิค

คุณต้องมีการอภิปรายสาธารณะที่โปร่งใสเยอะๆ แต่คุณไม่สามารถตัดสินใจกันด้วยการโหวต การไปถามว่า ‘มีกี่คนอยากใช้สแกนลายนิ้วมือ มีกี่คนอยากใช้สแกนใบหน้า’ ไม่ใช่วิธีออกแบบระบบข้อมูลประจำตัวดิจิทัล มันจะต้องวางอยู่บนหลักของรัฐธรรมนูญบางประการเช่นความถูกต้องตามกฎหมาย ความจำเป็น ความได้สัดส่วน หลังจากนั้นคุณจะต้องมีแนวทางที่เสนอโดยวิศวกรและนักกฎหมาย จากนั้นจึงให้มีการถกเถียงและอภิปราย

คุณตัดสินโดยอิงเสียงข้างมากไม่ได้เพียงเพราะคนส่วนมากบอกว่าพวกเขารู้สึกว่าการสแกนใบหน้ามันง่ายมาก คุณก็ไม่สามารถบอกว่าจะนำการสแกนใบหน้าไปใช้กับทุกอย่างเพียงเพราะมันปลดล็อกไอโฟนง่ายดี เพราะในวันพรุ่งนี้เทคโนโลยีเดียวกันอาจถูกนำไปใช้เพื่อสลายการชุมนุมก็ได้ แม้ทุกคนจะรักหลงการสแกนใบหน้าในประชาธิปไตยของคุณ แต่รัฐธรรมนูญยังคงต้องปฏิเสธมันและบอกว่ามันไม่จำเป็น ไม่ได้สัดส่วน มันควรถูกแบน หรือไม่ก็ใช้ในวัตถุประสงค์ที่จำเพาะ

ช่วยอธิบายว่าทำไมการเฝ้าระวังอาจเป็นการทำให้คนหลบเข้าไปอยู่ในมุมมืดมากขึ้น

มันเป็นผลที่เกิดขึ้นโดยไม่ตั้งใจ อย่างถ้าคุณไปบล็อกเนื้อหาที่คนชอบมากๆ คนก็อาจจะหันไปใช้ TOR หรือ VPN (วิธีการเข้าถึงเนื้อหาที่ถูกบล็อก) ซึ่งนั่นไม่ใช่ความตั้งใจของคุณ ถ้าคุณไม่พัฒนาระบบข้อมูลประชาชนที่ดี ประชาชนก็จะเริ่มทำตัวเหมือนอาชญากร แต่พวกเขาไม่ใช่อาชญากร เพียงแค่เขาไม่ชอบการออกแบบระบบเท่านั้น คุณไม่สามารถบังคับให้คนทำพฤติกรรมแบบนั้นหรือแบบนี้ได้ ดังนั้นการเป็นประชาธิปไตยจึงสำคัญ ในระหว่างที่คุณพัฒนาเทคโนโลยีคุณก็ควรถามพวกเขา (ผู้ใช้) ไปด้วยว่ามันใช้ได้หรือไม่ ทำให้เกิดการอภิปรายขึ้น

For more details visit https://cis-india.org/internet-governance/news/e2de2de01e41e1ae1ae23e30e1ae1ae02e49e2de21e39e25e1be23e30e0ae32e0ae19e14e34e08e34e17e31e25-e04e38e22e01e31e1ae1ce39e49e40e0ae35e48e22e27e0ae32e0de2be32e41e19e27e17e32e07e40e2be21e32e30e2ae21

Fostering Strategic Convergence in US-India Tech Relations: 5G and Beyond

Justin Sherman and Arindrajit Basu — 2019-07-05T02:19:09Z

The 2019 G-20 summit underscores the importance of fostering strategic convergence in U.S.-India tech relations.

The article by Justin Sherman and Arindrajit Basu was published in the Diplomat on July 3, 2019.

As world leaders gathered for the G-20 summit in Osaka, Japan this past weekend, a multitude of issues from climate to trade to technology came to the fore. Much of the focus was on U.S.-China interactions at the summit, as the two nations are locked in both a trade war and broader technological and geopolitical competition. Despite the present focus on the U.S. and China, however, it is crucial to not overlook another bilateral relationship of ever-growing importance in the process: The tech relationship between the United States and India.

Certainly, the two countries have many disagreements on some technology issues. But this is a geopolitical relationship that is both strategically important for each country, and a vital opportunity for the two largest democracies in the world to collectively combat Chinese-style digital authoritarianism.

Huawei and 5G

First, with respect to national security and 5G roll-outs, the U.S and India are not on the same page. The United States, for several months now, has been on a diplomatic messaging tour of the world to try to convince — with great resistance (some would argue failure) — allies, partners, and potential partners alike to ban Chinese firm Huawei from supplying components of 5G networks. Many officials across Europe, the Middle East, South America, and elsewhere have been reluctant to ban Huawei per the U.S. recommendation, and India is no exception. Indeed, National Security Advisory Board Chairman P.S. Raghavan told The Hindu that “5G is becoming a fault line in the technology cold war between world powers” and that India must avoid getting caught in these fault lines.

