Centre for Internet and Society

The State of Secure Messaging

divyank — 2020-07-17T08:12:15Z

A look at the protections provided by and threats posed to secure communication online.

This blogpost was edited by Gurshabad Grover and Amber Sinha.

The current benchmark for secure communication online is end-to-end encrypted messaging. It refers to a method of encryption wherein the contents of a message are only readable by the devices of the individuals, or endpoints, participating in the communication. All other Internet intermediaries such as internet service providers, internet exchange points, undersea cable operators, data centre operators, and even the messaging service providers themselves cannot read them. This is achieved through cryptographic mechanisms that allow independent devices to establish a shared secret key over an insecure communication channel, which they then use to encrypt and decrypt messages. Common examples of end-to-end encrypted messaging are applications like Signal and WhatsApp.

This post attempts to give at-risk individuals, concerned citizens, and civil society at large a more nuanced understanding of the protections provided and threats posed to the security and privacy of their communications online.

Threat Model

The first step to assessing security and privacy is to identify and understand actors and risks. End-to-end encrypted messaging applications consider the following threat model:

Device compromise: Can happen physically through loss or theft, or remotely. Access to an individual’s device could be gained through technical flaws or coercion (legal, or otherwise). It can be temporary or be made persistent by installing malware on the device.
Network monitoring and interference: Implies access to data in transit over a network. All Internet intermediaries have such access. They may either actively interfere with the communication or passively observe traffic.
Server compromise: Implies access to the web server hosting the application. This could be achieved through technical flaws, insider access such as an employee, or through coercion (legal, or otherwise).

End-to-end encrypted messaging aims to offer complete message confidentiality and integrity in the face of server and network compromise, and some protections against device compromise. These are detailed below.

Protections Provided

Secure messaging services guarantee certain properties. For mature services that have received adequate study from researchers, we can assume them to be sound, barring implementation flaws which are described later.

Confidentiality: The contents of a message are kept private and the ciphers used are practically unbreakable by adversaries.

Integrity: The contents of a message cannot be modified in transit.

Deniability: Aims to mimic unrecorded real-world conversations where an individual can deny having said something. Someone in possession of the chat transcript cannot cryptographically prove that an individual authored a particular message. While some applications feature such off-the-record messaging capabilities, the legal applicability of such mechanisms is debatable.

Forward and Future Secrecy: These properties aim to limit the effects of a temporary compromise of credentials on a device. Forward secrecy ensures messages collected over the network, which were sent before the compromise, cannot be decrypted. Future secrecy ensures messages sent post-compromise are protected. These mechanisms are easily circumvented in practice as past messages are usually stored on the device being compromised, and future messages can be obtained by gaining persistent access during compromise. These properties are meant to protect individuals aware of these limitations in exceptional situations such as a journalist crossing a border.

Shortcomings

While secure messaging services offer useful protections they also have some shortcomings. It is useful to understand these and their mitigations to minimise risk.

Metadata: Information about a communication such as who the participants are, when the messages are sent, where the participants are located, and what the size of a message is can offer important contextual information about a conversation. While some popular messaging services attempt to minimize metadata generation, metadata leakage, in general, is still considered an open problem because such information can be gleaned by network monitoring as well as from server compromise. Application policies around whether such data is stored and for how long it is retained can improve privacy. There are also experimental approaches that use techniques like onion routing to hide metadata.

Authentication: This is the process of asserting whether an individual sending or receiving a message is who they are thought to be. Current messaging services trust application servers and cell service providers for authentication, which means that they have the ability to replace and impersonate individuals in conversations. Messaging services offer advanced features to mitigate this risk, such as notifications when a participant’s identity changes, and manual verification of participants’ security keys through other communication channels (in-person, mail, etc.).

Availability: An individual’s access to a messaging service can be impeded. Intermediaries may delay or drop messages resulting in what is called a denial of service attack. While messaging services are quite resilient to such attacks, governments may censor or completely shut down Internet access.

Application-level gaps: Capabilities offered by services in addition to messaging, such as contact discovery, online status, and location sharing are often not covered by end-to-end encryption and may be stored by the application server. Application policies around how such information is gathered and retained affect privacy.

Implementation flaws and backdoors: Software or hardware flaws (accidental or intentional) on an individual’s device could be exploited to circumvent the protections provided by end-to-end encryption. For mature applications and platforms, accidental flaws are difficult and expensive to exploit, and as such are only accessible to Government or other powerful actors who typically use them to surveil individuals of interest (and not for mass surveillance). Intentional flaws or backdoors introduced by manufacturers may also be present. The only defence against these is security researchers who rely on manual inspection to examine software and network interactions to detect them.

Messaging Protocols and Standards

In the face of demands for exceptional access to encrypted communication from governments, and risks of mass surveillance from both governments and corporations, end-to-end encryption is important to enable secure and private communication online. The signal protocol, which is open and adopted by popular applications like WhatsApp and Signal, is considered a success story as it brought end-to-end encryption to over a billion users and has become a de-facto standard.

However, it is unilaterally developed and controlled by a single organisation. Messaging Layer Security (or MLS) is a working group within the Internet Engineering Task Force (IETF) that is attempting to standardise end-to-end encryption through participation of individuals from corporations, academia, and civil society. The draft protocol offers the standard security properties mentioned above, except for deniability which is still being considered. It incorporates novel research that allows it to scale efficiently for large groups up to thousands of participants, which is an improvement over the signal protocol. MLS aims to increase adoption further by creating open standards and implementations, similar to the Transport Layer Security (TLS) protocol used to encrypt much of the web today. There is also a need to look beyond end-to-end encryption to address its shortcomings, particularly around authentication and metadata leakage.

For more details visit https://cis-india.org/internet-governance/blog/the-state-of-secure-messaging

Privacy in the Age of the Pandemic

pranav — 2020-07-15T11:34:00Z

The Centre for Internet and Society, JKGA Law Chambers, and LawyersClubIndia invites you to the online panel discussion on ‘Privacy in the Age of the Pandemic.’

This event will happen on July 18 (Saturday), from 5:30pm to 7:00pm. The discussion will bring together an inter-disciplinary group of experts to unpack some of the core Privacy issues that will undoubtedly shape society, and future governance in the context of the Covid-19 pandemic.

Register for the event here.

As panelists, we have:
1) Arnab Kumar, who was instrumental in coming up with the Aarogya Setu app and has led policy initiatives from the front at NITI Aayog;
2) Vrinda Bhandari - well known for her advocacy and academic work in this domain;
3) Sahil Deo - who is helping stakeholders make more informed decisions in policy using data analysis;
4) Mira Swaminathan - a policy researcher with deep domain experience in the dangers of surveillance; and
5) Antaraa Vasudev, founder of Civis, an initiative enabling the layperson to understand the effects of policy changes on them!

The session will be moderated by Shweta Reddy, and Akshit Goyal.

For more details visit https://cis-india.org/internet-governance/events/privacy-in-the-age-of-the-pandemic

Engaging with the Covid-19 Crisis

pranav — 2020-07-15T09:31:51Z

In the last six months, COVID-19 has had a far-reaching impact on the world, including on the digital sphere, how people interact with it, and its mediation of social and economic exchanges. Researchers and practitioners at the Centre for Internet and Society (CIS) have responded to this dynamic landscape from different lenses.

WikiProject India COVID-19 Task Force

The Access to Knowledge team at CIS, along with the Wikidata editor community has been maintaining a reliable district and state-wise database of COVID-19 case statistics in India (link). If you are a Wikidata editor, please consider contributing or encouraging others to join this effort.

COVID-19 Apps

Based on publicly available information, Pallavi Bedi presents a comparative analysis of COVID-19 apps launched by different state governments in India, and examines their governing policies regarding privacy and data protection (link).
In light of the central-government’s release of the contact tracing app Aarogya Setu, Siddharth Sonkar’s report seeks to constructively engage with privacy concerns surrounding the app and its operations, and works towards making privacy safeguards governing its operability more consistent with international best practices (link).
Amber Sinha examines the false binary between privacy and surveillance created during a pandemic, and proposes a necessary and proportional method of contact tracing (link).
Aman Nair writes about the lack of oversight present in the Kerala government’s deal with Sprinklr Inc, the violations to the right to privacy, and how legislation that is currently being proposed would fail to prevent situations like this in the future (link).

Gig Economy and Labour Rights

With Tandem Research, CIS organized a webinar to interact with unions representing gig workers and researchers studying labour rights and gig work, to uncover the experiences of gig workers during the lockdown. Based on the discussion, a charter of recommendations was prepared with contributions from participants, and was shared with public and private stakeholders (link).
With support from three domestic workers’ unions, the Domestic Workers Rights Union, Bruhat Bangalore Gruhakarmika Sangha, and Manegelasa Kaarmikara Union, Geeta Menon put together a report that shines light on the plight of domestic workers in Bengaluru during the lockdowns, and now as the lockdown eases. It focuses on how government and administrative bodies, and resident welfare associations, have been culpable in further pushing domestic workers to the margins (link).
Aayush Rathi and Sreyan Chatterjee argue how the suspension of labour laws proposed (and enforced) by several states in India as a part of their COVID-19 impact response, have material and discursive impact on the future of work in India (link).
Ambika Tandon discusses the impact of Covid-19 on the gig economy in Asia, especially reflecting on the measures (or lack thereof) taken by companies to support workers (link).
Zothan Mawii, Aayush Rathi and Ambika Tandon spoke with the leaders of four workers' unions and labour researchers, including the Indian Federation of App-based Transport Workers (IFAT) and the Ola and Uber Drivers and Owners’ Association (OTU), to identify recommended actions that public agencies and private companies may undertake to better support the urgent needs of gig workers in India (link).

Lateral Surveillance

Drawing from multifaceted research on surveillance around the world, Mira Swaminathan and Shubhika Saluja analyse the unique domain of lateral surveillance, and its heightened impacts on the ‘culture of suspicion’ created between social classes, especially during a pandemic (link).
On the latest episode of our In Flux podcast, Shweta Reddy and Mira Swaminathan discuss COVID-19 related surveillance with Torsha Sarkar, and talk about balancing a public health objective with protection of our fundamental rights (link).

Misinformation

In an article in The Wire, Mira Swaminathan argues that the only efficient and effective way to prevent the spread of misinformation related to the pandemic is self-verification, which means that people who consume the data on an everyday basis must educate themselves and acquire the skills to tackle it (link).
Torsha Sarkar examines content moderation measures taken by online intermediaries to tackle harmful information related to COVID-19 on their platforms, and the recommended ways in which information around these decisions can be preserved for better research going forward (link).

Gender justice

In light of a large digital divide across the usage of technology by women, Ambika Tandon and Mira Swaminathan examine how effective calls to domestic abuse helplines are during lockdown (link).

