Centre for Internet and Society

Indian politicians yet to tap voters online: CIS’s Abraham

praskrishna — 2013-10-23T05:31:34Z

Sunil Abraham talks about the role online media will play in forthcoming elections and the behaviour of online readers of news.

The interview (taken by Venkatesh Upadhyay) was published in Livemint on October 22, 2013.

Sunil Abraham, 40, is executive director of the Centre for Internet and Society, a not-for-profit research organization that works on issues related to freedom of expression and privacy. Abraham was in New Delhi to speak on the impact of media, social media and technology on governance and democracy, organized by the Observer Research Foundation together with the Rosa Luxemburg Stiftung. On the sidelines of the conference, he talked about the role that online media will play in forthcoming elections as well the behaviour of online readers of news.

Edited excerpts from the interview:

How important will digital media be for the forthcoming elections?

I think the Internet in India is very different from, say, the one found in the US. So, our capacity to read from similar experience in their elections is limited. If you take the extensive exposure that the (Barack) Obama campaign had on the online space and the manner in which it supposedly helped the campaign, I don’t see that happening here.

Politicians and political parties very active on social media. You don’t think that will have an effect on elections?

I think the missing part of the equation till now is that there has not been any devising—to my knowledge—of targeting of voters through Facebook or Twitter. Our digital footprint leads to immense big-data opportunities, which I do not see politicians in India being able to exploit. Again, to give an example from the United States, there were certain instances there from where if you were member of a particular community, you could be targeted by political campaigns. Here, I don’t see that happening that easily.


Above: Sunil Abraham on the role of digital media in elections

So our politicians are wasting their time on social media?

Not entirely. In my view, one of the good things that the Internet does is that it has the capacity to democratize public opinion. One must also keep in mind that networks such as the ones available through social media are not homogenous. So nodes such as users who are opinion-makers and journalists are active on these networks, and so politicians can use these methods to reach out to more people.

Does the traditional media still have a role?
Of course. Traditional media is more likely to determine political outcomes in comparison to social media because most of the links that we see in social media are related to content that is created on traditional media. Now, of course, we can be sceptical of the role that traditional media plays in influencing the general mood of the country, but that is a different question.

Is there something peculiar about the manner in which readers interact with newspaper reports online?
I think one can usually see the comments section of some news sites littered with hurtful and hateful comments. So, some readers such as myself basically go through these comments to look at trolling and also sometimes for comic relief. But again, every news organization seems to be dealing with this differently. The Times of India, doesn’t, in my view, regulate its comments section. But one can see, say, in The Hindu, that readers’ comments are regulated and are usually very thoughtful.

Is there any particular reason why certain news readers respond the way they do?

Well, a part of the reason why people consuming news online comment and interact the way they do is that anonymity produces a level of freedom that allows people to be more brutal in their behaviour online.

At the same time, you can also see, in some instances, the chilling effects of surveillance, where people end up censuring their thoughts on issues. Of course, surveillance is not the answer. Societies need to deal with hateful threats on their own terms.

What will it take for politicians and public figures to get their message across, given the idiosyncrasies of the Indian digital media?
I think two components are crucial: trust and authenticity. For example, in the case of Wikipedia, there is an assumed amount of trust that the user has. The trust relationship between public figures who are active online and the public also is a two-way street. Politicians must also trust their common party members to use their social media presence as and when they want to. For example, why don’t they allow each and every member of the political party to man their Twitter handle for a day?

As for authenticity, the human mind can say whether an act by someone online is authentic or not.

Finally, what is your view on the role that larger Internet monopolies such as Facebook and Google are playing across the digital plane?

The Internet has also changed over the past 15 years. It used to be a decentralized network. Everybody was hopeful that it would have democratizing potential and, therefore, techno-utopianism was born. Now, it is increasingly clear that a small proportion of websites have 90% of the traffic and large corporations such as Google and Facebook play a significant role in configuring the attention economy. They are now also beginning to take this role very seriously themselves. In the case of Google, increasingly Google is using its power over the attention economy to play a role in the electoral process in India. They have been holding Google Hangouts and what they have been able to do is bring the public to the politicians.

Other concerns such as Facebook and Twitter through their walled-garden arrangements with telecom companies also play a similar role in configuring the attention economy. One is more innocuous—like the manner in which their algorithms are structured determining who shows up in their feeds.

For more details visit https://cis-india.org/news/livemint-venkatesh-upadhyay-october-22-2013-indian-politicians-yet-to-tap-voters-online

Indian PM Narendra Modi’s digital dream gets bad reception

praskrishna — 2015-09-29T15:23:04Z

As Indian Prime Minister Narendra Modi told Silicon Valley’s most powerful chief executives this week how his government “attacked poverty by using the power of networks and mobile phones’’, the entire population of the state of Kashmir remained offline — by order of the state.

The article by Amanda Hodge was published in the Australian on September 29, 2015. Sunil Abraham gave inputs.

“I see technology as a means to empower and as a tool that bridges the distance between hope and opportunity,” Mr Modi said yesterday on a trip in which he will also discuss development at the UN.

Earlier, in a “town hall” meeting with Facebook chief Mark Zuckerberg Mr Modi hailed the power of social media networks that gave governments the opportunity to correct themselves “every five minutes”, rather than every five years.

His remarks during his Digital India tour of the US west coast sparked a storm of Twitter protest.

The northern state’s former chief minister Omar Abdullah, who noted the “irony of listening to Prime Minister Modi lecturing about connected digital India, while we are totally disconnected”.

The ban on mobile and broadband internet in Jammu and Kashmir was imposed last Friday, the beginning of the Muslim holiday of Eid-ul-Zuha during which animals are slaughtered and the meat fed to the poor, for fear social media could inflame tensions over the state government’s decision to enforce a beef ban.

It was to have lasted 24 hours but — notwithstanding Twitter feedback — was extended twice as a “precautionary” measure.

As Mr Modi outlined his dreams of a broadband network connecting the country’s most remote communities, millions of New Delhi mobile phone users continued their daily wrestle with line dropouts.

“We are bringing technology, transparency, efficiency, ease and effectiveness in governance,” he said, as in New Delhi the government talked of pulling down more mobile towers.

Centre for Internet and Society director Sunil Abraham said yesterday: “Schizophrenia between rhetoric and reality (on digital policy) is the global standard for all world leaders.

“Politicians in opposition are invariably opposed to surveillance and in favour of free speech but the very day that politician assumes office even if it is someone as splendid as Barack Obama, they change their opinions on these topics and become pro-surveillance and pro-censorship.”

Certainly successive Indian governments have had a patchy record on such issues. Last March India’s activist Supreme Court struck down a controversial section of the Information Technology Act which made posting information of a “grossly offensive or menacing character” punishable by up to three years’ jail.

That month police in northern Uttar Pradesh arrested a teenager for a Facebook post, which they said “carried derogatory language against a community”.

Previous cases under the former Congress-led government include that of a university professor detained for posting a cartoon about the chief minister of West Bengal and the arrest of two young women over a Facebook post criticising the shutdown of Mumbai following the death of a Hindu right politician.

While Mr Modi’s government welcomed the Supreme Court ruling as a “landmark day for freedom of speech and expression”, last month it attempted to block 857 random porn sites.

Notwithstanding the gulf between Mr Modi’s digital dream rhetoric and the reality at home, his second US visit in 17 months has reaped dividends. Google has committed to a joint initiative to roll out free Wi-Fi to 500 railway stations across the country, and Qualcomm has pledged a $US150 million ($213m) tech startup fund.

But Mr Abraham warned of the potential for such investments to compromise net neutrality — the principle of allowing internet users access to all content and applications.

For more details visit https://cis-india.org/internet-governance/news/the-australian-amanda-hodge-september-29-2015-indian-pm-narendra-modi-digital-dream-gets-bad-reception

Indian net service providers too play censorship tricks

praskrishna — 2013-02-13T04:20:53Z

The study by a Canadian university has found that some major Indian ISPs have deployed web-censorship and filtering technology.

The article by T Ramachandran was published in the Hindu on February 9, 2013. Sunil Abraham is quoted.

Your internet service provider (ISP) could be blocking some content. A study conducted by a Canadian university has found that some major Indian ISPs have deployed web-censorship and filtering technology widely used in China and some West Asian countries.

