Centre for Internet and Society

When #GOIBlocks, twitterati fly off their ‘handles’

praskrishna — 2012-08-26T05:56:19Z

Ever since the news broke mid-week that some genuine Twitter accounts and six spoof accounts were blocked, the social networking platform has been in a tizzy.

Published in the Hindustan Times on August 26, 2012. Pranesh Prakash is quoted.

Hashtags like #GOIblocks and variations on the same theme began “trending” and the twitterati, functioning like a virtual democracy, have been bombarding the world in real time with posts about the issue. 16 accounts of the 15 million twitter users in India, among them those of a few journalists, spoof accounts like @PM0India, a right-wing parody of @PMOIndia, the official twitter account of the Prime Minister’s office, and a few anonymous accounts like Barbarian Indian (@barbarindian) and Dosabandit (@dosabandit) were blocked.

While Narendra Modi turned his twitter display picture black in solidarity with the idea of freedom of speech (and was promptly termed a hypocrite with many like @JagPaws, who has 641 followers, tweeting, “Whoa!! Is he supporting Jihadi sites?”), Pankaj Pachauri, (49,827 followers) Communications Adviser to the Prime Minister’s office, has put up twitter rules and the National Security Advisor Shivshankar Menon’s ominously pro-surveillance keynote address at the release of the IDSA report on “India’s Cyber Security Challenge”.

Many like Nitin Pai @acorn, with 16,988 followers, founder of Takshashila Institute, a public policy think tank, tweeted that “under extraordinary circumstances, the govt must do whatever it can under the constitution to prevent loss of life” and added that targeted and temporary blocks of sites, facebook pages and twitter handles that spewed hate were acceptable. Others like film maker Harini Calamur (@calamur) (11,277 followers) who says she is against censorship tweeted that “Blocking internet handles & sites is silly” and “the Govt’s job is to uphold the constitution & protect our fundamental rights. Not make value judgements.” Much of the debate has led to a genuine exchange, sometimes making comrades of people from opposing camps. Kanchan Gupta, a journalist known for his pro-Hindutva views, whose twitter handle @KanchanGupta (26,424 followers) was among those blocked, accepted on TV that scores of “people from all communities” many of whom “disagreed violently” with him had extended their support on twitter.

Others like writer Shivam Vij (@Dilidurast), who has 3,296 followers, whom Hindutvawadis has often branded ‘pseudo sickular’, surprised baiters by speaking against the ban.

Many were strident in their criticism of the arbitrary nature of the blocks and tweeted that it was indicative of authoritarianism. “Internet blocks in India have been increasing in frequency&intensity. I wouldn't put this down to knee-jerk/foolishness.There is *intent*,” tweeted Nikhil Pahwa (@nixxin), founder and editor of @medianama. Others like business journalist Samidha Sharma @samidhas worried that the government’s frequent attacks on freedom of expression shows that it is “following china in all the wrong things”.

While Pranesh Prakash (@pranesh_prakash) of the Centre for Internet and Society tweeted, “They've blocked sites from all parts of the spectrum: Muslim right-wing, Hindu right-wing, neutral news sites, etc. No politics”, many others saw the move as a “self-serving” one. “Dear GoI: why not be honest enough to say that this web censorship has NOTHING to do with security+ all to do with your own arrogance” tweeted Sunny Singh (@sunnysingh_nw3).

For more details visit https://cis-india.org/news/www-hindustan-times-aug-26-2012-when-goi-blocks-twitterati-fly-off-their-handles

WhatsApp spy attack and after

Theres Sudeep — 2019-12-15T05:06:27Z

Bengaluru experts analyse the Pegasus snooping scandal, and provide advice on what you can do about the gaping holes in your mobile phone security.

The article by Theres Sudeep was published in Deccan Herald on November 6, 2019. Aayush Rathi was quoted.

Last week ended with a sensational piece of news: WhatsApp said spyware Pegasus was being used to hack into the phones of activists and journalists in India.

The software is the brainchild of the NSO Group, an Israeli company. WhatsApp has detected 1,400 instances of Pegasus being used in the latest wave of attacks between April 29 and May 10. WhatsApp has identified 100-plus cases targeting human rights defenders and journalists. About two dozen of these attacks were in India.

Among those whose security was reportedly compromised is Congress leader Priyanka Gandhi.The first question is who ordered this snooping. NSO claims they sell their technology only to government agencies for lawful investigation into crime and terrorism. Speculation is rife that there is government involvement in the snooping.

Vinay Srinivas, lawyer with Alternative Law Forum, Bengaluru, says,“The targets of the attack seem to be those who had critical things to say about the current government.”Referring to a tweet by journalist Arvind Gunasekar, Srinivas says there is clear proof that the government knew of the breach and its severity.The tweet includes a screenshot of a report from the CERT-IN (Indian Computer Emergency Response Team) website dated May 17.

It shows severity rating as “High”.WhatsApp says the vulnerability has now been patched and urged users to update the app. But a level of paranoia around smartphones and privacy has been created. Apar Gupta, executive director of the Internet Freedom Foundation, based in Delhi works towards internet freedom and privacy, says Pegasus,specially, is too expensive (it can cost up to eight million dollars a year to licence) to be used on ordinary citizens.

But not all spyware is expensive. “Multiple kinds are now commercially available and easy to procure. These can be used by an estranged lover or even a professional rival to find information about you,” he says. Jija Hari Singh, retired DGP and Karnataka’s first woman IPS officer, says Pegasus is one of the smaller players, and spyware akin to it has been around for three decades. “Monsters bigger than Pegasus are still snooping on us,” she says.

NOTHING TO HIDE?

Many people fall back on the narrative of ‘I have nothing to hide, so I’m not worried’.Aayush Rathi, Programme Officer at the Centre for Internet and Society, says that this is a flawed premise: “It is like saying free speech is not important for you because you have nothing useful to say.”Gupta breaks down this rationale: “If a person has ‘nothing to hide’ then they should just unlock their phone and hand it over to any person who asks for it. But the minute such a demand is made they would feel uncomfortable.”This discomfort, he says, doesn’t come because they are doing something illegal but because they fear social judgement.“There is a level of intimacy in their conversations that they’d rather not share with anyone else,” he says.Many people believe only illegal activity leads to surveillance, but that is not the case.“Even the most inconsequential actions are being logged on digital devices, and much of this information can be monetised,” he says.The most tangible risks are financial fraud and identity theft, and spyware is also commonly used for corporate espionage.

UPDATE SECURITY

So what must one do if one’s phone is spied on? In the case of Pegasus, Rathi says, “You would have received a communication from WhatsApp if you were targeted. Irrespective, you should update the application immediately as the latest update fixes the vulnerability.”Srinivas says legally the recourse available is the fundamental right to privacy. “Since the government doesn’t have any regulation in place to deal with this, the National Human Rights Commission will have to take it up,” he says.

Gupta advises precautions against preventable hacks. He advises a reading of online guides on surveillance self-defence, especially those by Electronic Frontier Foundation.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-november-6-2019-theres-sudeep-whatsapp-spy-attack-and-after

What the government's draft IT intermediary guidelines say

Admin — 2019-02-13T00:31:29Z

Intermediaries will have to hand over to government agencies any information within 72 hours. Intermediaries will have to use automated tools to trace the person posting unlawful content.

The article by Abhijit Ahaskar was published in Livemint on February 12, 2019. CIS research was quoted.

With voices for regulating tech companies getting stronger in the wake of growing incidence of fake news being circulated through social media platforms, the Ministry of Electronics and Information Technology (MEITY) of India has decided to re-examine the Information Technology (IT) Intermediary Guidelines, 2011, under the IT Act, 2000.

Setting the wheel in motion, the ministry proposed a draft called Information Technology Intermediaries Guidelines (Amendment), 2018, and released the recommendations on its website for public comments in December 2018. The first round of comments ended on 31 January, 2019 and was made public last week. The second round of comments and counter-comments will close on 14 February, 2019.

What the draft proposes

The term intermediary refers to all tech companies that are hosting user data or are providing users with a platform for communication. This brings all internet, social media, telecom companies in its ambit.

The draft amendment proposes that intermediaries will have to hand over to governmentagencies any information that might be related to cyber security, national security and related with the investigation, prosecution or prevention of an offence, within 72 hours.

They will have to take down or disable content considered defamatory or against national security under Article 19 (2) of the Constitution within 24 hours on being notified by the appropriate government or its agency in addition to using automated tools to identify, remove and trace the origin of such content. Intermediaries with over 55 lakh users will be required to have a permanent registered office with physical address and a senior official who would be available for coordination with law enforcement agencies.

Concerns over the draft guidelines

Microsoft notes that the problem MEITY is trying to address is of fake news. “Existing regulations provide enough powers to work with social media platforms. There may be a case to bring out additional guidelines for certain types of intermediaries like social media platforms. There may also be a case to strengthen other laws which make the punishment of fake news and misuse of social media stringent. The focus should be on the perpetrators of the crime rather than the intermediaries," it has said in response to the guidelines. Regarding deployment of tools to proactively identify and remove unlawful content, Microsoft cautions that intermediaries will have to monitor all content passing through their systems for this, which is a violation of their individual privacy and right to freedom of expression. It will also be technically impractical due to the high cost of deploying such tech.

According to Broadband India Forum, one of the grounds for the Supreme Court striking down Section 66A of the IT Act, 2000, in Shreya Singhal vs Union of India was the vagueness of the terms used in the provision, such as offensive, menacing and dangerous, which invaded the right of free speech. However, words with a similar level of vagueness, such as grossly harmful, harassing and hateful exist in the proposed draft.

The Centre for Internet and Society (CIS) pointed out that existing laws provide enough teeth to the Indian agencies to act. For instance, Section 505 of the IPC has provisions to penalise disinformation while Sections 290 and 153A of the IPC have provisions if the disinformation is being used to create communal strife. CIS has also flagged the scope of the term unlawful as it is not clearly defined, leaving room for broad interpretation. On the traceability clause, CIS draws attention to the lack of clarity on whether it applies on just social media platforms and messaging services or all intermediaries.

This can be a bit of problem for ISPs which may have no access to contents of an encrypted communication sent and received on its network.

Threat to privacy

The traceability clause, which requires intermediaries to use automated tools to trace the person posting unlawful content, came in for a lot of criticism. While the Ministry in an official tweet in January 2018 clarified that it only requires intermediaries to trace the origin of messages which lead to unlawful activities without breaking encryption, experts believe it isn’t possible without lowering encryption standards or building a backdoor to access encrypted communications.

Amnesty International slammed the clause, arguing, “While governments can legitimately use electronic surveillance to protect people from crime, forcing companies to weaken encryption will affect all users’ online privacy. Such measures would be inherently disproportionate, and therefore impermissible under international human rights law."

Wipro in its response rues such a traceability requirement could lead to breaking of encryption on apps such as WhatsApp and Signal, and this will be a major threat to the privacy rights of citizens as enshrined in the Puttaswamy judgment of the Supreme Court.

Undue burden on small companies

Commenting on the 72 hours timeline for furnishing user data, the Internet Freedom Foundation says that such short deadline for compliance can only be fulfilled by large social media platforms. This might make smaller companies over compliant to government demands for immunity resulting in a total disregard for user privacy.