Data Protection

As part of The Bastion’s series on the education sector and children’s privacy, Pallavi Bedi writes about protecting the privacy of children on ed-tech platforms, especially as students are now more than ever dependent on such platforms for their learning (link).
Shweta Reddy was a panelist on Medianama’s Roundtable on Privacy in the era of COVID-19, where she spoke about privacy checks for data collection process for the purposes of public health during the pandemic (link).
Gurshabad Grover was a discussant for the webinar on Health, Encryption & COVID-19: Keeping people and countries safer online, organized by Internet Society, Center for Democracy and Technology and Global Partners Digital, where he spoke about recent threats to end-to-end encrypted communications, including ‘traceability’ in India and the EARN IT in the US (link).

For more details visit https://cis-india.org/internet-governance/blog/engaging-with-the-covid-19-crisis

StateGovtCovidApps PDF

pranav — 2020-07-14T08:03:10Z

For more details visit https://cis-india.org/internet-governance/stategovtcovidapps-pdf

Brindaalakshmi.K - Gendering of Development Data in India - Beyond the Binary #4

sumandro — 2020-06-30T10:34:03Z

For more details visit https://cis-india.org/raw/brindaalakshmi-k-gendering-of-development-data-in-india-beyond-the-binary-4

Brindaalakshmi.K - Gendering of Development Data in India - Beyond the Binary #2

sumandro — 2020-06-30T09:45:47Z

For more details visit https://cis-india.org/raw/brindaalakshmi-k-gendering-of-development-data-in-india-beyond-the-binary-2

Brindaalakshmi.K - Gendering of Development Data in India - Beyond the Binary #1

sumandro — 2020-06-30T09:42:55Z

For more details visit https://cis-india.org/raw/brindaalakshmi-k-gendering-of-development-data-in-india-beyond-the-binary-1

Brindaalakshmi.K - Gendering of Development Data in India: Beyond the Binary

Brindaalakshmi.K — 2020-06-30T10:26:40Z

This report by Brindaalakshmi.K seeks to understand the gendering of development data in India: collection of data and issuance of government (foundational and functional) identity documents to persons identifying outside the cis/binary genders of female and male, and the data misrepresentations, barriers to accessing public and private services, and informational exclusions that still remain. Sumandro Chattapadhyay edited the report and Puthiya Purayil Sneha offered additional editorial support. This work was undertaken as part of the Big Data for Development network supported by International Development Research Centre (IDRC), Canada.

Part 1 - Introduction, Research Method, and Summary of Findings: Download (PDF)

Part 2 - Legal Rights and Enumeration Process: Download (PDF)

Part 3 - Identity Documents and Access to Welfare: Download (PDF)

Part 4 - Digital Services and Data Challenges: Download (PDF)

India has been under a national lockdown due to the global outbreak of the COVID-19 pandemic since late March 2020. Although transgender persons or individuals who do not identify with the gender of their assigned sex at birth, fall into the eligibility category for the relief measures announced by the State, the implementation of the relief measures has seen to be inefficient in different states [1] of the country [2]. Many transgender persons still do not have proper identification documents in their preferred name and gender that can help them with claiming any welfare that is available [3].

Historically, the situation of transgender persons in India has been so, even prior to the present pandemic. A qualitative research study titled Gendering of Development Data in India: Beyond the Binary was undertaken during October 2018 - December 2019, to understand the gendering of development data in India, collection of data and issuance of government (foundational and functional) identity documents to persons identifying outside the cis/binary genders of female and male, and the data misrepresentations, barriers to accessing public and private services, and informational exclusions that still remain.

The interviews for this study were conducted in late 2018 and this report was completed in the beginning of 2020, after India went through an extended national debate on and finally enactment of the Transgender Persons (Protection of Rights) Act during 2019. Three key observations from this study are presented in this blog post. Although these observations were made prior to the release of the draft rules of the new law, it is important to note that the law along with the draft rules in its present version will likely aggrevate the data and social exclusions faced by the transgender community in India.

Observation 1: The need for data has sidestepped the state’s responsibility to address the human rights of its people

The present global development agenda is to leave no one behind [4]. The effort to leave no one behind has shifted the focus of the state towards collecting data on different population groups. The design of and access to welfare programmes relies heavily on the availability of data. The impact of these programmes are again measured and understood as reflected by data. This shift in focus to data has led to further exclusion of already disenfranchised groups including the transgender community [5]. The problem with this lies in the framing of the development discourse as one that demands data as the prerequisite to access welfare benefits.

However, there are significant issues with the data on transgender persons that has been fed into different national and state-level databases, beginning with the census of 2011. For the first time, census of 2011 attempted to enumerate transgender persons. However, the enumeration of transgender persons for the census of 2011 has been severely criticised by the transgender community due to lack of

Clear distinction between sex and gender in the census data collection process,
Community consultation in designing the enumeration process, and
Inclusion of all transgender identities, among others.

However, this flawed data set is being used as the primary data for fund allocation across different states for transgender people’s inclusion, note respondents. Further, any person identifying outside the gender of their assigned sex at birth faces the additional burden of proving their gender identity to access any welfare benefit. However, cisgendered men or women are never asked to prove their gender identity. The need for data from a marginalised population group without addressing the structural problems has only led to further exclusion of this already invisible group of individuals, note respondents. Further, the Transgender Persons (Protection of Rights) Act, 2019 was passed despite the severe criticisms from the transgender community, human rights activist groups [6] and even opposition political parties [7] in India for several reasons [8].

Observation 2: Replication of existing offline challenges by digital systems in multiple data sources, continues to keep transgender persons excluded

Digitisation was supposed to remove existing offline challenges and enable more people centric systems [9]. However, digital systems seem to have replicated the existing offline challenges. In several cases, digitisation has added to the complexities involved.

The replication of challenges begins with the assumption that digital processes are the best way to collect data on transgender persons. Both level of literacy and digital literacy are low among transgender persons in India. According to a report by the National Human Rights Commission [10], nearly 50% of transgender persons have studied less than Class X. This has a significant effect on their access to different rights.

Access to mobile phones is assumed to bridge this access gap to online systems and services. However, observations from different respondents suggest otherwise. Additionally, due to their gender identity, transgender individuals face different set of challenges in procuring valid identification documents required to enter data systems, note respondents. This includes but not limited to:

Lack of standardised online or offline processes to aid in changing their documents and vary within each state in different documents.
Procuring any identification document in preferred name and gender requires existing identification documents in given name and assigned gender, in both online and offline processes. However, due to the stigma with their gender identity, transgender persons often run away from home with no identification document in their assigned name and gender.
With or without an existing ID document, individuals have to go through a tedious offline legal process to change their name and gender on different documents.
Information on such processes, digital or otherwise are usually available only to individuals who are educated or associated with a non-profit organisation working with the community. The challenges are higher for individuals with neither.

Observation 3: Private big data is not good enough as an alternative source of evidence for designing welfare services for transgender persons

Globally, public private partnerships for big data are being pushed through different initiatives like Data Collaboratives [11] and UN Global Pulse [12], among others. These private partnerships are being seen as key to using big data for official statistics, which can then aid in making welfare decisions [13]. However, the respondents note that the different private big data sources are not good enough to make welfare decisions for various reasons including but not limited to:

Dependency on government documents: Access to any private service system like banking, healthcare, housing or education by any individual requires verification using some proof of identity. The discrimination and challenges in procuring government issued identification documents impacts the ability of transgender persons to enter private data systems. This in turn impacts their access to services.
Misrepresentation in data: The dependency of private services on government issued documents / government recorded data, and hierarchy among such documents/data and the continued misrepresentation of transgender people, impacts the big data generated by private service providers. Due to the stigma faced, many transgender persons avoid using public healthcare systems for other medical conditions. The heavy dependency on private health care and lower usage of public health systems, results in insufficient big data on transgender persons, created by both public and private medical care and hence cannot be used to design health related welfare services.
Social media data issues: Different websites and apps also use social media login as the ID verification mechanism. Since not all transgender persons are out to their family and friends about their gender identity, they often tend to have multiple social media accounts with different names and gender to protect their identity. When open about their gender identity, harassment and bullying of transgender persons with violent threats or sexually lucid remarks are quite common on social media platforms. Online privacy therefore continues to be a serious concern for them. Disclosing their transgender status also enables the system to predict user patterns of a vulnerable group with potential for abuse, note respondents.

In conclusion, the present global pandemic has further amplified the inherent flaws in the present data-driven welfare system in the country and its impacts on a marginalised population group like transgender persons in the country. Globally, gender in development data is seen in binary genders of male and female, leaving behind transgender individuals or those who do not identify with the gender of their assigned sex at birth. So the dominant binary gender data conversation is in fact leaving people behind. With the regressive Transgender Persons (Protection of Rights) Act of 2019 and its rules, this inadequacy in the global development agenda related to gender equality is felt at an amplified scale.

Building on the work of Dr. Usha Ramanathan, a renowned human rights activist, I say that data collection and monitoring systems that tag, track, and profile transgender persons placing them under surveillance, have consequences beyond the denial of services, and enter into the arena of criminalising for being beyond the binary [14]. The vulnerabilities of their gender identity exacerbates the threat to freedom. With their freedom threatened, expecting people to be forthcoming about self-identifying themselves in their preferred name and gender, so as to ensure that they are counted in data-driven development interventions and can thus access their constitutionally guaranteed rights, goes against the very idea of sustainable development and human rights.

References

[1] Kumar. V (2020, May 13). In Jharkhand, a Mockery of 'Right to Food' as Lockdown Relief Measures Fail to Deliver. The Wire. Retrieved from: https://thewire.in/food/lockdown-jharkhand-hunger-deaths-corruption-food

[2] Manoj. C.K. (2020, April 24). COVID-19: Thousands pushed to starvation due to faulty biometric system in Bihar. DownToEarth. Retrieved from: https://www.downtoearth.org.in/news/food/covid-19-thousands-pushed-to-starvation-due-to-faulty-biometric-system-in-bihar-70681

[3] G. Ram Mohan. (2020, May 01). Eviction Fear Heightens as Lockdown Signals Loss of Livelihood for Transgender People. The Wire. Retrieved from: https://thewire.in/rights/transgender-people-lockdown-coronavirus

[4] UN Statistics (2016). The Sustainable Development Goals Report 2016. United Nations Statistics. Retrieved from: https://unstats.un.org/sdgs/report/2016/leaving-no-one-behind

[5] Chakrabarti. A (2020, April 25). Visibly Invisible: The Plight Of Transgender Community Due To India's COVID-19 Lockdown. Outlook. Retrieved from: https://www.outlookindia.com/website/story/opinion-visibly-invisible-the-plight-of-transgender-community-due-to-indias-covid-19-lockdown/351468

[6] Knight Kyle. (2019, December 05). India’s Transgender Rights Law Isn’t Worth Celebrating. Human Rights Watch. Retrieved from: https://www.hrw.org/news/2019/12/06/indias-transgender-rights-law-isnt-worth-celebrating

[7] Dharmadhikari Sanyukta. (2019). Trans Bill 2019 passed in Lok Sabha: Why the trans community in India is rejecting it. The News Minute. August 05. Retrieved from: https://www.thenewsminute.com/article/trans-bill-2019-passed-lok-sabha-why-trans-community-india-rejecting-it-106695

[8] Editorial. (2018, December 20). Rights, revised: on the Transgender Persons Bill, 2018. The Hindu. Retrieved from: https://www.thehindu.com/opinion/editorial/rights-revised/article25783926.ece

[9] Ministry of Electronics and Information Technology, Government of India. (2018). National e-Governance Plan. Retrieved from: https://meity.gov.in/divisions/national-e-governance-plan

[10] Kerala Development Society. (2017, February). Study on Human Rights of Transgender as a Third Gender. Retrieved from: https://nhrc.nic.in/sites/default/files/Study_HR_transgender_03082018.pdf

[11] Verhulst, S. G., Young, A., Winowatan, M., & Zahuranec, A. J. (2019, October). Leveraging Private Data for Public Good: A Descriptive Analysis and Typology of Existing Practices. GovLab, Tandon School of Engineering, New York University. Retrieved from: https://datacollaboratives.org/static/files/existing-practices-report.pdf

[12] Kirkpatrick, R., & Vacarelu, F. (2018, December). A Decade of Leveraging Big Data for Sustainable Development. UN Chronicle, Vol. LV, Nos. 3 & 4. Retrieved from: https://unchronicle.un.org/article/decade-leveraging-big-data-sustainable-development

[13] See [11].