The findings, published on January 15, were the result of a search for censorship software and hardware on public networks like those operated by ISPs.

A research team at Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, found a software-hardware combo package called PacketShaper being used in many parts of the world, including India.

The study identified the presence of four PacketShaper installations on the networks of three major ISPs in India during the period of study in late 2012. These ISPs had been earlier “implicated in filtering to some degree,” the report said.

The deployment of such traffic management technologies by ISPs could threaten privacy, freedom of expression and competition, said Sunil Abraham, Executive Director of the Bangalore-based NGO, Centre for Internet and Society.

He said tools like PacketShaper could be used by ISPs for two types of censorship —“to block entire websites or choke traffic on certain services or destinations in a highly granular fashion.”

The U.S.-based producers of the technology, Blue Coat Systems, are quite open about the product features on the company’s website. They say it could be used to control and weed out undesirable content. It could also be used to slow down or speed up the operation of programmes and content flow to achieve the goals set by the operators of the networks.

Transparency is the key

Technology experts said such products could be used to exercise legitimate control over the internet traffic and prioritise the use of bandwidth and resources, if used ethically.

“If done in a transparent manner that does not discriminate against different actors within a class it does benefit the collective interest of the ISP’s clients. However, it could also be used to engage in hidden censorship against legitimate speech and also for anti-competitive behaviour,” said Mr. Abraham.

The study focussed on countries where concerns exist over “compliance with international human rights law, legal due process, freedom of speech, surveillance, and censorship.”

For more details visit https://cis-india.org/news/the-hindu-feb-9-2013-t-ramachandran-indian-net-service-providers-too-play-censorship-tricks

Indian Intermediary Liability Regime

Admin — 2018-05-20T15:03:25Z

For more details visit https://cis-india.org/internet-governance/files/indian-intermediary-liability-regime

Indian government websites: Gold mine for cybercriminals

praskrishna — 2014-01-31T06:18:12Z

If you are a cybercriminal trying to commit identity theft or digitally impersonate a citizen, you have help from the unlikeliest of sources — the Government of India.

The article by Srutijith KK was published in the Times of India on January 3, 2014. Sunil Abraham is quoted.

Various government agencies have put vast amount of personal information online, often with little barrier to access and with hardly any provision to prevent their misuse.

Combine a few of these databases and you have a gold mine of information on India's citizens, including some of its wealthiest residents, whose bank accounts are of special interest to thieves. "If I want to target someone, I now have access to so much detail that shouldn't have been in public. Hackers with good social engineering skills will be able to call a call centre and impersonate a person. And from a stalking perspective, it has implications for not just celebrities, but anybody with a jilted lover, a political rival, and so on," said Binoo Thomas, a digital security expert at McAfee Labs.

For example, if somebody wants to get personal details of some of India's richest people, he would simply need to click on the LPG transparency links on Indane, Bharat Gas and HP portals and narrow the search to the South Mumbai region. Many gas agencies have their area of service in their names, such as Bandra Gas Agency or Colaba Gas Agency.

Select one of these gas agencies and you have a list of all the customers, with their consumer number, address and, in many cases, a mobile number. This database is also searchable by name. You can quickly search for any famous surname and be rewarded with a consumer number, residence address and in many cases, a mobile phone number.

A cursory search gave ET the mobile number and full residential address of the well-known matriarch of a famous business family. A search under the Bandra Gas Agency promptly showed the full residential address of a famous Bollywood actress. Your next stop could be the website of the Election Commission of India, which has asked all state Election Commissions to place the entire voter rolls online.

The voter roll also has the full residential address, age and gender of a person. A quick search on the MTNL Mumbai directory online will reveal the landline number for a person. With a little bit of luck and time to troll social networks such as Facebook and LinkedIn, a skilled cybercriminal can discern your date of birth and professional details.

Date of birth, phone number, alternate number and billing address are the details many telephone companies and banks use to determine whether a person calling its customer helpline is indeed who she says she is. This kind of information also allows a hacker to design effective phishing attacks, which lures a person into revealing information such as passwords or credit card numbers. An email that lists accurate personal information appears authoritative and has greater likelihood of being trusted by a recipient.

Thread of identity theft
This kind of crime has been on the rise. In December, US Department of Justice estimated that $24.7 billion were lost to identity theft in 2012, as 11.5 million Americans found themselves defrauded. Similar data is unavailable for India. "Privacy has become a matter of personal security. As the state has been pushed to function in a more transparent manner, authorities are making the details about us transparent instead! The data protection principles are well evolved all over the world.

All of these data controllers are in violation of every good principle. We don't need to wait for a law to observe these principles," said Usha Ramanathan, an independent law researcher specialising in privacy, surveillance and related issues. The ministry of rural development, which administers the Mahatma Gandhi National Rural Employment Guarantee Scheme, goes a step further, and places online the bank account numbers and IFSC codes for all its beneficiaries.

RTI requirements
The justification for publishing this kind of data online is typically section 4 of the RTI Act, which requires all government departments to proactively publish details of subsidy programmes, including details of the subsidy availed. However, section 8(1) of the same Act says that personal information that invades privacy of an individual need not be published unless an appellate authority decides that a larger public interest is served by it. It's unclear what public interest is served by the publication of full residential address, mobile number or bank accounts by various agencies.

In some cases, like the MNREGS and the voter rolls, sector-specific laws also apply. "Going by the provisions of the MGNREGA, which mandates proactive disclosures, we keep all processes in the public view... We have not perceived any threat in displaying bank account numbers of wage seekers, most of which have been opened for receiving wages," said R Subrahmanyam, the joint secretary at the ministry of rural development who heads the MNREGA division.

The petroleum ministry did not respond to an email requesting comment. In an emailed response, Chief Election Commissioner VS Sampath referred to Rule 33 of the Registration of Elector Rules, 1960, to establish that the voter roll was a public document. "Thus it can be seen that Electoral Roll is a public document which is available to the public for inspection. The Commission has, therefore, given instructions to put this public document on the website to facilitate inspection by public. When law stipulates that it is a public document, the public has a right to access it," he said. But no law states that anonymising techniques or relevant barriers to accessing private information should not be deployed.

Legal vacuum
India does not have an omnibus privacy law that overrides sector specific legislation. According to Sunil Abraham of the Bangalore-based thinktank Centre for Internet and Society, there are some 50 different laws that have a privacy element in India. The Department of Personnel and Training has been working on a draft privacy law for three years now.

"We need to think of this problem in the light of the privacy law that is being drafted. Traditionally and culturally our view of privacy has been different. A more explicit understanding of the privacy needs of the citizens is certainly welcome. Section 43A of the IT Act has provisions for data protection," said J Satyanarayana, secretary at the department of information technology.

But 43A applies only to corporations, and government agencies are not bound by it. Apart from the central government agencies, several state government agencies and schemes also collect and store personal information. But no standard protocol binds them in deciding who shall have access and who shall not.

For more details visit https://cis-india.org/news/the-times-of-india-january-3-2014-sruthijit-kk-indian-govt-websites-gold-mine-for-cybercriminals

Indian government to bar politicians from using Gmail for official business

praskrishna — 2013-09-05T09:52:17Z

US-based email services seen as too risky.

This article by Neil McAllister was published in the Register on August 30, 2013. Sunil Abraham is quoted.

The government of India is reportedly planning to bar its employees from using Gmail and other foreign-based email services, amid concerns over surveillance by US spy agencies.

"Gmail data of Indian users resides in other countries as the servers are located outside," J Satyanarayana, India's secretary of electronics and information technology, told the Times of India. "Currently, we are looking to address this in the government domain, where there are large amounts of critical data."

The Indian government currently employs some 500,000 people, many of whom use Gmail for their primary email addresses. A quick glance at the contact page for the country's Department of Electronics and Information Technology reveals at least eight senior officials using Gmail, and still others with Yahoo! addresses.

Under the new directive, government employees will be asked to stick to official email addresses provided by India's National Informatics Centre (NIC). But an unnamed senior government IT official told the Times of India that many government workers choose Gmail and other foreign services because they are easier to use, and setting up accounts is much faster than working within the bureaucratic process of the NIC.

The move toward locally run email for Indian government workers comes in the wake of a string of revelations from documents leaked by Edward Snowden. Among the recent disclosures has been details of US electronic surveillance of foreign governments on US soil, where the National Security Agency even went as far as to snoop encrypted communications from United Nations headquarters in New York City.