Regarding taking down of unlawful content, technology policy researchers form National Institute of Public Finance & Policy (NIPFP) caution that overzealous implementation along with over reliance on technological tools for the detection of unlawful content would lead to the curtailment of online speech. They pointed out the instance where Facebook had removed posts documenting the ethnic cleansing of Rohingyas as it had classified Rohingya organisations as dangerous militant groups.

For more details visit https://cis-india.org/internet-governance/news/livemint-abhijit-ahaskar-february-12-2019-what-the-governments-draft-it-intermediary-guidelines-say

What India can Learn from the Snowden Revelations

elonnai — 2013-10-25T07:29:57Z

Big Brother is watching, across cyberspace and international borders. Meanwhile, the Indian government has few safeguards in theory and fewer in practice. There’s no telling how prevalent or extensive Indian surveillance really is.

The title of the article was changed in the version published by Yahoo on October 23, 2013.

Since the ‘Snowden revelations’, which uncovered the United States government’s massive global surveillance through the PRISM program, there have been reactions aplenty to their impact.

The Snowden revelations highlighted the issue of human rights in the context of the existing cross-border and jurisdictional nightmare: the data of foreign citizens surveilled and harvested by agencies such as the National Security Agency through programs such as PRISM are not subject to protection found in the laws of the country. Thus, the US government has the right to access and use the data, but has no responsibility in terms of how the data will be used or respecting the rights of the people from whom the data was harvested.

The Snowden revelations demonstrated that the biggest global surveillance efforts are now being conducted by democratically elected governments – institutions of the people, by the people, for the people – that are increasingly becoming suspicious of all people.

Adding irony to this worrying trend, Snowden sought asylum from many of the most repressive regimes: this dynamic speaks to the state of society today. The Snowden revelations also demonstrate how government surveillance is shifting from targeted surveillance, warranted for a specific reason and towards a specified individual, to blanket surveillance where security agencies monitor and filter massive amounts of information.

This is happening with few checks and balances for cross-border and domestic surveillance in place, and even fewer forms of redress for the individual. This is true for many governments, including India.

India’s reaction

After the first news of the Snowden revelations, the Indian Supreme Court agreed to hear a Public Interest Litigation requesting that foreign companies that shared the information with US security agencies be held accountable for the disclosure. In response to the PIL, the Supreme Court stated it did not have jurisdiction over the US government.

The response of the Supreme Court of India demonstrates the potency of jurisdiction in today’s global information economy in the context of governmental surveillance. Despite being upset at the actions of America’s National Security Agency (NSA), there is little direct legal action that any government or individual can take against the US government or companies incorporated there.

In the PIL, the demand that companies be held responsible is interesting and representative of a global debate, as it implies that in the context of governmental surveillance, companies have a responsibility to actively evaluate and reject or accept governmental surveillance requests. Although I do not disagree with this as a principle, in reality, this evaluation is a difficult step for companies to take.

For example, in India, under Section 69 of the Information Technology Act, 2000, service providers are penalized with up to seven years in prison for non-compliance with a governmental request for surveillance. The incentives for companies to actually reject governmental requests are minimal, but one factor that could possibly push companies to become more pronounced in their resistance to installing backdoors for the government and complying with governmental surveillance requests is market pressure from consumers.

To a certain extent, this has already started to happen. Companies such as Facebook, Yahoo and Google have created ‘transparency reports’ that provide – at different granularities – information about governmental requests and the company’s compliance or rejection of the same.

In India, P. Rajeev, Member of Parliament from Kerala, has started a petition asking that the companies disclose information on Indian data given to US security agencies. Although transparency by complying companies does not translate directly into regulation of surveillance, it allows the customer to make informed choices and decide whether a company’s level of compliance with governmental requests will impact his/her use of that service.

The PIL also called for the establishment of Indian servers to protect the privacy of Indian data. This solution has been voiced by many, including government officials. Though the creation of domestic servers would ensure that the US government does not have direct and unfettered access to Indian data, as it would require that foreign governments access Indian information through a formal Mutual Legal Assistance Treaty process, it does not necessarily enhance the privacy of Indian data.

As a note, India has MLAT treaties with 34 countries. If domestic servers were established, the information would be subject to Indian laws and regulations.

Snooping

The Snowden Revelations are not the first instance to spark a discussion on domestic servers by the Government of India.

For example, in the back-and-forth between the Indian government and the Canadian company RIM, now BlackBerry, the company eventually set up servers in Mumbai and provided a lawful interception solution that satisfied the Indian government. The Indian government made similar demands from Skype and Google. In these instances, the domestic servers were meant to facilitate greater surveillance by Indian law enforcement agencies.

Currently in India there are a number of ways in which the government can legally track data online and offline. For example, the interception of telephonic communications is regulated by the Indian Telegraph Act, 1885, and relies on an order from the Secretary to the Ministry of Home Affairs. Interception, decryption, and monitoring of digital communications are governed by Section 69 of the Information Technology Act, 2000 and again rely on the order of the executive.

The collection and monitoring of traffic data is governed by Section 69B of the Information Technology Act and relies on the order of the Secretary to the government of India in the Department of Information Technology. Access to stored data, on the other hand, is regulated by Section 91 of the Code of Criminal Procedure and permits access on the authorization of an officer in charge of a police station.

The gaps in the Indian surveillance regime are many and begin with a lack of enforcement and harmonization of existing safeguards and protocols. Presently, India is in the process of realizing a privacy legislation.

In 2012, a committee chaired by Justice AP Shah (of which the Center for Internet and Society was a member) wrote The Report of the Group of Experts on Privacy, which laid out nine national privacy principles meant to be applied to different legislation and sectors – including Indian provisions on surveillance.

The creation of domestic servers is just one example of how the Indian government has been seeking greater access to information flowing within its borders. New requirements for Indian service providers and the creation of projects that go beyond the legal limits of governmental surveillance in India enable greater access to details about an individual on a real-time and blanket basis.

For example, telecoms in India are now required to include user location data as part of the ‘call detail record’ and be able to provide the same to law enforcement agencies on request under provisions in the Unified Access Service and Internet Service Provider Licenses.

At the same time, the Government of India is in the process of putting in place a Central Monitoring System that would provide Indian security agencies the ability to directly intercept communications, bypassing the service provider.

Even if the Central Monitoring System were to adhere to the legal safeguards and procedures defined under the Indian Telegraph Act and Information Technology Act, the system can only do so partially, as both provisions create a clear chain of custody that the government and service providers must follow – that is, the service provider was included as an integral component of the interception process.

If the Indian government implements the Central Monitoring System, it could remove governmental surveillance completely from the public eye. Bypassing the service provider allows the government to fully determine how much the public knows about surveillance. It also removes the market and any pressure that consumers could exert from insight provided by companies on the surveillance requests that they are facing.

Though the Indian government could (and should) be transparent about the amount and type of surveillance it is undertaking, currently there is no legal requirement for the government of India to disclose this information, and security agencies are exempt from the Right to Information Act. Thus, unless India has a Snowden somewhere in the apparatus, the Indian public cannot hope to get an idea of how prevalent or extensive Indian surveillance really is.

Policy vacuum

For any government, the surveillance of its citizens, to some degree, might be necessary. But the Snowden revelations demonstrate that there is a vacuum when it comes to surveillance policy and practices. This vacuum has permitted draconian measures of surveillance to take place and created an environment of mistrust between citizens and governments across the globe.

When governments undertake surveillance, it is critical that the purpose, necessity and legality of monitoring, and the use of the material collected are built into the regime to ensure it does not violate the human rights of the people surveilled, foreign or domestic.

In 2013, the International Principles on the Application of Human Rights to Communications Surveillance were drafted, in part, to address this vacuum. The principles seek to explain how international human rights law applies to surveillance of communications in the current digital and technological environment. They define safeguards to ensure that human rights are protected and upheld when governments undertake surveillance of communications.

When the Indian surveillance regime is measured against these principles, it appears to miss a number of them, and does not fully meet several others. In the context of surveillance projects like the Central Monitoring System, and in order to avoid an Indian version of the PRISM program, India should take into consideration the safeguards defined in the principles and strengthen its surveillance regime to ensure not only the protection of human rights in the context of surveillance, but to also establish trust in its surveillance regime and practices with other countries.

Elonnai Hickok is the Program Manager for Internet Governance at the Centre for Internet and Society, and leads its research on privacy.

For more details visit https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations

What Does Facebook's Transparency Report Tell Us About the Indian Government's Record on Free Expression & Privacy?

pranesh — 2015-04-05T05:08:37Z

Given India's online population, the number of user data requests made by the Indian government aren't very high, but the number of content restriction requests are not only high on an absolute number, but even on a per-user basis.

Further, Facebook's data shows that India is more successful at getting Facebook to share user data than France or Germany. Yet, our government complains far more about Facebook's lack of cooperation with Indian authorities than either of those countries do. I think it unfair for any government to raise such complaints unless that government independently shows to its citizens that it is making legally legitimate requests.

Since the Prime Minister of India Shri Narendra Modi has stated that "transparency and accountability are the two cornerstones of any pro-people government", the government ought to publish a transparency report about the requests it makes to Internet companies, and which must, importantly, provide details about how many user data requests actually ended up being used in a criminal case before a court, as well as details of all their content removal requests and the laws under which each request was made.

At the same time, Facebook's Global Government Requests Report implicitly showcases governments as the main causes of censorship and surveillance. This is far from the truth, and it behoves Facebook to also provide more information about private censorship requests that it accedes to, including its blocking of BitTorrent links, it's banning of pseudonymity, and the surveillance it carries out for its advertisers.

For more details visit https://cis-india.org/internet-governance/blog/what-does-facebook-transparency-report-tell-us-about-indian-government-record-on-free-expression-and-privacy

Welcome to r@w blog!

sneha-pp — 2019-01-02T11:48:04Z

We from the researchers@work programme at the Centre for Internet and Society (CIS) are delighted to announce the launch of our new blog, hosted on Medium. It will feature works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media, and society; and highlights and materials from ongoing research and events at the researchers@work programme.

r@w blog: Visit (Medium)

A space for reflections on internet and society, r@w blog is also an attempt to facilitate conversations around contemporary debates and foster creative engagement with research and practice through text, images, sounds, videos, code, and other media forms offered by the internet.

r@w blog opens with an essay on ‘Information Offline: Labour, Surveillance, and Activism in the Indian IT & ITES Industry’ by Rianka Roy - as part of an essay series exploring social, economic, cultural, political, infrastructural, and aesthetic dimensions of the "offline" - and audio recording from a session titled #ILoveYou by Dhiren Borisa and Dhrubo Jyoti, which was part of the Internet Researchers’ Conference 2018 - #Offline.

We will publish our (including commissioned/supported) writings and works on this blog, as well as submitted and compiled materials. Please write to raw[at]cis-india[dot]org to submit your works to be considered for publication. Copyright to all material published on this blog are owned by CIS and author(s) concerned, and they are shared under Creative Commons Attribution 4.0 International license.

For more details visit https://cis-india.org/raw/welcome-to-raw-blog

We've come a long, long way together: building coalitions around the right to privacy

praskrishna — 2015-10-29T01:30:50Z

Our worldwide coalition against surveillance is expanding, reaching organisations across all continents and silos.