[14] Ramanathan. U. (2014, May 02). Biometrics Use for Social Protection Programmes in India Risk Violating Human Rights of the Poor. UNRISD. Retrieved from: http://www.unrisd.org/sp-hr-ramanathan

For more details visit https://cis-india.org/raw/brindaalakshmi-k-gendering-development-data-india

Remove misinformation, but be transparent please!

TorShark — 2020-06-29T11:46:56Z

The Covid-19 pandemic has seen an extensive proliferation of misinformation and misleading information on the internet - which in turn has highlighted a heightened need for online intermediaries to promptly and effectively deploy its content removal mechanisms. This blogpost examines how this necessity may affect the best practices of transparency reporting and obligations of accountability that these online intermediaries owe to their users, and formulates recommendations to allow preservation of information regarding Covid-19 related content removal, for future research.

This article first appeared in the CyberBrics. The author would like to thank Gurshabad Grover for his feedback and review.

Introduction

We are living through, to put it mildly, strange times. The ongoing pandemic has pinballed into a humanitarian crisis, revealing and deepening the severe class inequalities that exist today. The crisis has been exacerbated by an ‘infodemic’, as the World Health Organization (WHO) notes: a massive abundance of information - occasionally inaccurate - has reduced the general perception of trust and reliability of online sources regarding the disease.

As a response to this phenomenon, in March, the Ministry of Electronics and Information Technology (MeitY) issued an advisory to all social media platforms, asking them to “take immediate action to disable/remove [misinformation on Covid-19] hosted on their platforms on priority basis.” This advisory comes at a time when several prominent online platforms, including Google, Twitter and Facebook are also voluntarily stepping up to remove ‘harmful’ and misleading content relating to the pandemic. In the process, these intermediaries have started to increasingly rely on automated tools to carry out these goals, since their human moderator teams had to be sent home on lockdown norms.

While the intention behind these decisions is understandable, one must wonder how this new-found speed to remove content, prompted by the bid to rid the social media space of ‘fake news’ may affect the best practices of transparency reporting and obligations of accountability that these online intermediaries owe to their users. In this piece, we explore these issues in a little more detail.

What is transparency reporting?

Briefly speaking, transparency reports, in the context of online intermediaries and social media companies, are periodic (usually annual or half-yearly) reports that map different policy enforcement decisions the company has taken regarding, among other things, surveillance and censorship. These decisions are either carried out unilaterally by the company, by third-party notices (in case of content that is infringing copyright, for instance), or at the behest of state authorities. For instance, Google’s page on transparency reporting describes the process as “[s]haring data that sheds light on how the policies and actions of governments and corporations affect privacy, security, and access to information.”x

To gauge the importance of transparency reporting in today’s age of the internet, it is perhaps potent to consider their history. In the beginning of the past decade, Google was one of the only online intermediaries providing any kind of information regarding government requests for user data, or requests for removal of content.

Then, in 2013, the Snowden Leaks happened. This was a watershed moment in the internet’s history, inasmuch as it displayed that these online intermediaries were often excessively pliant with government requests for user information, allowing them backdoor surveillance access. Of course, all of these companies denied these allegations.

However, from this moment onwards, online intermediaries began to roll out transparency reports in a bid to fix their damaged goodwill, and till last year, it was noted that these reports continued to be more detailed, at least in the context of data and content related to users located in the US. A notable exception to this rule was the tech giant Amazon, whose reports are essentially a PDF document of three pages, with no nuance regarding any of the verticals mentioned.

Done well, these reports are invaluable sources of information about things like the number of legal takedowns effectuated by the intermediary, the number of times the government asked for user information from the intermediary for law enforcement purposes, and so on. This in turn becomes a useful way of measuring the breadth of government and private censorship and surveillance. For instance, this report shows that the government emergency reports sent to Facebook have doubled since 2019, which is concerning, since it is not clear what does the company mean by an ‘emergency’ request, and whether its understanding matches up with that provided under the Indian law. Which means that it becomes difficult, in turn, to ascertain the nature of information that the company is handing over to the government.

Best practices and where to find them

While transparency reports are great repositories to gauge the breadth of government censorship and surveillance, one early challenge has been the lack of standardized reporting. Since these reports were mostly autonomous initiatives by online intermediaries, each of them had taken their own forms. This in turn, had made any comparison between them difficult.

This has since been addressed by a number of organizations, including Electronic Frontier Foundation (EFF), New America and Access Now, all creating their own metrics for measuring transparency reports. More definitively, in the context of content removal in 2018, a group of academicians, organizations and experts had collaborated to form the ‘Santa Clara Principles on Transparency and Accountability in Content Moderation’ which have since received the endorsement of around seventy human rights groups. Taken together, these standards and methodologies of analysing transparency reports present a considerable body of work, against which content removals can be mapped.

Content takedown in the time of pandemic

In some of our previous research, we have argued how the speed of removal, or the time taken by an intermediary to remove ‘unlawful’ content, says nothing about the accuracy of the said action. Twitter, for instance, can say that it took some ‘action’ against 584,429 reports of hateful conduct for a specified period; this does not always mean that all the action it took was accurate, or fair, since very little publicly available information is there to comprehensively gauge how effective or accurate are the removal mechanisms deployed by these intermediaries. The heightened pressure to deal with harmful content related to the pandemic, can contribute further to one, removal of perfectly legitimate content (as examples from Facebook shows, and as YouTube has warned in blogs), and two, towards increasing and deepening the information asymmetry regarding accurate data around removals.

Given the diverse nature of misinformation and conspiracy theories relating to the pandemic currently present on the internet, this offers a critical time to study the relation between online information and the outcomes of a public health crisis. However, these efforts stand to be thwarted if reliable information around removals relating to the pandemic continue to be unavailable.

How to map removals in these times?

One, as the industry body IAMAI notes, while positive, collaborative steps between social media companies and the government to curb misinformation are welcome, any form of takedown at the behest of the state must take the correct legal path, as mandated by the provisions of the Information Technology (IT) Act. Additionally, all information regarding content takedowns to remove fake news related to Covid-19 must be preserved and collected separately by these companies, and subsequently represented in their transparency reports.

Two, if the recent case of Twitter fact-checking Donald Trump’s tweet on electoral ballots is any indication, an online intermediary’s suo motu enforcement of its internal speech norms may take different shapes, apart from the usual takedown/leave up binary, including fact-checking and showing warning labels for conspiratorial content (Facebook for instance, has taken to adopt measures that would connect verified sources of information to users interacting with Covid-19 related misinformation). Accordingly, information regarding these additional measures must be mapped, including the efficacy of these steps, and should be presented in the transparency reports.

Additionally, several of these companies have stepped up to use automated moderation tools and systems for quick response against the spread of disinformation on their platforms. However, as YouTube’s Creator Blog warns its users, some of these removals may be erroneous, and the users would accordingly have to appeal these decisions. Therefore, while information regarding removals prompted by the use of these tools must be preserved, and represented separately, these numbers should also be expanded to include the error rates of these automated tools, and the rate at which posts removed by error are reinstated.

Three, as previous research on transparency reporting has shown, there is a substantive bridge between the information provided by these companies for users based in the US, and those based out of other countries. This is problematic on several counts. Due to the expansive issues with the laws relating to content removal in India, this inadequate representation of information makes it impossible to gauge the practical ramifications of the opaque legal system, and accordingly, makes reforms difficult. In the current times, this lack of information may also paint an imperfect picture of government censorship. After all, the Indian government has, on multiple occasions, the dubious reputation of sending flawed legal takedown notices and forcing intermediaries to censor content nevertheless.

Therefore, this continued refusal to provide more nuanced information in the context of India would continue to facilitate these practices, and only increase the breadth of censorship of digital expression.

While the need to remove harmful information from social media platforms in this stage of the crisis might be necessary, such need must not circumvent the adherence to the minimum standards of transparency and accountability. If the Snowdean leaks are any indication, online companies can be made to change their policies during watershed moments in history. The current Covid-19 crisis is one such moment, both offline and online, and the need is more pressing than ever, for these companies to step up and do better.

Shared under Creative Commons BY-SA 4.0 license

For more details visit https://cis-india.org/internet-governance/blog/remove-misinformation-but-be-transparent-please-1

'I feel the pain of having nowhere to go': A Manipuri Trans Woman Recounts Her Ongoing Lockdown Ordeal

Santa Khurai — 2020-06-22T11:42:39Z

"My life and work in Bengaluru came to an abrupt halt with the COVID-19 outbreak and lockdown this March. We no longer had jobs and were forced to plan our departure from the city." -- As told to Santa Khurai, Manipur-based queer and Nupi Manbi activist, artist and writer. Compiled by Aayush Rathi, a cisgender, heterosexual man, and researcher with Centre for Internet and Society, India. This account is part of an ongoing CIS research project on gender, welfare and surveillance in India, and is supported by Privacy International, UK.

Originally published by Firstpost, June 20, 2020.

In 2015, I left my home state of Manipur for Bengaluru.

My name is Sarik*; I prefer to be known as Siku. I am a Nupi Manbi (trans woman).

Other Nupi Manbi had told me that Bengaluru is tolerant of transgender individuals, and that it is easy to find decent, well-paying jobs here. I contacted friends who had already moved here and relocated with their help.