No doubt equally concerning was a motion filed by Google in a US district court earlier this month, in which the Chocolate Factory asserted that "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" such as Gmail.

But Sunil Abraham of the Bangalore-based think tank the Centre for Internet and Society said that foreign spying wasn't the only reason why government officials should be required to use a homegrown email.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives," Abraham told the paper. "Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

When contacted for comment, a spokeswoman for Google India said the company had not been informed of the proposed ban, adding, "Nothing is documented so far, so for us, it is still speculation." ®

For more details visit https://cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business

Indian Government says it is still drafting privacy law, but doesn’t give timelines

praskrishna — 2017-05-15T02:10:26Z

Read the original published by Medianama here

The Government is drafting a legislation to protect privacy of individuals breached through unlawful means in consultation with stakeholders, the minister for communications and information technology Ravi Shankar Prasad said in the Rajya Sabha. However, no timeline was provided, which is really the problem: Is the Indian government even interested in a privacy law?

In August last year, the Government of India had said in the Supreme Court of India that had said that “violation of privacy doesn’t mean anything because privacy is not a guaranteed right”, actually arguing that the citizens of India do not have a fundamental right to privacy.
In September last year, the DeitY had also sought to make encryption (and personal and business security) weaker via a draft policy on encryption, requiring all users to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable plain-text to Law and Enforcement Agencies if required. After a public outcry, the paper was withdrawn.
Last month, the DoT made it mandatory to have GPS on all phones by 2018.

We’re in a situation where the country doesn’t have a privacy law on one hand, and is setting up surveillance systems like the Centralized Monitoring System, NETRA, NATGRID (for collecting data from across databases), and linking citizens and databases across the unique identity number in Aadhaar on the other.

What happened to the old Privacy bill?

While India does not yet have a comprehensive privacy policy, back in 2014, the Centre for Internet and Society received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India had drafted. A comparison of the draft bill from 2014 and the draft privacy bill of 2011 can be found here.

As per Prasad, as of now, the Section 43, 43A and 72A of the IT Act of 2000 provide the legal framework for digital privacy and security, mandating that agencies collecting personal data must provide a privacy policy, and compensations must be paid to the victim in case of unauthorized access or leakage of information.

Questions asked in Rajya Sabha:

Whether Government intends to bring a specific legislation to address the concerns regarding privacy in the country, if so, the details thereof, if not, the reason therefore; and

Whether the legislation would provide for protection of ‘personal data’ along the lines of the European Union’s Data Protection Directive, if so, the details thereof, if not, the reasons therefor

EU Privacy Bill

Interestingly, the question posed to the minister asked if the legislation would provide for protection of personal data along the lines of European Union’s General Data Protection Directive (GDRP), which were approved just last month. EU’s directive defines “any information relating to an identified or identifiable natural person directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”, as personal data.

The GDRP has a pretty wide scope and is pretty consumer friendly. The laws require users to provide explicit consent for data collection, companies to report as soon as they have a data breach, and a ‘right to erasure’ that lets users request all personal data related to them to be deleted. It also imposes a significant fine of up to 4% of annual worldwide turnover of a company in the previous financial year, in case of non compliance. For a comprehensive overview of the policy read handbook on European data protection law (pdf).

Email privacy bill US

The US does not have a comprehensive digital privacy law like the EU and mostly relies on the the privacy act of 1974. However, recently the US House of Representatives unanimously passed the Email Privacy Act that would require investigators to get a warrant before forcing companies to hand over customer email or other electronic communications, no matter how old the communication.

For more details visit https://cis-india.org/internet-governance/news/medianama-vivek-pai-may-4-2017-indian-govt-says-it-is-still-drafting-privacy-law

Indian Government Quietly Brings In Its 'Central Monitoring System': Total Surveillance Of All Telecommunications

praskrishna — 2013-07-02T09:12:49Z

There's a worrying trend around the world for governments to extend online surveillance capabilities to encompass all citizens -- often justified with the usual excuse of combatting terrorism and/or child pornography.

The blog post was published in tech dirt on June 8, 2013. Pranesh Prakash is quoted.

The latest to join this unhappy club is India, which has put in place what sounds like a massively intrusive system, as this article from The Times of India makes clear:

The government last month quietly began rolling out a project that gives it access to everything that happens over India's telecommunications network -- online activities, phone calls, text messages and even social media conversations. Called the Central Monitoring System, it will be the single window from where government arms such as the National Investigation Agency or the tax authorities will be able to monitor every byte of communication.

This project has been under development for two years, but in almost total secrecy:

"In the absence of a strong privacy law that promotes transparency about surveillance and thus allows us to judge the utility of the surveillance, this kind of development is very worrisome," warned Pranesh Prakash, director of policy at the Centre for Internet and Society. "Further, this has been done with neither public nor parliamentary dialogue, making the government unaccountable to its citizens."

That combination of total surveillance and zero transparency is a dangerous one, providing the perfect tool for monitoring and controlling political and social dissent. If India wishes to maintain its claim to be "the world's largest democracy", its government would do well to introduce some safeguards against abuse of the new system, such as strong privacy laws, as well as engaging the Indian public in an open debate about what exactly such extraordinary surveillance powers might be used for.

For more details visit https://cis-india.org/news/tech-dirt-june-8-2013-indian-govt-quietly-brings-central-monitoring-system

India:Privacy in Peril

bhairav — 2013-09-25T09:56:22Z

The danger of mass surveillance in India is for real. The absence of a regulating law is damning for Indians who want to protect their privacy against the juggernaut of state and private surveillance.

The article was originally published in the Frontline on July 12, 2013.

At the concluding scene of his latest movie, Superman disdainfully flings a surveillance drone down to earth in front of a horrified general. “You can’t control me,” he tells his military minder. “You can’t find out where I hang up my cape.” This exchange goes to the crux of surveillance: control. Surveillance is the means by which nation-states exercise control over people. If the logical basis of the nation-state is the establishment and maintenance of homogeneity, it is necessary to detect and interdict dissent before it threatens the boundedness and continuity of the national imagination. This imagination often cannot encompass diversity, so it constructs categories of others that include dissenters and outsiders. Admittedly, this happens less in India because the foundation of the Indian nation-state imagined a diverse society expressing a plurality of ideas in a variety of languages secured by a syncretic and democratic government that protected individual freedoms. Unfortunately, this vision is still to be realised, and the foundational idea of India continues to be challenged by poor governance, poverty, insurgencies and rebellion. Consequently, surveillance is, for the modern nation-state, a condicio sine qua non—an essential element without which it will eventually cease to exist. The challenge for democratic nation-states is to find the optimal balance between surveillance and the duty to protect the freedoms of its citizens.

History of wiretaps

Some countries, such as the United States, have assembled a vast apparatus of surveillance to monitor the activities of their citizens and foreigners. Let us review the recent controversy revealed by the whistle-blower Edward Snowden. In 1967, the U.S. Supreme Court ruled in Katz vs United States that wiretaps had to be warranted, judicially sanctioned and supported by probable cause. This resulted in the passage of the Wiretap Act of 1968 that regulated domestic surveillance. Following revelations that Washington was engaging in unrestricted foreign surveillance in the context of the Vietnam war and anti-war protests, the U.S. Congress enacted the Foreign Intelligence Surveillance Act (FISA) in 1978. FISA gave the U.S. government the power to conduct, without judicial sanction, surveillance for foreign intelligence information; and, with judicial sanction from a secret FISA court, surveillance of anybody if the ultimate target was a foreign power. Paradoxically, even a U.S. citizen could be a foreign power in certain circumstances. Domestically, FISA enabled secret warrants for specific items of information such as library book borrowers and car rentals.

Following the 9/11 World Trade Centre attacks, Congress enacted the Patriot Act of 2001, Section 215 of which dramatically expanded the scope of FISA to allow secret warrants to conduct surveillance in respect of “any tangible thing” that was relevant to a national security investigation. In exercise of this power, a secret FISA court issued secret warrants ordering a number of U.S. companies to share, in real time, voice and data traffic with the National Security Agency (NSA). We may never know the full scope of the NSA’s surveillance, but we know this: (a) Verizon Communications, a telecommunications major, was ordered to provide metadata for all telephone calls within and without the U.S.; (b) the NSA runs a clandestine programme called PRISM that accesses Internet traffic, such as e-mails, web searches, forum comments and blogs, in real time; and (c) the NSA manages a comprehensive data analysis system called Boundless Informant that intercepts and analyses voice and data traffic around the world and subjects them to automated pattern recognition. The documents leaked by Snowden allege that Google, Facebook, Apple, Dropbox, Microsoft and Yahoo! participate in PRISM, but these companies have denied their involvement.