This article by Matthew Rice was published as part of an openDemocracy editorial partnership with the World Forum for Democracy. Centre for Internet and Society was mentioned.

In the wider civil society space, the opportunities for travel come thick and fast. From the multi-stakeholder perspective, the Internet Governance Forum will be held during November in João Pessoa, Brazil. There is the Stockholm Internet Forum in, naturally, Stockholm. In freedom of expression there is the International Freedom of Expression Exchange Strategy Conference in Trinidad & Tobago, while End Violence Against Women International's conference will be held in Washington in March 2016. What doesn't happen often is an opportunity for these weary travellers to meet in one place and discuss their backgrounds, their similarities, their differences. This is what excites me about the upcoming World Forum for Democracy, which will be organised by the Council of Europe in Strasbourg on 18-20 November 2015. It will be an occasion to meet new people, to bring more minds to think about how surveillance affects their work as well as them as individuals within our and their society, and to discover what the right to privacy means to them.

Building coalitions working on surveillance has reached a new stage. We now have a strong international network of organisations from diverse countries already representing an impressive array of stakeholders across disciplines. That took time and effort to build. The next phase is to push even further the diversity in background and discipline of organisations engaged in these debates as we advocate for the protection of the right to privacy as a fundamental human right.

NSA/GCHQ who?

While the focus of privacy and surveillance in the media has been on the deeply important Edward Snowden revelations, building a global network has provided an opportunity to move away from the simplified nexus of NSA and GCHQ. Casting an eye around the world we see organisations making gains in elevating their national discourse around privacy and pushing governments to make changes. In Pakistan, a successful challenge against the dangerously bad Prevention of Electronic Crime Bill because of its lack of inclusion of civil society in the debate led to the postponement of the bill and a consultation with the previously frozen out groups. Alongside this, exposing Pakistan's Inter-Security Intelligence agency's proposal for a mass surveillance system helped to drive national debate on what is a proportionate interference with the right to privacy, which involved local groups such as the Digital Rights Foundation, Bytes 4 All and Bolo Bhi.

In Colombia, the release of two investigative reports into the shadowy world of intelligence agencies has provided organisations in the country with the opportunity to question their own representatives about their knowledge of surveillance capabilities. A meeting of the intelligence commission, the committee that oversees the work of Colombian intelligence agencies, in early October was too coincidental to not have been influenced by the work of organisations like the Karisma Foundation in beginning discussions with lawmakers directly and delivering the reports to the relevant stakeholders.

Only five years ago, these stories of civil society stirring debates on privacy and national security wouldn't have been possible.

It has taken years for this global network to form. Privacy International began the conversation through work in Asia in mid-2008. This is often referred to as the first time that the right to privacy had been discussed with organisations in the region, such as the Centre for Internet and Society in India, or the Foundation for Media Alternatives in the Philippines. Those first conversations have come a long way, as shown by the development of initiatives like the International Principles on the Application of Human Rights to Communications Surveillance, which has been signed by 420 organisations from around the world, as well as the expansion of Privacy International across continents from Latin America to Africa and Asia.

Discovering new allies

Establishing this global network required the identification of an ideal type of partnering organisation. It was to be either engaged in research or activism, with a focus on policy relating to modern forms of communication like the internet. An interest in law, the state, and the effect of the private sector helped too. Now, this ideal type is being rewritten, expanded with new characteristics.

Coalition development is in a new phase. Groups outside of the field of internet governance and 'digital rights' are now becoming involved in the debate about privacy and surveillance. In Britain, the role of organisations focused on victim support and child protection are starting to taking an active role in the discussions about the forthcoming Investigatory Powers Bill, which will spell out the powers of the security services to conduct surveillance and associated safeguards. Other civil society actors will be represented in the coalition Don't Spy On Us, which includes organisations such as Privacy International, Open Rights Group, Liberty, Big Brother Watch, Article 19 and English PEN, and which has helped to expand the base of participants in the discussions.

Journalist groups have been growing in their presence also. Press Gazette's Save Our Sources campaign focused on the protection of the anonymity of sources after the unlawful use of the Regulation of Investigatory Powers Act to identify the source of a story from The Sun. The National Union of Journalists has also been running a campaign on these issues for over a year.

The global network has continued to expand its address book too. In Chile, Derechos Digitales has been reaching out to indigenous communities threatened with displacement from their land to discuss the effect surveillance has had on their work. Meanwhile, in South Africa, the Right 2 Know Campaign published a series of case studies on the harassment of various activists, community leaders, think tanks and local unions by intelligence agencies.

These past few years have shown groups from different professional backgrounds and operating at different scales, either nationally or internationally, have become more engaged in the topic of surveillance. This is both a natural and a necessary development. As our lives are increasingly dependent upon the use of technology to communicate, and the devices we carry broadcast information about us even when we are not using them, the discussion on privacy and surveillance needs to reach all areas of society.

The idea to be presented at the World Forum for Democracy is built on the back of this international movement. Currently, national jurisdictions around the world make a distinction between the communications of a national and those of a non-national, and afford them with different human rights protection. In our increasingly interconnected world, this distinction is a big hurdle to the realisation of a meaningful right to privacy, without discrimination. By introducing a right to privacy through interference based jurisdiction – where states owe a negative obligation not to interfere with a person’s communication – our right to privacy will travel with the communications we send.

The success of this idea requires a worldwide, international movement with diverse voices, who will work towards this change using the skills and experiences acquired in their own work, whether that is through strategic litigation, policy development or community organising. All skills and approaches have a role to play in realising the right to privacy across the world.

As I look at the programme for the World Forum for Democracy, and at the different Labs to be held, I see an opportunity to continue to expand this coalition, as well as to learn from other groups’ experiences of building similar movements. Labs organised by interfaith, intercultural, or anti-hate groups bring together people that Privacy International would not normally cross paths with. Meeting new ideas and perspectives on how to achieve change – this is where creativity sparks.

The past few years have exposed Privacy International’s area of work to different cultures, different contexts and different challenges. It has been for the better. The participation of PI, along with some of its partners, in the World Forum for Democracy appears set to carry on this trend.

For more details visit https://cis-india.org/internet-governance/news/open-democracy-matthew-rice-

We need a better AI vision

basu — 2019-10-14T13:55:59Z

Artificial intelligence conjures up a wondrous world of autonomous processes but dystopia is inevitable unless rights and privacy are protected.

The blog post by Arindrajit Basu was published by Fountainink on October 12, 2019.

he dawn of Artificial Intelligence (AI) has policy-makers across the globe excited. In India, it is seen as a tool to overleap structural hurdles and better understand a range of organisational and management processes while improving the implementation of several government tasks. Notwithstanding the apparent enthusiasm in the government and private sectors, an adequate technological, infrastructural, and financial capacity to develop these models at scale is still in the works.

A number of policy documents with direct or indirect references to India’s AI future—to be powered by vast troves of data—have been released in the past year and a half. These include the National Strategy for Artificial Intelligence (which I will refer to as National Strategy) authored by NITI Aayog, the AI Taskforce Report, Chapter 4 of the Economic Survey, the Draft e-Commerce Bill and the Srikrishna Committee Report.

While they extol the virtues of data-driven analytics, references to the preservation or augmentation of India’s constitutional ethos through AI has been limited though it is crucial for safeguarding the rights and liberties of citizens while paving the way for the alleviation of societal oppression.

In this essay, I outline the variety of AI use cases that are in the works. I then highlight India’s AI vision by culling the relevant aspects of policy instruments that impact the AI ecosystem and identify lacunae that can be rectified. Finally, I attempt to “constitutionalise AI policy” by grounding it in a framework of constitutional rights that guarantee protection to the most vulnerable sections of society.

In the manufacturing industry, AI adoption is not uniform across all sectors. But there has been a notable transformation in electronics, heavy electricals and automobiles.

It is crucial to note that these cases, still emerging in India, have been implemented at scale in other countries such as the United Kingdom, United States and China. Projects were rolled out to the detriment of ethical and legal considerations. Hindsight should make the Indian policy ecosystem much wiser. By closely studying the research produced in these diverse contexts, Indian policy-makers should try to find ways around the ethical and legal challenges that cropped up elsewhere and devise policy solutions that mitigate the concerns raised.

***

Before anything else we need to define AI—an endeavour fraught with multiple contestations. My colleagues and I at the Centre for Internet & Society ducked this hurdle when conducting our research by adopting a function-based approach. An AI system (as opposed to one that automates routine, cognitive or non-cognitive tasks) is a dynamic learning system that allows for the delegation of some level of human decision-making to the system. This definition allows us to capture some of the unique challenges and prospects that stem from the use of AI.

The research I contributed to at CIS identified key trends in the use of AI across India. In healthcare, it is used for descriptive and predictive purposes.

For example, the Manipal Group of Hospitals tied up with IBM’s Watson for Oncology to aid doctors in the diagnosis and treatment of seven types of cancer. It is also being used for analytical or diagnostic services. Niramai Health Analytix uses AI to detect early stage breast cancer and Adveniot Tecnosys detects tuberculosis through chest X-rays and acute infections using ultrasound images. In the manufacturing industry, AI adoption is not uniform across all sectors. But there has been a notable transformation in the electronics, heavy electricals and automobiles sector gradually adopting and integrating AI solutions into their products and processes.

It is also used in the burgeoning online lending segment in order to source credit score data. As many Indians have no credit scores, AI is used to aggregate data and generate scores for more than 80 per cent of the population who have no credit scores. This includes Credit Vidya, a Hyderabad-based data underwriting start-up that provides a credit score to first time loan-seekers and feeds this information to big players such as ICICI Bank and HDFC Bank, among others. It is also used by players such as Mastercard for fraud detection and risk management. In the finance world, companies such as Trade Rays are being used to provide user-friendly algorithmic trading services.

AI is also being increasingly used in the education sector for providing services to students such as decision-making assistance and also for student-progress monitoring.

The next big development is in law enforcement. Predictive policing is making great strides in various states, including Delhi, Punjab, Uttar Pradesh and Maharashtra. A brainchild of the Los Angeles Police Department, predictive policing is the use of analytical techniques such as Machine Learning to identify probable targets for intervention to prevent crime or to solve past crime through statistical predictions.

Conventional approaches to predictive policing start with the mapping of locations where crimes are concentrated (hot spots) by using algorithms to analyse aggregated data sets. Police in Uttar Pradesh and Delhi have partnered with the Indian Space Research Organisation (ISRO) in a Memorandum of Understanding to allow ISRO’s Advanced Data Processing Research Institute to map, visualise and compile reports about crime-related incidents.

There are aggressive developments also on the facial recognition front. Punjab Police, in association with Gurugram-based start-up Staqu has started implementing the Punjab Artificial Intelligence System (PAIS) which uses digitised criminal records and automated facial recognition to retrieve information on the suspected criminal. At the national level, on June 28, the National Crime Records Bureau (NCRB) called for tenders to implement a centralised Automated Facial Recognition System (AFRS), defining the scope of work in broad terms as the “supply, installation and commissioning of hardware and software at NCRB.”