Immediately, I found work at a fabric dyeing factory. The salary meant I could send some money home, my family was able to invest some of the funds in a monthly marup [revolving informal credit collective], and I was able to dream of someday having enough to buy a piece of land in Manipur.

I wasn’t to know at the time that just five years later, the happiness and hope would both prove fleeting.

***

I grew up in a small locality of Imphal East District, the youngest of three siblings. My mother had passed away, my father is a priest and story-teller, and my older brother worked as a traditional cook. As a result, our lives were fairly hand-to-mouth.

The frequent shifting of homes was very difficult for me, but I had no choice in the matter. I used to earn money by assisting other transgender friends in their tailoring works. While I worked hard in order to set aside enough money to own a small piece of land, it proved impossible with my meagre earnings.

After years of struggle, I decided to move to a big city with the aspiration to earn more.

***

My life and work in Bengaluru came to an abrupt halt with the COVID-19 outbreak and lockdown this March.

We no longer had jobs and were forced to plan our departure from the city. The Manipur government had announced measures that would allow stranded citizens to return to the state, so we began the formal process for our repatriation.

On 14 May 2020, three of us left Bengaluru in a special train that was organised for returnees to Manipur. Four days later, we were in Manipur.

When we reached Imphal, all returnees were first assembled at Modern College in Porompat, Imphal East. From there, we were sent to our respective constituencies to be quarantined. In the process, I was separated from my friends.

I was taken to Wangkhei Girl School as my permanent address falls under this constituency. At the quarantine centre, I was allocated a room shared by six other men. All the inmates were also sharing a toilet. This made me very uncomfortable; my body was undergoing changes due to hormonal effects.

In my discomfort, I reached out to transgender activist Santa Khurai, highlighting the need to set up a separate quarantine centre for transgender people. She immediately created a WhatsApp group for all the transgender people housed at different quarantine centres, keeping us updated about a separate quarantine centre for us. On the evening of 20 May, we rejoiced on seeing photos of the quarantine centre set up for transgender people. That night was the end of my terrible stay at the common quarantine centre.

***

On 21 May, I was shifted to the quarantine centre for transgender people at Ideal Blind School, Takyel. There, I was reunited with two of my friends. We stayed there for 17 days, receiving support from Santa Khurai through telecounseling. Before the quarantine period concluded, we were tested for COVID-19. We did not receive the results, but were advised to go back home. We were provided an acknowledgment in the form of a medical document. The relatives and parents of the other two trans girls had come to pick them up, but since my family doesn’t own a vehicle and it was not possible to hire on, I called a transgender friend to drop me home. I could sense some animosity in the neighbourhood, and decided not to step out from the house.

On the morning of 4 June, local governing bodies and clubs including Meira Paibi [a women’s rights group] thronged my house. A large crowd gathered in the temple shed. The club and Meira Paibi leader called my family members out and we were made to sit in the middle of a large group of people. They asked me to produce the result of the COVID-19 test, and I showed the acknowledgement given to us at the quarantine centre. People in the crowd passed the paper to each other disapprovingly, arguing that I hadn’t been declared COVID negative. One of the local club leaders called the police and doctors. The doctor who was in charge of the facility for transgender persons responded to the call, and validated my discharge from quarantine.

After few hours, even the police arrived and said that I could stay at home. However, the locals pressured the cops into taking my family — including my frail father who is in his 80s — to the police station.

***

We were finally allowed to leave the police station after several rounds of interrogation. My father, my brother (along with his wife and son) were taken back home by the police, while I was separately dropped off at a hotel in Gandhi Avenue, Thangal Bazar. I was advised to check in the hotel at around 3 pm; the charge was Rs 1,000 per day. When I asked the man who would pay for the room, he said, “Let’s see. At least you will be safe to stay here as the locals didn’t accept you coming home. You stay here until the test result come out.”

I called Santa in desperation, who consoled and reassured me. In the meantime, I had also called my sister to ask if some clothes could be brought for me. Her response alarmed and frightened me: My sister told me that my family were not being allowed to enter the house. The gate had been locked and they were instructed to stay at a quarantine centre as they were exposed to me. The news shocked me and made me desperate in wanting the test result to come out expeditiously, so that it would at least prevent any further hardships for my family.

Now I’m staying at the hotel. I fear going back to the house, the hostility of the locals, my family being attacked, my old father being forced to stay at a quarantine centre. I feel the pain of having nowhere to go. It is also infuriating to think that this could have been completely avoided had the officials not been in a haste to make us leave the quarantine centre, and had let us stay till the actual test results were received.

* Name changed to protect identity.

For more details visit https://cis-india.org/raw/a-manipuri-trans-woman-recounts-her-ongoing-lockdown-ordeal-covid19

Guest Report: Bridging the Concerns with Recommending Aarogya Setu

Siddharth Sonkar — 2020-06-24T05:19:43Z

Keywords: Aarogya Setu, Constitutionality, Digital Contact Tracing, Location Data, Personal Data Protection Bill, 2019, Exemptions, Personal Data, Sensitive Personal Data, Mosaic Theory, Surveillance, Privacy, Governing Law, Necessity, Intensity of Review, disparate Impact, Proportionality

This report was edited and reviewed by Arindrajit Basu, Mira Swaminathan, and Aman Nair.Read the full report here

EXECUTIVE SUMMARY

Aarogya Setu collects real-time location data of users every fifteen minutes to facilitate digital contact tracing during the Pandemic. It inter alia color-codes users indicating the extent of risk they pose based on their health status and predicts hotspots which are more susceptible to COVID-19. Its forecasts have reportedly facilitated the identification of 650 clusters of COVID-19 hotspots and predicting 300 emerging hotspots which may have been otherwise missed. In a welcome move, the source code of the application was recently made public. The initially-introduced mandate to use the application was reportedly diluted and a Protocol supplementing the privacy policy with additional safeguards was released. Despite these steps in the right direction, some key concerns continue to require alleviation through engagement. This Report seeks to constructively engage with these concerns towards making privacy safeguards governing its operability more consistent with international best practices.

First, the Report maps situations in which Aarogya Setu in fact remains mandatory (in Table 1) In these situations, there exists no restriction against private parties (e.g. employers, airlines, etc.) from indirectly making its use mandatory. Consequently, there is no real choice in determining the use of the application. Even where there exists a choice to opt-out (e.g. in contexts where there is only an advisory but no indirect mandate), the choice is not meaningful due to the inability to examine the potential consequences of using the apn remains mandatory for practical purposes since there still exists an obligation to undertake due diligence towards making sure that every employee uses the application. In other words, this part of the report explains why it remains indirectly mandatory to use the application. This indirect mandate impedes the exercise of meaningful consent. This could be addressed through a notification directing that no one should be indirectly compelled to use the application. This part also acknowledges that even where a choice to opt-out (e.g. in contexts where there is only an advisory but no indirect mandate), the choice is not meaningful due to the inability to examine the potential consequences of using the application.

Second, the report explains why the mandate to use the Application raises concerns in the first place: i.e. in the absence of transparency beyond the publication of the source code. The open-source code may not necessarily result in meaningful algorithmic transparency (since the processing in the models at the Government of India server continues to remain a black box) in respect of predictions made to determine appropriate health responses. Based on the source code per se, people are unable to verify the wherever there exists operability of the Application more meaningfully. Algorithmic transparency enables people to make an informed decision in using the Application by choice. The ability to make an informed decision is critical to the right to privacy. The right to privacy does not just mean drawing boundaries or creating limitations against any external interference. The right also includes the public’s right to know how an algorithm affects their lives. Given the centrality of transparency in the ability of the user to exercise their privacy better, beyond releasing the source code of Aarogya Setu, publicizing information about how predictions are made is important. This part acknowledges the limitations of transparency in that it can only facilitate identification of privacy harms and not really solve them by itself. Yet, it goes ahead and re-emphasises the inter-relationship of transparency and privacy, highlighting how it became a basis recently in striking down a government-used algorithm, which indicates incentive to increase transparency.

Third, the report reviews whether based on the already-available information from the combined reading of the privacy policy and the protocol, the operability of the application seems consistent with best international practices in protecting user privacy. This part begins with an analysis of the privacy policy and the protocol, which indicate privacy concerns in relation to inter alia location data, followed by an explanation as to why there exists a reasonable expectation of privacy over location data (to establish a privacy intrusion). This is followed by structurally applying the proportionality test to identify necessary modifications to the current framework:

The 'legality' prong may be satisfied by a combined reading of the NDMA and the specificity in the delegated legislation, as has been done in the past particularly in the context of location tracking. However, it is suggested (in the recommendations section) that a statutory legislation comprehensively governing the operability of the Application is introduced to ensure predictability and permanency in the framework governing the operability of the Application as done internationally. Moreover, determining appropriate health responses to the Pandemic is indeed a legitimate interest that is sought to be achieved through the application
Given the limitations of traditional methods of contact-tracing, digital contact tracing could perhaps be a suitable method of ascertaining appropriate health responses to the Pandemic subject to a comprehensive review of evidence on a regular basis to evaluate verifiably its effectiveness. Since the use of the application seems likely in the long run, its efficacy needs to be backed by concrete evidence which corroborates its accuracy and effectiveness such as statistical data on false positives and negatives that result from the application
A careful reading of the combined reading of the Aarogya Setu privacy policy and the Protocol with Fair Information Protection Principles (‘FIPP’) indicates some inconsistencies with international best practices. The extent of inconsistency with best practices may not be considered the least restrictive and therefore necessary form in which digital contact tracing can be conducted in India
Since the inconsistencies seem relatively more restrictive than necessary to facilitate digital contact tracing in India, a balancing of privacy and public health could result in the conclusion that the application is not ‘proportionate’ to the potential privacy harms that can result from using the application. While conducting the balancing exercise, privacy and public health should be viewed as complementary, not competing interests. This conception would encourage courts to consider privacy concerns with sufficient extent of intensity

Based on this analysis, the report concludes that digital contact tracing provided the following conditions (detailed in the ‘Recommendations’ section) are conjunctively satisfied:

Digital contact tracing should supplement (e.g. be in addition to) and not supplant (i.e. replace) traditional methods of contact tracing entirely, particularly for vulnerable groups (e.g. interviews where vulnerable groups, particularly marginalized women do not have access to mobile phones);
A statutory law should be introduced which strictly and comprehensively governs the scope of the application,
the suitability of the application (with meaningful algorithmic transparency) should be corroborated by reliable and relevant statistical evidence (e.g. with the help of closer scrutiny of the basis of predictive outcomes) and
The privacy compromises using the application should be intrusive to the minimum extent possible. This could be done by further adding robust safeguards through stronger restrictions on sharing the collected data

(Final year undergraduate student of the National University of Juridical Sciences (NUJS), Kolkata with a sustained interest in law, technology and policy (graduating with the class of 2020).