India fifth-most monitored

How does this affect India? The Snowden documents reveal that India is the NSA’s fifth-most monitored country after Iran, Pakistan, Jordan and Egypt. Interestingly, China is monitored less than India. Several billion pieces of data from India, such as e-mails and telephone metadata, were intercepted and monitored by the NSA. For Indians, it is not inconceivable that our e-mails, should they be sent using Gmail, Yahoo! Mail or Hotmail, or our documents, should we be subscribing to Dropbox, or our Facebook posts, are being accessed and read by the NSA. Incredibly, most Indian governmental communication, including that of Ministers and senior civil servants, use private U.S. e-mail services. We no longer enjoy privacy online. The question of suspicious activity, irrespective of the rubric under which suspicion is measured, is moot. Any use of U.S. service providers is potentially compromised since U.S. law permits intrusive dragnet surveillance against foreigners. This clearly reveals a dichotomy in U.S. constitutional law: the Fourth Amendment’s guarantees of privacy, repeatedly upheld by U.S. courts, protect U.S. citizens to a far greater extent than they do foreigners. It is natural for a nation-state to privilege the rights of its citizens over others. As Indians, therefore, we must clearly look out for ourselves.

Privacy and personal liberty

Unfortunately, India does not have a persuasive jurisprudence of privacy protection. In the Kharak Singh (1964) and Gobind (1975) cases, the Supreme Court of India considered the question of privacy from physical surveillance by the police in and around homes of suspects. In the latter case, the court found that some of the Fundamental Rights “could be described as contributing to the right to privacy”, which was subject to a compelling public interest. This insipid inference held the field until 1994 when, in the Rajagopal (“Auto Shankar”, 1994) case, the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty recognised by Article 21 of the Constitution. However, Rajagopal dealt specifically with the publication of an autobiography, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the People’s Union for Civil Liberties (PUCL) case. While finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards which continue to be routinely ignored. A more robust statement of the right to privacy was made by the Delhi High Court in the Naz Foundation case (2011) that decriminalised consensual homosexual acts; however, there is an appeal against the judgment in the Supreme Court.

Legislative silence

Judicial vagueness has been compounded by legislative silence. India does not have a law to operationalise a right to privacy. Consequently, a multitude of laws permit daily infractions of privacy. These infractions have survived because they are diverse, dissipated and quite disorganised. However, the technocratic impulse to centralise and consolidate surveillance and data collection has, in recent years, alarmed many citizens. The state hopes to, through enterprises such as the Central Monitoring System (CMS), the Crime and Criminals Tracking Network and System (CCTNS), the National Intelligence Grid (NATGRID), the Telephone Call Interception System (TCIS) and the Unique Identification Number (UID), replicate the U.S. successes in surveillance and monitoring and profiling all its citizens. However, unlike the U.S., India proposes to achieve this without an enabling law. Let us consider the CMS. No documents have been made available that indicate the scope and size of the CMS.

From a variety of police tenders for private equipment, it appears that the Central government hopes to put in place a system that will intercept, in real time, all voice and data traffic originating or terminating in India or being carried by Indian service providers. This data will be subject to pattern recognition and other automated tests to detect emotional markers, such as hate, compassion or intent. The sheer scale of this enterprise is intimidating; all communications in India’s many languages will be subject to interception and testing designed to detect different forms of dissent. This mammoth exercise in monitoring is taking place—it is understood that some components of the CMS are already operational—without statutory sanction. No credible authorities exist to supervise this exercise, no avenues for redress have been identified and no consequences have been laid down for abuse.

Statutory Surveillance

In a recent interview, Milind Deora, Minister of State for Communications and Information Technology, dismissed public scepticism of the CMS saying that direct state access to private communications was better for privacy since it reduced dependence on the interception abilities of private service providers. This circular argument is both disingenuous and incorrect. No doubt, trusting private persons with the power to intercept and store the private data of citizens is flawed. The leaking of the Niira Radia tapes, which contain the private communications of Niira Radia taped on the orders of the Income Tax Department, testifies to this flaw. However, bypassing private players to enable direct state access to private communications will preclude leaks and, thereby, remove from public knowledge the fact of surveillance. This messy situation may be obviated by a regime of statutory regulation of warranted surveillance by an independent and impartial authority. This system is favoured by liberal democracies around the world but conspicuously resisted by the Indian government.

The question of privacy legislation was recently considered by a committee chaired by Justice Ajit Prakash Shah, a former judge of the Delhi High Court who sat on the Bench that delivered the Naz Foundation judgment. The Shah Committee was constituted by the Planning Commission for a different reason: the need to protect personal data that are outsourced to India for processing. The lack of credible privacy law, it is foreseen, will result in European and other foreign personal data being sent to other attractive processing destinations, such as Vietnam, Israel or the Philippines, resulting in the decline of India’s outsourcing industry. However, the Shah Committee also noted the absence of law sufficient to protect against surveillance abuses. Most importantly, the Shah Committee formulated nine national privacy principles to inform any future privacy legislation (see story on page 26). In 2011, the Department of Personnel and Training (DoPT) of the Ministry of Human Resource Development, the same Ministry entrusted with implementing the Right to Information Act, 2005, leaked a draft privacy Bill, marked ‘Secret’, on the Internet. The DoPT Bill received substantive criticism from the Attorney General and some government Secretaries for the clumsy drafting. A new version of the DoPT Bill is reported to have been drafted and sent to the Ministry of Law for consideration. This revised Bill, which presumably contains chapters to regulate surveillance, including the interception of communications, has not been made public.

The need for privacy legislation cannot be overstated. The Snowden affair reveals the extent of possible state surveillance of private communications. For Indians who must now explore ways to protect their privacy against the juggernaut of state and private surveillance, the absence of regulatory law is damning. Permitting, through public inaction, unwarranted and non-targetted dragnet surveillance by the Indian state without reasonable cause would be an act of surrender of far-reaching implications.

Information, they say, is power. Allowing governments to exercise this power over us without thought for the rule of law constitutes the ultimate submission possible in a democratic nation-state. And, since superheroes are escapist fantasies, without the prospect of good laws we will all be subordinate to a new national imagination of control and monitoring, surveillance and profiling. If allowed to come to pass, this will be a betrayal of the foundational idea of India as a free and democratic republic tolerant of dissent.

Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.

For more details visit https://cis-india.org/internet-governance/blog/frontline-cover-story-july-12-2013-bhairav-acharya-privacy-in-peril

India’s Supreme Court hears challenge to biometric authentication system

praskrishna — 2017-05-20T06:44:02Z

Two lawsuits being heard this week before India’s Supreme Court question a requirement imposed by the government that individuals should quote a biometrics-based authentication number when filing their tax returns.

The post by John Riberio, IDG News Service was mirrored by IT World on May 3, 2017.

Civil rights groups have opposed the Aadhaar biometric system, which is based on centralized records of all ten fingerprints and iris scans, as their extensive use allegedly encroach on the privacy rights of Indians. “Aadhaar is surveillance technology masquerading as secure authentication technology,” said Sunil Abraham, executive director of Bangalore-based research organization, the Centre for Internet and Society.

The Indian government has in the meantime extended the use of Aadhaar, originally meant to identify beneficiaries of state schemes for the poor, to other areas such as filing of taxes, distribution of meals to school children and payment systems.

Hearings on the writ petitions, challenging the amendment to the Income Tax Act, are going on in Delhi before a Supreme Court bench consisting of Justices A.K. Sikri and Ashok Bhushan.

Tax payers are required to have the Aadhaar number in addition to their permanent account number (PAN), which they have previously used to file their tax returns. Their failure to produce the Aadhaar number would lead to invalidation of the PAN number, affecting people who are already required to quote this number for other transactions such as buying cars or opening bank accounts.