AI is also being increasingly used in the education sector for providing services to students such as decision-making assistance and also for student-progress monitoring. The Andhra Pradesh government had started collecting information from a range of databases and processes the information through Microsoft’s Machine Learning Platform to monitor children and devote student focussed attention on identifying and curbing school drop-outs.

In Andhra Pradesh, Microsoft collaborated with the International Crop Institute for Semi-Arid Tropics (ICRISAT) to develop an AI Sowing App powered by Microsoft’s Cortana Intelligence Suite. It aggregated data using Machine Learning and sent advisories to farmers regarding optimal dates to sow. This was done via text messages on feature phones after ground research revealed that not many farmers owned or were able to use smart phones. The NITI Aayog AI Strategy specifically cited this use case and reported that this resulted in a 10-30 per cent increase in crop yield. The government of Karnataka has entered into a similar arrangement with Microsoft.

Finally, in the defence sector, our research found enthusiasm for AI in intelligence, surveillance and reconnaissance (ISR) functions, cyber defence, robot soldiers, risk terrain analysis and moving towards autonomous weapons systems. These projects are being developed by the Defence Research and Development Organisation but the level of trust and support in AI-driven processes reposed by the wings of the armed forces is yet to be publicly clarified. India also had the privilege of leading the global debate on Lethal Autonomous Weapons Systems (LAWS) with Amandeep Singh Gill chairing the United Nations Group of Governmental Experts (UN-GGE) on the issue. However, ‘lethal’ autonomous weapons systems at this stage appear to be a speck in the distant horizon.

***

Along with the range of use cases described above, a patchwork of policy imperatives is emerging to support this ecosystem. The umbrella document is the National Strategy for Artificial Intelligence published by the NITI Aayog in June 2018. Despite certain lacunae in its scope, the existence of a cohesive and robust document that lends a semblance of certainty and predictability to a rapidly emerging sphere is in itself a boon. The document focuses on how India can leverage AI for both economic growth and social inclusion. The contents of the document can be divided into a few themes, many of which have also found their way into multiple other instruments.

NITI Aayog provides over 30 policy recommendations on investment in scientific research, reskilling, training and enabling the speedy adoption of AI across value chains. The flagship research initiative is a two-tiered endeavour to boost AI research in India. First, new centres of research excellence (COREs) will develop fundamental research. The COREs will act as feeders for international centres for transformational AI which will focus on creating AI-based applications across sectors.

This is an impressive theoretical objective but questions surrounding implementation and structures of operation remain to be answered. China has not only conceptualised an ecosystem but through the Three Year Action Plan to Promote the Development of New Generation Artificial Intelligence Industry, it has also taken a whole-of-government approach to propelling the private sector to an e-leadership position. It has partnered with national tech companies and set clear goals for funding, such as the $2.1 billion technology park for AI research in Beijing.

The contents of the NITI document can be divided into a few themes, many of which have also found their way into multiple other instruments. First, it proposes an “AI+X” approach that captures the long-term vision for AI in India. Instead of replacing the processes in their entirety, AI is understood as an enabler of efficiency in processes that already exist. NITI Aayog therefore looks at the process of deploying AI-driven technologies as taking an existing process (X) and adding AI to them (AI+X). This is a crucial recommendation all AI projects should heed. Instead of waving AI as an all-encompassing magic wand across sectors, it is necessary to identify specific gaps AI can seek to remedy and then devise the process underpinning this implementation.

A cacophony of policy instruments by multiple government departments seeks to reconceptualise data to construct a theoretical framework that allows for its exploitation for AI-driven analytics.

The AI-driven intervention to develop sowing apps for farmers in Karnataka and Andhra Pradesh are examples of effective implementation of this approach. Instead of other knee-jerk reactions to agrarian woes such as a hasty raising of Minimum Support Price, effective research was done in this use-case to identify a lack of predictability in weather patterns as a key factor in productive crop yields. They realised that aggregation of data through AI could provide farmers with better information on weather patterns. As internet penetration was relatively low in rural Karnataka, text messages to feature phones that had a far wider presence was indispensable to the end game.

***

This is in contrast to the ill-conceived path adopted by the Union ministry of electronics and information technology in guidelines for regulating social media platforms that host content (“intermediaries”). Rule 3(9) of the Draft of the Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 mandates intermediaries to use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content”.

Proposed in light of the fake news menace and the unbridled spread of “extremist” content online, the use of the phrase “automated tools or appropriate mechanisms” is reflective of an attitude that fails to consider ground realities that confront companies and users alike. They ignore, for instance, the cost of automated tools: whether automated content moderation techniques developed in the West can be applied to Indic languages or grievance redress mechanisms users can avail of if their online speech is unduly restricted. This is thus a clear case of the “AI” mantra being drawn out of a hat without studying the “X” it is supposed to remedy.

The second focus of the National Strategy that has since morphed into a technology policy mainstay across instruments is on data governance, access and utilisation. The document says the major hurdle to the large scale adoption of AI in India is the difficulty in accessing structured data. It recommends developing big annotated data sets to “democratise data and multi-stakeholder marketplaces across the AI value chain”. It argues that at present only one per cent of data can be analysed as it exists in various unconnected silos. Through the creation of a formal market for data, aggregators such as diagnostic centres in the healthcare sector would curate datasets and place them in the market, with appropriate permissions and safeguards. AI firms could use available datasets rather than wasting effort sourcing and curating the sets themselves.

A cacophony of policy instruments by multiple government departments seeks to reconceptualise data to construct a theoretical framework that allows for its exploitation for AI-driven analytics.The first is “community data” and appears both in the Srikrishna Report that accompanied the draft Data Protection Bill in 2018 and the draft e-commerce policy.

But there appears to be some conflict between its usage in the two. Srikrishna endorses a collective protection of privacy by protecting an identifiable community that has contributed to community data. This requires the fulfilment of three key conditions: first, the data belong to an identifiable community; second, individuals in the community consent to being a part of it, and third, the community as a whole consents to its data being treated as community data. On the other hand, the Department of Promotion of Industry and Internal Trade’s (DPIIT) draft e-commerce policy looks at community data as “societal commons” or a “national resource” that gives the community the right to access it but government has ultimate and overriding control of the data. This configuration of community data brings into question the consent framework in the Srikrishna Bill.

The government’s attempt to harness data as a national resource for the development of AI-based solutions may be well-intentioned but is fraught with core problems in implementation.

The matter is further confused by treating “data as a public good”. This is projected in Chapter 4 of the 2019 Economic Survey published by the Ministry of Finance. It explicitly states that any configuration needs to be deferential to privacy norms and the upcoming privacy law. The “personal data” of an individual in the custody of a government is also a “public good” once the datasets are anonymised. At the same time, it pushes for the creation of a government database that links several individual databases, which leads to the “triangulation” problem, where matching different datasets together allows for individuals to be identified despite their anonymisation in seemingly disparate databases.

“Building an AI ecosystem” was also one of the ostensible reasons for data localisation—the government’s gambit to mandate that foreign companies store the data of Indian citizens within national borders. In addition to a few other policy instruments with similar mandates, Section 40 of the Draft Personal Data Protection Bill mandates that all “critical data” (this is to be notified by the government) be stored exclusively in India. All other data should have a live, serving copy stored in India even if transfer abroad is allowed. This was an attempt to ensure foreign data processors are not the sole beneficiaries of AI-driven insights.

The government’s attempt to harness data as a national resource for the development of AI-based solutions may be well intentioned but is fraught with core problems in implementation. First, the notion of data as a national resource or as a public good walks a tightrope with constitutionally guaranteed protections around privacy, which will be codified in the upcoming Personal Data Protection Bill. My concerns are not quite so grave in the case of genuine “public data” like traffic signal data or pollution data. However, the Economic Survey manages to crudely amalgamate personal data into the mix.

It also states that personal data in the custody of a government is a public good once the datasets are anonymised. This includes transactions data in the User Payments Interface (UPI), administrative data including birth and death records, and institutional data including data in public hospitals or schools on pupils or patients. At the same time, it pushes for a government database that will lead to the triangulation problem outlined above. The chapter also suggests that said data may be sold to private firms (unclear if this includes foreign or domestic firms). This not only contradicts the notion of public good but is also a serious threat to the confidentiality and security of personal data.

***

Therefore, along with the concerted endeavour to create data marketplaces, it is crucial for policy-makers to differentiate between public data and personal data individuals may consent to be made public. The parameters for clearly defining free and informed consent, as codified in the Draft Personal Data Protection Bill need to be strictly followed as there is a risk of de-anonymisation of data once it finds its way into the marketplace. Second, it is crucial for policy-makers to define clearly a community and parameters for what constitutes individual consent to be part of a community. Finally, along with technical work on setting up a national data marketplace, there must be protracted efforts to guarantee greater security and standards of anonymisation.

The National Strategy mentions that India should position itself as a “garage” for AI in emerging economies. This could mean Indian citizens are used as guinea pigs for AI-driven solutions at the cost of their rights.

Assuming that a constitutionally valid paradigm may be created, the excessive focus on data access by tech players dodges the question of the capabilities of analytic firms to process this data and derive meaningful insights from the information. Scholars on China, arguably the poster-child of data-driven economic growth, have sent mixed messages. Ding argues that despite having half the technical capabilities of the US, easy access to data gives China a competitive edge in global AI competition. On the contrary, Andrew Ng has argued that operationalising a sufficient number of relevant datasets still remains a challenge. Ng’s views are backed up by insiders at Chinese tech giant Tencent who say the company still finds it difficult to integrate data streams due to technical hurdles. NITI Aayog’s idea of a multi-stream data marketplace may theoretically be a solution to these potential hurdles but requires sustained funding and research innovation to be converted into reality.

The National Strategy suggests that government should create a multi-disciplinary committee to set up this marketplace and explore levers for its implementation. This is certainly the need of the hour. It also rightly highlights the importance of research partnerships between academia and the private sector, and the need to support start-ups. There is therefore an urgent need for innovative allied policy instruments that support the burgeoning start-up sector. Proposals such as data localisation may hurt smaller players as they will have to bear the increased fixed costs of setting up or renting data centres.

The National Strategy also incongruously mentions that India should position itself as a “garage” for the use of AI in emerging economies. This could mean Indian citizens are used as guinea pigs for AI-driven solutions at the cost of their fundamental rights. It could also imply that India should occupy a leadership position and work with other emerging economies to frame the global rights based discourse to seek equitable solutions for the application of AI that works to improve the plight of the most vulnerable in society.

***

Our constitutional ethos places us in a unique position to develop a framework that enables the actualisation of this equitable vision—a goal the policy instruments put out thus far appear to have missed. While the National Strategy includes a section on privacy, security and ethical implications of AI, it stops short of rooting it in fundamental rights and constitutional principles. As a centralised policy instrument, the National Strategy deserves praise for identifying key levers in the future of India’s AI ecosystem and, with the exception of the concerns I outlined above, it is at par with the policy-making thought process in any other nation.

When we start the process of using constitutional principles for AI governance, we must remember that as per Article 12, an individual can file a writ against the state for violation of a fundamental right if the action is taken under the aegis of a “public function”. To combat discrimination by private actors, the state can enact legislation compelling private actors to comply with constitutional mandates. In July, Rajeev Chandrashekhar, a Rajya Sabha MP, suggested a law to combat algorithmic discrimination along the lines of the Algorithmic Accountability Bill proposed in the US Senate. There are three core constitutional questions along the lines of the “golden triangle” of the Indian Constitution any such legislation will need to answer—those of accountability and transparency, algorithmic discrimination and the guarantee of freedom of expression and individual privacy.