For more details visit https://cis-india.org/internet-governance/guest-report-bridging-the-concerns-with-recommending-aarogya-setu

Geo-economic impacts of the coronavirus: Global Supply Chains (Part I)

Nikhil Dave — 2020-06-16T08:17:44Z

This two part blog post looks at the geo-economic impacts of the coronavirus by examining crucial impacts of developments in China. Part I looks at the impact of China's shutdown on global supply chains and part two, considers the implications for the future of 5G technology.

Introduction

The outbreak and swift spread of COVID-19, though comparable to previous incidents such as the SARS-CoV virus outbreak in 2003, has had a far more severe impact for a number of reasons which inter alia, include China’s enhanced role in the world economy and global supply chains. Back in 2003, China produced a mere 5% of the Global GDP, which has since increased nearly four times to 16%, with similar rises in Chinese imports, exports, services sector and tourism. Emerging as a public health emergency and global pandemic over the past few months, there have been 7 million confirmed cases of COVID-19 and nearly 4,00,000 deaths worldwide. The resultant economic impact has also been devastating for most affected countries. In most instances, it can be traced back to China’s integral role as the “world’s factory.”

As the situation worsened in January, the response from China was drastic, with complete lockdowns of cities and provinces giving free reign to the surveillance state to control the lives of its citizens. The province of Hubei with a population of 58 million people was completely isolated from the rest of the country and millions of businesses worldwide, as it was placed in strict lockdown for months.

The adverse impact of a viral outbreak in a city was compounded greatly by the rate at which it can spread due to the efficiency of modern transport systems. The Chinese aviation sector being one of the largest in the world led to the rapid spread of COVID-19 across a number of countries. Beyond the impact on human lives, it has also exposed the pitfalls of placing complete reliance on one manufacturing hub.

Through this two part blog post, two broad impacts will be addressed– in part one, the impact of China’s shutdown on global supply chains and economy and in part two, the implications for the future of 5G technology. The latter would also include how China has strategically leveraged its near monopoly status in certain sectors, its earlier recovery, and the vulnerable economic position of states as effective tools to further its lead in the all-important 5G tech race.

BLOG POST 1 : Global Supply Chains

Disruption of Global Supply Chains

Internationally, the manufacturing industry is structured within the intertwined nature of global supply chains. This implies that a break in the flow of production and distribution of one part of the chain would have a compound effect on the interconnected global economy. It would prevent the manufacture of finished products in several other countries which are dependent on a specific region for components. However, these highly interdependent supply chains have only developed over the last three decades, with China’s extensive expansion and a massive push towards globalisation from the 1990s. China emerged as an industrial hub for several reasons which inter alia include: a low-cost workforce, extremely efficient manufacturing capabilities, lower tax rates, and streamlined logistics – placing it miles ahead of competing developing economies. This would provide companies with two particular benefits – extremely low production cost and a significant increase in profit margins. For businesses in the West, it became nearly impossible to compete with another that was manufacturing in China because they had significantly larger margins to undercut them on cost. Thus, businesses globally gravitated towards China as a manufacturer and provider of essential components with no readily available alternatives.

The resultant global supply chains tend to be rather opaque in their functioning, due to the prohibitively high investment of time and resources required in supply network mapping (the process of figuring out where each component of a product is sourced from). As a direct consequence, most companies tend to not have sufficient clarity on when disruptions are likely and no conceivable back-up plans. This has been witnessed in previous disasters such as the 2011 tsunami and earthquake in Japan when several automobile companies were oblivious to the supply chain disruptions for several weeks and production was halted globally. Yet, the troubles caused by placing reliance on a single supplier has not led to companies across sectors taking major steps to remedy the situation.

The lack of prior estimation of such an incident and creation of response plans despite a similar, albeit much smaller coronavirus outbreak (SARS-CoV in 2003) recently, has halted production across sectors US, Germany, France and others. The global supply chains have broken down in sectors ranging from machinery, aviation, pharmaceuticals, medical equipment, apparel, automobiles, and technology. This is majorly due to the limited inventories and paucity of substitutable source for components.

As per reports of a survey conducted by the Institute for Supply Management, nearly 75% of companies have faced supply chain disruptions due to China’s lockdown measures and transportation restrictions – showing the level of unpreparedness that most businesses are at within the current global crisis. A second study conducted by Dun & Bradstreet found that nearly 51,000 companies had direct suppliers in Wuhan itself – and the province has facilities which are Tier-2 suppliers for nearly 5 million companies in the world. Both multinationals and small businesses depend on China for either finished products or essential components – this enhances the economic impact with production being disrupted across all levels. So when China’s factories are closed, half the world’s factories across diverse sectors cannot continue production beyond the inventory they possess.

Excessive dependence?

The Sino-American Trade war had already stressed supply chains sufficiently over the past two years and China’s shutdown ended up being the last straw. Two key areas that have been impacted – critical medical equipment production (given the public health emergency) and the technology industry. The two have also been strategically linked by China to extract important geo-political benefits.

The response to the pandemic exposed the world’s over-dependence on China for key medical equipment including PPE, ventilators, and N95 masks which became highly valued as infection numbers rose. China produced nearly half of the world’s N95 respirators before the pandemic and with production in overdrive, it accounts for 85% . With China looking to use it as a bargaining chip, it had soured US-China relations further.

China’s integral role in the global electronics and technology industry produced a definitive impact on production for US companies and the rest of the world. Even the smartphone market which has witnessed consistent growth over the past decade has seen a decline in the first quarter of 2020. Apple was one of the first tech companies to acknowledge the impact on revenues and smartphone sales world over. Thus, the shutdown of China’s factory floors had created a supply side problem which soon evolved into a demand crunch due to lockdowns being imposed in all major economies.

The smartphone market demand crunch is indicative of a larger pattern of a sharp fall in demand across industries in the West. South Korea, one of the top exporters, has witnessed a 46.3% fall in exports as per its May numbers. Even in early March, a UNCTAD report estimated that global value chains had already suffered a loss of $50 billion, due to COVID-19 related shutdowns, of which the major impact has been on the US, EU, Japan and South Korea. Just two months later, the estimated losses to the global economy stand at $5.8-8.8 trillion, as per a report by the Asian Development Bank. China’s production shutdown along with the continued spread of COVID-19 has caused a catastrophic domino effect for the global economy which cannot be overstated.

Path ahead for Global Supply Chains & China’s Role

China has been slowly trying to get production back up with increased safety measures in place and stood at around 80% of earlier levels in April. Nonetheless the devastating impact of the pandemic has caused several states to re-evaluate their strategies of complete reliance on China for essential components. The sole dependence on China for essential components must be cut down despite the lower margins it provides simply because of the possibly incalculable damage caused by such an event.

An overarching trend among countries largely dependent on China has been their government’s push to decouple from China’s supply chains by setting-up of manufacturing facilities in South-East Asia. A number of businesses had been considering a transfer of part of their production centres to other Asian countries including India and other South-East Asian nations. These include the US tech giants – Apple, Microsoft and Google as well as Samsung, Intel, Nike and Adidas, that are considering a shift in partial production to Vietnam and Thailand. As a reactionary measure, governments in the United States and the EU have announced economic stimulus packages with figures in trillions. Within these stimulus packages some countries such as Japan have offered incentives in billions of dollars to firms for shifting production out of China.

Even though the US had signed phase one of a “historic” trade deal with China in January 2020, signalling a short truce after the trade wars, Trump has pushed the pedal back on sanctions in May. These include sanctions targeting Huawei to cover up loopholes which allowed American companies with facilities abroad to continue supplying components to China - including the all important semiconductor chips used in most Huawei devices and 5G base-stations. China has stated that they will retaliate with all necessary measures suggesting the trade wars are only likely to heighten once again. There have also been reports that China, taking a leaf out of the US’s ‘lawfare’ strategy, intends to launch innumerable investigations into US tech companies in retaliation. The sanctions could include investigations into companies such as Apple, Cisco, and Qualcomm that are heavily reliant on Chinese suppliers along with a prospective ban on Boeing aircrafts being purchased in China.

In light of the fresh sanctions and pressure on Johnson from his own party, even the UK has announced its intentions of forming a 5G alliance of democratic nations - the D10 - independent of Chinese reliance. (US sanctions on Huawei and the 5G alliance will be addressed in further detail in Part Two). China’s economic sanctions against Australia as retaliation for official investigations demands on the origin of the virus has caused Australia to consider reducing complete reliance on China as the primary market for its goods but stopping short of decoupling due to their mutual dependence.

Another strong indicator of a prominent economy looking to limit China’s impact in its economy and supply chains has been India’s move to block the automatic FDI route for neighbours given the “volatile business climate” in the COVID-19 hit economy. India’s clear intention is to prevent hostile takeover of businesses in India by Chinese firms and their rising commercial influence in India’s markets. All of these moves certainly suggest that several major economies are looking to reduce their economic reliance on China and diversify their supply chains.

With several countries looking to decouple their supply chains from China, geo-economic relations could be starkly different from the standards of normalcy. However, shifting production away from China and reducing their dependency presents several complex obstacles. China’s infrastructure and supply of highly-skilled workers in the technology and electronics industry are difficult to replicate elsewhere. Creation of adequate replacement for component manufacturing particularly is likely to take several years to develop capacity and infrastructure as well. Even if manufacturing processes are shifted outside China, companies may still have to rely on China for component sourcing, one of the major causes for the current breakdown of supply chains. Nintendo had partially transferred production of Switch consoles to Vietnam in 2019. In the wake of China’s shutdown, the console has been unavailable in stores since component supply dried up from China.

Even if a large swathe of countries is miraculously successful in reducing their economic reliance on China – the pattern of continued dependence displayed by companies like Nintendo in the technology sector point towards China’s continued importance. Its domination in 5G network infrastructure is also likely to continue - as will be mentioned in the subsequent blog post- this further entrenches the world’s reliance on China in the manufacture and deployment of technology. China is already slated to lead the global economic recovery since it is well ahead of other states and one of the only major economies likely to grow this year.

China has also displayed a willingness to take action to kickstart the process of global economic recovery by engaging and providing aid through several multilateral fora - including the ASEAN, the Central and Eastern European States under its controversial 17=1 Mechanism, the ten Pacific Island states, and the Arab League. The US, under Trump, has been adopting a policy of ‘America First’ which led to a lack of crucial international cooperation during the pandemic with other countries adopting export controls on essential products too. Furthermore, the US decision to cut funding from the WHO in the midst of a pandemic only brought further harms to their soft power and position as an international leader. The key advantages held and actions taken by China, in contrast to the US’s apathy could ensure their emergence as a winner in the emerging global economic order of the post-pandemic world. The control of global supply chains entrenched in Chinese domination seems unlikely to witness a radical shift because of the very over-dependence on China. This factor coupled with its earlier economic recovery from the pandemic highlight the importance it will continue to play in global economic affairs.