The stakes in this dispute are high. The petitioners have argued for Aadhaar being voluntary and question the manner in which the new amendment to the tax law has been introduced. The government has said both in court and in other public forums that it needs a reliable and mandatory biometric system to get around the issue of fake PAN numbers.

The lawyer for one of the plaintiffs, Shyam Divan, has argued for the individual’s absolute ownership of her body, citing Article 21 of the Indian Constitution, which protects a person from being “deprived of his life or personal liberty except according to procedure established by law.” The government has countered by saying that citizens do not have absolute rights over their bodies, citing the law against an individual committing suicide as an example.

The Supreme Court in another lawsuit looking into privacy issues and the constitutionality of the Aadhaar scheme had ruled in an interim order in 2015 that the biometric program had to be voluntary and could not be used to deprive the poor of benefits.

"The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen," the top court ruled.

The government holds that the Aadhaar Act, passed in Parliament last year, provides the legal backing for making the biometric identification compulsory.

The current lawsuits against Aadhaar have not been argued on grounds of privacy, reportedly because the court would not allow this line of argument, which is already being heard in the other case. The Supreme Court has made current petitioners “fight this battle with one arm tied behind their backs!,” wrote lawyer Gautam Bhatia in a blog post Wednesday.

For more details visit https://cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system

India’s post-truth society

swaraj — 2018-09-12T12:16:31Z

The proliferation of lies and manipulative content supplies an ever-willing state a pretext to step up surveillance.

The op-ed was published in Hindu Businessline on September 7, 2018.

After a set of rumours spread over WhatsApp triggered a series of lynchings across the country, the government recently took the interesting step of placing the responsibility for this violence on WhatsApp. This is especially noteworthy because the party in power, as well as many other political parties, have taken to campaigning over social media, including using WhatsApp groups in a major way to spread their agenda and propaganda.

After all, a simple tweet or message could be shared thousands of times and make its way across the country several times, before the next day’s newspaper is out. Nonetheless, while the use of social media has led to a lot of misinformation and deliberately polarising ‘news’, it has also helped contribute to remarkable acts of altruism and community, as seen during the recent Kerala floods.

While the government has taken a seemingly techno-determinist view by placing responsibility on WhatsApp, the duality of very visible uses of social media has led to others viewing WhatsApp and other internet platforms more as a tool, at the mercy of the user. However, as historian Melvin Kranzberg noted, “technology is neither good nor bad; nor is it neutral”. And while the role of political and private parties in spreading polarising views should be rigorously investigated, it is also true that these internet platforms are creating new and sometimes damaging structural changes to how our society functions. A few prominent issues are listed below:

Fragmentation of public sphere

Jurgen Habermas, noted sociologist, conceptualised the Public Sphere as being “a network for communicating information and points of view, where the streams of communication are, in the process, filtered and synthesised in such a way that they coalesce into bundles of topically specified public opinions”.

To a large extent, the traditional gatekeepers of information flow, such as radio, TV and mainstream newspapers, performed functions enabling a public sphere. For example, if a truth-claim about an issue of national relevance was to be made, it would need to get an editor’s approval.

In case there was a counter claim, that too would have to pass an editorial check. Today however, nearly anybody can become a publisher of information online, and if it catches the right ‘influencer’s attention, it could spread far wider and far quicker than it would’ve in traditional media. While this does have the huge positive of giving space to more diverse viewpoints, it also comes with two significant downsides.

First, that it gives a sense of ‘personal space’ to public speech. An ordinary person would think a few times, do some research, and perhaps practice a speech before giving it before 10,000 people. An ordinary person would also think for perhaps five seconds before putting out a tweet on the very same topic, despite now having a potentially global audience.

Second, by having messages sent directly to your hand-held device, rather than open for anyone to fact-check and counter, there is less transparency and accountability for those who send polarising material and misinformation. How can a mistaken and polarising view be countered, if one doesn’t even know it is being made? And if it can’t be countered, how can its spread by contained?

The attention market

Not only is that earlier conception of public sphere being fragmented, these new networked public spheres are also owned by giant corporations. This means that these public spheres where critical discourse is being shaped and spread, are actually governed by advertisement-financed global conglomerates. In a world of information overflow, and privately owned, ad-financed public spheres, the new unit of currency is attention.

It is in the direct interest of the Facebooks and Googles of the world, to capture user attention as long as possible, regardless of what type of activity that encourages. It goes without saying that neither the ‘mundane and ordinary’, nor the ‘nuanced and detailed’ capture people’s attention nearly as well as the sensational and exciting.

Nearly as addicting, studies show, are the headlines and viewpoints which confirm people’s biases. Fed by algorithms that understand the human desire to ‘fit in’, people are lowered into echo chambers where like-minded people find each other and continually validate each other. When people with extremist views are guided to each other by these algorithms, they not only gather validation, but also now use these platforms to confidently air their views — thus normalising what was earlier considered extreme. Needless to say, internet platforms are becoming richer in the process.

Censorship by obfuscation

Censorship in the attention economy, no longer requires blocking of views or interrupting the transmission of information. Rather, it is sufficient to drown out relevant information in an ocean of other information. Fact checking news sites face this problem. Regardless of how often they fact-check speeches by politicians, only a minuscule percentage of the original audience comes to know about, much less care about the corrections.

Additionally, repeated attacks (when baseless) on credibility of news sources causes confusion about which sources are trustworthy. In her extremely insightful book “Twitter and Tear Gas”, Prof Zeynep Tufekci rightly points out that rather than traditional censorship, powerful entities today, (often States) focus on overwhelming people with information, producing distractions, and deliberately causing confusion, fear and doubt. Facts, often don’t matter since the goal is not to be right, but to cause enough confusion and doubt to displace narratives that are problematic to these powers.

Viewpoints from members of groups that have been historically oppressed, are especially harangued. And those who are oppressed tend to have less time, energy and emotional resources to continuously deal with online harassment, especially when their identities are known and this harassment can very easily spill over to the physical world.

Conclusion

Habermas saw the ideal public sphere as one that is free of lies, distortions, manipulations and misinformation. Needless to say, this is a far cry from our reality today, with all of the above available in unhealthy doses. It will take tremendous effort to fix these issues, and it is certainly no longer sufficient for internet platforms to claim they are neutral messengers. Further, whether the systemic changes are understood or not, if they are not addressed, they will continue to create and expand fissures in society, giving the state valid cause for intervening through backdoors, surveillance, and censorship, all actions that states have historically been happy to do!

For more details visit https://cis-india.org/internet-governance/blog/hindu-businessline-swaraj-paul-barooah-september-7-2018-indias-post-truth-society

India’s parental control directive and the need to improve stalkerware detection

divyank — 2024-04-04T14:20:41Z

We analyse a child-monitoring app being developed by the Indian government and question whether it is an effective way to enact parental controls. We highlight how such monitoring apps are often repurposed for digital stalking and play a role in intimate partner violence. We also evaluate the protection provided by antivirus tools in detecting such stalkerware apps and describe how we collected technical evidence to help improve the detection of these apps.

This post was reviewed and edited by Amrita Sengupta.

Stalkerware is a form of surveillance targeted primarily at partners, employees and children in abusive relationships. These are software tools that enable abusers to spy on a person’s mobile device, allowing them to remotely access all data on the device, including calls, messages, photos, location history, browsing history, app data, and more. Stalkerware apps run hidden in the background without the knowledge or consent of the person being surveilled.[1] Such applications are easily available online and can be installed by anyone with little technical know-how and physical access to the device.

News reports indicate that the Ministry of Electronics and Information Technology (MeitY) is supporting the development of an app called “SafeNet”[2] that allows parents to monitor activity and set content filters on children’s devices. Following a directive from the Prime Minister’s office to “incorporate parental controls in data usage” by July 2024, the Internet Service Providers Association of India (ISPAI) has suggested that the app should come preloaded on mobile phones and personal computers sold in the country. The Department of Telecom is also asking schools to raise awareness about such parental control solutions.[3][4]

The beta version of the app is available for Android devices on the Google Play Store and advertises a range of functionalities including location access, monitoring website and app usage, call and SMS logs, screen time management and content filtering. The content filtering functionality warrants a separate analysis and this post will only focus on the surveillance capabilities of this app.