In large part, U.S. diplomatic messaging here has fallen short due to heavy conflations of national security- and trade-related risks; and Trump only contributed further to this fact with his latest reference to Huawei, during the G-20, as a potential trade war bargaining chip. The sheer population of India, however, combined with its fast growing technology sectors and desire to digitize, makes the country an important market player when it comes to the 5G revolution. U.S.-India engagement on 5G issues must be managed effectively through robust articulation of each country’s national interests underscored by a clean segregation of trade and security questions in the discussion. This partnership has the potential to wield great influence in the global market, including in ways that could prioritize or deprioritize certain 5G equipment suppliers (like Huawei).

Data Sovereignty and Data Privacy

Data sovereignty is another hot area in which the U.S.-India tech relationship demands careful negotiation. Over the past year, the Indian government has introduced a range of policy instruments which dictate that certain kinds of data must be stored in servers located physically within India — termed “data localization.” While there are a number of policy objectives this gambit ostensibly seeks to serve, the two which stand out are (1) the presently cumbersome process for Indian law enforcement agencies to access data stored in the U.S. during criminal investigations, and (2) extractive economic models used by U.S. companies operating in India.

A range of conflicting developments emerging from the G-20 summit underscore this fact. India, along with the BRICS grouping, focused on the development dimensions of data governance and re-emphasized the need for data sovereignty — broadly understood as the sovereign right of nations to govern data in their national interest for the welfare of their citizens. President Trump reigned in his focus on the need for cross-border data flows and, in direct opposition to some proposals that have emerged from India, explicitly opposed data localization. While India did not sign the Osaka Declaration on the Digital Economy that promoted cross-border data flows, the importance of cross-border data flows in spurring the global economy did find its way into the Final G-20 Leaders Declaration — which, of course, both countries signed.

Geopolitically, the importance of India’s data governance stance cannot be overstated as it could pave the way for the approach adopted by other emerging economies — most notably the BRICS countries. Likewise, the U.S. has important thinking to do around such questions as what shape a national data privacy law could take. Even though the two countries’ views on data may be quite different from one another, the seats that India and the U.S. have at the table for global data governance discussions — alongside others like Japan, China, and the European Union — underscore the value of meaningful interactions and mutual trust and respect on this issue.

Norms for a Democratic Digital Future

Finally, as the United Nations Group of Governmental Experts and the Open-Ended Working Group meet to resurrect the norm-formulation process for fostering responsible state behavior in cyberspace, India has some homework to do. Even though it has been a member of five out of the six Group of Governmental Experts set up thus far, India is yet to come out with a public statement delineating its views on the applicability of International Law applies in cyberspace. Further, India has also failed to articulate a cohesive digital strategy — instead relying on a patchwork of hastily rolled out and often ill-conceived regulatory policies, some of which commentators in the West have hastily labeled as digital authoritarianism. The U.S., for its part, amidst a cutback to diplomatic cyber engagement (as part of cutbacks to diplomacy writ large), could also up its support of international engagement on these issues. Its recent repeal of net neutrality protections could also be argued as a step back from long-time international norm promotion around internet openness.

Through a combination of domestic policy gambits and foreign policy maneuvers, both states need to draw lines in the sand that safeguard human rights, international law, and democracy online, while arriving at some balance with each other’s national interests.

A primary example lies with artificial intelligence (AI). AI has found increasing use in digital authoritarianism, as dictators use automated, intelligent systems to boost their surveillance capabilities. The Chinese government has arguably been at the forefront of this enhanced level of authoritarian rule for the digital age.

In addition to focusing on AI applications for everything from natural language processing to self-driving cars — through investments, strategies, policy documents, and so on — Beijing has also been deploying AI in the service of large-scale human-rights abuses. Chinese strategy papers on AI, while similarly emphasizing many commercial or benign applications and raising attention to such issues as algorithmic fairness, concurrently have discussed using AI for “social governance,” censorship, and surveillance. To combat the rising intersection of AI and digital authoritarianism, the U.S. and India could wield enormous leverage — as the two largest democracies in the world — in governing these technologies in a democratic fashion that counters dangerous arms-race narratives and uses of AI for surveillance and repression.

The same goes for paying attention to technology exports and diffusion to human-rights abusers. For instance, companies incorporated in China, among those incorporated elsewhere, have been heavily involved in exports of dual-use surveillance technologies to other countries, including those with questionable or outright poor human-rights records. Although companies incorporated in democracies may engage in such practices as well, most democracies take steps to curtail these practices as much as possible, such as through the multilateral Wassenaar Arrangement — which lays out export controls around conventional weapons and dual-use goods and technologies. The U.S. has long been a party to this agreement, and India officially joined in 2018. Arguments persist about the extent to which Beijing is involved in these dual-use surveillance technology exports, but these exports may only increase going forward as companies increasingly sell not just internet surveillance tools but also dual-use AI tools. In this way, too, India and the U.S. could play an important role in countering the spread of such capabilities to human-rights abusers and standing against the spread of digital authoritarianism in the process.

The relationship here is, therefore, one that requires careful navigation for its significant geopolitical, economic, and ideological consequences. For the future of the technological relationship between the world’s largest democracies—and the extent to which they respect each other’s strategic autonomy while converging on issues of mutual interest—could determine the future of global digital governance.

For more details visit https://cis-india.org/telecom/blog/the-diplomat-justin-sherman-and-arindrajit-basu-july-3-2019-fostering-strategic-convergence-in-us-india-tech-relations-5g-and-beyond

ISOC Report

akriti — 2019-07-03T12:44:43Z

For more details visit https://cis-india.org/internet-governance/files/isoc-report.pdf