(Nikhil Dave is a student at the West Bengal University of National Juridical Sciences and a researcher at CIS. This post was edited and reviewed by Arindrajit Basu and Aman Nair)

For more details visit https://cis-india.org/internet-governance/geo-economic-impacts-of-the-coronavirus-global-supply-chains-part-i

The debate over internet governance and cyber crimes: West vs the rest?

Elizabeth Dominic — 2020-06-08T07:04:26Z

The post looks at the two models proposed for internet governance and the role of cyber crimes in shaping the debate. In this context, it will also critically analyze the Budapest Convention (the “convention”) and the recently proposed Russian Resolution (the “resolution”), and the strategies adopted in each to deal with the menace of cybercrimes. It will also briefly discuss India’s stances on these issues.

With Internet connectivity and use of technology rising exponentially, the tug of war over Internet governance continues. On one end are the states advocating for a global, open and free model of the Internet, dubbed as the ‘Western model’, spearheaded by the U.S. and its allies. On the other end are a cluster of states led by China and Russia, advocating for a sovereign and controlled version of the internet, a ‘Leviathan model’. Although the idea of an Internet embodying the principles of equality, openness and multistakeholderism sounds appealing, the rise of new trends including cyber crimes and online misinformation poses a challenge to this model making it arduous, if not impossible, to pick one model over the other.

The post will briefly explore the two models proposed for Internet governance and the role of cybercrimes in shaping the debate. In this context, it will also critically analyze the Budapest Convention (the “convention”) and the recently proposed Russian Resolution (the “resolution”), and the strategies adopted in each to deal with the menace of cybercrimes. It will also briefly discuss India’s stance on the convention.

Two Models and Three Parties

Since the evolution of the Internet, its stewards have been expounding a global internet embodying features such as statelessness, openness, interoperability, security, and multistakeholderism. Known as the Western model of internet governance, it has been embraced by many states including UK, France. The model is premised on the idea that the internet should be a space where there is free flow of content without filtering by any intervening party including the state, thereby upholding the freedom of speech and human rights. However since the potential to cause harm in cyberspace is real, the states cannot leave the domain ungoverned. Therefore, the proponents of the Western model do exercise some degree of sovereignty over cyberspace within their borders but it is largely in contrast to the tight control exercised by the statist and controlled model, spearheaded by China and Russia. The latter model advocates for a closed version of the internet bound by territorial borders along with authoritarian control over the flow of information.

Interestingly, not every state can be easily categorized into either of these groups. Some states either lack the capacity or an interest to implement one of the model. Tim Maurer et al. in a seminal paper identifies such states as the “swing states”. They are undecided on either of the models but have the capacity to influence global conversations due to their mixed political orientations and resources. Swing states and the influence they wield in shaping the trajectory of the international process is not the focus of this post but will be explored in a future blog post.

Cyber Crime: The Menace of Internet Era

While the internet has huge potential to enable development of states on many fronts, it can also be used for criminal purposes. Cybercrime is one of the most daunting challenges of the internet era. Technological advancements that enable unique features like anonymity in cyberspace make cybercrimes less risky with the potential to provide high returns, making it all the more appealing to various actors. The growing number of internet users and connected devices increases the number of possible targets. Examples include Stuxnet, a malware that targeted the Iranian nuclear facility, and Wannacry, a ransomware attack that affected computers worldwide. In 2018, the Chief of United Nations Office on Drugs and Crime (UNODC) pointed out that cyber crimes are estimated to generate revenue of approximately $1.5trillion per year. Despite cyber crimes proliferating rapidly, law enforcement agencies have not been able to keep up the pace resulting in an enforcement gap. The transnational nature of cyber crimes is one of the major difficulties faced by them. Due to its global nature, cyberspace provides a platform for criminals to commit crimes out of one state, which could have the potential to affect multiple victims in different states. This means investigations of such crimes involve questions of extra territorial jurisdictions and increased cooperation between authorities of different states, creating various complications. This, coupled with diverse types of actors such as states, non-state actors, and groups hired by either of the two further complicates the issue at hand.

The Convention on Cybercrime of the Council of Europe, known as the Budapest Convention, is the only international instrument currently in place that addresses the issue of cyber crime. Recognizing the paramount need for combating crimes, it criminalizes conduct that affects the “confidentiality, integrity, and availability of computer systems, networks, and computer data”. It covers a diverse rangeof issues ranging from illegal access, computer related fraud to child pornography. Furthermore, it serves as an instrument that facilitates greater cooperation among states to enable better detection, investigation, and prosecution of cyber crimes.

The wide division of opinions on internet governance is also mirrored in the debate on how to effectively tackle the issue of cybercrime. This led to a recent development in last year’s General Assembly in the form of a Russian-led resolution on cybercrime. The resolution proposes the establishment of a committee of experts to draft a new cybercrime treaty that would replace the convention. Considering the fact that Russia has been a strong advocate of a Leviathan model of internet, the proposed treaty would in most likelihood embrace principles of sovereignty and non-interference while dealing with cyber crimes.

With the resolution passing the final vote at the UN General Assembly, the proponents of the convention are met with a time bound challenge to come up with innovative approaches to convince more states to join their side.

The Budapest Convention v. The Russian Resolution

The Budapest Convention has met with multiple criticisms, the major one being that it is a West drafted treaty with hardly any involvement of the developing countries. It’s also argued that as the treaty is almost two decades old, its provisions are too outdated to deal with evolving crimes. Furthermore, it is criticized for the vagueness of some of its provisions, which allow governments to bifurcate their obligations, and thereby hinders the effective implementation of the treaty. For example, the MLA regime of the treaty is often cited as ineffective as it does not command firm cooperation from parties by providing them grounds to refuse the same.

Despite being imperfect, a realistic analysis of the convention would reveal that it is the best instrument at hand to deal with cyber crimes. The convention, establishing common standards for its signatories, along with the Cybercrime Convention Committee (the “Committee”) that oversees its implementation and Programme Office on Cyber Crime (the “C-PROC”) dedicated towards capacity building, provides a dynamic framework for effectively tackling cybercrimes. The Committee ensures that the convention is adapted to address evolving crimes such as denial of service attacks and identity thefts, which did not exist at the time the convention was adopted, by issuing guidance notes and draft protocols. Similarly on the issue of procedural law, despite new developments such as cloud servers, the Committee is actively working on addressing the complicated challenges posed by it. It has proposed an additional protocol to specifically deal with access to evidence in the cloud by facilitating more efficient mutual legal assistance amongst the signatories and direct cooperation with service providers, while striking a balance between rule of law and human rights. The protocol if adopted would not only aid in the law enforcement process but would also have a major impact on how the international community perceives sovereignty in cyberspace. Furthermore, The C-PROC through its various capacity building initiatives such as strengthening of the legislations along the lines of rule of law and human rights, training of relevant authorities, promotion of public-private partnerships and international cooperation strengthens the ability of states to deal with cyber crimes.

While the international community is unable to arrive at a consensus on internet governance, with neither conglomerate of states acceding to the demands of the other, renewing global diplomatic negotiations on it might seem to be the best step. However a look at Russia’s resolution and its draft cyber crime convention would indicate that it might not be the appropriate solution to the problem at hand. The resolution as well as the draft convention, which is supposed to serve as a framework for the treaty, are drafted without due regard for human rights concerns. A mere reference to human rights, requiring use of ICTs to be in compliance with human rights and fundamental freedoms, is insufficient to safeguard it while combating cyber crimes. Primarily, the language used in the resolution is vague.It fails to define “use of information and communication technologies for criminal purposes". It mentions both cyber enabled crimes such as use of ICTs for trafficking as well as cyber crimes that could detrimentally affect “critical infrastructures of states and enterprises” and “well-being of individuals”. Such broad wording is highly problematic as it vests immense powers at the hands of the state to criminalize even ordinary online behaviour that is detrimental to its interests. In fact, such practices are already in existence around the world where we see governments clamping down on human rights activists, journalists, and civil society for expressing their opinions that are critical of the government in the online space. Numerous examples of such authoritarian actions include internet shutdowns, blocking of websites, which have become the trend around the world. While legislations curbing cyber crimes are quintessential to ensure a safe and secure cyberspace, arbitrary use of it, as is widely observed, today can have chilling effects on exercising rights in the online domain. Furthermore, combating a complex issue like cyber crime, which involves questions of technicalities, laws, and human rights, requires concerted efforts from various stakeholders including civil society and private sector. It is only through such multistakeholder endeavors that we can curb the use of ICTs for criminal purposes without hindering human rights. Therefore an ad hoc intergovernmental group of experts, as proposed by the resolution, is not the appropriate body to develop an international treaty on cyber crimes.

In short, the resolution and the draft convention are proposing a Leviathan model vesting state with excessive control over the internet. In practice, it would bear resemblance to the “sovereign internet law” of Russia and the “Golden Shield Project” of China. Such models are widely criticized for eschewing democratic principles in the name of ensuring security of the state from cyber attacks. For instance, the “sovereign internet law” mandates installation of technical equipments for counteracting threats to stability, security, and functional integrity of the internet.” The law, therefore, allows the government to prevent any communication that challenges its interests. A past attempt by the Russian government to block Telegram, is an example of the same. Furthermore, in the event of a “threat”, the law provides for routing of traffic solely through networks located within Russia, thereby allowing isolation of the national network and centralized control over it by the state. It paves the way for creation of digital borders, premised on the principle of state sovereignty. The “Great Firewall of China”, a part of the “Golden Shield Project”, is the most appropriate depiction of internet sovereignty. The Firewall serves as a system of surveillance that vests the government with complete control over all incoming and outgoing information over the Chinese networks. Any new domain has to obtain prior approval from the government before becoming accessible on the Chinese internet. When it comes to the question of human rights, a mere search for the term “democracy” in a search engine is blocked. The resolution by leaving the question of what amounts to use of ICTs for criminal purposes open-ended creates the danger of exercising of similar excessive powers by the states that could impinge upon fundamental human rights. The draft convention already incorporates the principle of state sovereignty. If adopted, it comes with the risk of us seeing the likes of Chinese model of the internet in greater numbers.

The convention is not perfect but we should be realistic and not expect one treaty to solve all problems at a go. The convention, coupled with its follow-up and capacity-building mechanisms are making positive developments in addressing evolving cyber threats while promoting a global and open internet . With as many as 65 parties and many using it as the model for their national cyber crime legislation, a new treaty to address cyber crimes pose the risk of hindering the developments made by the convention so far especially in the international cooperation front. Concerted efforts to improvise the convention are more practical than developing a new international framework, especially when the probability of reaching a consensus is almost nil.

India and the Budapest Convention: To Ratify or Not

Despite cybersecurity being a major concern and occupying a central place in its overall internet governance policy, India has surprisingly not yet become a party to the convention. It has even amended its Informational Technology Act, 2008 along the lines of the convention. India’s reluctance to sign, notwithstanding the convention’s potential to aid it in addressing its concerns in the cyber front especially with regard to jurisdictional issues while tackling cyber crimes, warrants an analysis.