Applications like Safenet, that do not attempt to hide themselves and claim to operate with the knowledge of the person being surveilled, are sometimes referred to as “watchware”.[5] However, for all practical purposes, these apps are indistinguishable from stalkerware. They possess the same surveillance capabilities and can be deployed in the exact same ways. Such apps sometimes incorporate safeguards to notify users that their device is being monitored. These include persistent notifications on the device’s status bar or a visible app icon on the device’s home screen. However, such safeguards can be circumvented with little effort. The notifications can simply be turned off on some devices and there are third-party Android tools that allow app icons and notifications to be hidden from the device user, allowing watchware to be repurposed as stalkerware and operate secretly on a device. This leaves very little room for distinction between stalkerware and watchware apps.[6] In fact, the developers of stalkerware apps often advertise their tools as watchware, instructing users to only use them for legitimate purposes.

Even in cases where stalkerware applications are used in line with their stated purpose of monitoring minors’ internet usage, the effectiveness of a surveillance-centric approach is suspect. Our previous work on children’s privacy has questioned the treatment of all minors under the age of 18 as a homogenous group, arguing for a distinction between the internet usage of a 5-year-old child and a 17-year-old teenager. We argue that educating and empowering children to identify and report online harms is more effective than attempts to surveil them.[7][8] Most smartphones already come with options to enact parental controls on screen time and application usage[9][10], and the need for third-party applications with surveillance capabilities is not justified.

Studies and news reports show the increasing role of technology in intimate partner violence (IPV).[11][12] Interviews with IPV survivors and support professionals indicate an interplay of socio-technical factors, showing that abusers leverage the intimate nature of such relationships to gain access to accounts and devices to exert control over the victim. They also indicate the prevalence of “dual-use” apps such as child-monitoring and anti-theft apps that are repurposed by abusers to track victims.[13]

There is some data available that indicates the use of stalkerware apps in India. Kaspersky anti-virus’ annual State of Stalkerware reports consistently place India among the top 4 countries with the most number of infections detected by its product, with a few thousand infections reported each year between 2020 and 2023.[14][15][16[17] TechCrunch’s Spyware Lookup Tool, which compiles information from data leaks from more than nine stalkerware apps to notify victims, also identifies India as a hotspot for infections.[18] Avast, another antivirus provider, reported a 20% rise in the use of stalkerware apps during COVID-19 lockdowns.[19] The high rates of incidence of intimate partner violence in India, with the National Family Health Survey reporting that about a third of all married women aged 18–49 years have experienced spousal violence [20], also increases the risk of digitally-mediated abuse.

Survivors of digitally-mediated abuse often require specialised support in handling such cases to avoid alerting abusers and potential escalations. As part of our ongoing work on countering digital surveillance, we conducted an analysis of seven stalkerware applications, including two that are based in India, to understand and improve how survivors and support professionals can detect their presence on devices.

In some cases, where it is safe to operate the device, antivirus solutions can be of use. Antivirus tools can often identify the presence of stalkerware and watchware on a device, categorising them as a type of malware. We measured how effective various commercial antivirus solutions are at detecting stalkerware applications. Our results, which are detailed in the Appendix, indicate a reasonably good coverage, with six out of the seven apps being flagged as malicious by various antivirus solutions. We found that Safenet, the newest app on the list, was not detected by any antivirus. We also compared the detection results with a similar study conducted in 2019 [21] and found that some newer versions of previously known apps saw lower rates of detection. This indicates that antivirus solutions need to analyse new apps and newer versions of apps more frequently to improve coverage and understand how they are able to evade detection.

In cases where the device cannot be operated safely, support workers use specialised forensic tools such as the Mobile Verification Toolkit [22] and Tinycheck [23], which can be used to analyse devices without modifying them. We conducted malware analysis on the stalkerware apps to document the traces they leave on devices and submitted them to an online repository of indicators of compromise (IOCs).[24] These indicators are incorporated in detection tools used by experts to detect stalkerware infections.

Despite efforts to support survivors and stop the spread of stalkerware applications, the use of technology in abusive relationships continues to grow.[25] Making a surveillance tool like Safenet available for free, publicising it for widespread use, and potentially preloading it on mobile devices and personal computers sold in the country, is an ill-conceived way to enact parental controls and will lead to an increase in digitally-mediated abuse. The government should immediately take this application out of the public domain and work on developing alternate child protection policies that are not rooted in distrust and surveillance.

If you are affected by stalkerware there are some resources available here:
https://stopstalkerware.org/information-for-survivors/
https://stopstalkerware.org/resources/

Appendix

Our analysis covered two apps based in India, SafeNet and OneMonitar, and five other apps, Hoverwatch, TheTruthSpy, Cerberus, mSpy and FlexiSPY. All samples were directly obtained from the developer’s websites. The details of the samples are as follows:

Name

File name

Version

Date sample was obtained

SHA-1 Hash

SafeNet

Safenet_Child.apk

0.15

16th March, 2024

d97a19dc2212112353ebd84299d49ccfe8869454

OneMonitar

ss-kids.apk

5.1.9

19th March, 2024

519e68ab75cd77ffb95d905c2fe0447af0c05bb2

Hoverwatch

setup-p9a8.apk

7.4.360

5th March, 2024

50bae562553d990ce3c364dc1ecf44b44f6af633

TheTruthSpy

TheTruthSpy.apk

23.24

5th March, 2024

8867ac8e2bce3223323f38bd889e468be7740eab

Cerberus

Cerberus_disguised.apk

3.7.9

4th March, 2024

75ff89327503374358f8ea146cfa9054db09b7cb

mSpy

bt.apk

7.6.0.1

21st March, 2024

f01f8964242f328e0bb507508015a379dba84c07

FlexiSPY

5009_5.2.2_1361.apk

5.2.2

26th March, 2024

5092ece94efdc2f76857101fe9f47ac855fb7a34

We analysed the network activity of these apps to check what web servers they send their data to. With increasing popularity of Content Delivery Networks (CDNs) and cloud infrastructure, these results may not always give us an accurate idea about where these apps originate, but can sometimes offer useful information:

Name Domain IP Address[26] Country ASN Name and Number

SafeNet safenet.family 103.10.24.124 India Amrita Vishwa Vidyapeetham, AS58703

OneMonitar onemonitar.com 3.15.113.141 United States Amazon.com, Inc., AS16509

OneMonitar api.cp.onemonitar.com 3.23.25.254 United States Amazon.com, Inc., AS16509

Hoverwatch hoverwatch.com 104.236.73.120 United States DigitalOcean, LLC, AS14061

Hoverwatch a.syncvch.com 158.69.24.236 Canada OVH SAS, AS16276

TheTruthSpy thetruthspy.com 172.67.174.162 United States Cloudflare, Inc., AS13335

TheTruthSpy protocol-a946.thetruthspy.com 176.123.5.22 Moldova ALEXHOST SRL, AS200019

Cerberus cerberusapp.com 104.26.9.137 United States Cloudflare, Inc., AS13335

mSpy mspy.com 104.22.76.136 United States Cloudflare, Inc., AS13335

mSpy mobile-gw.thd.cc 104.26.4.141 United States Cloudflare, Inc., AS13335

FlexiSPY flexispy.com 104.26.9.173 United States Cloudflare, Inc., AS13335

FlexiSPY djp.bz 119.8.35.235 Hong Kong HUAWEI CLOUDS, AS136907

To understand whether commercial antivirus solutions are able to categorise stalkerware apps as malicious, we used a tool called VirusTotal, which aggregates checks from over 70 antivirus scanners.[27] We uploaded hashes (i.e. unique signatures) of each sample to VirusTotal and recorded the total number of detections by various antivirus solutions. We compared our results to a similar study by Citizen Lab in 2019 [28] that looked at a similar set of apps to identify changes in detection rates over time.

Product

VirusTotal Detections (March 2024)

VirusTotal Detections (January 2019) (By Citizen Lab)

SafeNet [29]

0/67 (0 %)

N/A

OneMonitar [30]

17/65 (26.1%)

N/A

Hoverwatch

24/58 (41.4%)

22/59 (37.3%)

TheTruthSpy

38/66 (57.6%)

0

Cerberus

8/62 (12.9%)

6/63 (9.5%)

mSpy

8/63 (12.7%)

20/63 (31.7%)

Flexispy [31]

18/66 (27.3%)

34/63 (54.0%)

We also checked if Google’s Play Protect service [32], a malware detection tool that is built-in to Android devices using Google’s Play Store. These results were also compared with similar checks performed by Citizen Lab in 2019.