Algorithms are developed by human beings who have their own cognitive biases. This means ostensibly neutral algorithms can have an unintentional disparate impact on certain, often traditionally disenfranchised groups.

In the MIT Technology Review, Karen Hao explains three stages at which bias might creep in. The first stage is the framing of the problem itself. As soon as computer scientists create a deep-learning model, they decide what they want the model to finally achieve. However, frequently desired outcomes such as “profitability”, “creditworthiness” or “recruitability” are subjective and imprecise concepts subject to human cognitive bias. This makes it difficult to devise screening algorithms that fairly portray society and the complex medley of identities, attributes and structures of power that define it.

The second stage Hao mentions is the data collection phase. Training data could lead to bias if it is unrepresentative of reality or represents entrenched prejudice or structural inequality. For example, most Natural Language Processing systems used for Parts of Speech (POS) tagging in the US are trained on the readily available data sets from the Wall Street Journal. Accuracy would naturally decrease when the algorithm is applied to individuals—largely ethnic minorities—who do not mimic the speech of the Journal.

According to Hao, the final stage for algorithmic bias is data preparation, which involves selecting parameters the developer wants the algorithm to consider. For example, when determining the “risk-profile” of car owners seeking insurance premiums, geographical location could be one parameter. This could be justified by the ostensibly neutral argument that those residing in inner-city areas with narrower roads are more likely to have scratches on their vehicles. But as inner cities in the US have a disproportionately high number of ethnic minorities or other vulnerable socio-economic groups, “pin code” becomes a facially neutral proxy for race or class-based discrimination.

***

The right to equality has been carved into multiple international human rights instruments and into the Equality Code in Articles 14-18 of the Indian Constitution. The dominant approach to interpreting the right to equality by the Supreme Court has been to focus on “grounds” of discrimination under Article 15(1), thus resulting in a lack of recognition of unintentional discrimination and disparate impact.

A notable exception, as constitutional scholar Gautam Bhatia points out, is the case of N.M. Thomas which pertained to reservation in promotions. Justice Mathew argued that the test for inequality in Article 16(4) is an effects-oriented test independent of the formal motivation underlying a specific act. Justice Krishna Iyer and Mathew also articulated a grander vision wherein they saw the Equality Code as transcending the embedded individual disabilities in class driven social hierarchies. This understanding is crucial for governing data driven decision-making that impacts vulnerable communities. Any law or policy on AI-related discrimination must also include disparate impact within its definition of “discrimination” to ensure that developers think about the adverse consequences even of well-intentioned decisions.

AI driven assessments have been challenged on grounds of constitutional violations in other jurisdictions. In 2016, the Wisconsin Supreme Court considered the legality of using risk assessment tools such as COMPAS for sentencing criminals. It affirmed the trial court’s findings and held that using COMPAS did not violate constitutional due process standards. Eric Loomis had argued that using COMPAS infringed both his right to an individualised sentence and to accurate information as COMPAS provided data for specific groups and kept the methodology used to prepare the report a trade secret. He additionally argued that the court used unconstitutional gendered assessments as the tool used gender as one of the parameters.

The Wisconsin Supreme Court disagreed with Loomis arguing that COMPAS only used publicly available data and data provided by the defendant, which apparently meant Loomis could have verified any information contained in the report. On the question of individualisation, the court argued that COMPAS provided only aggregate data for groups similarly placed to the offender. However, it went on to argue as the report was not the sole basis for a decision by the judge, a COMPAS assessment would be sufficiently individualised as courts retained the discretion and information necessary to disagree.

By assuming that Loomis could have genuinely verified all the data collected about similarly placed groups and that judges would exercise discretion to prevent the entrenchment of inequalities through COMPAS’s decision-making patterns, the judges ignored social realities. Algorithmic decision-making systems are an extension of unequal decision-making that re-entrenches prevailing societal perceptions around identity and behaviour. An instance of discrimination cannot be looked at as a single instance but as one in a menagerie of production systems that define, modulate and regulate social existence.

The policy-making ecosystem needs, therefore, to galvanise the “transformative” vision of India’s democratic fibre and study existing systems and power structures AI could re-entrench or mitigate. For example, in the matter of bank loans there is a presumption against the credit-worthiness of those working in the informal sector. The use of aggregated decision-making may lead to more equitable outcomes given that there is concrete thought on the organisational structures making these decisions and the constitutional safeguards provided.

Most case studies on algorithmic discrimination in Virgina Eubanks’ Automating Inequality or Safiya Noble’s Algorithms of Oppression are based on western contexts. There is an urgent need for publicly available empirical studies on pilot cases in India to understand the contours of discrimination. Primary research questions should explore three related subjects. Are specified ostensibly neutral variables being used to exclude certain communities from accessing opportunities and resources or having a disproportionate impact on their civil liberties? Is there diversity in the identities of the coders themselves? Are the training data sets used representative and diverse and, finally, what role does data driven decision-making play in furthering the battle against embedded structural hierarchies?

***

A key feature of AI-driven solutions is the “black box” that processes inputs and generates actionable outputs behind a veil of opacity to the human operator. Essentially, the black box denotes that aspect of the human neural decision-making function that has been delegated to the machine. A lack of transparency or understanding could lead to what Frank Pasquale terms a “Black Box Society” where algorithms define the trajectories of daily existence unless “the values and prerogatives of the encoded rules hidden within black boxes” are challenged.

Ex-post facto assessment is often insufficient for arriving at genuine accountability. For example, the success of predictive policing in the US was drawn from the fact that police have indeed found more crimes in areas deemed “high risk”. But this assessment does not account for the fact that this is a product of a vicious cycle through which more crime is detected in an area simply because more policemen are deployed. Here, the National Strategy rightly identifies that simply opening up code may not deconstruct the black box as not all stakeholders impacted by AI solutions may understand the code. The constant aim should be explicability which means the human developer should be able to explain how certain factors may be used to arrive at a certain cluster of outcomes in a given set of situations.

The requirement of accountability stems from the Right to Life provision under Article 21. As stated in the seven-judge bench in Maneka Gandhi vs. Union of India, any procedure established by law must be seen to be “fair, just and reasonable” and not “fanciful, oppressive or arbitrary.”

The Right to Privacy was recognised as a fundamental right by the nine-judge bench in K.S. Puttaswamy (Retd.) vs. Union of India. Mass surveillance can lead to the alteration of behavioural patterns which may in turn be used for the suppression of dissent by the State. Pulling vast tracts of data on all suspected criminals—as in facial recognition systems like PAIS—create a “presumption of criminality” that can have a chilling effect on democratic values.

Therefore, any use, particularly by law enforcement would need to satisfy the requirements for infringing on the right to privacy: the existence of a law, necessity—a clearly defined state objective—and proportionality between the state object and the means used restricting fundamental rights the least. Along with centralised policy instruments such as the National Strategy, all initiatives taken in pursuance of India’s AI agenda must pay heed to the democratic virtues of privacy and free speech and their interlinkages.

India needs a law to regulate the impact of Artificial Intelligence and enable its development without restricting fundamental rights. However, regulation should not adopt a “one-size-fits-all” approach that views all uses with the same level of rigidity. Regulatory intervention should be based on questions around power asymmetries and the likelihood of the use case adversely affronting human dignity captured by India’s constitutional ethos.

As an aspiring leader in global discourse, India can lay the rules of the road for other emerging economies not only by incubating, innovating and implementing AI powered technologies but by grounding it in a lattice of rich constitutional jurisprudence that empowers the individual.

The High Level Task Force on Artificial Intelligence (AI HLEG) set up by the European Commission in June 2018 published a report on “Ethical Guidelines for Trustworthy AI” earlier this year. They feature seven core requirements which include human agency and oversight; technical robustness and safety; privacy and data governance; transparency; diversity, non-discrimination and fairness; societal and environmental well-being; and accountability. While the principles are comprehensive, this document stops short of referencing any domestic or international constitutional law that helps cement these values. The Indian Constitution can help define and concretise each of these principles and could be used as a vehicle to foster genuine social inclusion and mitigation of structural injustice through AI.

At the centre of the vision must be the inherent rights of the individual. The constitutional moment for data driven decision-making emerges therefore when we conceptualise a way through which AI can be utilised to preserve and improve the enforcement of rights while also ensuring that data does not become a further avenue for exploitation.

National vision transcends the boundaries of policy and to misuse Peter Drucker, “eats strategy for breakfast”. As an aspiring leader in global discourse, India can lay the rules of the road for other emerging economies not only by incubating, innovating and implementing AI powered technologies but by grounding it in a lattice of rich constitutional jurisprudence that empowers the individual, particularly the vulnerable in society. While the multiple policy instruments and the National Strategy are important cogs in the wheel, the long-term vision can only be framed by how the plethora of actors, interest groups and stakeholders engage with the notion of an AI-powered Indian society.

For more details visit https://cis-india.org/internet-governance/blog/fountain-ink-october-12-2019-arindrajit-basu-we-need-a-better-ai-vision

We are anonymous, we are legion

sunil — 2012-03-21T09:38:56Z

Online anonymity is vital for creativity and entrepreneurship on the Web, writes Sunil Abraham. The article was published in the Hindu on April 18, 2011.

During his keynote at the International World Wide Web Conference recently, Sir Tim Berners-Lee argued for the preservation of online anonymity as a safeguard against oppression. This resonated with his audience in Hyderabad, given the recent uproar in the Indian blogosphere and twitterverse around the IT Act (Amendment 2008) and the recently published associated rules for intermediaries and cyber cafes.

Over time, there has been a dilution of standards for blanket surveillance. The Telegraph Act allowed for blanket surveillance of phone traffic only as the rarest of exceptions. The IT Act and the ISP licence on the other hand, authorise and require ISPs and cyber cafes to undertake blanket surveillance as the norm in the form of data retention. The transaction database of the UID (Unique Identification Number) project will log of all our interactions with the government, private sector and other citizens; all these are frightening developments for freedom of expression in general and anonymous speech in particular.

Anonymous speech is a necessary pre-condition for democratic and open governance, free media, protection of whistle-blowers and artistic freedom. On many controversial areas of policy formulation, it is usually anonymous officials from various ministries making statements to the press. Would mapping UIDs to IP address compromise the very business of government? A traditional newspaper may solicit anonymous tips regarding an ongoing investigative journalism campaign through their website.

Would data retention by ISPs expose their anonymous sources? Whistle-blowers usually use public Wi-Fi or cyber cafes because they don't want their communications traced back to residential or official IP addresses. Won't the ban on open public Wi-Fi networks and the mandatory requirement for ID documents at cyber cafes jeopardise their safety significantly? Throughout history, great art has been produced anonymously or under a nom de plume. Will the draft Intermediary Due Diligence Rules, which prohibits impersonation even if it is without any criminal intent, result in artists sanitising their art into banality?