One of the widely cited reasons for the reluctance is the non-inclusion of India and other developing countries in the drafting stage. However choosing to stand on the sidelines merely because of non-inclusion in the initial negotiations might not be the wisest move especially since the convention addresses matters that are of extreme importance to India. Ratifying the treaty even at a later stage would still enable it to participate in further evolution of the convention, which could outweigh this concern. Another major concern for India is that terrorism, considering how cyberspace has enlarged its scope and reach, does not find any mention in the substantive law of the convention. However the procedural provisions of the convention apply to any criminal offence committed with the aid of a computer, including terrorism. But it is often argued that the MLA regime is not sufficiently firm to facilitate cooperation. While it is true that the process has to be made more efficient, the Committee along with the Cloud Evidence Group is actively working on addressing its shortcomings. Finally, controversial provision-Ar.32, on cross border access to data- is also a cause for concern for India. The Guidance Notes issued by the Committee, however, clarifies the limited scope of the article thereby addressing the privacy and data protection concerns raised against it.

The convention is still evolving and is constantly being reviewed to make it more effective. Therefore India has to ask itself the question whether it wants to stand on the sidelines and observe the developments or if it should partake in shaping its progress. Currently, it is the only instrument in place that provides a legal framework for facilitating cooperation on cyber crime investigations amongst various jurisdictions. Considering that India has already embarked on a “Digital India” initiative, which in most likelihood will be accompanied by a spike in cyber crimes, it is the need of the hour to ratify the convention.

Elizabeth Dominic is a lawyer and a tech-policy researcher. Her work focuses on the intersection of law and technology and human rights, particularly on the applicability of current international legal frameworks to cyberspace and emerging technologies. Previously, she has worked at the Centre for Communication Governance and at IT for Change.

This post was reviewed and edited by Aman Nair,Amber Sinha and Arindrajit Basu

For more details visit https://cis-india.org/internet-governance/blog/the-debate-over-internet-governance-and-cyber-crimes-west-vs-the-rest

Essay: Watching Corona or Neighbours? - Introducing ‘Lateral Surveillance’ during COVID-19

Mira Swaminathan and Shubhika Saluja — 2020-05-22T06:39:02Z

Surveillance is already suspected to have become the ‘new normal’ considering the extensive amounts of money that is being invested by governments around the globe. The only way out of this pandemic is to take a humane approach to surveillance wherein the discriminatory tendencies of the people while spreading information about those infected are factored in to prevent excessive harm.

In times of emergency, ‘immature and even dangerous technologies are pressed into service, because the risks of doing nothing are bigger.’ Several mechanisms undertaken by governments worldwide, in response to the COVID-19 pandemic, have been criticized for enabling State sponsored mass surveillance. There are certain long term impacts of these mechanisms, especially mobile applications that arm the State with seemingly accurate and real time data of the individual. In this article, we explore the possibility of these apps becoming tools of lateral surveillance, i.e., the act of citizens surveilling each other and becoming the ‘eyes and ears’ of the State, in the near future. Though these apps may be helpful tools for contract tracing in times of the COVID-19 pandemic, the long term implications of these short term measures may cost the members of the society their anonymity, freedom of speech and create obstacles in the creation of a healthy and friendly society. One such implication is the ‘skill of surveilling thy neighbour’ being enabled by these apps to a certain extent at the present.

The governments across the globe have responded to COVID-19 through aggressive technological measures to trace individuals and enforce quarantine, costing individuals their privacy in exchange for the supposed benefit to the collective public health. In the same week when the Karnataka Government released a PDF with the names and addresses of around nineteen thousand international passengers who were quarantined in Bangalore, a man in Maharashtra was beaten up for sneezing in public. This stigma against anyone who could be potentially infected is not just prevalent in India but also in other countries. For example, in the United States, a man who returned from a Cruise that had a COVID-19 carrier on board, received death threats and personal attacks despite him being tested negative for COVID-19. Though South Korea has been successful in flattening the curve of COVID-19 cases through aggressive contact tracing (using security camera footage, credit card records, even GPS data from cars and cellphones), excessive data was exploited by internet mobs to hound infected individuals leading the government to minimize data sharing with the public. Escalations of a similar nature were evident in India as well when a woman was harassed and boycotted by her neighbours after the Delhi government marked her house with a quarantine sticker. With implicit and explicit forms of ‘watching over your neighbours’, the question then arises, is it the virus we are required to keep a check on or the neighbour next door who is “suspected” of carrying the virus?

What is Lateral Surveillance?

Surveillance, as is used in the hierarchical sense, is a vertical relationship between the person watching and the person being watched, which is usually the State and the citizen. All situations of surveillance involve power relations. In the conventional form of surveillance, there is a direct power hierarchy between the State and the citizens, and the State determines the collection, control and use of data for ‘public good.’ Lateral surveillance, on the other hand is a rather nuanced concept where citizens ‘keep an eye’ on other citizens and be vigilant of their acts. In this setup, there is not a hierarchical relationship where the one being watched is in some way being controlled or is under the authority of the watcher. As described by Mark Andrejevic, surveillance relationships can be mutual, a horizontal relationship between person to person is referred to as lateral or peer to peer surveillance. He further describes it as “the use of surveillance tools by individuals, rather than by agents of institutions public or private, to keep track of one another, covers (but is not limited to) three main categories: romantic interests, family, and friends or acquaintances.”

Sometimes, peer to peer surveillance is used to achieve emotional objectives such as community building and strengthening relationships with neighbours or tackling depression among the lonely. These emotional and social factors act as a driving force for lateral surveillance mechanisms creating a situation where privacy may be undermined for the betterment of the community. Surveillance technologies not only act as a tool for social control, but also as a tool for social exclusion. The mere requirement of Aarogya Setu as a ‘mandatory condition’ to travel via Indian Railways is a massive social exclusion of a large population of people who do not have smartphones. Lateral surveillance thus makes it easier to identify between those who conform to the ‘norms’ and those who don’t. For instance, even silent acts of not conforming with societal norms or opinion of the majority, threaten freedom of expression: during the lockdown to prevent the spread of COVID-19, the citizens who chose not to participate in the activity of lighting of lamps (urged by the Prime Minister) were either forced to conform, or were faced with a potential to be termed as ‘anti-national’ by some of their neighbours. In another instance, in South Korea, the LGBT community came under the scanner after a cluster of Coronavirus cases were reported from a particular area. This resulted in large-scale circulation of homophobic content and comments against the patients who tested positive from the community. This not only made it difficult for authorities to collect information but also increased troubles for the people belonging to the sexual minority in getting tested.

Lateral surveillance creates a culture of suspicion, where everyone is looked at as a potential suspect. In the times of COVID- 19, it translates into instances of being suspicious of the activity of a neighbour who could be potentially carrying the virus or someone who exercises his fundamental right to criticize the government. The practice of lateral surveillance is most harmful as it creates a culture of ‘hate’, ‘fear’ and ‘constant suspicion’ against an ‘enemy’. Lateral surveillance has been used for multiple instances, wherever the State identifies that it “cannot be everywhere”. There have been several campaigns that have been launched to promote lateral surveillance. For example, the “if you see something, say something” campaign launched after 9/11 attacks in the United States of America was an extreme form of lateral surveillance. The campaign encouraged people to report ‘any suspicious activity’ which resulted in creating a culture of xenophobia and racism where innocent individuals were reported by their neighbours for crimes they did not commit. Thus, the culture of lateral surveillance ensures that a system is created wherein everyone has the duty to ‘keep an eye’ for ‘their own safety’ and this heightens the fear of crime in the society.

Potential Lateral Surveillance issues with the Apps tracking Coronavirus

The priority of the government during such times is to take all available resources to address the emergency. However, these measures raise concerns about the invasion of privacy on account of public health considerations and balancing between the two conflicting interests. With the increase in quarantine monitoring and Corona tracking apps, the question is: whether real time collection and availability of (some of this) information secures the safety of the people or build a culture of surveillance?

Among these measures, the most publicised one is the Indian Government’s Aarogya Setu app. The app which was initially released hastily with an incomprehensive/ambiguous privacy policy and later replaced without notice to its users, is now being mandated for not only certain groups who are on the frontline such as journalists, e-commerce employees, delivery personnel but also is increasingly becoming a precondition to access public places. The government and private entities alike are making the app compulsory for entering apartments, travelling by the railways or the metro. The concept of ‘consent’ is seen eroding in the face of social pressure as the acceptance of the terms and conditions of the app is no longer an act free from coercion in the larger public interest. However, the Aarogya Setu app which exists over and above the various State Government apps to track COVID-19, enforce quarantine and spread awareness in the respective states, has come under the radar for not meeting the expected privacy standards such as minimal data collection, transparency to verify encryption techniques among others. The privacy policy of the app reveals that it maintains a record of all the places the user may have visited along with records of contact the user may have made with other users. This exchange of personally identifiable information among people’s devices may become a point of attack for malicious actors as highlighted in the Working Paper of Internet Freedom Foundation. Concerns over the working and information storage of the app were also raised by an ethical hacker who warned that “an attacker can get with a meter precision the health status” of someone anywhere in India. When seen from the lens of lateral surveillance, the information (stored on the server) is vulnerable to unwarranted exposure even though it is only meant to be shared with the government and other departments “formulate or implement an appropriate health response”. What raises deeper issues is the wide scope of the government’s ability to share the response data in de-identified form with several government departments and third parties on a ‘strict necessity’ basis or for research purposes. The possibility of the app being repurposed to meet multiple purposes cannot be overlooked. This potential for excessive sharing and function creep are the basis for concerns over changing forms of surveillance, from traditional to lateral due to higher possibilities of leakage of personal information.

A fundamental problem that can be noticed here is that an implementation of a public good is looked at as a binary. Each individual or organization in this pandemic performs their actions based on an “imaginary binary,” wherein the choice needs to be made between two equally worse options, created by their existing circumstances. Surveillance is regarded as ‘binary’ in nature, a tool used for both protection and control. For example, feminist legal theories have recognized that privacy used at either of the extremes (in the form of a binary) can result in affecting people’s autonomy. These theories acknowledge that while surveillance regimes exist, there are ‘gaps’ created in the system to reinforce newer surveillance mechanisms. This gap can support vulnerable groups while a ‘contextualized situation’ is created to ensure everyone’s rights are equally protected.

It is important to note that implementing 'absolute surveillance’ without basic ethical considerations like how it would affect minority groups (religious minorities, LGBTQIA community etc.) creates a problem of the ‘binary’ between surveillance and privacy, especially since the ‘culture of surveillance’ is involved in the process. Similarly, when the government responds to the pandemic by leveraging technology as its option against protecting the interests of those who may be discriminated against due to such intrusive technologies while ignoring the ethical considerations such as transparency and openness, it creates an air of suspicion. For instance, inaccessibility or absence of privacy policies in the case of Tamil Nadu & West Bengal Quarantine apps, heightens suspicion about the long term implications of such data collection activities. However, if ethical considerations are adopted in the implementation of these apps, lateral surveillance could be potentially avoided.