Product

Detected by Play Protect (March 2024)

Detected by Play Protect (January 2019) (By Citizen Lab)

SafeNet

no

N/A

OneMonitar

yes

N/A

Hoverwatch

yes

yes

TheTruthSpy

yes

yes

Cerberus

yes

no

mSpy

yes

yes

Flexispy

yes

yes

Endnotes

1. Definition adapted from Coalition Against Stalkerware, https://stopstalkerware.org/

2. https://web.archive.org/web/20240316060649/https://safenet.family/

3. https://www.hindustantimes.com/india-news/itministry-tests-parental-control-app-progress-to-be-reviewed-today-101710702452265.html

4. https://www.hindustantimes.com/india-news/schools-must-raise-awareness-about-parental-control-in-internet-usage-says-dot-101710840561172.html

5. https://github.com/AssoEchap/stalkerware-indicators/blob/master/README.md

6. https://cybernews.com/privacy/difference-between-parenting-apps-and-stalkerware/

7. https://timesofindia.indiatimes.com/blogs/voices/shepherding-children-in-the-digital-age/

8. https://blog.avast.com/stalkerware-and-children-avast

9. https://safety.google/families/parental-supervision/

10. https://support.apple.com/en-in/105121

11. R. Chatterjee et al., "The Spyware Used in Intimate Partner Violence," 2018 IEEE Symposium on Security and Privacy (SP), 2018, pp. 441-458.

12. https://www.computerweekly.com/news/252492575/Use-of-abusive-stalkerware-against-women-skyrocketed-in-2020

13. D. Freed et al., "Digital technologies and intimate partner violence: A qualitative analysis with multiple stakeholders", PACM: Human-Computer Interaction: Computer-Supported Cooperative Work and Social Computing (CSCW), vol. 1, no. 2, 2017.

14. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/03/07160820/The-State-of-Stalkerware-in-2023.pdf

15. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/03/07152747/EN_The-State-of-Stalkerware_2022.pdf

16. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf

17. https://media.kasperskycontenthub.com/wp-content/uploads/sites/100/2020/03/25175212/EN_The-State-of-Stalkerware-2020.pdf

18. https://techcrunch.com/pages/thetruthspy-investigation/

19. https://www.thenewsminute.com/atom/avast-finds-20-rise-use-spying-and-stalkerware-apps-india-during-lockdown-129155

20. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10071919/

21. https://citizenlab.ca/docs/stalkerware-holistic.pdf

22. https://docs.mvt.re/en/latest/

23. https://tiny-check.com/

24. https://github.com/AssoEchap/stalkerware-indicators/pull/125

25. https://stopstalkerware.org/2023/05/15/report-shows-stalkerware-is-not-declining/

26. IP information provided by https://ipinfo.io/

27. https://docs.virustotal.com/docs/how-it-works

28. https://citizenlab.ca/docs/stalkerware-holistic.pdf

29. Sample was not known to VirusTotal, it was uploaded at the time of analysis

30. Sample was not known to VirusTotal, it was uploaded at the time of analysis

31. Sample was not known to VirusTotal, it was uploaded at the time of analysis

32. https://developers.google.com/android/play-protect

For more details visit https://cis-india.org/internet-governance/blog/india2019s-parental-control-directive-and-the-need-to-improve-stalkerware-detection

India’s National ID Program May Be Turning The Country Into A Surveillance State

praskrishna — 2017-04-07T12:49:30Z

For seven years, India’s government has been scanning the irises and fingerprints of its citizens into a massive database. The once voluntary program was intended to fix the country’s corrupt welfare schemes, but critics worry about its Orwellian overtones.

The blog post by Pranav Dixit was published by BuzzFeedNews on April 4, 2017. Sunil Abraham was quoted.

An abridged version of the blog post containing Sunil Abraham's quotes are reproduced below:

“You can’t change your fingerprints”

Sunil Abraham, the CIS director, calls himself a “technological critic” of the Aadhaar platform. For years, he’s been warning of the security risks associated with a centralized repository of the demographic and biometric details of a billion or so people.

“Aadhaar is a sitting duck,” Abraham told BuzzFeed News. That’s not an unreasonable assessment considering that India’s track record for protecting people’s private data is far from stellar. Earlier this year, for example, a security researcher discovered a website that was leaking the Aadhaar demographic data of more than 500,000 minors. The website was subsequently shut down, but the incident raised questions about Aadhaar’s security protocols — particularly those around data shared with third parties.

Abraham’s concerns are not without global precedent. In 2012, Ecuadorian police jailed blogger Paul Moreno for breaking into the country’s online national identity database and registering himself as Ecuadorian President Rafael Correa. In April 2016, hackers posted a database containing names, national IDs, addresses, and birth dates of more than 50 million Turkish citizens, including Turkish President Recep Tayyip Erdogan; later that month, Mexico’s entire voter database — over 87 million national IDs, addresses, and more — was leaked onto Amazon’s cloud servers by as-yet-untraced sources; and in the Philippines, more than 55 million voters had their private information — including fingerprints — released on the Dark Web.

“When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data.”

“What is the price that we pay as a nation if our database of over a billion people — complete with all 10 fingerprints and iris scans — leaks?” Abraham asked. The consequences, he said, will be permanent. Unlike a password, which you can reset at any time, your biometrics, if compromised, are the ultimate privacy breach. “You can’t change your fingerprints.”

The UIDAI claims that the Aadhaar database is protected using the “highest available public key cryptography encryption (PKI-2048 and AES-256)” and would take “billions of years” to crack.

“Encryption like this doesn’t typically get broken, it gets circumvented,” security researcher Troy Hunt told BuzzFeed News. “For example, the web application that sits in front of it is compromised and data is retrieved after decryption.” Or alternatively, he said, the encryption key itself is compromised. “Naturally, governments will offer all sorts of assurances on these things, but the simple, immutable fact is that once large volumes are centralized like this, there is a heightened risk of security incidents and of the data consequently being lost or exposed,” he added.

Cryptographer and cybersecurity expert Bruce Schneier echoed Hunt’s assessment. “When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data,” he said. “They will go around the encryption.”

Nilekani — who did not respond to BuzzFeed News’ requests for comment — recently dismissed concerns around the project’s privacy implications as “hand-waving.” In an interview with the Economic Times, he repeatedly stressed how secure Aadhaar’s “advanced encryption technology” was. “I can categorically say that it’s the most secure system in India and among the most secure systems in the world,” he said.

Abraham is unconvinced by such assurances. He believes Aadhaar fundamentally changes the equation between a citizen and a state. “There’s a big difference between you identifying yourself to the government, and the government identifying who you are,” he said.

Aadhaar’s opponents say the program’s implementation has left India’s poorest people with no choice but to use it. “If you link people’s food subsidies, wages, bank accounts, and other crucial things to Aadhaar, you hit them where it hurts the most,” Ramanathan argued. “You leave them with no choice but to sign up.”

“Can you imagine if the United States passed a law that said that every person who wished to get food stamps would need their fingerprints registered in a government-owned database?” a journalist turned Aadhaar activist who did not wished to be named told BuzzFeed News. “Imagine what a scandal that would be.”

For Nilekani, such criticism is just overstatement and drama. “I think this so-called anti-Aadhaar lobby is really just a small bunch of liberal elites who are in some echo chamber,” he said during a recent interview with Indian business news channel ET Now. “The reality is that a billion people are using Aadhaar. A lot of the accusations are just delusional. Aadhaar is not a system for surveillance. [The critics] live in a bubble and are not connected to reality.”

Abraham laughed off Nilekani’s comments. “The Unique Identification Authority of India will become the monopoly provider of identification and authentication services in India,” he said. “That sounds like a centrally planned communist state to me. I don’t know which left liberal elites he’s talking about.”

For more details visit https://cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state

India’s digital check

sunil — 2015-09-15T14:55:47Z

All nine pillars of Digital India directly correlate with policy research conducted at the Centre for Internet and Society, where I have worked for the last seven years. This allows our research outputs to speak directly to the priorities of the government when it comes to digital transformation.

The article was originally published by DNA on July 8, 2015.