Anonymous speech online is facilitated by three forms of sharing — shared standards, shared software and shared identities. Shared or open standards such as asymmetric encryption and digital signatures allow for anonymous, private and yet authenticated communications. Shared software or Free/Open Source Software reassures all parties involved that there is no spy-ware or back door built into tools and technologies built around these standards.

Shared identities, unlike shared software and standards, is a cultural hack and, therefore, almost impossible to protect against. V for Vendetta, the graphic novel by Alan Moore gives us an insight into how this is could be done. The hero, V, hides his identity behind a Guy Fawkes mask. Towards the end of the novel, he couriers thousands of similar masks to the homes of ordinary citizens.

In the final showdown between V and the oppressive regime, these citizens use these masks to form an anonymous mob that confuses the security forces into paralysis. Shared identities online therefore, is the perfect counterfoil to digital surveillance.

As Dr. Berners-Lee spoke in Hyderabad, the Internet Rights and Principles Dynamic Coalition of the Internet Governance Forum released a list of 10 principles for online governance at the meeting convened by the UN Special Rapporteur on Freedom of Expression in Stockholm.

The fifth principle includes “freedom from surveillance, the right to use encryption, and the right to online anonymity”. One hopes that Gulshan Rai of CERT-IN will heed the advice provided by his international peers and amend the IT Act rules before they have a chilling effect on online creativity and entrepreneurship.

Read the article originally published in the Hindu, here

For more details visit https://cis-india.org/internet-governance/blog/online-anonymity

Way to watch

chinmayi — 2013-07-01T10:17:27Z

The domestic surveillance regime in India lacks adequate safeguards.

Chinmayi Arun's column was published in the Indian Express on June 26, 2013.

A petition has just been filed in the Indian Supreme Court, seeking safeguards for our right to privacy against US surveillance, in view of the PRISM controversy. However, we should also look closer home, at the Indian government's Central Monitoring System (CMS) and other related programmes. The CMS facilitates direct government interception of phone calls and data, doing away with the need to justify interception requests to a third party private operator. The Indian government, like the US government, has offered the national security argument to defend its increasing intrusion into citizens' privacy. While this argument serves the limited purpose of explaining why surveillance cannot be eliminated altogether, it does not explain the absence of any reasonably effective safeguards.

Instead of protecting our privacy rights from the domestic and international intrusions made possible by technological development, our government is working on leveraging technology to violate privacy with greater efficiency. The CMS infrastructure facilitates large-scale state surveillance of private communication, with very little accountability. The dangers of this have been illustrated throughout history. Although we do have a constitutional right to privacy in India, the procedural safeguards created by our lawmakers thus far offer us very little effective protection of this right.

We owe the few safeguards that we have to the intervention of the Supreme Court of India, in PUCL vs Union of India and Another. In the context of phone tapping under the Telegraph Act, the court made it clear that the right to privacy is protected under the right to life and personal liberty under Article 21 of the Constitution of India, and that telephone tapping would also intrude on the right to freedom of speech and expression under Article 19. The court therefore ruled that there must be appropriate procedural safeguards to ensure that the interception of messages and conversation is fair, just and reasonable. Since lawmakers had failed to create appropriate safeguards, the Supreme Court suggested detailed safeguards in the interim. We must bear in mind that these were suggested in the absence of any existing safeguards, and that they were framed in 1996, after which both communication technology and good governance principles have evolved considerably.

The safeguards suggested by the Supreme Court focus on internal executive oversight and proper record-keeping as the means to achieving some accountability. For example, interception orders are to be issued by the home secretary, and to later be reviewed by a committee consisting of the cabinet secretary, the law secretary and the secretary of telecommunications (at the Central or state level, as the case may be). Records are to be kept of details such as the communications intercepted and all the persons to whom the material has been disclosed. Both the Telegraph Act and the more recent Information Technology Act have largely adopted this framework to safeguard privacy. It is, however, far from adequate in contemporary times. It disempowers citizens by relying heavily on the executive to safeguard individuals' constitutional rights. Additionally, it burdens senior civil servants with the responsibility of evaluating thousands of interception requests without considering whether they will be left with sufficient time to properly consider each interception order.

The extreme inadequacy of this framework becomes apparent when it is measured against the safeguards recommended in the recent report on the surveillance of communication by Frank La Rue, the United Nations special rapporteur on the promotion and protection of the right to freedom of speech and expression. These safeguards include the following: individuals should have the legal right to be notified that they have been subjected to surveillance or that their data has been accessed by the state; states should be transparent about the use and scope of communication surveillance powers, and should release figures about the aggregate surveillance requests, including a break-up by service provider, investigation and purpose; the collection of communications data by the state, must be monitored by an independent authority.

The safeguards recommended by the special rapporteur would not undermine any legitimate surveillance by the state in the interests of national security. They would, however, offer far better means to ensure that the right to privacy is not unreasonably violated. The emphasis placed by the special rapporteur on transparency, accountability and independent oversight is important, because our state has failed to recognise that in a democracy, citizens must be empowered as far as possible to demand and enforce their rights. Their rights cannot rest completely in the hands of civil servants, however senior. There is no excuse for refusing to put these safeguards in place, and making our domestic surveillance regime transparent and accountable, in compliance with our constitutional and international obligations.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-june-26-2013-chinmayi-arun-way-to-watch

Watch: Aadhaar has become a whipping boy: Nandan Nilekani

praskrishna — 2017-05-19T09:54:52Z

India certainly needs a modern data privacy and protection law, Nilekani said in an interview.

The Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on May 13, 2017.

As debate rages over Aadhaar being a privacy and surveillance liability, its architect Nandan Nilekani says the unique identity programme has become a “whipping ward”. In an interview with Alnoor Peermohamed and Raghu Krishnan, he says we need a data protection and privacy law with adequate judicial and parliamentary oversight. Edited excerpts:

There is concern we are losing our privacy because of Aadhaar...

Privacy is an issue the whole world is facing, thanks to digitisation. The day you went from a feature phone to a smartphone the amount of digital footprint you left behind went up dramatically. The phone records your messages, it knows what you are saying, it has a GPS so it can tell anybody where you are, the towers can tell anybody where you are because they are constantly pinging the phone. There are accelerometers and gyroscopes in the phone that detect movement.

Internet companies essentially make money from data. They use data to sell you things or advertisements. And that data is not even in India, it is in some country in some unaccountable server and accessible to the government of that foreign country, not ours.

Then increasingly there is the Internet of Things. Your car has so many sensors, wearables have sensors and all of them are recording data and beaming it to somebody else. Then there are CCTV cameras everywhere, and today they are all IP-enabled.

So privacy is a global issue, caused by digitisation. Aadhaar is one small part of that. The system is designed not to collect information, because the first risk to privacy is if someone is collecting information. Aadhaar is a passive ID system, it just sits there and when you go somewhere and invoke it, it authenticates your identity. By design itself, it is built for privacy. I believe India needs a modern data privacy and protection law.

Why is Aadhaar being used as a proxy for the privacy and data protection issues?

It is a motivated campaign by people who are trying to find different ways to say something about it. Privacy is a much bigger issue. I have been talking about privacy much before anyone else. In 2010, when it was not such a big issue, I had written to Prime Minister Manmohan Singh saying we needed a data protection law. You could see what was happening, the iPhone came out on June 30, 2007, Android phones came around the time we started Aadhaar, so we could see the trend. I asked Rahul Matthan, a top intellectual property and data lawyer, to help and we worked with the government to come out with a draft law. And then there was the AP Shah Committee. The UIDAI’s DDG Ashok Pal Singh was a part of that committee, so we helped shape that policy.

When a banking application uses Aadhaar, the system does not know what the bank does. It is deliberately designed so that data is kept away from the core system.

I am all for a data protection law but we should look at it in context, look at the big picture. If people want to work together to create a data privacy law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.

Now that the government is linking Aadhaar to PAN and driver’s licences, will that not lead to Aadhaar being used as a surveillance tool?

Surveillance is conducted through a 24x7 system that knows what you are doing, so from a technology perspective the best surveillance device is your phone. The phone is the device you should worry about.

Aadhaar is not a 24x7 product. I buy one SIM card a year and do an e-KYC, the driver’s licence sits in my pocket and only sometimes someone asks for it. With the PAN card I file my returns only once a year.

But with all that data being linked, can the government not use it?

It is a valid concern and has to be addressed through a legal and oversight process. Aadhaar is just one technology. You do not attack the technology, you look at the overall picture.

The US has the Foreign Intelligence Surveillance Act under which special courts issue warrants to the FBI for surveillance. This is absolutely required and it should be a part of the data protection law (in India) which says under what circumstances the government can authorise surveillance.

Today mobile phones are being tapped by so many agencies. In the US, the FBI is under the oversight of the Senate. In India, Parliament does not have oversight of any intelligence agency. I remember (former Union minister) Manish Tewari had introduced a Bill six or seven years ago saying Intelligence agencies needed to be under the oversight of the Parliament, but nothing happened.

Is there any way to stop Aadhaar being used as a surveillance tool?

Today a person can be identified with or without Aadhaar. US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. Aadhaar by itself is not going to add anything to that. What is important is that the infrastructure of surveillance comes under judicial oversight as well as parliamentary oversight.

Would the Aadhaar narrative have been different if this were a Congress-led government?

I think most people making this noise are against the government, so it is a political argument and Aadhaar has become a convenient whipping ward. Lots of different agendas are at work here. But my understanding is this - whether it is data protection and privacy, surveillance or security, these are all broad issues that apply to technology in general and if you are serious about solving the issues you should fix it at the highest level and have a data protection and privacy law which includes, mobile phones, CCTV cameras and Aadhaar.

A report by the Centre for Internet and Society says 130 million Aadhaar identities have been leaked...

It is because of the transparency movement in the last 10 years. In 2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act says that data about benefits should be made public. At that time it was all about transparency. Since then, governments have been publishing lists of MNREGA beneficiaries and how much money is being put into their bank accounts. At that time it was applauded. Now the same thing is coming back as privacy being affected.

These are not leaks; governments have been consciously putting out the data in the interest of transparency. The message from this is we have to strike a balance between transparency and privacy. And that is a difficult balance because Section 4 of the RTI Act says if a benefit is provided by the government it is public information, so the names of beneficiaries should be published because it is taxpayers’ money.

There is something called personally identifiable information. You should strike a balance between transparency and not revealing personally identifiable information. That is a delicate balance, and people will have to figure this out. The risk you have now is governments will stop publishing data - look, you guys have made a big fuss about privacy, we will not publish. In fact, the transparency guys are now worried that all the gains are being lost.

If Aadhaar is voluntary, why is the government forcing it on to various schemes?

There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the Aadhaar Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use Aadhaar for benefits and what process they should follow.

The second thing is Aadhaar for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.

The government has modified the Finance Bill and made Aadhaar mandatory for a PAN card. Why has it done that? Because India has a large number of duplicate PAN cards. India has something like over 250 million PAN cards and only 40 million taxpayers. Some of those may be people who have taken PAN cards just as ID but not for tax purposes, but frankly it is also because a lot of people have duplicate PAN cards. Why do people have duplicates? That is a way of tax evasion. The only way you can eliminate duplicate PAN cards is by having Aadhaar as a way of establishing uniqueness.