Apps like Corona Watch and Quarantine Watch, are potential examples of such surveillance apps where the State collects personal data and the citizens are expected to be more vigilant towards each other. As these apps increase the chances of users learning about who could have infected them (by showing the timing when an infected person visited a particular location on interactive maps). Though most of these apps currently available in West Bengal, Tamil Nadu, Maharashtra or Goa are capable of being used as sophisticated tools for State surveillance through creation of heat maps, checking on those quarantined while monitoring containment zones, and potential database for facial recognition because of selfies being sought from individuals at periodic intervals. The problem of lateral surveillance surfaces due to the potential of the same information being leaked to the public due to the lack of safeguards in the app and its design such as excessive data collection, third party exploitation of the data, lack of proper anonymization and encryption measures.

The other problem is that these apps affect the attitude of the people, making them more suspicious and wary as a community member. Since these apps make it more likely for personal information of nearby citizens to be revealed to other citizens, they encourage the practice of ‘watching over others’. They are being encouraged to stay updated about who is a possible threat to them or a vector of the virus, which is similar to the objective of neighbourhood watch schemes and peer surveillance programs. Instead of building a ‘healthy society’, there is increased suspicion, heightened fear of the virus, possibilities of discrimination and ostracisation of those suspected of carrying the virus. Further, intrusive tracking and excessive health messaging can discourage citizens, making them feel bullied and stigmatised. As Sean McDonald writes, when these technologies which enable the use of individual information as a “representative sample for public health risk” can have dangerous unintended consequences “when paired with the kinds of panic, scarcity and desperation”in such public health emergencies.

The need for more security makes people more likely to detect threats in every different action from the normal. This not only heightens the fear among everyone regarding the ‘perceived threat’ of the existence of a quarantined or infected patient, but it also creates a culture of vigilance, i.e. the people start to suspect everything and everyone. As Janet Chan mentions in her work- “such perceived threat has a tendency to ‘increase intolerance, prejudice, ethno-centrism, and xenophobia’. The consequence of the constant contact among neighbours may result in ethnic profiling, increased anxiety, communication overload and create potential tensions among them.” In Seoul where a restaurant manager was “eavesdropping in people’s conversations” just to confirm whether or not they’re infected with the Coronavirus and in India where photos and videos of patients tested positive of COVID are circulated amongst whatsapp groups. Such forms of lateral surveillance in the physical world is already having a negative impact on the society. Especially in India, where the concept of social distancing mirrors and invokes distinct histories of caste hierarchies, even the most diluted form of social distancing is harmful as it reinforces this segregation of ‘touchable’ and ‘untouchable.’ The virus further aids the existing structures of inequality. Hence, social exclusion due to the ‘culture of suspicion’ is deepened further in such a society in times of a crisis.

The potential technological solutionism of it through the aforementioned apps poses greater risks. The problem lies not only in the manner in which the individuals are being encouraged to seek more information but also the way in which the information is being handled by the State. Apart from the aforementioned apps, some States such as Delhi, Kerala and Telangana are using softwares to track cell phone location for the purposes of contact tracing. In Ahmedabad, the MU Corporation map even reveals the names and addresses of patients who tested positive. Further, the attitude of the people that creates social pressure on the State to reveal personal information as was seen in Mohali. The fact that ‘social pressure’ is a justification for making public quarantine lists, the possibility of more information being rolled out through these apps in the future for the sake of one or a few persons’ protection cannot be ignored.

Furthermore, as more personal data is gathered, the State needs to ensure that security standards and safeguards are maintained to prevent leakage of such data on social media as was already witnessed in Karnataka, Delhi and Nagpur. Even if these measures are being flagged as “necessary” to enforce quarantine or contain transmission, they are prima facie violative of the right to privacy of the people whose sensitive personal information is being disclosed like public property. There is no doubt that the right to privacy is not an absolute right, but neither the Epidemic Diseases Act, 1897 nor the National Disaster Management Act 2005 provide any explicit basis to disclose personal information of persons who have either been infected with the virus or who have been quarantined. Even if such disclosures can be justified as an act in good faith to prevent the outbreak of the disease under Section 4 the Epidemic Diseases Act or within the powers of the National Authority to take such measures for the prevention of disaster under Section 6(i) of the National Disaster Management Act, they need to be proportionate in nature and have a rational nexus with the legitimate aim sought to be achieved by the State (test for which was laid down in Puttaswamy Judgment). It is difficult to determine the connection between the careless disclosure of such sensitive information and prevention of the pandemic. There are less intrusive alternatives available. If public knowledge about an infected person’s residence and mobile phone number is going to assist the fight against the pandemic, then it is a clear case of lateral surveillance being encouraged by the State and that is the path to the ‘culture of suspicion’ as explained above.

In the absence of a comprehensive data protection law (particularly where the State is bound and accountable as a data collection entity), there is no judicial recourse available if the data is used for purposes other than those mentioned in the privacy policies. In certain cases, the privacy policies have not even been made public. This raises more concerns about possibilities of the data being disclosed to unauthorised entities or retained and used for other purposes. This data, if made available or leaked to the public in such times, increases the risks of vigilantism and lateral surveillance resulting in potential discrimination and harassment. The State needs to recognize the risk of normalization of these tools which if continued even after the pandemic could negatively affect the right to privacy not only vis-a-vis the State (as is already the case) but also vis-a-vis other members of society.

Measures to Better Implement Contract Tracing and Reduce Lateral Surveillance

1. Rule of Law and implementation of Privacy Principles : Though the measures introduced for tracking Coronavirus are necessary and crucial in the times of a fast spreading pandemic, they also need to be tested against the requirements of legality and doctrine of proportionality as well. The test of legitimate state aim, necessity and proportionality acts as the guiding force for implementation of state actions that constrain privacy. Deployment of excessively intrusive means to further public health while restraining privacy without any legal basis will do more harm than good. If the conflict between common good and individual privacy is resolved, the impact of the surveillance measures on people in general would reduce, thereby limiting the prospects of lateral surveillance. The path to prevent lateral surveillance goes through the path of reducing the scope of vertical surveillance itself. For instance, if the data collecting authority ensures that the system does not or is least likely to reveal any personal information of the user, then the risk of the same being available in public is minimal. In this regard, the privacy policy of Aarogya Setu app states that the data will be stored in “anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required.” Further, it also provides that the personal information will not be shared with any third party.

Although it is easier to brush aside the application of the privacy principles due to the lack of a comprehensive data protection law, a pandemic cannot be an excuse to forgo the application of these principles and the rule of law. Presently, India is witnessing instances of loss of privacy and confidentiality, stigmatization and rights violations which have been identified as harms of public health practice and surveillance by the World Health Organization. In order to minimize the harm from surveillance, preventive measures such as avoiding collection of unnecessary identifiable information, limited access to collected data, secured data storage practices, pseudonymisation of collected data, definite period of retention of data and promotion of transparency, inclusiveness and openness, should be taken. For instance, Singapore’s TraceTogether app provides a good example of application of data protection principles. The app collects only the mobile number and creates a random anonymized user ID, uses bluetooth, instead of the GPS location or WIFI or mobile network, stores data only on the phone of the user, and prevents third parties from identifying or tracking the user (employing privacy-by-design). The Privacy Policy of the app depicts how privacy principles can be put to work, with minimum data collection, allowing withdrawal of consent and minimal retention of data among other principles. Though Aarogya Setu follows most of the aforementioned principles employed at global level as seen in the case of TraceTogether as well, it goes a step ahead to collect even GPS location which may be considered an excessive means.

Finally, it is essential that the use of these apps remains limited to the times of pandemic without paving the way for sophisticated surveillance, traditional or lateral, post the pandemic. And for privacy policy of Aarogya Setu mentions the use of information only for the “management of COVID-19” the concerns over the its use for an unidentifiable period of time in the future are hinting at it becoming a surveillance tool in a world where people will have to live with Coronavirus.

2. Positive initiatives for improving mental health of citizens: We understand and acknowledge that the impact of lateral surveillance cannot be completely eradicated during a pandemic, we can suggest mechanisms in which initiatives encouraging surveillance can be better implemented by the State and the citizens. Since even a “privacy preserving” app cannot comprehensively address the fundamental issues relating to the efficacy of contact tracing, intended or unintended consequences of social exclusion and discriminatory use, lateral surveillance can be turned on its head by ensuring that mutual care and trust is practiced instead of enabling surveillance. The Central Government and several State Governments such as Maharashtra and Kerala among others are trying to deal with the impact of Coronavirus on mental health with innovative campaigns. So instead of a helpline number, an app can be introduced by the State that gives counselling services to quarantined patients which would help in destigmatizing the existing scenario. Further, citizens too can be involved in helping one another, for example, neighbourhoods in England use “innovative placards wherein they identify the quarantined people in need (and their concerns) with a simple showcase of ‘red/yellow/green’ placards outside their houses. They have also introduced the use of “printable postcards” that are used to offer help for the elderly in the communities. These community initiatives are a much better way of approaching this public health crisis instead of a ‘sticker’ or a ‘label’ outside the quarantined person’s house labelling them in a negative way, as though they have committed a crime.

Avoiding the toxic culture created in the ‘new normal'

Citizens need to be made aware of the consequences of this pandemic on the community in a way they can help each other to overcome it , instead of simply alarming or scaring them which would definitely have long term negative impacts on the community. Considering how instances of discrimination against certain communities are already surfacing amidst the pandemic, contact tracing should explored within the bounds of the law while being implemented through these apps. With certain governments using personnel tracking tools such as smart watches for purposes of public services, the increase in the use of these kinds of intrusive technologies is soon going to be a harsh reality. Surveillance is already suspected to have become the ‘new normal’ considering the extensive amounts of money that is being invested by governments around the globe. The only way out of this pandemic is to take a humane approach to surveillance wherein the discriminatory tendencies of the people while spreading information about those infected are factored in to prevent excessive harm. It can only be expected that the State would be wary of the means being deployed to achieve the end, and the citizens act responsibly while participating in these initiatives so as to reduce the negative impacts of vertical or lateral surveillance. We should all move towards a society where we watch the virus and carefully use technology to avoid situations where ordinary citizens are encouraged to watch over their neighbours. We need to unlearn this habit of “watching over someone else” both voluntarily and involuntarily before it becomes too late.

For more details visit https://cis-india.org/internet-governance/blog/essay-watching-corona-or-neighbours-introducing-2018lateral-surveillance2019-during-covid201919

CIS_BD4D_Guideline04_PT+PB_BigDataAIEthicsReview_ExtendedNotes PDF

pranav — 2020-05-19T10:58:54Z

For more details visit https://cis-india.org/raw/bd4d-guideline-documents/ExtendedNotes