Broadband Highways and Universal Access to Mobile Connectivity: The first two pillars have been combined in this paragraph because they both require spectrum policy and governance fixes. Shyam Ponappa, a distinguished fellow at our Centre calls for the leveraging of shared spectrum and also shared backhaul infrastructure. Plurality in spectrum management, for eg, unlicensed spectrum should be promoted for accelerating backhaul or last mile connectivity, and also for community or local government broadband efforts. Other ideas that have been considered by Ponappa include getting state owned telcos to exit completely from the last mile and only focus on running an open access backhaul through Bharat Broadband Limited. Network neutrality regulations are also required to mitigate free speech, diversity and competition harms as ISPs and TSPs innovate with business models such as zero-rating.

Public Internet Access Programme: Continuing investments into Common Service Centres (CSCs) for almost a decade may be questionable and therefore a citizen’s audit should be undertaken to determine how the programme may be redesigned. The reinventing of post offices is very welcome, however public libraries are also in need urgent reinventing. CSCs, post offices and public libraries should all leverage long range WiFi for Internet and intranet, empowering BYOD [Bring Your Own Device] users. Applications will take time to develop and therefore immediate emphasis should be on locally caching Indic language content. State Public Library Acts need to be amended to allow for borrowing of digital content. Flat-fee licensing regimes must be explored to increase access to knowledge and culture. Commons-based peer production efforts like Wikipedia and Wikisource need to be encouraged.

e-Governance: Reforming Government through Technology: DeitY, under the leadership of free software advocate Secretary RS Sharma, has accelerated adoption and implementation of policies supporting non-proprietary approaches to intellectual property in e-governance. Policies exist and are being implemented for free and open source software, open standards and electronic accessibility for the disabled. The proprietary software lobby headed by Microsoft and industry associations like NASSCOM have tried to undermine these policies but have failed so far.

The government should continue to resist such pressures. Universal adoption of electronic signatures within government so that there is a proper audit trail for all communications and transactions should be made an immediate priority. Adherence to globally accepted data protection principles such as minimisation via “form simplification and field reduction” for Digital India should be applauded. But on the other hand the mandatory requirement of Aadhaar for DigiLocker and eSign amounts to contempt of the Supreme Court order in this regard.

e-Kranti — Electronic Delivery of Services: The 41 mission mode projects listed are within the top-down planning paradigm with a high risk of failure — the funds reserved for these projects should instead be converted into incentives for those public, private and public private partnerships that accelerate adoption of e-governance. The dependency on the National Informatics Centre (NIC) for implementation of e-governance needs to be reduced, SMEs need to be able to participate in the development of e-governance applications. The funds allocated for this area to DeitY have also produced a draft bill for Electronic Services Delivery. This bill was supposed to give RTI-like teeth to e-governance service by requiring each government department and ministry to publish service level agreements [SLAs] for each of their services and prescribing punitive action for responsible institutions and individuals when there was no compliance with the SLAs.

Information for All: The open data community and the Right to Information movement in India are not happy with the rate of implementation of National Data Sharing and Accessibility Policy (NDSAP). Many of the datasets on the Open Data Portal are of low value to citizens and cannot be leveraged commercially by enterprise. Publication of high-value datasets needs to be expedited by amending the proactive disclosure section of the Right to Information Act 2005.

Electronics Manufacturing: Mobile patent wars have begun in India with seven big ticket cases filed at the Delhi High Court. Our Centre has written an open letter to the previous minister for HRD and the current PM requesting them to establish a device level patent pool with a compulsory license of 5%. Thereby replicating India’s success at becoming the pharmacy of the developing world and becoming the lead provider of generic medicines through enabling patent policy established in the 1970s. In a forthcoming paper with Prof Jorge Contreras, my colleague Rohini Lakshané will map around fifty thousand patents associated with mobile technologies. We estimate around a billion USD being collected in royalties for the rights-holders whilst eliminating legal uncertainties for manufacturers of mobile technologies.

IT for Jobs: Centralised, top-down, government run human resource development programmes are not useful. Instead the government needs to focus on curriculum reform and restructuring of the education system. Mandatory introduction of free and open source software will give Indian students the opportunity to learn by reading world-class software. They will then grow up to become computer scientists rather than computer operators. All projects at academic institutions should be contributions to existing free software projects — these projects could be global or national, for eg, a local government’s e-governance application. The budget allocated for this pillar should instead be used to incentivise research by giving micro-grants and prizes to those students who make key software contributions or publish in peer-reviewed academic journals or participate in competitions. This would be a more systemic approach to dealing with the skills and knowledge deficit amongst Indian software professionals.

Early Harvest Programmes: Many of the ideas here are very important. For example, secure email for government officials — if this was developed and deployed in a decentralised manner it would prevent future surveillance of the Indian government by the NSA. But a few of the other low-hanging fruit identified here don’t really contribute to governance. For example, biometric attendance for bureaucrats is just glorified bean-counting — it does not really contribute to more accountability, transparency or better governance.

The author works for the Centre for Internet and Society which receives funds from Wikimedia Foundation that has zero-rating alliances with telecom operators in many countries across the world

For more details visit https://cis-india.org/internet-governance/blog/dna-sunil-abraham-july-8-2015-india-digital-check

India’s Central Monitoring System: Security can’t come at cost of privacy

praskrishna — 2013-07-15T06:43:21Z

During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).

Danish Raza's article was published in FirstPost on July 10, 2013. Sunil Abraham is quoted.

The surveillance project, described as the Indian version of PRISM, will allow the government to monitor online and telephone data of citizens. prism-milind-deora-cms-central-monitoring-system/” target=”_blank”>

The minister tried to justify the project arguing that the union government will become the sole custodian of citizen’s data which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.

A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in public domain. It merely states that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”

One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record.

“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, Delhi based NGO working for online freedom of speech and related issues.

There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing.” said Kovacs.

Given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable. Almost in every nation, certain chunk of population is always under the scanner of intelligence agencies. However, mass-scale tracking the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those are actually criminals.”

Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”

Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?

“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”

Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”

For more details visit https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy

Name	Domain	IP Address[26]	Country	ASN Name and Number
SafeNet	safenet.family	103.10.24.124	India	Amrita Vishwa Vidyapeetham, AS58703
OneMonitar	onemonitar.com	3.15.113.141	United States	Amazon.com, Inc., AS16509
OneMonitar	api.cp.onemonitar.com	3.23.25.254	United States	Amazon.com, Inc., AS16509
Hoverwatch	hoverwatch.com	104.236.73.120	United States	DigitalOcean, LLC, AS14061
Hoverwatch	a.syncvch.com	158.69.24.236	Canada	OVH SAS, AS16276
TheTruthSpy	thetruthspy.com	172.67.174.162	United States	Cloudflare, Inc., AS13335
TheTruthSpy	protocol-a946.thetruthspy.com	176.123.5.22	Moldova	ALEXHOST SRL, AS200019
Cerberus	cerberusapp.com	104.26.9.137	United States	Cloudflare, Inc., AS13335
mSpy	mspy.com	104.22.76.136	United States	Cloudflare, Inc., AS13335
mSpy	mobile-gw.thd.cc	104.26.4.141	United States	Cloudflare, Inc., AS13335
FlexiSPY	flexispy.com	104.26.9.173	United States	Cloudflare, Inc., AS13335
FlexiSPY	djp.bz	119.8.35.235	Hong Kong	HUAWEI CLOUDS, AS136907

Product	VirusTotal Detections (March 2024)	VirusTotal Detections (January 2019) (By Citizen Lab)
SafeNet [29]	0/67 (0 %)	N/A
OneMonitar [30]	17/65 (26.1%)	N/A
Hoverwatch	24/58 (41.4%)	22/59 (37.3%)
TheTruthSpy	38/66 (57.6%)	0
Cerberus	8/62 (12.9%)	6/63 (9.5%)
mSpy	8/63 (12.7%)	20/63 (31.7%)
Flexispy [31]	18/66 (27.3%)	34/63 (54.0%)

Product	Detected by Play Protect (March 2024)	Detected by Play Protect (January 2019) (By Citizen Lab)
SafeNet	no	N/A
OneMonitar	yes	N/A
Hoverwatch	yes	yes
TheTruthSpy	yes	yes
Cerberus	yes	no
mSpy	yes	yes
Flexispy	yes	yes