The second thing is mobile phones. Here the mobile phone requirement came from the Supreme Court, where somebody filed a PIL saying so many mobile phones are being given to terrorists and therefore you need to do an e-KYC when the SIM is cut and the government said they would use Aadhaar and they have been asked to do it by 2018.

The third thing is driver’s licences. As (Union Transport Minister Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes. Now why is this important? Because when you have fake driver’s licences or multiple drivers’ licences, even if you are caught, you can give your fake licence and continue to drive. Today India is the country with the largest number of deaths on highways. Lack of enforcement, fake licences are all a problem. So in the latest Motor Vehicle Bill which was passed the government said Aadhaar was necessary to get a licence. So that you have just one driver’s licence, whether it is issued in Karnataka or Bihar, you have just one.

The government is also talking about using Aadhaar for the mid-day meal scheme...

If you talk to people on the ground, and I have spoken to people on the ground, a big part of the leakage is mid-day meals. It is not reaching children. So it is important that all this has to happen so children get what they need.

You engaged with governments and civil servants when you initiated the Aadhaar process. In hindsight, would you say you should have also engaged with civil society?

I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started Aadhaar we met governments, regulators and even parliamentarians. I gave a talk in Parliament and we engaged deeply with civil society. In fact, we had one volunteer only to engage with civil society.

You said you were engaged with the previous government about the data protection law. Are you engaging with the current one too?

I am not really engaging. I know that people are working on it and recently the attorney-general has made a statement in the Supreme Court that the government will bring in a data protection law by Diwali.

We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with Aadhaar?

The seeding of data in the Aadhaar database has to be done properly and that is a process. Authentication has been proven at scale in Andhra Pradesh. Millions of people receive food with Aadhaar authentication in 29,000 PDS outlets. In fact, now they have portability -- a person from Guntur can go to Vijayawada and get his rations. It is empowering. We keep forgetting about the empowering value.

What has the Andhra Pradesh government done? They have used fingerprints, but they also have used iris scans, OTP on phone, and they have a village revenue officer if none of the above works. When you design the system, you have to design it in a way that 100 per cent of the beneficiaries genuinely get the benefit. Andhra Pradesh has shown it can be done.

The government needs to package the learning and best practices of Andhra Pradesh and take it to every other state. It is an execution issue.

Activists have raised concerns over the centralised Aadhaar database...

How else would you establish uniqueness? If you are going to give a billion people a number, how else would you do it? Is there any other way of doing it? Every cloud is centralised, then we should not have cloud systems.

How do you ensure security standards and software are updated?

There are very good people there. The CEO is very good. There is a three-member executive board with chairman Satyanarayana and two members, Anand Deshpande and Rajesh Jain. I have no doubt that they will continue to improve things.

On security, you keep improving. It is a constant race everywhere in the world. They are now coming out with registered devices that will make it more difficult to spoof.

But without a centralised database, how do you establish that an identity is not two people? If you look at the team that designed this, cumulatively they have a few hundred years of experience of designing large systems around the world. Every design decision has been taken consciously looking at the pros and cons. Why did we have both fingerprints and iris scans? There are two reasons. One is to ensure uniqueness. The second is inclusion. We knew that fingerprints in India do not work all the time because of age and manual labour. So we included iris scans. I can give you a document from 2009 that says all of this. All of these things were thought through.

If you are given a chance to design Aadhaar today what would you do differently?

I would do exactly the same thing. Go back and look at the design document. Every design has been articulated, the pros and cons are written down, published on our website, and it is a highly transparent exercise. It is the appropriate design for the problem we are trying to solve. We are forgetting about the huge benefits people are getting. Crores of people are getting direct benefit transfer without hassle. They can go to a village business correspondent and withdraw money using Aadhaar. They can get their SIM card and open a bank account using e-KYC.

You are also forgetting that people are getting empowered. That portability has ensured the bargaining power has shifted from the PDS shop owner to the individual. If a PDS guy treats him badly, the individual can choose another shop, earlier he could not do that. The empowerment of millions of people to buy rations at the shop of their choice is extraordinary.

For more details visit https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani

WannaCry: ATMs not to shut down, clarifies RBI, but how safe are our machines?

praskrishna — 2017-05-19T06:30:49Z

SBI has denied there was any compromise in its ATMs.

The blog post by Soumya Chatterjee was published by Newsminute on May 16, 2017. Udbhav Tiwari was quoted.

In the wake of the onslaught by ransomware WannaCry across the globe, the Reserve Bank of India has denied that it has asked banks in the country to shut down ATMs despite multiple conflicting reports on the same.

Speaking to The News Minute, the central bank’s spokesperson clarified, “The RBI has not passed any circulars to banks on the issue. All circulars sent to banks by the RBI is on the official website if it’s not on the website that means there is no such circular.”

The State Bank of India, the largest consumer bank of India also denied any compromise in its ATMs.

“All our systems are updated as required. Some of those, we do it daily. There are two types of updates, one is at the server level and one at the machine level. Generally, server level updates are done on a daily basis because patches are released and these are managed centrally in addition to local firewalls. The ATM machines are updated typically once in 15 days that is when the maintenance engineers visit the sites, they carry the latest software patch with them. So, everything is updated, there is no problem regarding this. We have additional surveillance but none of the ATM networks in the world has been impacted," Mrityunjoy Mahapatra, CIO of SBI told TNM.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

“This particular vulnerability was exposed by the WikiLeaks in March saying that the US' NSA was using this vulnerability in Windows operating systems to target individuals. Following this, Microsoft had sent patches in its update in March itself to counter this particular form of threats,” Udhav told TNM.

Udhav said WannaCry is one of the viruses which exploits this vulnerability adding,"No operating system is completely secure be it Windows, Mac or Linux or others, but there are certain OSs that are more susceptible to such attacks due to their popular usage and subsequent research carried on them. Once such attacks come out in the public domain and they usually get patched by the maintainers of the OS."

“In my personal experience, I have come across that most of the ATMs run on customised versions/ embeds of Windows XP or better Windows 7 which came out in 2001 and 2009 respectively. The support period for XP has already lapsed which means that it is more susceptible to malicious attacks than patched versions of other OSs,” Udhav said.

"However, Microsoft made an exception for this current threat and issued patches just for this,” added Udhav, noting if the patches were not installed they remain open to the WannaCry threat.

He also says that as there is no central repository to know what operating system many ATMs run, it would be hard to get the number of machines which are prone to this particular attack.

The cyber security expert draws parallels with the data security breaches last September and October, where a malware attack forced Indian banks to replace or request users to change the security codes of 3.2 million debit cards.

Udhav explained, “The malware had propagated in a very similar manner, they propagated via the internal networks of the bank because of a vulnerability of the ATM machines and then started recording details stored in the magnetic strips of the card."

Apart from invading some systems in departments of some state government in India, WannaCry has penetrated high profile systems across the globe including UK’s health services, Germany’s railway.

For more details visit https://cis-india.org/internet-governance/news/newsminute-may-16-2017-soumya-chatterjee-wannacry-atms-not-to-shut-down-clarifies-rbi

Vodafone Report Explains Government Access to Customer Data

joe — 2014-06-19T10:38:01Z

Vodafone Group PLC, the world’s second largest mobile carrier, released a report on Friday, June 6 2014 disclosing to what extent governments can request their customers’ data.

The Law Enforcement Disclosure Report, a section of a larger annual Sustainability Report began by asserting that Vodafone "customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws."

However, the report continues, Vodafone is incapable of fully protecting its customers right to privacy, because it is bound by the laws in the various countries in which it operates. "If we do not comply with a lawful demand for assistance, governments can remove our license to operate, preventing us from providing services to our customers," The report goes into detail about the laws in each of the 29 nations where the company operates.

Vodafone’s report is one of the first published by a multinational service provider. Compiling such a report was especially difficult, according to the report, for a few reasons. Because no comparable report had been published before, Vodafone had to figure out for themselves, the “complex task” of what information they could legally publish in each country. This difficulty was compounded by the fact that Vodafone operates physical infrastructure and thus sets up a business in each of the countries where it provides services. This means that Vodafone is subject to the laws and operating licenses of each nation where it operates, unlike as a search engine such as Google, which can provide services across international borders but still be subject to United States law – where it is incorporated.

The report is an important step forward for consumer privacy. First, the Report shows that the company is aware of the conflict of interest between government authorities and its customers, and the pivotal position that the company can play in honoring the privacy of its users by providing information regarding the same in all cases where it legally can. Additionally, providing the user insight into challenges that the company faces when addressing and responding to law enforcement requests, the Report provides a brief overview of the legal qualifications that must be met in each country to access customer data. Also, Vodafone’s report has encouraged other telecom companies to disclose similar information to the public. For instance, Deutsche Telekom AG, a large European and American telecommunications company, said Vodafone’s report had led it consider releasing a report of it’s own.

Direct Government Access

The report revealed that six countries had constructed secret wires or “pipes” which allowed them access to customers’ private data. This means that the governments of these six countries have immediate access to Vodafone’s network without any due process, oversight, or accountability for these opaque practices. Essentially, the report reveals, in order to operate in one of these jurisdictions, a communications company must ensure that authorities have, real time and direct access to all personal customer data at any time, without any specific justification. The report does not name these six nations for legal reasons.

"These pipes exist, the direct access model exists,” Vodafone's group privacy officer, Stephen Deadman, told the Guardian. “We are making a call to end direct access as a means of government agencies obtaining people's communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used."

Data Organization

Vodafone’s Report lists the aggregate number of content requests they received in each country where it operates, and groups these requests into two major categories. The first is Lawful Interceptions, which is when the government directly listens in or reads the content of a communication. In the past, this type of action has been called wiretapping, but now includes reading the content of text messages, emails, and other communications.

The second data point Vodafone provides for each country is the number of Communications Data requests they receive from each country. These are requests for the metadata associated with customer communications, such as the numbers they have been texting and the time stamps on all of their texts and calls.

It is worth noting that all of the numbers Vodafone reports are warrant statistics rather than target statistics. Vodafone, according to the report, has chosen to include the number of times a government sent a request to Vodafone to "intrude into the private affairs of its citizens, not the extent to which those warranted activities then range across an ever-expanding multiplicity of devices, accounts and apps."

Data Construction

However, in many cases, laws in the various companies in which Vodafone operates prohibit Vodafone from publishing all or part of the aforementioned data. In fact, this is the rule rather than the exception. The majority of countries, including India, prohibit Vodafone from releasing the number of data requests they receive. Other countries publish the numbers themselves, so Vodafone has chosen not to reprint their statistics either. This is because Vodafone wants to encourage governments to take responsibility for informing their citizens of the statistics themselves.

The report also makes note of the process Vodafone went through to determine the legality of publishing these statistics. It was not always straightforward. For example, in Germany, when Vodafone’s legal team went to examine the legislation governing whether or not they could publish statistics on government data requests, they concluded that the laws were unclear, and asked German authorities for advice on how to proceed. They were informed that publishing any such statistics would be illegal, so they did not include any German numbers in their report. However, since that time, other local carriers have released similar statistics, and thus the situation remains unresolved.

Other companies have also recently released reports. Twitter, a microblogging website, Facebook, a social networking website, and Google a search engine with social network capabilities have all released comparable reports, but their reports differ from Vodafone’s in a number of ways. While Twitter, Google, and Facebook all specified the percent of requests granted, Vodafone released no similar statistics. However, Vodafone prepared discussions of the various legal constraints that each country imposed on telecom companies, giving readers an understanding of what was required in each country for authorities to access their data, a component that was left out of other recent reports. Once again, Vodafone’s report differed from those of Google Facebook and Twitter because while Vodafone opens businesses in each of the countries where it operates and is subject to their laws, Google, Facebook, and Twitter are all Internet companies and so are only governed by United States law.

Google disclosed that it received 27,427 requests over a six-month period ending in December, 2013, and also noted that the number of requests has increased consistently each six-month period since data began being compiled in 2009, when fewer than half as many requests were being made. On the other hand Google said that the percentage of requests it complied with (64% over the most recent period) had declined significantly since 2010, when it complied with 76% of requests.

Google went into less detail when explaining the process non-American authorities had to go through to access data, but did note that a Mutual Legal Assistance Treaty was the primary way governments outside of the United States could force the release of user data. Such a treaty is an agreement between the United States and another government to help each other with legal proceedings. However, the report indicated that Google might disclose user information in situations when they were not legally compelled to, and did not go into detail about how or when it did that. Thus, given the difficulty of obtaining a Mutual Legal Assistance Treaty in addition to local warrants or subpoenas, it seems likely that Google complies with many more non-American data requests than it was legally forced to.

Facebook has only released two such reports so far, for the two six month periods in 2013, but they too indicated an increasing number of requests, from roughly 26,000 to 28,147. Facebook plans to continue issuing reports every six months.

Twitter has also seen an increase of 22% in government requests between this and the previous reporting period, six months ago. Twitter attributes this increase in requests to an increase in users internationally, and it does seem that the website has a similarly growing user base, according to charts released by Twitter. It is worth noting that while large nations such as the United States and India are responsible for the majority of government requests, smaller nations such as Bulgaria and Ecuador also order telecom and Internet companies to turn over data.

Vodaphone’s Statistics

Though Vodafone’s report didn’t print statistics for the majority of the countries the report covered, looking at the few numbers they did publish can shed some light on the behavior of governments in countries where publishing such statistics is illegal. For the countries where Vodafone does release data, the numbers of government requests for Vodafone data were much higher than for Google data. For instance, Italy requested Vodafone data 605,601 times, while requesting Google data only 896 times. This suggests that other countries such as India could be looking at many more customers’ data through telecom companies like Vodafone than Internet companies like Google.

Vodafone stressed that they were not the only telecom company that was being forced to share customers’ data, sometimes without warrants. In fact, such access was the norm in countries where authorities demanded it.

India and the Reports

India is one of the most proliferate requesters of data, second only to the United States in number of requests for data from Facebook and fourth after the United States, France and Germany in number of requests for data from Google. In the most recent six-month period, India requested data from Google 2,513 times, Facebook 3,598 times, and Twitter 19 times. The percentage of requests granted varies widely from country. For example, while Facebook complies with 79% of United States authorities’ requests, it only grants 50% of India’s requests. Google responds to 83% of US requests but only 66% of India’s.

Facebook also provides data on the number of content restrictions each country requests. A content restriction request is where an authority asks Facebook to take down a particular status, photo, video, or other web content and no longer display it on their site. India, with 4,765 requests, is the country that most often asks Facebook to remove content.

While Vodafone’s report publishes no statistics on Indian data requests, because such disclosure would be illegal, it does discuss the legal considerations they are faced with. In India, the report explains, several laws govern Internet communications. The Information Technology Act (ITA) of 2000 is the parent legislation governing information technology in India. The ITA allows certain members of Indian national or state governments order an interception of a phone call or other communication in real time, for a number of reasons. According to the report, an interception can be ordered “if the official in question believes that it is necessary to do so in the: (a) interest of sovereignty and integrity of India; (b) the security of the State; (c) friendly relations with foreign states; (d) public order; or (e) the prevention of incitement of offences.” In short, it is fairly easy for a high-ranking official to order a wiretapping in India.

The report goes on to detail Indian authorities’ abilities to request other customer data beyond a lawful interception. The Code of Criminal Procedure allows a court or police officer to ask Vodafone and other telecom companies to produce “any document or other thing” that the officer believes is necessary for any investigation. The ITA extends this ability to any information stored in any computer, and requires service providers to extend their full assistance to the government. Thus, it is not only legally simple to order a wiretapping in India; it is also very easy for authorities to obtain customer web or communication data at any time.

It is clear that Indian laws governing communication have very little protections in place for consumer privacy. However, many in India hope to change this reality. The Group of Experts chaired by Justice AP Shah, the Department of Personnel and Training, along with other concerned groups have been working towards the drafting of a privacy legislation for India. According to the Report of the Group of Experts on Privacy, the legislation would fix the 50 or so privacy laws in India that are outdated and unable to protect citizen’s privacy when they use modern technology.

On the other hand, the Indian government is moving forward with a number of plans to further infringe the privacy of civilians. For example, the Central Monitoring System, a clandestine electronic surveillance program, gives India’s security agencies and income tax officials direct access to communications data in the country. The program began in 2007 and was announced publicly in 2009 to little fanfare and muted public debate. The system became operational in 2013.

Conclusion

Vodafone’s report indicates that it is concerned about protecting its customer’s privacy, and Vodafone’s disclosure report is an important step forward for consumer web and communication privacy. The report stresses that company practice and government policy need to come together to protect citizen’s privacy and –businesses cannot do it alone. However, the report reveals what companies can do to effect privacy reform. By challenging authorities abilities to access customer data, as well as publishing information about these powers, they bring the issue to the government’s attention and open it up to public debate. Through Vodafone’s report, the public can see why their governments are making surveillance decisions. Yet, in India, there is still little adoption of transparent business practices such as these. Perhaps if more companies were transparent about the level of government surveillance their customers were being subjected to, their practices and policies for responding to requests from law enforcement, and the laws and regulations that they are subject to - the public would press the government for stronger privacy safeguards and protections.

For more details visit https://cis-india.org/internet-governance/blog/vodafone-report-explains-govt-access-to-customer-data

VII NLSIR Symposium

praskrishna — 2014-01-09T07:08:33Z

The National Law School of India Review (NLSIR) - the flagship journal of the National Law School of India University (NLSIU), Bangalore is pleased to announce the seventh NLSIR Symposium on “Bridging the Security-Liberty Divide” scheduled to be held on December 21 and December 22, 2013 at the National Assessment and Accreditation Council (NAAC, opposite NLSIU Campus, Nagarhavi) Conference Hall, Bangalore.

This was published by NLSIR on December 20, 2013.

The decade following September 11 has been dubbed “liberty’s lost decade”, not just for the United States of America but for the world at large, marked by increasing tension between State interests in national security and individual liberty. As we continue to grapple with the implications of this clash, one clear winner seems to be emerging, best observed by examining changes in legal systems throughout this decade. The recent upsurge of criticism against NSA activity globally, however, could be seen as indicative of a changing trend. The VIIth NLSIR Symposium seeks to trace this dialogue between competing notions of security and liberty, and hopes to assess and analyse similar developments in India Confirmed speakers for the symposium include renowned legal experts such as Hon’ble Justice Muralidhar, Menaka Guruswamy, Mrinal Satish, Bharat Karnad, Aparna Chandra, Chinmayi Arun, Shyam Diwan, Bhairav Acharya, Roshni, Yug Mohit Chaudhary and Saikat Datta.

This year, the discussions will be divided into four panels:

Session I: Securing Liberty from the State - Redefining Criminal Thresholds in Law
(Forenoon, December 21, 2013, Saturday)

Session II: Intrusive Intelligence - Surveillance Programs and Privacy in India
(Afternoon, December 21, 2013, Saturday)

Session III: Beyond Borders - Extradition, Asylum and Concerns of State Security
(Forenoon, December 22, 2013, Sunday)

Session IV: Connecting the Dots
(Afternoon, December 22, 2013, Sunday)

For more details visit https://cis-india.org/news/nlsir-december-21-2013-nlsir-symposium

Views | Why the Left may for once be right

praskrishna — 2012-04-25T11:48:50Z

The article by Pramit Bhattacharya was published in LiveMint on April 23, 2012.

India’s information technology (IT) minister, Kapil Sibal appears to be running into rough weather over IT rules framed last year, which curb freedom of expression on the internet. The rules have incensed India’s growing blogging community and piqued at least a few of his fellow parliamentarians.

On the opening day of the upcoming parliamentary session on Tuesday, the Rajya Sabha is set to vote on an annulment motion against the IT rules, moved by P. Rajeeve of the Communist Party of India (Marxist), a rediff.com report said. Ironically, the party that still treats Stalin as a hero (quoting him unfailingly in its political resolutions) has become the first to stand up for internet freedom.
Rajeeve is of course not the only parliamentarian to take exception to the rules. Jayant Choudhry, a member of parliament (MP) from the Rashtriya Lok Dal, was the first to draw attention to the draconian rules late last year, and MPs from other regional parties such as the Samajwadi Party and the Asom Gana Parishad criticized the rules in a parliamentary discussion in December.

Two sets of rules, one governing cyber cafes and the other relating to intermediaries have attracted most criticism. The rules relating to intermediaries such as internet service providers, search engines or interactive websites such as Twitter and Facebook are the most disturbing. Intermediaries are required under the current rules to remove content that anyone objects to, within 36 hours of receiving the complaint, without allowing content creators any scope of defence.

The criteria for deciding objectionable content, laid down in the rules, are subjective and vague. For instance, intermediaries are mandated to remove among other things, ‘grossly harmful’ content, whatever that may mean.

This is a unique form of ‘private censorship’ that will endanger almost all online content. In this age of easily offended sensibilities, it is virtually impossible to write anything that does not “offend” anyone. For instance, even this piece may be termed ‘grossly harmful’ to the CPI(M) party.

However far-fetched this may sound, this has already become a reality. A researcher working with the Bangalore-based Centre for Internet and Society (CIS) tried out such a strategy with several different intermediaries, and was successful in six out of seven times, always with frivolous and flawed complaints, Pranesh Prakash of CIS wrote in a January blog-post. It has become much easier in India to ban an e-book than a book, Prakash pointed out.

The rules regulating cyber cafes are no better. Cyber cafes are required to keep a log detailing the identity of users and their internet usage, which has negative implications for privacy and personal safety of users, analysis of the rules by PRS legislative research said.

Internet freedom in India has declined over time and is only ‘partly free’, a 2011 report on internet freedom by US-based think tank, Freedom House said. India has joined a growing club of developing nations where, “internet freedom is increasingly undermined by legal harassment, opaque censorship procedures, or expanding surveillance,” the report noted.

The only saving grace is that some of the IT rules are drafted in a language so arcane that anyone will find it hard to decipher them, leave alone implementing them. Sample this: “The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to perform thereby circumventing any law for the time being in force: provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.”

The first task at hand for Sibal may be to explain to fellow lawmakers what the above rule is supposed to mean, before he defends such rules.

Click for the original, Pranesh Prakash is quoted in this article.

For more details visit https://cis-india.org/news/left-may-for-once-be-right